❔ Reading Memory comes out backwards?
I'm learning assembly / how to read and write from it and having an issue reading memory as hex values... it for some reason comes out backwards?
The program I'm reading from is 64-bit
It should be 1B154, as that's what Decimel 110932 is in Hex.
110932 is the decimal value I'm trying to read from memory.
Whats going on here?
35 Replies
Endian-ness
Endianness
In computing, endianness is the order or sequence of bytes of a word of digital data in computer memory. Endianness is primarily expressed as big-endian (BE) or little-endian (LE). A big-endian system stores the most significant byte of a word at the smallest memory address and the least significant byte at the largest.
A little-endian system, ...
Interesting, is the TL;DR to just reverse the buffer after reading it?
BinaryPrimitives.ReverseEndianness Method (System.Buffers.Binary)
Learn more about the System.Buffers.Binary.BinaryPrimitives.ReverseEndianness in the System.Buffers.Binary namespace.
You can use that
Also in theory the code could run on both big endian and little endian machines so you might want to check and only reverse if it doesn't match what you want.
https://learn.microsoft.com/en-us/dotnet/api/system.bitconverter.islittleendian?view=net-7.0
Popzi.exe has crashed.
Erm, yes. Information, thank you. I appreciate it.
So like, basically, I need to do something to not have it do that
Surely I'm not the first person to run into this and there's a simple answer?
Simple answer to what exactly?
I pointed to the method you can use to reverse the endianness if for some reason you want to treat the value as a different endianness from the system you are currently running on.
Right, thank you! I've just gotta figure out how to use this method 🙂
There are also a lot of helper methods that you can use if you are trying to read a buffer directly into a numeric variable:
https://learn.microsoft.com/en-us/dotnet/api/system.buffers.binary.binaryprimitives?view=net-7.0
BinaryPrimitives Class (System.Buffers.Binary)
Reads bytes as primitives with specific endianness.
mtreit#6470
REPL Result: Success
Console Output
Compile: 619.415ms | Execution: 67.695ms | React with ❌ to remove this embed.
Well there we go, I was just about to ask how to actually use it, granted the MS docs are.......... the most helpful unhelpful documentation to put it nicely 🙂
If you are starting with a buffer you would use the inverse methods:
ReadInt32BigEndian
for instance.mtreit#6470
REPL Result: Success
Console Output
Compile: 711.954ms | Execution: 121.206ms | React with ❌ to remove this embed.
Blah, this is messy lol ,Int64 Int32, Int, UsInt64, IntPtr which are all the same but totally not the same things and now big and small edians that go back to front
Does C# know how to read memory? I just wanna say read this address here and be given the hex value of the address 😐
I wonder if I'm better off doing this in C++, which is something I'd have never thought I'd say
Memory is memory, the issues you are having with Endianness won't change if you switch how you read that memory.
I see, am just learning more now... Big Endian is already superior to everything else since it makes the most sense xd... Down the rabbit hole I go
Aa an aside, the original note that coined the term endian for how bytes are ordered is kind of a fun read:
https://www.rfc-editor.org/ien/ien137.txt
I think you're misunderstanding the problem
The problem isn't really related to the coding language
Both C# and c++ can only abstract this away by the type system which prevents reading bytes on their own.
If you're gonna read plain bytes as useful info, you need to know what info they represent
Including stuff like endianness
No coding language can fix that except by doing what c# is ALREADY doing: remember that for you via type system
You're the one choosing to interact with the bytes without it, and this problem is a natural concequence of that. Someone even showed you a helpful function to remove the busywork of choosing to interpret these yourself, so you only have the actual problem left to deal with
👍 Understood and yeah, I was just getting a little overwhelmed, went from the basics of reading memory to a PHD in physical memory and their real-world quirks very fast lol - I understand why it is the way it is now and am continuing to understand it 🙂
and thank you both for your help also! I appreciate it
Hope you manage to get it working! Good luck!
Ty! 🙂
So I managed to get it to read memory and spit out Hex in the right Endian, which is fantastic 😄 I'm just now looking at Writing back to memory and wonder if there's any Endians to worry about, or if C# takes care of that for us?
The hex I'm trying to write, is just what was read + 2, so
1B154
+ 2 = 1B156
Bytes are written in exactly the order you pass them in as.
There is no automatic conversion from one order to another when you are dealing with actual byte arrays / buffers.
Perfect, understood - So my error must lie somewhere within my handling of
WriteProcessMemory
it seems 🤔 granted it's not writing the bufferIs WriteProcessMemory returning false?
Yes
If so you need to call GetLastError and see what error is happening...
Writing directly to process memory is...the kind of thing I would not expect to work in many cases.
invalid access to memory location time
Which is success according to MS docs, so I'm assuming I've done it wrong
also throwing 0 🤔
check your openprocess flags
Ah, it has to be called literally right after the
WriteProcessMemory
call - Now showing error 5 🙂 Let's see!
Access is denied. 😎 being ran as adminall the subsequent functions that call setlasterror will clear all the previous error codes so yes, getlasterror will only return the last function's results
Being admin doesn't matter if you opened the process handle without the necessary flags that allow writing to memory
Aha, so that's what this does 😄 Ty!
Gave it full access (0x1F0FFF) - We're writing bytes! Awesome!!
you should really be using a source gen wrapper
cswin32 is fine
Was this issue resolved? If so, run
/close
- otherwise I will mark this as stale and this post will be archived until there is new activity.