enchong Posted November 14, 2009 Posted November 14, 2009 #include <NomadMemory.au3> #include<MemoryGetBaseAddressUDF.au3> SetPrivilege("SeDebugPrivilege", 1) $pid = ProcessExists("Tutorial.exe") ;Step 8: Multilevel pointers: (PW=525927) Global $Offset1[5] $Offset1[0] = 0 ; Is ALWAYS 0. $Offset1[1] = Dec("c") $Offset1[2] = Dec("14") $Offset1[3] = Dec("0") $Offset1[4] = Dec("18") $StaticOffset = Dec("60c20") $openmem = _MemoryOpen($pid) ; Open the memory $baseADDR = _MemoryGetBaseAddress($openmem, 1) $finalADDR = "0x" & Hex($baseADDR + $StaticOffset) ; Creates the final static address you read from. $Value = _MemoryPointerRead($finalADDR, $openmem, $Offset1) _MemoryClose($openmem) ;ConsoleWrite ( "Address = " & $Value[0] & @CRLF & "Value = " & $Value[1] & @CRLF) MsgBox(0,"Error!","Error no: "& $Value[0] & " value: " & $Value[1]) Why is it that the Static Offset Value is "60c20" and not "460c20"?
Authenticity Posted November 14, 2009 Posted November 14, 2009 Usually the image base is 0x400000. You could use it but it's not guaranteed that the next time the "recommended" allocation base will be so. You can see the allocation base in CE, subtract that from the memory address and use the new RVA as the offset from the image base. You get the image base using:$baseADDR = _MemoryGetBaseAddress($openmem, 1)..and I might be wrong.
enchong Posted November 14, 2009 Author Posted November 14, 2009 You can see the allocation base in CE, subtract that from the memory address and use the new RVA as the offset from the image base. What memory address should i subtract?Please explain !
Authenticity Posted November 14, 2009 Posted November 14, 2009 It's, RVA = memoryaddr - imagebase. In the Tutorial.exe example it's 0x00460C20 (memoryaddr) - 0x00400000 (imagebase) = 0x00060c20. The 0x00400000 value may not be so in each and every case. To get this value, click the Memory view button and search for AllocationBase. Search the CE forums if you don't understand these topics.
enchong Posted November 15, 2009 Author Posted November 15, 2009 (edited) so you mean the "0x00460C20"(memoryaddr) might be constant or not? Anyone, who can give their ideas? Edited November 15, 2009 by enchong
enchong Posted November 15, 2009 Author Posted November 15, 2009 (edited) okay... i think i got it now! PS: SOrry for the double post... Edited November 15, 2009 by enchong
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now