
Memory UDF


Szhlopp

Hrm, ok well I usually mess around with CE with WoW, and I always find non static addresses that I have to find a pointer for, but I always find on another site the "Player Address" (which is an address that contains all player data) plus its offset, and I could never find out how to find either of them =\. I always tend to have to do things the hard way when it comes to memory editing.


  • 2 months later...

I tried this.

#include<NomadMemory.au3>
#include<MemoryGetBaseAddressUDF.au3>
$ID=_MemoryOpen(ProcessExists("Client.exe"))
$pid = ProcessExists("Client.exe")
$Offset = Dec("00466BBC")
$openmem = _MemoryOpen($pid)
$baseADDR = _MemoryGetBaseAddress($openmem, 1)
$FinalStatic = "0x" & Hex($baseADDR + $Offset)
MsgBox(0,"",$FinalStatic)
$read=_memoryread($finalstatic,$openmem)
MsgBox(0,"",$read)
_MemoryClose($ID)

But it returned a false address :/


  • 1 month later...

"Library.dll+offset" solution:

Func _MemoryModuleGetBaseAddress($iPID, $sModule)
    If Not ProcessExists($iPID) Then Return SetError(1, 0, 0)

    If Not IsString($sModule) Then Return SetError(2, 0, 0)

    ;Get Process Handle
    Local $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020) ; CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION, VM_READ, VM_WRITE
    Local $aOpen = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $iPID)
    ; Stop here if the process could not be opened (nothing to enumerate)
    If @error Or Not $aOpen[0] Then Return SetError(-1, 0, 0)
    Local $hProcess = $aOpen[0]

    Local $PSAPI = DllOpen("psapi.dll")
    Local $pBase = 0

    ;EnumProcessModules
    Local $Modules = DllStructCreate("ptr[1024]")
    Local $aCall = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($Modules), "dword", DllStructGetSize($Modules), "dword*", 0)
    If Not @error And $aCall[4] > 0 Then
        ; Bytes returned / pointer size = module count (a pointer is 8 bytes in a 64-bit script, not 4)
        Local $iModnum = $aCall[4] / (DllStructGetSize($Modules) / 1024)
        If $iModnum > 1024 Then $iModnum = 1024 ; never read past the buffer
        Local $aTemp
        For $i = 1 To $iModnum
            $aTemp = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", Ptr(DllStructGetData($Modules, 1, $i)), "wstr", "", "dword", 260)
            If Not @error And $aTemp[3] = $sModule Then
                $pBase = Ptr(DllStructGetData($Modules, 1, $i))
                ExitLoop
            EndIf
        Next
    EndIf

    ; Release the process handle and the DLL on every path
    DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $hProcess)
    DllClose($PSAPI)
    If Not IsPtr($pBase) Then Return SetError(-1, 0, 0)
    Return $pBase
EndFunc

Feel free to include!

Based on ModuleSpy from wraithdu.

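The function in the post above opens the target with access mask 0x043A, while EnumProcessModules and GetModuleBaseName only need PROCESS_QUERY_INFORMATION and PROCESS_VM_READ. The following is an added example, not code from the thread: it decodes a process-access mask as it appears in the GrantedAccess field of a Sysmon ProcessAccess (Event ID 10) record and reports which rights go beyond module enumeration. The event records, paths and function names are constructed for illustration.

```python
# Added example; the event records below are constructed, not real telemetry.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# EnumProcessModules / GetModuleBaseName need only these two rights.
ENUM_MODULES_NEEDS = 0x0400 | 0x0010
# Rights that let the caller modify the target or start a thread in it.
TAMPER_RIGHTS = 0x0002 | 0x0008 | 0x0020


def decode_access(mask):
    """Return the names of the rights set in a process access mask."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    known = 0
    for bit in PROCESS_RIGHTS:
        known |= bit
    if mask & ~known:
        names.append("UNKNOWN_0x%X" % (mask & ~known))
    return names


def review_event(event):
    """Summarise one ProcessAccess-style record (dict with hex GrantedAccess)."""
    mask = int(event["GrantedAccess"], 16)
    return {
        "source": event["SourceImage"],
        "target": event["TargetImage"],
        "granted": decode_access(mask),
        "excess": decode_access(mask & ~ENUM_MODULES_NEEDS),
        "tamper_capable": bool(mask & TAMPER_RIGHTS),
        "can_enumerate_modules": mask & ENUM_MODULES_NEEDS == ENUM_MODULES_NEEDS,
    }


SAMPLE_EVENTS = [  # constructed records
    {"SourceImage": r"C:\Tools\script.exe", "TargetImage": r"C:\Games\Client.exe", "GrantedAccess": "0x43A"},
    {"SourceImage": r"C:\Tools\lister.exe", "TargetImage": r"C:\Games\Client.exe", "GrantedAccess": "0x410"},
    {"SourceImage": r"C:\Tools\monitor.exe", "TargetImage": r"C:\Games\Client.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(review_event(ev))
```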

  • 3 weeks later...

"Library.dll+offset" solution:

Sweet!!! Great job!

I'm going to test this fairly soon here. If it works I would gladly add this in!


  • 2 weeks later...
  • 2 weeks later...

Can someone give me an example of how to use _MemoryModuleGetBaseAddress, please? I tried this:

$iPID = WinGetProcess("Test")
$sModule = ("test.dll+1A128")
$baseADDR = _MemoryModuleGetBaseAddress($iPID, $sModule)

but it doesn't work :P


  • 2 months later...
  • 4 weeks later...

After many tests with Cheat Engine this function DOES NOT work ... If you open a process with Cheat Engine and then press Memory View, on AllocationBase you see the correct address.

That address is different for each process, but using the GetBaseAddress function from AutoIt you get the same address for all exes.

Usually 0x00400000 or for games 0x00350000

Any ideas why this happens ????


  • 1 month later...

Hey, can someone help me? Shouldn't this work? But it doesn't. Can someone tell me what I have done wrong?

Engine.exe is the process name

Address is 08FE965C

and it's a static with cshell.dll+48965C

#include <NomadMemory.au3>
#include <GUIConstants.au3>
#include <GUIListBox.au3>
#include <Misc.au3>
#include <Array.au3>
HotKeySet("{F2}","poke")

Func poke()
    $ID=_MemoryOpen(ProcessExists("Engine.exe"))
    $iPID = WinGetProcess("cshell")
    $sModule = "cshell.dll"
    $iOffset = 0x48965C
    $baseADDR = _MemoryModuleGetBaseAddress($iPID, $sModule) + $iOffset
    _MemoryWrite($BaseADDR, $ID, 550)
    _MemoryClose($iPID)
EndFunc

While 1
    sleep(1000)
WEnd

Func _MemoryModuleGetBaseAddress($iPID, $sModule)
    If Not ProcessExists($iPID) Then Return SetError(1, 0, 0)
    
    If Not IsString($sModule) Then Return SetError(2, 0, 0)
    
    Local   $PSAPI = DllOpen("psapi.dll")
    
    ;Get Process Handle
    Local   $hProcess
    Local   $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020) ; CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION, VM_READ, VM_WRITE
    
    If $iPID > 0 Then
        Local $hProcess = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $iPID)
        If $hProcess[0] Then
            $hProcess = $hProcess[0]
        EndIf
    EndIf
    
    ;EnumProcessModules
    Local   $Modules = DllStructCreate("ptr[1024]")
    Local   $aCall = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($Modules), "dword", DllStructGetSize($Modules), "dword*", 0)
    If $aCall[4] > 0 Then
        Local   $iModnum = $aCall[4] / 4
        Local   $aTemp
        For $i = 1 To $iModnum
            $aTemp =  DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", Ptr(DllStructGetData($Modules, 1, $i)), "wstr", "", "dword", 260)
            If $aTemp[3] = $sModule Then
                DllClose($PSAPI)
                Return Ptr(DllStructGetData($Modules, 1, $i))
            EndIf
        Next
    EndIf
    
    DllClose($PSAPI)
    Return SetError(-1, 0, 0)
    
EndFunc
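The post above gives the same location twice, as the absolute address 08FE965C and as cshell.dll+48965C. The following added example (not code from the thread) shows how the two forms relate: a module-relative expression is resolved against a list of loaded modules, and an absolute address is mapped back to module+offset, so the absolute value changes whenever the module is loaded at a different base. The module bases and sizes and the names `resolve` and `symbolize` are assumptions made for illustration.

```python
from bisect import bisect_right

# Constructed module lists (name, load base, image size). The values are
# assumptions chosen so that cshell.dll+48965C lands on 0x08FE965C in run 1.
MODULES_RUN_1 = [
    ("Engine.exe", 0x00400000, 0x00250000),
    ("cshell.dll", 0x08B60000, 0x00600000),
]
# The same modules in a second run where cshell.dll was loaded elsewhere.
MODULES_RUN_2 = [
    ("Engine.exe", 0x00400000, 0x00250000),
    ("cshell.dll", 0x09C40000, 0x00600000),
]


def resolve(expr, modules):
    """Turn 'module+hexoffset' into an absolute address for one module list."""
    name, sep, offset_text = expr.partition("+")
    if not sep:
        raise ValueError("expected 'module+offset', got %r" % expr)
    offset = int(offset_text, 16)
    for mod_name, base, size in modules:
        # The module name is matched on its own; the '+offset' part is not
        # part of the name and is added only after the base is known.
        if mod_name.lower() == name.strip().lower():
            if offset >= size:
                raise ValueError("offset 0x%X is outside %s" % (offset, mod_name))
            return base + offset
    raise LookupError("module %r is not loaded" % name)


def symbolize(address, modules):
    """Turn an absolute address back into 'module+OFFSET', or None."""
    ordered = sorted(modules, key=lambda m: m[1])
    index = bisect_right([m[1] for m in ordered], address) - 1
    if index < 0:
        return None
    name, base, size = ordered[index]
    if address - base >= size:
        return None  # address falls in a gap between modules
    return "%s+%X" % (name, address - base)


if __name__ == "__main__":
    for run in (MODULES_RUN_1, MODULES_RUN_2):
        print(hex(resolve("cshell.dll+48965C", run)), symbolize(0x08FE965C, run))
```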

  • 1 month later...
  • 4 months later...

update: Thanks to avati for clarifying that the code doesn't work, post reported to mods as useless.

Allow me to start with stating that I'm a complete utter-n00b when it comes to coding;

Thanks for the effort on trying to simplify the whole memory reading thing, gives me headache and imho not only me;

OP, could you please point me to the field where I paste Game.dll+000B298C and get the real address ? Since I wasn't able to find such a variable, although this ability is advertised.

thanks!

Edited by v22

"Library.dll+offset" solution:

always returns "0"
Link to comment
Share on other sites

update: Thanks to avati for clarifying that the code doesn't work, post reported to mods as useless.

Allow me to start with stating that I'm a complete utter-n00b when it comes to coding;

Thanks for the effort on trying to simplify the whole memory reading thing, gives me headache and imho not only me;

OP, could you please point me to the field where I paste Game.dll+000B298C and get the real address ? Since I wasn't able to find such a variable, although this ability is advertised.

thanks!

This DOES work. Let me explain Avati's post...

When you see the AllocationBase in CE, it's FOR that memory section. So yes, they don't always match, but it doesn't matter, as this provides you with the one you need. If for some reason it doesn't return the right value (I've seen it twice in all the things I've hacked), edit the IV_start address or whatever it's called. Should be like 0x00100000, change it to 0x00500000. But as I said, that shouldn't be necessary.

If ANYONE is having problems reading the address, use my function http://www.autoitscript.com/forum/index.php?showtopic=99631

Sorry I've been gone for 5 months. So I haven't been on at all =)


  • 3 months later...

it's FOR that memory section.

Before I start studying your script, I would like to know if I'm just going to waste my time.

It is my understanding that both Dynamic and Static addresses are called pointers, because they point to a different address, which is inside the Memory Viewer.

What I'm trying to do is read the value of that address that is found inside the Memory Viewer.

Can your script do that? Or does your script only deal with static addresses?

Edited by Chaki

  • 6 months later...

Sorry to dig up an old thread, but is there any way to use this with Windows 7? I keep getting "Failed to find correct allocation address", which is error state 2. A shot of code below. Thanks! This code is working in Windows XP, just not W7.

$BaseAddress = _MemoryGetBaseAddress($hMemory, 1)
   If $BaseAddress = 0 Then
      Select
         Case @error = 1
            MsgBox(0, "Error", "Error getting base address: " & @CRLF & "Invalid handle to open process")
         Case @error = 2
            MsgBox(0, "Error", "Error getting base address: " & @CRLF & "Failed to find correct allocation address")
         Case @error = 3
            MsgBox(0, "Error", "Error getting base address: " & @CRLF & "Failed to read from the specified process")
      EndSelect
   EndIf
Edited by Opeth