|
NAMEscanmem - locate and modify variables in an executing process.SYNOPSISscanmem [options] [target-program-pid]DESCRIPTIONscanmem is an interactive debugging utility that can be used to isolate the address of a variable in an executing process by successively scanning the process' address space looking for matching values.By informing scanmem how the value of the variable changes over time, it can determine the actual location (or locations) of the variable by successively eliminating non-matches. scanmem determines where to look by searching for mappings with read/write permission, these are referred to as regions. Users can eliminate regions they believe are likely unrelated to the target variable (for example, located in a shared library unrelated to the variable in question), this will improve the speed of the scan, which can initially be quite slow in large programs. Once a variable has been found, scanmem can monitor the variable, or change it to a user specified value, either once, or continually over a period of time. scanmem works similarly to the "pokefinders" once commonly used to cheat at video games, this function is a good demonstration of how to use scanmem, and is used in the documentation. USAGEscanmem should be invoked with the process id of the program you wish to debug as an argument. Once started, scanmem accepts interactive commands. These are described below, however entering help at the > prompt will allow you to access scanmem's online documentation.The target-program-pid can be specified in decimal, hexadecimal, or octal using the standard C language notation (leading 0x for hexadecimal, leading 0 for octal, anything else is assumed to be decimal).
COMMANDSWhile in interactive mode, scanmem prints a decimal number followed by >, the number is the current number of possible candidates for the target variable that are known. The absence of said number indicates that no possible variables have been eliminated yet.The default scan data type is "int". It can be changed with the option command.
EXAMPLESCheat at nethack, on systems where nethack is not installed sgid.ATTENTION: scanmem usually requires root privileges. See KNOWN ISSUES for details. $ sudo scanmem `pgrep nethack` info: maps file located at /proc/14658/maps opened. info: 9 suitable regions found. Please enter current value, or "help" for other commands. > I enter how much gold I currently have (58 pieces) and let scanmem find the potential candidates. > 58 01/09 searching 0x79f000 - 0x7b0000..........ok 02/09 searching 0x7b0000 - 0x7cc000..........ok 03/09 searching 0x24d2000 - 0x24f3000..........ok 04/09 searching 0x7fcc04baa000 - 0x7fcc04bae000..........ok 05/09 searching 0x7fcc04de1000 - 0x7fcc04de2000..........ok 06/09 searching 0x7fcc051f7000 - 0x7fcc051fb000..........ok 07/09 searching 0x7fcc05227000 - 0x7fcc0522a000..........ok 08/09 searching 0x7fcc0522c000 - 0x7fcc0522d000..........ok 09/09 searching 0x7ffc8c113000 - 0x7ffc8c134000..........ok info: we currently have 16 matches. 16> list [ 0] 7b09e0, 1 + 3b09e0, exe, 58, [I64 I32 I16 I8 ] [ 1] 7b907a, 1 + 3b907a, exe, 58, [I8 ] [ 2] 24d4b6c, 2 + 2b6c, heap, 58, [I16 I8 ] [ 3] 24d567e, 2 + 367e, heap, 58, [I16 I8 ] [ 4] 24d5740, 2 + 3740, heap, 58, [I8 ] [ 5] 7fcc05229951, 6 + 2951, misc, 58, [I8 ] [ 6] 7ffc8c12ee28, 8 + 1be28, stack, 58, [I16 I8 ] [ 7] 7ffc8c132381, 8 + 1f381, stack, 58, [I8 ] [ 8] 7ffc8c132389, 8 + 1f389, stack, 58, [I8 ] [ 9] 7ffc8c132391, 8 + 1f391, stack, 58, [I8 ] [10] 7ffc8c132399, 8 + 1f399, stack, 58, [I8 ] [11] 7ffc8c1323a1, 8 + 1f3a1, stack, 58, [I8 ] [12] 7ffc8c1323a9, 8 + 1f3a9, stack, 58, [I8 ] [13] 7ffc8c1331a3, 8 + 201a3, stack, 58, [I8 ] [14] 7ffc8c13325f, 8 + 2025f, stack, 58, [I8 ] [15] 7ffc8c133264, 8 + 20264, stack, 58, [I8 ] 16> 16 potential matches were found. This is also displayed in the prompt. Many of them are quite unrelated, as they are part of the stack, belong to libraries or miscellaneous memory-mapped files. Even the heap is unlikely for a very old command line game. We could make scanmem eliminate these manually using the delete command, however just waiting until the amount of gold changes and telling scanmem the new value should be enough. I find some more gold, and tell scanmem the new value, 83. 16> 83 ..........info: we currently have 1 matches. info: match identified, use "set" to modify value. info: enter "help" for other commands. 1> list [ 0] 7b09e0, 1 + 3b09e0, exe, 83, [I64 I32 I16 I8 ] Only one of the 16 original candidates now has the value 83, so this must be where the amount of gold is stored. I'll try setting it to 10,000 pieces. 1> set 10000 info: setting *0x7b09e0 to 0x2710... 1> The resulting nethack status: Dlvl:1 $:10000 HP:15(15) Pw:2(2) AC:7 Exp:1 Conclusion: We've found and modified the gold value as I32 in static memory of the executable at virtual memory address 0x7b09e0. This address belongs to the region with id 1. Now it is important to know if this is a position-independent executable (PIE). We list the regions for this and check the load address of the executable. 1> lregions [ 0] 79f000, 69632 bytes, exe, 400000, rw-, /usr/lib/nethack/nethack.tty [ 1] 7b0000, 114688 bytes, exe, 400000, rw-, unassociated [ 2] 24d2000, 135168 bytes, heap, 24d2000, rw-, [heap] [ 3] 7fcc04baa000, 16384 bytes, misc, 7fcc04baa000, rw-, unassociated [ 4] 7fcc04de1000, 4096 bytes, misc, 7fcc04de1000, rw-, unassociated [ 5] 7fcc051f7000, 16384 bytes, misc, 7fcc051f7000, rw-, unassociated [ 6] 7fcc05227000, 12288 bytes, misc, 7fcc05227000, rw-, unassociated [ 7] 7fcc0522c000, 4096 bytes, misc, 7fcc0522c000, rw-, unassociated [ 8] 7ffc8c113000, 135168 bytes, stack, 7ffc8c113000, rw-, [stack] We are on x86_64 and 0x400000 is the static load address for executables there. This means that this is not a PIE and the gold is always stored at 0x7b09e0. This makes it easy to use a game trainer like GameConqueror which refills the gold value periodically. With a PIE we have to use the match offset (0x3b09e0 here) instead and an advanced game trainer with PIE support has to determine and add the current load address to it to get the current memory address of the gold value of the current game run. NOTESscanmem has been tested on multiple large programs, including the 3d shoot-em-up quake3 linux. scanmem is also tested on ARM platforms and comes with Android support since version 0.16.Obviously, scanmem can crash your program if used incorrectly. Some programs store values in multiple locations, this is why set will change all known matches. Address Space Layout Randomization (ASLR) together with position-independent executables (PIE), position-independent code (PIC) or dynamic memory on the heap causes variables to be loaded to different memory addresses at every game start. Advanced game trainers like ugtrain are required to periodically refill variables is such memory regions. KNOWN ISSUESscanmem usually requires root privileges for ptrace(2) because security modules control ptrace() capabilities. On x86 and x86_64 there is usually the Yama security module providing the file /proc/sys/kernel/yama/ptrace_scope. It is available since Linux 3.4. If this file contains "1", then only parents may ptrace() their children without root privileges. This means that scanmem would have to run the game. This is not possible as this would require major design changes. So we run scanmem as root.The first scan can be very slow on large programs, this is not a problem for subsequent scans as huge portions of the address space are usually eliminated. This could be improved in future, perhaps by assuming all integers are aligned by default. Suggestions welcome. The snapshot command uses memory inefficiently, and should probably not be used on large programs. HOMEPAGEhttps://github.com/scanmem/scanmemAUTHORSTavis Ormandy <taviso(a)sdf.lonestar.org> http://taviso.decsystem.org/Eli Dupree <elidupree(a)charter.net> WANG Lu <coolwanglu(a)gmail.com> Sebastian Parschauer <s.parschauer(a)gmx.de> Andrea Stacchiotti <andreastacchiotti(a)gmail.com> All bug reports, suggestions or feedback welcome. SEE ALSOgameconqueror(1) ptrace(2) proc(5) nethack(6) pidof(8)
Visit the GSP FreeBSD Man Page Interface. |