7 replies to this topic

[Zac]

Hello!

Not sure if this belongs here... but I thought I would post anyways.

Been looking at MemorySharp and am trying to read a value from a game. The only problem is I am not sure if I am doing this correctly...
 

private void button1_Click(object sender, EventArgs e)

        {

            using (var memory = new MemorySharp(ApplicationFinder.FromProcessName("LolClient").First()))

            {

                var myValue = memory.Read<IntPtr>(memory["Adobe AIR.dll"].Read<IntPtr>(0x012FA3D4) + 0x168 + 0x9c + 0x6c + 0x3f0 + 0x2a0, false);

                label1.Text = Convert.ToString(myValue);

            }

        }

 

So the pointer is "Adobe AIR.dll"+0x012FA3D4 and the offsets are 0x168 + 0x9c + 0x6c + 0x3f0 + 0x2a0, but when I try this it always returns 0....
Did i structure it wrong or am I simply not doing this correctly?

Thanks..
 

Edited by Zac, 10 March 2014 - 09:32 AM.

[ZenLulz]

Hello Zac and welcome to the board,
 
Yes, you posted at the correct place !
 
In order to read a multiple level pointer, you need to read each offset separately. Also, I recommend you to store the MemorySharp instance somewhere else than in the function body.
Here is an example of reading a string using an array of offsets.
 

public class LolMemory : IDisposable

{

    private readonly MemorySharp _mem;

    public LolMemory()

    {

        _mem = new MemorySharp(ApplicationFinder.FromProcessName("notepad++").First());

    }

    public string Value

    {

        get

        {

            var ptr = _mem.Read<IntPtr>(new IntPtr(0x4f6000), false);

            var offsets = new[] { 0x10 };

            foreach (var offset in offsets)

            {

                ptr = _mem[ptr + offset, false].Read<IntPtr>(); // false is here to avoid rebasing

            }

            return _mem.ReadString(ptr, false, 10);

        }

    }

    public void Dispose()

    {

        _mem.Dispose();

    }

}

 
The key point is the foreach, that enumerates all the offsets and read the its content. Custom the sample as you wish.
 
Happy reversing with your LoL bot.
 
EDIT: This Stackoverflow posts can be useful for you: MemorySharp setting offset to an address not working
 
Best,
ZenLulz

Edited by ZenLulz, 10 March 2014 - 02:43 PM.
Stackoverflow link added

[Zac]

Thanks for the quick reply!, Not home at the moment but just looking at that I have a few questions,

My base pointer is  "Adobe AIR.dll"+0x012FA3D4 so how would I go about using that with the code above? 

[ZenLulz]

In your case, you have to assign the variable ptr with this ling, extracted from your first post.

 

var ptr = memory["Adobe AIR.dll"].Read<IntPtr>(0x012FA3D4);

 

If it's doesn't work, try to set a breakpoint and analyse how the memory is read.

 

Best,

ZenLulz

[Zac]

In your case, you have to assign the variable ptr with this ling, extracted from your first post.

 

var ptr = memory["Adobe AIR.dll"].Read<IntPtr>(0x012FA3D4);

 

If it's doesn't work, try to set a breakpoint and analyse how the memory is read.

 

Best,

ZenLulz

That worked! Thank you:)
Here is the finished bit below.
Also, How would I go about writing to that address now?

 public string Value
        {
            get
            {
                var ptr = _mem["Adobe AIR.dll"].Read<IntPtr>(0x012FA3D4);
                var offsets = new[] { 0x168, 0x9c, 0x6c, 0x3f0, 0x2a0 };
                foreach (var offset in offsets)
                {
                    ptr = _mem[ptr + offset, false].Read<IntPtr>();
                }
                return ptr.ToString();
            }
        }

Edited by Zac, 13 March 2014 - 09:11 PM.

[ZenLulz]

You can read to a pointer address using the Write methods in your MemorySharp instance.

 

Best,

ZenLulz

[Zac]

You can read to a pointer address using the Write methods in your MemorySharp instance.

 

Best,

ZenLulz

 

I assume you mean write to a pointer.. been playing around with it for a bit and can't get it working.
 

public class LolMemory2 : IDisposable
    {
        private readonly MemorySharp _mem;
        public LolMemory2()
        {
            _mem = new MemorySharp(ApplicationFinder.FromProcessName("LolClient").First());
        }
        public string Value
        {
            get
            {
                var ptr = _mem["Adobe AIR.dll"].Read<IntPtr>(0x012FA3D4);
                var offsets = new[] { 0x168, 0x9c, 0x6c, 0x3f0, 0x2a0 };
                foreach (var offset in offsets)
                {
                    ptr = _mem[ptr + offset, false].Read<IntPtr>();
                    
                }
                _mem[ptr].Write<Int32>(1);
                return null;
            }
        }
        public void Dispose()
        {
            _mem.Dispose();
        }
    }

Tried the above but clearly I am doing something wrong, on a side note is there a way to donate to you directly? I want to throw you a few $ when I get the chance for the help you have given me.

[ZenLulz]

Hey Zac,

 

Sorry for the delay. I was trying to reproduce your code on another process when I saw the issue.

 

In fact, the getter directly returns the content of the pointer and using the same approach, the setter tries to write your integer at the address of the content of the pointer. Your code writes the integer one step too far.

In order to fix that case, you should remove the last offset in your array and add it in the Write method.

 

Your class becomes:

 

public class LolMemory2 : IDisposable

    {

        private readonly MemorySharp _mem;

        private readonly int[] _offsets;

        public LolMemory2()

        {

            _mem = new MemorySharp(ApplicationFinder.FromProcessName("LolClient").First());

            _offsets = new[] { 0x168, 0x9c, 0x6c, 0x3f0 };

        }

        public string Value

        {

            get

            {

                var ptr = _mem["Adobe AIR.dll"].Read<IntPtr>(0x012FA3D4);

                foreach (var offset in _offsets)

                {

                    ptr = _mem[ptr + offset, false].Read<IntPtr>();

                }

                return _mem[ptr].ReadString(0x2a0);

            }

            set

            {

                var ptr = _mem["Adobe AIR.dll"].Read<IntPtr>(0x012FA3D4);

                foreach (var offset in _offsets)

                {

                    ptr = _mem[ptr + offset, false].Read<IntPtr>();

                }

                _mem[ptr].Write(0x2a0, value);

            }

        }

        public void Dispose()

        {

            _mem.Dispose();

        }

    }

 

I edited the getter according the array edition. Let me know if it's alright for you.

 

Edit: Any donation is greatly appreciated ! You can donate on PayPal here if you like my work. Thanks

 

Best,

ZenLulz

Edited by ZenLulz, 26 April 2014 - 04:59 PM.
Donation link