reading readprocessmemory

OK, so I am trying to read data from a game, but I get a very long number that does not match what I should be getting. I am not sure if I am entering the address wrong and getting values from another source, or if the return value is not an int. I understand that the address and offset are hex numbers, and the reasoning behind my code is from the documentation along with examples that I have seen, but the problem with that is that most examples of ReadProcessMemory are about hacking, which I am not trying to do; I just want to be able to read different kinds of data from the client.

   DWORD buff2;
   DWORD address = 0x0008E4C0;   // address found in the client (holds a pointer)
   DWORD offset  = 0x2FC;        // offset added to that pointer
   DWORD temp;
   SIZE_T _numread;              // ReadProcessMemory writes a SIZE_T here, not an unsigned long
   DWORD _hwnd_tmp;              // receives the process id that owns hGameWindow

   GetWindowThreadProcessId(hGameWindow, &_hwnd_tmp);
   // PROCESS_VM_READ | PROCESS_QUERY_INFORMATION would be enough for reading
   HANDLE _hwnd2 = OpenProcess(PROCESS_ALL_ACCESS, FALSE, _hwnd_tmp);
   if (_hwnd2 == NULL) {
       cout << "OpenProcess failed: " << GetLastError() << endl;
       return 1;
   }

   // First read: the pointer stored at address
   if (!ReadProcessMemory(_hwnd2, (LPCVOID)(uintptr_t)address, &temp, sizeof(temp), &_numread)
       || _numread != sizeof(temp)) {
       cout << "first read failed: " << GetLastError() << endl;
   }
   buff2 = temp + offset;
   // Second read: the value at pointer + offset
   if (!ReadProcessMemory(_hwnd2, (LPCVOID)(uintptr_t)buff2, &temp, sizeof(temp), &_numread)
       || _numread != sizeof(temp)) {
       cout << "second read failed: " << GetLastError() << endl;
   }
   cout << "read " << temp << endl;

   //Clean up
   CloseHandle(_hwnd2);
   system("PAUSE");
Your code looks fine at first glance; for reference, here's some code I used a year or so ago that functions just fine.

char getbytefromprocess(DWORD pid, uint64_t loc) {
  HANDLE pHandle;
  LPCVOID lpMem;
  SIZE_T totalRead = 0;   // ReadProcessMemory reports bytes read as SIZE_T

  pHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
  if (pHandle == NULL) {
    return '\0'; //do something with your error
  }

  lpMem = (LPCVOID)(uintptr_t)loc;

  char buf = '\0';
  // Read exactly one byte; keep '\0' if the read fails or comes back short
  if (!ReadProcessMemory(pHandle, lpMem, (LPVOID)(&buf), 1, &totalRead) || totalRead != 1) {
    buf = '\0'; //do something with your error
  }

  CloseHandle(pHandle);
  return buf;
}


One thing you may want to keep in mind is that in Windows the addresses are unlikely to stay static, so the address you're using may not function as you would expect. Back in the day I wrote a little class to get the offset of a program based on known bytes; you may have to do something similar to that (think Cheat Engine).
Yes, but even if the address changes after restarting, I still do not get the proper values when the client is still active.
Your response seems to agree with what I said, but perhaps you misunderstand.

This address, DWORD address= {0x0008E4C0};, is probably not going to stay the same if you close the other program and then open it. I don't remember what the term is, something like virtual memory space, but essentially your position in RAM is paged from a virtual space to actual RAM space, and that actual space can vary wildly between executions of your program. There may be a way to get the offset from an HWND or process handle, but I'm not familiar with it.
I understand what you are saying, but maybe I was not clear with what I was saying. Say I found the address that holds the number 10 in it, and I run the program; what couts is not 10. I know that address is 10 because I used Cheat Engine. Yes, the address changes when you restart the client, but at the time of finding the address it should remain 10, yet I do not get 10, I get a very different long number. My question is: am I reading the address properly or not? The third argument holds the value from ReadProcessMemory; do I have to convert it to something else?
If you're not getting the value that you know is at that point in RAM, then you're not reading it correctly.

What are you expecting? If you're expecting 10 but getting something completely different, you could be trying to read a value that is a different size. For instance, you're trying to read a short variable which has a value of 10 (00000000 00001010), but it reads 4 bytes instead of two (00000000 00001010 00010000 11111111); while the first two bytes are indeed 10, the value could be very different.

I don't know much about your situation, so it could be any number of things. But my first guess would be variable size, second guess would be bad memory location, third would be faulty code. If the first two are correct, modify my getcharfromprocess to return the variable size you would like (maybe make a templatized version), or ask me to do the same thing so you know you're using working code. I bet it is one of the first two though.
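An added example (not code from either poster) that makes the size-mismatch point and the templatized read concrete: a typed, length-checked read plus the two-step pointer chase from the question, run against a constructed byte array that stands in for the target process so it builds and runs anywhere. The fake read() only mirrors the shape of ReadProcessMemory (buffer, byte count, bytes actually read), and the address layout and values are made up.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed stand-in for the target process: a flat byte array indexed by
// "address"; read() mirrors ReadProcessMemory (buffer, count, bytes read).
struct FakeProcess {
    std::vector<uint8_t> mem;
    bool read(uintptr_t addr, void* dst, size_t n, size_t* bytes_read) const {
        if (addr + n > mem.size()) { *bytes_read = 0; return false; }
        std::memcpy(dst, &mem[addr], n);
        *bytes_read = n;
        return true;
    }
};

// Typed read: succeeds only if exactly sizeof(T) bytes came back.
template <typename T>
bool read_typed(const FakeProcess& p, uintptr_t addr, T& out) {
    size_t got = 0;
    return p.read(addr, &out, sizeof(T), &got) && got == sizeof(T);
}

// The two-step chase from the question: a 32-bit pointer stored at base,
// plus offset, gives the address of the value.
template <typename T>
bool read_chain(const FakeProcess& p, uintptr_t base, uintptr_t offset, T& out) {
    uint32_t ptr = 0;
    return read_typed(p, base, ptr) && read_typed(p, ptr + offset, out);
}

// Made-up memory image: pointer at 0x10 -> 0x40; at 0x40 + 0x4 the 16-bit
// value 10 followed by two unrelated bytes (0x10, 0xFF). Little-endian host.
FakeProcess make_sample() {
    FakeProcess p;
    p.mem.assign(0x60, 0);
    uint32_t target = 0x40;
    std::memcpy(&p.mem[0x10], &target, sizeof target);
    const uint8_t payload[] = {0x0A, 0x00, 0x10, 0xFF};
    std::memcpy(&p.mem[0x44], payload, sizeof payload);
    return p;
}

// Same location read as a short (10) and as a DWORD (0xFF10000A): the reply's point.
uint16_t sample_as_short() { uint16_t v = 0; read_chain(make_sample(), 0x10, 0x4, v); return v; }
uint32_t sample_as_dword() { uint32_t v = 0; read_chain(make_sample(), 0x10, 0x4, v); return v; }
bool sample_read_past_end() { uint32_t v = 0; return read_typed(make_sample(), 0x5E, v); }
```

Reading the same bytes as a DWORD pulls in the two trailing bytes and yields 4279238666 instead of 10, which is the "very different long number" symptom; the length check also catches a read that runs off the end of a region.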
