AutID
Posted September 27, 2013

Hello,

In our offices we are sharing a small client so we can talk to each other either from other floors or from home. The problem is that the client is open to everyone, which is not good. While trying to read or write I usually get lost from others chatting. I want to make a small GUI that will display the chat so then I can handle it and display only the things I need from the users I select.

To get the memory I used Cheat Engine. I am not really good at it but I maybe found a static address. Well, since I restart the client and when I embed it to the Cheat Engine the address works again. This is the output of the address.

    <?xml version="1.0"?>
    <CheatTable>
      <CheatEntries>
        <CheatEntry>
          <ID>7</ID>
          <Description>"pointerscan result"</Description>
          <Color>80000008</Color>
          <VariableType>String</VariableType>
          <Length>10</Length>
          <Unicode>0</Unicode>
          <ZeroTerminate>1</ZeroTerminate>
          <Address>"tc_client.exe"+00AB6884</Address>
          <Offsets>
            <Offset>A8</Offset>
            <Offset>4</Offset>
            <Offset>1C</Offset>
            <Offset>34C</Offset>
            <Offset>D0</Offset>
          </Offsets>
        </CheatEntry>
      </CheatEntries>
    </CheatTable>

The problem is that I don't understand those addresses very well. In the Cheat Engine the address is written like this: P-> 101BB0F8, which I suppose means that the address points to this address. It changes though when I restart the .exe, but when I reload the window at the Cheat Engine it works again. How am I supposed to read that memory?

This is a small reproducer:

    SetPrivilege("SeDebugPrivilege", 1)
    $PID = WinGetProcess("window")
    $Process = _MemoryOpen($PID)
    $MM_dll = _MemoryModuleGetBaseAddress($PID, "MM.dll")
    $Location = _ProcessGetLocation($PID)
    $read = _MemoryRead($MM_dll + 0x00AB6884, $Process)
    If @error Then ConsoleWrite(@error & @LF & @extended)
    ConsoleWrite($read & @LF)
    _MemoryClose($Process)

I saw some examples on the internet of how to add offsets but didn't make it work :/

https://iblockify.wordpress.com/

FireFox
Posted September 27, 2013

Hi,
I use the KryMemory UDF for the pointers.
To get the offsets in cheat engine, search for a tutorial on google.
Br, FireFox.

AutID
Posted September 27, 2013

> Hi,
> I use the KryMemory UDF for the pointers.
> To get the offsets in cheat engine, search for a tutorial on google.
> Br, FireFox.

What tutorial? Please read the topic more carefully... There is an address up there with 5 offsets... I just don't know how to add the offsets to the address so I can read it...

water
Posted September 27, 2013

A simple calculation: Newaddress = baseaddress + offset.

My UDFs and Tutorials:
UDFs:
- Active Directory (NEW 2022-02-19 - Version 1.6.1.0)
- ExcelChart (2017-07-21 - Version 0.4.0.1)
- OutlookEX (2021-11-16 - Version 1.7.0.0)
- OutlookEX_GUI (2021-04-13 - Version 1.4.0.0)
- Outlook Tools (2019-07-22 - Version 0.6.0.0)
- PowerPoint (2021-08-31 - Version 1.5.0.0)
- Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1)
Standard UDFs: Excel, Word
Tutorials: ADO, WebDriver

FireFox
Posted September 27, 2013

> What tutorial? Please read the topic more carefully... There is an address up there with 5 offsets... I just don't know how to add the offsets to the address so I can read it...

I read it.

AutID
Posted September 27, 2013

> A simple calculation: Newaddress = baseaddress + offset.

Yeah but how? It doesn't work like math for me. I tried adding all offsets, and each time I added one, returning a ConsoleWrite with a memory read of the value to see if the main address was read, but nothing... The memory points to the user name of the client, which is me. But it doesn't return it... Although when I re-run the .exe and attach it to the Cheat Engine with the stored address it works... I turned it into text instead of 4 bytes and then changed its value to see if it works, and the value changed... That's why I am saying it works... I searched a little bit on Google and found some examples on a site called ownedcore, which was for some games I suppose, but I still can't make it work...

> I read it.

Then my English is bad. Really bad. There is no other explanation.

Edited September 27, 2013 by AutID

AutID
Posted September 28, 2013

This is what I tried so far with the Cheat Engine output of the first post and it doesn't work...

    #RequireAdmin
    #include <NomadMemory.au3>

    Global $offset1 = 0xA8
    Global $offset2 = 0x4
    Global $offset3 = 0x1C
    Global $offset4 = 0x34C
    Global $offset5 = 0xD0

    SetPrivilege("SetDebugPrivilege", 1)
    $PID = WinGetProcess("window")
    $Process = _MemoryOpen($PID)
    $MM_dll = _MemoryModuleGetBaseAddress($PID, "MM.dll")
    $read = _MemoryRead(Hex($MM_dll) + 0x00AB6884, $Process)
    $r = _MemoryRead($read,$Process)
    $r = _MemoryRead($r + $offset1,$Process)
    $r = _MemoryRead($r + $offset2,$Process)
    $r = _MemoryRead($r + $offset3,$Process)
    $r = _MemoryRead($r + $offset4,$Process)
    $r = _MemoryRead($r + $offset5,$Process)
    ConsoleWrite($r & @LF)
    _MemoryClose($Process)

    Func _MemoryModuleGetBaseAddress($iPID, $sModule)
        If Not ProcessExists($iPID) Then Return SetError(1, 0, 0)
        If Not IsString($sModule) Then Return SetError(2, 0, 0)
        Local $PSAPI = DllOpen("psapi.dll")
        Local $hProcess
        Local $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020)
        If $iPID > 0 Then
            Local $hProcess = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $iPID)
            If $hProcess[0] Then
                $hProcess = $hProcess[0]
            EndIf
        EndIf
        Local $Modules = DllStructCreate("ptr[1024]")
        Local $aCall = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($Modules), "dword", DllStructGetSize($Modules), "dword*", 0)
        If $aCall[4] > 0 Then
            Local $iModnum = $aCall[4] / 4
            Local $aTemp
            For $i = 1 To $iModnum
                $aTemp = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", Ptr(DllStructGetData($Modules, 1, $i)), "wstr", "", "dword", 260)
                If $aTemp[3] = $sModule Then
                    DllClose($PSAPI)
                    Return Ptr(DllStructGetData($Modules, 1, $i))
                EndIf
            Next
        EndIf
        DllClose($PSAPI)
        Return SetError(-1, 0, 0)
    EndFunc   ;==>_MemoryModuleGetBaseAddress

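The multi-level pointer walk this thread is about, as an added Python example that is not code from any poster and runs against a constructed in-memory image rather than a live process. `SimulatedMemory`, `MODULE_BASE`, the heap addresses, the sample string and the order in which the page's offsets are applied are all assumptions made for illustration.

```python
import struct

STATIC_OFFSET = 0x00AB6884                   # from the cheat table on this page
OFFSETS = [0xA8, 0x4, 0x1C, 0x34C, 0xD0]     # page values; application order assumed
MODULE_BASE = 0x00400000                     # constructed; differs per run on a real system

class SimulatedMemory:
    """Constructed stand-in for a 32-bit process image: {start_address: bytes}."""
    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, size):
        for start, data in self.regions.items():
            if start <= addr and addr + size <= start + len(data):
                return data[addr - start:addr - start + size]
        raise LookupError(f"unmapped read of {size} bytes at {addr:#010x}")

def read_u32(mem, addr):
    return struct.unpack("<I", mem.read(addr, 4))[0]

def resolve_chain(mem, module_base, static_offset, offsets):
    """Return the ADDRESS of the value: one dereference, then one add, per offset."""
    addr = module_base + static_offset       # integer arithmetic, never hex strings
    for level, off in enumerate(offsets, 1):
        try:
            addr = read_u32(mem, addr) + off # the last add is NOT followed by a dereference
        except LookupError as exc:
            raise LookupError(f"chain broke at level {level}: {exc}") from None
    return addr

def read_cstring(mem, addr, max_len):
    """Read a zero-terminated ASCII string of at most max_len bytes."""
    out = bytearray()
    for i in range(max_len):
        byte = mem.read(addr + i, 1)
        if byte == b"\x00":
            break
        out += byte
    return out.decode("ascii", "replace")

def build_sample(text):
    """Lay out constructed heap blocks so that the chain ends at `text`."""
    regions, slot = {}, MODULE_BASE + STATIC_OFFSET
    for i, off in enumerate(OFFSETS):
        block = 0x10000000 + i * 0x1000      # constructed heap addresses
        regions[slot] = struct.pack("<I", block)
        slot = block + off
    regions[slot] = text.encode("ascii") + b"\x00" * 4
    return SimulatedMemory(regions)
```

Reading four bytes as an integer at the resolved address returns the first characters of the string as a number, so the final read has to use the value's own type and length (String, Length 10, zero-terminated in the cheat table above).
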
water
Posted September 28, 2013

"Does not work" is not very helpful. Do you get wrong results, error messages ...?
I suggest adding some error checking to your script. There are a lot of functions in your script that return an error value or set @error in case of a problem.

AutID
Posted September 28, 2013

I set an error check in every line but none of them returned an error.

water
Posted September 28, 2013

Can you please always post the complete script you are testing with? So we know what to suggest next.

AutID
Posted September 29, 2013

    #RequireAdmin
    #include <NomadMemory.au3>

    Global $offset1 = 0xA8
    Global $offset2 = 0x4
    Global $offset3 = 0x1C
    Global $offset4 = 0x34C
    Global $offset5 = 0xD0

    SetPrivilege("SetDebugPrivilege", 1)
    $PID = WinGetProcess("window")
    If @error Then ConsoleWrite("Process get error: " & @error)
    $Process = _MemoryOpen($PID)
    If @error Then ConsoleWrite("Process open error: " & @error)
    $MM_dll = _MemoryModuleGetBaseAddress($PID, "MM.dll")
    If @error Then ConsoleWrite("MM_dll error: " & @error)
    $read = _MemoryRead(Hex($MM_dll + 0x00AB6884, $Process)
    If @error Then ConsoleWrite("Read error: " & @error)
    $r = _MemoryRead($read,$Process)
    If @error Then ConsoleWrite("r error: " & @error)
    ConsoleWrite($r & @LF)
    $r = _MemoryRead($r + $offset1,$Process)
    $r = _MemoryRead($r + $offset2,$Process)
    $r = _MemoryRead($r + $offset3,$Process)
    $r = _MemoryRead($r + $offset4,$Process)
    $r = _MemoryRead($r + $offset5,$Process)
    ConsoleWrite($r & @LF)
    _MemoryClose($Process)

    Func _MemoryModuleGetBaseAddress($iPID, $sModule)
        If Not ProcessExists($iPID) Then Return SetError(1, 0, 0)
        If Not IsString($sModule) Then Return SetError(2, 0, 0)
        Local $PSAPI = DllOpen("psapi.dll")
        Local $hProcess
        Local $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020)
        If $iPID > 0 Then
            Local $hProcess = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $iPID)
            If $hProcess[0] Then
                $hProcess = $hProcess[0]
            EndIf
        EndIf
        Local $Modules = DllStructCreate("ptr[1024]")
        Local $aCall = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($Modules), "dword", DllStructGetSize($Modules), "dword*", 0)
        If $aCall[4] > 0 Then
            Local $iModnum = $aCall[4] / 4
            Local $aTemp
            For $i = 1 To $iModnum
                $aTemp = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", Ptr(DllStructGetData($Modules, 1, $i)), "wstr", "", "dword", 260)
                If $aTemp[3] = $sModule Then
                    DllClose($PSAPI)
                    Return Ptr(DllStructGetData($Modules, 1, $i))
                EndIf
            Next
        EndIf
        DllClose($PSAPI)
        Return SetError(-1, 0, 0)
    EndFunc   ;==>_MemoryModuleGetBaseAddress

AutID
Posted September 29, 2013

This is a pic so it is all clear. I help you to help me

AutID
Posted September 29, 2013

Any ideas people?!?!

AutID
Posted October 2, 2013

As I am seeing, the _MemoryModuleGetBaseAddress doesn't return the modules loaded with the process. Actually it returns an error -1.
Searching on the internet for some solutions I found another function from @monoceres, _ProcessGetLoadedModules($iPID)

    Func _ProcessGetLoadedModules($iPID)
        Local Const $PROCESS_QUERY_INFORMATION=0x0400
        Local Const $PROCESS_VM_READ=0x0010
        Local $aCall, $hPsapi=DllOpen("Psapi.dll")
        Local $hProcess, $tModulesStruct
        $tModulesStruct=DllStructCreate("hwnd [200]")
        Local $SIZEOFHWND = DllStructGetSize($tModulesStruct)/200
        $hProcess=_WinAPI_OpenProcess(BitOR($PROCESS_QUERY_INFORMATION,$PROCESS_VM_READ),False,$iPID)
        If Not $hProcess Then Return SetError(1,0,-1)
        $aCall=DllCall($hPsapi,"int","EnumProcessModules","ptr",$hProcess,"ptr",DllStructGetPtr($tModulesStruct),"dword",DllStructGetSize($tModulesStruct),"dword*","")
        If $aCall[4]>DllStructGetSize($tModulesStruct) Then
            $tModulesStruct=DllStructCreate("hwnd ["&$aCall[4]/$SIZEOFHWND&"]")
            $aCall=DllCall($hPsapi,"int","EnumProcessModules","ptr",$hProcess,"ptr",DllStructGetPtr($tModulesStruct),"dword",$aCall[4],"dword*","")
        EndIf
        Local $aReturn[$aCall[4]/$SIZEOFHWND]
        For $i=0 To Ubound($aReturn)-1
            $aCall=DllCall($hPsapi,"dword","GetModuleFileNameExW","ptr",$hProcess,"ptr",DllStructGetData($tModulesStruct,1,$i+1),"wstr","","dword",65536)
            $aReturn[$i]=$aCall[3]
        Next
        _WinAPI_CloseHandle($hProcess)
        DllClose($hPsapi)
        Return $aReturn
    EndFunc

This function though doesn't return the modules loaded with the process. It returns the ID of it.
Guys please, if you have some free time give me a hand here.

FireFox
Posted October 2, 2013

If you want to get the modules of a process, use the WinAPI function EnumProcessModules.
Br, FireFox.

AutID
Posted October 5, 2013

> If you want to get the modules of a process, use the WinAPI function EnumProcessModules.
> Br, FireFox.

The function in post #14 does that but it returns an error. Actually the winapi can open the process. I don't know why...