Scanning and Editing Android App Memory Values Programmatically

臣服心动 2020-12-24 15:11

I've been using a few Android apps that hook onto another process, scan its allocated memory and edit it. Obviously, I was using it to mess around with some games.

2 answers
  • 2020-12-24 15:54

    Putting this here for posterity

    After a fair bit of research (read, 5 days straight), as far as Linux is concerned, one may attach to a process, read its memory and detach by simply doing this:

    Heavily commented for the newbies like me, uncomment and whatever if you're better

        #include <errno.h>       //For errno
        #include <sys/ptrace.h>  //For ptrace()
        #include <sys/types.h>   //For pid_t
        #include <sys/wait.h>    //For waitpid()

        int main () {
            pid_t pid = 1337; //The process id you wish to attach to
            unsigned long address = 0x13371337; //The address you wish to read in the process

            //First, attach to the process
            //All ptrace() operations that fail return -1, the exceptions are
            //PTRACE_PEEK* operations
            if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
                //Read the value of errno for details.
                //To get a human readable version, call strerror()
                //strerror(errno) <-- Returns a human readable version of the
                //error that occurred
                return 0;
            }

            //Now, attaching doesn't mean we can read the value straight away
            //We have to wait for the process to stop
            int status;
            //waitpid() returns -1 on failure
            //W.I.F, not W.T.F
            //WIFSTOPPED() returns true if the process was stopped when we attached to it
            if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) {
                //Failed, read the value of errno or strerror(errno)
                return 0;
            }

            errno = 0; //Set errno to zero
            //We are about to perform a PTRACE_PEEK* operation, it is possible that the value
            //we read at the address is -1, if so, ptrace() will return -1 EVEN THOUGH it succeeded!
            //This is why we need to 'clear' the value of errno.
            //PTRACE_PEEKDATA returns the word itself, so it needs a long, not an int
            long value = ptrace(PTRACE_PEEKDATA, pid, (void*)address, NULL);
            if (value == -1 && errno != 0) {
                //Failed, read the value of errno or strerror(errno)
                return 0;
            } else {
                //Success! 'value' now holds the word read from the process
            }

            //Now, we have to detach from the process
            ptrace(PTRACE_DETACH, pid, NULL, NULL);
            return 0;
        }
    

    References:

    http://linux.die.net/man/2/ptrace

    http://linux.die.net/man/2/waitpid

    How does this relate to editing Android app memory values?

    Well, the headers for ptrace and wait exist in the Android NDK. So, to read/write an app's RAM, you will need native code in your app.

    Also, ptrace() requires root privileges.

    Why did it take you this long? I've never written this kind of code before.

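    The attach / wait / PTRACE_PEEKDATA / detach sequence from the answer above, as an added, runnable example (my code, not the answerer's), with the matching PTRACE_POKEDATA write the question is really after. Rather than a hard-coded pid and address, it forks a child so that the global `target` sits at a known address in the tracee; `attach_read_write`, `peek_word`, `reap`, `INITIAL_VALUE` and the value 0xBEEF are all constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sentinel the child watches. fork() duplicates the address
 * space, so `target` sits at the same virtual address in parent and child;
 * that gives us a known address to peek and poke without a memory scan. */
#define INITIAL_VALUE 0x1337L
static volatile long target = INITIAL_VALUE;

/* Read one word from the tracee. Returns 0 on success, -1 with errno set.
 * The errno reset is the PEEK* quirk from the answer: the return value is
 * the word itself, which may legitimately be -1. */
static int peek_word(pid_t pid, volatile long *addr, long *out) {
    errno = 0;
    long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(uintptr_t)addr, NULL);
    if (word == -1 && errno != 0)
        return -1;
    *out = word;
    return 0;
}

/* Make sure a failed run never leaves a stopped child behind. */
static void reap(pid_t pid) {
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
}

/* Fork a child that spins until `target` changes, attach with PTRACE_ATTACH,
 * wait for the stop, read `target`, overwrite it with new_value, detach and
 * collect the child's verdict.
 * Returns the word read before the write, or -1 with *err naming the failing
 * step (NULL on success). *child_saw receives the child's exit status:
 * 0 means the child observed new_value after we detached. */
long attach_read_write(long new_value, int *child_saw, const char **err) {
    *err = NULL;
    *child_saw = -1;
    if (new_value == INITIAL_VALUE) { *err = "new_value must differ from INITIAL_VALUE"; return -1; }

    pid_t pid = fork();
    if (pid < 0) { *err = "fork"; return -1; }
    if (pid == 0) {
        /* Child (the tracee): busy-wait until someone rewrites our word, then report. */
        while (target == INITIAL_VALUE)
            ;
        _exit(target == new_value ? 0 : 1);
    }

    /* Parent (the tracer): attach sends SIGSTOP, and the stop is reported via waitpid. */
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) { *err = "PTRACE_ATTACH"; reap(pid); return -1; }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) { *err = "waitpid(stop)"; reap(pid); return -1; }

    long before;
    if (peek_word(pid, &target, &before) == -1) { *err = "PTRACE_PEEKDATA"; reap(pid); return -1; }
    /* POKEDATA writes exactly one word; the value travels in the `data` argument. */
    if (ptrace(PTRACE_POKEDATA, pid, (void *)(uintptr_t)&target, (void *)new_value) == -1) {
        *err = "PTRACE_POKEDATA"; reap(pid); return -1;
    }

    /* Detaching resumes the tracee; it leaves its loop and exits with its verdict. */
    if (ptrace(PTRACE_DETACH, pid, NULL, NULL) == -1) { *err = "PTRACE_DETACH"; reap(pid); return -1; }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) { *err = "waitpid(exit)"; return -1; }
    *child_saw = WEXITSTATUS(status);
    return before;
}

int main(void) {
    int saw;
    const char *err;
    long before = attach_read_write(0xBEEFL, &saw, &err);
    if (err) {
        fprintf(stderr, "%s failed: %s\n", err, strerror(errno));
        return 1;
    }
    printf("read 0x%lx, child saw the new value: %s\n", before, saw == 0 ? "yes" : "no");
    return 0;
}
```

    This works unprivileged only because the tracee is the tracer's own child: under the Yama default (`kernel.yama.ptrace_scope = 1`) a process may attach to its descendants, while attaching to an unrelated process needs CAP_SYS_PTRACE, which is the "root" requirement the answer mentions. Each failure path kills and reaps the child so a bad run never leaves a SIGSTOPped process behind.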
  • 2020-12-24 16:08

    As far as Linux is concerned, it's forbidden by the kernel to modify memory that belongs to other processes (by the way, this is why there are no viruses on Linux). What you are actually doing is editing Shared Preferences. They are written in plain text, and that means they can be edited if you have access to them (root). You can check out the CheatDroid application on the Play Store. Also, if you want to develop a similar app yourself, you can check this link to create your first root app: http://www.xda-developers.com/android/how-to-build-an-android-app-part-2-writing-a-root-app-xda-tv/
