Play with memory

Hi

I've made, for example, an application with 2 buttons.
This is the code:
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
unit Unit1;

interface

uses
  Windows, SysUtils, Classes, Controls, Forms, Dialogs, StdCtrls;

type
  TForm1 = class(TForm)
    Button1: TButton;
    Button2: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
  end;

var
  Form1: TForm1;
  MyVar: Integer;   /// <- A Global Variable (lives in the data segment, same address for the life of the process)

implementation

{$R *.dfm}

procedure TForm1.Button1Click(Sender: TObject);
begin
  Randomize;
  MyVar := Random(100);    /// Random value in 0..99 (Random(100) never returns 100)
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
  ShowMessage(IntToStr(MyVar));  // Show contents of MyVar
end;

end.

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
The first button randomizes a value (0<x<100) and stores it in the global var MyVar.
The second shows MyVar.
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-

Question :

I want to make an application that will search in memory for the value that MyVar has
at the current moment and change it, let's say, to 250... Then click the button and show 250...
Can you please provide some code?

Thanks in advance.
CodedK Asked:
ThievingSix Commented:
This will scan the memory of a process (identified by the given PID) for a certain value. If that value is found it populates a TStringList with the addresses.

Ex:
procedure TForm1.Button1Click(Sender: TObject);
var
  hTarget : HWND;
  cPID : Cardinal;
  sAddresses : TStringList;
  I : Integer;
begin
  // Locate the target by its window caption and resolve the owning process ID
  hTarget := FindWindow(nil, 'WINDOW_CAPTION_HERE');
  if hTarget = 0 then
  begin
    ShowMessage('Target window not found');
    Exit;
  end;
  GetWindowThreadProcessId(hTarget, cPID);
  // GetAddressesFromValue creates the list; the caller owns and frees it
  if GetAddressesFromValue(cPID, StrToInt(Edit1.Text), sAddresses) then
    for I := 0 to sAddresses.Count - 1 do
      ShowMessage(sAddresses.Strings[I])
  else
    ShowMessage('Value not found');
  sAddresses.Free;
end;

Now I highly recommend that you use this as an example or change the ADDRESSFROM/ADDRESSTO, as it will take a long time to scan the entire 32-bit region. What you could also do is put it in chunks and create threads to do it at the same time. If you want an example of that, just ask.
function GetAddressesFromValue(cPID: Cardinal; iValue: Integer; var sAddresses: TStringList): Boolean;
const
  // User-mode range of a 32-bit process; a Delphi image is normally loaded at $00400000
  ADDRESSFROM : Cardinal = $00400000;
  ADDRESSTO   : Cardinal = $7FFFFFFF;
var
  cAmountRead : Cardinal;
  hProcess : THandle;
  iOutput : Integer;
  I : Cardinal;
begin
  Result := False;
  sAddresses := TStringList.Create;
  // A read-only scan needs only PROCESS_VM_READ or PROCESS_QUERY_INFORMATION;
  // PROCESS_ALL_ACCESS is more than this function uses (writing later needs
  // PROCESS_VM_WRITE or PROCESS_VM_OPERATION as well).
  hProcess := OpenProcess(PROCESS_ALL_ACCESS, False, cPID);
  If hProcess = 0 Then Exit;   // THandle is unsigned, so "<= 0" could only ever mean 0
  try
    // Cardinal loop counter: an Integer would overflow past $7FFFFFFC and never terminate
    I := ADDRESSFROM;
    While I <= ADDRESSTO - 3 Do
      begin
      // Read the 4 bytes straight into an Integer; x86 is little-endian, so no
      // manual byte reassembly is needed. One ReadProcessMemory per 4 bytes is
      // slow, but unmapped pages simply fail the call and are skipped.
      If ReadProcessMemory(hProcess, Pointer(I), @iOutput, SizeOf(iOutput), cAmountRead)
         and (cAmountRead = SizeOf(iOutput)) and (iOutput = iValue) Then
        begin
        sAddresses.Add(IntToHex(I, 8));   // 8 hex digits: a full 32-bit address
        Result := True;
      end;
      Inc(I, 4);
    end;
  finally
    CloseHandle(hProcess);
  end;
end;


2266180 Commented:
That will not be an easy thing to do. First, you need to determine where, relative to the start of the app in memory, the variable is located. That operation has to be done every single time the app changes, which is not nice.
What you could do to improve this is to place some string ID. You find that string and know that right after it (hopefully :P) is your variable.
A few tests could indicate if that is always true. I think it is, but I'm not sure since I was never interested in such details :)
ThievingSix Commented:
You could nullify all randomize procedures with some remote code but that won't be too useful. Since the variable is constantly changing, finding it dynamically isn't easy at all. The only way I can suggest going about this is to use ciuly's idea and set a string variable right before it.

MyString := 'FindMyVariable';

This way when you do a ReadProcessMemory() search you can find the MyString then the Randomized variable.

What, may I ask, will you be wanting to do this for anyway?
CodedK (Author) Commented:
Hi ThievingSix :)

Your previous question is the reason I ask. About protecting. I think I have a good idea.
I need to get a solution for this though; your comment isn't what I want at all.
It's super easy to do this because memory does not change location when we change the content ;)
The only problem is the code... I need some code.
CodedK (Author) Commented:
Hi Ciuly.

>>that operation has to be done every single time the app changes
That's OK.

I need some code to do the following :
1) Get the memory space of App1
2) Search for the current value
3) Make a list of the addresses
4) Search again, only the addresses in the list, narrow down the list...
5) Repeat again till the list has 1-3 values.
developmentguru (President) Commented:
Are you wanting to search for the variable within one running application from another application? I need a little clarification here. If that is the case then you will need administrator privileges at the very least; this may allow you to create a readable memory segment to overlay the executable's memory address. This involves using global descriptor table instructions at the processor level (LGDT and SGDT, usually limited to OS operations).

If you are able to do this then the suggestions you already have should serve you well. The one change I would make is that instead of searching for a string you would need to make it an array of characters so it will be at that address in memory. Normally a string will store a pointer to the string. You mentioned searching for the current value... does this indicate that you have some way of knowing the current value in order to search for it?

Another approach would be to look for a 4 byte memory location, within the code segment, that is changing on a regular basis... If you want to try that approach, it would help if the variable were declared as a constant with a type and a value. I believe that changes where it is stored and would make it easier to differentiate.

I had another question years ago that involved the use of the global descriptor table. A student told us that his professor had declared that Windows 2000 was un-crashable and gave out extra credit for anyone able to produce code that would crash it. I wrote a small assembly routine that you had to have administrator privileges to run. The routine made a descriptor to allow writing to the zero page of memory and promptly zeroed the whole page. Several other experts told me that I needed to write 10,000 times, "I will not overwrite zero page. I will not overwrite zero page!" Unfortunately it has been more than a few years and I no longer have the code. I hope you can get started in the right direction based on some of this though. I do not have the time to do more than this right now.
ThievingSix Commented:
"I need some code to do the following :
1) Get the memory space of the app1
2) Search for the current value
3) Make a list of the addresses
4) Search again, only the addresses in the list, narrow down the list...
5) Repeat again till the list has 1-3 values."

That's the problem I see: since it's randomized, the only way we could get (2) would be to open the program up in Olly, sift through it and make pointers.
2266180 Commented:
This reminds me of some tool to help with cheating in games :))
Good old times :)
CodedK (Author) Commented:
First of all.
Both applications... are mine! As stated in the question...
APPLICATION 1
has 2 buttons... 1 to randomize, 1 to show me the value.
APPLICATION 2
will search for the current value that I already know, of course!
Since I am free to push Button2 of App1.
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
@ Developmentguru
>>If that is the case then you will need administrator privileges.
I have seen applications written (most with Borland C++) in 1993 that work excellently, and can do this both in DOS and Windows, even XP!
I don't think I need some fancy code to do it.
@ciuly
:) True Ciuly... Take for example those applications you mentioned.
How does this stuff work even now?
But if you look at the PAQs of ThievingSix it's another story. I'm trying to work the other way around.
I have an idea and I'm stuck here.
@ThievingSix
I know the value! That's the point. (This is why I made Button2 in the 1st app.)
I'm just trying to find the right address and change it beyond the max point!
ThievingSix Commented:
Ok since you know the value that makes it MUCH easier.
I'll type up some code in about 1/2 hr.
CodedK (Author) Commented:
Hi ThievingSix
Thank you very much for the code and for your time :)
If you want, please give me some code for "chunks n' threads".

But first of all I need to find the range of the right addresses to search :/
There must be some code out there for finding this.
I'm trying some code from Madshi with no luck so far :(


ThievingSix Commented:
Technically the right range of addresses is the one provided. Until you find the pointer and use that you'll never know exactly where it is. After work I'll provide some thread code.
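The five-step scan / narrow / write procedure CodedK lists above, together with the "which range of addresses to search" question answered here, as one added example that is not code from this thread or from any of its participants. It is a console program for a 32-bit Delphi 7-era compiler (the DWORD byte-count parameters of ReadProcessMemory/WriteProcessMemory and the 4 GiB address space are assumptions about that version of Windows.pas). Instead of probing every 4-byte slot between $00400000 and $7FFFFFFF, it asks the target which regions are actually mapped with VirtualQueryEx, reads each committed, readable region in 64 KiB pieces, keeps the hits in a TList, re-reads only those candidates after App1 has changed the value, and writes 250 once 1-3 candidates remain. The program name MemScan, the functions FindPattern, NarrowToInt and WriteInt, and the constant CHUNK are my names; the PID and the value App1 currently shows are taken from the command line.

```delphi
program MemScan;
{$APPTYPE CONSOLE}
// Added example, not from the thread; assumes 32-bit Delphi 7-era Windows.pas signatures.
uses
  Windows, SysUtils, Classes;

const
  CHUNK = 64 * 1024; // read piecewise so one unreadable page does not lose a whole region

// Scan every committed, readable region of hProcess for the Len bytes at Pattern,
// testing only offsets that are multiples of Align (4 for an aligned Integer, 1 for
// any byte string). Hits are appended to Found as Pointers; returns the hit count.
// A match straddling a CHUNK boundary is missed (impossible for Align = 4).
function FindPattern(hProcess: THandle; Pattern: Pointer; Len, Align: Cardinal;
  Found: TList): Integer;
var
  SI: TSystemInfo;
  MBI: TMemoryBasicInformation;
  Cur, RegionEnd, Want, I: Cardinal;
  Got: DWORD;
  Buf: array of Byte;
begin
  Result := 0;
  SetLength(Buf, CHUNK);
  GetSystemInfo(SI);
  Cur := Cardinal(SI.lpMinimumApplicationAddress);
  while Cur < Cardinal(SI.lpMaximumApplicationAddress) do
  begin
    // VirtualQueryEx reports the region containing Cur, i.e. which ranges are mapped at all
    if VirtualQueryEx(hProcess, Pointer(Cur), MBI, SizeOf(MBI)) = 0 then Break;
    RegionEnd := Cardinal(MBI.BaseAddress) + MBI.RegionSize;
    if RegionEnd <= Cur then Break; // region reaches the top of the address space: wrapped
    if (MBI.State = MEM_COMMIT) and
       ((MBI.Protect and (PAGE_NOACCESS or PAGE_GUARD)) = 0) then
      while Cur < RegionEnd do
      begin
        Want := RegionEnd - Cur;
        if Want > CHUNK then Want := CHUNK;
        if ReadProcessMemory(hProcess, Pointer(Cur), @Buf[0], Want, Got) and (Got >= Len) then
        begin
          I := 0;
          while I + Len <= Got do
          begin
            if CompareMem(@Buf[I], Pattern, Len) then
            begin
              Found.Add(Pointer(Cur + I));
              Inc(Result);
            end;
            Inc(I, Align);
          end;
        end;
        Inc(Cur, Want);
      end;
    Cur := RegionEnd; // free, reserved and guarded regions are skipped in one step
  end;
end;

// Re-read every candidate and drop those that no longer hold Value. Call it after
// App1 changed the variable: the real global keeps matching, coincidental hits fall away.
function NarrowToInt(hProcess: THandle; Value: Integer; Found: TList): Integer;
var
  I, Seen: Integer;
  Got: DWORD;
begin
  for I := Found.Count - 1 downto 0 do
    if not (ReadProcessMemory(hProcess, Found[I], @Seen, SizeOf(Seen), Got) and
            (Got = SizeOf(Seen)) and (Seen = Value)) then
      Found.Delete(I);
  Result := Found.Count;
end;

// Overwrite the Integer at Addr (needs PROCESS_VM_WRITE and PROCESS_VM_OPERATION).
function WriteInt(hProcess: THandle; Addr: Pointer; Value: Integer): Boolean;
var
  Put: DWORD;
begin
  Result := WriteProcessMemory(hProcess, Addr, @Value, SizeOf(Value), Put) and
            (Put = SizeOf(Value));
end;

var
  hProcess: THandle;
  Found: TList;
  Value, I: Integer;
begin
  if ParamCount < 2 then
    raise Exception.Create('usage: MemScan <pid> <value App1 currently shows>');
  Value := StrToInt(ParamStr(2));
  // Ask for exactly the rights the job needs instead of PROCESS_ALL_ACCESS
  hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ or
    PROCESS_VM_WRITE or PROCESS_VM_OPERATION, False, StrToInt(ParamStr(1)));
  if hProcess = 0 then RaiseLastOSError;
  Found := TList.Create;
  try
    FindPattern(hProcess, @Value, SizeOf(Value), 4, Found);
    WriteLn(Found.Count, ' candidate address(es)');
    while Found.Count > 3 do // steps 4 and 5 of the question
    begin
      Write('Change the value in App1 and type what Button2 shows: ');
      ReadLn(Value);
      WriteLn(NarrowToInt(hProcess, Value, Found), ' candidate(s) left');
    end;
    for I := 0 to Found.Count - 1 do
      if WriteInt(hProcess, Found[I], 250) then
        WriteLn(Format('wrote 250 at $%.8x', [Cardinal(Found[I])]));
  finally
    Found.Free;
    CloseHandle(hProcess);
  end;
end.
```

Two practical notes. OpenProcess only succeeds when the scanner runs as the same user as App1 (or holds SeDebugPrivilege), which is the real reason such tools tend to need elevation; the rights requested above are the minimum for a read-scan plus one write, so a scan-only build can drop PROCESS_VM_WRITE and PROCESS_VM_OPERATION. The same FindPattern also serves the marker idea from ciuly and ThievingSix: calling it with Align = 1 over the bytes of a constant such as 'FindMyVariable' locates the tag, and the Integer is then read at a fixed offset after it. developmentguru's caveat applies there: a Delphi string variable holds only a pointer to heap memory, so the tag must be an inline array of AnsiChar, and putting tag and value together in a packed record is what guarantees that the value really sits right after the tag.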
CodedK (Author) Commented:
Thank you all for your help.

ThievingSix, if you want to post something about threads then tell me here,
so I can post a new question.

Thanks.