THIS PROJECT HAS BEEN REWRITTEN AND REBRANDED AS RWLAZER64
Since this tool can easily eff-up your computer, it is highly recommended to use it in a virtual environment, such as Hyper-V
Pre-release alpha binaries can be downloaded HERE
RWLAZER is currently a memory editing tool, similar to Cheat Engine. It's R/W operations are done in privileged (ring0) mode via an EFI Driver.
- Read/Write operations from privileged mode (ring0)
- Signature scans with wildcard support from privileged mode (ring0)
- Memory scans from privileged mode and user-space (ring0 & ring3)
- Read/Write Model-Specific Registers (MSRs)
- Convert values between hexadecimal/decimal/float
- Screw up your computer
- x64 debugger [WIP]
- C API
- Configurable installer
- Trainer Engine (picture Cheat Engine Tables)
- x64 Assembler & Disassembler
- Scripting interface
- Loop operations
- Database of used R/W memory addresses and values
- More More More
- UEFI compatible system running Windows 10 x64
- The tool has been tested on following Windows 10 versions:
version 1909
version 2004
version 20H2
All of these are marked as COMPATIBLE
- Well, I couldn't get Cheat Engine installer to launch on my VM, to read obfuscated communication data from a car disagnostic tool at work. So.. yea.. I was also working on a Call of Duty: Black Ops Cold War kernel cheat, so this is a combined result.
- I only recently discovered that RWEverything is a thing! ;_;
- Make sure Secure Boot is disabled, or manually add
EFI\Boot\bootx64.efi
andEFI\rwlazer\rwlazer.efi
to trusted entries. - If you're using Hyper-V, make sure your Generation2 machine's first entry in the boot order is your HDD with EFI System Partition, NOT
bootmgfw.efi
- Download the alpha pre-release
- Extract the archive to a folder
- Run
install_lazer64.exe
as administrator - Mind the warning
- If the installation completed successfully, restart your computer
- You should see RWLAZER logo before Windows 10 boots , if you don't, something went wrong
- Run
rwlazer.exe
as administrator - Attach to a PID and go nuts
- These are unsafe operations (yes, I see the irony), which are hidden by default. To enable them, type
1337
in the main menu prompt and press ENTER.
- RWLAZER is malware free and the source code will be released as soon as I clean it up a little bit and move on to beta releases.
- In fact, I do NOT encourage you to use this program on any bare-metal. Please use a virtual machine.
- I know..
Heeeeeeell NO! Special BIG thanks goes to:
- Jamesits for their BGRT Injector - this is responsible for chain-loading the
rwlazer.efi
driver and the cool RWLAZER boot logo! - TheCruZ for their CRZEFI EFI loader, which is really the base foundation of this tool
- The mentioned ring3 memory scanner was taken from HERE. I fixed and revamped it a lot, but the original credit goes to the forum member TEDSON.
- You can, but expect to be banned if the anti-cheat is at least semi-decent and/or runs with a driver. As I said, I used this to hack CoD: BOCW without issues and detection, but their anti-cheat has been updated long since doing so, and I'd expect an instant ban now. Do NOT rely on it. This is NOT a game hacking tool (
anymore).
Files bundled in 'rwlazer64.rar':
'install_lazer64.exe' - RWLAZER Installer - Mounts EFI System Partition and copies RWLAZER files to it
'rwlazer.exe' - RWLAZERRRRRR
'EFI\Boot\bootx64.efi' - BGRTInjector - It takes care of all the things necessary to load the Windows 10 Boot Manager 'bootmgfw.efi', but instead passes the control over to 'rwlazer.efi'
'EFI\rwlazer\rwlazer.efi' - This is the heart of RWLAZER. Better said, it's the EFI Driver responsible for all ring0 R/W, and other privileged instructions
Files present in the repo, which are not bundled in 'rwlazer64.rar':
'DebugDummy.exe' - A debugging dummy application to test RWLAZER on
'src\installer_main.c' - Source code of 'install_lazer64.exe'
[1] - Change PID - Change current working PID
[2] - Get Base Address - Get Process Base Address. Doing R/W operations on System 'processes' (like 'System' PID 4) will result in a BSOD. You can usually predict this, when this fuction fails to retrieve the base address
-----------------------------------------------
[3] - Read Memory - Read `n` bytes at specified memory address
[4] - Write Memory - Write `n` bytes at specified memory address
[5] - Read String - Read NULL terminated string at specified memory address
[6] - Read Addr+Offset - Read address at a specified memory address (pointer)
-----------------------------------------------
[8] - MemScan - Ring3 Memory Scanner
[9] - SigScan - Ring0 Signature Scanner (can be used as a ring0 memory scanner)
-----------------------------------------------
[30] - Re-read last address - Re-read value from last-read memory address
[40] - Re-write last address - Write to last used memory address
[41] - Re-write last value [DISABLED] - Currently disabled
[42] - Zero Memory - Quick ZeroMemory()
-----------------------------------------------
[50] - Float2Hex Calculator - Float to Hex calculator (Little Endian)
[51] - Base Calculator - Hexadecimal <-> Decimal converter + Endianness calculator
[52] - Print DataType Size Chart - Displays size info of default C data types and their MIN/MAX values
-----------------------------------------------
[63] - Read MSR [UNSAFE] - Read Model-Specific Register - rdmsr
[64] - Write MSR [UNSAFE] - Write to Model-Specific Register - wrmsr
-----------------------------------------------
[70] - Enable Automatic Endian Conversion - DEPRECATED - Automatically converts Big Endian to Little Endian. Smart ByteData system takes care of this
[71] - Disable Smart ByteData Input - It is highly recommended to leave this enabled at all times. The Smart Input feature accepts user input in decimal and hexadecimal, while detecting machine endianness and automatically converting byte data according to the detected endianness
-----------------------------------------------
[80] - Clear Last Address Info - When doing R/W operations, RWLAZER saves the respective memory addresses and displays them in main menu. Use this to clear them
[81] - Clear Console - Clear console output
[82] - Fresh Start - Clear all saved addresses/values and current working PID
-----------------------------------------------
[99] - Exit
[1337] - Toggle UNSAFE mode (rdmsr/wrmsr)
- Smart Input accepts hex/dec input. In order to pass hex data to RWLAZER, use the
0x
prefix (0xdeadbeef
). Without the prefix, RWLAZER will process the data as decimal values - The ring3 memory scanner, despite being revamped, still holds some iffy/annoying quirks. Fixes incoming.
- If you find a bug, please create a new issue, with detailed information about the bug/problem. It'd help to include your Windows version from
winver
command. Thank you!