I am writing a memory viewer using x86 assembler
Code:
__asm {
    push eax
    mov eax, offset starthex
    mov al, [eax]
    mov thebyte, al
    pop eax
}
starthex = 0x0042EECA (i.e. the address I wanna read from)
All I get is the lower byte of the address that I am trying to read from (i.e. 0x0042EECA returns CA). What am I doing wrong?
Please help!
Try making thebyte into an unsigned long and using this ASM:
Code:
__asm {
    push eax
    mov eax, offset starthex
    mov eax, [eax]
    mov thebyte, eax
    pop eax
}
Basically, your code fragment only reads one byte of data when you want to read 4 bytes of data (i.e. one unsigned long's worth).
AFAIK, al is just the lower byte of the register, while ax is the lower 16 bits and eax is the full 32 bits.
Absolutely no effect, jonwil. And tokumaru? I knew that already. I only want to read 1 byte of data at a time for the hex viewer. Are some areas of memory unreadable on an x86, Windows XP computer?
Plus, as I said before, all I get is the lower 8 bits of the address that I am trying to read from. I only want 8 bits, but it seems like I am getting the databus back each time or something.
Fixed! It's mov eax, starthex, not mov eax, offset starthex, thanks anyway.
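The difference between the two forms, written out in portable C as an added example (not code from the thread). The sample bytes and the function names are made up for illustration, and the low-byte result assumes a little-endian machine such as x86.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample bytes standing in for the memory being viewed. */
static const unsigned char sample[8] = {0x4E, 0x45, 0x53, 0x1A, 0x02, 0x01, 0x00, 0x00};

/* Like the thread's starthex: a variable whose VALUE is the address to read. */
static const unsigned char *starthex = sample;

/* mov eax, offset starthex / mov al, [eax]
   eax receives the address OF the variable, so the load returns the first
   byte of the stored pointer: on little-endian x86, the address's low byte. */
unsigned char read_with_offset(void) {
    return *(const unsigned char *)&starthex;
}

/* mov eax, starthex / mov al, [eax]
   eax receives the variable's contents (the target address), so the load
   returns the byte stored at that address. */
unsigned char read_with_value(void) {
    return *starthex;
}

/* One hex-viewer row built with the corrected read, e.g. "4E 45 53 1A". */
const char *hex_row(size_t count) {
    static char row[3 * sizeof sample + 1];
    size_t pos = 0;
    row[0] = '\0';
    if (count > sizeof sample) count = sizeof sample; /* never read past the buffer */
    for (size_t i = 0; i < count; i++)
        pos += (size_t)snprintf(row + pos, sizeof row - pos, "%02X%s",
                                (unsigned)starthex[i], i + 1 < count ? " " : "");
    return row;
}

int main(void) {
    printf("target address     : %p\n", (const void *)starthex);
    printf("low byte of address: %02X\n", (unsigned)((uintptr_t)starthex & 0xFF));
    printf("offset starthex    : %02X\n", (unsigned)read_with_offset());
    printf("starthex           : %02X\n", (unsigned)read_with_value());
    printf("row                : %s\n", hex_row(8));
    return 0;
}
```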
WedNESday wrote:
Are some areas of memory unreadable on an x86, Windows XP computer?
Yes, but instead of getting bus capacitance, you get an interrupt. The i386 CPU has a built-in mapper with 4 KiB pages, and if a page is unmapped, the mapper issues a "page fault" interrupt. If the app doesn't have a handler for this interrupt, like most apps, it falls back to the operating system's handler, which dumps core and terminates the application.
Unmapped areas include any I/O areas, other apps, and most of the kernel. Those are mapped into the kernel's address space, and apps are supposed to call the kernel through APIs, which are mapped into the apps' address space.
Basically I want to hack a game and I want to view the memory of the game as I run it in a window, that way I can see the hex values as they are changed. I don't seem to be able to find the game anywhere in memory, and it uses about 256MB RAM. Does anyone know how I can find the game in memory? Also, is it possible to actually do such a thing?
Under Windows, each process is mapped into what amounts to a separate memory bank. It's possible to use operating system services to view another process's memory, but 1. you may have to be a member of Administrators to make this work, and 2. lots of programs use rootkit-style code to make their copy prevention robust against debuggers like the one you're trying to write.
So how do I handle General Protection Faults when I access memory using x86 assembler?
Start with debug and anti-debug.
Sorry, but I don't see anything there that would help me write any code for my program.
I think Creating a Basic Debugger might be more useful.
Thanks, I'm working on it now, but when I include the file psapi.h, all I get is a hundred error messages. Could you supply any source code, tepples? (You've already been very helpful anyway.)
WedNESday wrote:
Thanks, I'm working on it now, but when I include the file psapi.h, all I get is a hundred error messages.
Paste the first three, and people might be able to help you troubleshoot them.
I think I've managed to fix them now. The file psapi.h used variables defined in other header files. It seems to work now, but I'll post again if anything else goes wrong.