Cheat Engine

[snowboard789]

ok im not good with pointers and im not very familiar with cheat engine.

i find a string in the desired program and after playing with cheatengine i got something in the pointer scan that says:

address: 7FFDF018 offset 18, offset 18,offset 18,offset 30,points to (some hex address here)

and that hex address has the string im looking to read with c#.
ive changed the string and the hex address changed, but the pointer remained the same so this must be what im looking for right?

im completely lost with how to read the string from there.

IntPtr hProc = IntPtr.Zero;
Int32 dwBytesRead, Value;
int PROCESS_READ_ACCESS = (0x0010);
int iPID = AutoItX3Declarations.AU3_ProcessExists(snFname);
hProc = OpenProcess(PROCESS_READ_ACCESS, false, iPID); // iPID is your process id get it by your self using Process class
byte[] memory = new byte[6]; // can be more than 6 depends how many bytes you're interesting to read
ReadProcessMemory(hProc, (IntPtr)0x7FFDF018 /* your address */, out memory, memory.Length, out dwBytesRead);
Value = BitConverter.ToInt32(memory,0);

that doesn't work.

any ideas or example of how to read the string pointer's address value??

thank you

[NoMercy]

Use ReadProcessMemory() with the addr + offset + offset etc, there are a lot of examples.

The return value of ReadProcessMemory() is a void*, Blieve you can cast this

void* x;
RPM(..x);

char* string = (char*) x;

does that work?

[snowboard789]

(IntPtr)0x7FFDF018 + 0x12 + 0x12 + 0x12 + 0x12 + 0x82AD14

these are the numbers im getting with the pointer scan:
base address:7FFDF018 offset0:18,offset1:18,offset2:18,offset3:18,offset4:82AD14

address points to: 02A21D14 and here in this address is the string i want to read.

am i missing something?

when i try this code:
ReadProcessMemory(hProc, (IntPtr)0x7FFDF018 + 0x12 + 0x12 + 0x12 + 0x12 + 0x82AD14, out memory, memory.Length, out dwBytesRead);
memory var is null.

please help?

[atom0s]

If you are doing this in .NET you don't need OpenProcess. You can obtain a full accessible handle to the process by using the Process namespace.

http://msdn.microsoft.com/en-us/library/system.diagnostics.process.aspx

If you still want to use OpenProcess instead, be sure that you have proper permissions to obtain an 'all access' handle to the process you are attempting to open. If you don't have permissions to do so then it will fail which you should be checking the return value of OpenProcess anyway.

Set a breakpoint after your line:
hProc = OpenProcess(PROCESS_READ_ACCESS, false, iPID); // iPID is your process id get it by your self using Process class

And see what hProc is. If its NULL then either the process isn't running or you don't have permissions to obtain a full handle. If that's the case either set the proper token privileges or specifically pass what permissions you need to OpenProcess.

[snowboard789]

hi thanks but the hdproc is non Null.

this is what i have on cheatengine, can someone help me read the string in the addres this pointer points to in c#?

[FLiNG]

I don't know if you did it wrong or I just did it in the complex way, I always use ReadProcessMemory multiple times to read a multi-level pointer. Once for each level.

But I pretty sure you did it the wrong way, because there isn't just one pointer points straight to the address where contains the string.
The 1st pointer points to the 2nd pointer and then points to the 3rd pointer...etc, and the 5th pointer finally points to the address.

Here is an example how I read a 5th-level pointer:
baseaddress: 0x62A40948, offset0: 418, offset1: 7B8, offset2: 130, offset3: 4, offset4: F3 according to Cheat Engine.

[snowboard789]

first of all thank you very much for your code.

this is what i did to it:

IntPtr pHandle = pname.Handle; //Get the process handle
byte[] buffer = new byte[4];
byte[] bufferforstring = new byte[12];
int byteread;

//base address
int BaseAddress = 0x7FFDF018;

//read the 1st level pointer
ReadProcessMemory(pHandle, (IntPtr)BaseAddress, out buffer, 4, out byteread);
BaseAddress = BitConverter.ToInt32(buffer, 0) + 0x18; //Add offset 0

//read the 2nd level pointer
ReadProcessMemory(pHandle, (IntPtr)BaseAddress,out buffer, 4, out byteread);
BaseAddress = BitConverter.ToInt32(buffer, 0) + 0x18; //Add offset 1

//read the 3rd level pointer
ReadProcessMemory(pHandle, (IntPtr)BaseAddress,out buffer, 4, out byteread);
BaseAddress = BitConverter.ToInt32(buffer, 0) + 0x18; //Add offset 2

//read the 4th level pointer
ReadProcessMemory(pHandle, (IntPtr)BaseAddress,out buffer, 4, out byteread);
BaseAddress = BitConverter.ToInt32(buffer, 0) + 0x18; //Add offset 3

//read 5th level pointer
ReadProcessMemory(pHandle, (IntPtr)BaseAddress,out buffer, 4, out byteread);
//Add offset 4 and now you get the address where the pointer points to.
unchecked
{
BaseAddress = BitConverter.ToInt32(buffer, 0) + (int)0x827E3298;
}

//read the byte array for the string.
ReadProcessMemory(pHandle, (IntPtr)BaseAddress, out bufferforstring, 12, out byteread);

//Convert byte array to ASCII text string.
string thestring = System.Text.Encoding.ASCII.GetString(bufferforstring);

//Show and check if it is correct.
MessageBox.Show("The Address is : " + string.Format("{0:X}", BaseAddress) + "\n\nThe String is : " + thestring);

i had to put "out buffer" cause thats what readprocesmemory requires.
the problem is that after the function runs i get the error that buffer is not long enough. in the debugger buffer is truncated to 1 byte length when bytesread are 4 so the code fails. any ideas why this happens?
also cheat engine gives me the offset 4 to be very big which generates a "cannot convert long to int" error. i used unchecked code for now but this cant be right. clearly from other examples ive not seen an offset this big so maybe there is something wrong?

am i rgiht to translate offset0 (1 to 0x18 or am i doing stupid stuff?

hre is what i get from cheat engine exactly.

[FLiNG]

0x7FFD6000 + 0x827E3298 is too large for int32, but you can make BaseAddress an unsigned int (uint).
When an unsigned int32 exceed 0xFFFFFFFF, it goes back to 0x0000000 and start again, so you won't have the "cannot convert long to int" error.

So,
int BaseAddress = 0x7FFDF018;
change to:
uint BaseAddress = 0x7FFDF018;

BaseAddress = BitConverter.ToInt32(buffer, 0) + (int)0x827E3298;
change to
BaseAddress = BitConverter.ToUInt32(buffer, 0) + 0x827E3298;

all BitConverter.ToInt32(buffer, 0) change to BitConverter.ToUInt32(buffer, 0), and you don't have to use unchecked code anymore.

This is how it should look like

[snowboard789]

cool.

do you have any idea of why the readprocessmemory function reads 4 bytes but actually one byte is written to the buffer array, and then its length is 1 and this produces an error?

[Unbr0ken]

Seems to be that you have not found the correct pointer. Would be better and more specific if you try find the pointer with the function "Find out what writes to this address".

I say this because the pointer that you have found, points to three identical addresses. Look what i'm saying:



If you allow me, I would recommend find the correct pointer.

By the way, you should use my function to read a pointer string:

[snowboard789]

thanks,

yes it seems weird this pointer but, i cannot get it with what writes to this address cause when the value changes nothing is picked up by the debugger.

but everytime i launch the program always this pointer points to the specific string im looking for. its offsets change though.

[Unbr0ken]