  1. #1
    bobsd

    please! Having trouble with memory reading/writing

    Been trying to update and fix some offsets for a project I've found, but I've never really seen this type of reading before.

    this.MyLevel = this.Mem.ReadInt(this.Mem.Pointer(this.mainModule, 24246038, 10, 28, 62, 9));

    I think I know that 24246038 = a signed 32-bit int, but what are the rest that come after it and before it? How does this differ from just using an offset?

    Please help!

  2. #2
    abuckau907
    This is all just assumptions w/o seeing the code for the 2 functions mentioned, but

    .ReadInt() looks to take 1 parameter which is an address (just a note)

    This means that .Pointer() returns an address for ReadInt() to read. (just a note)

    Code:
    this.Mem.Pointer(this.mainModule, 24246038, 10, 28, 62, 9)
    From experience it looks like this function is stepping through a list of pointers, and takes 2 things:
    1) the start address
    2) a list of offsets -- each offset has a corresponding pointer dereference associated with it

    It probably adds the first offset to the start addr and reads an addr from that memory location (i.e. dereferences the pointer - reads its value). It adds the next offset from the list and repeats this "dereference" for each offset in the list.

    order of operations:

    aa = ReadMemAddr(mainModule + 24246038)

    bb = ReadMemAddr(aa + 10)

    cc = ReadMemAddr(bb + 28)

    dd = ReadMemAddr(cc + 62)

    // could be 1 or the other, depending on YOUR specific pointer/offset list. Could be either.
    ee = ReadMemAddr(dd + 9) // dereference final one
    or
    ee = dd + 9 // no dereference

    ee is the address of the 'MyLevel' variable.

    edit: If the pointer list doesn't work any more, it's generally not just a matter of tweaking one of the numbers to find the right one. Easiest way would be to use CE's "PointerScan" function to find one for you.
    Last edited by abuckau907; 11-28-2013 at 04:58 AM.
    'Some things that can be counted, don't matter. And some things that matter, can't be counted' - A.E.
    --
     

    My posts have some inaccuracies/are wrong/wrong keyword(s) used.
    They're (maybe) pretty close, and I hope they helped you, not created confusion. Take with grain of salt.

    -if you give rep, please leave a comment, else it means less.


  4. #3
    bobsd
    Thanks, I've tried to use the method for some time by adding the address manually in my uce but it keeps ending up with values = ?????

    I know that private string mainModule = "PROCESS.exe";
    and private ProcessMemory Mem = new ProcessMemory("PROCESS");
    but that is about it.

    Here is the function.cs
    pastebin[dot]com[slash]8SKf95uA

    //mpgh is not letting me post links.
    Last edited by bobsd; 11-28-2013 at 08:35 AM.

  5. #4
    abuckau907
    public int Pointer(string Module, int pOffset, int pOffset2, int pOffset3, int pOffset4, int pOffset5)
    {
        // four nested reads; pOffset5 is added to the last result without another read
        return this.ReadInt(this.ReadInt(this.ReadInt(this.ReadInt(this.DllImageAddress(Module) + pOffset) + pOffset2) + pOffset3) + pOffset4) + pOffset5;
    }
    ^^not even going to talk about how it's all overloaded, but..

    I still think my previous comment was correct? Except I assumed mainModule was the addr of the beginning of the module, not the name of the module - one more step required : )

    moduleBase = DllImageAddress(mainModule) // looks up module.BaseAddress

    aa = ReadInt(moduleBase + 24246038)

    bb = ReadInt(aa + 10)

    cc = ReadInt(bb + 28)

    dd = ReadInt(cc + 62)

    // could be 1 or the other, depending on YOUR specific pointer/offset list. Could be either.
    ee = ReadInt(dd + 9) // dereference final one
    or
    ee = dd + 9 // no dereference
    If you don't understand every single line in the source code, that's a problem, and you should probably re-write your own memory library from scratch. Pointer list (and offsets) isn't exactly a hard concept - Read/Follow the addr until you arrive at the final location.

    edit: "Thanks, I've tried to use the method for some time by adding the address manually in my uce but keeps ending up with values = ?????"
    sounds like your pointer list is wrong. I think "?????" means the ram address isn't actually being used by the program and thus has no value.(?)
    Manually find where 'MyLevel' is stored and use PointerScan feature to find a pointer list to that location.
    Last edited by abuckau907; 11-28-2013 at 04:23 PM.

  7. #5
    bobsd
    So, to input them all into a program like cheat engine I would do this: prntscr[dot]com[slash]27cqrl ?

  8. #6
    abuckau907
    I'm not sure what you mean.

    (to include images inside your post try using [ img ] www dot address dot com / filename . jpg [/img] -remove the spaces)


    Um looks like your offset list is wrong? I'm not sure where you're getting them,
    but in the second step, [0AF90663+28698068] doesn't result in a valid addr. Which causes the next 4 pointers to be invalid as well.


    In this picture you're reading an addr directly from the beginning of the module.
    Underlined in red is the module base & size; base = 0x1A73000

    the first operation (I see in the picture) is
    [0x1A73000] -> 0AF90663
    and the second is
    [0AF90663+28698068]-> ?????

    but I thought we said

    aa = ReadInt(mainModuleBase + firstOffset)

    NOT

    aa = ReadInt(mainModuleBase)

    -I think instead of the bottom box containing module base (because CE is automatically trying to dereference it), you have to manually calculate yourself the moduleBase + 28698068, and put that in the first box (then fix the list of offsets). The rest of the pointers should display w/ valid addresses if that list actually exists.

    I'm not very familiar with CE, sry. Try using 1a7300+28698068 in the first box (and fixing offset list).
    (I couldn't tell you if a number shown in CE is hex or decimal unless it had a-f in it..)
    Last edited by abuckau907; 11-29-2013 at 12:43 AM.

  10. #7
    bobsd
    Nothing is really working :/ tried many combos and ways.

    so we have this currently : this.Mem.Pointer(this.mainModule, 24246038, 10, 28, 62, 9)
    I looked at past versions of the project and found that the only thing that is changing is this.Mem.Pointer(this.mainModule, [THIS], 10, 28, 62, 9)
    idk if that can help the issue.

    // was reading through it again.
    // this finds the base address of the process. correct?
    public int ImageAddress()
    {
        this.BaseAddress = 0;
        this.myProcessModule = this.MyProcess[0].MainModule;
        this.BaseAddress = (int) this.myProcessModule.BaseAddress;
        return this.BaseAddress;
    }

    // does this mean that it adds the base address to the 1st pOffset in the code? like (24246038+Base) ?
    public int ImageAddress(int pOffset)
    {
        this.BaseAddress = 0;
        this.myProcessModule = this.MyProcess[0].MainModule;
        this.BaseAddress = (int) this.myProcessModule.BaseAddress;
        return pOffset + this.BaseAddress;
    }
    Last edited by bobsd; 11-29-2013 at 10:16 AM.

  11. #8
    abuckau907
    possibly, but I'm not going to help you on a wild goose chase : ) ...re-write your own memory library and|or ask a specific question.

    edit: u edited your post- I'm out the door for work, will update later*

    edit:
    Quote Originally Posted by bobsd View Post
    ...
    // was reading through it again.
    // this finds the base address of the process. correct?
    public int ImageAddress()
    {
        this.BaseAddress = 0;
        this.myProcessModule = this.MyProcess[0].MainModule;
        this.BaseAddress = (int) this.myProcessModule.BaseAddress;
        return this.BaseAddress;
    }

    // does this mean that it adds the base address to the 1st pOffset in the code? like (24246038+Base) ?
    public int ImageAddress(int pOffset)
    {
        this.BaseAddress = 0;
        this.myProcessModule = this.MyProcess[0].MainModule;
        this.BaseAddress = (int) this.myProcessModule.BaseAddress;
        return pOffset + this.BaseAddress;
    }
    1. yes.
    2. yes.

    going back to answer your original question..
    this.MyLevel = this.Mem.ReadInt(this.Mem.Pointer(this.mainModule, 24246038, 10, 28, 62, 9));

    I think I know that 24246038 = a signed 32 bit int. but what are the rest that come after it and before it? How does this differ from just using an offset?
    the rest that comes after it (and it is itself) is a list of offsets, used to follow a pointer list.

    Code:
        public int Pointer(string Module, int pOffset, int pOffset2, int pOffset3, int pOffset4, int pOffset5)
        {
          return this.ReadInt(this.ReadInt(this.ReadInt(this.ReadInt(this.DllImageAddress(Module) + pOffset) + pOffset2) + pOffset3) + pOffset4) + pOffset5;
        }
    1)the innermost expression is:
    Code:
    this.ReadInt(this.DllImageAddress(Module) + pOffset)
    DllImageAddress(Module); returns the .BaseAddress of the module
    then add pOffset
    then call ReadInt()
    IE. ReadInt() gets passed the address (module.baseaddress + pOffset), and returns the value (an addr) it just read.

    2) next is
    Code:
    this.ReadInt(this.ReadInt(this.DllImageAddress(Module) + pOffset) + pOffset2)
    Simply calls this.ReadInt() on the addr obtained from step 1..

    3) next is
    Code:
    this.ReadInt(this.ReadInt(this.ReadInt(this.DllImageAddress(Module) + pOffset) + pOffset2) + pOffset3)
    Same as above. Calls .ReadInt(), but with the address obtained from step 2.

    4) next is
    Code:
    this.ReadInt(this.ReadInt(this.ReadInt(this.ReadInt(this.DllImageAddress(Module) + pOffset) + pOffset2) + pOffset3) + pOffset4)
    Same as above. Calls .ReadInt(), but with the address obtained from step 3.

    5) next is
    Code:
    + pOffset5;
    ^^So. Simply add pOffset5 to the value obtained in step 4. Do not Read() an address from this location: this is the final addr.

    pseudo code:
    aa = ReadInt(moduleBase + offset1)
    bb = ReadInt(aa + offset2)
    cc = ReadInt(bb + offset3)
    dd = ReadInt(cc + offset4)
    ee = dd + offset5
    --------------------------
    It's not much different from using a single offset: same process, repeated several times.
    Last edited by abuckau907; 11-29-2013 at 06:11 PM.

  13. #9
    bobsd
    You were right all along. Finally figured it out. Surprisingly you have to turn them all into hex (wasn't thinking that I would have to do that again for some reason).
    The base was actually : Process.exe (again, was thinking it would be different)
    Also had to change CE scanning process a different way

    Now I get how it all goes into play.

    Thank you again for all of your hard work to help me out!!
    Last edited by bobsd; 11-29-2013 at 10:30 PM.
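
Added example, not part of the original thread and not the project's ProcessMemory code: the pointer walk from post #8 run over a constructed, sparse memory image, with the two failure modes the thread hit (an unmapped hop shown as "?????", and decimal offsets typed into a field that reads hex). Only the offset list comes from the thread; MODULE_BASE, the region addresses and the value 42 are made up for the illustration, and the hex-field behaviour is assumed from post #9.

```python
import struct

class UnmappedAddress(Exception):
    """A hop landed outside every mapped region (the '?????' case)."""

def region(size, at, value):
    """Constructed sample data: `size` zero bytes with a 32-bit LE value at `at`."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, at, value)
    return bytes(buf)

def read_u32(regions, addr):
    """Stand-in for ReadInt(): read 4 little-endian bytes at addr."""
    for base, data in regions.items():
        if base <= addr and addr + 4 <= base + len(data):
            return struct.unpack_from("<I", data, addr - base)[0]
    raise UnmappedAddress(f"{addr:#x} is not mapped")

def resolve_chain(regions, module_base, offsets):
    """Read after every offset except the last, which is only added."""
    addr = module_base
    for hop, off in enumerate(offsets[:-1], start=1):
        try:
            addr = read_u32(regions, addr + off)
        except UnmappedAddress as exc:
            raise UnmappedAddress(f"hop {hop}: {exc}") from None
    return addr + offsets[-1]

def pasted_as_hex(offsets):
    """What a hex input field makes of decimal digits typed unchanged."""
    return [int(str(off), 16) for off in offsets]

# Offsets from the thread (decimal in the C# source); everything else is constructed.
OFFSETS = [24246038, 10, 28, 62, 9]
MODULE_BASE = 0x00400000
MEMORY = {
    MODULE_BASE + 24246038: region(4, 0, 0x10000000),
    0x10000000: region(0x80, 10, 0x20000000),
    0x20000000: region(0x80, 28, 0x30000000),
    0x30000000: region(0x80, 62, 0x40000000),
    0x40000000: region(0x80, 9, 42),  # constructed MyLevel value
}

if __name__ == "__main__":
    addr = resolve_chain(MEMORY, MODULE_BASE, OFFSETS)
    print(hex(addr), read_u32(MEMORY, addr))
    print([f"{off:X}" for off in OFFSETS])  # the same offsets written in hex
    try:
        resolve_chain(MEMORY, MODULE_BASE, pasted_as_hex(OFFSETS))
    except UnmappedAddress as exc:
        print("?????", exc)
```

Once one hop is unmapped, every later hop is meaningless, so the first failing hop is the one to check against the offset list.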
