Memory Editing

Basic idea of Memory Scanning/Editing

Just like hacking can be split into 3 core parts, find something, edit something, check the results. For this hacking method you can apply the same core concept.

This is just like pressing CTRL + F, but for your memory. In our case, we want to use this to find numeric values like, our health, money, amount of items, coordinates, etc. After we found it, we just change it and check if it worked and we're done. This is a pretty straightforward and easy concept.

This is a basic visual representation of computer memory, dont worry, I'll explain everything down below.

Understanding Computers and Programs

You might be familiar with the concept of our computers "just being a bunch of 0's and 1's". But this is a very bad understanding about our computers and how we interact with them.

If we would just concatenate all the 0's and 1's together, our computer programs would be very, very slow. everything would lag. You can try this out by just writing a empty document with pages worth of 0's and 1's. Try editing in a 0 or 1, it will lag really hard.

This is why split our bits into bytes.

Bytes are very important to understand, it may seem confusing to what a bit or byte is, so let me explain it to you.

A bit (Binary Digit) is either a 1 or 0 (more importantly: On or Off) and only has 2 possible outcomes, while a byte is made out of a number of bits, generally 8 bits and has 256 possible outcomes (0-255).

You might also notice that, two hex-digits make up a byte, so a hex-digit is made up of a N-byte (4-bit).

History of the term "Byte"

IBM was the organisation to invent the byte and also the 8-bit byte with the IBM System/360. You might also know the Intel 8008 and other processors that first utilized 8 bits.

The term byte was invented by Werner Buchholz, at IBM. He created the term while working one the Stretch IBM Computer using 6-bit's as a byte.

The N-byte also known as a "half byte" or nibble, using 4-bit's as a byte was named after Louis Dooley, and the way Louis Dooley described the byte was as a undefined number of bits less than a computer's full word size.

Louis Dooley therefore is the creator of the modern term that we use for byte. Because Werner Buchholz specifically named the term after 6-bit's and in modern systems, we use 32-bit, 64-bit processors (A processor's full word length) with bytes of 8 bit's (less than the full word length).

Working with bits and bytes

We now understand that a byte is made up of 8 bit's. 00000000, 11111111, 01010101, 10110010 are all perfectly fine bytes.

Now let's build on our understanding of bytes.

a single byte can only hold up to 256, or in other words, 2 by the power of 8 (but not all 256 values at the same time).

If we wanted to store our health, usually being 100 (health), we can store that in a single byte and we would be just fine. The same goes for example; The set of characters we have.

However, if we wanted to store things like for example, in-game money, most likely, 256 wouldn't be enough to store all the money in.

That's why as a programmer we can group bytes together.

We could take 2 bytes and group them together. Then we could store up to 65.5 thousand numbers. Already sounds much more reasonable compared to 256.

We can group, 2 bytes, 3 bytes, 4 bytes, 5 bytes.... and so on.

Most commonly you will find 4 bytes grouped together. These can store up to 4.2 billion numbers and are amongst the most commonly used byte size.

The set of integers for example, is an infinite in size, so the computer will only represent a subset of integers. We know that a byte can only represent a subset of integer values that are 256, So in that case we would need to apply this grouping of bytes to get larger memory cells, to represent bigger integer values.

The computer provides us with several subsets of integer values:

2 bytes are used for short integers [-(2^15-1), 2^15]

4 bytes are used for normal integers [-(2^31-1), 2^31]

8 bytes are used for long integers [-(2^63-1), 2^63]

Memory Addresses

Each byte is associated with what we call a "Memory Address".

Some computers will impose special limitations on where the variable must be placed. Common restrictions are:

• short integers must be placed at an even address divisible by 2


• normal integers must be placed at an even address divisible by 4

We also can't start counting our addresses in the middle of a sequence of bytes, so we can only call the address at the start of the first byte.

If our variable starts at memory address 0 and ends at memory address 3, we can only refer to that variable by memory address 0, memory address 1, 2 or 3 are invalid.

We know that a byte is 8 bits and that a bit holds either a value of 0 or 1. Therefore we can safely conclude that yes, our computers memory is made up of just a bunch of 0's and 1's.

We also know what memory addresses are.

But how can we tell the amount of bytes we need and how do we know where the bytes have to be stored?

That's why something called a "Compiler" (a program with variables) exists.

When you define a variable in your program, it gets stored in your computers memory. The compiler will find a unused sequence of bytes in your memory where it can safely store the variable.

After it found a safe place to store your variable in, the variable's name, memory address, and byte size are remembered and stored inside the compiler.

If the variable now gets called after it's stored, the compiler will then generate native computer instructions to access the memory that's used to store the indicated variable in.

Memory Scanning

As stated above, memory scanning is like using CTRL + F, but for your memory. We scan numbers in our memory, usually 4 bytes long, as they're the most commonly used ones.

To understand this concept further, we have to "complexify" this CTRL + F understanding.

If you hit CTRL + F on a blog post, and type a very commonly used word like "and" as the search term, you will find tens to hundreds of results. In memory scanning, the entire memory is full of numbers, and because it's full of numbers, we get thousands or even millions of results.

This is mainly because bigger games can take up billions of numbers in our memory.

So how can we fix this issue?

Memory Values change all the time, in fact, if we were to search a 32 bit integer right now, from those thousands of result, some would already change their value almost imediately.

With this in mind, we can force our target value to change, this allows us to rapidly narrow down our search.

Now our health changes from 100, to 85, to 70, to 55.

If we start to scan for our health, that is 100 at the start, we get thousands of results. When our health drops to 85, and we scann all the numbers that previously were at value 100 and now changed to the value 85.

What we'll find is, that we get much less numbers now, because much less numbers have changed from value 100 to 85. If we continue this until we're at 55, we're going to be left with only a handful of number values, and our health is most likely within those few numbers.

You can notice right away that this is true when we change our value from 85 to 70, because our numbers will drastically decrease.

We're left with only 2 memory addresses now, if we changed our health one more time and searched for the result, we would most likely know exactly which address is storing the value of the player's health.

You might also encounter that all of the addresses change to the same outcome value, in that case, you have to just play around with all of the values and see which one is your health. it could be that some of them represent other variables related to your health.

If for some reason all of the addresses disappear in your final few searches, you might have a different data type. As health could also be stored in a single byte. It could also be a float or double. Or there could be a health related mechanism. In a lot of games, they might have passive healing back to 100 Health Points, which could've thrown us off.

That's why it's important for us to use the scientific method whenever we're engaged in any sort of hacking process.

Now to change our player's helath, we can just modify the memory address where our health is stored at, and our health should change. This might not be immediately visible, so make sure you update and take some damage to see if it worked.