
Scanmem

scanmem is a simple interactive debugging utility for Linux, used to locate the address of a variable in an executing process. This can be used for the analysis or modification of a hostile process on a compromised machine, reverse engineering, or as a "pokefinder" to cheat at video games.

[screenshot: scanmem.thumb.jpg]

Features

  • Interactive command mode, with online help.
  • Specify target value exactly, or using abstract "higher" and "lower".
  • Supports variable width targets.
  • Set variable to any value.
  • Modify variables once, or continually over user specified period.
  • Detailed information about mappings, allowing users to eliminate regions.

Example

You can use scanmem to cheat at nethack (on systems where nethack is not installed sgid: scanmem attaches to the target with ptrace, and the kernel only permits that when the attaching process's credentials match the target's, or the attacher has CAP_SYS_PTRACE). Here is an example session finding and setting my gold to an arbitrary value.

$ scanmem --pid `pidof nethack`
info: attaching to pid 17907.
info: maps file located at /proc/17907/maps opened.
info: 17 suitable regions found.
Please enter current value, or "help" for other commands.
0>

The 0 in the scanmem prompt indicates there are no known matches, so I enter my current gold level (12 pieces) and ask it to search for possible matches.

0> 12
info: searching 0xbfff9000 - 0xc0000000...........ok
info: searching 0x401c2000 - 0x401e3000...........ok
info: searching 0x401c1000 - 0x401c2000...........ok
info: searching 0x401b6000 - 0x401b8000...........ok
info: searching 0x401b5000 - 0x401b6000...........ok
info: searching 0x40189000 - 0x4018a000...........ok
info: searching 0x40188000 - 0x40189000...........ok
info: searching 0x40181000 - 0x40183000...........ok
info: searching 0x4017f000 - 0x40181000...........ok
info: searching 0x40070000 - 0x40071000...........ok
info: searching 0x40068000 - 0x40070000...........ok
info: searching 0x40030000 - 0x40031000...........ok
info: searching 0x40029000 - 0x4002a000...........ok
info: searching 0x4001f000 - 0x40020000...........ok
info: searching 0x40016000 - 0x40017000...........ok
info: searching 0x081d4000 - 0x0820a000...........ok
info: searching 0x081b7000 - 0x081d4000...........ok
info: we currently have 38 matches.
38>

There are 38 possible matches, so I wait until my gold level changes and enter the new value (15 pieces).

38> 15
info: we currently have 1 matches.
info: match identified, use "set" to modify value.
info: enter "help" for other commands.
1> list
[00] 0x081d6d88 { 15} (unassociated, typically .bss)
1> set 10000
info: setting *0x081d6d88 to 10000...
1>

Excellent, only one possible match. I use the set command to set it to 10,000. The resulting nethack screen is below.

Taviso the Digger          St:17 Dx:9 Co:15 In:14 Wi:13 Ch:9  Lawful
Dlvl:1 $:10000 HP:7(15) Pw:1(1) AC:9 Exp:1 Burdened

scanmem is distributed with a man page that describes all of the commands.

A flash demo of scanmem in action is available here.

Download

You can download the latest version of scanmem from here (sig).

MD5(scanmem-0.07.tar.gz)= a28baa2cf69b58b2773e379a49dae11c

Contact

All bug reports, suggestions or feedback are appreciated.

You can contact me at <taviso (a) sdf lonestar org>

Edited by Matematician
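The session above is scanmem's whole algorithm driven by hand: scan every writable mapping for the current value, keep only the candidates that later hold the new value, then overwrite the survivor. The following is an added example, not scanmem's own code, that implements that search / refine / set loop in Python behind a small memory interface. `ProcMemory` drives a live target through `/proc/PID/maps` and `/proc/PID/mem` (subject to the same credential check as ptrace); `ImageMemory`, the class names, and the decoy offsets in `demo_session()` are constructed for the example, which replays the nethack session on a byte image laid out with the .bss and stack ranges printed above. Matches are taken at every byte offset, not only aligned ones, so the first pass over-approximates and the refine step does the narrowing.

```python
"""Added example (not scanmem's own code): the search / refine / set loop
that the session above drives by hand, written against a tiny memory
interface so it runs on a constructed image here and on a live process
through /proc/PID/maps and /proc/PID/mem."""
import os
import struct

# little-endian integer widths to search for (scanmem supports variable widths)
FORMATS = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}


def encode(value, width):
    return struct.pack(FORMATS[width], value)


class ProcMemory:
    """Live target. Opening /proc/PID/mem needs the same access the kernel
    grants ptrace: matching credentials (hence the sgid caveat) and a
    permissive kernel.yama.ptrace_scope, or CAP_SYS_PTRACE."""

    def __init__(self, pid):
        self.pid = pid
        self.fd = os.open(f"/proc/{pid}/mem", os.O_RDWR)

    def regions(self):
        # only writable mappings can hold a variable the program updates
        with open(f"/proc/{self.pid}/maps") as maps:
            for line in maps:
                addr, perms = line.split()[:2]
                if "w" in perms:
                    start, end = (int(x, 16) for x in addr.split("-"))
                    yield start, end

    def read(self, addr, size):
        return os.pread(self.fd, size, addr)

    def write(self, addr, data):
        os.pwrite(self.fd, data, addr)


class ImageMemory:
    """Constructed stand-in: {start_address: bytearray} with the same API."""

    def __init__(self, image):
        self.image = image

    def regions(self):
        for start, buf in self.image.items():
            yield start, start + len(buf)

    def _locate(self, addr, size):
        for start, buf in self.image.items():
            if start <= addr and addr + size <= start + len(buf):
                return buf, addr - start
        raise OSError(f"unmapped address {addr:#x}")

    def read(self, addr, size):
        buf, off = self._locate(addr, size)
        return bytes(buf[off:off + size])

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data


def initial_scan(mem, value, width=4):
    """The "0>" prompt: every address in a writable region holding value."""
    needle = encode(value, width)
    matches = []
    for start, end in mem.regions():
        try:
            data = mem.read(start, end - start)
        except OSError:
            continue            # mappings the kernel refuses to read
        pos = data.find(needle)
        while pos != -1:
            matches.append(start + pos)
            pos = data.find(needle, pos + 1)
    return matches


def refine(mem, candidates, value, width=4):
    """Later prompts: keep only candidates that moved to the new value."""
    needle = encode(value, width)
    kept = []
    for addr in candidates:
        try:
            if mem.read(addr, width) == needle:
                kept.append(addr)
        except OSError:
            pass
    return kept


def set_value(mem, addr, value, width=4):
    """The "set" command: overwrite the located variable in place."""
    mem.write(addr, encode(value, width))


def demo_session():
    """Replays the nethack session on a constructed image. The region bounds
    and gold address are the ones printed above; the decoy offsets are made
    up. Returns both match lists and the final value at the gold address."""
    base, gold_addr = 0x081d4000, 0x081d6d88
    mem = ImageMemory({base: bytearray(0x0820a000 - base),
                       0xbfff9000: bytearray(0xc0000000 - 0xbfff9000)})
    decoys = [base + 0x100, base + 0x2000, base + 0x30004]
    for addr in [gold_addr] + decoys:
        mem.write(addr, encode(12, 4))       # everything looks like 12 gold
    first = initial_scan(mem, 12)
    mem.write(gold_addr, encode(15, 4))      # the game pays out 3 gold
    second = refine(mem, first, 15)          # decoys still read 12
    if len(second) == 1:
        set_value(mem, second[0], 10000)
    final = struct.unpack("<I", mem.read(gold_addr, 4))[0]
    return first, second, final


if __name__ == "__main__":
    first, second, final = demo_session()
    print(len(first), "matches, then", [hex(a) for a in second], "->", final)
```

To run the same loop against a live process, replace `ImageMemory(...)` with `ProcMemory(pid)` and feed `initial_scan` / `refine` the values you read off the screen; the attach will fail with EACCES or EPERM exactly where ptrace would, which is the check to make before blaming the scan.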