Полная версия: Выполните сканирование памяти в pilot с помощью readmem
neves
Hi, guys.
I am trying to find a memory address which I want to manipulate.
The only thing I know is the initial value at the memory address -> 349.3998718, type "F".
I know you would suggest that I find the offsets of the memory address, but this game has updates every week and all offsets change. sad.gif
My idea is to perform a memory scan similar to the CE scanning.
I already tried something, but I think I'm on the wrong way.
First I tried to find the base address of the process, then I started reading address by address, each time increasing the memory address.
Here is what I tried:
Код
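-- Linear scan of game.exe's image, one readmem() call per 4-byte slot.
--
-- Defects in the original loop that this version addresses:
--  * readmem(..., "F") hands back the 4-byte float as a Lua number (a double); a
--    float converted to double almost never compares *exactly* equal to the
--    decimal literal 349.3998718, so the `~=` loop could run past the end of
--    the module and never stop. The match is therefore done within a tolerance.
--  * there was no upper bound on the scan, so a miss meant an endless loop.
--  * every address was read twice (once in the condition, once for log()).
local TARGET         = 349.3998718
local TOLERANCE      = 1e-3              -- comfortably wider than one float ulp (~3e-5) at this magnitude
local FLOAT_SIZE     = 4                 -- "F" is a 4-byte float, so step by 4
local MAX_SCAN_BYTES = 64 * 1024 * 1024  -- constructed bound; TODO: adjust to the size of game.exe

local workwinpd = workwindow()
local base_address = relativeaddress2absolute("game.exe", workwinpd)

--- Read the float stored at base_address + offset through the host's readmem().
-- The offset is added as a plain number; the original converted it with dec2hex()
-- first and relied on string-to-number coercion inside the addition.
local function read_float_at(offset)
    return readmem(dec2hex(base_address + offset), "F", "game.exe")
end

local found = nil
for offset = 0, MAX_SCAN_BYTES - FLOAT_SIZE, FLOAT_SIZE do
    local value = read_float_at(offset)
    log(value)
    -- readmem() may return a non-number for an unreadable address; only compare numbers.
    if type(value) == "number" and math.abs(value - TARGET) < TOLERANCE then
        found = base_address + offset
        break
    end
end

if found then
    log(dec2hex(found))
else
    log("value not found in scanned range")
end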

This code prints some values, but it's really slow! ~60 scans per second.
CE's scan is extremely fast: when I enter the value, it immediately shows the address.
Also I am not sure if I find the base address correctly.

How to perform a memory scan in pilot, similar to CE's scan?
Has anyone tried to complete such a task in the pilot using readmem()?
Is there any other way doing this, without readmem?
DarkMaster
Readmem is really slow because it has some sins from the old syntax. Try to use this code for reading a float. https://forum.uokit.com/index.php?s=&sh...st&p=437715
neves
Цитата(DarkMaster @ 4.12.2020, 18:30) *

Readmem is really slow because it has some sins from the old syntax. Try to use this code for reading a float. https://forum.uokit.com/index.php?s=&sh...st&p=437715

Works well and it's much faster than readmem(). ~600 addresses per second
But is this actually the fastest possible memory reading in the pilot?
Код
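-- Linear scan of game.exe's image with the faster readmemory() helper.
--
-- Fixes relative to the original loop:
--  * a float is 4 bytes, so the offset must advance by 4 (the original stepped by 2,
--    which reads misaligned, overlapping values half of the time);
--  * the float read back is compared within a tolerance instead of with exact `~=`
--    against the decimal literal 97.799652, which a 4-byte float rarely equals;
--  * the scan is bounded so a miss cannot loop forever.
local TARGET         = 97.799652
local TOLERANCE      = 1e-3              -- wider than one float ulp (~8e-6) at this magnitude
local FLOAT_SIZE     = 4                 -- float is 4 bytes
local MAX_SCAN_BYTES = 64 * 1024 * 1024  -- constructed bound; TODO: adjust to the size of game.exe

-- Keep the base as a number; the original converted it to a hex string and then did
-- arithmetic on that string, relying on implicit coercion.
local base_address = relativeaddress2absolute("game.exe", workwinpd)

local found = nil
for offset = 0, MAX_SCAN_BYTES - FLOAT_SIZE, FLOAT_SIZE do
    local value = readmemory(base_address + offset)
    if type(value) == "number" and math.abs(value - TARGET) < TOLERANCE then
        found = base_address + offset
        break
    end
end

if found then
    log(dec2hex(found))
else
    log("value not found in scanned range")
end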
cirus
Цитата
But is this actually the fastest possible memory reading in the pilot?

Не нужно каждый раз открывать и закрывать процесс, это занимает много времени. Открыть процесс, поиск в памяти, закрыть процесс.
Цитата
OpenProcess
while ReadProcessMemory
end
CloseHandle

Цитата
i = i + 2

float 4 bytes.
neves
Цитата(cirus @ 5.12.2020, 23:29) *

Не нужно каждый раз открывать и закрывать процесс, это занимает много времени. Открыть процесс, поиск в памяти, закрыть процесс.
float 4 bytes.

Спасибо.
cirus
find memory rounding float
Код
--lua
local ffi = require("ffi")

-- Win32 access rights combined for OpenProcess() in findmemory_f below.
local PROCESS_VM_READ           = 0x0010
local PROCESS_VM_WRITE          = 0x0020
local PROCESS_VM_OPERATION      = 0x0008
local PROCESS_QUERY_INFORMATION = 0x0400
-- MEMORY_BASIC_INFORMATION.State / .Type values the scan accepts.
local MEM_COMMIT  = 0x1000
local MEM_PRIVATE = 0x20000
-- Passed as the bInheritHandle argument of OpenProcess().
local TRUE = true
local C = ffi.C

-- Win32 prototypes used by the scan.
-- NOTE(review): HANDLEs and addresses are declared as int/DWORD (32-bit), so these
-- declarations only match a 32-bit (x86) process and host. BOOL is declared as C99
-- bool instead of Win32's 4-byte int; that appears to work for the return values
-- checked here, but the Win32 definition would be the safer choice.
ffi.cdef[[
    typedef unsigned short WORD;
    typedef unsigned long DWORD;
    typedef const void* LPCVOID;
    typedef bool BOOL;
    typedef struct _SYSTEM_INFO {
        union {
            DWORD dwOemId;
            struct { WORD wProcessorArchitecture; WORD wReserved; } DUMMYSTRUCTNAME;
        } DUMMYUNIONNAME;
        DWORD dwPageSize;
        DWORD lpMinimumApplicationAddress;
        DWORD lpMaximumApplicationAddress;
        DWORD dwActiveProcessorMask;
        DWORD dwNumberOfProcessors;
        DWORD dwProcessorType;
        DWORD dwAllocationGranularity;
        WORD  wProcessorLevel;
        WORD  wProcessorRevision;
    } SYSTEM_INFO, *LPSYSTEM_INFO;
    typedef struct _MEMORY_BASIC_INFORMATION {
        DWORD BaseAddress;
        DWORD AllocationBase;
        DWORD AllocationProtect;
        DWORD RegionSize;
        DWORD State;
        DWORD Protect;
        DWORD Type;
    } MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
    void GetSystemInfo(LPSYSTEM_INFO lpSystemInfo);
    DWORD VirtualQueryEx(int hProcess, DWORD lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, DWORD dwLength);
    int OpenProcess(DWORD dwDesiredAccess, BOOL bInheritint, DWORD dwProcessId);
    BOOL CloseHandle(int hObject);
    BOOL ReadProcessMemory(int hProcess, int lpBaseAddress, void *lpBuffer, int nSize, int *lpNumberOfBytesRead);
]]


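--- Scan the bound window's process for 4-byte floats whose integer part equals that of `data`.
-- Walks the user address range reported by GetSystemInfo with VirtualQueryEx, reads every
-- committed MEM_PRIVATE region with ReadProcessMemory and compares each 4-byte slot as a
-- float after math.floor().
-- @param data number  value to look for (only its integer part is compared)
-- @return table|nil   matching addresses formatted as "0x..." strings, or nil when none matched
-- @return number      number of matches; 0 when none (or the process could not be opened),
--                     -1 when no window is bound
function findmemory_f(data)
    if workwindow() == 0 then log ('Нет привязки к окну\r\nNo binding to the window') return nil, -1 end

    local result = {}
    -- Least privilege: this function only reads, so request read + query rights only
    -- (the original also asked for PROCESS_VM_WRITE | PROCESS_VM_OPERATION and never used them).
    -- bInheritHandle is false: nothing here spawns a child that would need the handle.
    local prc = C.OpenProcess(bit.bor(PROCESS_VM_READ, PROCESS_QUERY_INFORMATION), false, workwindowpid())
    if prc == 0 then
        log('Процесс не открылся\r\nThe process did not open')
        return nil, 0
    end

    local si = ffi.new('SYSTEM_INFO')
    local mbi = ffi.new('MEMORY_BASIC_INFORMATION')
    C.GetSystemInfo(si)
    local start_address = si.lpMinimumApplicationAddress
    local end_address = si.lpMaximumApplicationAddress
    local target = math.floor(data)   -- loop-invariant, hoisted out of the inner loop

    while start_address < end_address do
        -- VirtualQueryEx returns 0 on failure and leaves mbi untouched; the original ignored
        -- that, and a stale RegionSize of 0 would make this loop spin forever.
        if C.VirtualQueryEx(prc, start_address, mbi, ffi.sizeof(mbi)) == 0 then break end
        local region_size = mbi.RegionSize
        if region_size == 0 then break end   -- never advance by zero

        if mbi.Type == MEM_PRIVATE and mbi.State == MEM_COMMIT then
            local slots = math.floor(region_size / 4)
            local array = ffi.new('float[?]', slots)
            -- Regions that cannot be read fail here and are simply skipped.
            if C.ReadProcessMemory(prc, mbi.BaseAddress, array, slots * 4, nil) then
                for i = 0, slots - 1 do
                    if math.floor(array[i]) == target then
                        result[#result + 1] = string.format("0x%x", mbi.BaseAddress + i * 4)
                    end
                end
            end
        end
        start_address = start_address + region_size
    end
    C.CloseHandle(prc)

    local count = #result
    if count == 0 then return nil, 0 end
    return result, count
end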


log 'clear'
log 'mode compact'

-- Look for the float 84380 and print every address where it was found.
local addr, count = findmemory_f(84380)   -- search float
hint(count)
-- findmemory_f returns a list only when at least one slot matched.
if addr ~= nil then
    for _, a in ipairs(addr) do
        log(a)
    end
end
neves
Цитата(cirus @ 21.12.2020, 2:52) *

find memory rounding float
Код
--lua
local ffi = require("ffi")

-- Win32 access rights combined for OpenProcess() in findmemory_f below.
local PROCESS_VM_READ           = 0x0010
local PROCESS_VM_WRITE          = 0x0020
local PROCESS_VM_OPERATION      = 0x0008
local PROCESS_QUERY_INFORMATION = 0x0400
-- MEMORY_BASIC_INFORMATION.State / .Type values the scan accepts.
local MEM_COMMIT  = 0x1000
local MEM_PRIVATE = 0x20000
-- Passed as the bInheritHandle argument of OpenProcess().
local TRUE = true
local C = ffi.C

-- Win32 prototypes used by the scan.
-- NOTE(review): HANDLEs and addresses are declared as int/DWORD (32-bit), so these
-- declarations only match a 32-bit (x86) process and host. BOOL is declared as C99
-- bool instead of Win32's 4-byte int; that appears to work for the return values
-- checked here, but the Win32 definition would be the safer choice.
ffi.cdef[[
    typedef unsigned short WORD;
    typedef unsigned long DWORD;
    typedef const void* LPCVOID;
    typedef bool BOOL;
    typedef struct _SYSTEM_INFO {
        union {
            DWORD dwOemId;
            struct { WORD wProcessorArchitecture; WORD wReserved; } DUMMYSTRUCTNAME;
        } DUMMYUNIONNAME;
        DWORD dwPageSize;
        DWORD lpMinimumApplicationAddress;
        DWORD lpMaximumApplicationAddress;
        DWORD dwActiveProcessorMask;
        DWORD dwNumberOfProcessors;
        DWORD dwProcessorType;
        DWORD dwAllocationGranularity;
        WORD  wProcessorLevel;
        WORD  wProcessorRevision;
    } SYSTEM_INFO, *LPSYSTEM_INFO;
    typedef struct _MEMORY_BASIC_INFORMATION {
        DWORD BaseAddress;
        DWORD AllocationBase;
        DWORD AllocationProtect;
        DWORD RegionSize;
        DWORD State;
        DWORD Protect;
        DWORD Type;
    } MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
    void GetSystemInfo(LPSYSTEM_INFO lpSystemInfo);
    DWORD VirtualQueryEx(int hProcess, DWORD lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, DWORD dwLength);
    int OpenProcess(DWORD dwDesiredAccess, BOOL bInheritint, DWORD dwProcessId);
    BOOL CloseHandle(int hObject);
    BOOL ReadProcessMemory(int hProcess, int lpBaseAddress, void *lpBuffer, int nSize, int *lpNumberOfBytesRead);
]]
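--- Scan the bound window's process for 4-byte floats whose integer part equals that of `data`.
-- Walks the user address range reported by GetSystemInfo with VirtualQueryEx, reads every
-- committed MEM_PRIVATE region with ReadProcessMemory and compares each 4-byte slot as a
-- float after math.floor().
-- @param data number  value to look for (only its integer part is compared)
-- @return table|nil   matching addresses formatted as "0x..." strings, or nil when none matched
-- @return number      number of matches; 0 when none (or the process could not be opened),
--                     -1 when no window is bound
function findmemory_f(data)
    if workwindow() == 0 then log ('Нет привязки к окну\r\nNo binding to the window') return nil, -1 end

    local result = {}
    -- Least privilege: this function only reads, so request read + query rights only
    -- (the original also asked for PROCESS_VM_WRITE | PROCESS_VM_OPERATION and never used them).
    -- bInheritHandle is false: nothing here spawns a child that would need the handle.
    local prc = C.OpenProcess(bit.bor(PROCESS_VM_READ, PROCESS_QUERY_INFORMATION), false, workwindowpid())
    if prc == 0 then
        log('Процесс не открылся\r\nThe process did not open')
        return nil, 0
    end

    local si = ffi.new('SYSTEM_INFO')
    local mbi = ffi.new('MEMORY_BASIC_INFORMATION')
    C.GetSystemInfo(si)
    local start_address = si.lpMinimumApplicationAddress
    local end_address = si.lpMaximumApplicationAddress
    local target = math.floor(data)   -- loop-invariant, hoisted out of the inner loop

    while start_address < end_address do
        -- VirtualQueryEx returns 0 on failure and leaves mbi untouched; the original ignored
        -- that, and a stale RegionSize of 0 would make this loop spin forever.
        if C.VirtualQueryEx(prc, start_address, mbi, ffi.sizeof(mbi)) == 0 then break end
        local region_size = mbi.RegionSize
        if region_size == 0 then break end   -- never advance by zero

        if mbi.Type == MEM_PRIVATE and mbi.State == MEM_COMMIT then
            local slots = math.floor(region_size / 4)
            local array = ffi.new('float[?]', slots)
            -- Regions that cannot be read fail here and are simply skipped.
            if C.ReadProcessMemory(prc, mbi.BaseAddress, array, slots * 4, nil) then
                for i = 0, slots - 1 do
                    if math.floor(array[i]) == target then
                        result[#result + 1] = string.format("0x%x", mbi.BaseAddress + i * 4)
                    end
                end
            end
        end
        start_address = start_address + region_size
    end
    C.CloseHandle(prc)

    local count = #result
    if count == 0 then return nil, 0 end
    return result, count
end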
log 'clear'
log 'mode compact'

-- Look for the float 84380 and print every address where it was found.
local addr, count = findmemory_f(84380)   -- search float
hint(count)
-- findmemory_f returns a list only when at least one slot matched.
if addr ~= nil then
    for _, a in ipairs(addr) do
        log(a)
    end
end


That's perfect!
Thank you, cirus.