Base Address + pointer + offset = 0 :(

  1. #16
    mrdennis87
    So just an update, seems like C# is a lot like vb6. I have learned a lot so far today. Right now I am currently loading all of the modules of a process, and getting the base addresses of them. Also, this includes the Main Module base address. I'm assuming the Main Module Base Address is the one I'm going for. If you guys know C#, maybe I can get a little help modifying the current code. Right now it starts a process, and then grabs all of the modules and addresses. I am trying to assign the string "MyProcess" to the wow process or any other process for that matter ^__^ If you could show me an example or explain more of how to assign a string to a process to gather info from it, I am listening and willing to learn. Here is the current code:

    Process myProcess = new Process();
    // Get the process start information of notepad.
    ProcessStartInfo myProcessStartInfo = new ProcessStartInfo("Notepad.exe");
    // Assign 'StartInfo' of notepad to 'StartInfo' of 'myProcess' object.
    myProcess.StartInfo = myProcessStartInfo;
    // Create a notepad.
    myProcess.Start();
    System.Threading.Thread.Sleep(1000);
    ProcessModule myProcessModule;
    // Get all the modules associated with 'myProcess'.
    ProcessModuleCollection myProcessModuleCollection = myProcess.Modules;
    listBox1.Items.Add("Base addresses of the modules associated "
        + "with 'notepad' are:");
    // Display the 'BaseAddress' of each of the modules.
    for (int i = 0; i < myProcessModuleCollection.Count; i++)
    {
        myProcessModule = myProcessModuleCollection[i];
        listBox1.Items.Add(myProcessModule.ModuleName + " : "
            + myProcessModule.BaseAddress);
    }
    // Get the main module associated with 'myProcess'.
    myProcessModule = myProcess.MainModule;
    // Display the 'BaseAddress' of the main module.
    listBox1.Items.Add("The process's main module's base address is: "
        + myProcessModule.BaseAddress);
    myProcess.CloseMainWindow();

  2. #17
    Xartrick
    Process Class (System.Diagnostics)
    Process.GetProcessesByName Method (String) (System.Diagnostics)


    Code:
    Process[] oProcesses = Process.GetProcessesByName("Wow");
    
    foreach (Process oProcess in oProcesses) {
        ProcessModuleCollection oModules = oProcess.Modules;
        
        Console.WriteLine(oProcess.ProcessName + " (" + oProcess.Id + ")");
        Console.WriteLine("BaseAddress: " + oProcess.MainModule.BaseAddress);
        
        foreach (ProcessModule oModule in oModules) {
            Console.WriteLine(oModule.ModuleName + " - " + oModule.BaseAddress);
        }
    }
    Result:

    Code:
    Wow (3944)
    
    BaseAddress: 3932160
    
    Wow.exe - 3932160
    ntdll.dll - 2006122496
    kernel32.dll - 1968570368
    KERNELBASE.dll - 1971388416
    USER32.dll - 1971716096
    GDI32.dll - 1984561152
    LPK.dll - 2005925888
    USP10.dll - 1972764672
    msvcrt.dll - 1976631296
    ADVAPI32.dll - 1974337536
    sechost.dll - 2001797120
    RPCRT4.dll - 1981284352
    SspiCli.dll - 1967718400
    CRYPTBASE.dll - 1967652864
    OPENGL32.dll - 1390411776
    GLU32.dll - 1391919104
    DDRAW.dll - 1766457344
    DCIMAN32.dll - 1807613952
    SETUPAPI.dll - 1982857216
    CFGMGR32.dll - 1975058432
    OLEAUT32.dll - 1973420032
    ole32.dll - 1978728448
    DEVOBJ.dll - 1974009856
    dwmapi.dll - 1920532480
    d3d9.dll - 1920729088
    VERSION.dll - 1964572672
    d3d8thk.dll - 1920663552
    IMM32.dll - 1969684480
    MSCTF.dll - 1977352192
    WININET.dll - 1980235776
    SHLWAPI.dll - 1968111616
    urlmon.dll - 2000158720
    CRYPT32.dll - 1975255040
    MSASN1.dll - 1968504832
    iertutil.dll - 1985150976
    WS2_32.dll - 1971126272
    NSI.dll - 1974992896
    DINPUT8.dll - 1948647424
    HID.DLL - 1961230336
    SHELL32.dll - 1987248128
    WINMM.dll - 1930952704
    MSACM32.dll - 1915224064
    apphelp.dll - 1962409984
    AcSpecfc.DLL - 1391394816
    COMCTL32.dll - 1922957312
    mscms.dll - 1765408768
    USERENV.dll - 1961754624
    profapi.dll - 1963589632
    MPR.dll - 1964179456
    COMDLG32.dll - 1978204160
    msi.dll - 1885863936
    AcLayers.DLL - 1831206912
    WINSPOOL.DRV - 1919811584
    comctl32.dll - 1909587968
    dnsapi.DLL - 1899954176
    iphlpapi.DLL - 1935212544
    WINNSI.DLL - 1935147008
    mswsock.dll - 1927675904
    wshtcpip.dll - 1927610368
    RASAPI32.dll - 1934753792
    rasman.dll - 1961033728
    rtutils.dll - 1862402048
    sensapi.dll - 1913454592
    NLAapi.dll - 1901330432
    rasadhlp.dll - 1899429888
    napinsp.dll - 1901264896
    pnrpnsp.dll - 1901133824
    wshbth.dll - 1900281856
    winrnr.dll - 1899888640
    WLIDNSP.DLL - 1899692032
    PSAPI.DLL - 1980170240
    mdnsNSP.dll - 1899495424
    wship6.dll - 1862336512
    fwpuclnt.dll - 1898577920
    ntmarta.dll - 1927938048
    WLDAP32.dll - 2001469440
    uxtheme.dll - 1907490816
    WINTRUST.dll - 1976434688
    d3d11.dll - 1382809600
    dxgi.dll - 1937571840
    xfire_toucan_45547.dll - 268435456
    WSOCK32.dll - 1931411456
    MSIMG32.dll - 1957560320
    MSVCR71.DLL - 2083782656
    wth.dll - 1948581888
    MSVCR90.dll - 1934032896
    atidxx32.dll - 1862991872
    icm32.dll - 1498808320
    CLBCatQ.DLL - 1982267392
    MMDevApi.dll - 1920204800
    PROPSYS.dll - 1918173184
    AUDIOSES.DLL - 1915420672
    wdmaud.drv - 1915748352
    ksuser.dll - 1922629632
    AVRT.dll - 1915682816
    msacm32.drv - 1915355136
    midimap.dll - 1915158528
    Last edited by Xartrick; 07-18-2012 at 02:50 PM.

  3. #18
    mrdennis87
    Originally Posted by Xartrick View Post
    Process Class (System.Diagnostics)
    Process.GetProcessesByName Method (String) (System.Diagnostics)


    Ty Xartrick, that is exactly what I was wondering. I can get the base address now. The thing that's confusing me though, is when I get the base address using nomad's AutoIt script, I can then add that base address + &H42788, which is the static offset, and then get the value, and add that value to &H11CC and get my hp every single time. I'm messing with this base address that C# is giving me, and it's not the same one as the AutoIt script is giving. Also I cannot get an hp value using the base address from the C# code. I would still get the base address, add it to &H42788, get the value and then add that new pointer to my &H11CC offset, which should give me my hp. Is this base address rebased, where I am going to have to take a value off of it before adding the first offset? Sorry if it's confusing, I am definitely learning a lot from you guys, and I appreciate the time you're taking to help me.

    Also, from what I'm reading, it's saying CE gives you the entry point base address. When I retrieve the entry point, and regular base address they're the same though so I'm guessing either one will work.
    Last edited by mrdennis87; 07-18-2012 at 03:32 PM.

  4. #19
    Frosttall
    Could you write here an example how you're calculating the addresses exactly?

    The function is correct so far

  5. #20
    mrdennis87
    Originally Posted by Frosttall View Post
    Could you write here an example how you're calculating the addresses exactly?

    The function is correct so far
    Well, once I get the base address... Right now it's 0x00000000013A0000, of which I am using "&H13A0000" and adding "&H42788", which is the static offset I found that will point to the pointer that will give me my values. Then using that new pointer I add "&H11CC" as its offset, which will give me my hp, or I can use "&H11D0" and it will give me my mana value. I can grab the base address and in vb6 can get my values every time. Here is the code in vb6 I am using to read the memory:


    lblpointer.Caption = ReadMemory(&H13A0000 + &HA42788) ' Base address plus static offset

    lblhp.Caption = ReadMemory(lblpointer.Caption + &H11CC) ' New pointer from adding the above, plus offset for hp gives me my hp

    So now the caption of "lblhp" will show my hp, which works every time. Just can't get it to work using the base address from the C# code; for some reason it's a different base address.

    So right now AutoIt script is giving me " 0x00000000013A0000" as the base address, which works. And the C# code is giving me this one "20578304".
    Last edited by mrdennis87; 07-18-2012 at 03:58 PM.

  6. #21
    Xartrick
    Please use a variable instead of the control's caption. A control's caption is a string and pointers are usually IntPtr.

    What is the return type of the ReadMemory function?

  7. #22
    mrdennis87
    Originally Posted by Xartrick View Post
    Please use a variable instead of the control's caption. A control's caption is a string and pointers are usually IntPtr.

    What is the return type of the ReadMemory function?
    I'm reading the values, using vb6 code..(I'm learning C# though)

    Private Function ReadMemory(Address As Long) As Long
        Dim ProcessID As Long, processHandle As Long
        ' tHvnd is the target window handle, set elsewhere in the form
        If tHvnd = 0 Then
            Me.Caption = tHvnd & "hmm"
            Exit Function
        End If
        GetWindowThreadProcessId tHvnd, ProcessID
        ' &H10 = PROCESS_VM_READ
        processHandle = OpenProcess(&H10, False, ProcessID)
        If processHandle = 0 Then
            Me.Caption = Description
            Exit Function
        End If
        ' Read 4 bytes at Address into the function's return value
        ReadProcessMemory processHandle, Address, ReadMemory, 4, 0&
        CloseHandle processHandle
    End Function
    This is the function I am using to read the memory in vb6.

    I understand what you're saying though, in C# you have to convert using like IntPtr(hex value) I believe. I just started learning it today :\ C# that is. vb6 I've been programming in for 7 years now.
    Last edited by mrdennis87; 07-18-2012 at 04:03 PM.

  8. #23
    Jadd
    Don't use UIntPtr/IntPtr. It's a huge ****-up.

  9. #24
    Xartrick
    Learn C#.NET, it will come more easily.

    Originally Posted by Jadd View Post
    Don't use UIntPtr/IntPtr. It's a huge ****-up.
    Why?

  10. #25
    Jadd
    Originally Posted by Xartrick View Post
    Why?
    Neither of them have any operators. This is mainly why I hate it.
    Last edited by Jadd; 07-18-2012 at 04:21 PM.

  11. #26
    Xartrick
    Originally Posted by Jadd View Post
    Neither of them have any operators. This is mainly why I hate it.
    Just make a cast (obviously, this type is useless if you make a cast to another data type).

    I hate it now.
    Last edited by Xartrick; 07-18-2012 at 04:37 PM.

  12. #27
    Frosttall
    Well, I usually read pointers simply as uint and don't mess around with IntPtr or UIntPtr.
    IMO you should first write a correct API (to read uint, int, float, double and so on) for memreading before you try to work with the values you read.

    P.S. 0x00000000013A0000 = 20578304

    A problem with IntPtr is that its size depends on your system (whether it's 32 or 64 bit). On a 32-bit system it has a size of 32 bits (4 bytes) and on a 64-bit system a size of 64 bits (8 bytes).

    But as you should start by working with 32-bit Wow, you should only work with uint because it always has a size of 4 bytes and doesn't depend on your system.
    Last edited by Frosttall; 07-18-2012 at 04:36 PM.

  13. #28
    Jadd
    Casting a platform-specific type is redundant. It's much easier to use this with build defines:
    Code:
    #if WIN32
        using DWORD_PTR = System.UInt32;
    #else
        using DWORD_PTR = System.UInt64;
    #endif
    The only downside is that DWORD_PTR needs to be set in all source files that use it. But it's a small price to pay for operator support.
    Last edited by Jadd; 07-18-2012 at 04:36 PM.

  14. #29
    mrdennis87
    I am learning C#. I installed Visual Studio and have been reading up and learning about the language all day. I am switching over from vb to C# but I am trying to figure out why this C# code isn't giving the right base address. Is it because I have to convert it, or change it somehow? I'm reading the code, and everything seems to make sense, so I'm stuck at this point :\ I am using this line here:

    listBox1.Items.Add("BaseAddress: " + oProcess.MainModule.BaseAddress);

    which adds it to the listbox, but my guess is I'm either not converting it to the right type before adding to the listbox, or there is something I'm missing.

  15. #30
    mrdennis87
    Originally Posted by Frosttall View Post
    Well, I usually read pointers simply as uint and don't mess around with IntPtr or UIntPtr.
    IMO you should first write a correct API (to read uint, int, float, double and so on) for memreading before you try to work with the values you read.

    P.S. 0x00000000013A0000 = 20578304

    A problem with IntPtr is that its size depends on your system (whether it's 32 or 64 bit). On a 32-bit system it has a size of 32 bits (4 bytes) and on a 64-bit system a size of 64 bits (8 bytes).

    But as you should start by working with 32-bit Wow, you should only work with uint because it always has a size of 4 bytes and doesn't depend on your system.
    Btw I am using a 64-bit OS. So the C# code is right, BUT how do you get 20578304 out of 0x00000000013A0000? That's my question now lol
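
Added example, not written by any poster in this thread: it shows that the AutoIt, VB6 and C# spellings of the base address are one number, that IntPtr prints in decimal unless formatted as hex, and why arithmetic on a control's caption string differs from arithmetic on an integer. The names AddressFormats, Parse and ToUInt32Checked are hypothetical helpers made up for this illustration.

```csharp
using System;
using System.Globalization;

static class AddressFormats
{
    // Accepts C/AutoIt hex ("0x..."), VB6 hex ("&H...") or plain decimal text.
    public static ulong Parse(string text)
    {
        string s = text.Trim();
        bool isHex = s.StartsWith("0x", StringComparison.OrdinalIgnoreCase)
                  || s.StartsWith("&H", StringComparison.OrdinalIgnoreCase);
        return isHex
            ? ulong.Parse(s.Substring(2), NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture)
            : ulong.Parse(s, NumberStyles.None, CultureInfo.InvariantCulture);
    }

    // Narrow a 64-bit address to uint; throws OverflowException instead of truncating.
    public static uint ToUInt32Checked(long address)
    {
        return checked((uint)address);
    }

    static void Main()
    {
        // The three spellings of the base address quoted in the thread.
        ulong autoIt = Parse("0x00000000013A0000");
        ulong vb6 = Parse("&H13A0000");
        ulong dotNet = Parse("20578304");
        Console.WriteLine("Same value: " + (autoIt == vb6 && vb6 == dotNet));

        // IntPtr.ToString() prints decimal; format explicitly to get hex.
        IntPtr baseAddress = new IntPtr(20578304);
        Console.WriteLine("Default:    " + baseAddress);
        Console.WriteLine("As hex:     0x" + baseAddress.ToInt64().ToString("X8"));
        Console.WriteLine("IntPtr.Size in this process: " + IntPtr.Size + " bytes");

        // Integer arithmetic versus arithmetic on a control's caption text.
        uint base32 = ToUInt32Checked(baseAddress.ToInt64());
        uint sum = base32 + 0x42788u;
        string caption = baseAddress.ToString();
        Console.WriteLine("uint + offset:   0x" + sum.ToString("X8"));
        Console.WriteLine("string + offset: " + (caption + 0x11CC)); // concatenation, not addition

        // A 64-bit address that does not fit in uint is rejected, not truncated.
        try
        {
            ToUInt32Checked(0x100000000L);
        }
        catch (OverflowException)
        {
            Console.WriteLine("0x100000000 does not fit in a 32-bit uint");
        }
    }
}
```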
