
I am working on a project where I am interfacing(?) with another program. This other program has no way for me to interface with it, so I need to pull values out of memory. I have already found the addresses where these values are stored relative to the MZ Start address listed in the program's PE header. I simply need to look at that address and get its value. Is there a way to do this in Python, or will I need a different language?

I used Cheat Engine to find the memory address relative to the MZ Start address listed in the program's PE header. However, I have no way to interface with Cheat Engine in order to do something with the value it is looking at. Then I had the idea to manually look at that address while the program is running with a Python script. However, I am unsure of where to begin.

Here's what I know:

First line of memory starts at address: 0x00CC0000

It always starts here.

Hexadecimal Address: 00CC0000(StartOfMem)+841984(Offset) = 0x01501984

This is where the pointer is stored in memory. I have verified that it is always in this location.

This pointer points to the memory address of a UI class object in the program I am trying to interface with; this object contains data I want to read.

If I dereference the pointer it will give me another memory address. Let's call this value AddressAtPointer.

I know the two things I am looking for have an offset of 43C and 434 from AddressAtPointer and are 4 byte integers.

Is there a way for me to read the data at these specific memory addresses?

2 Answers


Yes, this is possible. But, I will warn you that reading and writing to specific memory addresses is the wrong tool to solve this problem. The right tool is probably ctypes or SWIG. In particular, that would save you from needing to figure out what the right offsets are.

I figure you're going to ignore that advice, so here's how to write arbitrary memory addresses.

import ctypes
foo = ctypes.c_char.from_address(0x00000000)
foo.value = 1

This will write a byte of 0x01 to the address zero. You can change the address by changing 0x00000000. You can change the value written by changing the 1. You can change the size of the write by changing c_char to something else.

Reading a memory address is the same, except instead of foo.value = 1, you have variable = foo.value.

All of the above assumes you're in the same address space as your target.

Nick ODell
  • I need to read from that memory address. I know that the data at that is stored as a 4 byte integer value. (Technically it's a bool, it is only ever 1 or 0). Would I just be able to do print(foo) and see what is at that address? Also, the address that I want to look at is being used by a separate program. – Tanner Balk Nov 09 '22 at 22:25
  • You can do that but it's OS specific. For Windows see https://stackoverflow.com/questions/1794579/how-can-i-read-the-memory-of-another-process-in-python-in-windows – Nick ODell Nov 09 '22 at 23:13

No -- Not through Python directly. Python is a memory-safe language and therefore doesn't allow for interaction directly with memory. Your best bet might be using CPython to call a C function which does the memory-trickery that you want.

This is also an extremely fragile way of getting data: Memory addresses may not be the same between different machines, different operating systems, or even different executions of the same program (ASLR is a feature that randomizes memory addresses every time a program starts up, and this may be enabled).

Oren
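The pointer chain from the question (module base + 0x841984, dereference, then 4-byte integers at +0x43C and +0x434), written as an added example that is not code from either answer. It assumes a 32-bit target and takes the module base as a parameter so it can be resolved at run time rather than hard-coded (the ASLR concern above); `open_reader`, `read_fields`, `fake_reader`, `demo` and the object address are hypothetical names and constructed values, and `open_reader` wraps the Windows `OpenProcess`/`ReadProcessMemory` calls.

```python
import ctypes
import struct

PROCESS_VM_READ = 0x0010  # access right required by ReadProcessMemory

def open_reader(pid):
    """Windows only: return (read, close) for another process's memory."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.ReadProcessMemory.restype = ctypes.c_int
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())

    def read(address, size):
        buf, got = ctypes.create_string_buffer(size), ctypes.c_size_t(0)
        ok = k32.ReadProcessMemory(handle, address, buf, size, ctypes.byref(got))
        if not ok or got.value != size:
            raise OSError(f"read of {size} bytes at {address:#x} failed")
        return buf.raw
    return read, lambda: k32.CloseHandle(handle)

def read_fields(read, base, ptr_offset=0x841984, fields=(0x43C, 0x434), ptr_size=4):
    """Dereference the pointer at base+ptr_offset, then read int32 fields."""
    fmt = "<I" if ptr_size == 4 else "<Q"  # assumption: 32-bit target by default
    (obj,) = struct.unpack(fmt, read(base + ptr_offset, ptr_size))
    if obj == 0:
        raise ValueError("pointer is NULL: the object does not exist yet")
    return {off: struct.unpack("<i", read(obj + off, 4))[0] for off in fields}

def fake_reader(regions):
    """Constructed stand-in for a target process: {start_address: bytes}."""
    def read(address, size):
        for start, data in regions.items():
            if start <= address and address + size <= start + len(data):
                return data[address - start:address - start + size]
        raise OSError(f"unmapped read at {address:#x}")
    return read

def demo(base=0x00CC0000, obj_addr=0x02A40000):
    """Run the chain against constructed memory; obj_addr is a made-up value."""
    obj = bytearray(0x440)                 # field at 0x434 stays 0
    struct.pack_into("<i", obj, 0x43C, 1)  # field at 0x43C set to 1
    regions = {base + 0x841984: struct.pack("<I", obj_addr), obj_addr: bytes(obj)}
    return read_fields(fake_reader(regions), base)
```

On Windows the same `read_fields` call takes the `read` function returned by `open_reader(pid)`, with `base` set to the module's load address for that run.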