Friday, May 6, 2011

How does Cheat O'Matic work?

How does this program access other processes' memory? How can it write into the address space of another process? Wasn't it supposed to segfault or something?

From stackoverflow
  • A program with a system privilege level is capable of mapping physical addresses to its own virtual address.

    Cheat O'Matic (and poke) maps the physical address of whatever program it is trying to scan into its own virtual space.

    Once this is done, it scans all the bytes for the target value you enter. It isolates the correct memory address by asking the user to alter the value to known values and basically does a diff between the old and new memory to find the changes.

    morechilli : On windows the functions VirtualAllocEx and VirtualQueryEx allow you to read and write in the memory of another process.
    Martinho Fernandes : @morechilli: if you put that in an answer, I'll accept it.
  • One way to do it is to inject a DLL (Google for 'DLL injection') into the address space of the process that you want to spy on: that DLL is then inside the process and can do things with the process' memory. The spy process can use an Interprocess Communication method (pipes, sockets, anything) to talk with the DLL which it injected into the other process.

    Injecting a DLL takes administrator privilege (e.g. to set a relevant entry in the system registry).
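The scan-then-diff narrowing that the first answer describes, written out as an added example (not code from the original post or from Cheat O'Matic). It runs over constructed byte buffers standing in for successive snapshots of a process's memory; a real tool would obtain each snapshot from the target process through an OS-mediated API (on Windows, ReadProcessMemory, which is also what debuggers use), which is why there is no segfault: the kernel copies the bytes, the scanner never dereferences the other process's addresses itself. The base address, field offsets and values below are all made up for the demonstration.

```python
import struct

WIDTH = 4  # scan for 32-bit little-endian integers, the usual width of counters like health or score


def scan_for_value(snapshot: bytes, value: int, base: int = 0) -> set[int]:
    """First pass: return every address (base + offset) at which the 4-byte
    little-endian encoding of `value` occurs. The search steps one byte at a
    time because the counter need not be aligned."""
    needle = struct.pack("<I", value & 0xFFFFFFFF)
    hits = set()
    pos = snapshot.find(needle)
    while pos != -1:
        hits.add(base + pos)
        pos = snapshot.find(needle, pos + 1)
    return hits


def narrow(candidates: set[int], snapshot: bytes, value: int, base: int = 0) -> set[int]:
    """Later passes: the user has changed the value to something known, so keep
    only the candidate addresses that now hold the new value. Everything that
    merely happened to match the first time (the 'diff') drops out."""
    needle = struct.pack("<I", value & 0xFFFFFFFF)
    return {a for a in candidates if snapshot[a - base:a - base + WIDTH] == needle}


def locate_counter(rounds: list[tuple[bytes, int]], base: int = 0) -> set[int]:
    """rounds is a list of (snapshot, value the user knows it holds right now).
    The first round is a full scan, each following round is a filter."""
    (first_snap, first_val), *rest = rounds
    cands = scan_for_value(first_snap, first_val, base)
    for snap, val in rest:
        cands = narrow(cands, snap, val, base)
    return cands


def build_snapshot(size: int, fields: dict[int, int]) -> bytes:
    """Helper for constructing a toy memory image: zero-filled, with 32-bit
    values written at the given offsets."""
    buf = bytearray(size)
    for off, val in fields.items():
        buf[off:off + WIDTH] = struct.pack("<I", val)
    return bytes(buf)


def demo() -> set[int]:
    # Constructed scenario (hypothetical addresses and values): the real counter
    # lives at offset 0x40 of a region mapped at 0x00400000. Offsets 0x10 and
    # 0x80 are decoys that start with the same value; 0x80 even tracks the first
    # change, so it takes two user-driven changes to isolate the right address.
    base = 0x00400000
    rounds = [
        (build_snapshot(256, {0x10: 100, 0x40: 100, 0x80: 100}), 100),  # initial scan: 3 hits
        (build_snapshot(256, {0x10: 100, 0x40: 90, 0x80: 90}), 90),     # after one change: 2 left
        (build_snapshot(256, {0x10: 100, 0x40: 75, 0x80: 90}), 75),     # after another: 1 left
    ]
    return locate_counter(rounds, base)


if __name__ == "__main__":
    print({hex(a) for a in demo()})  # {'0x400040'}
```

Each round costs only a membership check per surviving candidate, so the expensive byte-by-byte pass happens once; this is also why a defender watching for such tools sees one large read of the target's address space followed by many small reads of the same few addresses.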
