CE Pointer scan to AutoIt

05/18/2015 04:49 hailflex#1
I'm trying to read a pointer address. How do I transfer the pointer scan information to the code? I tried to use one of the results like this. Am I transferring the StaticOffset and CurHPOffset information correctly?


Code:
$ID=_MemoryOpen(ProcessExists("Rag2.exe"))
Global $CurHPOffset[3] = [0x7C, 0xB0, 0xB0]
$StaticOffset = 0x013F0C90

$openmem = _MemoryOpen($ID)
$baseADDR = _MemoryGetBaseAddress($openmem, 1)
$finalADDR = "0x" & Hex($baseADDR + $StaticOffset)

$HPread = _MemoryPointerRead($finalADDR, $openmem, $CurHPOffset, "char[10]")
_MemoryClose($openmem)
MsgBox(0, "Info", $HPread[1])
05/18/2015 08:10 alpines#2
The first element in the offset array is always zero if you're using _MemoryPointerRead. The rest looks fine, you might need elevated rights for these commands so add #RequireAdmin.
05/18/2015 18:18 hailflex#3
Is there any difference if I search for level 3 offset or level 5?
05/18/2015 19:37 alpines#4
Just add the new offsets to the array and it should work fine. There's no difference between multilevel pointers other than the number of offsets.
05/18/2015 23:00 hailflex#5
I'm having trouble with the offset array. _MemoryPointerRead is returning 0 and @error gives me 1 (which means $CurHPOffset is not an array).

I changed:

Code:
$CurHPOffset[4] = [0, 0x7C, 0xB0, 0xB0]
to

Code:
$CurHPOffset[4] = [Null, Dec("7C"), Dec("B0"), Dec("B0")]
because the function definition tells me to use Null in the first index of the array, but nothing really changed. Am I doing something wrong? This is the relevant code:

Code:
$ApplicationID=ProcessExists("Rag2.exe")
Global $CurHPOffset[4] = [Null, Dec("7C"), Dec("B0"), Dec("B0")]
$StaticOffset = 0x013F0C90

$OpenMem = _MemoryOpen($ApplicationID)
$BaseADDR = _MemoryGetBaseAddress($OpenMem, 1)
$FinalADDR = "0x" & Hex($BaseADDR + $StaticOffset)

Global $HPRead = _MemoryPointerRead($FinalADDR, $OpenMem, $CurHPOffset)
_MemoryClose($OpenMem)

If @error Then MsgBox(0,"TEST READ","ERROR: " & @error,0,"")
05/18/2015 23:09 alpines#6
The function definition tells you to set the value to 0 not Null. Also you don't have to use Dec("7C"), 0x7C will do just fine.
05/18/2015 23:46 hailflex#7
Okay.. the function is now returning an address. The new problem is: it's not the right address. Tried like 4 base address and offset combinations and they all return a different address.

What should I do or how can I debug this problem? I've just scanned again for these pointers and got exactly the same table. The pointers seem to be right.
05/19/2015 00:16 alpines#8
Reverse the order of the offsets, go like 0, 0xB0, 0xB0, 0x7C. Maybe that was the mistake.
05/19/2015 00:25 hailflex#9
Quote:
Originally Posted by alpines
Reverse the order of the offsets, go like 0, 0xB0, 0xB0, 0x7C. Maybe that was the mistake.
Reversing the order of the offsets gave the same address actually...
05/19/2015 00:27 alpines#10
Are you sure that the ModuleBaseAddress is returned properly?
05/19/2015 00:33 hailflex#11
Quote:
Originally Posted by alpines
Are you sure that the ModuleBaseAddress is returned properly?
Uh? I think I'm not using that, but _MemoryGetBaseAddress

This is the current code:

Code:
$ApplicationID=ProcessExists("Rag2.exe")
Global $CurHPOffset[3] = [0, 0xB0, 0x184]

$StaticOffset = 0x013F51BC

$OpenMem = _MemoryOpen($ApplicationID)

$BaseADDR = _MemoryGetBaseAddress($OpenMem, 1)
$FinalADDR = "0x" & Hex($BaseADDR + $StaticOffset)

Global $HPRead = _MemoryPointerRead($FinalADDR, $OpenMem, $CurHPOffset, "char[10]")


$Read=StringRight ( $HPRead[0], 8); Only uses last 8 digits of string "Removes unneeded 0's"
MsgBox(0,"TEST READ","Pointer Read: " & $Read,-1,"")

$HPValue = _MemoryRead($Read, $OpenMem)

MsgBox(0,"TEST READ","HP Read: " & $HPValue,-1,"")

_MemoryClose($OpenMem)
05/19/2015 10:18 alpines#12
Did you try to run your script with elevated privileges such as #RequireAdmin?
05/19/2015 15:39 hailflex#13
Quote:
Originally Posted by alpines
Did you try to run your script with elevated privileges such as #RequireAdmin?
Yes, it's running with #RequireAdmin

The full script: [Only registered and activated users can see links. Click Here To Register...]

EDIT1: I just found out:

1- ProcessExists("Rag2.exe") returns the right PID (checked in Task Manager)

2- _MemoryOpen is returning an empty string/array? It doesn't seem to be an error because there's no @error.

3- Because of that, _MemoryGetBaseAddress returns 0.

Any ideas? :)

EDIT2: _MemoryOpen also returns empty when opening notepad.exe
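
Added example, not part of the thread and not the code of the memory UDF used above: a Python model of how a multi-level pointer chain is resolved, run over a constructed in-memory address space so each hop can be printed and compared by hand. The static offset and offsets are the ones posted above; the base address, object addresses and HP value are made up, and the convention (dereference, then add the next offset, left to right, with no leading 0 element) is an assumption that may differ from how _MemoryPointerRead consumes its array.

```python
import struct

class ReadError(Exception):
    pass

class FakeMemory:
    """Constructed stand-in for a 32-bit address space: {start: bytes}."""
    def __init__(self, regions):
        self.regions = regions

    def read_u32(self, addr):
        for start, data in self.regions.items():
            if start <= addr and addr + 4 <= start + len(data):
                return struct.unpack_from("<I", data, addr - start)[0]
        raise ReadError(f"unmapped 4-byte read at {addr:#010x}")

def resolve_chain(mem, module_base, static_offset, offsets):
    """Walk base+static -> deref -> +offset ...; return (address, trace)."""
    if module_base == 0:
        raise ReadError("module base is 0: open or base lookup failed")
    addr = module_base + static_offset
    trace = []
    for level, off in enumerate(offsets):
        try:
            ptr = mem.read_u32(addr)
        except ReadError as exc:
            raise ReadError(f"level {level}: {exc}") from exc
        trace.append((level, addr, ptr, off))  # compare each hop by hand
        addr = (ptr + off) & 0xFFFFFFFF
    return addr, trace

# Constructed layout: BASE, OBJ1, OBJ2 and HP are made up for this example.
BASE, STATIC, OFFSETS = 0x00400000, 0x013F51BC, [0xB0, 0x184]
OBJ1, OBJ2, HP = 0x02A00000, 0x02B00000, 1234
MEM = FakeMemory({
    BASE + STATIC: struct.pack("<I", OBJ1),
    OBJ1 + 0xB0: struct.pack("<I", OBJ2),
    OBJ2 + 0x184: struct.pack("<I", HP),
})

if __name__ == "__main__":
    final, trace = resolve_chain(MEM, BASE, STATIC, OFFSETS)
    for level, addr, ptr, off in trace:
        print(f"L{level}: [{addr:#010x}] = {ptr:#010x}, +{off:#x}")
    print(f"value at {final:#010x} = {MEM.read_u32(final)}")
```

In this model a base address of 0 is rejected before any read, and a failed read reports the level at which the chain broke instead of returning an unrelated address.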