AutoIT Example - Reading a value from memory

  1. #1 mechtn (Corporal)

    AutoIT Example - Reading a value from memory

    Hey everyone! Just wanted to share a code example here with everyone. Hope someone finds this helpful.

    The memory offsets will change over time as patches occur and new ones are found. So remember this will have to be changed as new offsets come out.

    This returns my Health % from 0-100.

    Code:
        #RequireAdmin                        ; reading another process needs an elevated token
        #include <NomadMemory2.au3>
        SetPrivilege("SetDebugPrivilege", 1) ; enable SeDebugPrivilege so OpenProcess succeeds on the game

        Global $PID
        Global $sModule = "MemoryMan.dll"    ; the pointer chain starts inside this module
        Global $StaticOffset
        Global $openmem

        $PID = ProcessExists("swtor.exe")

        If $PID = 0 Then
            MsgBox(4096, "Error", "SWTOR not running!", 3)
            Exit                             ; Return is only valid inside a function; use Exit at script level
        EndIf

        $openmem = _MemoryOpen($PID)
        If @error Then
            MsgBox(4096, "Error", "_MemoryOpen failed, error " & @error, 3)
            Exit
        EndIf

        ; static address = module base (changes on every launch because of ASLR) + fixed distance (changes with patches)
        $StaticOffset = Dec("27E8C")
        $baseADDR = _MemoryModuleGetBaseAddress($PID, $sModule)
        $finalADDR = "0x" & Hex($baseADDR + $StaticOffset)

        ; walk the pointer chain: each read yields the next pointer, the last read is the float itself
        $r = _MemoryRead($finalADDR, $openmem)
        $r = _MemoryRead($r + 0x798, $openmem)
        $r = _MemoryRead($r + 0x504, $openmem)
        $r = _MemoryRead($r + 0x14, $openmem)
        $r = _MemoryRead($r + 0x8, $openmem)
        $r = _MemoryRead($r + 0x40, $openmem, "float")

        ConsoleWrite("Pointer Value:" & $r & @CRLF)
        _MemoryClose($openmem)               ; release the process handle
    Last edited by mechtn; 01-18-2012 at 10:27 AM.
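
    The same base + static offset walk as the post above, written as an added example in Python rather than AutoIt (this is not mechtn's code and not part of NomadMemory). It assumes the post's module name, static offset 0x27E8C and the chain 0x798/0x504/0x14/0x8/0x40; the in-memory image it walks is constructed sample data, and the Win32ProcessMemory class is the real ReadProcessMemory backend you would swap in on Windows. The point it adds to the post is the check at every step: a read that fails or a pointer that is 0 stops the walk with None instead of carrying on and reading a few bytes past address 0.

```python
import struct
from typing import Dict, Optional

class ProcessMemory:
    """Minimal reader interface: read(address, size) -> bytes, or None if unreadable."""

    def read(self, address: int, size: int) -> Optional[bytes]:
        raise NotImplementedError

class FakeProcessMemory(ProcessMemory):
    """Constructed stand-in for the target process: {region_base: bytearray} (sample data)."""

    def __init__(self, regions: Dict[int, bytearray]):
        self.regions = regions

    def read(self, address: int, size: int) -> Optional[bytes]:
        for base, data in self.regions.items():
            if base <= address and address + size <= base + len(data):
                off = address - base
                return bytes(data[off:off + size])
        return None  # unmapped page: what a failed ReadProcessMemory looks like

class Win32ProcessMemory(ProcessMemory):
    """Real backend: kernel32 OpenProcess + ReadProcessMemory (Windows only, not exercised here)."""

    PROCESS_VM_READ = 0x0010
    PROCESS_QUERY_INFORMATION = 0x0400  # the only two rights a reader needs; no VM_WRITE

    def __init__(self, pid: int):
        import ctypes
        from ctypes import wintypes
        self._ct = ctypes
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        k32.OpenProcess.restype = wintypes.HANDLE
        k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
        k32.ReadProcessMemory.restype = wintypes.BOOL
        k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                          ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
        self._k32 = k32
        # SeDebugPrivilege (elevated token) matters only if the target is another user's or protected.
        self._h = k32.OpenProcess(self.PROCESS_VM_READ | self.PROCESS_QUERY_INFORMATION, False, pid)
        if not self._h:
            raise OSError(ctypes.get_last_error(), "OpenProcess failed")

    def read(self, address: int, size: int) -> Optional[bytes]:
        buf = self._ct.create_string_buffer(size)
        got = self._ct.c_size_t(0)
        ok = self._k32.ReadProcessMemory(self._h, address, buf, size, self._ct.byref(got))
        return buf.raw if ok and got.value == size else None

def walk_pointer_chain(mem, start, offsets, ptr_size=4):
    """Read a pointer at start, add offsets[0], read a pointer there, add offsets[1], ...
    Returns the final address (its value is not read here), or None when a read fails or an
    intermediate pointer is 0, instead of carrying on and reading near address 0."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    addr = start
    for off in offsets:
        raw = mem.read(addr, ptr_size)
        if raw is None:
            return None
        ptr = struct.unpack(fmt, raw)[0]
        if ptr == 0:
            return None
        addr = ptr + off
    return addr

# Assumed chain, mirroring the post: MemoryMan.dll base + 0x27E8C, then +0x798, +0x504, +0x14, +0x8, +0x40 (float)
STATIC_OFFSET = 0x27E8C
CHAIN = (0x798, 0x504, 0x14, 0x8, 0x40)
SAMPLE_MODULE_BASE = 0x10000000  # constructed; a real base comes from EnumProcessModules at runtime

def read_health_percent(mem, module_base):
    """ASLR moves the module base between launches; the distance from it stays fixed until a patch."""
    addr = walk_pointer_chain(mem, module_base + STATIC_OFFSET, CHAIN)
    if addr is None:
        return None
    raw = mem.read(addr, 4)
    return struct.unpack("<f", raw)[0] if raw is not None else None

def build_sample_image(break_chain=False):
    """Constructed image: the module plus five heap objects linked by the offsets above."""
    module = bytearray(0x28000)
    objs = {a: bytearray(0x800) for a in (0x400000, 0x500000, 0x600000, 0x700000, 0x800000)}
    struct.pack_into("<I", module, STATIC_OFFSET, 0x400000)
    struct.pack_into("<I", objs[0x400000], 0x798, 0x500000)
    struct.pack_into("<I", objs[0x500000], 0x504, 0x600000)
    struct.pack_into("<I", objs[0x600000], 0x14, 0x700000)
    struct.pack_into("<I", objs[0x700000], 0x8, 0 if break_chain else 0x800000)  # 0 = object not allocated
    struct.pack_into("<f", objs[0x800000], 0x40, 73.5)  # the health % float at the end of the chain
    return FakeProcessMemory({SAMPLE_MODULE_BASE: module, **objs})

if __name__ == "__main__":
    print(read_health_percent(build_sample_image(), SAMPLE_MODULE_BASE))       # 73.5
    print(read_health_percent(build_sample_image(True), SAMPLE_MODULE_BASE))   # None
```

    On Windows, replace build_sample_image() with Win32ProcessMemory(pid) and pass the module base you resolved with EnumProcessModules; the reader opens the process with PROCESS_VM_READ | PROCESS_QUERY_INFORMATION only, which is all a read-only tool needs.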

  2. #2 zxzwa (Member)
    Wonderful! Will test it today! I wanted to learn more about memory reading. Do you know how to do it in other languages like C++? +rep

    Edit: and could you please explain the code a little bit? Thanks
    Last edited by zxzwa; 01-18-2012 at 10:23 AM.

  3. #3 zewt (Member)
    Works perfectly! Thank you, this was exactly what I was looking for!
    Last edited by zewt; 01-19-2012 at 01:11 PM.

  4. #4 Nomoko (Member)
    Hm, I tried it just for fun yesterday, but for some reason when I read the first pointer it gives me something like 0000000CD42234 ... so it adds 0000000 to the front of the address. How come it does that? (It then points to a 0 value.) Has it something to do with my NomadMemory, or where is the problem? Thanks in advance.

  5. #5 mechtn (Corporal)
    Nomoko - I noticed mine does that too. I posted the code also as an example on the AutoIT forums and was told that my code was pretty sloppy, SO.... I'm working on cleaning it up some based on some suggestions that were made to me. I get the extra 0's too; however, my last pointer does return a good value. I tried using some other methods to detect the swtor.exe process by its window name, and when doing so it didn't return the correct values, so make sure you're still trying to open the process swtor.exe.

  6. #6 pinny (Active Member)
    Any idea on how to get this to work?

  7. #7 zewt (Member)
    This is working for me as-is... all that had to change is the static address and offset values.

  8. #8 gthm (Member)
    This is great! Thanks for sharing

    I have been looking for a good way of bypassing memory randomization on windows 7.

    Base (of memoryMan.dll) + (some distance) is staying the same value even after restarting my swtor client!!!

    Thank you very much for sharing
    Last edited by gthm; 01-29-2012 at 06:49 PM.

  9. #9 gthm (Member)
    This is sweet! thanks a ton.

    For those out there who want something more of a complete working package, I added in the function calls for _MemoryModuleGetBaseAddress and SetPrivilege.
    This will start at the first address and then loop through the next X addresses and display their values. I am going to use this for searching for memory offsets by value, but it could easily be modified for changing a specific value.

    Code:
        #RequireAdmin
        #include <nomadMemory.au3>
        SetPrivilege("SetDebugPrivilege", 1)

        Global $searchString = "4621"      ; the value I am searching for (x offset although this may be wrong its an example)
        Global $numOffsetsToSearch = 100   ; how many bytes past the module base to scan
        Global $PID
        Global $sModule = "MemoryMan.dll"
        Global $StaticOffset
        Global $openmem

        $PID = ProcessExists("swtor.exe")

        If $PID = 0 Then
            MsgBox(4096, "Error", "SWTOR not running!", 3)
            Exit ; Return is only valid inside a function; use Exit at script level
        EndIf
        $openmem = _MemoryOpen($PID)

        If @error Then
            MsgBox(4096, "Error", "_MemoryOpen failed, error " & @error, 3)
            Exit
        EndIf

        $StaticOffset = Dec("27E8C")
        $baseADDR = _MemoryModuleGetBaseAddress($PID, $sModule)
        If @error Then
            MsgBox(4096, "Error", $sModule & " not found in process " & $PID, 3)
            _MemoryClose($openmem)
            Exit
        EndIf
        MsgBox(0, "Base address", "Base:" & $baseADDR)
        $finalADDR = "0x" & Hex($baseADDR + $StaticOffset)
        MsgBox(0, "Final address", "Final:" & $finalADDR)

        ; scan: read a dword at base+0, base+1, ... base+N-1 and report the ones equal to the search value
        $i = 0
        While $i < $numOffsetsToSearch
            $r = _MemoryRead("0x" & Hex($baseADDR + $i), $openmem)
            If $r <> 0 Then ; ignore 0 values completely
                If $r == $searchString Then
                    MsgBox(0, "Found it!", "i (base + distance):" & $i & " val:" & $r)
                Else
                    MsgBox(0, "value of i", "i:" & $i & " val:" & $r)
                EndIf
            EndIf
            $i = $i + 1
        WEnd

        ; pointer chain from the static address, as in the first post
        $r = _MemoryRead($finalADDR, $openmem)
        $r = _MemoryRead($r + 0x798, $openmem)
        $r = _MemoryRead($r + 0x504, $openmem)
        $r = _MemoryRead($r + 0x14, $openmem)
        $r = _MemoryRead($r + 0x8, $openmem)
        $r = _MemoryRead($r + 0x40, $openmem, "float")

        ConsoleWrite("Pointer Value:" & $r & @CRLF)
        ;MsgBox(0, "value of r", "r val:" & $r)
        _MemoryClose($openmem)

        ;=================================================================================================
        ; Function:        _MemoryModuleGetBaseAddress($iPID, $sModule)
        ; Description:     Enumerates the modules loaded in process $iPID with psapi!EnumProcessModules and
        ;                  returns the base address of the one whose file name matches $sModule.
        ;                  The script's bitness must match the target: a 32-bit script cannot enumerate the
        ;                  modules of a 64-bit process this way (EnumProcessModules fails with ERROR_PARTIAL_COPY).
        ; Parameter(s):    $iPID    - process id
        ;                  $sModule - module file name as reported by GetModuleBaseName, e.g. "MemoryMan.dll"
        ; Requirement(s):  OpenProcess must succeed on the target (SeDebugPrivilege for other users' processes).
        ; Return Value(s): On Success - Returns the module base address.
        ;                  On Failure - Returns 0 and sets @error.
        ; Author(s):       Unknown
        ; Note(s):         This is NOT my code.
        ;=================================================================================================
        Func _MemoryModuleGetBaseAddress($iPID, $sModule)
            If Not ProcessExists($iPID) Then Return SetError(1, 0, 0)
            If Not IsString($sModule) Then Return SetError(2, 0, 0)
            Local $PSAPI = DllOpen("psapi.dll")
            ; Open the process with only what module enumeration needs (least privilege)
            Local $PERMISSION = BitOR(0x0400, 0x0010) ; PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
            Local $aOpen = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $PERMISSION, "bool", 0, "dword", $iPID)
            If @error Or Not $aOpen[0] Then
                DllClose($PSAPI)
                Return SetError(3, 0, 0)
            EndIf
            Local $hProcess = $aOpen[0]
            ; EnumProcessModules fills an array of HMODULEs; HMODULE is pointer-sized, so the count depends on bitness
            Local $iPtrSize = 4
            If @AutoItX64 Then $iPtrSize = 8
            Local $Modules = DllStructCreate("ptr[1024]")
            Local $aCall = DllCall($PSAPI, "bool", "EnumProcessModules", "handle", $hProcess, "ptr", DllStructGetPtr($Modules), "dword", DllStructGetSize($Modules), "dword*", 0)
            Local $pBase = 0
            If Not @error And $aCall[0] And $aCall[4] > 0 Then
                Local $iModnum = $aCall[4] / $iPtrSize
                Local $aTemp
                For $i = 1 To $iModnum
                    $aTemp = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "handle", $hProcess, "ptr", DllStructGetData($Modules, 1, $i), "wstr", "", "dword", 260)
                    If Not @error And $aTemp[3] = $sModule Then ; = is a case-insensitive string compare
                        $pBase = DllStructGetData($Modules, 1, $i)
                        ExitLoop
                    EndIf
                Next
            EndIf
            DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess) ; do not leak the process handle
            DllClose($PSAPI)
            If $pBase = 0 Then Return SetError(-1, 0, 0)
            Return $pBase
        EndFunc   ;==>_MemoryModuleGetBaseAddress

        ;=================================================================================================
        ; Function:        SetPrivilege($privilege, $bEnable)
        ; Description:     Enables ($bEnable = 1) or disables ($bEnable = 0) one privilege, or an array of
        ;                  them, in the current process token via AdjustTokenPrivileges. "SeDebugPrivilege"
        ;                  is what lets OpenProcess succeed on processes owned by other users or protected by
        ;                  the system; it only exists in an elevated (administrator) token, hence #RequireAdmin.
        ; Parameter(s):    $privilege - privilege name such as "SeDebugPrivilege", or an array of names
        ;                  $bEnable   - 1 to enable, 0 to disable
        ; Return Value(s): 1 on success, 0 on failure. AdjustTokenPrivileges returns TRUE even when the token
        ;                  does not hold the privilege (ERROR_NOT_ALL_ASSIGNED), so that case is checked too.
        ; Author(s):       Unknown
        ; Note(s):         This is NOT my code.
        ;=================================================================================================
        Func SetPrivilege($privilege, $bEnable)
            Const $MY_TOKEN_ADJUST_PRIVILEGES = 0x0020
            Const $MY_TOKEN_QUERY = 0x0008
            Const $MY_SE_PRIVILEGE_ENABLED = 0x0002
            Const $ERROR_NOT_ALL_ASSIGNED = 1300
            Local $hToken, $SP_auxret, $hCurrProcess, $nTokens, $nTokenIndex, $priv
            Local $LUID, $TOKEN_PRIVILEGES, $NEWTOKEN_PRIVILEGES, $ret, $aErr, $iAdjust = 0, $bOK = 0
            $nTokens = 1
            $LUID = DllStructCreate("dword;long") ; LUID: LowPart, HighPart
            If IsArray($privilege) Then $nTokens = UBound($privilege)
            ; TOKEN_PRIVILEGES: PrivilegeCount, then LUID_AND_ATTRIBUTES[n] = (LUID low, LUID high, Attributes)
            $TOKEN_PRIVILEGES = DllStructCreate("dword;dword[" & (3 * $nTokens) & "]")
            $NEWTOKEN_PRIVILEGES = DllStructCreate("dword;dword[" & (3 * $nTokens) & "]")
            $hCurrProcess = DllCall("kernel32.dll", "handle", "GetCurrentProcess")
            $SP_auxret = DllCall("advapi32.dll", "bool", "OpenProcessToken", "handle", $hCurrProcess[0], _
                    "dword", BitOR($MY_TOKEN_ADJUST_PRIVILEGES, $MY_TOKEN_QUERY), "handle*", 0)
            If @error Or Not $SP_auxret[0] Then Return 0
            $hToken = $SP_auxret[3]
            DllStructSetData($TOKEN_PRIVILEGES, 1, $nTokens) ; PrivilegeCount covers every entry, not just one
            $nTokenIndex = 1
            While $nTokenIndex <= $nTokens
                If IsArray($privilege) Then
                    $priv = $privilege[$nTokenIndex - 1]
                Else
                    $priv = $privilege
                EndIf
                $ret = DllCall("advapi32.dll", "bool", "LookupPrivilegeValueW", "wstr", "", "wstr", $priv, _
                        "ptr", DllStructGetPtr($LUID))
                If Not @error And $ret[0] Then
                    If $bEnable Then
                        DllStructSetData($TOKEN_PRIVILEGES, 2, $MY_SE_PRIVILEGE_ENABLED, 3 * $nTokenIndex)
                    Else
                        DllStructSetData($TOKEN_PRIVILEGES, 2, 0, 3 * $nTokenIndex)
                    EndIf
                    DllStructSetData($TOKEN_PRIVILEGES, 2, DllStructGetData($LUID, 1), 3 * ($nTokenIndex - 1) + 1)
                    DllStructSetData($TOKEN_PRIVILEGES, 2, DllStructGetData($LUID, 2), 3 * ($nTokenIndex - 1) + 2)
                    DllStructSetData($LUID, 1, 0)
                    DllStructSetData($LUID, 2, 0)
                EndIf
                $nTokenIndex += 1
            WEnd
            $ret = DllCall("advapi32.dll", "bool", "AdjustTokenPrivileges", "handle", $hToken, "bool", 0, _
                    "ptr", DllStructGetPtr($TOKEN_PRIVILEGES), "dword", DllStructGetSize($NEWTOKEN_PRIVILEGES), _
                    "ptr", DllStructGetPtr($NEWTOKEN_PRIVILEGES), "dword*", 0)
            If Not @error Then $iAdjust = $ret[0]
            ; must be read immediately after the call: TRUE + ERROR_NOT_ALL_ASSIGNED means nothing was enabled
            $aErr = DllCall("kernel32.dll", "dword", "GetLastError")
            If $iAdjust And $aErr[0] <> $ERROR_NOT_ALL_ASSIGNED Then $bOK = 1
            DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hToken)
            $NEWTOKEN_PRIVILEGES = 0
            $TOKEN_PRIVILEGES = 0
            $LUID = 0
            Return $bOK
        EndFunc   ;==>SetPrivilege
    NomadMemory.au3 can be found here:
    [AutoIt] NomadMemory.au3 - Pastebin.com
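
    The scan loop in the post above, and the "base + distance" observation from post #8, as an added example in Python (not gthm's code, not part of NomadMemory). It scans a region for a dword equal to the search value, then does the step the post's loop stops short of: take a second snapshot after the value has changed in the game and keep only the candidates that changed with it, which is how the real variable is separated from coincidental matches. The region base, the two snapshots and the planted values are constructed sample data; step=4 checks aligned dwords, step=1 reproduces the post's byte-by-byte walk.

```python
import struct
from typing import List, Sequence, Tuple

SCAN_BASE = 0x00450000  # constructed region base; in practice the module base or a heap block

def scan_region(data: bytes, base: int, value: int, fmt: str = "<I", step: int = 4) -> List[int]:
    """Return every address in [base, base+len(data)) whose fmt-encoded contents equal value.
    step=4 looks at aligned dwords only; step=1 is the byte-by-byte walk from the post."""
    size = struct.calcsize(fmt)
    return [base + off for off in range(0, len(data) - size + 1, step)
            if struct.unpack_from(fmt, data, off)[0] == value]

def narrow(candidates: Sequence[int], data: bytes, base: int, new_value: int, fmt: str = "<I") -> List[int]:
    """Keep only the candidates that hold new_value in a fresh snapshot of the same region."""
    size = struct.calcsize(fmt)
    keep = []
    for addr in candidates:
        off = addr - base
        if 0 <= off <= len(data) - size and struct.unpack_from(fmt, data, off)[0] == new_value:
            keep.append(addr)
    return keep

def distance_from_base(addr: int, module_base: int) -> int:
    """The 'base + distance' figure: the base moves with ASLR on every launch, the distance does not."""
    return addr - module_base

def find_variable(snap_before: bytes, snap_after: bytes, old_value: int, new_value: int,
                  base: int = SCAN_BASE) -> List[int]:
    """Two-pass search: candidates from the first snapshot, narrowed by the second."""
    return narrow(scan_region(snap_before, base, old_value), snap_after, base, new_value)

def sample_snapshots() -> Tuple[bytes, bytes]:
    """Constructed 4 KiB snapshots: three dwords equal 4621 in the first; only the one at +0x2A0
    is the live variable, so it reads 4700 in the second while the other two stay at 4621."""
    snap1 = bytearray(0x1000)
    for i in range(0, 0x1000, 4):
        struct.pack_into("<I", snap1, i, 1000 + 7 * (i // 4))  # filler that never equals 4621 or 4700
    for off in (0x10, 0x2A0, 0x7F8):
        struct.pack_into("<I", snap1, off, 4621)
    snap2 = bytearray(snap1)
    struct.pack_into("<I", snap2, 0x2A0, 4700)
    return bytes(snap1), bytes(snap2)

if __name__ == "__main__":
    s1, s2 = sample_snapshots()
    print([hex(a) for a in scan_region(s1, SCAN_BASE, 4621)])   # three candidates
    live = find_variable(s1, s2, 4621, 4700)
    print([hex(a) for a in live], hex(distance_from_base(live[0], SCAN_BASE)))  # one survivor, +0x2a0
```

    With a real target, the two snapshots come from ReadProcessMemory of the same range before and after the value changes in the game; repeat narrow() with each further change until one address is left, then record its distance from the module base rather than the address itself.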

  10. #10 mechtn (Corporal)
    Glad you guys like it. I've got a full framework done for reading and walking memory pointers in c# now. Just need to hook up with someone that knows how to reverse the memory addresses. I'm also using IDA to disassemble the swtor.exe and i'm poking around it in now too learning Assembly. It's as much fun learning to reverse engineer as it is to play.

  11. #11 fnop (Member)
    Originally Posted by mechtn
    Nomoko - I noticed mine does that too. I posted the code also as an example on the AutoIT forums and was told that my code was pretty sloppy, SO.... I'm working on cleaning it up some based on some suggestions that were made to me. I get the extra 0's too; however, my last pointer does return a good value. I tried using some other methods to detect the swtor.exe process by its window name, and when doing so it didn't return the correct values, so make sure you're still trying to open the process swtor.exe.
    It's my guess that those extra 0's are the effect of 64-bit operating systems.
