What actions should I take to get to this address: 0DE1AC74, knowing the pointer offsets 194, 5C and this: "bin.exe"+0121AC10? The goal is to use a pointer instead of searching for the address on every app restart.
-4
- What is that software tool, and what are you asking for exactly? – Thomas Jager Jun 19 '18 at 17:42
- This tool is [Cheat Engine](https://github.com/cheat-engine/cheat-engine/). – swapgs Jun 19 '18 at 21:07
2 Answers
3
In Cheat Engine script:

```
[[bin.exe+0x121AC10]+14c]+194
```

In assembly (Cheat Engine auto assembler, numbers are hex):

```asm
lea ebx, [bin.exe+0121AC10]  // ebx = address of the first pointer (module base + 0x121AC10)
mov ebx, [ebx]               // ebx = first pointer
add ebx, 14c
mov ebx, [ebx]               // ebx = second pointer, read from (first pointer + 0x14c)
add ebx, 194                 // ebx = final address (second pointer + 0x194), not dereferenced
```
In C++:
You need to get the Process Id so you can open a handle with OpenProcess and start reading memory. You need to find the module by name and get the module base address using the ToolHelp32Snapshot and grabbing the modBaseAddr member variable of the module snapshot. Then you can add and dereference each offset in the pointer using FindDMAAddy.
```cpp
#include <Windows.h>
#include <TlHelp32.h>
#include <cstdint>
#include <cstdio>
#include <vector>

// Finds the process id of the first running process whose executable name matches procName.
DWORD GetProcId(const wchar_t* procName)
{
    DWORD procId = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32W procEntry;
        procEntry.dwSize = sizeof(procEntry);
        if (Process32FirstW(hSnap, &procEntry))
        {
            do
            {
                if (!_wcsicmp(procEntry.szExeFile, procName))
                {
                    procId = procEntry.th32ProcessID;
                    break;
                }
            } while (Process32NextW(hSnap, &procEntry));
        }
        CloseHandle(hSnap); // only close a handle that was actually opened
    }
    return procId;
}

// Finds the load address of the module named modName inside process procId.
uintptr_t GetModuleBaseAddress(DWORD procId, const wchar_t* modName)
{
    uintptr_t modBaseAddr = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        MODULEENTRY32W modEntry;
        modEntry.dwSize = sizeof(modEntry);
        if (Module32FirstW(hSnap, &modEntry))
        {
            do
            {
                if (!_wcsicmp(modEntry.szModule, modName))
                {
                    modBaseAddr = (uintptr_t)modEntry.modBaseAddr;
                    break;
                }
            } while (Module32NextW(hSnap, &modEntry));
        }
        CloseHandle(hSnap);
    }
    return modBaseAddr;
}

// Walks a multi-level pointer: at each step the current address is dereferenced and the
// next offset is added, matching CE's [[base]+off1]+off2 notation. The final address is not
// dereferenced. sizeof(addr) must equal the target's pointer size (4 bytes for a 32-bit
// target), so build this reader with the same bitness as the process it reads.
uintptr_t FindDMAAddy(HANDLE hProc, uintptr_t ptr, const std::vector<unsigned int>& offsets)
{
    uintptr_t addr = ptr;
    for (unsigned int i = 0; i < offsets.size(); ++i)
    {
        if (!ReadProcessMemory(hProc, (BYTE*)addr, &addr, sizeof(addr), nullptr))
            return 0; // unreadable memory: the chain is broken, don't return a bogus address
        addr += offsets[i];
    }
    return addr;
}

int main()
{
    // Get ProcId of the target process
    DWORD procId = GetProcId(L"bin.exe");
    // Get module base address
    uintptr_t moduleBase = GetModuleBaseAddress(procId, L"bin.exe");
    if (procId == 0 || moduleBase == 0)
        return 1; // process not running or module not found
    // Get handle to the process (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION is enough for reading)
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procId);
    if (hProcess == NULL)
        return 1;
    // Resolve base address of the pointer chain
    uintptr_t dynamicPtrBaseAddr = moduleBase + 0x121AC10;
    // Resolve the pointer chain
    std::vector<unsigned int> offsets = { 0x14c, 0x194 };
    uintptr_t addr = FindDMAAddy(hProcess, dynamicPtrBaseAddr, offsets);
    // Read the value the chain points at (a 4-byte value in the 32-bit target)
    uint32_t value = 0;
    if (addr != 0 && ReadProcessMemory(hProcess, (BYTE*)addr, &value, sizeof(value), nullptr))
        std::printf("address %p holds %u\n", (void*)addr, value);
    CloseHandle(hProcess);
    return 0;
}
```

GuidedHacking
- `lea ebx,[ebx]` will practically do nothing; use `mov` when you want to ACCESS an address and `lea` when you want to LOAD an address. Also, you should explain that looong C++ code, it can be done much easier – Segy Nov 14 '18 at 17:56
- @Segy Yep, you are correct about lea/mov, updated my answer. How can the C++ code be done much easier? – GuidedHacking Nov 15 '18 at 03:55
- All CE scripts run internally, so `GetProcId` can be replaced with `GetCurrentProcessId` or direct inline assembly; `GetModuleBaseAddress` internally is just `(DWORD)GetModuleHandleA(...)`. And also you can use offsets like `mov ebx,[ebx+194]` – Segy Nov 15 '18 at 19:21
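The pointer-chain arithmetic from this answer, run offline against a constructed memory image instead of a live process, as an added example that is not part of the original answer or of Cheat Engine. It parses the CE bracket notation into offsets, resolves the chain the same way `FindDMAAddy` does (dereference, then add), and shows the failure mode the bitness caveat in the comments is about: reading 8-byte pointers from a 32-bit target yields garbage and the chain breaks. Everything here is assumed: the module base 0x00400000, the mapped regions, the pointer values and the stored value 1337 are constructed so that the question's chain `[[bin.exe+0x121AC10]+14c]+194` lands on 0x0DE1AC74; `FakeProcess`, `parseCeNotation` and `resolveChain` are names of this example, not Win32 or Cheat Engine APIs.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

// Constructed stand-in for the target's address space: a few mapped regions instead of a
// live process, so the resolver runs offline. Layout and values are made up for this example.
struct MappedRegion { uint64_t start; std::vector<uint8_t> bytes; };

struct FakeProcess {
    std::vector<MappedRegion> regions;
    // Mimics ReadProcessMemory: copies len bytes from absolute address addr; fails when the
    // range is not entirely inside one mapped region (a broken chain reads unmapped memory).
    bool read(uint64_t addr, void* out, size_t len) const {
        for (const MappedRegion& r : regions)
            if (addr >= r.start && addr + len <= r.start + r.bytes.size()) {
                std::memcpy(out, r.bytes.data() + (addr - r.start), len);
                return true;
            }
        return false;
    }
};

// Stores a little-endian integer of `width` bytes at absolute address addr inside region r.
static void poke(MappedRegion& r, uint64_t addr, uint64_t value, size_t width) {
    for (size_t i = 0; i < width; ++i)
        r.bytes[addr - r.start + i] = static_cast<uint8_t>(value >> (8 * i));
}

// Parsed form of Cheat Engine pointer notation such as "[[bin.exe+0x121AC10]+14c]+194".
struct PointerChain {
    std::string module;             // module the chain is relative to
    uint64_t startOffset = 0;       // module-relative address of the first pointer
    std::vector<uint64_t> offsets;  // added after each dereference, innermost first
};

// Peels the brackets from the outside in. Numbers are hex (CE's default), "0x" optional.
std::optional<PointerChain> parseCeNotation(std::string s) {
    std::vector<uint64_t> outerFirst;
    while (!s.empty() && s.front() == '[') {
        size_t close = s.rfind(']');
        if (close == std::string::npos || close + 1 >= s.size() || s[close + 1] != '+')
            return std::nullopt;
        outerFirst.push_back(std::strtoull(s.c_str() + close + 2, nullptr, 16));
        s = s.substr(1, close - 1);  // drop one bracket level
    }
    size_t plus = s.find('+');
    if (plus == std::string::npos) return std::nullopt;
    PointerChain chain;
    chain.module = s.substr(0, plus);
    chain.startOffset = std::strtoull(s.c_str() + plus + 1, nullptr, 16);
    chain.offsets.assign(outerFirst.rbegin(), outerFirst.rend());
    return chain;
}

// Resolves the chain exactly as the notation reads: start at moduleBase + startOffset, then for
// each offset read a pointer of ptrWidth bytes and add the offset. The final address is NOT
// dereferenced; it is where the value lives. ptrWidth must match the target (4 for 32-bit).
std::optional<uint64_t> resolveChain(const FakeProcess& p, uint64_t moduleBase,
                                     const PointerChain& chain, size_t ptrWidth) {
    uint64_t addr = moduleBase + chain.startOffset;
    for (uint64_t off : chain.offsets) {
        uint64_t next = 0;  // little-endian host assumed: a 4-byte read fills the low bytes
        if (ptrWidth > sizeof(next) || !p.read(addr, &next, ptrWidth)) return std::nullopt;
        addr = next + off;
    }
    return addr;
}

// Constructed 32-bit image: the question's chain lands on 0x0DE1AC74, which holds 1337.
FakeProcess buildSampleProcess() {
    MappedRegion mod{0x0161AC00, std::vector<uint8_t>(0x20)};  // holds bin.exe+0x121AC10
    poke(mod, 0x0161AC10, 0x0C9A0000, 4);                       // first pointer -> object A
    poke(mod, 0x0161AC14, 0xDEADBEEF, 4);                       // neighbouring, unrelated data
    MappedRegion objA{0x0C9A0000, std::vector<uint8_t>(0x200)};
    poke(objA, 0x0C9A0000 + 0x14c, 0x0DE1AAE0, 4);              // A+0x14c -> object B
    MappedRegion objB{0x0DE1AAE0, std::vector<uint8_t>(0x220)};
    poke(objB, 0x0DE1AAE0 + 0x194, 1337, 4);                    // B+0x194 holds the value
    return FakeProcess{{mod, objA, objB}};
}

// Convenience: parse, resolve and read the 32-bit value, or nullopt if anything breaks.
std::optional<uint32_t> readTargetValue(const FakeProcess& p, uint64_t moduleBase,
                                        const std::string& notation, size_t ptrWidth) {
    auto chain = parseCeNotation(notation);
    if (!chain) return std::nullopt;
    auto addr = resolveChain(p, moduleBase, *chain, ptrWidth);
    uint32_t value = 0;
    if (!addr || !p.read(*addr, &value, sizeof(value))) return std::nullopt;
    return value;
}

int main() {
    FakeProcess p = buildSampleProcess();
    const char* notation = "[[bin.exe+0x121AC10]+14c]+194";
    auto v4 = readTargetValue(p, 0x00400000, notation, 4);  // 4-byte pointers: 1337
    auto v8 = readTargetValue(p, 0x00400000, notation, 8);  // 8-byte pointers on a 32-bit image: breaks
    std::printf("4-byte pointers: %s\n", v4 ? std::to_string(*v4).c_str() : "unresolvable");
    std::printf("8-byte pointers: %s\n", v8 ? std::to_string(*v8).c_str() : "unresolvable");
    return 0;
}
```

Two things the arithmetic alone does not make obvious: the outermost offset in the notation is the last one applied, so the parser collects offsets outer-to-inner and reverses them; and a partial-width read into a wider integer only works because the host is little-endian, which is why the reader's pointer size has to be chosen to match the target rather than the tool.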
2
From that img I can see you are using CE, and if I understood your question correctly, in CE AA scripting you just need to do `lea ebx,[bin.exe+0121AC10]`
and the address will be stored in the ebx register (use rbx in a 64-bit process).

Segy