
Thread: can simba read memory

  1. #1
    Join Date
    Jan 2012
    Posts
    190
    Mentioned
    0 Post(s)
    Quoted
    10 Post(s)

    can simba read memory

    Hey, I'm wondering if Simba can get a process's memory / read and write to it?
    If so, may someone please kindly show a tutorial..
    I downloaded this as well http://memoryhacking.com/ it's obviously awesome and perhaps it can be of some use,
    and if anyone knows how to read 32bit memory regions with only access to 16bit registers, please explain.

  2. #2
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)


    Everyone seems to want to do memory reading lately..

    https://villavu.com/forum/showthread...32#post1385632


    but try that or roll your own.
    I am Ggzz..
    Hackintosher

  3. #3
    Join Date
    Jul 2016
    Posts
    156
    Mentioned
    2 Post(s)
    Quoted
    81 Post(s)


    I'm a bit confused. I skimmed through this thread and the thread that Brandon linked. Are you trying to manipulate physical addresses directly? I don't see why that would be beneficial.

  4. #4
    Join Date
    Dec 2010
    Posts
    483
    Mentioned
    30 Post(s)
    Quoted
    328 Post(s)


    Quote Originally Posted by Suburbia View Post
    I'm a bit confused. I skimmed through this thread and the thread that Brandon linked. Are you trying to manipulate physical addresses directly? I don't see why that would be beneficial.
    He's trying to read memory from a foreign process. If by manipulate you mean write to said memory, then no, that is not something he ever mentioned. Though, both are hugely beneficial depending on the use-case.

    What is it you don't understand?

  5. #5
    Join Date
    Jul 2016
    Posts
    156
    Mentioned
    2 Post(s)
    Quoted
    81 Post(s)


    Quote Originally Posted by the bank View Post
    He's trying to read memory from a foreign process. If by manipulate you mean write to said memory, then no, that is not something he ever mentioned. Though, both are hugely beneficial depending on the use-case.

    What is it you don't understand?
    I don't know how it is in Windows, but all my comments pertain to memory management in Linux
    "He's trying to read memory from a foreign process."
    1. Which contradicts the idea of the user space. Processes can't access the address space of another process (it's meaningless).

  6. #6
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)


    Quote Originally Posted by Suburbia View Post
    I don't know how it is in Windows, but all my comments pertain to memory management in Linux
    "He's trying to read memory from a foreign process."
    1. Which contradicts the idea of the user space. Processes can't access the address space of another process (it's meaningless).


    I'm sorry, but that isn't true.. at all.. How else would debuggers and break-points work?

    Linux has ptrace: http://man7.org/linux/man-pages/man2/ptrace.2.html
    Windows has ReadProcessMemory/WriteProcessMemory/FlushInstructionCache and ContinueDebugEvent.

    On Linux hooking works with LD_PRELOAD or ELF hooking. On OSX hooking works with DYLD_INSERT_LIBRARIES or DYLD_INTERPOSE and on Windows it works with PE-Injection or ShortJmp + CreateThread, IAT, etc..


    Different techniques.. same result. In any case, OP wants to read another process' memory (I assume NXT in this case.. to emulate reflection/cheat-engine).
    I am Ggzz..
    Hackintosher

  7. #7
    Join Date
    Jul 2016
    Posts
    156
    Mentioned
    2 Post(s)
    Quoted
    81 Post(s)


    Quote Originally Posted by Brandon View Post
    I'm sorry, but that isn't true.. at all.. How else would debuggers and break-points work?

    Linux has ptrace: http://man7.org/linux/man-pages/man2/ptrace.2.html
    Windows has ReadProcessMemory/WriteProcessMemory/FlushInstructionCache and ContinueDebugEvent.

    On Linux hooking works with LD_PRELOAD or ELF hooking. On OSX hooking works with DYLD_INSERT_LIBRARIES or DYLD_INTERPOSE and on Windows it works with PE-Injection or ShortJmp + CreateThread, IAT, etc..


    Different techniques.. same result. In any case, OP wants to read another process' memory (I assume NXT in this case.. to emulate reflection/cheat-engine).
    Two things.
    1.
    ptrace is a system call. Yes, what I should have said is that a user process can't access the address space of another process.

    2.
    ptrace is when you have a child/parent relationship. That was never specified by the OP.

    On a different note, my concern wasn't about accessing the address space of another process. I thought the OP wanted to use physical addresses instead of virtual addresses.

  8. #8
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)


    Quote Originally Posted by Suburbia View Post
    ptrace is when you have a child/parent relationship. That was never specified by the OP.
    Where exactly did you read that it can only be used for child processes? There are debuggers for Linux where you can "Attach" to a process that is already running.. PTrace can be used to do that, so long as ptrace_scope isn't set to 1 or it isn't protected (prctl PR_SET_DUMPABLE to stop non-root processes from tracing).. otherwise you can only debug child-processes. So you are half right.

    I used the following (https://pastebin.com/tYK5QQ5a) to read RS3's memory on an old Linux-Mint machine.. it did require Sudo but oh well..


    As for it being a system call.. why does that matter though? ReadProcessMemory is a UserSpace call that calls the kernel call, NtReadProcessMemory and other kernel calls.. the same way that STrace calls PTrace.


    Whatever gets the job done I guess but yes, OP is talking about Windows most likely.
    Last edited by Brandon; 05-09-2017 at 02:03 AM.
    I am Ggzz..
    Hackintosher

  9. #9
    Join Date
    Jul 2016
    Posts
    156
    Mentioned
    2 Post(s)
    Quoted
    81 Post(s)


    Quote Originally Posted by Brandon View Post
    Where exactly did you read that it can only be used for child processes? There are debuggers for Linux where you can "Attach" to a process that is already running.. PTrace can be used to do that, so long as ptrace_scope isn't set to 1 or it isn't protected (prctl PR_SET_DUMPABLE to stop non-root processes from tracing).. otherwise you can only debug child-processes. So you are half right.

    I used the following (https://pastebin.com/tYK5QQ5a) to read RS3's memory on an old Linux-Mint machine.. it did require Sudo but oh well..


    As for it being a system call.. why does that matter though? ReadProcessMemory is a UserSpace call that calls the kernel call, NtReadProcessMemory and other kernel calls.. the same way that STrace calls PTrace.


    Whatever gets the job done I guess but yes, OP is talking about Windows most likely.
    Once again I should have specified that for many Linux distros ptrace protection is enabled by default. On my system (4.10.13-1-ARCH) ptrace protection is enabled and I know Ubuntu has the same default behavior (https://wiki.ubuntu.com/SecurityTeam...ace_Protection).
    Can you work around that? Yes. Is it safe? Probably not.

    To me it matters that it is a system call because:
    The OP asked if SIMBA could do something. He didn't ask if SIMBA could ask the kernel to do something.

    My confusion stemmed over the fact that I did not consider skipping around built-in memory protection. Until now I was operating under the assumption that the base and limit register were doing their jobs. I have no prior experience with code injection. I see now this is possible, and in Windows you're looking at WriteProcessMemory.

    So yes this is possible, but the thing I still don't understand is when this would be useful for botting?

    I guess I need to have my eyes open a bit wider. With something like ptrace I've only seen it in kernel code, and never considered creative ways it could be used.
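    The ptrace_scope and PR_SET_DUMPABLE protections the last two posts argue about, shown from the traced process's side as an added example (not code from the thread or the linked pastebin; Linux-only, and the TracerPid parsing assumes the /proc/<pid>/status format): how a process can read the Yama policy, detect that a tracer is currently attached, and opt out of being readable by non-root processes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Parse the text of /proc/sys/kernel/yama/ptrace_scope (e.g. "1\n").
 * 0 = any same-uid process may attach, 1 = only a descendant may be traced
 * (the Ubuntu default mentioned above), 2 = CAP_SYS_PTRACE only,
 * 3 = attach disabled entirely. Returns -1 if the text is malformed. */
int parse_ptrace_scope(const char *text) {
    char *end;
    long v;
    if (text == NULL) return -1;
    v = strtol(text, &end, 10);
    if (end == text || v < 0 || v > 3) return -1;
    return (int)v;
}

/* Extract TracerPid from /proc/<pid>/status text: 0 means nobody is attached,
 * a positive value is the pid of the tracer, -1 means the field is missing. */
int tracer_pid_from_status(const char *status) {
    const char *p = status ? strstr(status, "TracerPid:") : NULL;
    if (!p) return -1;
    return (int)strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Is a debugger or ptrace-based memory reader attached to us right now?
 * 1 = yes, 0 = no, -1 = /proc/self/status could not be read. */
int currently_traced(void) {
    char buf[4096];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
}

/* Mark the process non-dumpable: non-root processes can then neither attach
 * with ptrace nor read /proc/<pid>/mem, whatever ptrace_scope says.
 * Returns the dumpable flag after the change (0 on success), -1 on failure. */
int disable_dumpable(void) {
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
#else
    return -1;
#endif
}
```

Reading the live policy is a matter of passing the contents of /proc/sys/kernel/yama/ptrace_scope to parse_ptrace_scope; a root tracer, as in the Sudo case above, is unaffected by the dumpable flag.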

  10. #10
    Join Date
    Dec 2010
    Posts
    483
    Mentioned
    30 Post(s)
    Quoted
    328 Post(s)


    Quote Originally Posted by Suburbia View Post
    So yes this is possible, but the thing I still don't understand is when this would be useful for botting?
    When is reading memory belonging to the game useful for botting..?

    Writing memory, not so much. But you can do some fun stuff like directly invoking game functions.

  11. #11
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)


    Quote Originally Posted by Suburbia View Post
    So yes this is possible, but the thing I still don't understand is when this would be useful for botting?

    I guess I need to have my eyes open a bit wider. With something like ptrace I've only seen it in kernel code, and never considered creative ways it could be used.


    In Java, you have reflection. You can reflect the fields of the client and retrieve player data, player tile, model vertices, item IDs, etc.. This is possible because Java uses an intermediate language (Byte-Code).. It's not compiled to assembly so it's reversible and easier to read. When you reflect the field, the JVM will give you the value of said field.. You don't have to find the memory location and pointers and stuff. You say: "FindClass('Player').. getField(playerClass, 'name').. and voila, you have the player's name..
    You can launch the same jar file thousands of times, and the fields will be at the same location (in some class file in the jar). Each time the JVM will retrieve the exact value you want. In Java, you want to call one of the functions, you can do so with ease (very few lines of code). To use reflection, you most likely will use a custom loader (IE: SMART, Powerbot, RSBuddy, etc) and they give you access to fields within the jar..


    Then we have languages like C and C++ which compile to Assembly.. harder to read and understand and cannot be reversed back into their original form except by doing it manually.. However, the programs allocate memory, write to registers, etc.. You can read this memory to figure out what is on screen, the IDs of items, etc. You are essentially finding all the memory locations and pointers and values yourself. However, every time the application launches, the location of the stuff we want will be different (at some offset from the main-entry-point/base-address of the application). You need to find that offset and read the memory at that offset to get the value of whatever it is you're looking for (ItemID, Money-Amount, Model Vertices, etc.). You want the player's name? You need to open that process, find the address of the player structure relative to the base-address/main-entry point of the program, then find the player name offset relative to the player structure offset which you previously found. Then you need to read that address and voila, you have the player's name.
    If you want to call a function, you'd have to write the arguments to the process by allocating memory for them in the process, create a remote-thread in the process that calls the function at the address specified using the arguments you allocated, free the arguments, destroy the thread, get the return value of the function. This allows you to use the official client provided by Jagex without creating a loader (not that you can anyway), etc.


    In both cases, you do this so that you don't have to "Inject" into the process and hook anything. You can just read it remotely. Another example is Sims or something.. you can write to the Sims process that you have 1b dollars and voila, you have 1b dollars. (Not sure if Sims has money btw). Or for CS1.6, you want perfect aim with no recoil but don't want to inject into the process and get caught? Then just write to the process that your gun has a recoil of 0 and that you have god-mode.. Cheat-Engine does this.


    OSRS = Java.
    RS3/NXT = C++.
    Last edited by Brandon; 05-09-2017 at 03:16 AM.
    I am Ggzz..
    Hackintosher

  12. #12
    Join Date
    Jul 2016
    Posts
    156
    Mentioned
    2 Post(s)
    Quoted
    81 Post(s)


    Quote Originally Posted by Brandon View Post
    In Java, you have reflection. You can reflect the fields of the client and retrieve player data, player tile, model vertices, item IDs, etc.. This is possible because Java uses an intermediate language (Byte-Code).. It's not compiled to assembly so it's reversible and easier to read. When you reflect the field, the JVM will give you the value of said field.. You don't have to find the memory location and pointers and stuff. You say: "FindClass('Player').. getField(playerClass, 'name').. and voila, you have the player's name..
    You can launch the same jar file thousands of times, and the fields will be at the same location (in some class file in the jar). Each time the JVM will retrieve the exact value you want. In Java, you want to call one of the functions, you can do so with ease (very few lines of code).


    Then we have languages like C and C++ which compile to Assembly.. harder to read and understand and cannot be reversed back into their original form except by doing it manually.. However, the programs allocate memory, write to registers, etc.. You can read this memory to figure out what is on screen, the IDs of items, etc. You are essentially finding all the memory locations and pointers and values yourself. However, every time the application launches, the location of the stuff we want will be different (at some offset from the main-entry-point/base-address of the application). You need to find that offset and read the memory at that offset to get the value of whatever it is you're looking for (ItemID, Money-Amount, Model Vertices, etc.). You want the player's name? You need to open that process, find the address of the player structure relative to the base-address/main-entry point of the program, then find the player name offset relative to the player structure offset which you previously found. Then you need to read that address and voila, you have the player's name.
    If you want to call a function, you'd have to write the arguments to the process by allocating memory for them in the process, create a remote-thread in the process that calls the function at the address specified using the arguments you allocated, free the arguments, destroy the thread, get the return value of the function.


    OSRS = Java.
    RS3/NXT = C++.
    Yep that resolves it for me. I thought this was intended for RS3/OSRS.
