ReadProcessMemory

Mar 5, 2013 at 2:55am
Hello, I am using "ReadProcessMemory" to view variables from other applications, but the problem is, the addresses change every time the other application is opened.
How do I find the correct address every time?
Mar 5, 2013 at 5:49am
There are a couple of ways to go about it, I'll tell you the ones I know:

1. Use a memory scanning tool to find out your address and then find the pointer + offset (OllyDbg, Cheat Engine, etc.)

Once you have found the pointer + offset, do this:

#include <windows.h>

unsigned long pointer = 0x123456; // arbitrary numbers
unsigned long offset = 0xEC; // arbitrary numbers

unsigned long address = pointer + offset;

int buffer = 0;                     // buffer to hold your value
SIZE_T buffersize = sizeof(buffer); // size of the buffer

// appHandle is the HANDLE returned by OpenProcess() with PROCESS_VM_READ access
ReadProcessMemory(appHandle, (LPCVOID)address, (LPVOID)&buffer, buffersize, NULL);

Declare a buffer to hold your value and the size of the buffer and that should be it.

The second method requires more work:

2. Read through every address (filtering out as necessary with VirtualQueryEx) until you hit the desired bytes.

So let's say your value in bytes is 01 02 03 04 05 06; just read the memory and repeat until you get these bytes. Also, there should be a range that you can filter; for example, the address should be within this memory region:

0x400000 - 0x600000

Just look at where the addresses you get are and you should be able to determine it.
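The two approaches in the reply above, written out as an added example that is not from the original thread or any of its posters. The Windows calls (ReadProcessMemory, VirtualQueryEx) are replaced by a constructed in-memory target so the logic compiles and runs anywhere; the region base 0x400000, the offsets, the stored value 1234 and the placement of the byte pattern are all assumptions chosen for the demo. The scan reads in chunks that overlap by pattern length minus one, so a pattern straddling a read boundary is still found, which a loop over non-overlapping windows would miss.

```c
/* Added example: portable stand-in for the two methods described above.
 * The target process is simulated by a constructed byte array; the reader
 * function mimics ReadProcessMemory's failure on an unmapped range. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "target": a single readable region at 0x400000 (assumption). */
#define REGION_BASE 0x400000UL
#define REGION_SIZE 0x100UL
static uint8_t g_target_memory[REGION_SIZE];

/* Stand-in for ReadProcessMemory. Returns 1 on success, 0 if any byte of
 * the requested range lies outside the readable region (the real call
 * fails the same way on unmapped pages). */
static int sim_read_memory(uintptr_t address, void *buffer, size_t size)
{
    if (address < REGION_BASE || size > REGION_SIZE ||
        address - REGION_BASE > REGION_SIZE - size)
        return 0;
    memcpy(buffer, g_target_memory + (address - REGION_BASE), size);
    return 1;
}

/* Method 1: the address is simply pointer + offset. */
uintptr_t resolve_address(uintptr_t pointer, uintptr_t offset)
{
    return pointer + offset;
}

/* Method 1, end to end: read a 32-bit value at pointer + offset. */
int read_value_at(uintptr_t pointer, uintptr_t offset, uint32_t *out)
{
    uint32_t buffer;
    if (!sim_read_memory(resolve_address(pointer, offset), &buffer, sizeof buffer))
        return 0;
    *out = buffer;
    return 1;
}

/* Method 2: scan [start, end) for a byte pattern, reading in fixed-size
 * chunks. Consecutive chunks overlap by pattern_len - 1 bytes so a match
 * that straddles a chunk boundary is not missed. Unreadable chunks are
 * skipped, which is what filtering with VirtualQueryEx achieves on Windows.
 * Returns the address of the first match, or 0 if none. */
uintptr_t scan_for_bytes(uintptr_t start, uintptr_t end,
                         const uint8_t *pattern, size_t pattern_len)
{
    enum { CHUNK = 64 };
    uint8_t chunk[CHUNK];
    if (pattern_len == 0 || pattern_len > CHUNK || start >= end)
        return 0;
    size_t stride = CHUNK - (pattern_len - 1);
    for (uintptr_t addr = start; addr < end && end - addr >= pattern_len; addr += stride) {
        size_t want = CHUNK;
        if (end - addr < want)
            want = (size_t)(end - addr);
        if (!sim_read_memory(addr, chunk, want))
            continue;
        for (size_t i = 0; i + pattern_len <= want; i++)
            if (memcmp(chunk + i, pattern, pattern_len) == 0)
                return addr + i;
    }
    return 0;
}

/* Fills the constructed target: the pattern 01..06 at offset 0x3D, placed
 * so it straddles the first 64-byte chunk, and the value 1234 at 0xEC. */
void setup_target(void)
{
    static const uint8_t pat[] = {1, 2, 3, 4, 5, 6};
    uint32_t value = 1234;
    memset(g_target_memory, 0, sizeof g_target_memory);
    memcpy(g_target_memory + 0x3D, pat, sizeof pat);
    memcpy(g_target_memory + 0xEC, &value, sizeof value);
}

int main(void)
{
    static const uint8_t pat[] = {1, 2, 3, 4, 5, 6};
    uint32_t value = 0;
    setup_target();
    if (read_value_at(REGION_BASE, 0xEC, &value))
        printf("method 1: value at 0x%lx + 0xEC = %u\n", REGION_BASE, (unsigned)value);
    printf("method 2: pattern found at 0x%lx\n",
           (unsigned long)scan_for_bytes(0x400000, 0x600000, pat, sizeof pat));
    return 0;
}
```

Against a real process, sim_read_memory would be replaced by ReadProcessMemory on a handle opened with PROCESS_VM_READ, and the scan range would come from walking regions with VirtualQueryEx instead of the hard-coded 0x400000 - 0x600000; the chunking and overlap logic stays the same.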
Mar 5, 2013 at 11:08am
You're not supposed to be able to find them.
http://en.wikipedia.org/wiki/ASLR#Microsoft_Windows

I love this bit, typical of system security under Windows.
ASLR in 32-bit Windows Vista may not be as robust as expected, and Microsoft has acknowledged a weakness in its implementation
Last edited on Mar 5, 2013 at 11:10am
Mar 5, 2013 at 4:31pm
Nybble, I am using cheat engine to find the address.
How do I find the pointer and offset?
Thanks.
Mar 5, 2013 at 11:03pm
Go through the Cheat Engine tutorial; it should be in your Cheat Engine folder. Double-click tutorial.exe.
Mar 5, 2013 at 11:39pm
@Nybble
Thanks, I'll check that out soon.
Mar 6, 2013 at 11:43pm
Nybble, I have the base pointer ("example.exe+01D3A1"). How do I pass that type of address?
Last edited on Mar 8, 2013 at 5:45am