Home/ Questions/Q 6113883
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T14:54:36+00:00

I have to find a button’s name in a running process memory in Mac

  • 0

I have to find a button’s name in a running process memory in Mac OSX and change it.

Supposing there is a “Test” application where it has a “Hello” button, is there any way to attach to “Test” application and change the “Hello!” button to “Bye!”?

I assume this could be done either using GDB or Xcode. If not, how can I do this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Edit

    Assuming you are really looking for dynamic data (as opposed to what your sample seemed to suggest :)) you could always just work with the debugger commands. This will require you to have a sense of the possible memory range to scan (or you’ll simply get useless memory violations):

    Use gdb commands, loop constructs and libc functions

    # assume 0x1234 is a likely base address, say for the heap
(gdb) set $x=0x1234
(gdb) set $y = strdup("lookforthistext")
(gdb) while(0!=memcmp($x++, $y, 15) && $x<0x4321)
    >end
(gdb) p $x
(gdb) x $x

    This example scans the region 0x1234…0x4321 for the first match and prints/examines the output address.

    You can use similar tricks (strncpy…?) to overwrite the memory if you had access to it.
    Of course the program may fail dramatically if you do things like changing the length of a substring.. YMMV).

    Consider saving your concocted commands as a script (turn on logging, use .gdbinit or even create gdb functions; sadly I know little about the latter)

    Original answer:

    You “need to”? I doubt it. Your best bet is to work with the windowing/UI API’s of your operating system to retrieve the actual window that display the text and make it display another text (usually by sending it appropriate control messages). You’ll need plenty of COW powers (think: root) to pull that off.

    To answer the direct question:

    Usually, messages like this are constants (static data) and as such are either

    1. present in the data segment
    2. read (memory mapped pages) from resources

    Both of which are usually (these days at least) in read-only memory segments (think of sharing of memory mapped pages; this gives the kernel opportunity to share mapped regions of shared binary objects between processes – also it serves the obvious security purposes).

    On the upside, 

    strings myprogram | grep 'Hello"

    will tell you whether you can use sed, a hex editor or any other suitable editor to manipulate the binary even before it starts. There are two drawbacks I can think of here:

    1. it is not dynamic (you can’t have the text change on the fly)
    2. it may break code signing (meaning the executable might get rejected by the OS because it has been modified).
    • 0