7 replies to this topic

[Abystus]

So I've decided to try and port some functions I created to this library.  I am running into some issues converting a particular function shown below:

        public static IntPtr FindAddress(IntPtr StaticPointer, int[] Offsets)
        {
            try
            {
                byte[] tmp = new byte[4];
                IntPtr Address = BaseAddress + StaticPointer;
                foreach (int Offset in Offsets)
                {
                    ReadProcessMemory(WowGameHandle, Address, tmp, tmp.Length, 0);
                    Address = (IntPtr)BitConverter.ToInt32(tmp, 0) + Offset;
                    Array.Clear(tmp, 0, tmp.Length);
                }
                return Address;
            }
            catch (Exception ex) { return IntPtr.Zero; }
        }

That piece of code is used to resolve the correct address from pointers for several other functions which in-turn read/write, and works fine on it's own with no problems what so ever.  Now when I convert that to the following I get a few errors at run time about not being able to read 4 bytes from said address:

 

        public static IntPtr FindAddress(IntPtr StaticPointer, int[] Offsets)
        {
            try
            {
                IntPtr Address = MemSharp.Read<IntPtr>(StaticPointer); //From my understanding this is re-based, so no need for adding base address
                foreach (int Offset in Offsets)
                    Address = MemSharp.Read<IntPtr>(Address + Offset, false); //This should not be re-based because of 'false' flag
                return Address;
            }
            catch (Exception ex) { return IntPtr.Zero; }
        }

The said address is usually an invalid read which returns 0 + Offset which is not a valid address, and errors on the next read.  I'm unsure if the other method below is any different, or just an alternate way to do things but it also has the same issue:

        public static IntPtr FindAddress(IntPtr StaticPointer, int[] Offsets)
        {
            try
            {
                IntPtr Address = MemSharp[StaticPointer].Read<IntPtr>(); //From my understanding this is re-based, so no need for adding base address
                foreach (int Offset in Offsets)
                    Address = MemSharp[Address + Offset, false].Read<IntPtr>(); //This should not be re-based because of 'false' flag
                return Address;
            }
            catch (Exception ex) { return IntPtr.Zero; }
        }

I've searched and found these informative posts on stack overflow, but they did not seem to resolve my issue:

http://stackoverflow...ess-not-working

http://stackoverflow...urning-anything

 

MemSharp is definitely being set to the correct process id, as all of the processes information is listed on hover over of the variable during a break point:

 

 

 

I can already see the potential in making the switch (chose this over blackmagic and some others), but it's just getting these little things ironed out before I can actually commit .  Any help is appreciated in resolving the issue.

Edited by Abystus, 19 October 2013 - 08:51 AM.

[ZenLulz]

Hi Abystus and welcome on the board.

 

Your functions are correctly written and do the same work. I tested the first one with this code.

 

var staticAddress = IntPtr.Zero;

var offsets = new[] { 0x10 };


var finalAddress = FindAddress(staticAddress, offsets);


Console.WriteLine(MemSharp.ReadString(finalAddress, false));

           

Console.Read();

 

I altered the memory of my notepad++ to be like that.

 

 multi-level pointer.png   5.22KB   0 downloads

 

So, my static address is 0x400000, or 0x0 rebased. The value at this location is 0x400010, where I add an offset of 0x10, so the final destination is 0x400020. The function returns the value stored at this location, 0x400030. In my case, I perform a ReadString(...) on this address and I can read the string Hello!.

 

Be sure your address/offsets are right.

 

Cheers,

ZenLulz

[Abystus]

Well see the address and offsets work fine with the first function, and produce no errors at all, so I'd assume they should work with the new functions just fine.  I'll give it another look when I get a chance, but as far as I can tell everything is correct.  Thanks for taking a look into it.  Hopefully I'll get it figured out.  

Edited by Abystus, 19 October 2013 - 08:07 PM.

[ZenLulz]

I suggest to set up a breakpoint of this line :

 

Address = MemSharp.Read<IntPtr>(Address + Offset, false); //This should not be re-based because of 'false' flag

 

Thus, you can debug each time you are reading a new address and you will be able to detect the issue.

[Abystus]

I suggest to set up a breakpoint of this line :

 

Address = MemSharp.Read<IntPtr>(Address + Offset, false); //This should not be re-based because of 'false' flag

 

Thus, you can debug each time you are reading a new address and you will be able to detect the issue.

 

Well see the first function returns an address to read from, not a value at that address.  So say we have a pointer with 1 offset, then it would read the static pointer, then add the offset to that address and return meaning not reading the address + offset.  This function is designed just to return the pointers base address, not whats at that base address.  I've taken a look at the new code, and it appears I need to somehow make it through all the offsets without reading whats at the final one and instead return the address +final offset.  Not sure this makes sense, but coming from a non library depending setup I had to resolve the address of pointers before I could read them elsewhere, so that's why the function exists.  I am currently working with it to see if I can get that kind of functionality out of this, or if I even need to do this anymore due to how your library works.  Thanks for the quick responses!

 

Edit:

 

Looks like this works:

 

        public static IntPtr FindAddress(IntPtr StaticPointer, int[] Offsets)
        {
            try
            {
                IntPtr Address = BaseAddress + (int)StaticPointer; //Similar to before with the base + static pointer
                foreach (int Offset in Offsets)
                    Address = MemSharp.Read<IntPtr>(Address, false) + Offset; //This should not be re-based because of 'false' flag
                return Address;
            }
            catch (Exception ex) { return IntPtr.Zero; }
        }

Though, I feel there may be a simpler way to do that, but it should work for now.  If you have an suggestions on how to optimize that then it would be appreciated.

Edited by Abystus, 19 October 2013 - 08:36 PM.

[Abystus]

There is something odd though, I resolve the base address as 0x400000, but when looking at the base address in MemSharp, it shows it as 0x7FFDE000 (I was going to attempt to use MemSharp.Peb.BaseAddress).  Maybe this could possibly be the reason for the invalid reads before?  

 

 

        public static MemorySharp MemSharp;
        public static int SetProcessMemory
        {
            set
            {
                MemSharp = new MemorySharp(value); //Value is the processID
            }
        }

Edited by Abystus, 19 October 2013 - 09:02 PM.

[ZenLulz]

Ah yeah, I now understand the difference between the function with and without MemorySharp. In this case, I prefer not include the last offset in the array and use the functions you wrote for MemorySharp. I add the last offset directly into my code then.

 

If you want the same function you wrote but using MemorySharp, this one do the job.

public static IntPtr FindAddress2(IntPtr staticPointer, int[] offsets)
{
    try
    {
        // Read the static address
        var address = MemSharp.Read<IntPtr>(staticPointer);
        // Find the destination address by using the offsets but the last one
        for (var i = 0; i < offsets.Length - 1; i++)
        {
            address = MemSharp.Read<IntPtr>(address + offsets[i], false);
        }
        // Return the destination address with the lst offset
        return address + offsets[offsets.Length - 1];
    }
    catch (Exception) { return IntPtr.Zero; }
}

The address 0x7FFDE000 is the base address of the PEB (this is the name of the property where this value is shown). You can retrieve the base address of the application like that.

 

var baseAddress = MemSharp.Modules.MainModule.BaseAddress;

[Abystus]

Thanks for the example and break down. I think this should work well enough for me (still shorter than my original code that didn't use your library):

 

        public static IntPtr FindAddress(IntPtr StaticPointer, int[] Offsets)
        {
            try
            {
                IntPtr Address = MemSharp.Modules.MainModule.BaseAddress + (int)StaticPointer; //Working base address from MemSharp + Static Address
                foreach (int Offset in Offsets)
                    Address = MemSharp.Read<IntPtr>(Address, false) + Offset; //Read address and add each offset trailing
                return Address; //Return final address
            }
            catch (Exception ex) { return IntPtr.Zero; }
        }

 

Thanks for your quick responses and insight. I hope to see lots of updates for this very well laid out library. Keep up the great work!

Edited by Abystus, 19 October 2013 - 09:54 PM.