0

OK this is a weird on. I need to get the base address of a process in vb.net (not my application). To delve into the memory of the other process (to explore the values I needed before coding it into vb.net) I used cheat engine. Cheat engine gives me an address like so: 

Client.exe + 00BBD310

The issue here is that the Client.exe address changes whenever I re-run the program. I have a declaration of the process in my code already so I've tried this:

bAddress = handle_s.MainModule.BaseAddress

Where handle_s is the process in question. The issue here is that the value I get in bAddress isn't the value that is represented by cheat engines "Client.exe" - I can work backward to work out what cheat engine is referring to as it tells me what the result of the above sum is, however as the value changes each time, I need a method by which to simple get the value in vb.net.

Any advice/suggestions welcome.

FraserOfSmeg
  • 1,128
  • 2
  • 23
  • 41
  • Isn't that `00BBD310` an offset? Meaning Module.Address + `BBD310`. – Jimi Feb 25 '19 at 20:12
  • @Jimi indeed it is just an offset. In cheat engine I am able to see what the base address + the offset is equal to. From this I can rearrange the equation to get the base address in cheat engine. This value isn't equal to module.Baseaddress which is my issue – user6916458 Feb 25 '19 at 20:26
  • I should add that I'm Fraserofsmeg. My mobile account and desktop account won't sync! – user6916458 Feb 25 '19 at 20:28
  • Difficult to say something without knowing what is `Client.exe`. Are you sure this executable has just one process? Also, can you say that the address shown (by the cheat engine) is actually the main module Entry Point and not possibly, another address reference? The header offset, maybe. Unless you didn't calculate the offset correctly in the first place: alignment can be tricky. You could search for the value(s) you have with the addresses you can get from `Process.GetProcessByName()` and see if you can understand what address the cheat engine is pointing to. Boring procedure, I know. – Jimi Feb 25 '19 at 21:58
  • maybe it is ASLR – zerocool Mar 16 '19 at 10:51

1 Answers1

0

MainModule.BaseAddress gives you the address where the module was loaded (source)

Therefore it's the absolute dynamic virtual address of the module. If 0x0BBD310 is a relative offset, then adding 0x0BBD310 to MainModule.BaseAddress will give you the address of your variable at run time.

If it's not matching up with what you're seeing in Cheat Engine then you're either attached to the wrong process or you're confused.

GuidedHacking
  • 3,628
  • 1
  • 9
  • 59