Today, I found this GitHub project about how to write to exe files with python programming language
The author say:
CS:GO radar hack achieved by patching one byte of game memory. Written in Python 3.
I don't test it, but good to know how can use these python modules.
The pymem Python library that allows you to interact with the memory of running Windows processes.
- Reading and writing memory values of other processes
- Scanning memory for byte patterns
- Allocating and freeing memory inside another process
- Accessing modules (DLLs) loaded by a process
- This is often used in game hacking, automation, or debugging tools.
NOTE: I used artificial intelligence to write this simple example, it is more productive in programs with more complex syntax, but the basics of programming must be known...
Let's see one example with edge browser open:
import pymem
import pymem.process
import re
# Open the Edge process (make sure it's running)
pm = pymem.Pymem("msedge.exe")
# Get the main module of the process
module = pymem.process.module_from_name(pm.process_handle, "msedge.exe")
base = module.lpBaseOfDll
size = module.SizeOfImage
# Read the module's memory
data = pm.read_bytes(base, size)
# Search for a test pattern (generic example)
pattern = re.search(rb'\x48\x89\x5C\x24\x08\x57\x48\x83', data)
if pattern:
address = base + pattern.start()
print(f"Pattern found at: {hex(address)}")
# Read 8 bytes from the found address
raw = pm.read_bytes(address, 8)
print("Raw bytes:", raw)
# Interpret the bytes as a little-endian integer
value = int.from_bytes(raw, byteorder='little')
print("Integer value:", value)
# Write a new value (e.g., 12345678)
new_value = (12345678).to_bytes(8, byteorder='little')
pm.write_bytes(address, new_value, 8)
print("Value overwritten with 12345678.")
else:
print("Pattern not found.")
# Close the process handle
pm.close_process()
What is that patern:
pattern = re.search(rb'\x48\x89\x5C\x24\x08\x57\x48\x83', data)These bytes correspond to x86-64 assembly instructions. For example:
48 89 5C 24 08 → mov [rsp+8], rbx
57 → push rdi
48 83 → the start of an instruction like add/sub/cmp with a 64-bit operandThis sequence is typical for the prologue of a function in compiled C++ code — saving registers to the stack.
This is a simple example, you don't see anything in edge because is just one search and one overwritten:
python pymem_exemple_002.py
Pattern found at: 0x7ff7180cb3d5
Raw bytes: b'H\x89\\$\x08WH\x83'
Integer value: 9459906709773125960
Value overwritten with 12345678.You replaced those 8 bytes with the integer 12345678, encoded as: 4E 61 BC 00 00 00 00 00 (in hex)
This corrupts the original instruction, which may crash Edge or cause undefined behavior.
Not crash, maybe my edge browser use protections (ASLR, DEP, CFG) that can make modification unstable.
--------
1. ASLR (Address Space Layout Randomization)
2. DEP (Data Execution Prevention)
3. CFG (Control Flow Guard)