Lua - Process Start Address Опции

[Drakono]

Hi.

Does anybody know how to check start address of dynamically allocated memory for the process?

Want to automate my script by loading the start address on it's own.
Currently I'm launching Cheat Engine every time to check process start address.

[DarkMaster]

You can use readmem() function for it. If you have dynamic memory - you need to find chain to target address (you can do it in cheat engine or artmoney), also i recommend to try to find a relative address from dll, where placed target value.

[Drakono]

My bad. I meant start address of the executable so that my pointers work inside script without checking it every time in CE. If what you said is exactly that then after reading your explanation I can sadly say that I do not know how to do it. Could you point me in correct direction?
Maybe some way to do this using ffi.C option which I currently use to read double values in memory.

Currently use this type of ffi code to read double. Maybe that could be reused?

Код

local ffi = require("ffi")
local user, kernel = ffi.load('User32'), ffi.load('Kernel32')
ffi.cdef[[
    int OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    int GetWindowThreadProcessId(int hWnd, int *lpdwProcessId);
    bool CloseHandle(int hObject);
    bool ReadProcessMemory(int hProcess, int lpBaseAddress, void *lpBuffer, int nSize, int *lpNumberOfBytesRead);
    int GetModuleHandleA(const char *lpModuleName);
]]
function readDouble(address)
    if workwindow() == 0 then log('No Workwindow') return -1 end

    local PID, pointer_double = ffi.new('unsigned long[1]'), ffi.new('double[1]')
    user.GetWindowThreadProcessId(workwindow(), PID)
    local process = kernel.OpenProcess(PROCESS_VM_READ, true, PID[0])
    if process > 0 then
        kernel.ReadProcessMemory(process, address, pointer_double, 8, nil)
        kernel.CloseHandle(process);
        return tonumber(pointer_double[0])
    end
    --log('Proccess not open.')
    end_script () --
end

Sorry for the trouble I create.

Сообщение отредактировал DarkMaster - 1.11.2023, 5:51

[DarkMaster]

you doesn't declare PROCESS_VM_READ. It have no value and nil will be passed to kernel.OpenProcess().
I dont understand what you try to say, when you write about "start address of the executable". In general it always something like 0x0. You dont have access to physical address inside operation system, you always work with virtual address (provided by operation system). Cheat Engine, uopilot and any kind of program using virtual address and it can be same in many processes. Its a reason why you need a handle to open process for start to read memory.
Pointer finding: https://stackoverflow.com/questions/5122022...-address-offset
For read int you can use readmem() function.
Example:

Код

-- you need to have right handle
-- in workwindow().
-- use ctrl+a or findwindow for it.
local pointer = 0
pointer = readmem(0x00001234, "d") + 0x28
pointer = readmem(pointer, "d") + 0x15
pointer = readmem(pointer, "d") + 0x72
local address = readmem(pointer, "d") + 0x68
local value     = readDouble(address)
log(value)

Сообщение отредактировал DarkMaster - 1.11.2023, 6:12

[Drakono]

Sorry again.
I do have

local PROCESS_VM_READ = 0x0010

It didn't copy properly it was above ffi.
I already use pointers in my script. I have pointers from player address for every variable about character.
I also have pointer to player address. Problem is that it needs start address from which first offset goes.
On screenshot attached I have found HP which is "static" in CE. My pointer to hp looks like this:

local gameMemStart = 0xCF0000 -- same as underlined on screenshot (which I have to check every time in CE)
local playerHP = readmem (gameMemStart + 0x7B774C, "D") -- same as the green static address/pointer on the search list of CE

My problem is that this "static" address changes every time I open the game client.
Tried doing 14 levels of pointerscan to this gameMemStart address in CE (took me 4 hours) and found no pointers.

In Cheat Engine when you expand "Memory Scan Options" dropdown list you can see all modules associated with the process to which CE is attached. On the list I select the "xxxGameClientNamexxx.exe".

My bad that I didn't describe it properly.

[DarkMaster]

Any way it have pointer to static. 14 levels its too much, but i recommend to try pointers chain (levels) with more wide offsets. I recommend to try 8192 and 16384 like offset. Dont use scan inside only one module (dll/exe) because you have great chance to skip right pointer in heap memory.

My problem is that this "static" address changes every time I open the game client.

Usually it calls "block". You have a block with static offsets inside. You need to find pointer to that block. You have a lot of options for it. You can try to find pointer to that block or to any data inside block. Sometimes much more easy to find pointers chain to hp/mana then block start.

Any way right solve - pointers. You can try to find value by pilot (simple "for" and "readDouble"), but it will be slow and you cant take memory map by standard function. You cant know which addresses allocated and restrictions of access.

Сообщение отредактировал DarkMaster - 2.11.2023, 13:45

[Cockney]

May be usefull https://stackoverflow.com/a/59557337