Simple Editing of an App’s RAM
Apps use variables, and those variables are stored in RAM. It would be wonderful to have access to this memory, and fortunately for us it is really simple. We only need one app to achieve this.
The test app is designed to return secret data if the number is higher than 9 999 999, so incrementing the value manually would take a lot of time.
The cooldown between increments doesn’t make this any easier, so the only way to get the secret key is to edit RAM (it’s also possible via reverse engineering, but that is much harder).
First of all, we need to get acquainted with Cheat Engine. This app will allow us to search and edit RAM within a process.
By clicking on the desktop icon and choosing a process, we can begin to infiltrate the memory.
In the target app the initial value is 1, so the first scan is for 1 with the parameter “Exact Value”; the value type is set to 4 bytes because we can guess it is an integer.
Now we have 204 624 addresses of variables that contain the value “1”. At this point, there is no way to tell where our target is without rescanning.
So, let’s increment the value to “2”.
The target app is showing the value “2”, so type “2” in Cheat Engine as the value to search for and press “rescan”. Now we have found 408 values. It’s better, but not good enough. Do it again: increment and search for the value “3”.
We have found only 2 variables! Yaay \o/ (just kidding). In this situation you can try adding both to the address list and incrementing both.
Now we can finally figure out the address of the variable we are searching for.
Change both variables to new values to find out what each of them affects.
After clicking “Add 1” we get “101”. Now it’s easy to say that address 058A5F0C is the variable we are looking for.
Now, we can edit this variable to 9 999 999.
Finally, we have to click “Add 1” to add 1 more to the variable and update the graphics, because it’s common for the visual representation of a variable not to change without interaction with the app. The value will change, but until then the code won’t use or update it in any way.
Now we can read these “secret” messages.
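The scan, rescan and probe steps above can be replayed offline against a constructed model; this is an added example, not part of the original post, and it does not touch a real process. ToyApp, its offsets, the filler cells and the probe value 100 are assumptions made for illustration.

```python
import struct

class ToyApp:
    """Constructed stand-in for the test app: flat memory, a counter and its on-screen copy."""
    def __init__(self, size=4096, counter=0x0F0C, shown=0x0A10):
        self.mem = bytearray(size)
        for i in range(size // 4):            # filler: int32 cells holding 0,1,2,3,0,1,...
            self.write(i * 4, i % 4)
        self.counter, self.shown = counter, shown   # hypothetical offsets
        self.write(counter, 1)
        self.write(shown, 1)

    def read(self, off):
        return struct.unpack_from("<i", self.mem, off)[0]

    def write(self, off, value):
        struct.pack_into("<i", self.mem, off, value)

    def add_one(self):
        """The "Add 1" button: bump the counter, then refresh the displayed copy."""
        for i in range(1, len(self.mem) // 4, 8):   # unrelated cells that also change
            self.write(i * 4, (self.read(i * 4) + 1) % 4)
        self.write(self.counter, self.read(self.counter) + 1)
        self.write(self.shown, self.read(self.counter))

def scan(app, value, candidates=None):
    """Exact-value, 4-byte scan; pass the previous hits to rescan only those."""
    cells = range(0, len(app.mem), 4) if candidates is None else candidates
    return [off for off in cells if app.read(off) == value]

def narrow(app, max_rounds=10):
    """First scan, then click and rescan until at most two hits remain."""
    value = app.read(app.shown)               # the number the window displays
    hits = scan(app, value)
    history = [len(hits)]
    while len(hits) > 2 and len(history) < max_rounds:
        app.add_one()
        value += 1
        hits = scan(app, value, hits)
        history.append(len(hits))
    return hits, history

def pick_counter(app, hits, probe=100):
    """Write a probe into each hit and click once; the real counter shows probe + 1."""
    for off in hits:
        app.write(off, probe)
        app.add_one()
        if app.read(app.shown) == probe + 1:
            return off
```

In this model the two survivors are the counter and the copy used for display, which is why writing to one of them changes what the app does and writing to the other is overwritten on the next click.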