-
Member
[WoW 5.4.8.18414] discussion about memory address variation
Hi,
I'm working on a program that reads specific information from memory and does other stuff (which is irrelevant for the purpose of this thread).
So I have understood that the address read by Cheat Engine has a fixed offset from the address read directly by the program.
The code that scans every address searching for the build (for debugging purposes only) after connecting to the relevant process is:
Code:
```cpp
// Brute-force scan (debugging only): read a uint32 at every byte offset from the module base
// and print each offset at which the build number 18414 is found.
for (int i = 0; i < 0xFFFFFFF; ++i) {
    if (read<uint32>(hWow, u32WowBase + i) == 18414) {
        cout << std::hex << i << endl;
    }
}
```
This is the result I found:
![[WoW 5.4.8.18414] discussion about memory address variation-offset_build_548-png](https://www.ownedcore.com/forums/attachments/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/47070d1481561195t-wow-5-4-8-18414-discussion-about-memory-address-variation-offset_build_548-png)
The black part contains the addresses found by the program while the white part obviously contains the addresses found by Cheat Engine.
As you can see, they differ every time (except for the address 0x40ee69e, which I don't know why it was found; if you want, please explain to me why) by 4 at the 6th digit from the right.
That's good: I can translate addresses, read them and do my job.
The only "tiny" problem is that the memory addresses are different for every computer that launches the WoW 5.4.8 client.
Here is the result of my program running on another computer:
![[WoW 5.4.8.18414] discussion about memory address variation-offset_build_548_mitsu-jpg](https://www.ownedcore.com/forums/attachments/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/47073d1481562222t-wow-5-4-8-18414-discussion-about-memory-address-variation-offset_build_548_mitsu-jpg)
The addresses are completely different (and I don't need to check those addresses with Cheat Engine, because my purpose is to find addresses for all the data I need that are the same for every client that launches the program) from the ones found with the same program on my computer.
Note, just to give you more info:
Running the program on WotLK WoW clients with version 3.3.5 and searching for its build number, which is 12340, the addresses are the same for every computer that runs the program.
This answer is related to the 5.4.8.18414 WoW client only:
Can you please explain to me how I can find memory addresses that are the same regardless of the computer that runs the program?
Please be specific in order to avoid misunderstandings on my part (I'm a newbie in this WoW memory editing world), thank you very much!
-
By using static offsets and pointers. This matter is not related to the patch or anything.
Check my blog: https://zzuks.blogspot.com
-
Post Thanks / Like - 1 Thanks
Link88 (1 members gave Thanks to Corthezz for this useful post)
-
Member
Originally Posted by
Corthezz
By using static offsets and pointers. This matter is not related to the patch or anything.
Can you please be more specific, if possible? Like linking me some threads in this forum or anything else.
In the meanwhile, following your tip I'm studying how to work with pointers with Cheat Engine.
Thank you
-
The memory addresses are relative to the location at which Wow.exe is loaded into. In 3.3.5 it is always loaded at 0x00400000 because ASLR is disabled. IIRC 4.0 and onward were compiled with ASLR enabled, so the base address can differ.
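Jadd's point above, as an added example (not code from the thread): a small PE header parser that reports an image's preferred ImageBase and whether it was linked with the ASLR opt-in flag (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE). An image without the flag is mapped at its ImageBase (0x00400000 is the usual default for an x86 executable), which is why fixed addresses work for such a client; an image with the flag may be placed elsewhere, so every address has to be taken relative to the module base found at runtime. makePe32 builds a constructed minimal header so the block runs without a real Wow.exe.

```cpp
#include <cstdint>
#include <stdexcept>
#include <vector>

// Added example (not from the thread): read the preferred ImageBase and the ASLR opt-in flag
// (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, 0x0040) from a PE image's headers.
struct PeInfo {
    bool is64;            // PE32+ (x64) vs PE32 (x86)
    uint64_t imageBase;   // preferred load address; the actual base when not relocated
    bool aslr;            // DYNAMIC_BASE set: the loader may place the image elsewhere
};

static uint16_t rd16(const std::vector<uint8_t>& b, size_t off) {
    if (off + 2 > b.size()) throw std::runtime_error("truncated PE");
    return (uint16_t)(b[off] | (b[off + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, size_t off) {
    return rd16(b, off) | ((uint32_t)rd16(b, off + 2) << 16);
}

PeInfo parsePe(const std::vector<uint8_t>& img) {
    if (rd16(img, 0) != 0x5A4D) throw std::runtime_error("no MZ header");
    size_t pe = rd32(img, 0x3C);                   // e_lfanew -> "PE\0\0"
    if (rd32(img, pe) != 0x00004550) throw std::runtime_error("no PE signature");
    size_t opt = pe + 4 + 20;                      // optional header follows the COFF header
    PeInfo info{};
    uint16_t magic = rd16(img, opt);
    if (magic == 0x10B) { info.is64 = false; info.imageBase = rd32(img, opt + 28); }
    else if (magic == 0x20B) {                     // PE32+: 8-byte ImageBase at +24
        info.is64 = true;
        info.imageBase = rd32(img, opt + 24) | ((uint64_t)rd32(img, opt + 28) << 32);
    } else throw std::runtime_error("unknown optional header magic");
    uint16_t dllChars = rd16(img, opt + 70);       // DllCharacteristics, same offset in both
    info.aslr = (dllChars & 0x0040) != 0;
    return info;
}

// Constructed sample: a minimal PE32 header with only the fields parsePe reads filled in.
std::vector<uint8_t> makePe32(uint32_t imageBase, uint16_t dllChars) {
    std::vector<uint8_t> b(0x40 + 24 + 96, 0);
    b[0] = 'M'; b[1] = 'Z'; b[0x3C] = 0x40;        // e_lfanew = 0x40
    b[0x40] = 'P'; b[0x41] = 'E';                  // "PE\0\0" signature
    size_t opt = 0x40 + 24;
    b[opt] = 0x0B; b[opt + 1] = 0x01;              // magic 0x10B = PE32
    for (int i = 0; i < 4; ++i) b[opt + 28 + i] = (uint8_t)(imageBase >> (8 * i));
    b[opt + 70] = (uint8_t)dllChars; b[opt + 71] = (uint8_t)(dllChars >> 8);
    return b;
}
```

To inspect a real file, read it into a `std::vector<uint8_t>` and pass it to parsePe; if the module base reported at runtime equals imageBase, the image was not relocated.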
-
Member
Originally Posted by
Jadd
The memory addresses are relative to the location at which Wow.exe is loaded into. In 3.3.5 it is always loaded at 0x00400000 because ASLR is disabled. IIRC 4.0 and onward were compiled with ASLR enabled, so the base address can differ.
Clear and interesting.
So I think the key is to find the pointer address of the data I'm looking for and read the pointed-to value instead of the direct address value.
Admitting that I'm right, do the pointers have a fixed value that scales across any computer?
I must find something that is static and lets me start from the same position for every computer that runs the program.
edit: searching the forum, my friend found this thread (Finding the BaseAddress when ASLR is enabled) that seems to be exactly what I need. I'll give it a try.
Last edited by Link88; 12-13-2016 at 11:47 AM.
-
Member
I've read that thread and tried the solutions they suggest.
Especially this one always returns 0x00400000 as the base address, even with the 5.4.8 client.
Any idea on how to approach searching for the real base variable address?
When I have found the base address, should I only add the offset listed here and the job is done, right?
Last edited by Link88; 12-14-2016 at 08:15 AM.
-
Member
Originally Posted by
Jadd
The memory addresses are relative to the location at which Wow.exe is loaded into. In 3.3.5 it is always loaded at 0x00400000 because ASLR is disabled. IIRC 4.0 and onward were compiled with ASLR enabled, so the base address can differ.
I'm using this function:
Code:
```cpp
#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
using namespace std;

// Returns the base address of module procName inside process pid, or 0 if it is not found.
DWORD GetBaseAddress(DWORD pid, char *procName, DWORD &size)
{
    WCHAR wmsg[MAX_PATH];
    MultiByteToWideChar(CP_ACP, 0, procName, -1, wmsg, MAX_PATH);
    MODULEENTRY32 pe;
    HANDLE thSnapshot;
    BOOL retval, ProcFound = false;
    DWORD foundBase = 0, foundSize = 0;   // saved when the module is matched
    thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if (thSnapshot == INVALID_HANDLE_VALUE)
    {
        //cout << "Error: unable to create toolhelp snapshot" << endl;
        return 0;
    }
    pe.dwSize = sizeof(MODULEENTRY32);
    retval = Module32First(thSnapshot, &pe);
    wcout << "wmsg: " << wmsg << endl;
    while (retval)
    {
        wcout << "pe.szModule: " << pe.szModule << endl;
        if (_wcsicmp(pe.szModule, wmsg) == 0)
        {
            cout << "FOUND" << endl;
            ProcFound = true;
            // Save the match here: the loop keeps running for debug output,
            // so pe no longer holds this module once the loop ends.
            foundBase = (DWORD)pe.modBaseAddr;
            foundSize = pe.modBaseSize;
            // Commented for debugging purposes
            //break;
        }
        cout << "modBaseAddr " << std::hex << (DWORD)pe.modBaseAddr << endl;
        retval = Module32Next(thSnapshot, &pe);
        pe.dwSize = sizeof(MODULEENTRY32);
    }
    CloseHandle(thSnapshot);
    if (ProcFound)
    {
        size = foundSize;
        return foundBase;
    }
    return 0;
}
```
For testing purposes I print every process base address and this is the result:
![[WoW 5.4.8.18414] discussion about memory address variation-base_add-png](https://www.ownedcore.com/forums/attachments/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/47195d1481809597t-wow-5-4-8-18414-discussion-about-memory-address-variation-base_add-png)
BaseAddress is 0x400000, test made on Windows 10, WoW client 5.4.8.
Going to read at the given base address (which we assume is bad since ASLR is enabled) plus the offset found in the relevant thread for x64, which is 0x1274FE4, the result is:
![[WoW 5.4.8.18414] discussion about memory address variation-base_add_2-png](https://www.ownedcore.com/forums/attachments/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/47196d1481809824t-wow-5-4-8-18414-discussion-about-memory-address-variation-base_add_2-png)
Any idea?
-
You're reading a 64 bit offset from a 32 bit process?
-
Member
Originally Posted by
Jadd
You're reading a 64 bit offset from a 32 bit process?
I tried both B94E74 and 1274FE4 without success:
-
-
Member
Here it is:
Code:
```cpp
DWORD dwWowPid = GetWowProc();     // get WoW PID
if (!dwWowPid)
{
    printError("WoW is not running...\n");
    system("PAUSE");
    exit(1);
}
DWORD size;
UINT u32WowBase = GetBaseAddress(dwWowPid, "wow.exe", size);
if (!u32WowBase)                   // module not found in the snapshot: the base would be 0
{
    printError("Unable to find the wow.exe module base\n");
    system("PAUSE");
    exit(1);
}
HANDLE hWow = NULL;
if ((hWow = OpenProcess(PROCESS_VM_READ, false, dwWowPid)) == NULL)
{
    printError("Unable to open WoW process... try running as administrator\n");
    system("PAUSE");
    exit(1);
}
InfoDumpAddress *addr = new InfoDumpAddress548();
cout << "Base " << std::hex << u32WowBase << endl;
cout << "Offset " << std::hex << addr->BuildNumber << endl;
cout << "Address " << std::hex << u32WowBase + addr->BuildNumber << endl;
// cout is still in hex mode from the lines above; switch back so a build of 18414 prints as 18414, not 47ee
cout << "Client build " << std::dec << read<uint32>(hWow, u32WowBase + addr->BuildNumber) << endl;
CloseHandle(hWow);
delete addr;
system("PAUSE");
exit(0);
```
where:
GetWoWProc() calls the following method:
Code:
```cpp
// Returns the PID of the first process whose image name matches procName, or 0 if none.
// (Despite the name, this returns a process ID, not a thread ID.)
DWORD GetTargetThreadIdFromProcname(char *procName)
{
    WCHAR wmsg[MAX_PATH];
    MultiByteToWideChar(CP_ACP, 0, procName, -1, wmsg, MAX_PATH);
    PROCESSENTRY32 pe;
    HANDLE thSnapshot;
    BOOL retval, ProcFound = false;
    thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (thSnapshot == INVALID_HANDLE_VALUE)
    {
        //cout << "Error: unable to create toolhelp snapshot" << endl;
        return 0;
    }
    pe.dwSize = sizeof(PROCESSENTRY32);
    retval = Process32First(thSnapshot, &pe);
    while (retval)
    {
        if (_wcsicmp(pe.szExeFile, wmsg) == 0)
        {
            ProcFound = true;
            break;
        }
        retval = Process32Next(thSnapshot, &pe);
        pe.dwSize = sizeof(PROCESSENTRY32);
    }
    CloseHandle(thSnapshot);
    if (ProcFound)
        return pe.th32ProcessID;
    return 0;
}
```
GetBaseAddress():
Code:
```cpp
// Returns the base address of module procName inside process pid, or 0 if it is not found.
DWORD GetBaseAddress(DWORD pid, char *procName, DWORD &size)
{
    WCHAR wmsg[MAX_PATH];
    MultiByteToWideChar(CP_ACP, 0, procName, -1, wmsg, MAX_PATH);
    MODULEENTRY32 pe;
    HANDLE thSnapshot;
    BOOL retval, ProcFound = false;
    thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if (thSnapshot == INVALID_HANDLE_VALUE)
    {
        //cout << "Error: unable to create toolhelp snapshot" << endl;
        return 0;
    }
    pe.dwSize = sizeof(MODULEENTRY32);
    retval = Module32First(thSnapshot, &pe);
    wcout << "wmsg: " << wmsg << endl;
    while (retval)
    {
        wcout << "pe.szModule: " << pe.szModule << endl;
        if (_wcsicmp(pe.szModule, wmsg) == 0)
        {
            cout << "FOUND" << endl;
            ProcFound = true;
            break;   // pe now holds the matched module
        }
        cout << "modBaseAddr " << std::hex << (DWORD)pe.modBaseAddr << endl;
        retval = Module32Next(thSnapshot, &pe);
        pe.dwSize = sizeof(MODULEENTRY32);
    }
    CloseHandle(thSnapshot);
    if (ProcFound)
    {
        size = pe.modBaseSize;
        return (DWORD)pe.modBaseAddr;
    }
    return 0;
}
```
addr->BuildNumber is either B94E74 or 1274FE4
I would like to see "18414" as the client build.
-
Looks fine to me (apart from being really ugly); the only thing I notice is that you're reading the game build as uint32. The one from Torpedoes' dump is a string. Adjust your code to read a string, or test another offset which you know is an integer value.
-
Member
Originally Posted by
Jadd
Looks fine to me (apart from being really ugly); the only thing I notice is that you're reading the game build as uint32. The one from Torpedoes' dump is a string. Adjust your code to read a string, or test another offset which you know is an integer value.
Well, I have tried both int32 and string and the result is not satisfying:
![[WoW 5.4.8.18414] discussion about memory address variation-base_add_3-png](https://www.ownedcore.com/forums/attachments/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/47222d1481882484t-wow-5-4-8-18414-discussion-about-memory-address-variation-base_add_3-png)
I could try some other data (and I tried, without success), but what I need first, before going on, is to retrieve the build number with 100% certainty, because it is the discriminator that makes the program point to a different address list for each WoW version (the 3.3.5 address list already works correctly).
-
Only other thing I can think of is that you have the wrong wow build. Did you try reading it in Cheat Engine? (Wow.exe+B94E74)
-
Post Thanks / Like - 1 Thanks
Link88 (1 members gave Thanks to Jadd for this useful post)
-
Established Member
I've been using this code since 4.3.4 (x86):
wow-tools/ProcessTools.cpp at master · Shauren/wow-tools · GitHub
Reading the build from the file properties instead of any place in memory has not failed me yet.
Last edited by shauren; 12-16-2016 at 09:54 AM.
-
Post Thanks / Like - 1 Thanks
Link88 (1 members gave Thanks to shauren for this useful post)