I'm developing a trainer for a flash game which will support 32-bit and 64-bit systems.
I am trying to return the memory address of a pointer so that I can use the memory address to change the value. I am able to do this perfectly fine in the 32-bit version. But, in the 64-bit version it returns an incorrect memory address.
The trainer currently only supports Google Chrome. If you're using the 32-bit trainer, Chrome needs to be 32-bit. If you're using the 64-bit trainer, Chrome needs to be 64-bit.
This is the 32-bit pointer's information from Cheat Engine:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>0</ID>
      <Description>"pointerscan result"</Description>
      <LastState Value="10000" RealAddress="071DCAA8"/>
      <VariableType>4 Bytes</VariableType>
      <Address>"pepflashplayer.dll"+01035A80</Address>
      <Offsets>
        <Offset>28</Offset>
        <Offset>28</Offset>
        <Offset>464</Offset>
        <Offset>B8</Offset>
        <Offset>80</Offset>
      </Offsets>
    </CheatEntry>
  </CheatEntries>
</CheatTable>
The code below will successfully retrieve the memory address of the 32-bit pointer:
using System;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
namespace Trainer
{
    internal class Program
    {
        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool ReadProcessMemory(IntPtr process, IntPtr baseAddress, [Out] byte[] buffer, int size,
            out IntPtr bytesRead);
        public static int ReadInt32(IntPtr process, IntPtr baseAddress)
        {
            var buffer = new byte[4];
            IntPtr bytesRead;
            ReadProcessMemory(process, baseAddress, buffer, 4, out bytesRead);
            return BitConverter.ToInt32(buffer, 0);
        }
        private static ProcessModule GetProcessModule(Process process, string moduleName)
        {
            foreach (ProcessModule module in process.Modules)
            {
                if (module.ModuleName == moduleName)
                {
                    return module;
                }
            }
            return null;
        }
        public static int GetRealAddress(IntPtr process, IntPtr baseAddress, int[] offsets)
        {
            var address = baseAddress.ToInt32();
            foreach (var offset in offsets)
            {
                address = ReadInt32(process, (IntPtr)address) + offset;
            }
            return address;
        }
        private static void Main()
        {
            Console.WriteLine(Environment.Is64BitProcess);
            // Get the first Chrome process that contains a module named "pepflashplayer.dll".
            var chromeProcess =
                Process.GetProcessesByName("chrome")
                    .FirstOrDefault(
                        process =>
                            process.Modules.Cast<ProcessModule>()
                                .Any(module => module.ModuleName == "pepflashplayer.dll"));
            if (chromeProcess != null)
            {
                var flashPlayerModule = GetProcessModule(chromeProcess, "pepflashplayer.dll");
                var baseAddress = flashPlayerModule.BaseAddress.ToInt32() + 0x01035A80;
                var offsets = new[] { 0x80, 0xB8, 0x464, 0x28, 0x28 };
                var realAddress = GetRealAddress(chromeProcess.Handle, (IntPtr)baseAddress, offsets);
                Console.WriteLine(realAddress.ToString("X"));
                Console.ReadLine();
            }
        }
    }
}
Output:
False
83CAAA8
This is the 64-bit pointer's information from Cheat Engine:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>0</ID>
      <Description>"pointerscan result"</Description>
      <LastState Value="10000" RealAddress="2A0C3492B38"/>
      <VariableType>4 Bytes</VariableType>
      <Address>"pepflashplayer.dll"+01CB16E8</Address>
      <Offsets>
        <Offset>48</Offset>
        <Offset>3D8</Offset>
        <Offset>370</Offset>
        <Offset>7A8</Offset>
        <Offset>360</Offset>
      </Offsets>
    </CheatEntry>
  </CheatEntries>
</CheatTable>
The code below is my attempt to retrieve the memory address of the 64-bit pointer:
using System;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
namespace Trainer
{
    internal class Program
    {
        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool ReadProcessMemory(IntPtr process, IntPtr baseAddress, [Out] byte[] buffer, int size,
            out IntPtr bytesRead);
        public static long ReadInt64(IntPtr process, IntPtr baseAddress)
        {
            var buffer = new byte[8];
            IntPtr bytesRead;
            ReadProcessMemory(process, baseAddress, buffer, 4, out bytesRead);
            return BitConverter.ToInt64(buffer, 0);
        }
        private static ProcessModule GetProcessModule(Process process, string moduleName)
        {
            foreach (ProcessModule module in process.Modules)
            {
                if (module.ModuleName == moduleName)
                {
                    return module;
                }
            }
            return null;
        }
        public static long GetRealAddress(IntPtr process, IntPtr baseAddress, int[] offsets)
        {
            var address = baseAddress.ToInt64();
            foreach (var offset in offsets)
            {
                address = ReadInt64(process, (IntPtr)address) + offset;
            }
            return address;
        }
        private static void Main()
        {
            Console.WriteLine(Environment.Is64BitProcess);
            // Get the first Chrome process that contains a module named "pepflashplayer.dll".
            var chromeProcess =
                Process.GetProcessesByName("chrome")
                    .FirstOrDefault(
                        process =>
                            process.Modules.Cast<ProcessModule>()
                                .Any(module => module.ModuleName == "pepflashplayer.dll"));
            if (chromeProcess != null)
            {
                var flashPlayerModule = GetProcessModule(chromeProcess, "pepflashplayer.dll");
                var baseAddress = flashPlayerModule.BaseAddress.ToInt64() + 0x01CB16E8;
                var offsets = new[] { 0x360, 0x7A8, 0x370, 0x3D8, 0x48 };
                var realAddress = GetRealAddress(chromeProcess.Handle, (IntPtr)baseAddress, offsets);
                Console.WriteLine(realAddress.ToString("X"));
                Console.ReadLine();
            }
        }
    }
}
Output:
True
48
How can I retrieve the memory address of a 64-bit pointer?
1 solution
#1
1
Here you allocate 8 bytes:
var buffer = new byte[8];
IntPtr bytesRead;
and here you read just 4:
ReadProcessMemory(process, baseAddress, buffer, 4, out bytesRead);
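The size mismatch pointed out in the answer above, as an added example that is not part of the original post: it reads a pinned 8-byte value back from the program's own process (Windows only), once with a size of 4 and once with 8, and checks the API's return value and byte count so a failed or short read cannot pass as data. The names `ReadSizeDemo` and `Read` are hypothetical, the `size` parameter is declared as `IntPtr` to match the native `SIZE_T`, and the sample value is the `RealAddress` from the 64-bit Cheat Engine entry, used here as constructed data.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

internal static class ReadSizeDemo
{
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool ReadProcessMemory(IntPtr process, IntPtr baseAddress,
        [Out] byte[] buffer, IntPtr size, out IntPtr bytesRead);

    // Reads `size` bytes into a zeroed 8-byte buffer and fails loudly on an
    // error or a short read instead of returning whatever is in the buffer.
    private static long Read(IntPtr process, IntPtr address, int size)
    {
        var buffer = new byte[8];
        IntPtr bytesRead;
        if (!ReadProcessMemory(process, address, buffer, (IntPtr)size, out bytesRead))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        if (bytesRead.ToInt64() != size)
            throw new InvalidOperationException(
                "Short read at 0x" + address.ToInt64().ToString("X"));
        return BitConverter.ToInt64(buffer, 0);
    }

    private static void Main()
    {
        // Constructed sample: a pointer-sized value with bits set above bit 31,
        // pinned in this process so it can be read back through the same API.
        var sample = new[] { 0x000002A0C3492B38L };
        var pin = GCHandle.Alloc(sample, GCHandleType.Pinned);
        try
        {
            var self = Process.GetCurrentProcess().Handle;
            var address = pin.AddrOfPinnedObject();
            // Size 4 fills only the low half of the buffer; the high half stays zero.
            Console.WriteLine(Read(self, address, 4).ToString("X"));
            // Size 8 (buffer.Length for a 64-bit pointer) returns the whole value.
            Console.WriteLine(Read(self, address, 8).ToString("X"));
        }
        finally
        {
            pin.Free();
        }
    }
}
```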