Geek Answers Handbook

Change memory address via C #, how to set the operator?

I want to edit the active application (edit memory address),

at 00498D45 I want to change its value

currect value:

 MOV BYTE PTR SS:[EBP-423],7

to

updated value:

  MOV BYTE PTR SS:[EBP-423],8

what i got so far is this (searched about it on the net and this is how far i got):

early!

now using this code:

what should it look like?

 WriteMemory(Process process,00498D45 , MOV BYTE PTR SS:[EBP-423],8)

but I can’t compile / debug it, how can I configure it?

thanks in advance,

here is the code:

 using System.Runtime.InteropServices; [Flags] public enum ProcessAccessFlags : uint { All = 0x001F0FFF, Terminate = 0x00000001, CreateThread = 0x00000002, VMOperation = 0x00000008, VMRead = 0x00000010, VMWrite = 0x00000020, DupHandle = 0x00000040, SetInformation = 0x00000200, QueryInformation = 0x00000400, Synchronize = 0x00100000 } [DllImport("kernel32.dll")] private static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId); [DllImport("kernel32.dll", SetLastError = true)] private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten); [DllImport("kernel32.dll", SetLastError = true)] static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out int lpNumberOfBytesRead); [DllImport("kernel32.dll")] public static extern Int32 CloseHandle(IntPtr hProcess); Process process = Process.GetProcessesByName("My Apps Name").FirstOrDefault(); public static bool WriteMemory(Process process, int address, long value, out int bytesWritten) { IntPtr hProc = OpenProcess(ProcessAccessFlags.All, false, process.Id); byte[] val = BitConverter.GetBytes(value); bool worked = WriteProcessMemory(hProc, new IntPtr(address), val, (UInt32) val.LongLength, out bytesWritten); CloseHandle(hProc); return worked; }
-1
source share
1 answer
 WriteMemory(Process process,00498D45 , MOV BYTE PTR SS:[EBP-423],8)

There are so many problems with this, I don’t know where to start. First of all, it is not so close to the correct C # syntax.

  • You call the function, but you have the Process there is a signature.
  • 00498D45 not a valid constant in any database. If you mean hex (which you probably do as you deal with addresses), then like all other C-like languages, this should be expressed as 0x00498D45 .
  • This x86 assembler code is in ASCII (but this is not a string, you are just a mess). You cannot just move the ASCII assembly code to another process address space!

Perhaps you should do a little more research on how compilation and assembly are done when the program is created, and also what your processor actually does when the program runs. In addition, I recommend reading the example code, which you obviously took somewhere and try to understand. You will be better off learning what is happening than asking everyone to help fix what you put together. </rant>

In any case, after you have compiled your code, it looks like this (re-parsed):

 C68559FEFFFF08 mov byte [ebp-0x1a7],0x8

This means that your instruction is actually a string of bytes C6 85 59 FE FF FF 08 . Here is what you need to write to the target application.

This is the foundation of what you are trying to do:

 byte[] new_instr = new byte[] {0xC6, 0x85, 0x59, 0xFE, 0xFF, 0xFF, 0x08}; IntPtr target_addr = (IntPtr)0x00498D45; int bytesWritten; WriteProcessMemory(hProcess, target_addr, new_instr, (UInt32)new_instr.Length, out bytesWritten);

The WriteMemory memory function that you copy and paste will not help you. The problem is that it only writes long , which is 4 bytes. You need to write 7 bytes. Thus, you have to either change this function to use the byte[] parameter, or do it yourself.

+2
source

More articles:


All Articles