Cheat Engine

iPromise · Posted: Thu Jun 10, 2010 9:51 pm Post subject: Read string from an address

Hello pros..

usually to read 4 bytes from an address we do:

Slugsnack · Posted: Thu Jun 10, 2010 10:02 pm Post subject:

you can't just read it like that. you need to find out how long the string is then copy it i guess. but if you're just comparing values which is what i'm guessing you're doing then you don't need to copy it at all.

if you do want to copy it then keep reading till you find a null terminator then copy all the memory up to there. of course that's for ansi/ascii strings only. have fun with widechar/unicode.

btw to compare strings you don't need the sizes

Uzeil · Moderator Reputation: 6 Joined: 21 Oct 2006 Posts: 2411

Reading 4-byte example:

int hi = $badf00d;
could translate to

(\/ hi's memory address)
0x00555555 = 0x0badf00d

So doing [0x00555555] would give you 0x0badf00d

Reading string example

string hello = 'Wazzaaa';

could translate to
(\/ hello's memory address)
0x00666666 = 0x00777777
0x00777777 = 'W', 'a', 'z', 'z', 'a', 'a', 'a', 00

For reading a string from memory in a high-level language like C or C++ you'd probably need to have the variable point to 0x00666666. In ASM you'd usually point to 0x00777777.

In other words, your variable is stored in static memory somewhere, which then points to where the string starts in some allocated memory somewhere(unless the string is static and constant, then skip the first step, the string would be located at 0x00777777. Or originally static but can be changed, in which case the memory it originally points to is pre-allocated in the binary)

Then the address where the string starts is USUALLY the beginning of the string, then the string stops when what's reading the string hits a byte of 00. This is call a null-terminated string. Some strings aren't null-terminated strings, so you'd have to look at the string structure first to figure it out. Or, since most strings are null-terminated, just take the null-terminated-string route to figure it out then go from there.

(Generally, if it isn't null-terminated, it has it's length stored somewhere. I'm sure some site somewhere could give a run-down on all the different somewhat-common string storing formats)

Slugsnack · Posted: Fri Jun 11, 2010 3:45 am Post subject:

in your case even in c/c++ pointing to 0x00777777 would be just fine. that would be a direct pointer and what is used in the majority of cases. whereas 0x00666666 would be a pointer to a pointer to the string. this is unlikely though unless the string is a local one. in which case your 0x00666666 might be an address on the stack.

even in the case when a string is put in dynamically allocated memory, the new string would be pointed to by the returned address of malloc or whatever

Uzeil · Moderator Reputation: 6 Joined: 21 Oct 2006 Posts: 2411

Right, and for those dynamically allocated strings, the returned address from <x allocation function> would be stored in a pointer(0x00666666 in this case, and the returned address would've been 0x00777777).

Really, having 0x00666666 wouldn't be a pointer to a pointer, because what it's pointing to IS the beginning of the string. The only case where this isn't necessary is when the string is not going to change(or the compiler/programmer knows that this string, when it does change, will be bounded by a certain size. Like in oopascal if you declared a variable of String[5])

Slugsnack · Posted: Fri Jun 11, 2010 9:56 am Post subject:

i guess it all depends on how you word a definition of a 'pointer'. to me any address that 'points' to an object is a pointer. as in if we have a string starting 0x00777777, i would say 0x00777777 is a pointer to a string.

therefore if we have 0x00666666 which has as its value 0x00777777 then i would say 0x00666666 is a pointer to 0x00777777. following my above definition it becomes a pointer to a pointer. but of course it really does depend on your definition which i think is quite open to interpretation.

according to you 0x00666666 is not a pointer. well let's say we had this piece of code :

Uzeil · Moderator Reputation: 6 Joined: 21 Oct 2006 Posts: 2411

The last line: Correct, but you misunderstood -- I'm saying that 0x00666666 in my example is a pointer, and that 0x00777777 is just the location of data.

Similarly, in the 0x00555555 example, I wouldn't call it a "pointer" because it holds...

OH WAIT LOL you're right Very Happy

If we treat 'reference' and 'pointer' interchangeable, then you could say that even 0x005555555 is a pointer. If you think in object oriented terms: If you pass by reference then when you change the value of that variable, the change stays. This holds true for 0x00555555.

...I don't know what I was on when I was thinking of pointers so differently. Hell I just wrote an algorithm before my first response about that uses an "array of pointer" to be able to manipulate any type of array.

Then again, I wonder if passing an array of DWORD would still work with that...

Because if you're to modify a POINTER...

AHHH I'M MINDFUCKING MYSELF.

Ok a pointer should POINT to something, right? So why would something be a POINTer if it doesn't POINT to anything else, as what you instead do is just read the value of that address -- no pointing is being done.

Phew, changed my mind I was right all along. Where's Dark_Byte to dickslap us both and tell us how it is.

Flyte · Posted: Fri Jun 11, 2010 12:17 pm Post subject:

A pointer is just an address value. You don't call any other type by its memory address so why would you call a pointer type by its memory address. You both aren't wrong in this situation, just Slugsnack is more 'correct'.

In fact the only thing I see wrong with the conversation is that I'm getting the feeling Uzeil thinks an array and a pointer are the same thing. Though, that could be just his last post being a clusterfuck.

Edit: To answer OP, just use strcpy since you're already in the address space.

Slugsnack · Posted: Fri Jun 11, 2010 12:23 pm Post subject:

passing an array of DWORD and an array of 'pointers' is the same thing. to the computer it just sees 4 bytes. when you are saying it is typed as a pointer it is just that somewhere along the way you have told the compiler the type of the elements of the array is lpvoid or something. a type is purely syntactic construct. it's only semantic meaning is that it gives the compiler a different way of interpreting with that same element. for example a dword could be a lpchar or could be lpdword. it's value is the same. the only difference is how the compiler generates code that use associated with this data.

you've hit the nail bang on the head. i am using reference and pointer interchangeably although imo it is arguable and probably more down to preference whether you do that or not.

and a pointer must always point to SOMETHING at least. even if that is invalid memory. a pointer is just to say that you are treating the value as a 4 byte address of something. that something might be 0 or it might be the address of a string, it doesn't matter. in MY eyes i say that is a pointer regardless.

Flyte · Posted: Fri Jun 11, 2010 12:39 pm Post subject:

Slugsnack · Posted: Fri Jun 11, 2010 12:47 pm Post subject:

of course in real programming types have much meaning and in context are 100% needed. i don't know how better to explain what i'm trying to say. although my words may be slightly confusing i believe the intention of what i was saying is clear. my point is obviously fallacious if you were to be pedantic about it. after all types affects the semantics of the entire program.

i'm pretty shit at explaining these things succinctly but uhh yeah.. for the sake of this discussion it simplifies matters to describe it the way i have