www.main.lv
Don't think just code it


2010-11-18 Scan memory for variable


Some days ago I was playing a game. As I do not play games very often, I wanted to change some variables in memory, like ammo quantity or health. Maybe it is not very interesting to play a game with "cheating", but there is much more interest in playing with the program.
scanmem can help with such play.
Here is an example program that will help us learn how to use scanmem:

#include <stdio.h>
#include <stdlib.h>

unsigned int secret_dw = 1000; /* variable we will search for */
unsigned int tmp;              /* holds the input value */


int main()
{
	/* (unsigned int)-1 is UINT_MAX, so entering 4294967295 ends the loop */
	while ( secret_dw != (unsigned int)-1 )
	{
		if ( scanf("%u",&tmp) != 1 )
			break; /* stop on EOF or bad input instead of looping forever */
		printf("secret_dw was %u \n",secret_dw);
		secret_dw = tmp;
		tmp = 0; /* zeroed so that scanmem does not also find tmp */
	}
	printf("\bExit\n");
	return 0;
}
Here there are only two variables: secret_dw, whose value we will search for, and tmp, which stores the input. tmp is also zeroed after each input; if it were not, we would find both tmp and secret_dw. Compile the example with
make
and run
./example
And in parallel run
$ scanmem `pidof example`
scanmem version 0.11
Copyright (C) 2009,2010 Tavis Ormandy, Eli Dupree, WANG Lu
Copyright (C) 2006-2009 Tavis Ormandy
scanmem comes with ABSOLUTELY NO WARRANTY; for details type `show warranty'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show copying' for details.

info: maps file located at /proc/1801/maps opened.
info: 5 suitable regions found.
Please enter current value, or "help" for other commands.
As we are searching for a 4-byte unsigned value, we tell scanmem by setting the option
0> option scan_data_type int32
Now we are ready to start our game. At the beginning we know that our secret_dw value is 1000, but we will not use it. Type 1 in the example:
1
secret_dw was 1000
and then 1 in scanmem:
0> 1
info: 01/05 searching  0x8049000 -  0x804a000...........ok
info: 02/05 searching 0xb763d000 - 0xb763e000...........ok
info: 03/05 searching 0xb7787000 - 0xb778a000...........ok
info: 04/05 searching 0xb77a7000 - 0xb77a9000...........ok
info: 05/05 searching 0xbf9d4000 - 0xbf9f5000...........ok
info: we currently have 58 matches.
As we can see, 58 matches. WooHoo. Now type 1000 in the example:
1000
secret_dw was 1
and 1000 in scanmem:
58> 1000
..........info: we currently have 2 matches.
Only 2 now. scanmem also has many built-in commands; you can see them by typing help. One of them is 'list'. Use it.
2> list
[ 0]            0x8049680, 1000, [I32 ]
[ 1]           0xbf9f2dd8, 1000, [I32 ]
Here is the list of matched variables: number, address, value, size (I32 = 32-bit integer). By the address we see that our variable is number 0: 0x8049680 lies in the program's own data region (the first region searched), while 0xbf9f2dd8 lies in the stack region.
2> set 0=999
info: setting *0x8049680 to 0x3e7...
2> list
[ 0]            0x8049680, 1000, [I32 ]
[ 1]           0xbf9f2dd8, 1000, [I32 ]
Now our variable has the value 999. When you type list it may be a little confusing that the values shown are still the same (list still shows the values recorded by the last scan, not the value we just set). Go to the example:
12
secret_dw was 999
Yes! We have changed our variable. Our goal is completed. scanmem webpage: http://taviso.decsystem.org/scanmem.html
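The narrowing scan that scanmem ran above, replayed on a constructed in-process array as an added example (this is not code from the post or from scanmem): a first scan collects every slot holding the typed value, each later scan keeps only candidates that hold the new value, and running the replay with and without the example program's `tmp = 0` line shows why that line is there. Slot numbers, the filler values and the `replay`/`candidate` helpers are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for one scanned region of the example program:
 * slot SECRET plays secret_dw, slot TMP plays tmp, the rest is unrelated data. */
#define NSLOTS 12
#define SECRET 3
#define TMP    7
static size_t cand[NSLOTS];      /* candidate slots surviving the scans so far */

static size_t scan_initial(const uint32_t *mem, uint32_t value)  /* first scan: all slots == value */
{
    size_t n = 0;
    for (size_t i = 0; i < NSLOTS; i++)
        if (mem[i] == value) cand[n++] = i;
    return n;
}

static size_t scan_narrow(const uint32_t *mem, uint32_t value, size_t n) /* keep only still-matching */
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (mem[cand[i]] == value) cand[kept++] = cand[i];
    return kept;
}

/* Replay the session from the post: type 1, scan for 1, type 1000, scan for 1000.
 * zero_tmp mirrors the `tmp = 0;` line of the example program.
 * Returns the number of candidates left after the second scan; see candidate(). */
static size_t replay(int zero_tmp)
{
    /* slots 6 and 11 already hold 1000 but never become candidates: they were not 1 at the first scan */
    uint32_t mem[NSLOTS] = {7, 1, 0, 1000, 1, 42, 1000, 0, 1, 3, 0, 1000};
    mem[TMP] = 1;    mem[SECRET] = mem[TMP]; if (zero_tmp) mem[TMP] = 0;  /* user types 1 */
    size_t n = scan_initial(mem, 1);
    mem[TMP] = 1000; mem[SECRET] = mem[TMP]; if (zero_tmp) mem[TMP] = 0;  /* user types 1000 */
    return scan_narrow(mem, 1000, n);
}

static size_t candidate(size_t k) { return cand[k]; }   /* k-th surviving slot */

int main(void)
{
    size_t n = replay(1);
    printf("tmp zeroed:     %zu match(es), slot %zu\n", n, candidate(0));
    n = replay(0);
    printf("tmp not zeroed: %zu match(es), slots %zu and %zu\n", n, candidate(0), candidate(1));
    return 0;
}
```

With tmp zeroed only the secret slot survives the second scan; without the zeroing the tmp slot matches both typed values as well and the scan cannot tell the two apart.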

The source archive contains the program output and the example code.

2010-03-05 Linux antidebug 3

Now we will try to make the disassembler output very unclear. We make the jump through the eax register.
Program 1

main:
	push lbl+1
	pop eax
	jmp eax	
lbl:
	db 0xe8
	mov eax, 4
	mov ebx, 1
	mov ecx, msg1
	mov edx, msg1_size
	int 80h
	
	mov eax, 1
	mov ebx, 0
	int 80h
The disassembler output is the same as the source; nothing changes.
Disassembler output 1
? ....... ! main:                           ;xref o80482d7     
? ....... !   push        offset_804837d                  
? 8048379 !   pop         eax                        
? 804837a !   jmp         eax                         
? 804837c     db          0e8h                            
? 804837d !                                                   
? ....... ! offset_804837d:                 ;xref o8048374 
? ....... !   mov         eax, 4                       
? 8048382 !   mov         ebx, 1                   
? 8048387 !   mov         ecx, strz_I_am_running__8049568  
? 804838c !   mov         edx, 0eh           
? 8048391 !   int         80h              
? 8048393 !   mov         eax, 1             
? 8048398 !   mov         ebx, 0 
? 804839d !   int         80h 


Here we add only one instruction: we push the address of lbl and add 1 to it in eax. The disassembler cannot compute the target of the jmp.
Program 2
As in the first program, the disassembler assumes that we push the real code address and disassembles from there, so our junk byte 0xe9 is decoded as the start of an instruction. That is nice.
main:
	push lbl
	pop eax
	inc eax
	jmp eax
lbl:
	db 0xe9
	mov eax, 4
	mov ebx, 1
	mov ecx, msg1
	mov edx, msg1_size
	int 80h
	
	mov eax, 1
	mov ebx, 0
	int 80h

Disassembler output 2
? ....... ! main:                           ;xref o80482d7  
? ....... !   push        offset_804837d 
? 8048379 !   pop         eax            
? 804837a !   inc         eax     
? 804837b !   jmp         eax   
? 804837d !                      
? ....... ! offset_804837d:                 ;xref o8048374 
? ....... !   jmp         804883ah        
? 8048382     add         [ebx+1], bh     
? 8048388     mov         ecx, 8049568h   
? 804838d     mov         edx, 0eh  
? 8048392     int         80h     
? 8048394     mov         eax, 1  
? 8048399     mov         ebx, 0 
? 804839e     int         80h 
Now we add a nop instruction after every line of our code, and use the same trick once more with jmp lbl2+1 before the final int 80h. It has no impact on how the program works.
Program 3
main:
	push lbl
	pop eax
	inc eax
	jmp eax
lbl:
	db 0xe9
	mov eax, 4
	nop 
	mov ebx, 1
	nop
	mov ecx, msg1
	nop
	mov edx, msg1_size
	int 80h
	
	mov eax, 1
	mov ebx, 0
	jmp lbl2+1
lbl2:
	db 0xe9
	int 80h

The disassembler output is now very nice: it is no longer readable. The first time you look at it, it is very unclear what exactly this code does.
Disassembler output 3
? ....... ! main:                           ;xref o80482d7
? ....... !   push        offset_804837d  
? 8048379 !   pop         eax   
? 804837a !   inc         eax     
? 804837b !   jmp         eax  
? 804837d !               
? ....... ! offset_804837d:                 ;xref o8048374 
? ....... !   jmp         804883ah   
? 8048382     add         [eax+1bbh], dl
? 8048388     add         [eax+49578b9h], dl  
? 804838e     or          [eax+0ebah], dl     
? 8048394     add         ch, cl               
? 8048396     cmp         byte ptr [eax+1], 0bbh  
? 804839d     add         [eax], al   
? 804839f     add         [eax], al  
? 80483a1     jmp         80483a4h
? 80483a3     jmp         98950475h  

Here is one more way to make an unclear jump to another place. We call a function, and inside the function we increase the return address by 1.

Program 4
That also works fine. The disassembler does not know the real return address and decodes the 0xe8 byte as a call, as it thinks best.
main:
	call fun
	db 0xe8
	mov eax, 4
	mov ebx, 1
	mov ecx, msg1
	mov edx, msg1_size
	int 80h
	
	mov eax, 1
	mov ebx, 0
	int 80h
	
fun:
	pop ebp
	inc ebp
	push ebp
	ret

Disassembler output 4
? ....... ! main:                           ;xref o80482d7 
? ....... !   call        sub_804839c   
? 8048379 !   call        8048836h  
? 804837e !   add         [ebx+1], bh      
? 8048384 !   mov         ecx, strz_I_am_running__8049568
? 8048389 !   mov         edx, 0eh
? 804838e !   int         80h 
? 8048390 !   mov         eax, 1 
? 8048395 !   mov         ebx, 0
? 804839a !   int         80h 
? 804839c !                       
? ....... ! ;-----------------------     
? ....... ! ;  S U B R O U T I N E   
? ....... ! ;----------------------- 
? ....... ! sub_804839c:                    ;xref c8048374  
? ....... !   pop         ebp     
? 804839d !   inc         ebp     
? 804839e !   push        ebp 
? 804839f !   ret  


Source

2009-04-13 Map Editor

This is a simple map editor for small games. I also think it will be useful for other people who have started writing a game and made their first test maps.
Download

2008-09-14 Star generator

A Python script that generates a picture of points from a bmp image. The colours in the bmp image act as a coefficient map that lets you generate more random points in any place of the image you want. Shown here is the source image from which the points were generated onto a black image.
Download