Cheat Engine Forum
5 bytes long pointer addresses

 
JMC17
How do I cheat?
Reputation: 0

Joined: 26 Nov 2015
Posts: 7

PostPosted: Thu Nov 26, 2015 8:30 am    Post subject: 5 bytes long pointer addresses

Edit: Sorry for the lack of information, I had everything set up nicely but this forum is not allowing me to post any links, images or anything that would help you understand my question.

I bought myself a G13 (sorry, can't post links yet apparently) a few weeks ago and I've been fiddling around with the LCD display.

I can read an address in memory and show it on the LCD interface using Barloggg's applet (same thing, I would give a link but I'm not allowed).

The problem is I keep finding pointers with 5-byte-long addresses, and when I limit the pointer scan to 00000000 - FFFFFFFF I just can't find a pointer that sticks.
(Apparently can't post images either)

Both Barloggg's applet and my own C# script fail to read the memory.
I can't speak for Barloggg's method, but in mine I use
Code:
// hProcess and lpBaseAddress are declared as int (32 bits): a 64-bit handle
// or address does not fit and gets truncated by the marshaler
[DllImport("kernel32.dll")]
static extern bool ReadProcessMemory(int hProcess,
    int lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
const int PROCESS_WM_READ = 0x0010;


Of course, using this code, the "0x01" in byte[]{0x01,0x53,0xD1,0xB5,0x80} gets truncated so I end up with byte[]{0x53,0xD1,0xB5,0x80} which points to the wrong address.

If I try to send a long address or an Int64, it fills the empty bytes with 00s, which reads from the wrong address.
(I assume because I get an access violation error: reading or writing to protected memory)
So for example instead of reading byte[]{0x80,0x4E,0xFB,0x50} it'll read byte[]{0x00,0x00,0x00,0x00,0x80,0x4E,0xFB,0x50} and produce the access violation error.
(Entering the address in CE sends me to the right address (804EFB50))

I'd post the code I'm running, but after a day of debugging it has become a huge mess.
It's just conversions; the data feedback I get is right before reading the memory and is done this way:
Code:
   Console.WriteLine("MemToolReading: " + BitConverter.ToString((BitConverter.GetBytes(address))));

The address in this case is an Int64 and is converted this way before being sent to be read:
Code:
byte[] bs = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x80, 0x4E, 0xFB, 0x50 };
Int64 zz = BitConverter.ToInt64(bs, 0);


I don't know what else to try; it feels like I have tried everything.
I could use other methods, like injecting and rerouting the ASM code into a code cave and exposing the register containing the address that holds the value,
but I was hoping for something quicker, since this is something I'll have to do on many games.

It's bugging the hell out of me. I want to know what I'm doing wrong; how the hell am I supposed to read a 5-byte address?
Is there a way to calculate the final address without having to read 5-byte addresses?


Last edited by JMC17 on Thu Nov 26, 2015 10:14 am; edited 1 time in total
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

PostPosted: Thu Nov 26, 2015 9:33 am

I'm not certain why you are coding an array of bytes and then converting it to a 64-bit integer...
Why aren't you simply writing:
Code:
Int64 zz = 0x804EFB50;

But that's beside the point. Your problem is that you're writing the value backwards.
0x804EFB50 is stored in memory as bytes: 0x50, 0xFB, 0x4E, 0x80

And 64-bit applications can use 64-bits to address memory.
So you should be reading 8 bytes in as the possible address.
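The two points in the reply above (pointers are stored little-endian, and a 64-bit target needs 8-byte pointer reads) as a worked example. This is added code, not from this thread and not Barloggg's or JMC17's tool: a Cheat Engine style pointer-path resolver that runs over a constructed in-memory image (all addresses below are made up), plus a Windows backend whose ctypes declarations keep the handle, the address and the byte count pointer-sized. Only the offline FakeMemory part is exercised here; Win32Memory assumes the real kernel32 OpenProcess/ReadProcessMemory signatures and is never instantiated off Windows.

```python
import ctypes
import struct
from typing import Dict, List, Optional

PTR_FMT_64 = "<Q"  # 8-byte little-endian pointer: what a 64-bit game stores
PTR_FMT_32 = "<I"  # 4-byte little-endian pointer: only valid for 32-bit targets


class FakeMemory:
    """Offline stand-in for ReadProcessMemory: address -> bytes chunks.
    Reads outside a chunk fail the way a real read of unmapped memory does."""

    def __init__(self, chunks: Dict[int, bytes]):
        self.chunks = chunks

    def read(self, address: int, size: int) -> bytes:
        for base, data in self.chunks.items():
            if base <= address and address + size <= base + len(data):
                return data[address - base:address - base + size]
        raise OSError(f"access violation: {size} bytes at {address:#x}")


class Win32Memory:
    """Real backend (Windows only, not exercised offline). Handle, address and
    byte count are declared pointer-sized, which is the fix the thread ends on:
    an int parameter silently drops the high 32 bits of a 64-bit address."""

    PROCESS_VM_READ = 0x0010  # the value the thread names PROCESS_WM_READ

    def __init__(self, pid: int):
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        k32.OpenProcess.restype = ctypes.c_void_p
        k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
        k32.ReadProcessMemory.restype = ctypes.c_int
        k32.ReadProcessMemory.argtypes = [
            ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
            ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
        self.k32 = k32
        self.handle = k32.OpenProcess(self.PROCESS_VM_READ, 0, pid)
        if not self.handle:
            raise OSError(f"OpenProcess failed: {ctypes.get_last_error()}")

    def read(self, address: int, size: int) -> bytes:
        buf = ctypes.create_string_buffer(size)
        got = ctypes.c_size_t(0)
        ok = self.k32.ReadProcessMemory(self.handle, ctypes.c_void_p(address),
                                        buf, size, ctypes.byref(got))
        if not ok or got.value != size:
            raise OSError(f"ReadProcessMemory failed at {address:#x}: "
                          f"{ctypes.get_last_error()}")
        return buf.raw


def read_ptr(mem, address: int, fmt: str = PTR_FMT_64) -> int:
    """Read one pointer. struct handles the byte order, so 50-FB-4E-80 in
    memory comes back as 0x804EFB50 with no manual Array.Reverse."""
    return struct.unpack(fmt, mem.read(address, struct.calcsize(fmt)))[0]


def resolve_pointer_path(mem, base: int, offsets: List[int],
                         fmt: str = PTR_FMT_64) -> int:
    """Cheat Engine style path [[[base]+o1]+o2]+o3: every level but the
    last is dereferenced; the last offset gives the value's address."""
    addr = read_ptr(mem, base, fmt)
    for off in offsets[:-1]:
        addr = read_ptr(mem, addr + off, fmt)
    return addr + offsets[-1] if offsets else addr


def safe_resolve(mem, base: int, offsets: List[int],
                 fmt: str = PTR_FMT_64) -> Optional[int]:
    """Same, but a failed read (the 'protected memory' error) yields None."""
    try:
        return resolve_pointer_path(mem, base, offsets, fmt)
    except OSError:
        return None


def read_u32(mem, address: int) -> int:
    return struct.unpack("<I", mem.read(address, 4))[0]


# Constructed memory image (addresses made up for this example). The first
# pointer, 0x0153D1B580, needs 5 significant bytes: exactly the kind of value
# that cannot pass through a 32-bit int parameter or a 00000000-FFFFFFFF scan.
BASE = 0x7FF6A0001234
MEM = FakeMemory({
    BASE: struct.pack("<Q", 0x0153D1B580),
    0x0153D1B580: b"\x00" * 0x10 + struct.pack("<Q", 0x0153D1C000),
    0x0153D1C000: b"\x00" * 0x20 + struct.pack("<I", 1337),
})
OFFSETS = [0x10, 0x20]

if __name__ == "__main__":
    final = resolve_pointer_path(MEM, BASE, OFFSETS)
    print(f"[[{BASE:#x}]+{OFFSETS[0]:#x}]+{OFFSETS[1]:#x} = {final:#x}, "
          f"value {read_u32(MEM, final)}")
    # Same path read as 4-byte pointers: the 0x01 byte is lost and the
    # second level dereferences an unmapped address.
    print("32-bit read of level 1:", hex(read_ptr(MEM, BASE, PTR_FMT_32)))
    print("32-bit resolve:", safe_resolve(MEM, BASE, OFFSETS, PTR_FMT_32))
```

Swapping FakeMemory for Win32Memory(pid) leaves the resolver untouched, which is the point: once the read primitive returns 8 bytes and struct unpacks them little-endian, no byte reversal and no Int64-from-byte-array conversion is needed anywhere else.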
JMC17

PostPosted: Thu Nov 26, 2015 10:01 am

It's been a long day; that's how I did it at first, but I changed it to possibly reverse the array.

I understand, I tried both in little endian and big endian:
Code:
Int64 hh = 0x804EFB50;
byte[] bs = BitConverter.GetBytes(hh);
Array.Reverse(bs);
Int64 zz = BitConverter.ToInt64(bs, 0);

(which reads "00-00-00-00-80-4E-FB-50")

and

Code:
Int64 hh = 0x804EFB50;
byte[] bs = BitConverter.GetBytes(hh);
//Array.Reverse(bs);
Int64 zz = BitConverter.ToInt64(bs, 0);

(which reads "50-FB-4E-80-00-00-00-00")


Quote:

And 64-bit applications can use 64-bits to address memory.
So you should be reading 8 bytes in as the possible address.


Do you mean this?
Code:
// lpBaseAddress widened to Int64; hProcess is still an int
[DllImport("kernel32.dll")]
static extern bool ReadProcessMemory(int hProcess,
    Int64 lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
const int PROCESS_WM_READ = 0x0010;


If so, that's what I'm using right now to read the 64-bit address.
Zanzer

PostPosted: Thu Nov 26, 2015 10:14 am

You will need to show how you are using ReadProcessMemory.

What I meant was, why aren't you simply using:
Code:
Int64 zz = 0x804EFB50;
ReadProcessMemory(hProcess, zz, lpBuffer, 8, lpNumberOfBytesRead);

Why are you trying to convert that address to an array of bytes and then back?
JMC17

PostPosted: Thu Nov 26, 2015 10:30 am

You're right, that's shorter and simple.

I'm using a simple DLL I wrote to read/write mem. I'll write down the relevant parts:



Code:
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

public class MemTool
{
    [DllImport("kernel32.dll")]
    static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    // hProcess is declared as int although OpenProcess returns an IntPtr;
    // lpBaseAddress is an Int64
    [DllImport("kernel32.dll")]
    static extern bool ReadProcessMemory(int hProcess,
        Int64 lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
    const int PROCESS_WM_READ = 0x0010;

    public static byte[] ReadMem(string processname, Int64 address, int size)
    {
        Process process;
        IntPtr processHandle;
        if (processname == Process.GetCurrentProcess().ProcessName)
        {
            process = Process.GetCurrentProcess();
            processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id);
            Console.WriteLine("Self");
        }
        else
        {
            process = Process.GetProcessesByName(processname)[0];
            processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id);
            Console.WriteLine("Other");
        }

        int bytesRead = 0;
        byte[] buffer = new byte[size];
        // the IntPtr handle is cast down to int to match the declaration above
        ReadProcessMemory((int)processHandle, address, buffer, buffer.Length, ref bytesRead);
        return buffer;
    }
}

and in my console app I fire it this way:
Code:
Int64 zz = 0x50FB4E80;
byte[] StepZ = MemTool.ReadMem("Fallout4", zz, 4);


I'm sorry for the silly variable names... I'm literally bashing my keyboard when entering var names at this point.
Zanzer

PostPosted: Thu Nov 26, 2015 10:38 am

Didn't notice before, but hProcess should be an IntPtr, not an int. You need to fix your declaration.
You should probably change lpBaseAddress to an IntPtr as well.
And I'm sure you're aware that addresses are dynamic, so 0x50FB4E80 will not always be correct.
JMC17

PostPosted: Thu Nov 26, 2015 11:35 am

Sweet, thanks! It's working great now.
I kept running into overflow issues until I built my projects in x64 only.

Quote:
And I'm sure you're aware that addresses are dynamic, so 0x50FB4E80 will not always be correct.

Of course! I was building up the pointer path when I started running into issues with the 64bit address. I'm hopeful those issues will be solved by using this approach.

This is the working code:

Code:
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

public class MemTool
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // 0x0010 is the PROCESS_VM_READ access right
    const int PROCESS_WM_READ = 0x0010;

    // handle, address and bytes-read are all pointer-sized now, so a 64-bit
    // address such as 0x0153D1B580 reaches the kernel intact
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern Int32 ReadProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        [In, Out] byte[] buffer,
        UInt32 size,
        out IntPtr lpNumberOfBytesRead
        );

    public static byte[] ReadMem(string processname, IntPtr address, uint size, out int bytesread)
    {
        Process process;
        IntPtr processHandle;
        if (processname == Process.GetCurrentProcess().ProcessName)
        {
            process = Process.GetCurrentProcess();
            processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id);
            Console.WriteLine("Self");
        }
        else
        {
            process = Process.GetProcessesByName(processname)[0];
            processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id);
            Console.WriteLine("Other");
        }

        byte[] buffer = new byte[size];
        IntPtr ptrbytesread;
        ReadProcessMemory(processHandle, address, buffer, size, out ptrbytesread);
        bytesread = ptrbytesread.ToInt32();
        CloseHandle(processHandle); // not in the original post, which leaked the handle on every call

        return buffer;
    }

    // Called from the console app below but not shown in the original post;
    // assumed here to be a plain hex dump of the buffer.
    public static string BytesToString(byte[] bytes)
    {
        return BitConverter.ToString(bytes);
    }
}

And you fire it this way
Code:
int br;
IntPtr zz = new IntPtr(0x804EFB50);
byte[] StepZ = MemTool.ReadMem("Fallout4", zz, 4, out br);
Console.WriteLine("FlagZ: " + MemTool.BytesToString(StepZ));
All times are GMT - 6 Hours