C# read memory from pointer + CE

Hello guys, I have question regarding reading
from pointer in C#. I scanned for pointers in Lineage2 game(l2.bin)and I
got about 2 bilions of pointers. Some of them look like "L2.bin +
0x302444 Offset 0: 0x32 Offset 1: 0x48 Offset 2: 0x4A Offset 3: 0x5F".
And now comes the question: How do I use that pointer? I have read FAQ:
How to use a pointer; does it mean that I have to read memory at
0x302444 then add to the value Offset 0 then add to that value Offset 1
etc till offset 3 ? Do I have to add offset to memory address or to the
value that is read from memory address ? Could anyone help me through
skype ? If yes, contact with me: immonsi . Thanks.

Code:

public int ReadMemory() { ProcessMemoryReader pReader = new ProcessMemoryReader(); System.Diagnostics.Process[] myProcesses = System.Diagnostics.Process.GetProcessesByName("l2.bin"); if (myProcesses.Length == 0) { MessageBox.Show("No L2 process found!"); return 0; } pReader.ReadProcess = myProcesses[0]; pReader.OpenProcess(); int byteswritten; int bytesread; int value; int value1; int value2; int value3; int value4; int pointerbase; byte[] memory; memory = pReader.ReadProcessMemory((IntPtr)0x0008EAD0, 4, out bytesread); pointerbase = BitConverter.ToInt32(memory, 0); pointerbase += 0x5BC; memory = pReader.ReadProcessMemory((IntPtr)pointerbase, 4, out bytesread); value = BitConverter.ToInt32(memory, 0); value += 0x160; memory = pReader.ReadProcessMemory((IntPtr)value, 4, out bytesread); value1 = BitConverter.ToInt32(memory, 0); value1 += 0x140; memory = pReader.ReadProcessMemory((IntPtr)value1, 4, out bytesread); value2 = BitConverter.ToInt32(memory, 0); value2 += 0x30; memory = pReader.ReadProcessMemory((IntPtr)value2, 4, out bytesread); value3 = BitConverter.ToInt32(memory, 0); value3 += 0x240; memory = pReader.ReadProcessMemory((IntPtr)value3, 4, out bytesread); value4 = BitConverter.ToInt32(memory, 0); int bytesReaded; int CurrentCP; byte[] pamiec; int CPaddress = 0x24D21440; //should be that address but value4 == 0 pamiec = pReader.ReadProcessMemory((IntPtr)value4, 4, out bytesReaded); CurrentCP = pamiec[0] + (pamiec[1] << ; pReader.CloseHandle(); return CurrentCP; }

Value4 should be same as "CPaddress" but it is 0..


***********************************************************************

Immons wrote:

I have to read memory at 0x302444.

No...



All you have to do is read the result of the sum of the value of the module address (L2.bin) + 0x302444.



At this point you're wondering how to get that address, it is simple,
use the class "Process" to do so, declare a variable of type "Process[]"
and add to this the value of the name of your process, then you can get
hence the address we need to add.



Here's an example:

Code:

using System.Diagnostics; internal static IntPtr GetBaseAddress(string ProcessName) { try { Process[] L2Process = Process.GetProcessesByName(ProcessName); return L2Process[0].MainModule.BaseAddress; } catch { return IntPtr.Zero; } }

After that result, add the offset 1, and reads its value again, and repeat until finish.



Hope this helps.






****************************************************************************

So I tested what you wrote and here comes what I got:



-Using CE I tested pointers:



img577[dot]imageshack[dot]us/img577/4175/pointertest[dot]jpg



It worked fine, pointed to good address. But now I post my tests in C# code:

Code:

internal static IntPtr GetBaseAddress(string ProcessName) { try { Process[] L2Process = Process.GetProcessesByName(ProcessName); return L2Process[0].MainModule.BaseAddress; } catch { return IntPtr.Zero; } } public int ReadMemory() { ProcessMemoryReader pReader = new ProcessMemoryReader(); System.Diagnostics.Process[] myProcesses = System.Diagnostics.Process.GetProcessesByName("l2.bin"); if (myProcesses.Length == 0) { MessageBox.Show("No L2 process found!"); return 0; } pReader.ReadProcess = myProcesses[0]; pReader.OpenProcess(); int byteswritten; int bytesread; int value; int value1; int value2; int value3; int value4; IntPtr baseadress = GetBaseAddress("l2.bin"); int test = baseadress.ToInt32(); int test2 = test + 0x001926D0; int pointerbase; byte[] memory; memory = pReader.ReadProcessMemory((IntPtr)test2, 4, out bytesread); MessageBox.Show(Convert.ToString(memory[0])); pointerbase = BitConverter.ToInt32(memory, 0); pointerbase += 0x7AC; memory = pReader.ReadProcessMemory((IntPtr)pointerbase, 4, out bytesread); value = BitConverter.ToInt32(memory, 0); value += 0x300; memory = pReader.ReadProcessMemory((IntPtr)value, 4, out bytesread); value1 = BitConverter.ToInt32(memory, 0); value1 += 0x460; memory = pReader.ReadProcessMemory((IntPtr)value1, 4, out bytesread); value2 = BitConverter.ToInt32(memory, 0); value2 += 0x12C; memory = pReader.ReadProcessMemory((IntPtr)value2, 4, out bytesread); value3 = BitConverter.ToInt32(memory, 0); value3 += 0x1E0; memory = pReader.ReadProcessMemory((IntPtr)value3, 4, out bytesread); value4 = BitConverter.ToInt32(memory, 0); int bytesReaded; int CurrentCP; byte[] pamiec; int CPaddress = 0x1FECAD40; //should be that address but value4 == 0 pamiec = pReader.ReadProcessMemory((IntPtr)value4, 4, out bytesReaded); CurrentCP = pamiec[0] + (pamiec[1] << ; pReader.CloseHandle(); return CurrentCP; }

Following that:



-Baseaddress returned: 0x10900000

-variable test = 277872640

-variable test2 = 279520976



but:

Code:

memory = pReader.ReadProcessMemory((IntPtr)test2, 4, out bytesread); MessageBox.Show(Convert.ToString(memory[0]));

memory[0] = 0 ! while it should have return DEC - 874810112 | HEX - 34248B00



Looking for help, please.



Btw there was a guy named Pingo, I had to contact you by MSN but you are offline whole time.



@edit



Got it to work ! The fair code should be:

Code:

public int ReadMemory() { ProcessMemoryReader pReader = new ProcessMemoryReader(); System.Diagnostics.Process[] myProcesses = System.Diagnostics.Process.GetProcessesByName("l2.bin"); if (myProcesses.Length == 0) { MessageBox.Show("No L2 process found!"); return 0; } pReader.ReadProcess = myProcesses[0]; pReader.OpenProcess(); int byteswritten; int bytesread; int value; int value1; int value2; int value3; IntPtr baseadress = GetBaseAddress("l2.bin"); int test = baseadress.ToInt32(); int test2 = test + 0x001926D0; int test3 = test2 + 0x7AC; int pointerbase; byte[] memory; memory = pReader.ReadProcessMemory((IntPtr)test2, 4, out bytesread); pointerbase = BitConverter.ToInt32(memory, 0); pointerbase += 0x7AC; memory = pReader.ReadProcessMemory((IntPtr)pointerbase, 4, out bytesread); value = BitConverter.ToInt32(memory, 0); value += 0x300; memory = pReader.ReadProcessMemory((IntPtr)value, 4, out bytesread); value1 = BitConverter.ToInt32(memory, 0); value1 += 0x460; memory = pReader.ReadProcessMemory((IntPtr)value1, 4, out bytesread); value2 = BitConverter.ToInt32(memory, 0); value2 += 0x12C; memory = pReader.ReadProcessMemory((IntPtr)value2, 4, out bytesread); value3 = BitConverter.ToInt32(memory, 0); value3 += 0x1E0; int bytesReaded; int CurrentCP; byte[] pamiec; int CPaddress = 0x1FECAD40; pamiec = pReader.ReadProcessMemory((IntPtr)value3, 4, out bytesReaded); CurrentCP = pamiec[0] + (pamiec[1] << ; pReader.CloseHandle(); return CurrentCP; }

**************************************************************************

Immons wrote:

Another question comes. I see that many pointers change after application restart, but some stay the same. Those which stay are in process "Engine.dll" but when I try to get baseaddress of engine.dll it returns 0. Can I use "Engine.dll" to read memory of application ?

Hmmm, i hope you code are solved, the way for get the baseaddress of "Engine.dll" module is the next:

Code:

internal static IntPtr GetModuleBaseAddress(string AppName, string ModuleName) { IntPtr BaseAddress = IntPtr.Zero; Process[] myProcess = null; ProcessModule myProcessModule = null; myProcess = Process.GetProcessesByName(AppName); if (myProcess.Length > 0) { ProcessModuleCollection myProcessModuleCollection; try { myProcessModuleCollection = myProcess[0].Modules; } catch { return IntPtr.Zero; /*Maybe would be ok show the exception after/instead return*/ } for (int i = 0; i < myProcessModuleCollection.Count; i++) { myProcessModule = myProcessModuleCollection[i]; if (myProcessModule.ModuleName.Contains(ModuleName)) { BaseAddress = myProcessModule.BaseAddress; break; } } } return BaseAddress; }

I don't know how hell the code works for you when you're looking for a process with this parameter:

Code:

IntPtr baseadress = GetBaseAddress("l2.bin");

Might be wrong, because the "Process class" just needs the process name WITHOUT extension.



Anyway, I hope I've helped.



PS: For get a specific module base address you just need yo set the next parameters:

Code:

IntPtr baseadress = GetModuleBaseAddress("L2", "Engine.dll");

Where "Engine.dll" is the specific module to find, and "L2" the process name.



Gruß.







**********************************************************

darkjohn20 wrote:

Here is my Memory Library with full source code included. I will be updating it soon but it should have everything you need at the moment. The points of interest would be CalculatePointer() and the ReadType() functions. Hope it helps!

Hey mate, I am trying to use your ReadInt from pointer and I got "Object reference not set to an instance of an object" error:

Code:

public int BaseAddress(string sModuleName) { return FindModule(sModuleName).BaseAddress.ToInt32(); }

in "return" code. Do I need to declare it myself ? I have such method for reading:

Code:

public void ReadMemory() { Memory editor = new Memory(); editor.OpenProcess("L2.bin"); editor.GetModules(); int baseaddress = editor.BaseAddress("l2.bin"); int basemoduleaddress = editor.BaseAddress("Engine.dll"); int moduleaddress = basemoduleaddress + 0x01834A6C; int[] wartosci = { 0x5C8, 0x494, 0x3EC, 0x8, 0x160, 0x3C, 0x4C, 0x240 }; IloscCP = editor.ReadInt(moduleaddress, wartosci); MaxIloscCP = editor.ReadIntMinus8(moduleaddress, wartosci); try { progressBar1.Value = Convert.ToInt32((IloscCP / MaxIloscCP) * 100); label1.Text = Convert.ToString(IloscCP); label3.Text = Convert.ToString(MaxIloscCP); } catch { } }

********************************************