Jump to content
Sign in to follow this  
AutID

MemoryRead + offsets

Recommended Posts

AutID

Hello,

In our offices we are sharing a small client so we can talk to each other either from other floors or from home.
The problem is that the client is open to everyone which is not good. While trying to read or write i usually get lost from others chatting.
I want to make a small gui that will display the chat so then i can handle it and display only the things i need from the users i select.

To get the memory i used cheat engine. I am not really good at it but i maybe found a static address. Well since i restart the client and when i embedd it to the cheat engine the address works again.
This is the output of the address.

<?xml version="1.0"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>7</ID>
      <Description>"pointerscan result"</Description>
      <Color>80000008</Color>
      <VariableType>String</VariableType>
      <Length>10</Length>
      <Unicode>0</Unicode>
      <ZeroTerminate>1</ZeroTerminate>
      <Address>"tc_client.exe"+00AB6884</Address>
      <Offsets>
        <Offset>A8</Offset>
        <Offset>4</Offset>
        <Offset>1C</Offset>
        <Offset>34C</Offset>
        <Offset>D0</Offset>
      </Offsets>
    </CheatEntry>
  </CheatEntries>
</CheatTable>
The problem is that i dont understand very well those addresses. In the cheat engine the address is written like this: P-> 101BB0F8 which i suppose it means that the address points to this address. It changes though when i restart the .exe but when i reload the window at the cheat engine it works again.

How am i supposed to read that memory?

This is a small producer:
SetPrivilege("SeDebugPrivilege", 1)
$PID = WinGetProcess("window")
$Process = _MemoryOpen($PID)
$MM_dll = _MemoryModuleGetBaseAddress($PID, "MM.dll")
$Location = _ProcessGetLocation($PID)
$read = _MemoryRead($MM_dll + 0x00AB6884, $Process)
If @error Then ConsoleWrite(@error & @LF & @extended)
ConsoleWrite($read & @LF)

_MemoryClose($Process)
I saw some examples on internet how to add offsets but didnt make it work :/

Share this post


Link to post
Share on other sites
FireFox

Hi,

I use the KryMemory UDF for the pointers.

To get the offsets in cheat engine, search for a tutorial on google.

Br, FireFox.


 

OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture toolIP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control

 

Share this post


Link to post
Share on other sites
AutID

Hi,I use the KryMemory UDF for the pointers.To get the offsets in cheat engine, search for a tutorial on google.Br, FireFox.

What tutorial? Please read the topic more carefully... There is an address up there with 5 offsets... I just dont know how to add the offsets to the address so i can read it...

Share this post


Link to post
Share on other sites
water

A simple calculation: Newaddress = baseaddress + offset.


My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2018-12-03 - Version 1.4.11.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2018-10-31 - Version 1.3.4.1) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
PowerPoint (2017-06-06 - Version 0.0.5.0) - Download - General Help & Support
Excel - Example Scripts - Wiki
Word - Wiki
 
Tutorials:

ADO - Wiki

 

Share this post


Link to post
Share on other sites
FireFox

What tutorial? Please read the topic more carefully... There is an address up there with 5 offsets... I just dont know how to add the offsets to the address so i can read it...

I read it.

 

OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture toolIP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control

 

Share this post


Link to post
Share on other sites
AutID

A simple calculation: Newaddress = baseaddress + offset.

Yeah but how? It doesn't work like math for me. I tried adding all offests and each time i added one returning a consolewrite with a memoryread of the value to see if the main address was read but nothing...

The memory point to the user name of the client which is me. But it doesnt return it... Although when i re-run the .exe and attach it to the cheat engine with the stored address it works... I turned it in a text instead of 4 bytes and then changing its value to see if it works and the value changed... That's why i am saying it works...

I searched a little bit on google and founded some examples on an site called ownedcore which was for some games i suppose but i still cant make it work...

I read it.

Then my english are bad. Really bad. There is no other explanation ;)

Edited by AutID

Share this post


Link to post
Share on other sites
AutID

This is what i tried so far with the cheat engine output of the first post and it doesn't work...

#RequireAdmin
#include <NomadMemory.au3>
Global $offset1 = 0xA8
Global $offset2 = 0x4
Global $offset3 = 0x1C
Global $offset4 = 0x34C
Global $offset5 = 0xD0
SetPrivilege("SetDebugPrivilege", 1)
$PID = WinGetProcess("window")
$Process = _MemoryOpen($PID)
$MM_dll = _MemoryModuleGetBaseAddress($PID, "MM.dll")
$read = _MemoryRead(Hex($MM_dll) + 0x00AB6884, $Process)
$r = _MemoryRead($read,$Process)
$r = _MemoryRead($r + $offset1,$Process)
$r = _MemoryRead($r + $offset2,$Process)
$r = _MemoryRead($r + $offset3,$Process)
$r = _MemoryRead($r + $offset4,$Process)
$r = _MemoryRead($r + $offset5,$Process)
ConsoleWrite($r & @LF)
_MemoryClose($Process)

Func _MemoryModuleGetBaseAddress($iPID, $sModule)
 If Not ProcessExists($iPID) Then Return SetError(1, 0, 0)
 If Not IsString($sModule) Then Return SetError(2, 0, 0)
 Local $PSAPI = DllOpen("psapi.dll")
 Local $hProcess
 Local $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020)
 If $iPID > 0 Then
  Local $hProcess = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $iPID)
  If $hProcess[0] Then
   $hProcess = $hProcess[0]
  EndIf
 EndIf
 Local $Modules = DllStructCreate("ptr[1024]")
 Local $aCall = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($Modules), "dword", DllStructGetSize($Modules), "dword*", 0)
 If $aCall[4] > 0 Then
  Local $iModnum = $aCall[4] / 4
  Local $aTemp
  For $i = 1 To $iModnum
   $aTemp = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", Ptr(DllStructGetData($Modules, 1, $i)), "wstr", "", "dword", 260)
   If $aTemp[3] = $sModule Then
    DllClose($PSAPI)
    Return Ptr(DllStructGetData($Modules, 1, $i))
   EndIf
  Next
 EndIf

 DllClose($PSAPI)
 Return SetError(-1, 0, 0)
 

EndFunc   ;==>_MemoryModuleGetBaseAddress

Share this post


Link to post
Share on other sites
water

"Does not work" is no very helpful. Do you get wrong results, error messages ...?

I suggest to add some error checking to your script. There are a lot of functions in your script that return an error value or set @error in case of a problem.


My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2018-12-03 - Version 1.4.11.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2018-10-31 - Version 1.3.4.1) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
PowerPoint (2017-06-06 - Version 0.0.5.0) - Download - General Help & Support
Excel - Example Scripts - Wiki
Word - Wiki
 
Tutorials:

ADO - Wiki

 

Share this post


Link to post
Share on other sites
water

Can you please always post the complete script you are testing with? So we know what to suggest next.


My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2018-12-03 - Version 1.4.11.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2018-10-31 - Version 1.3.4.1) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
PowerPoint (2017-06-06 - Version 0.0.5.0) - Download - General Help & Support
Excel - Example Scripts - Wiki
Word - Wiki
 
Tutorials:

ADO - Wiki

 

Share this post


Link to post
Share on other sites
AutID

#RequireAdmin
#include <NomadMemory.au3>
Global $offset1 = 0xA8
Global $offset2 = 0x4
Global $offset3 = 0x1C
Global $offset4 = 0x34C
Global $offset5 = 0xD0
SetPrivilege("SetDebugPrivilege", 1)
$PID = WinGetProcess("window")
If @error Then ConsoleWrite("Process get error: " & @error)
$Process = _MemoryOpen($PID)
If @error Then ConsoleWrite("Process open error: " & @error)
$MM_dll = _MemoryModuleGetBaseAddress($PID, "MM.dll")
If @error Then ConsoleWrite("MM_dll error: " & @error)
$read = _MemoryRead(Hex($MM_dll + 0x00AB6884, $Process)
If @error Then ConsoleWrite("Read error: " & @error)
$r = _MemoryRead($read,$Process)
If @error Then ConsoleWrite("r error: " & @error)
ConsoleWrite($r & @LF)
$r = _MemoryRead($r + $offset1,$Process)
$r = _MemoryRead($r + $offset2,$Process)
$r = _MemoryRead($r + $offset3,$Process)
$r = _MemoryRead($r + $offset4,$Process)
$r = _MemoryRead($r + $offset5,$Process)
ConsoleWrite($r & @LF)

_MemoryClose($Process)

Func _MemoryModuleGetBaseAddress($iPID, $sModule)
 If Not ProcessExists($iPID) Then Return SetError(1, 0, 0)
 If Not IsString($sModule) Then Return SetError(2, 0, 0)
 Local $PSAPI = DllOpen("psapi.dll")
 Local $hProcess
 Local $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020)
 If $iPID > 0 Then
  Local $hProcess = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $iPID)
  If $hProcess[0] Then
   $hProcess = $hProcess[0]
  EndIf
 EndIf
 Local $Modules = DllStructCreate("ptr[1024]")
 Local $aCall = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($Modules), "dword", DllStructGetSize($Modules), "dword*", 0)
 If $aCall[4] > 0 Then
  Local $iModnum = $aCall[4] / 4
  Local $aTemp
  For $i = 1 To $iModnum
   $aTemp = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", Ptr(DllStructGetData($Modules, 1, $i)), "wstr", "", "dword", 260)
   If $aTemp[3] = $sModule Then
    DllClose($PSAPI)
    Return Ptr(DllStructGetData($Modules, 1, $i))
   EndIf
  Next
 EndIf

 DllClose($PSAPI)
 Return SetError(-1, 0, 0)
 

EndFunc   ;==>_MemoryModuleGetBaseAddress

Share this post


Link to post
Share on other sites
AutID

As i am seeing the _MemoryModuleGetBaseAddress doesnt return the modules loaded with the process. Actually it returns an error -1.

Searching on the internet for some solutions i found another function from @monoceres, _ProcessGetLoadedModules($iPID)

Func _ProcessGetLoadedModules($iPID)
Local Const $PROCESS_QUERY_INFORMATION=0x0400
Local Const $PROCESS_VM_READ=0x0010
Local $aCall, $hPsapi=DllOpen("Psapi.dll")
Local $hProcess, $tModulesStruct
$tModulesStruct=DllStructCreate("hwnd [200]")
Local $SIZEOFHWND = DllStructGetSize($tModulesStruct)/200
$hProcess=_WinAPI_OpenProcess(BitOR($PROCESS_QUERY_INFORMATION,$PROCESS_VM_READ),False,$iPID)
If Not $hProcess Then Return SetError(1,0,-1)
$aCall=DllCall($hPsapi,"int","EnumProcessModules","ptr",$hProcess,"ptr",DllStructGetPtr($tModulesStruct),"dword",DllStructGetSize($tModulesStruct),"dword*","")
If $aCall[4]>DllStructGetSize($tModulesStruct) Then
$tModulesStruct=DllStructCreate("hwnd ["&$aCall[4]/$SIZEOFHWND&"]")
$aCall=DllCall($hPsapi,"int","EnumProcessModules","ptr",$hProcess,"ptr",DllStructGetPtr($tModulesStruct),"dword",$aCall[4],"dword*","")
EndIf
Local $aReturn[$aCall[4]/$SIZEOFHWND]
For $i=0 To Ubound($aReturn)-1

$aCall=DllCall($hPsapi,"dword","GetModuleFileNameExW","ptr",$hProcess,"ptr",DllStructGetData($tModulesStruct,1,$i+1),"wstr","","dword",65536)
$aReturn[$i]=$aCall[3]

Next
_WinAPI_CloseHandle($hProcess)
DllClose($hPsapi)
Return $aReturn
EndFunc
This function though doesnt returns the modules loaded with the proccess. It returns the ID of it.

Guys please if you have some free time give me a hand here.

Share this post


Link to post
Share on other sites
FireFox

If you want to get the modules of a process, use the WinAPI function EnumProcessModules.

Br, FireFox.


 

OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture toolIP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control

 

Share this post


Link to post
Share on other sites
AutID

If you want to get the modules of a process, use the WinAPI function EnumProcessModules.

Br, FireFox.

The function in post #14 does that but it returns error. Actually the winapi can open the process. I dont know why...

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×