wicked357 How do I cheat? Reputation: 0
Joined: 04 Jan 2011 Posts: 7
|
Posted: Mon Oct 16, 2017 7:42 pm Post subject: Problem with value after offsets |
|
|
Quick overview. I have been through all the forums I have managed to write this code that is getting the base module address (Copied that function and cleaned it up) and I have processed all the offsets to get the pointer address that CE shows. The final address is the same as CE shows for the actual value.
I tested this by statically typing the address in read and it gets the correct value, I then also statically type the address in the read after all the offset adding. The weird thing is I am getting a different value after all that. Can someone point me in the right direction?
To reiterate after the processing of offsets I get 26CBAD796E8 as the final address which matches CE. I thought something was wrong with that, but after statically typing it in afterwords, I realized something else is happening.
Here is my code: EDITED** Cleaned up for readability / comments and removed the awful 5 if block deep statements.
Code: |
#include "stdafx.h"
#include <windows.h>
#include <iostream>
#include <psapi.h>
// Forward declarations
void Exception(const char* message);
UINT64 GetModuleBase(const HANDLE& handle);
// 64-Bit memory read
int main()
{
// Set the defaults
UINT64 offsets[] = { 0x2C8, 0x740, 0x160, 0x100, 0x28 };
HANDLE handle = NULL;
try {
// Find the window
HWND myapp= FindWindow(NULL, L"My App");
if ( ! myapp) {
Exception("Failed to find the window.");
}
// Get the Process ID
DWORD pid = NULL;
GetWindowThreadProcessId(myapp, &pid);
if ( ! pid) {
Exception("Failed getting the process ID.");
}
// Get the process handle
handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if ( ! handle) {
Exception("Failed to get the process handle.");
}
// Before reading stuff from memory
INT64 before = 0;
ReadProcessMemory(handle, (LPCVOID)0x28e839e26e8, &before, 4, NULL); // <--- Value is read as 1040 (which is correct)
std::cout << "Before Reading and combining offsets: " << before << std::endl;
// Combine the Module address and the base offset, then read the value of the combined
UINT64 baseOffset = 0x01092710;
UINT64 moduleAddress = GetModuleBase(handle);
UINT64 combinedAddress = (UINT64)moduleAddress + baseOffset;
ReadProcessMemory(handle, (LPCVOID)combinedAddress, &combinedAddress, sizeof(combinedAddress), NULL);
// Iterate through the offsets and add them to the combinedAddress (moduleAddress + baseOffset)
std::cout << "myapp.exe(" << std::hex << moduleAddress << ") + " << std::hex << baseOffset << " = " << std::hex << combinedAddress << std::endl;
int offsetCount = sizeof(offsets) / sizeof(UINT64);
for (int index = 0; index < offsetCount; index++) {
std::cout << "[" << std::hex << combinedAddress << "+" << std::hex << offsets[index] << "] -> ";
// Add the offset to the combinedAddress
combinedAddress = combinedAddress + offsets[index];
// If it isn't the last offset read the value from the combinedAddress otherwise the value of the last offset is the final address
if ((index + 1) != offsetCount) {
ReadProcessMemory(handle, (LPCVOID)combinedAddress, &combinedAddress, sizeof(combinedAddress), NULL);
}
std::cout << std::hex << combinedAddress << std::endl;
}
// Read the final address value
INT64 value = 0;
ReadProcessMemory(handle, (LPCVOID)0x28e839e26e8, &value, 4, NULL); // <--- Value is read as 410 (which is wrong, from the example first read at this address)
std::cout << std::hex << combinedAddress << " = " << value << std::endl;
}
catch (const std::exception& ex) {
// Output the exception message that is thrown
std::cout << "Exception Caught!" << ex.what() << std::endl;
}
CloseHandle(handle);
return 0;
}
// Helper method to throw an exception to save contant retyping std:: etc...
void Exception(const char* message)
{
throw std::exception(message);
}
// Helper method to get the 64-Bit module address using the handle
UINT64 GetModuleBase(const HANDLE& handle)
{
DWORD bytesRequired = NULL;
if ( ! EnumProcessModules(handle, NULL, 0, &bytesRequired)) {
Exception("Failed Enum Process Modules, 1st iteration.");
}
if ( ! bytesRequired) {
Exception("Failed to get bytesRequired.");
}
LPBYTE moduleArrayBytes = (LPBYTE)LocalAlloc(LPTR, bytesRequired);
if ( ! moduleArrayBytes) {
Exception("Failed to get moduleArrayBytes.");
}
unsigned int moduleCount;
moduleCount = bytesRequired / sizeof(HMODULE);
HMODULE *moduleArray = (HMODULE *)moduleArrayBytes;
if ( ! EnumProcessModules(handle, moduleArray, bytesRequired, &bytesRequired)) {
Exception("Failed Enum Process Modules, 2nd iteration.");
}
UINT64 baseAddress = (DWORD_PTR)moduleArray[0];
LocalFree(moduleArrayBytes);
return baseAddress;
}
|
My output in console looks like this:
Before Reading and combining offsets: 1040
myapp.exe(7ff693a60000) + 1092710 = 26c945113a0
[26c945113a0+2c8] -> 26c94511650
[26c94511650+740] -> 26cbaabc000
[26cbaabc000+160] -> 26cb8f36400
[26cb8f36400+100] -> 26cbad796c0
[26cbad796c0+28] -> 26cbad796e8
26cbad796e8 = 410
|
|