Solved Memory Addresses! :/

[Ollie]

Sorry for spamming my threads here, but I've got quite a lot of questions and this forums is pretty helpful so yeah.

I tried getting static memory address for "Spider Solitaire" game's score value.

I managed to find this pointer:
0xffdd5f78 + 0xE8 + 0x14, which points to my score perfectly fine, but it's not static.

When I check what accesses this pointer, I can find "mov rax,SpiderSolitaire.exe+000b5f78"?

So what is this SpiderSolitaire.exe doing there, and how can i turn that into a memory address?

 

[Rake]

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace RakeCSharp
{
    internal class RakeCSMem
    {
        [DllImport("kernel32.dll")]
        private static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);

        public static IntPtr FindDMAAddy(IntPtr hProc, IntPtr ptr, int[] offsets)
        {
            var buffer = new byte[IntPtr.Size];
            foreach (int i in offsets)
            {
                ReadProcessMemory(hProc, ptr, buffer, buffer.Length, out var read);

                ptr = (IntPtr.Size == 4)
                ? IntPtr.Add(new IntPtr(BitConverter.ToInt32(buffer, 0)), i)
                : ptr = IntPtr.Add(new IntPtr(BitConverter.ToInt64(buffer, 0)), i);
            }
            return ptr;
        }

        public static IntPtr GetModuleBaseAddress(Process proc, string modName)
        {
            IntPtr addr = IntPtr.Zero;

            foreach (ProcessModule m in proc.Modules)
            {
                if (m.ModuleName == modName)
                {
                        addr = m.BaseAddress;
                        break;
                }
            }
                return addr;
        }

        private static void Main(string[] args)
        {
            Process process;

            process = Process.GetProcessesByName("ac_client")[0];

            var hProc = OpenProcess(0x001F0FFF, false, process.Id);

            var modBase = GetModuleBaseAddress(process, "ac_client.exe");

            var addr = FindDMAAddy(hProc, (IntPtr)0x50f4f4, new int[] { 0x374, 0x14, 0 });

            Console.WriteLine("0x" + addr.ToString("X"));
        }
    }
}

 

[Crazywink]

SpiderSolitaire.exe is referring to the program's base address. Something along the lines of.. (If you're doing it in C#.)

System.Diagnostics.Process[] processes = System.Diagnostics.Process.GetProcessesByName("SpiderSolitaire"); 

int baseAddy = processes[0].MainModule.BaseAddress.ToInt32();

Will return the base address, from which you add the proceeding address and offsets.

Crazywink

 

[Ollie]

Ah sorry, I forgot to mention that i'm using C++.

 

[Ollie]

This is what I use when getting the base address using C++: (Thanks to Flyte from Cheat Engine Forums for this)

DWORD GetModuleBase(HANDLE hProc, string &sModuleName) 
{ 
   HMODULE *hModules; 
   char szBuf[50]; 
   DWORD cModules; 
   DWORD dwBase = -1; 
   //------ 

   EnumProcessModules(hProc, hModules, 0, &cModules); 
   hModules = new HMODULE[cModules/sizeof(HMODULE)]; 
    
   if(EnumProcessModules(hProc, hModules, cModules/sizeof(HMODULE), &cModules)) { 
      for(int i = 0; i < cModules/sizeof(HMODULE); i++) { 
         if(GetModuleBaseName(hProc, hModules[i], szBuf, sizeof(szBuf))) { 
            if(sModuleName.compare(szBuf) == 0) { 
               dwBase = (DWORD)hModules[i]; 
               break; 
            } 
         } 
      } 
   } 

   delete[] hModules; 

   return dwBase; 
}

To use:

GetModuleBase(hProc, string("spidersolitaire.exe"));

Thanks but GetModuleBase() always returns 0xFFFFFFFF for some reason.