
I am trying to write to a certain address in memory (a base address I got from Cheat Engine, so it doesn't change); the problem is I can't figure out how I need to write with all the offsets.

Here are the following address and offsets i have:

// Values copied from the Cheat Engine pointer scan (see the screenshot below).
// Pointer is relative to the module base, not an absolute address in the target.
DWORD Pointer = 0x001E8AA0;
// Offsets as listed top to bottom in Cheat Engine; each one is applied after
// de-referencing the previous link of the pointer chain, not summed together.
DWORD offset1 = 0x3F0;
DWORD offset2 = 0x62C;
DWORD offset3 = 0x4;
DWORD offset4 = 0x104;
DWORD offset5 = 0x68;
// Name of the module the base address is relative to.
char moduleName[] = "Insaniquarium.exe";

picture of the pointer in cheat engine:

I've tried many things, and they all failed; I know this because in the game the value doesn't change and in Cheat Engine the pointer of the value doesn't change either. Here is my final try:

// This adds the numeric offsets to the address of the local char array moduleName,
// which yields an address unrelated to the target process, and it never
// de-references the intermediate pointers of the chain (see the answer below).
WriteProcessMemory(handle, (LPVOID)(moduleName + Pointer + offset1 + offset2 + offset3 + offset4 + offset5), &val, sizeof(val), nullptr);

As I described earlier, the value hasn't changed.

If you think u need more information, let me know, thank you.

    You write to the sum of the offsets, not to each offset. You need to call WriteProcessMemory with each offset. – yar Jan 04 '19 at 16:42
  • What do i do with the Pointer? write to it as well?, and i write the same value in all write? – yarin Cohen Jan 04 '19 at 16:44
  • I don't know what the cheat engine is, but I guess what you want is to write to pointer+offset (and for sure not to "moduleName"). I have no idea what you want to write there =) – yar Jan 04 '19 at 16:51
  • Thanks but it didn't change the value unfortunately , and why do you need to write to every pointer+offset in separate? – yarin Cohen Jan 04 '19 at 16:57
  • Because this is how `WriteProcessMemory` works… Read the documentation: https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674(v=vs.85).aspx – Phil1970 Jan 04 '19 at 17:08
  • even when i am adding the values(pointer+offset1), (pointer+offset2) and so on it doesn't change.. – yarin Cohen Jan 04 '19 at 17:36
  • As @yar mentioned, why do you include `moduleName` as part of your address to WPM? – Phil M Jan 04 '19 at 18:44
  • @PhilM this was something i saw some people using when writing so i wasn't sure if its necessary – yarin Cohen Jan 04 '19 at 18:46



Your offsets are added in the wrong order. You need to apply them from bottom to top of that screenshot.

You need to de-reference each pointer in the chain; you're not doing that.

Here is how to correctly do it:

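// Returns the process id of the first running process whose executable name
// matches procName (case-insensitive), or 0 if no such process is found or the
// snapshot could not be taken.
DWORD GetProcId(const wchar_t* procName)
{
    DWORD procId = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        // Zero-initialise so no field other than dwSize holds garbage.
        PROCESSENTRY32 procEntry{};
        procEntry.dwSize = sizeof(procEntry);

        if (Process32First(hSnap, &procEntry))
        {
            do
            {
                if (!_wcsicmp(procEntry.szExeFile, procName))
                {
                    procId = procEntry.th32ProcessID;
                    break;
                }
            } while (Process32Next(hSnap, &procEntry));
        }
        // Only release a handle we actually obtained; the original closed
        // INVALID_HANDLE_VALUE on the failure path.
        CloseHandle(hSnap);
    }
    return procId;
}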

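// Returns the load address of the module named modName (case-insensitive) inside
// process procId, or 0 if the module is not found or the snapshot fails.
// Both 32- and 64-bit module lists are requested so the lookup works regardless
// of the target's bitness.
uintptr_t GetModuleBaseAddress(DWORD procId, const wchar_t* modName)
{
    uintptr_t modBaseAddr = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        // Zero-initialise so no field other than dwSize holds garbage.
        MODULEENTRY32 modEntry{};
        modEntry.dwSize = sizeof(modEntry);
        if (Module32First(hSnap, &modEntry))
        {
            do
            {
                if (!_wcsicmp(modEntry.szModule, modName))
                {
                    modBaseAddr = reinterpret_cast<uintptr_t>(modEntry.modBaseAddr);
                    break;
                }
            } while (Module32Next(hSnap, &modEntry));
        }
        // Only release a handle we actually obtained; the original closed
        // INVALID_HANDLE_VALUE on the failure path.
        CloseHandle(hSnap);
    }
    return modBaseAddr;
}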

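// Walks a multi-level pointer chain in process hProc.
// Starting at ptr, each step reads the pointer stored at the current address and
// adds the next offset to it; the final address (after the last offset) is returned.
// Returns 0 if any read fails, instead of silently continuing with a stale value
// as the original did.
// NOTE(review): sizeof(addr) is the pointer size of *this* program; if the target
// process has a different bitness the read width will not match its pointers.
uintptr_t FindDMAAddy(HANDLE hProc, uintptr_t ptr, const std::vector<unsigned int>& offsets)
{
    uintptr_t addr = ptr;
    for (unsigned int offset : offsets)
    {
        if (!ReadProcessMemory(hProc, reinterpret_cast<const void*>(addr), &addr, sizeof(addr), nullptr))
        {
            return 0;
        }
        addr += offset;
    }
    return addr;
}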
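// Resolves the address behind the Cheat Engine pointer chain from the question.
// Exits with 1 if the process, its module or a process handle cannot be obtained.
int main()
{
    //Get ProcId of the target process; 0 means it is not running
    DWORD procId = GetProcId(L"Insaniquarium.exe");
    if (procId == 0)
    {
        return 1;
    }

    //Get module base address; 0 means the module was not found
    uintptr_t moduleBase = GetModuleBaseAddress(procId, L"Insaniquarium.exe");
    if (moduleBase == 0)
    {
        return 1;
    }

    //Get Handle to Process.
    //PROCESS_ALL_ACCESS is broader than this code needs; least privilege would be
    //PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION. Kept as in the answer.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, procId);
    if (hProcess == NULL)
    {
        return 1;
    }

    //Resolve base address of the pointer chain (Pointer from the question is module-relative)
    uintptr_t dynamicPtrBaseAddr = moduleBase + 0x001E8AA0;

    //Offsets applied bottom-to-top of the Cheat Engine view, i.e. in reverse of the question's list
    std::vector<unsigned int> offsets = {0x68, 0x104, 0x4, 0x62C, 0x3F0};

    //Resolve the pointer chain; the answer stops here and does not perform the write
    [[maybe_unused]] uintptr_t addr = FindDMAAddy(hProcess, dynamicPtrBaseAddr, offsets);

    //Release the process handle; the original leaked it
    CloseHandle(hProcess);

    return 0;
}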