onestcoder Posted May 10, 2006 Share Posted May 10, 2006 (edited) Ok I was wondering if for example: My "sampleprogram.exe" is running and I wanted to write a script the will reading it's memory and bring back it's values to me from certain address's. Here are the addresses (i used Tsearch) to find them) Address = 1929998 Address = 1C6F530 Address = 1929994 Address = 1C6F52C I want my script to read into the exe and give me the Values form these Addresses. Because I want to be able to write some If statements based of the Values in the addresses Can this be done useing AutoIt? If so were should I start looking for information? Edited May 11, 2006 by onestcoder Need a website: http://www.iconixmarketing.com Link to comment Share on other sites More sharing options...
Simucal Posted May 10, 2006 Share Posted May 10, 2006 You will want to look into w0uters memory functions:http://www.autoitscript.com/forum/index.php?showtopic=19329 AutoIt Scripts:Aimbot: Proof of Concept - PixelSearching Aimbot with several search/autoshoot/lock-on techniques.Sliding Toolbar - Add a nice Sliding Toolbar to your next script. Click the link to see an animation of it in action!FontInfo UDF - Get list of system fonts, or search to see if a particular font is installed.Get Extended Property UDF - Retrieve a files extended properties (e.g., video/image dimensions, file version, bitrate of song/video, etc) Link to comment Share on other sites More sharing options...
onestcoder Posted May 11, 2006 Author Share Posted May 11, 2006 (edited) Wow.... There is a sea of pages that talk about this. But non on them seem to form a complete thought about this. I see references to the Mem.dll which I found and downloaded and all that. I guess there is no simple way doing this. So here is what I don't understand. I need this code: for the functions expandcollapse popup#region _Mem() Func _MemOpen($i_Pid, $i_Access = 0x1F0FFF, $i_Inherit = 0) Local $av_Return[2] = [DllOpen('kernel32.dll') ] Local $ai_Handle = DllCall($av_Return[0], 'int', 'OpenProcess', 'int', $i_Access, 'int', $i_Inherit, 'int', $i_Pid) If @error Then DllClose($av_Return[0]) SetError(1) Return 0 EndIf $av_Return[1] = $ai_Handle[0] Return $av_Return EndFunc;==>_MemOpen Func _MemRead($ah_Mem, $i_Address, $i_Size = 0) If $i_Size = 0 Then Local $v_Return = '' Local $v_Struct = DllStructCreate('byte[1]') Local $v_Ret While 1 $v_Ret = DllCall($ah_Mem[0], 'int', 'ReadProcessMemory', 'int', $ah_Mem[1], 'int', $i_Address, 'ptr', DllStructGetPtr($v_Struct), 'int', 1, 'int', '') $v_Ret = DllStructGetData($v_Struct, 1) If $v_Ret = 0 Then ExitLoop $v_Return &= Chr($v_Ret) $i_Address += 1 WEnd Else Local $v_Struct = DllStructCreate('byte[' & $i_Size & ']') Local $v_Ret = DllCall($ah_Mem[0], 'int', 'ReadProcessMemory', 'int', $ah_Mem[1], 'int', $i_Address, 'ptr', DllStructGetPtr($v_Struct), 'int', $i_Size, 'int', '') Local $v_Return[$v_Ret[4]] For $i = 0 To $v_Ret[4] - 1 $v_Return[$i] = DllStructGetData($v_Struct, 1, $i + 1) Next EndIf Return $v_Return EndFunc;==>_MemRead Func _MemWrite($ah_Mem, $i_Address, $v_Inject) Local $av_Call = DllCall($ah_Mem[0], 'int', 'WriteProcessMemory', 'int', $ah_Mem[1], 'int', $i_Address, 'ptr', DllStructGetPtr($v_Inject), 'int', DllStructGetSize($v_Inject), 'int', '') Return $av_Call[0] EndFunc;==>_MemWrite Func _MemClose($ah_Mem) Local $av_Ret = DllCall($ah_Mem[0], 'int', 'CloseHandle', 'int', $ah_Mem[1]) DllClose($ah_Mem[0]) Return $av_Ret[0] EndFunc;==>_MemClose Func _MemCreate($1, $2 = 0, $3 = 0, $4 = 0, $5 = 0, $6 = 0, $7 = 0, $8 = 0, $9 = 0, $10 = 0, $11 = 0, $12 = 0, $13 = 0, $14 = 0, $15 = 0, _ $16 = 0, $17 = 0, $18 = 0, $19 = 0, $20 = 0, $21 = 0, $22 = 0, $23 = 0, $24 = 0, $25 = 0, $26 = 0, $27 = 0, $28 = 0, $29 = 0, _ $30 = 0, $31 = 0, $32 = 0, $33 = 0, $34 = 0, $35 = 0, $36 = 0, $37 = 0, $38 = 0, $39 = 0, $40 = 0, $41 = 0, $42 = 0, $43 = 0, _ $44 = 0, $45 = 0, $46 = 0, $47 = 0, $48 = 0, $49 = 0, $50 = 0, $51 = 0, $52 = 0, $53 = 0, $54 = 0, $55 = 0, $56 = 0, $57 = 0, _ $58 = 0, $59 = 0, $60 = 0, $61 = 0, $62 = 0, $63 = 0, $64 = 0, $65 = 0, $66 = 0, $67 = 0, $68 = 0, $69 = 0, $70 = 0, $71 = 0, _ $72 = 0, $73 = 0, $74 = 0, $75 = 0, $76 = 0, $77 = 0, $78 = 0, $79 = 0, $80 = 0, $81 = 0, $82 = 0, $83 = 0, $84 = 0, $85 = 0, _ $86 = 0, $87 = 0, $88 = 0, $89 = 0, $90 = 0, $91 = 0, $92 = 0, $93 = 0, $94 = 0, $95 = 0, $96 = 0, $97 = 0, $98 = 0, $99 = 0) If IsString($1) Then $1 = StringSplit($1, '') Local $v_Helper = DllStructCreate('byte[' & UBound($1) & ']') For $i = 1 To UBound($1) - 1 DllStructSetData($v_Helper, 1, Asc($1[$i]), $i) Next Else Local $v_Helper = DllStructCreate('byte[' & @NumParams & ']') For $i = 1 To @NumParams DllStructSetData($v_Helper, 1, Eval($i), $i) Next EndIf Return $v_Helper EndFunc;==>_MemCreate Func _MemRev($v_DWORD) If UBound($v_DWORD) = 4 Then Return '0x' & Hex($v_DWORD[3], 2) & Hex($v_DWORD[2], 2) & Hex($v_DWORD[1], 2) & Hex($v_DWORD[0], 2) Local $v_Ret[4] = ['0x' & StringMid(Hex($v_DWORD, 8), 7, 2), '0x' & StringMid(Hex($v_DWORD, 8), 5, 2), '0x' & StringMid(Hex($v_DWORD, 8), 3, 2), '0x' & StringMid(Hex($v_DWORD, 8), 1, 2) ] Return $v_Ret EndFunc;==>_MemRev Func _MemAlloc($ah_Mem, $i_Size, $i_Address = 0, $i_AT = 4096, $i_Protect = 0x40) Switch @OSVersion Case "WIN_ME", "WIN_98", "WIN_95" $av_Alloc = DllCall($ah_Mem[0], 'int', 'VirtualAlloc', 'int', $i_Address, 'int', $i_Size, 'int', BitOR($i_AT, 0x8000000), 'int', $i_Protect) Case Else $av_Alloc = DllCall($ah_Mem[0], 'int', 'VirtualAllocEx', 'int', $ah_Mem[1], 'int', $i_Address, 'int', $i_Size, 'int', $i_AT, 'int', $i_Protect) EndSwitch Return $av_Alloc[0] EndFunc;==>_MemAlloc Func _MemFree($ah_Mem, $i_Address) Switch @OSVersion Case "WIN_ME", "WIN_98", "WIN_95" $av_Free = DllCall($ah_Mem[0], 'int', 'VirtualFree', 'int', $i_Address, 'int', 0, 'int', 0x8000) Case Else $av_Free = DllCall($ah_Mem[0], 'int', 'VirtualFreeEx', 'int', $ah_Mem[1], 'int', $i_Address, 'int', 0, 'int', 0x8000) EndSwitch Return $av_Free[0] EndFunc;==>_MemFree Func _MemText($ah_Mem, $s_Text) Local $i_Size = StringLen($s_Text) + 1 Local $i_Addr = _MemAlloc($ah_Mem, $i_Size) _MemWrite($ah_Mem, $i_Addr, _MemCreate($s_Text)) Return $i_Addr EndFunc;==>_MemText #endregion Combined with: $Process = "sampleprogram.exe" $Pid = ProcessExists($Process) $h_open = _MemOpen($pid) $Read = _MemRead($h_open,0x1929998,4) MsgBox(0, "Test Box", "TEst: " & $Read[0]) _MemClose($h_open) I guess wha I need to see is a full script that does a memory read completed so I can see how all the knowlege from all the threads has come together to do what I need done. Thanks in advance Edited May 11, 2006 by onestcoder Need a website: http://www.iconixmarketing.com Link to comment Share on other sites More sharing options...
Simucal Posted May 11, 2006 Share Posted May 11, 2006 I dont see what the problem is? I gave you a link to w0uters memory functions. Identify the process, open its memory, read the addresses into a variable. AutoIt Scripts:Aimbot: Proof of Concept - PixelSearching Aimbot with several search/autoshoot/lock-on techniques.Sliding Toolbar - Add a nice Sliding Toolbar to your next script. Click the link to see an animation of it in action!FontInfo UDF - Get list of system fonts, or search to see if a particular font is installed.Get Extended Property UDF - Retrieve a files extended properties (e.g., video/image dimensions, file version, bitrate of song/video, etc) Link to comment Share on other sites More sharing options...
Sardith Posted May 11, 2006 Share Posted May 11, 2006 (edited) Try this, it worked in my case.. but that was text. $Process = "sampleprogram.exe" $Pid = ProcessExists($Process) $h_open = _MemOpen($pid) $Read = _MemRead($h_open,0x1929998) MsgBox(0, "Test Box", "Test: " & $Read) _MemClose($h_open) Edited May 11, 2006 by Sardith [font="Verdana"]Valik:Get it straight - I'm not here to say please, I'm here to help - if my help's not appreciated then lotsa luck, gentlemen.[/font] Link to comment Share on other sites More sharing options...
onestcoder Posted May 11, 2006 Author Share Posted May 11, 2006 WOOOOOT I got it to work GREAT!!!! here is my script, I used Explorer.exe as the example cuz everyone has that running if you want to test it out. expandcollapse popup#include <String.au3> $Process = "Explorer.exe" $Pid = ProcessExists($Process) $h_open = _MemOpen($Pid) $Read0 = _MemRead($h_open, 0x3E0028, 4) $Read1 = _MemRead($h_open, 0x31F25, 4) $Read2 = _MemRead($h_open, 0x32E4D, 4) MsgBox(0, "Test Box", "Test: " & _HexadecimalToDecimal($Read0) & @CRLF & "Test: " & _HexadecimalToDecimal($Read1) & @CRLF & "Test: " & _HexadecimalToDecimal($Read2)) _MemClose($h_open) #region _Mem() Func _MemOpen($i_Pid, $i_Access = 0x1F0FFF, $i_Inherit = 0) Local $av_Return[2] = [DllOpen('kernel32.dll') ] Local $ai_Handle = DllCall($av_Return[0], 'int', 'OpenProcess', 'int', $i_Access, 'int', $i_Inherit, 'int', $i_Pid) If @error Then DllClose($av_Return[0]) SetError(1) Return 0 EndIf $av_Return[1] = $ai_Handle[0] Return $av_Return EndFunc ;==>_MemOpen Func _MemRead($ah_Mem, $i_Address, $i_Size = 0) If $i_Size = 0 Then Local $v_Return = '' Local $v_Struct = DllStructCreate ('byte[1]') Local $v_Ret While 1 $v_Ret = DllCall($ah_Mem[0], 'int', 'ReadProcessMemory', 'int', $ah_Mem[1], 'int', $i_Address, 'ptr', DllStructGetPtr ($v_Struct), 'int', 1, 'int', '') $v_Ret = DllStructGetData ($v_Struct, 1) If $v_Ret = 0 Then ExitLoop $v_Return &= Chr($v_Ret) $i_Address += 1 WEnd Else Local $v_Struct = DllStructCreate ('byte[' & $i_Size & ']') Local $v_Ret = DllCall($ah_Mem[0], 'int', 'ReadProcessMemory', 'int', $ah_Mem[1], 'int', $i_Address, 'ptr', DllStructGetPtr ($v_Struct), 'int', $i_Size, 'int', '') Local $v_Return[$v_Ret[4]] For $i = 0 To $v_Ret[4] - 1 $v_Return[$i] = DllStructGetData ($v_Struct, 1, $i + 1) Next EndIf Return $v_Return EndFunc ;==>_MemRead Func _MemWrite($ah_Mem, $i_Address, $v_Inject) Local $av_Call = DllCall($ah_Mem[0], 'int', 'WriteProcessMemory', 'int', $ah_Mem[1], 'int', $i_Address, 'ptr', DllStructGetPtr ($v_Inject), 'int', DllStructGetSize ($v_Inject), 'int', '') Return $av_Call[0] EndFunc ;==>_MemWrite Func _MemClose($ah_Mem) Local $av_Ret = DllCall($ah_Mem[0], 'int', 'CloseHandle', 'int', $ah_Mem[1]) DllClose($ah_Mem[0]) Return $av_Ret[0] EndFunc ;==>_MemClose Func _MemCreate($1, $2 = 0, $3 = 0, $4 = 0, $5 = 0, $6 = 0, $7 = 0, $8 = 0, $9 = 0, $10 = 0, $11 = 0, $12 = 0, $13 = 0, $14 = 0, $15 = 0, _ $16 = 0, $17 = 0, $18 = 0, $19 = 0, $20 = 0, $21 = 0, $22 = 0, $23 = 0, $24 = 0, $25 = 0, $26 = 0, $27 = 0, $28 = 0, $29 = 0, _ $30 = 0, $31 = 0, $32 = 0, $33 = 0, $34 = 0, $35 = 0, $36 = 0, $37 = 0, $38 = 0, $39 = 0, $40 = 0, $41 = 0, $42 = 0, $43 = 0, _ $44 = 0, $45 = 0, $46 = 0, $47 = 0, $48 = 0, $49 = 0, $50 = 0, $51 = 0, $52 = 0, $53 = 0, $54 = 0, $55 = 0, $56 = 0, $57 = 0, _ $58 = 0, $59 = 0, $60 = 0, $61 = 0, $62 = 0, $63 = 0, $64 = 0, $65 = 0, $66 = 0, $67 = 0, $68 = 0, $69 = 0, $70 = 0, $71 = 0, _ $72 = 0, $73 = 0, $74 = 0, $75 = 0, $76 = 0, $77 = 0, $78 = 0, $79 = 0, $80 = 0, $81 = 0, $82 = 0, $83 = 0, $84 = 0, $85 = 0, _ $86 = 0, $87 = 0, $88 = 0, $89 = 0, $90 = 0, $91 = 0, $92 = 0, $93 = 0, $94 = 0, $95 = 0, $96 = 0, $97 = 0, $98 = 0, $99 = 0) If IsString($1) Then $1 = StringSplit($1, '') Local $v_Helper = DllStructCreate ('byte[' & UBound($1) & ']') For $i = 1 To UBound($1) - 1 DllStructSetData ($v_Helper, 1, Asc($1[$i]), $i) Next Else Local $v_Helper = DllStructCreate ('byte[' & @NumParams & ']') For $i = 1 To @NumParams DllStructSetData ($v_Helper, 1, Eval($i), $i) Next EndIf Return $v_Helper EndFunc ;==>_MemCreate Func _MemRev($v_DWORD) If UBound($v_DWORD) = 4 Then Return '0x' & Hex($v_DWORD[3], 2) & Hex($v_DWORD[2], 2) & Hex($v_DWORD[1], 2) & Hex($v_DWORD[0], 2) Local $v_Ret[4] = ['0x' & StringMid(Hex($v_DWORD, 8), 7, 2), '0x' & StringMid(Hex($v_DWORD, 8), 5, 2), '0x' & StringMid(Hex($v_DWORD, 8), 3, 2), '0x' & StringMid(Hex($v_DWORD, 8), 1, 2) ] Return $v_Ret EndFunc ;==>_MemRev Func _MemAlloc($ah_Mem, $i_Size, $i_Address = 0, $i_AT = 4096, $i_Protect = 0x40) Switch @OSVersion Case "WIN_ME", "WIN_98", "WIN_95" $av_Alloc = DllCall($ah_Mem[0], 'int', 'VirtualAlloc', 'int', $i_Address, 'int', $i_Size, 'int', BitOR($i_AT, 0x8000000), 'int', $i_Protect) Case Else $av_Alloc = DllCall($ah_Mem[0], 'int', 'VirtualAllocEx', 'int', $ah_Mem[1], 'int', $i_Address, 'int', $i_Size, 'int', $i_AT, 'int', $i_Protect) EndSwitch Return $av_Alloc[0] EndFunc ;==>_MemAlloc Func _MemFree($ah_Mem, $i_Address) Switch @OSVersion Case "WIN_ME", "WIN_98", "WIN_95" $av_Free = DllCall($ah_Mem[0], 'int', 'VirtualFree', 'int', $i_Address, 'int', 0, 'int', 0x8000) Case Else $av_Free = DllCall($ah_Mem[0], 'int', 'VirtualFreeEx', 'int', $ah_Mem[1], 'int', $i_Address, 'int', 0, 'int', 0x8000) EndSwitch Return $av_Free[0] EndFunc ;==>_MemFree Func _MemText($ah_Mem, $s_Text) Local $i_Size = StringLen($s_Text) + 1 Local $i_Addr = _MemAlloc($ah_Mem, $i_Size) _MemWrite($ah_Mem, $i_Addr, _MemCreate($s_Text)) Return $i_Addr EndFunc ;==>_MemText #endregion Func _HexadecimalToDecimal($var) $result = 0 $sum = 0 $power = 0 Do $currentDigit = StringRight(_MemRev($var), $power + 1) $currentDigit = StringLeft($currentDigit, 1) If $currentDigit = "A" Then $currentDigit = 10 ElseIf $currentDigit = "B" Then $currentDigit = 11 ElseIf $currentDigit = "C" Then $currentDigit = 12 ElseIf $currentDigit = "D" Then $currentDigit = 13 ElseIf $currentDigit = "E" Then $currentDigit = 14 ElseIf $currentDigit = "F" Then $currentDigit = 15 EndIf $result = $currentDigit * 16 ^ $power $power = $power + 1 $sum = $sum + $result Until $currentDigit = "x" Return $sum EndFunc ;==>_HexadecimalToDecimal Need a website: http://www.iconixmarketing.com Link to comment Share on other sites More sharing options...
Sardith Posted May 11, 2006 Share Posted May 11, 2006 Your welcome... [font="Verdana"]Valik:Get it straight - I'm not here to say please, I'm here to help - if my help's not appreciated then lotsa luck, gentlemen.[/font] Link to comment Share on other sites More sharing options...
onestcoder Posted May 13, 2006 Author Share Posted May 13, 2006 (edited) Your welcome... Thank you w0uter, Saradith & Simucal ^^ Edited May 13, 2006 by onestcoder Need a website: http://www.iconixmarketing.com Link to comment Share on other sites More sharing options...
onestcoder Posted May 16, 2006 Author Share Posted May 16, 2006 Bof wrote this as a way to add pointers to the memory read function. anyone know how to use it? Func _MemReadPointer($ah_Mem, $i_Address, $i_Offset, $i_Size = 4, $negative = 0) if $negative Then Local $v_pointer = _MemRead($ah_Mem, '0x' & Hex(_MemHelper(_MemRead($ah_Mem, $i_Address, 4)) - $i_Offset), $i_Size) Else Local $v_pointer = _MemRead($ah_Mem, '0x' & Hex(_MemHelper(_MemRead($ah_Mem, $i_Address, 4)) + $i_Offset), $i_Size) EndIf Return $v_pointer EndFunc;==>_MemReadPointer Need a website: http://www.iconixmarketing.com Link to comment Share on other sites More sharing options...
nfwu Posted May 16, 2006 Share Posted May 16, 2006 After looking over the function a few times, it looks like a way to get the value that a pointer in memory is pointing to. Let's say the pointer is at 0xE362 (A stupid value: I know: It's just an example) The data at 0xE362 has a value of 0xD28F, which is the memory address of some data. This function simplifies the process of having to manually look up 0xE362 first to get 0xD28F then look up 0xD28F. Instead, you just call the function with the pointer's address, 0xE362. I hope you understand. #) TwitterOut of date stuff:Scripts: Sudoku Solver | Webserver | 3D library (Pure AutoIt) | Wood's GadgetsUDFs: _WoodUniqueID() | _DialogEditIni() | _Console*() | _GetIPConfigData() | _URLEncode/Decode() Link to comment Share on other sites More sharing options...
onestcoder Posted May 16, 2006 Author Share Posted May 16, 2006 After looking over the function a few times, it looks like a way to get the value that a pointer in memory is pointing to.Let's say the pointer is at 0xE362 (A stupid value: I know: It's just an example)The data at 0xE362 has a value of 0xD28F, which is the memory address of some data.This function simplifies the process of having to manually look up 0xE362 first to get 0xD28F then look up 0xD28F.Instead, you just call the function with the pointer's address, 0xE362.I hope you understand.#)So istead of this:$Read0 = _MemRead($h_open, 0xD28F, 4) ; being the address you used in your exampleI can use$Read0 = _MemReadPointer($h_open, 0xE362, 4) ; using the offset instead? Need a website: http://www.iconixmarketing.com Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now