3

The code I am trying to understand overwrites a section of a game process's memory (windows.h, WriteProcessMemory) in order to modify a parameter in the game (for example, strength). The values would most likely be integers.

The code attempts the replacement with this function:

WriteProcessMemory( GameHandle, (BYTE*)StrengthMemoryAddress, &StrengthValue, sizeof(StrengthValue), NULL);

where StrengthMemoryAddress is a pre-calculated dynamic address and StrengthValue is the following:

BYTE StrengthValue[] = { 0x39, 0x05, 0x00, 0x00 };  // 4 bytes, written to the target as-is

It replaces strength with 1337.

My question is basically how the byte array works in this function. From Google I know that the hex value of 1337 is 0x539.

How come you have to reverse it in the byte array? I see that he first puts 0x39, then 0x5, which I concluded probably combines to 0x539 in some reverse order. Also, why do you need the extra 0x0 at the end? Can't you just leave it out?

Thanks.


3 Answers

9

from google i know that the hex value of 1337 is 0x539.

Or it is 0x00000539, which is the same value but written as a 4-byte integer. Now, if you write this integer in little-endian order in memory, you have to store it in the following order (the least significant byte, 0x39, goes first):

Memory Address   Values
1000             0x39  
1001             0x05
1002             0x00
1003             0x00

So that has to do with endianness. You may want to read more on that topic.


1

You were expecting the 0x39 to be the highest byte (Big Endian), but you ended up on an architecture where it is the lowest byte (Little Endian).

Looking at an int logically as:

[ BYTE 0 ][ BYTE 1 ][ BYTE 2 ][ BYTE 3 ]
 * 256^3    *256^2    *256       *1
  MSB                            LSB

But that does not mean the architecture you are on maps a char array in that way. In fact, it did the opposite.

value [what you expected]  [what you got]
       BIG ENDIAN           LITTLE ENDIAN
0x39      BYTE 0              BYTE 3
0x05      BYTE 1              BYTE 2
0x00      BYTE 2              BYTE 1
0x00      BYTE 3              BYTE 0

If you do not set all 4 bytes, then the missing bytes are called uninitialized memory, and using them through the int you create is considered undefined behavior. This will likely just leave an unexpected value in the missing byte (whatever happened to be there before), but the compiler is free to do whatever it wants, like removing code you thought would do something, leading to very unexpected behavior for you.


0

The numbers you're writing have to be in Little Endian format. I recommend you read up on Endianness.

As for the extra 0 at the end: You have to overwrite the entirety of the byte-length of the int, or you'll risk leaving behind old values which would corrupt the value of the int you're writing.

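The three answers above all come down to two points: the bytes are the little-endian layout of a 4-byte integer, and a shorter write leaves the old upper bytes behind. The following is an added example, not code from the question or from any of the answers, that demonstrates both without touching a real process. It encodes and decodes a 32-bit value in little-endian order independently of the host, checks whether the host's own in-memory layout of an int matches that encoding, and replaces WriteProcessMemory with a hypothetical `simulate_write` that overwrites the first `n` bytes of a 4-byte slot, so the effect of leaving out the trailing zeros can be seen directly. The old slot value 1000000 (0x000F4240) is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the question or any answer): little-endian
 * encoding of the 4-byte integer, plus a simulated 4-byte "strength" slot
 * standing in for the target process memory. No Windows API is used. */

/* Does this host store the least significant byte first? */
static int host_is_little_endian(void)
{
    uint32_t probe = 1u;
    uint8_t first;
    memcpy(&first, &probe, 1);   /* the byte at the lowest address */
    return first == 1;
}

/* Encode v as 4 bytes, least significant byte first, whatever the host is. */
static void put_le32(uint8_t out[4], uint32_t v)
{
    out[0] = (uint8_t)(v & 0xFFu);
    out[1] = (uint8_t)((v >> 8) & 0xFFu);
    out[2] = (uint8_t)((v >> 16) & 0xFFu);
    out[3] = (uint8_t)((v >> 24) & 0xFFu);
}

/* Inverse of put_le32: rebuild the integer from its little-endian bytes. */
static uint32_t get_le32(const uint8_t in[4])
{
    return (uint32_t)in[0]
         | ((uint32_t)in[1] << 8)
         | ((uint32_t)in[2] << 16)
         | ((uint32_t)in[3] << 24);
}

/* Does the host's in-memory layout of v equal its little-endian encoding?
 * True exactly on little-endian machines (x86/x64, where the game runs). */
static int native_matches_le(uint32_t v)
{
    uint8_t native[4], le[4];
    memcpy(native, &v, sizeof native);
    put_le32(le, v);
    return memcmp(native, le, sizeof native) == 0;
}

/* Hypothetical stand-in for WriteProcessMemory on one 4-byte slot: the slot
 * starts out holding old_value (little-endian, as on the real target), its
 * first n bytes are overwritten from buf, and the resulting integer is
 * returned. Writing fewer than 4 bytes leaves the old upper bytes in place. */
static uint32_t simulate_write(uint32_t old_value, const uint8_t *buf, size_t n)
{
    uint8_t slot[4];
    put_le32(slot, old_value);
    if (n > sizeof slot)
        n = sizeof slot;
    memcpy(slot, buf, n);
    return get_le32(slot);
}

int main(void)
{
    /* Constructed sample: the byte array from the question. */
    const uint8_t strength_value[4] = { 0x39, 0x05, 0x00, 0x00 };
    uint8_t encoded[4];

    put_le32(encoded, 1337u);
    printf("1337 encoded little-endian: %02x %02x %02x %02x\n",
           encoded[0], encoded[1], encoded[2], encoded[3]);
    printf("decoded back: %u\n", get_le32(strength_value));
    printf("host is little-endian: %d\n", host_is_little_endian());
    printf("native int layout matches LE: %d\n", native_matches_le(1337u));

    /* A full 4-byte write replaces the old value completely. */
    printf("old 1000000, write 4 bytes -> %u\n",
           simulate_write(1000000u, strength_value, 4));

    /* Dropping the trailing zeros overwrites only the low 2 bytes; the old
     * upper bytes of 1000000 (0x000F4240) survive and corrupt the result. */
    printf("old 1000000, write 2 bytes -> %u (0x%08x)\n",
           simulate_write(1000000u, strength_value, 2),
           simulate_write(1000000u, strength_value, 2));
    return 0;
}
```

The 2-byte write yields 0x000F0539 (984377) rather than 1337, which is the corruption the second and third answers warn about. `put_le32`/`get_le32` are the portable way to build the buffer in real code: they produce the same bytes on any host, whereas `memcpy` of an `int` only matches on a little-endian machine, which `native_matches_le` checks at run time.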
