  1. #1
    azertyhnbv's Avatar
    Join Date
    Sep 2012
    Gender
    male
    Posts
    7
    Reputation
    10
    Thanks
    0

    Question How to get all memory addresses (pointers) used by an application

    Hello,

    I've made a vb .NET program that is able to write a value to a memory address of a game. Random video showing what I'm doing:



    But to get that address I always need to use Cheat Engine. And now I'd like to make my program do it all itself.

    My idea was to get all memory addresses of a certain application, get their values and then look for the right value and so get the address.
    Here comes my question: How can I see which addresses are made by which application? (in Cheat Engine: you have to select the process you want to search in)

    Please also say if this is the right way to do this.

    Thanks in advance,
    Peter

  2. #2
    silentus's Avatar
    Join Date
    Feb 2012
    Gender
    male
    Location
    Nowhere town
    Posts
    54
    Reputation
    10
    Thanks
    578
    My Mood
    Cool
    In VB.NET? I made a thing like this, but forget about it... scanning whole memory will take lots of hours (if not days).
    I used 2 threads and 2 loops and it still was slow a f***, so for operations like this it's better to use some more low-level programming language (C++ for example).
    You could basically search for a pointer to this address (that would be static) or search for it if someone found it already, then just get the value from that pointer and add the offset to it (remember, it's HEX!).
    (PS: you can say you can use 30 loops and divide the memory into 30 parts, but it WON'T work (well, it will if you have a processor with 30 threads (cores)). Of course it won't give you any errors, but the threads won't all go at the same time, because the code will be put in a queue and wait till the previous operation is finished.)

  3. #3
    Pingo's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Posts
    687
    Reputation
    24
    Thanks
    865
    My Mood
    Blah
    @silentus
    You can scan an entire process just as fast as CE if you know how to code it in vb.
    @azertyhnbv
    I personally think Halo is a good place to start training games.
    It's been years since I touched Halo but it still stuck with me.

    Don't scan the memory for the value. You can just patch the instruction that writes to it.
    That way you won't need to scan for your ammo address for any normal type gun.
    The plasma guns have another instruction you need to patch.

    Let me know how you get on.

  4. #4
    azertyhnbv's Avatar
    Thanks for replying.

    Quote Originally Posted by Pingo View Post
    @silentus
    Don't scan the memory for the value. You can just patch the instruction that writes to it.
    That way you won't need to scan for your ammo address for any normal type gun.
    The plasma guns have another instruction you need to patch
    What do you mean by "You can just patch the instruction that writes to it."?

    Also, do you know if there is a statement for getting 1 address of an application? (fill in the process name and some more things and then get the address)

  5. #5
    Pingo's Avatar
    Do the CE built in tutorial and it should answer your question.
    You're basically getting the instructions that access your ammo address and replacing it with something else.
    In your case, you replace the instruction that decreases ammo with a NOP (No OPeration).
    So when you shoot any of your human weapons, your ammo never decreases.
    Same method for plasma weapons.

    Do the tutorial and you'll see. Halo is a simple game to master once you know the basics.

  6. #6
    atom0s's Avatar
    Join Date
    May 2013
    Gender
    male
    Posts
    403
    Reputation
    139
    Thanks
    104
    Use VirtualQueryEx to loop through the accessible pages in the process's memory. Then inside each page scan for the value(s) you need.

    In your case for what you want to do, you should look into:
    - Pointers
    - Signature scanning / pattern scanning / Array Of Bytes

    You can avoid the scanning altogether if you can find a valid pointer or a function you can hook / read the pointer from using a signature.

  7. #7
    master131's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Location
    Melbourne, Australia
    Posts
    8,858
    Reputation
    3438
    Thanks
    101,670
    My Mood
    Breezy
    Quote Originally Posted by silentus View Post
    In VB.NET? I made a thing like this, but forget about it... scanning whole memory will take lots of hours (if not days).
    I used 2 threads and 2 loops and it still was slow a f***, so for operations like this it's better to use some more low-level programming language (C++ for example).
    Quote Originally Posted by Pingo View Post
    @silentus
    You can scan an entire process just as fast as CE if you know how to code it in vb.
    https://www.mpgh.net/forum/33-visual-...editor-v*****ml

    Last edited by master131; 05-20-2013 at 11:34 PM.

  8. #8
    Pingo's Avatar
    @master131
    Yeah, I thought about linking him to your scanner but I think he's after code.
    Good scanner btw, worked fine for me.

  9. #9
    azertyhnbv's Avatar
    Thanks again for all the help.

    @master131
    Your application does something I want to do too: scan all memory used by an application.
    Did you make this in VB? And what statement did you use to get all memory addresses?

    @atom0s
    Is VirtualQueryEx what I need? I can only find 1 sample in vb.net (VB.NET - Reading a structure using a pointer) but I don't understand what they're doing and what they will get.
    It would be nice if I didn't have to scan, but how can I find a signature?

  10. #10
    Pingo's Avatar
    @azertyhnbv
    I already told you the easiest solution for this game.
    Besides, why would you want to scan the entire process when the address changes every time you die and there is an address for each weapon?

    Seems kind of overkill and pointless.
    These are the instructions that access human weapons
    [IMG]https://i203.photobucke*****m/albums/aa29/Baxter_esa/haloce_zps8b538880.png[/IMG]

    The one highlighted is the one you want to patch.
    Ideally you would want to write it as a byte array, but since it's only 4 bytes long, you can still do it as an integer like this.
    Not sure which memory class you're using but

    To Patch it
    WriteInteger("haloce", &H4C7616, &H90909090)

    To Unpatch it
    WriteInteger("haloce", &H4C7616, &H08468966)

    Once patched, your ammo will never decrease.
    haloce v1.09 latest
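
The defensive counterpart to the patch in the post above, as an added example that is not part of the thread: an integrity check that diffs a live snapshot of code against a trusted reference and flags NOP fills. The address and the two 32-bit values come from the post; the surrounding bytes, `find_patches` and `report` are constructed for illustration.

```python
"""Added example: find patched code by diffing a live snapshot against a
trusted reference copy of the same address range."""
from typing import List, NamedTuple

NOP = 0x90  # x86 single-byte no-operation opcode

class Patch(NamedTuple):
    address: int     # absolute address of the first changed byte
    original: bytes  # bytes in the trusted reference
    current: bytes   # bytes found in the live snapshot
    nop_fill: bool   # True when every replacement byte is a NOP

def find_patches(reference: bytes, live: bytes, base: int) -> List[Patch]:
    """Return one Patch per contiguous run of differing bytes."""
    if len(reference) != len(live):
        raise ValueError("snapshots must cover the same address range")
    patches: List[Patch] = []
    start = None
    for i in range(len(reference) + 1):        # +1 flushes a run at the end
        differs = i < len(reference) and reference[i] != live[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            cur = live[start:i]
            patches.append(Patch(base + start, reference[start:i], cur,
                                 all(b == NOP for b in cur)))
            start = None
    return patches

# Values taken from the post: target address and the two 32-bit integers.
# A 32-bit write on x86 is little-endian, so &H08468966 is bytes 66 89 46 08.
TARGET = 0x4C7616
ORIGINAL = (0x08468966).to_bytes(4, "little")
PATCHED = (0x90909090).to_bytes(4, "little")

# Constructed surrounding bytes (not taken from the game); the snapshot
# range starts 6 bytes before the target address.
BASE = TARGET - 6
REFERENCE = bytes.fromhex("558bec83ec08") + ORIGINAL + bytes.fromhex("5e5dc3")
LIVE = bytes.fromhex("558bec83ec08") + PATCHED + bytes.fromhex("5e5dc3")

def report(patches: List[Patch]) -> List[str]:
    """Format findings as log lines for an integrity monitor."""
    return [f"{p.address:#x}: {p.original.hex()} -> {p.current.hex()}"
            f"{' (NOP fill)' if p.nop_fill else ''}" for p in patches]

if __name__ == "__main__":
    for line in report(find_patches(REFERENCE, LIVE, BASE)):
        print(line)
```

A byte-wise diff only sees bytes that changed, so a replacement byte that happens to equal the original is not reported as part of the run.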

  11. #11
    azertyhnbv's Avatar
    This seems to be a very nice way to do it. I'm really short on time today and tomorrow, so I'll try it Friday or Saturday.

    I was asking for a way to scan the entire process because I want to make a similar program for another (online) game.
    I want to get my health (and automatically use potions if low), I can search the address with CE every time but I'm lazy and want my program to find it.
    There is no way I can stop my health from going down, so I really have to scan everything and find the right address.
    Is this right? Is this possible with VirtualQueryEx?

    Peter

  12. #12
    Pingo's Avatar
    You would use VirtualQueryEx for scanning the entire process but if this address is in a range of addresses, you can do it without.
    See how you get on; if you still need help, I'll throw some code at ya.

  13. #13
    atom0s's Avatar
    Quote Originally Posted by azertyhnbv View Post
    This seems to be a very nice way to do it. I'm really short on time today and tomorrow, so I'll try it Friday or Saturday.

    I was asking for a way to scan the entire process because I want to make a similar program for another (online) game.
    I want to get my health (and automatically use potions if low), I can search the address with CE every time but I'm lazy and want my program to find it.
    There is no way I can stop my health from going down, so I really have to scan everything and find the right address.
    Is this right? Is this possible with VirtualQueryEx?

    Peter
    VirtualQueryEx will help you with finding the memory pages inside the process that you can access without having exceptions thrown.
    Granted, you can use VirtualProtectEx to adjust the page protections on the pages you don't properly have access to as well.

    But you would loop the VirtualQueryEx call to step each page to obtain the page base address, size and protection. If the protection is valid for you to read it, you can dump it using ReadProcessMemory, then scan the memory dump for the value you are looking for and so on.
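
The loop described above, as an added example that is not part of the thread. It runs over a constructed address space: `fake_query` and `fake_read` are hypothetical stand-ins for VirtualQueryEx and ReadProcessMemory, and the region table and its contents are made up for the demonstration.

```python
"""Added example: VirtualQueryEx-style region walk over a constructed address space."""
from typing import Callable, Iterator, List, NamedTuple, Optional

# Constants from the Windows SDK header winnt.h.
MEM_COMMIT, MEM_FREE = 0x1000, 0x10000
PAGE_NOACCESS, PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_GUARD = 0x01, 0x04, 0x20, 0x100
READABLE = 0x02 | 0x04 | 0x08 | 0x20 | 0x40 | 0x80  # every PAGE_* value that allows reads

class Region(NamedTuple):  # subset of MEMORY_BASIC_INFORMATION
    base: int
    size: int
    state: int
    protect: int

def is_readable(r: Region) -> bool:
    """Committed, not a guard or no-access page, and readable."""
    if r.state != MEM_COMMIT or r.protect & (PAGE_GUARD | PAGE_NOACCESS):
        return False
    return bool(r.protect & READABLE)

def walk(query: Callable[[int], Optional[Region]], lo: int, hi: int) -> Iterator[Region]:
    """Yield regions from lo to hi; `query` stands in for VirtualQueryEx."""
    addr = lo
    while addr < hi:
        r = query(addr)
        if r is None or r.size == 0:    # failed query: stop instead of spinning
            return
        yield r
        addr = r.base + r.size          # next region starts where this one ends

def find_value(query, read, lo: int, hi: int, needle: bytes) -> List[int]:
    """Absolute addresses of `needle`; `read` stands in for ReadProcessMemory."""
    hits = []
    for r in walk(query, lo, hi):
        if not is_readable(r):
            continue                    # skip free, guard and no-access regions
        data = read(r.base, r.size)
        pos = data.find(needle)
        while pos != -1:
            hits.append(r.base + pos)   # find() offsets are 0-based
            pos = data.find(needle, pos + 1)
    return hits

# Constructed sample: four regions; the value 1337 stored as a 32-bit integer.
NEEDLE = (1337).to_bytes(4, "little")
REGIONS = [
    Region(0x10000, 0x1000, MEM_COMMIT, PAGE_READWRITE),
    Region(0x11000, 0x2000, MEM_FREE, PAGE_NOACCESS),
    Region(0x13000, 0x1000, MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD),
    Region(0x14000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ),
]
MEMORY = {  # base address -> constructed region contents
    0x10000: bytes(0x20) + NEEDLE + bytes(0xFDC),
    0x13000: NEEDLE + bytes(0xFFC),   # guard page: must be skipped
    0x14000: bytes(0xFFC) + NEEDLE}
def fake_query(addr: int) -> Optional[Region]:
    return next((r for r in REGIONS if r.base <= addr < r.base + r.size), None)
def fake_read(base: int, size: int) -> bytes:
    return MEMORY[base][:size]
```

Python integers do not overflow, so stepping past the last region needs no error handler; with fixed-width address variables the addition `base + size` can overflow at the top of the address space.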

  14. #14
    azertyhnbv's Avatar
    I've been searching for a nice example of VirtualQueryEx in vb.net; I only found 2 interesting ones: READ STRING FROM PROCESS and vb.net ReadProcessMemory and VirtualProtectEx example..

    To make things easier, let's search for a string in notepad.

    What I got from the first link:
    Code:
    Imports VB = Microsoft.VisualBasic
    Imports System.Runtime.InteropServices
    Public Class Form1
        Inherits System.Windows.Forms.Form
        Structure OSVERSIONINFO
            Dim dwOSVersionInfoSize As Integer
            Dim dwMajorVersion As Integer
            Dim dwMinorVersion As Integer
            Dim dwBuildNumber As Integer
            Dim dwPlatformId As Integer
            <VBFixedString(128)> Dim szCSDVersion As Char
        End Structure
        Structure MEMORY_BASIC_INFORMATION ' 28 bytes
            Dim BaseAddress As Integer
            Dim AllocationBase As Integer
            Dim AllocationProtect As Integer
            Dim RegionSize As Integer
            Dim State As Integer
            Dim Protect As Integer
            Dim lType As Integer
        End Structure
        Structure SYSTEM_INFO ' 36 Bytes
            Dim dwOemID As Integer
            Dim dwPageSize As Integer
            Dim lpMinimumApplicationAddress As Integer
            Dim lpMaximumApplicationAddress As Integer
            Dim dwActiveProcessorMask As Integer
            Dim dwNumberOrfProcessors As Integer
            Dim dwProcessorType As Integer
            Dim dwAllocationGranularity As Integer
            Dim wProcessorLevel As Short
            Dim wProcessorRevision As Short
        End Structure
    
        Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (ByRef LpVersionInformation As OSVERSIONINFO) As Integer
        Private Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpAddress As UInteger, ByRef lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Integer) As Integer
        'Private Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As Long, ByRef lpAddress As Long, ByRef lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Object
        'Private Declare Function VirtualQueryEx& Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long)
        Private Declare Sub GetSystemInfo Lib "kernel32" (ByRef lpSystemInfo As SYSTEM_INFO)
        Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal blnheritHandle As Integer, ByVal dwAppProcessId As Integer) As Integer
        Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Integer) As Integer
        Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByRef lpBaseAddress As Integer, ByRef lpBuffer As String, ByVal nSize As Integer, ByRef lpNumberOfBytesWritten As Integer) As Integer
        'Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByRef lpBaseAddress As integer, ByRef lpBuffer As string, ByVal nSize As Integer, ByRef lpNumberOfBytesWritten As Integer) As Integer
        Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByRef lpBaseAddress As Integer, ByRef lpBuffer As String, ByVal nSize As Integer, ByRef lpNumberOfBytesWritten As Integer) As Integer
        Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Integer, ByRef lpdwProcessId As Integer) As Integer
        Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As Integer, ByVal lpWindowName As Integer) As Integer
        Private Declare Function GetParent Lib "user32" (ByVal hWnd As Integer) As Integer
        Private Declare Function GetWindow Lib "user32" (ByVal hWnd As Integer, ByVal wCmd As Integer) As Integer
    
        Const GW_HWNDNEXT As Short = 2
        Const PROCESS_VM_READ As Short = (&H10)
        Const PROCESS_VM_WRITE As Short = (&H20)
        Const PROCESS_VM_OPERATION As Short = (&H8)
        Const PROCESS_QUERY_INFORMATION As Short = (&H400)
        Const PROCESS_READ_WRITE_QUERY As Integer = PROCESS_VM_READ + PROCESS_VM_WRITE + PROCESS_VM_OPERATION + PROCESS_QUERY_INFORMATION
        Public Const PROCESS_ALL_ACCESS As Integer = &H1F0FFF
        Const MEM_PRIVATE As Integer = &H20000
        Const MEM_COMMIT As Short = &H1000
    
        Private Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
            Dim pid As Integer, hProcess As Integer, hWin As Integer
            Dim lpMem As Integer, ret As Integer, lLenMBI As Integer
            Dim lWritten As Integer, CalcAddress As Integer, lPos As Integer
            Dim sBuffer As String = ""
            Dim sSearchString As String = ""
            Dim si As SYSTEM_INFO
            Dim mbi As MEMORY_BASIC_INFORMATION
    
    
            sSearchString = "34,56,23,74,69" 'THIS IS WHAT I NEED TO FOUND
    
            'Open process with required access
            hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, game_hwnd)
            lLenMBI = Len(mbi)
            'Determine applications memory addresses range
            GetSystemInfo(si)
            lpMem = si.lpMinimumApplicationAddress
            'Scan memory
            Do While lpMem < si.lpMaximumApplicationAddress
                mbi.RegionSize = 0
    
    
                ret = VirtualQueryEx(hProcess, lpMem, mbi, lLenMBI) 'HERE THE DEBUGGER STOPS WITH ERROR: "PInvoke restriction: cannot return variants."
                'FROM HERE I DON'T KNOW IF THE PROGRAM WORKS
    
                If ret = lLenMBI Then
                    If ((mbi.lType = MEM_PRIVATE) And (mbi.State = MEM_COMMIT)) Then ' this block is In use by this process
                        If mbi.RegionSize > 0 Then
                            sBuffer = StrDup(mbi.RegionSize, 0)
                            'Read region into string
                            ReadProcessMemory(hProcess, mbi.BaseAddress, sBuffer, mbi.RegionSize, lWritten)
                            'Check if region contain search string
                            lPos = InStr(1, sBuffer, sSearchString, CompareMethod.Text)
                            If lPos Then
                                CalcAddress = mbi.BaseAddress + lPos
                                ret = MsgBox("Search string was found at address " & CalcAddress)
                                Exit Do
                            End If
                        End If
                    End If
                    'Increase base address for next searching cicle. Last address may overhead max Long value (Windows use 2GB memory, which is near max long value), so add Error checking
                    On Error GoTo Finished
                    lpMem = mbi.BaseAddress + mbi.RegionSize
                    On Error GoTo 0
                Else
                    Exit Do
                End If
            Loop
    Finished:
            CloseHandle(hProcess)
        End Sub
    
    
        Public Function game_hwnd() As Long
            Dim procList() As Process = Process.GetProcesses()
            Dim iProcID As Integer
            For i As Integer = 0 To UBound(procList)
                Dim strProcName As String = procList(i).ProcessName
                If strProcName = "notepad" Then
                    iProcID = procList(i).Id
                    Exit For
                End If
            Next
            Return iProcID
        End Function
    
    End Class
    I took the first code the user posted, because I had no idea what he was doing in the second one.
    I changed the declaration of VirtualQueryEx, like someone said, and filled in strProcName = "notepad" . I didn't delete his annotations.
    This gave an error ("Argument 'Character' is not a valid value.") at sBuffer = StrDup(mbi.RegionSize, 0) . I have no idea what I should put there.

    I didn't do anything with the second link (I didn't understand what he was doing) but I put it in here because it's a release and looks useful.

    That's what I got for now, I hope someone knows how to do it.

  15. #15
    azertyhnbv's Avatar
    Can someone please give me a working example of code?
