Memory Read/Write functions?

MacMan93
Jul 20, 2007, 03:16 AM
Well, I'm sorta new with Cocoa but I know my way around. (somewhat)

I am wanting to write a Memory Editor (well eventually) for OS X. I cannot find any articles or what not about how I would go about reading and writing directly to the RAM. (also searching it but that counts in the "reading" part too)

Can someone direct me in the right direction with this? An article on accessing RAM using Cocoa?

Just to give you a better idea. If you've ever heard of Club.Live and LiveMacro. I basically want to make a Mac OS X version of LiveMacro. :D (Like I said; eventually as I'm still learning)

Description of what I'm looking to do:
Scan the memory for a certain number. Then scan the narrowed down amount of numbers for a new certain number(repeat until there is only one left) then change that number (which is a percentage) to 100.


Also, something I'm going to have to tackle later: macros. It would be nice if you also had any links to articles about writing Keyboard/Mouse macros under Cocoa/Obj-C.

I have searched Google and Developer.Apple and I have found nothing. :( (not sure if I'm using the correct terms and such)

I did find a great article on writing a memory scanner. Although, it was for Windows and written in C#.

Thanks!
:) :apple:



garethlewis2
Jul 20, 2007, 03:27 AM
I don't want to sound condescending, but when rewritten your question becomes:

I want to inflate this bike tyre using a Potato but I cannot get it to work. Can you help?

You are using the wrong technology for this. Think of Cocoa as just the graphic layer of your application. You can use C calls directly in your Objective-C programs to look at memory. Just create a byte *pointer and set it to look at a certain memory address, then use standard pointer access to look at the data. You can then copy this data into another malloced byte buffer and use an NSView to look at it.

MacMan93
Jul 20, 2007, 03:40 AM
I don't want to sound condescending, but when rewritten your question becomes:

I want to inflate this bike tyre using a Potato but I cannot get it to work. Can you help?

You are using the wrong technology for this. Think of Cocoa as just the graphic layer of your application. You can use C calls directly in your Objective-C programs to look at memory. Just create a byte *pointer and set it to look at a certain memory address, then use standard pointer access to look at the data. You can then copy this data into another malloced byte buffer and use an NSView to look at it.

Yes, no offence taken. I see what you're saying. (I typed it fast and am tired :o )

Thanks. I will go and try to find some information on accessing memory using C.

MacMan93
Jul 21, 2007, 10:17 PM
Ok, I have been reading up on pointers and such. So far, I think I've made pretty good progress. I'm still having a little trouble with finding the values. Here is what I'm thinking (won't compile, just to explain where I'm at so far):

int *memPtr;

memPtr = ? // This is where I'm stuck. Do I just start off at the first memory address or what?

if (*memPtr == 10) // Current percent completion
{
    *memPtr = 100; // change 10 to 100% completion
}

memPtr = ? // the next memory block over.




This is not exactly what I want to do. But I'm just trying to get finding, reading, and changing memory values. After I figure out how to get past my current situation I will go into narrowing down the memory values until I get just one left.(then actually changing the value when I pinpoint 1 memory location that has matched up every time) There are probably MANY instances of "10" stored in the memory.

EDIT:
Here is a program I wrote to test out actually changing the value:
#include <stdio.h>

int *ptr;   // Pointer to store memory address
int p = 7;  // Percent (sample value)

int main(void) {
    printf("p = %i\n", p); // Tells what the current percent is

    ptr = &p; // Gets the address of p and stores it in "ptr"

    printf("The address of p is: %p\n", (void *)ptr); // displays address of p

    *ptr = 100; // Changes value of p using a pointer

    printf("p is now equal to: %i\n", p); // displays what the percent is now

    return 0;
}

This actually compiles and works. Still stuck on the part I mentioned in the first code snippet in this post. Any help with that would be greatly appreciated!

Thanks so far!!! (And before posting I had no clue what pointers do and I knew very limited C.) Now still very limited... but I'm so excited that I'm getting close to at least having a command line version of this! :eek: :) :D

:apple:

robbieduncan
Jul 22, 2007, 03:30 AM
What, exactly, are you trying to change? You can't just get a pointer to some memory and change values without expecting things to crash completely. You cannot access memory across process boundaries at all. So your program cannot change the memory state of another program.

savar
Jul 22, 2007, 10:20 AM
It looks like you're trying to modify some value in a running application?

There were old programs that did this, usually for the purpose of modifying a game. Like giving yourself a million points or something.

This will never work on any modern operating system. Foremost, each application runs in its own virtual memory space, so if you address memory from 0 to 0xFFFF FFFF FFFF FFFF (max address for a 32 bit memory space), it's still all in your own address space. So it's literally not possible to address another application's memory.

Windows, Mac OS X, and every single Linux and Unix I've ever used have virtual memory that essentially works this way.

You could modify the target application itself, but seriously it sounds like you're out of your league here.

MacMan93
Jul 22, 2007, 09:54 PM
It looks like you're trying to modify some value in a running application?

There were old programs that did this, usually for the purpose of modifying a game. Like giving yourself a million points or something.

This will never work on any modern operating system. Foremost, each application runs in its own virtual memory space, so if you address memory from 0 to 0xFFFF FFFF FFFF FFFF (max address for a 32 bit memory space), it's still all in your own address space. So it's literally not possible to address another application's memory.

Windows, Mac OS X, and every single Linux and Unix I've ever used have virtual memory that essentially works this way.

You could modify the target application itself, but seriously it sounds like you're out of your league here.

Yes, that is almost exactly what I'm trying to do. There are some online games on Club.Live.com. When you play them you collect tickets and with the tickets you can get free stuff from....Micro$oft.

There is a program called LiveMacro which does what I'm trying to write although it is for Windows. I am trying to make a Mac OS X version of it. (I do NOT have any source code. But I'm willing to email the guy and see if he can help me out any bit)

The games are flash and run in the browser.

I'm still confused how this is possible in Windows but not in OS X.

CheatEngine and T-Search are also programs for Windows that can modify memory to cheat in games. I just can't see how it is impossible for OS X.....

I have got my program to be able to read the values of random memory addresses...(and I can change them but I don't want to crash the computer)

robbieduncan
Jul 23, 2007, 02:14 AM
If they are running in Flash within a browser it is possible that another plugin running in the same browser could alter the memory of a plugin within the same browser as this would not cross any process boundaries.

As noted above all the memory you are accessing "at random" is within a virtual address space so is within your own process. It is not another application's memory.

If you did this on Windows you would get the same result.

garethlewis2
Jul 23, 2007, 02:38 AM
Ah.

Now I see what you are trying to do.

I am going to put my psychic hat on. It is the one featured in Harry Potter.

The program on Windows must be running, but it must take a snapshot of the memory before something happens, and a snapshot of the Flash program's memory after an event of some type has occurred. It then compares the differences and determines what has changed. This is a very clunky way of doing things, but it does work. It is how HD-DVD and Blu-Ray got cracked so easily.

You're going about this the wrong way. You need to write a plugin for Safari that specifically only gets called when a Flash program of the type you want to modify is executed. That is going to be completely different to the way Windows would do it. A plugin like yours will only get called by Safari when a compatible HTML tag is encountered; the Flash plugin doesn't run all the time. Only when Flash is on the page and is visible.

You should check out the Apple developer mailing list, specifically the Safari one. It is the only place that most Apple engineers will post to.

savar
Jul 23, 2007, 03:02 AM
The games are flash and run in the browser.

I'm still confused how this is possible in Windows but not in OS X.

CheatEngine and T-Search are also programs for Windows that can modify memory to cheat in games. I just can't see how it is impossible for OS X.....

I have got my program to be able to read the values of random memory addresses...(and I can change them but I don't want to crash the computer)

Robbieduncan is correct. Since you're talking about a web browser, it would probably be possible to do what you're doing since the flash and your plugin would be running in the same memory space.

Still, it sounds pretty tough. On an old system you could do this:

int searchValue = 20;
int *p = 0; // start scanning at address 0
while (*p != searchValue) p++; // no bounds or mapping check
printf("found value %d at address %p", *p, (void *)p);

But I don't think this would work on a modern system for several reasons. One is that memory is almost guaranteed not to be contiguously mapped. Which means your plugin would crash the browser as soon as it tried to reference any unmapped memory.

It would be far less effort for you to buy Windows XP and install it on your Mac and then run this other guy's program.

MacMan93
Jul 23, 2007, 03:30 AM
Robbieduncan is correct. Since you're talking about a web browser, it would probably be possible to do what you're doing since the flash and your plugin would be running in the same memory space.

Still, it sounds pretty tough. On an old system you could do this:

int searchValue = 20;
int *p = 0; // start scanning at address 0
while (*p != searchValue) p++; // no bounds or mapping check
printf("found value %d at address %p", *p, (void *)p);

But I don't think this would work on a modern system for several reasons. One is that memory is almost guaranteed not to be contiguously mapped. Which means your plugin would crash the browser as soon as it tried to reference any unmapped memory.

It would be far less effort for you to buy Windows XP and install it on your Mac and then run this other guy's program.

I already have a PC computer and my mac mini with a beta version of VMware Fusion + XP installed.

I was simply doing this for the challenge, boredom, and something to motivate me to learn C then later Obj-C :)

MacMan93
Jul 24, 2007, 07:47 AM
http://www.codeproject.com/csharp/sojaner_memory_scanner.asp

I downloaded this and ran it. (This is under XP and written in C#.) When it runs it asks you which process you want to scan.

Is there any way I can do something similar to that to gain access to another program's memory under OS X?

overcast
Jul 24, 2007, 09:31 AM
I already have a PC computer and my mac mini with a beta version of VMware Fusion + XP installed.

I was simply doing this for the challenge, boredom, and something to motivate me to learn C then later Obj-C :)
I think you had better start with "Hello World" and work up from there.

ChrisA
Jul 24, 2007, 05:55 PM
It looks like you're trying to modify some value in a running application?

This will never work on any modern operating system. Foremost, each application runs in its own virtual memory space...

Don't say "never". There is a system call to map data from one virtual address space into another. The kernel does this routinely. For example, if you run two copies of Safari the code is physically only in RAM once but is mapped into both processes' address spaces.

One good example of a program that can access the memory of another is the common debugger called "gdb" that Apple ships as part of Xcode. Notice that one of the arguments is "Process ID". It can attach to a running process and read/write data in that process. If you own both processes or if you are running as root it can be done. The normal UNIX file permissions apply.

So there is already a program that can do this from the command line so why write another? Just use the debugger. But if you want to, look at mmap(2) man page. It says you can only look at bytes in a file but remember _everything_ is a file in UNIX.

None of this is OS X specific. It's been this way from at least the mid 80's
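
The isolation point made earlier in the thread and the shared-mapping point in the post above can be seen side by side in a short POSIX C program (an added example, not code from any poster; the names `private_p`, `shared_p` and `isolation_demo` are made up for illustration). A child process writes 100 through a pointer to an ordinary global and through a pointer into an `mmap` region created with `MAP_SHARED`; the parent only sees the second write.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* expose MAP_ANONYMOUS under strict -std= modes */
#endif
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON /* older BSD / Mac OS X spelling */
#endif

static int private_p = 7; /* ordinary global: every process has its own copy */

/* The child writes 100 through both pointers; the values the PARENT reads
 * afterwards are stored in *private_seen and *shared_seen. Returns 0 if ok. */
int isolation_demo(int *private_seen, int *shared_seen)
{
    /* One anonymous page that stays mapped in both processes after fork(). */
    int *shared_p = mmap(NULL, sizeof *shared_p, PROT_READ | PROT_WRITE,
                         MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (shared_p == MAP_FAILED)
        return -1;
    *shared_p = 7;
    private_p = 7;

    pid_t pid = fork();
    if (pid == 0) {
        int *ptr = &private_p; /* same virtual address as in the parent */
        *ptr = 100;            /* lands in the child's private copy only */
        *shared_p = 100;       /* lands in the page both processes map */
        _exit(0);
    }
    int status = 0;
    int ok = pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status);

    *private_seen = private_p; /* unchanged: the child's write never got here */
    *shared_seen = *shared_p;  /* changed: the kernel shares this page */
    munmap(shared_p, sizeof *shared_p);
    return ok ? 0 : -1;
}

int main(void)
{
    int priv = 0, shared = 0;
    if (isolation_demo(&priv, &shared) != 0)
        return 1;
    printf("parent sees private p = %d, shared p = %d\n", priv, shared);
    return 0;
}
```

The pointer value stored in `ptr` is identical in parent and child, which is why scanning "all of memory" from inside one process only ever reaches that process's own pages.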

savar
Jul 25, 2007, 10:23 AM
One good example of a program that can access the memory of another is the common debugger called "gdb" that Apple ships as part of Xcode. Notice that one of the arguments is "Process ID". It can attach to a running process and read/write data in that process. If you own both processes or if you are running as root it can be done. The normal UNIX file permissions apply.

Hmm.. interesting idea. I forgot that gdb could attach to an existing process.

I guess the OP has his work cut out for him. :D

Source for GDB is here: http://sourceware.org/gdb/current/

Good luck, I'd definitely like to hear more about this!

scrod
Jul 29, 2007, 02:03 PM
It is indeed possible to do this on Mac OS X, and someone has already beat you to it. Behold, the OS X equivalent to the classic Mac OS' Pandora's Box: The Cheat (http://www.brokenzipper.com/thecheat/)

It uses official Mach kernel APIs (http://www.brokenzipper.com/developer/howthecheatworks.html) to read and alter memory of other running processes owned by the same user.

(And there's even source code available to show you how!)

MacMan93
Jul 30, 2007, 06:42 AM
It is indeed possible to do this on Mac OS X, and someone has already beat you to it. Behold, the OS X equivalent to the classic Mac OS' Pandora's Box: The Cheat (http://www.brokenzipper.com/thecheat/)

It uses official Mach kernel APIs (http://www.brokenzipper.com/developer/howthecheatworks.html) to read and alter memory of other running processes owned by the same user.

(And there's even source code available to show you how!)

Thanks a bunch!

Now, if I can only get it to work. It may be something with it being a PPC app and I have an Intel mac. (It always returns zero results) I'm going to try and test it on my G3 iMac later.

scrod
Jul 31, 2007, 10:42 PM
Thanks a bunch!

Now, if I can only get it to work. It may be something with it being a PPC app and I have an Intel mac. (It always returns zero results) I'm going to try and test it on my G3 iMac later.

You may find this thread to be of use:
http://forum.brokenzipper.com/index.php?showtopic=305