Assembly Pointer and base address

This article explains how pointers and base addresses are handled in assembly; it may be a useful reference for readers working through the same problem.

Problem description

As I am an assembly language beginner and am doing this for study purposes, I am trying to scan memory addresses and pointers in a game. I am kind of confused about pointers and addresses.

I found the pointer by following a tutorial on YouTube, but I want some deeper understanding of these pointers and offsets.


I don't understand how those offsets and addresses add up together and give a final address that stores a value of 1000.

What I understand is that 00F8EBE0 is the base address, and "22,20,10,C,20" are five offsets.

00F8EBE0 -> 11DA0924 = 1000. How does this happen? How could I read the 00F8EBE0 value with C++? Do I need those offsets to help me get the final value?

Recommended answer

In the process's virtual memory space, the image file ("something.exe") is loaded. If you add 0x00F8EBE0 to that address and read that location, you'll get 0x127B5450. Read the arrows as "points to" and the values in square brackets as "address plus offset". You can programmatically get the image base using the ToolHelp32 API.

What you have here is a chain of pointers to object structs, with each offset giving you where the next pointer is in the struct/object.

To use this information from another program you can use ReadProcessMemory. Starting from the first offset (the image base), call ReadProcessMemory and then add the relevant offset to it, then repeat. The general process is as follows:

//assuming you've calculated the image base of the target
//and acquired a handle to the process:
//  HANDLE hnd;       // from OpenProcess
//  BYTE  *ImageBase; // from the ToolHelp32 module list
//(BYTE* rather than LPVOID, because adding an offset to a void* is not legal C++)

BYTE *base = ImageBase + 0x00F8EBE0; //note: EntryPoint needs obtaining properly
BYTE *value = NULL;                  //receives each pointer read from the target
//each call returns FALSE if the address is not mapped; check that in real code
ReadProcessMemory(hnd, base, &value, sizeof value, NULL);
base = value + 0x20;
ReadProcessMemory(hnd, base, &value, sizeof value, NULL);
base = value + 0xc;
ReadProcessMemory(hnd, base, &value, sizeof value, NULL);
base = value + 0x10;
ReadProcessMemory(hnd, base, &value, sizeof value, NULL);
base = value + 0x20;
ReadProcessMemory(hnd, base, &value, sizeof value, NULL);
base = value + 0x44;
DWORD number = 0;                    //the last read is the 4-byte value, not a pointer
ReadProcessMemory(hnd, base, &number, sizeof number, NULL);
//number will now contain the number 1000.

Note that there aren't any guarantees the process's address space will look the same each time it runs; if it allocates any memory differently, the first offset to the entry point (0x00F8EBE0) won't be the same.
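To make the "address plus offset, then read a pointer" step concrete without touching any real process, here is an added example (not the answerer's code) that rebuilds the chain in a local byte buffer. The buffer stands in for the target's memory, read_mem plays the role of ReadProcessMemory, and the chain offsets follow the answer's code (0x20, 0xC, 0x10, 0x20, 0x44); the image base 0x100 and the object addresses 0x200..0x300 are constructed for the example. It also shows the failure mode the answer warns about: if one object is not allocated yet, an intermediate pointer is null and the chain cannot be resolved.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the target process's memory: a flat buffer in
 * which an "address" is simply an offset into the buffer. Nothing here is
 * read from a real process. */
#define MEM_SIZE 0x400
static unsigned char g_mem[MEM_SIZE];

/* read_mem has the shape of ReadProcessMemory: copy len bytes at addr into
 * out, failing if the range is not inside the mapped region. */
static bool read_mem(uintptr_t addr, void *out, size_t len)
{
    if (addr > MEM_SIZE || len > MEM_SIZE - addr)
        return false;
    memcpy(out, g_mem + addr, len);
    return true;
}

/* Store a pointer-sized value at addr (used only to construct the sample). */
static void write_ptr(uintptr_t addr, uintptr_t p)
{
    memcpy(g_mem + addr, &p, sizeof p);
}

/* Resolve a pointer chain the way the answer describes:
 *   addr = image_base + offsets[0]        (the static offset into the image)
 *   for each further offset except the last:
 *       ptr  = pointer read at addr       (one ReadProcessMemory)
 *       addr = ptr + offsets[i]
 *   value = 4-byte value read at addr     (the final read)
 * Returns false on a null pointer or an unmapped read, which is what you
 * see when the game has not allocated the object yet. */
static bool resolve_chain(uintptr_t image_base, const uintptr_t *offsets,
                          size_t n, uint32_t *value_out,
                          uintptr_t *final_addr_out)
{
    if (n < 2)
        return false;
    uintptr_t addr = image_base + offsets[0];
    for (size_t i = 1; i < n; i++) {
        uintptr_t ptr = 0;
        if (!read_mem(addr, &ptr, sizeof ptr) || ptr == 0)
            return false;
        addr = ptr + offsets[i];
    }
    if (final_addr_out)
        *final_addr_out = addr;
    return read_mem(addr, value_out, sizeof *value_out);
}

/* Constructed layout: a static pointer in the image, four linked objects,
 * and the value 1000 at the end. Offsets follow the answer's code; the
 * image base and object addresses are invented for this example. */
#define IMAGE_BASE 0x100u
static const uintptr_t CHAIN[] = { 0x20, 0x20, 0x0C, 0x10, 0x20, 0x44 };
#define CHAIN_LEN (sizeof CHAIN / sizeof CHAIN[0])

static void build_sample_process(void)
{
    memset(g_mem, 0, sizeof g_mem);
    write_ptr(IMAGE_BASE + 0x20, 0x200); /* [image + 0x20] -> object A  */
    write_ptr(0x200 + 0x20, 0x240);      /* [A + 0x20]     -> object B  */
    write_ptr(0x240 + 0x0C, 0x280);      /* [B + 0x0C]     -> object C  */
    write_ptr(0x280 + 0x10, 0x2C0);      /* [C + 0x10]     -> object D  */
    write_ptr(0x2C0 + 0x20, 0x300);      /* [D + 0x20]     -> object E  */
    uint32_t v = 1000;
    memcpy(g_mem + 0x300 + 0x44, &v, sizeof v); /* [E + 0x44] = 1000  */
}

/* Value at the end of the chain, or 0 if the chain cannot be resolved.
 * final_addr (may be NULL) receives the address the value was read from. */
static uint32_t resolve_sample(uintptr_t *final_addr)
{
    uint32_t value = 0;
    if (!resolve_chain(IMAGE_BASE, CHAIN, CHAIN_LEN, &value, final_addr))
        return 0;
    return value;
}

/* Final address of the sample chain, or 0 if it cannot be resolved. */
static uintptr_t sample_final_address(void)
{
    uintptr_t fa = 0;
    return resolve_sample(&fa) ? fa : 0;
}

int main(void)
{
    build_sample_process();
    printf("final address 0x%lx holds %u\n",
           (unsigned long)sample_final_address(), (unsigned)resolve_sample(NULL));

    /* Object D not allocated yet: the pointer at [C + 0x10] is null. */
    write_ptr(0x280 + 0x10, 0);
    printf("after unlinking: %s\n",
           resolve_sample(NULL) ? "resolved" : "chain broken");
    return 0;
}
```

The loop body is the whole trick: every offset except the last is added to an address that was just read out of memory, so the final address (0x344 here) only exists once all the intermediate objects do. Replacing read_mem with ReadProcessMemory on a live handle gives the answer's code, with the error check the answer's snippet leaves out.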

That concludes this article on assembly pointers and base addresses. We hope the recommended answer is helpful, and thank you for supporting IT屋!
