Posted (edited)

Well I'd have to restart EQ2, but I tried returning $Array[0], [1], [2], etc. in the first set of tests I did... The offset was wrong then and I haven't returned to it with the new offset yet.

It might take 5 mins or so, but want me to?

EDIT: It returned -30300

Grrrrr

$Process = "EverQuest2.exe"
$Pid = ProcessExists($Process)
$h_open = _MemOpen($pid)
$Read = _MemRead($h_open,0xF4798A,4)
MsgBox(0, "Test Box", "TEst: " & $Read[0] & $Read[1] & $Read[2] & $Read[3])
_MemClose($h_open)
Edited by JoshDB
Ha, I haven't been on these forums since... 2006, almost. Behold, my legacy signature:My AutoIt idol is Valuater. You know you love him, too.My Stuff: D&D AGoT Tools Suite
Posted

Yep. I've tried the same thing you did. :o

w0uter, please give a simple example of how to read a number. Mem functions are something I've wanted in AutoIt since I started using it. :geek:

Thanks, Hallman

Posted

I've read the same hex address from two programs, both yielding the same value. So it's something we're doing for sure now :o

Posted

:o hmm . . .

w0uter, please give a simple example of how to read a number.

Posted (edited)

The arrays never returned anything of value to me, so I removed them altogether. I get the result I've been looking for for about 3 months now. Here's an example:

; These replace w0uter's array-returning _MemOpen/_MemRead/_MemClose with
; variants that return the raw struct data. Define them in place of the UDF
; (do not also #include 'Memory Functions.au3', or the names will clash).

Func _MemOpen($i_dwProcessId, $i_dwDesiredAccess = 0x1F0FFF, $i_bInheritHandle = False)
    ; OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId).
    ; 0x1F0FFF is PROCESS_ALL_ACCESS; PROCESS_VM_READ (0x10) is enough for reading.
    Local $ai_Handle = DllCall("kernel32.dll", 'handle', 'OpenProcess', 'dword', $i_dwDesiredAccess, 'int', $i_bInheritHandle, 'dword', $i_dwProcessId)
    If @error Then
        SetError(1)
        Return 0
    EndIf
    If $ai_Handle[0] = 0 Then
        SetError(1) ; OpenProcess failed (bad PID or insufficient rights)
        Return 0
    EndIf
    Return $ai_Handle[0]
EndFunc;==>_MemOpen

Func _MemRead($i_hProcess, $i_lpBaseAddress, $i_nSize = 4)
    ; Reads $i_nSize bytes at $i_lpBaseAddress into a byte[] struct and returns
    ; the struct data as-is (no array), which is what this version is for.
    Local $v_Struct = DllStructCreate('byte[' & $i_nSize & ']')
    Local $av_Call = DllCall('kernel32.dll', 'int', 'ReadProcessMemory', 'handle', $i_hProcess, 'ptr', $i_lpBaseAddress, 'ptr', DllStructGetPtr($v_Struct, 1), 'ulong_ptr', $i_nSize, 'ulong_ptr*', 0)
    If @error Then
        SetError(1)
        Return 0
    EndIf
    If $av_Call[0] = 0 Then
        SetError(2) ; ReadProcessMemory returned FALSE (unmapped address or no access)
        Return 0
    EndIf
    Local $v_Return = DllStructGetData($v_Struct, 1)
    $v_Struct = 0 ; dropping the last reference frees the struct; DllStructDelete is not needed
    Return $v_Return
EndFunc;==>_MemRead

Func _MemClose($i_hProcess)
    Local $av_CloseHandle = DllCall('kernel32.dll', 'int', 'CloseHandle', 'handle', $i_hProcess)
    If @error Then Return 0
    Return $av_CloseHandle[0]
EndFunc;==>_MemClose
;||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

$i_pid = WinGetProcess('VMS EB2')
$v_Open = _MemOpen($i_pid)
$MemRead_results = _MemRead( $v_Open, 0x746041)
ConsoleWrite($MemRead_results&@LF)
_MemClose($v_Open)
Not sure if this will help anyone, but the array idea kept me from getting what I wanted.

Edited by strate
INI TreeViewA bus station is where a bus stops, a train station is where a train stops. Onmy desk I have a work station...
Posted

<memory functions here>

$i_pid = WinGetProcess('EverQuest II (Feb 13 2006 19:03:07) USER OPTIMIZED: SOEBuild=2767L')
$v_Open = _MemOpen($i_pid)
$MemRead_results = _MemRead( $v_Open, 0xF4798A)
MsgBox(0,"Test",$MemRead_results)
_MemClose($v_Open)

That returns gibberish :o

Posted

This is a shot in the dark, but your title has the time in it; is this static? To be more certain that you're getting a good PID, try using $i_pid = ProcessExists(Process Name)

Just a guess though.

Posted

Yes, the time is static. That was the time of the latest update.

Today is the 15th

Posted (edited)

hello,

If you ask _MemRead to read n bytes, it returns an array of n bytes starting from the address you specified. However, the value you want will actually be stored in the array in reverse order, i.e. if you're expecting a value of 43707 (0xAABB in hex), the array you would get is [0xBB,0xAA,00,00], or [187,170,0,0] in decimal. I don't know why it's reversed; I thought at first it was intentionally reversed by the programmer, but I tried reading stuff from other programs and they're all like that. Anyway, you can use the _MemRev function to get the reversed hex representation of the array returned by _MemRead.

Edited by monji
Posted

I don't know why it's reversed; I thought at first it was intentionally reversed by the programmer

The "wrong order" of the bytes is caused by Intel, see Little Endian vs Big Endian

best regards,

Marc

Any of my own codes posted on the forum are free for use by others without any restriction of any kind. (WTFPL)
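The byte order Marc and monji describe, worked through on the numbers from this thread as an added example (Python; not code from the thread or from w0uter's UDF). It assumes only that the read hands back the bytes in memory order, with each byte possibly shown as a signed value (-30 for 0xE2), which is what the MsgBox in the earlier post printed; the sample arrays are constructed from those posts.

```python
"""Decode the byte array a ReadProcessMemory-style read returns into the
integer the target process stores. Added example for this thread, not the
UDF's own code; it assumes the read returns the bytes in memory order."""
import struct

# Constructed sample: the four values JoshDB's MsgBox showed for 0xF4798A.
# The UDF handed the first byte back signed (-30 is 0xE2 as a signed byte).
SAMPLE_READ = [-30, 3, 0, 0]


def to_unsigned_bytes(values):
    """Map byte values given as -128..127 or 0..255 onto raw bytes."""
    out = bytearray()
    for v in values:
        if not -128 <= v <= 255:
            raise ValueError(f"not a byte value: {v}")
        out.append(v & 0xFF)          # -30 & 0xFF == 0xE2
    return bytes(out)


def mem_rev(values):
    """What _MemRev produces: the bytes reversed into a '0x...' hex string.
    Reversing a little-endian array gives the number as humans read it."""
    raw = to_unsigned_bytes(values)
    return "0x" + raw[::-1].hex().upper()


def little_endian_int(values, signed=False):
    """Read the bytes directly as one little-endian integer (x86 layout).
    Use signed=True when the game stores the field as a signed int: the
    same four 0xFF bytes are 4294967295 unsigned but -1 signed."""
    raw = to_unsigned_bytes(values)
    fmt = {1: "b", 2: "h", 4: "i", 8: "q"}[len(raw)]
    return struct.unpack("<" + (fmt if signed else fmt.upper()), raw)[0]


def hex_to_int(text):
    """The Int() step from the thread, for a '0x...' string."""
    return int(text, 16)


if __name__ == "__main__":
    print(mem_rev(SAMPLE_READ))                    # 0x000003E2
    print(hex_to_int(mem_rev(SAMPLE_READ)))        # 994
    print(little_endian_int(SAMPLE_READ))          # 994, no string detour needed
    print(little_endian_int([0xBB, 0xAA, 0, 0]))   # 43707, monji's example
```

The "-30300" in the first post is just the four signed values -30, 3, 0, 0 concatenated as text. Reversing them into a hex string is only a display step; the value itself is the little-endian integer, and reading it as signed or unsigned is a separate decision that depends on how the game declares the field.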

Posted (edited)

What does all this mean for me?

All I want to do is read the hex address 0xF4798A, type 4 bytes, of the program PID EverQuest2.exe.

Cheat Engine lets me do this easily.

$Process = "EverQuest2.exe"
$Pid = ProcessExists($Process)
$h_open = _MemOpen($pid)
$Read = _MemRead($h_open,0xF4798A,4)
MsgBox(0, "Test Box", "Test: " & $Read[0] & " - " & $Read[1] & " - " & $Read[2] & " - " & $Read[3])
MsgBox(0, "Test Box", "Test: " & _MemRev($Read))
_MemClose($h_open)

This results in two message boxes, one holding -30 - 3 - 0 - 0 (the " - " was for me to see the separation of the array elements better) and the other holding 0x000003E2. Neither of these yields anything more than -1 when put through HexToString or StringToHex...

:o

EDIT EDIT EDIT: Alright, in Cheat Engine I displayed the value as hexadecimal and it was the same as in the message box... Now to convert it.

Edited by JoshDB
Posted

Alright guys - Sorry for double post - I figured it out.

#include <String.au3>
; _MemRev comes from w0uter's Memory Functions.au3, the same UDF that provides _MemRead

Func _HexadecimalToDecimal($var)
    Local $hex = _MemRev($var) ; "0x000003E2"-style string; reverse once, not on every pass
    Local $result = 0
    Local $sum = 0
    Local $power = 0
    Local $currentDigit

    Do
        ; Take the digit $power places from the right
        $currentDigit = StringRight($hex, $power + 1)
        $currentDigit = StringLeft($currentDigit, 1)
        If $currentDigit = "A" Then
            $currentDigit = 10
        ElseIf $currentDigit = "B" Then
            $currentDigit = 11
        ElseIf $currentDigit = "C" Then
            $currentDigit = 12
        ElseIf $currentDigit = "D" Then
            $currentDigit = 13
        ElseIf $currentDigit = "E" Then
            $currentDigit = 14
        ElseIf $currentDigit = "F" Then
            $currentDigit = 15
        EndIf
        $result = $currentDigit * 16 ^ $power ; "x" and "0" both contribute 0
        $power = $power + 1
        $sum = $sum + $result
    Until $currentDigit = "x" Or $power >= StringLen($hex) ; stop at the 0x prefix, or at the end of a string without one

    Return $sum
EndFunc;==>_HexadecimalToDecimal by joshdb

Example:

$Process = "EverQuest2.exe"
$Pid = ProcessExists($Process)
$h_open = _MemOpen($pid)
$Read = _MemRead($h_open,0xF4798A,4)
MsgBox(0, "Test Box", "Test: " & _HexadecimalToDecimal($Read))
_MemClose($h_open)

Big huge thanks to: http://www.permadi.com/tutorial/numHexToDec/

Whew... :">

Posted

I don't understand; is it possible to write to the game memory? For example, use this function to find a byte for Diablo II, then write over it, so kind of like HACKING into Diablo?

Posted (edited)

These functions read and/or edit what a process stores in memory. So, it's kinda like hacking. :o

Anyone have any write functions that work?

Edited by Hallman
Posted

This is C++, but is it possible to send packets kind of like this with AutoIt?

// MSVC x86 inline assembly only (__declspec(naked) and __asm). The hard-coded
// addresses are only valid for the game build they were taken from and will
// point at garbage in any other build.
#include <windows.h>

// GetPlayerID
DWORD __declspec(naked) GetPlayerID(VOID) {
    __asm {
        MOV EAX, DWORD PTR DS:[0x6FBCC1E0]
        MOV ECX, DWORD PTR DS:[EAX+0xC]
        mov eax, ecx
        ret
    }
}

// GetPlayerArea
DWORD __declspec(naked) GetPlayerArea(void) {
    __asm {
        MOV EAX, DWORD PTR DS:[0x6FBCC1E0]
        push eax
        mov ebx, 0x6FABC0BC
        call ebx
        push eax
        mov ebx, 0x6FABC0B6
        call ebx
        ret
    }
}

// SendGamePacket
void SendGAMEPacket(BYTE* Packet, DWORD PacketSize) {
    DWORD size1 = PacketSize;
    __asm {
        mov eax, Packet
        push Packet
        mov ebx, size1
        mov edx, 0x6FB0DE40
        call edx
    }
}

// GetCurrentLife
DWORD __declspec(naked) GetCurrentLife() {
    __asm {
        mov eax, 6
        mov ebx, 0x6FB653A0
        call ebx
        SAR eax, 8
        ret
    }
}

// GetMaxLife (the posted version was missing the opening brace after __asm)
DWORD __declspec(naked) GetMaxLife() {
    __asm {
        mov eax, 6
        mov ebx, 0x6FB653A0
        call ebx
        SAR edx, 8
        mov eax, edx
        ret
    }
}

// GetCurrentMana
DWORD __declspec(naked) GetCurrentMana() {
    __asm {
        mov eax, 8
        mov ebx, 0x6FB653A0
        call ebx
        SAR eax, 8
        ret
    }
}

// GetMaxMana
DWORD __declspec(naked) GetMaxMana() {
    __asm {
        mov eax, 8
        mov ebx, 0x6FB653A0
        call ebx
        SAR edx, 8
        mov eax, edx
        ret
    }
}

// GamePrintMessage
enum { colWhite, colRed, colGreen, colBlue, colGold, colGrey, colBlack, colBrown, colOrange, colYellow };

typedef void (__stdcall *pPrint)(wchar_t* Text, BYTE Color);

void GamePrintMessage(char *Message, BYTE color)
{
    pPrint Print = (pPrint)0x6FAC6780;
    wchar_t Buffer[256];
    // -1: convert up to and including the NUL terminator. The destination size is
    // in characters, not bytes; the posted sizeof(Message) only measured the pointer.
    MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, Message, -1, Buffer, sizeof(Buffer) / sizeof(Buffer[0]));
    Print(Buffer, color);
}

Posted

You don't need that function; you can simply Int() the result of _MemRev to get the decimal representation.

Posted (edited)

_MemWrite seems to work okay. You first have to call _MemCreate, then pass the result to _MemWrite.

I tried these last night and checked with OllyDbg; they were all written properly.

$hMem = _MemOpen( ProcessExists( 'game.exe' ) )
$len = _MemCreate( 0x04 )
$txt = _MemCreate( 'test' )
_MemWrite( $hMem, 0x109F8788, $len )
_MemWrite( $hMem, 0x109F8794, $txt )
_MemWrite( $hMem, 0x109F9138, $txt )
_MemClose( $hMem )

BTW, I re-read the last few pages; you probably wrote the right thing before but read it back incorrectly. Try outputting Int( _MemRev( _MemRead(...) ) ) after _MemWrite()ing to see if it really was written.

Edited by monji
Posted (edited)

Do I have to write it as hex though? I would like to have a GUI input control with a number and just do:

_MemWrite( $Mem, 0x000000,_MemCreate(GuiCtrlRead($Input1)))

How am I supposed to do that? Do I need to convert the number to something first? I'm confused :o

Hallman

Edited by Hallman
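For the question above about writing a number typed into a GUI input, here is the encoding side worked through as an added example (Python; not the thread's or the UDF's code). It assumes the target is a 32-bit unsigned field stored little-endian, or a NUL-terminated ASCII string, and it stands in for the Win32 OpenProcess/ReadProcessMemory/WriteProcessMemory calls with a constructed in-memory buffer so it runs offline; the addresses reuse monji's numbers, but the layout behind them is made up.

```python
"""Prepare a value typed into a GUI input for a WriteProcessMemory-style write
and confirm the write by reading it back. Added example for this thread, not
the UDF's code; the FakeProcessMemory class is a constructed stand-in for the
real process and its addresses are arbitrary."""
import struct


def encode_dword(text):
    """Bytes for a 32-bit field from user text: '1234' and '0x4D2' both work."""
    value = int(text.strip(), 0)            # base 0: decimal or 0x-prefixed hex
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} does not fit in 4 bytes")
    return struct.pack("<I", value)         # '<' = little-endian, as the CPU stores it


def decode_dword(raw):
    """Inverse of encode_dword: the Int(_MemRev(_MemRead(...))) step."""
    return struct.unpack("<I", raw)[0]


def encode_cstring(text, field_size):
    """ASCII plus NUL terminator, padded to the field so no stale characters
    remain behind the new string; refuses text that would overrun the field."""
    raw = text.encode("ascii") + b"\x00"
    if len(raw) > field_size:
        raise ValueError("string does not fit in the field")
    return raw.ljust(field_size, b"\x00")


class FakeProcessMemory:
    """Constructed stand-in for the target process: one mapped range only."""

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def _offset(self, address, length):
        off = address - self.base
        if off < 0 or off + length > len(self.buf):
            raise MemoryError(f"0x{address:08X}: outside the mapped range")
        return off

    def write(self, address, data):
        off = self._offset(address, len(data))
        self.buf[off:off + len(data)] = data

    def read(self, address, length):
        off = self._offset(address, length)
        return bytes(self.buf[off:off + length])


def write_and_verify(mem, address, data):
    """Write, then read back and compare. A write that reports success but
    is not visible on read-back means the wrong address, size or process."""
    mem.write(address, data)
    return mem.read(address, len(data)) == data


def write_dword_from_input(mem, address, text):
    """The whole GUI-input-to-memory path; returns the value read back."""
    if not write_and_verify(mem, address, encode_dword(text)):
        raise RuntimeError("read-back mismatch")
    return decode_dword(mem.read(address, 4))


def round_trip_demo():
    """Both writes from monji's post, against the constructed buffer."""
    mem = FakeProcessMemory(base=0x109F8000, size=0x2000)   # made-up layout
    number = write_dword_from_input(mem, 0x109F8788, "1234")
    write_and_verify(mem, 0x109F8794, encode_cstring("test", 8))
    return number, mem.read(0x109F8794, 8)


if __name__ == "__main__":
    print(round_trip_demo())   # (1234, b'test\x00\x00\x00\x00')
```

The read-back check is monji's advice in code form. The number never has to be typed as hex: int(text, 0) accepts either form and the pack call produces the four bytes in the order the process expects, which is what _MemCreate has to be handed rather than the decimal string from GUICtrlRead.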
Posted

Aw crap. And I thought I was so smart :o

