AoBScan result

05/26/2020 12:42 KaMeR1337#1
Code:
        // Attach to the game process, run the AoB scan and keep the address
        // of the last match. The loop overwrites BaseAddress on every
        // iteration, so only the final hit of the scan survives.
        public async Task MemoryScan()
        {
            MemLib.OpenProcess(MemLib.GetProcIdFromName("metin2client"));
            var myAoBScan = (await MemLib.AoBScan(patternText.Text)).ToArray();

            for (int i = 0; i < myAoBScan.Length; i++)
            {
                BaseAddress = myAoBScan[i];
            }
        }
BaseAddress returns 030BA2C6 but I want it to return 04CEB1F8:

how can i do it?

EDIT:
Never mind, got it by doing
MemLib.ReadInt(BaseAddress)
05/27/2020 20:17 PC Jones#2
Thanks for providing your solution :)
06/05/2020 08:15 KaMeR1337#3
Now I don't know how to read the address from this call:
06/07/2020 01:51 florian0#4
Quote:
Originally Posted by KaMeR1337
Now I don't know how to read the address from this call:
Calls (& jumps) use indirect addressing. This means the value stored in the instruction bytes is not an absolute address but a relative one.

E8 B1 FA 0E 00 are your instruction bytes. E8 means CALL.

B1 FA 0E 00 are the bytes of the relative address. We flip them around (endianness) and get 0x000EFAB1 as a "usable" number. To get to the address 0xB4316E0, we need to add the address of the next instruction to it.
We can calculate it. 0xB341C2A is the address where the call is. The instruction is 5 bytes long, so the next address is 0xB341C2A + 5 = 0xB341C2F.

0xB341C2F + 0x000EFAB1 = 0xB4316E0

You can also inline it with the current instruction address, instead of the next:

0xB341C2A + 5 + 0x000EFAB1

Or as a more generic form

Code:
call_absolute_address = next_instruction_address + call_indirect_address

// - or -

call_absolute_address = current_instruction_address + instruction_byte_count + call_indirect_address

Keep in mind that the indirect address can also be negative. This means the call destination comes "before" the address where the call happens.

PS: According to the definition of the call instruction, the indirect address might also be 16 instead of 32 bits, only half the size. Even though it's allowed, I've never seen it actually happen.
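Worked example of the calculation in the post above, added here as an illustration; it is not code from florian0 or from the Memory.dll library used in the thread. It resolves the E8 rel32 CALL from the screenshot (bytes E8 B1 FA 0E 00 at 0xB341C2A), and goes a bit beyond the post: it treats the displacement as signed so a backwards call works, also handles E9 (JMP rel32) and EB (JMP rel8), and includes the inverse operation (encoding a CALL to a chosen target, which is what you need when patching a call). The function names, the SAMPLE_MEMORY bytes at 0x401000/0x401010 and the read_sample() reader are all constructed for this example; read_sample() only stands in for whatever ReadBytes-style call you make against the real process. MASK32 assumes a 32-bit process, which is what a 32-bit game client is; on x64 the formula is identical but the addition is done with the 64-bit RIP.

```python
import struct

# Opcode -> (instruction length, displacement size) for the relative near
# branches handled here: E8 = CALL rel32, E9 = JMP rel32, EB = JMP rel8.
REL_BRANCHES = {0xE8: (5, 4), 0xE9: (5, 4), 0xEB: (2, 1)}
MASK32 = 0xFFFFFFFF  # assumption: 32-bit process, addresses wrap at 32 bits


def resolve_relative_branch(instr_addr, instr_bytes):
    """Return (target, length) for the CALL/JMP whose bytes begin at instr_addr.

    The displacement is a *signed* little-endian integer that is added to the
    address of the next instruction (instr_addr + length), so a negative value
    branches backwards.
    """
    opcode = instr_bytes[0]
    if opcode not in REL_BRANCHES:
        raise ValueError("opcode 0x%02X is not a relative CALL/JMP" % opcode)
    length, disp_size = REL_BRANCHES[opcode]
    if len(instr_bytes) < length:
        raise ValueError("need %d bytes, got %d" % (length, len(instr_bytes)))
    fmt = "<i" if disp_size == 4 else "<b"          # little-endian, signed
    disp = struct.unpack_from(fmt, instr_bytes, 1)[0]
    next_ip = instr_addr + length
    return (next_ip + disp) & MASK32, length


def encode_call_rel32(instr_addr, target):
    """Inverse operation: the 5 bytes of an E8 CALL at instr_addr that lands
    on target (what you need when redirecting an existing call)."""
    disp = (target - (instr_addr + 5)) & MASK32
    if disp & 0x80000000:                # reinterpret as signed 32-bit
        disp -= 1 << 32
    return b"\xE8" + struct.pack("<i", disp)


# Constructed stand-in for process memory: address -> bytes at that address.
# Only the first entry is taken from the thread; the other two are made up
# to show a backwards call and a short jump.
SAMPLE_MEMORY = {
    0x0B341C2A: bytes.fromhex("E8 B1 FA 0E 00"),  # CALL 0B4316E0 (forward)
    0x00401000: bytes.fromhex("E8 00 FF FF FF"),  # CALL 00400F05 (backward, -0x100)
    0x00401010: bytes.fromhex("EB FE"),           # JMP 00401010 (short, to itself)
}


def read_sample(addr, n):
    """Plays the role of a ReadBytes(address, count) call against the target
    process; here it just serves the constructed bytes above."""
    return SAMPLE_MEMORY[addr][:n]


def branch_target_at(read_bytes, instr_addr):
    """Read enough bytes for the longest handled instruction and resolve it.
    read_bytes(addr, n) -> bytes is whatever memory reader you have."""
    return resolve_relative_branch(instr_addr, read_bytes(instr_addr, 5))[0]


if __name__ == "__main__":
    for addr in sorted(SAMPLE_MEMORY):
        raw = SAMPLE_MEMORY[addr]
        target, length = resolve_relative_branch(addr, raw)
        print("%08X  %-12s -> %08X" % (addr, raw.hex().upper(), target))
    # Round trip: re-encoding the thread's call gives the original bytes back.
    assert encode_call_rel32(0x0B341C2A, 0x0B4316E0) == SAMPLE_MEMORY[0x0B341C2A]
```

The two details that bite in practice are both in resolve_relative_branch(): the displacement must be unpacked as signed ("<i", not "<I"), otherwise every backwards call resolves to a garbage address near 4 GB, and the base for the addition is the address after the instruction, not the address of the E8 byte itself.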