ReadProcessMemory

Hello, I am using "ReadProcessMemory" to view variables from other applications, but the problem is, the addresses change every time the other application is opened.
How do I find the correct address every time?
There are a couple of ways to go about it; I'll tell you the ones I know:

1. Use a memory scanning tool to find out your address and then find the pointer + offset (OllyDbg, Cheat Engine, etc.)

Once you have found the pointer + offset, do this:

#include <windows.h>

// appHandle: HANDLE from OpenProcess() with PROCESS_VM_READ on the target
unsigned long pointer = 0x123456; // arbitrary numbers
unsigned long offset  = 0xEC;     // arbitrary numbers
unsigned long address = pointer + offset;

int buffer = 0;                     // receives the value read from the target
SIZE_T buffersize = sizeof(buffer);
SIZE_T bytesRead = 0;

ReadProcessMemory(appHandle, (LPCVOID)address, &buffer, buffersize, &bytesRead);


declare a buffer to hold your value and the size of the buffer and that should be it.

The second method requires more work:

2. Read through every address (filtering out as necessary with VirtualQueryEx) until you hit the desired bytes.

So let's say your value in bytes is 01 02 03 04 05 06: just read the memory and repeat until you get these bytes. Also, there should be a range that you can filter; for example, the address should be within this memory region:

0x400000 - 0x600000

Just look at where the addresses you get fall, and you should be able to determine it.
You're not supposed to be able to find them.
http://en.wikipedia.org/wiki/ASLR#Microsoft_Windows

I love this bit, typical of system security under Windows:
"ASLR in 32-bit Windows Vista may not be as robust as expected, and Microsoft has acknowledged a weakness in its implementation."
Nybble, I am using cheat engine to find the address.
How do I find the pointer and offset?
Thanks.
Go through the Cheat Engine tutorial; it should be in your Cheat Engine folder. Double-click tutorial.exe.
@Nybble
Thanks, I'll check that out soon.
Nybble, I have the base pointer ("example.exe+01D3A1"). How do I pass that type of address?
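The "module+offset" expression in the last question is what survives ASLR: the offset is fixed, only the module base moves. As an added example (not code from anyone in this thread), this parses such an expression, rebases it against a module base, and also implements Nybble's method 2 byte scan over a region. The module base (0x400000) and the memory region are constructed values; in a real tool the base would come from the target process via EnumProcessModules/GetModuleInformation or Module32First.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a Cheat Engine style "example.exe+01D3A1" string into the module
 * name and the hex offset. Returns 1 on success, 0 on malformed input. */
int parse_module_offset(const char *expr, char *mod, size_t modlen, uintptr_t *off)
{
    const char *plus = strchr(expr, '+');
    if (plus == NULL || plus == expr || (size_t)(plus - expr) >= modlen)
        return 0;
    memcpy(mod, expr, (size_t)(plus - expr));
    mod[plus - expr] = '\0';
    char *end = NULL;
    unsigned long long v = strtoull(plus + 1, &end, 16);
    if (end == plus + 1 || *end != '\0')   /* no hex digits, or trailing junk */
        return 0;
    *off = (uintptr_t)v;
    return 1;
}
/* The offset is fixed in the binary; ASLR only moves the module base, which has
 * to be read from the live process (on Windows: EnumProcessModules +
 * GetModuleInformation, or Module32First). It is a constructed value here. */
uintptr_t rebase(uintptr_t module_base, uintptr_t off)
{
    return module_base + off;
}
/* Nybble's method 2: scan a region already copied out of the target with
 * ReadProcessMemory for a byte sequence. Returns the match index or -1. */
long find_pattern(const unsigned char *buf, size_t len, const unsigned char *pat, size_t n)
{
    if (n == 0 || n > len)
        return -1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, pat, n) == 0)
            return (long)i;
    return -1;
}
int main(void)
{
    char mod[64]; uintptr_t off;
    unsigned char region[] = {0, 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 0}; /* constructed */
    unsigned char pat[] = {1, 2, 3, 4, 5, 6};   /* the thread's 01 02 03 04 05 06 */
    if (parse_module_offset("example.exe+01D3A1", mod, sizeof mod, &off))
        printf("%s -> 0x%lX\n", mod, (unsigned long)rebase(0x400000, off));
    printf("pattern at index %ld\n", find_pattern(region, sizeof region, pat, sizeof pat));
    return 0;
}
```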