Diffstat (limited to 'md/writeup/scan_memory_for_variable.md')
-rw-r--r--md/writeup/scan_memory_for_variable.md144
1 files changed, 144 insertions, 0 deletions
diff --git a/md/writeup/scan_memory_for_variable.md b/md/writeup/scan_memory_for_variable.md
new file mode 100644
index 0000000..c3903db
--- /dev/null
+++ b/md/writeup/scan_memory_for_variable.md
@@ -0,0 +1,144 @@
+title:Scan memory for variable
+keywords:memory,scan,variable
+
+# Scan memory for variable
+
+Someday ago I was playing one game. And as I not so often playing
+games. I would like to change some variables in memory like ammo quantity
+or health. May be it is not very interesting to play game with "cheating"
+but there is much more interest to play with program.
+
+
+In such play can help scanmem
+
+
+Here is example of program that will help us to learn how to use scanmem:
+
+```c
+#include <stdio.h>
+#include <stdlib.h>
+
+unsigned int secret_dw = 1000; //variable to search
+unsigned int tmp;//for input variable
+
+
+int main()
+{
+ int i;
+ while ( secret_dw != -1 )
+ {
+ scanf("%u",&tmp);
+ printf("secret_dw was %u \n",secret_dw);
+ secret_dw = tmp;
+ tmp = 0; // This is to prevent from detecting tmp variable position
+ }
+ printf("\bExit\n");
+ return 0;
+}
+```
+
+here only two variables one secret_dw for value that we will search
+and second one tmp to save input. Also tmp will zeroed if not then we will
+find tmp and secret_dw.
+
+compile example with
+
+``
+make
+``
+
+and run
+
+```
+./example
+```
+
+And in parallel run
+```
+$ scanmem `pidof example`
+scanmem version 0.11
+Copyright (C) 2009,2010 Tavis Ormandy, Eli Dupree, WANG Lu
+Copyright (C) 2006-2009 Tavis Ormandy
+scanmem comes with ABSOLUTELY NO WARRANTY; for details type `show warranty'.
+This is free software, and you are welcome to redistribute it
+under certain conditions; type `show copying' for details.
+
+info: maps file located at /proc/1801/maps opened.
+info: 5 suitable regions found.
+Please enter current value, or "help" for other commands.
+
+As we searching 4 byte value of uint we defining it by setting up option
+0> option scan_data_type int32
+```
+
+Now we ready to start our game. At beginning we know our secret_dw value it is 1000 but we will not use it.
+Type 1 in example
+
+```
+secret_dw was 1000
+```
+
+in scanmem
+```
+0> 1
+info: 01/05 searching 0x8049000 - 0x804a000...........ok
+info: 02/05 searching 0xb763d000 - 0xb763e000...........ok
+info: 03/05 searching 0xb7787000 - 0xb778a000...........ok
+info: 04/05 searching 0xb77a7000 - 0xb77a9000...........ok
+info: 05/05 searching 0xbf9d4000 - 0xbf9f5000...........ok
+info: we currently have 58 matches.
+```
+
+As we can see 58 matches. WooHoo. Now type '1000'in example
+1000
+
+secret_dw was 1
+
+in scanmem
+
+```
+58> 1000
+..........info: we currently have 2 matches.
+```
+
+only 2 now
+
+scanmem has also many built in commands you can see them when type help.
+One of them is 'list'. Use it.
+```
+2> list
+[ 0] 0x8049680, 1000, [I32 ]
+[ 1] 0xbf9f2dd8, 1000, [I32 ]
+```
+
+Here is list of matched variables. Number,address,value,size. By address we see that
+our variable is with number 0.
+
+```
+2> set 0=999
+info: setting *0x8049680 to 0x3e7...
+2> list
+[ 0] 0x8049680, 1000, [I32 ]
+[ 1] 0xbf9f2dd8, 1000, [I32 ]
+```
+
+Now our variable is with value 999. When you type list it may be little
+bit confusing that values is the same. Go in example
+12
+
+secret_dw was 999
+
+Yes. We have changed our variable. Our goal is completed.
+
+Scanmem webpage scanmem[1]
+
+Source contains programm outputs and example code.
+
+
+
+## Links
+http://taviso.decsystem.org/scanmem.html
+
+## Downloads
+scan_memory.tar.gz -
+2KiB - http://archive.main.lv/files/writeup/scan_memory_for_variable/scan_memory.tar.gz \ No newline at end of file
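Review bot: the loop in main() of the example program never terminates on EOF or on non-numeric input, because the return value of `scanf("%u",&tmp);` is ignored and `tmp = 0;` then feeds 0 back into `secret_dw` on every iteration; check the result (`if (scanf("%u", &tmp) != 1) break;`) so the program can exit cleanly when stdin closes. Two presentation points in the same hunk: the `make` instruction is wrapped in two backticks instead of the three-backtick fence used everywhere else in the file, and the sentence "As we searching 4 byte value of uint we defining it by setting up option" sits inside the scanmem output fence, so it renders as tool output rather than as the explanation of `option scan_data_type int32`. Minor: `\b` in `printf("\bExit\n");` emits a backspace and looks unintended, `<stdlib.h>` is included but unused, and the `secret_dw != -1` test on an unsigned variable only exits when the user types 4294967295, which the text never mentions.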