Jump to content
Sign in to follow this  
Demonic

Memory Scanning for a value

Recommended Posts

Demonic

So, I have a predicament.

For some values in a .exe I can find the Address and then a pointer offset to create a static address consistently used to read the memory of that part of the process.

However, some values I can not find a static address for, for whatever reason. As a result, I figured I would try and scan the memory values for that value in the addresses.

I attempted this code:

#Include <NomadMemory.au3>

HotKeySet("{ESC}", "_Exit")
HotKeySet("{NumPad0}", "_SearchToggle")

$AddressMin = 0x02000000    ; The range between which the variable is usually stored in memory
$AddressMax = 0x05000000

Const $iv_hWnd = "Process"
Const $iv_Process = "Process.exe"

Dim $iv_Pid = ProcessExists($iv_Process)    ; Opens the memory of the process by PID
Dim $iv_Memory = _MemoryOpen($iv_Pid)

$Searching = False
$Address = 0x05000000
$AddressFinal = 0

While 1

    
    If $Searching = True Then
        Dim $Value
        Dim $ValueWanted = 3455
        
        $Value = _MemoryRead($Address, $iv_Memory)
        ConsoleWrite("The Value at Memory Address: " & Hex($Address) & " is " & $Value & @CR)
        
        If $Value = $ValueWanted Then
            $Searching = False                              ; If found, records the address and ends the search
            $AddressFinal = $Address
        Else
            $Address -= 0x1                             ; Else checks the next address 0x1 lower then the previous
        EndIf
        
    EndIf
    
    If $AddressFinal > 0 Then
        Sleep(1000)
        $Value = _MemoryRead($AddressFinal, $iv_Memory)
        ConsoleWrite("The Value at Memory Address: " & Hex($AddressFinal) & " is " & $Value & @CR)
    EndIf
    
WEnd



Func _SearchToggle()
    If $Searching = False Then
        $Searching = True
    Else
        $Searching = False
    EndIf
EndFunc ;==> Toggles On or Off


Func _Exit()
    _MemoryClose($iv_Memory)
    Exit
EndFunc ;==> Close Memory & Exit

What this script essentially does:

- Searches for a value, in this case $ValueWanted in memory addresses

- Checks a memory address at the top of the range

- If the memory address holds that value, the search stops and the program starts constantly updating what that value is

Problems that I need you guys to assist me in addressing:

- Almost every time, there is more then one address that holds $ValueWanted, which means that I need a way to filter out which is correct and which is not. I could do this with an array after establishing which values hold the value I am searching for, changing the value manually and then rechecking to see which memory addresses hold the new value I want

This is inefficient however due to the speed at which the search occurs. It takes several seconds to search through just a mere 5000 addresses, and as there is millions, this is a huge issue.

I feel that the entire program will need rewritten to somehow find the value faster.

Notably, I read under the World of Warcraft Developement about Halu memory scanning for the addresses, however the code was so uncommented I could not understand at all.

Thanks if any help comes.

Share this post


Link to post
Share on other sites
Demonic

I suggest taking a look at the program from Spiro:

http://www.memoryhacking.com/

Great tool for mh. Maybe it can help you get some 'starting values', or offsets.

Thanks for the quick reply, however I do not believe that this will aid me much --

As I had said, I've already used a memory address-scanning program to find addresses and static offsets for some values. Some values, it seems however, cannot be found as a static address, which is why I am attempting to look into scanning through the addresses.

I will, however, look into this.

Thanks.

Edit:

I thought about it for a bit and the suggestion of that program made me wonder.

How does it check through over 7-million addresses in under a second to find out what they all are? Cause thats exactly what I need to do -- essentially a memory hacking program in my script.

Edited by Arakard

Share this post


Link to post
Share on other sites
Demonic

Edited script a bit.. still not there though.

Share this post


Link to post
Share on other sites
Intosia

How does it check through over 7-million addresses in under a second to find out what they all are? Cause thats exactly what I need to do -- essentially a memory hacking program in my script.

I bet my life that it uses assembler for that :mellow: You cant get that speed in high level language as AutoIt... You need C or C++ at most.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.