Heap Scanning

From The Ghar Station Wiki
Jump to: navigation, search

Heap Scanning is the process of reading the details within RIFT memory space.

The particulars of actually capturing the memory are not covered here, only discussion of the "HoT" allocator.

RIFT uses two main methods to allocate memory.

  1. Heaps
  2. HotAllocators

The Heap is the standard C malloc heap. Generally this is only used by 3rd party libraries or other small functions.

The HotAllocator is a special allocator that manages it's own heap, also known as a "Tagged" heap.


HotAllocators

HotAllocators use the Win32 function VirtualAlloc to create memory.

RIFT creates two different types of Allocators, "General Purpose" and "Specialized".

The general purpose allocator is named "HoTAllocator" (where HoT stands for "Heroes of Telara" the original name of RIFT). The specialized Allocators use names like "Gamebryo" or "Audio" to indicate their purpose.

As of this writing, the allocators used are:

  • HoTAllocator
  • Audio
  • Gamebryo
  • Scaleform
  • Tsunami
  • DDB
  • PropertySystem
  • ClothSim
  • Network
  • HoTPhysics
  • HttpRequest
  • TwnFxMemory
  • ExpressionMemory
  • ClientRenderable
  • ClientEntity

Obfuscation

RIFT uses a variety of methods to obfuscate and prevent easy reading of it's memory.

One method is the use of encrypted memory pointers. When used, encryption is done via a simple XOR with a fixed value. As of this writing, encryption for the memory allocators appears to be disabled and not used (however it was enabled in some past builds).

Another method is the addition of random bytes to memory allocations. As of this writing, this ability appears to be disabled by setting a memory location.

Globally Linked List

Allocators are created and inserted into a global linked list. The first allocator is always "HotAllocator". You can find the this allocator by finding the string "HoTAllocator" and then doing a search for the address of that string. That will give you the Heap Allocator object that will contain references to the next and previous in the linked list.


Allocator heap memory

When an allocator is first created it creates a memory block and adds an initial memory entry that is 0x1E0 in size. This is the Heap header block and contains links to further heap blocks, sizes of heaps and other information about allocations.

When an allocation of memory is requested, the memory block is filled by the allocator with new memory entries. Memory allocations for memory entries are rounded to the next 8 bytes.

When the block is full, a new memory block is allocated and a pointer stored in the header entry to a "heap footer".

Heaps generally end with a repeating sequence of 3 "00 00 00 07" bytes. However, if there is only a single memory block, this may not exist.

Heap footer

The heap footer is a structure that defines where a block of memory starts and how big it is. It also contains a pointer to the next heap memory block (and footer) if this memory block is full.

Deleted entries

It is unknown how memory entries are tagged as deleted.

Memory Entries

Each memory entry is specific to it's purpose. There is no way specific way to determine what the memory entry represents apart from guessing based on the size of the allocation and the allocator that is used. For example, every ClientEntity block is always the same size and uses the same Heap Allocator "ClientEntity".

Every memory entry is made up of: - an unknown int - It is unknown what this value represents. - A "data size" int. This value rounded DOWN to the nearest 8 is the amount of data allocated in this entry. - data - The data for this entry padded by zero to the next highest 8 byte boundary. The contents depend on the use of this entry.

Property System

RIFT uses a "property system" to add properties to objects. This is how links between ClientRenderable and it's model are gathered. All property system allocations are made on the "PropertySystem" heap.

ClientRenderable

Client renderable blocks contain rotation, scale, position and links to Gamebryo. The always (as of writing) take up 1416 bytes of memory.

ClientEntity

Contains details about the entities, including TEMPLATEID (as per the items.xml file from RIFT CDN)