Using Base Pointers with Offset to Read Process Memory


Problem description

I have searched all over the web for hours, and cannot for the life of me understand why the below code is not working.

The base address that is pulled for the process seems to be wrong. If I hard-code the end address directly into the ReadMemory, I get the desired value out (so I know I have the correct process and all).

I have not posted the MemoryHandler class, as that is working as it should.

Might it have something to do with the fact that I am on 64-bit Windows? The game is 32-bit (installed in the "Program Files (x86)" folder).

using System;
using System.Diagnostics;
using System.Linq;
using System.Windows.Forms;

public partial class MainForm : Form
{
    // First process named "ffxiv" (null if the game is not running)
    Process myProcess = Process.GetProcessesByName("ffxiv").FirstOrDefault();

    public MainForm()
    {
        InitializeComponent();
    }

    private void startButton_Click(object sender, EventArgs e)
    {
        IntPtr baseAddress = myProcess.MainModule.BaseAddress;
        Console.WriteLine("Base Address: " + baseAddress.ToString("X"));

        // Both offsets are added to the base address without reading memory
        // in between; this is the mistake explained in the answer
        IntPtr newAddr = IntPtr.Add(baseAddress, 0xF8BEFC);
        IntPtr finalAddr = IntPtr.Add(newAddr, 0x1690);

        int bytesRead;
        byte[] memoryOutput = MemoryHandler.ReadMemory(myProcess, finalAddr, 4, out bytesRead);

        int value = BitConverter.ToInt32(memoryOutput, 0);
        Console.WriteLine("Read Value: " + value);
    }
}

Base Address was right, my code logic around pointers was wrong, see full answer below.

Recommended answer

So, David's comment that base addresses can't be odd numbers made me think that perhaps the number I had from Cheat Engine in fact was not the base address. That turned out to be correct. My code was in fact pulling the right base address. The number I posted earlier (9460301) was in fact what was stored at the base address location in memory (not the address itself).

Anyways, the code above takes the base address and adds the first offset, and then adds the next offset, and then reads the memory at that address. That is wrong; that is not how multi-level pointers work. For each level you have to read the memory and see what is stored at the address. The value you find will be your next address, to which you apply your next offset, and so on.

The correct code is:

using System;
using System.Diagnostics;
using System.Linq;
using System.Windows.Forms;

public partial class MainForm : Form
{
    // First process named "ffxiv" (null if the game is not running)
    Process myProcess = Process.GetProcessesByName("ffxiv").FirstOrDefault();

    public MainForm()
    {
        InitializeComponent();
    }

    private void startButton_Click(object sender, EventArgs e)
    {
        int bytesRead;

        IntPtr baseAddress = myProcess.MainModule.BaseAddress;
        Console.WriteLine("Base Address: " + baseAddress.ToString("X"));

        // Level 1: read the 4-byte pointer stored at base + first offset
        // (ToInt32 because the target game is a 32-bit process)
        IntPtr firstAddress = IntPtr.Add(baseAddress, 0xF8BEFC);
        IntPtr firstAddressValue = (IntPtr)BitConverter.ToInt32(MemoryHandler.ReadMemory(myProcess, firstAddress, 4, out bytesRead), 0);

        // Level 2: the last offset is applied to the pointer just read, not to the base
        IntPtr finalAddr = IntPtr.Add(firstAddressValue, 0x1690);
        Console.WriteLine("Final Address: " + finalAddr.ToString("X"));

        byte[] memoryOutput = MemoryHandler.ReadMemory(myProcess, finalAddr, 4, out bytesRead);

        int value = BitConverter.ToInt32(memoryOutput, 0);
        Console.WriteLine("Read Value: " + value);
    }
}

I am wondering though, how to make this non-specific to 32-bit Windows? I don't really like the Int32() function and the subsequent IntPtr casting, so I would like to find out if there is any way to go directly from the byte[] to IntPtr. I tried Marshal.Copy etc., but couldn't get it to work.

Thanks again!
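The answer's one-level walk, generalised into a reusable pointer-chain resolver. This is an added example, not code from the original question or answer, and it does not use the poster's MemoryHandler: memory access goes through a delegate so the block runs offline against a constructed fake memory image (the addresses, the stored pointer 0x01C20000 and the value 12345 are all made up for the demo; a real reader would wrap ReadProcessMemory behind the same delegate). It also addresses the follow-up question: the width used to turn the read bytes into an address must be the target process's pointer size, not the reader's IntPtr.Size, because a 64-bit tool reading a 32-bit (WOW64) game still has to treat stored pointers as 4 bytes.

```csharp
using System;
using System.Collections.Generic;

// Reads `count` bytes at `address` from the target; returns null on a failed/unmapped read.
public delegate byte[] MemoryReader(ulong address, int count);

public static class PointerChain
{
    // Walks: p = *(base + offsets[0]); p = *(p + offsets[1]); ... The LAST offset is
    // applied but not dereferenced, so the return value is the final address; the
    // caller decides how to read it (4-byte int, float, ...).
    public static ulong Resolve(MemoryReader read, ulong baseAddress, int pointerSize, params long[] offsets)
    {
        if (pointerSize != 4 && pointerSize != 8)
            throw new ArgumentException("pointerSize must be 4 or 8 (the TARGET's pointer width)", nameof(pointerSize));
        if (offsets.Length == 0)
            return baseAddress;

        ulong current = baseAddress;
        for (int i = 0; i < offsets.Length; i++)
        {
            current = unchecked(current + (ulong)offsets[i]);   // negative offsets wrap as intended
            if (i == offsets.Length - 1)
                break;                                          // final level: do not dereference

            byte[] buf = read(current, pointerSize);
            if (buf == null || buf.Length != pointerSize)
                throw new InvalidOperationException($"short read at 0x{current:X} (level {i})");

            // Decode the stored pointer with the target's width, not IntPtr.Size of this process.
            current = pointerSize == 4
                ? BitConverter.ToUInt32(buf, 0)
                : BitConverter.ToUInt64(buf, 0);

            if (current == 0)
                throw new InvalidOperationException($"null pointer at level {i}; chain is not valid right now");
        }
        return current;
    }
}

public static class Demo
{
    // Constructed fake memory image: address -> byte, little-endian like x86.
    static readonly Dictionary<ulong, byte> Mem = new Dictionary<ulong, byte>();

    static void Write32(ulong addr, uint v)
    {
        byte[] b = BitConverter.GetBytes(v);
        for (int i = 0; i < 4; i++) Mem[addr + (ulong)i] = b[i];
    }

    // MemoryReader over the fake image; returns null if any byte is unmapped.
    static byte[] Read(ulong addr, int count)
    {
        byte[] b = new byte[count];
        for (int i = 0; i < count; i++)
            if (!Mem.TryGetValue(addr + (ulong)i, out b[i])) return null;
        return b;
    }

    public static void Main()
    {
        const ulong baseAddr = 0x00400000;          // hypothetical 32-bit module base

        // Layout modelled on the answer: *(base + 0xF8BEFC) holds a pointer, and the
        // wanted value lives at that pointer + 0x1690. Both stored values are constructed.
        Write32(baseAddr + 0xF8BEFC, 0x01C20000);
        Write32(0x01C20000 + 0x1690, 12345);

        ulong final = PointerChain.Resolve(Read, baseAddr, pointerSize: 4, 0xF8BEFC, 0x1690);
        int value = BitConverter.ToInt32(Read(final, 4), 0);
        Console.WriteLine($"Final Address: {final:X}  Read Value: {value}");
    }
}
```

With the constructed image the resolver returns 0x01C21690 and the read yields 12345. Two checks matter in practice and are absent from the answer's code: the byte count actually returned (a short read means the page is unmapped or protected, not that the value is zero), and a zero pointer at an intermediate level (the object has not been allocated yet), both of which otherwise produce a silently wrong final address.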
