Cheat Engine, C#, THREADSTACK0

~~Melli-~~ · 01/10/2020, 12:48

Hello,

I try to describe my problem in english, to get more help, as when I write it in german.

I have a pointer for the zoom value, and I got many pointers for some .dll's, but after a while, the pointers aren't valid anymore, and only the pointers which comes from "THREADSTACK0" are valid.

I am not working with C++, that's why I tried to find a way, to get the "THREADSTACK0" address via C#.

I found a github project, which returns a "THREADSTACK0" address (if I convert it to IntPtr) but it isn't the correct address.

I used following project:

Now to explain a little bit more my problem, I will add screens.

That is the address which shows Cheat Engine:

That is the address which shows Visual Studio without adding the 0x000001D8 to the THREADSTACK0:

That is the address which shows Visual Studio with adding the 0x000001D8 to the THREADSTACK0 (I forgot to make a photo of it so I calculated it): 0x3A7FC58

Cheat Engine Value:
"THREADSTACK0"-000001D8

elmarcia · 01/10/2020, 14:21

Don't know much about it, but some urls should help you find your way out.

The git you share is for 32 bit process, if you are ussing 64, you have to change a bit of code, (remember 64bit process has 8bytes address size, so intPtr don't know if can store it without overflow)

~~Melli-~~ · 01/10/2020, 14:35

Quote:

Originally Posted by elmarcia

Don't know much about it, but some urls should help you find your way out.

The git you share is for 32 bit process, if you are ussing 64, you have to change a bit of code, (remember 64bit process has 8bytes address size, so intPtr don't know if can store it without overflow)

First of all: I am using a 32 bit process, that's fine and give no problem (otherwise I would never have a result - because it throws an exception then.)

I read both of them, and that doesn't helped. I need to explain the problem better.

I found out now, that if I use the program:

the THREADSTACK0 base address is "okay" but it isn't this one, which CE uses. Just to clarify with pictures:

if I add the address "THREADSTACK0" I got following address:

this is the same address as the program "threadstack.exe" say:

but if I go to the pointer, and delete the "-000001D8" which is added after the "THREADSTACK0"
I got following value:

but this is obviously not the same value, which I got when I add the address "THREADSTACK0" (because this value is 1999864944)

False · 01/10/2020, 17:50

#moved

elmarcia · 01/10/2020, 21:58

Quote:

Originally Posted by Melli-

First of all: I am using a 32 bit process, that's fine and give no problem (otherwise I would never have a result - because it throws an exception then.)

I read both of them, and that doesn't helped. I need to explain the problem better.

I found out now, that if I use the program:
the THREADSTACK0 base address is "okay" but it isn't this one, which CE uses. Just to clarify with pictures:

if I add the address "THREADSTACK0" I got following address:

this is the same address as the program "threadstack.exe" say:

but if I go to the pointer, and delete the "-000001D8" which is added after the "THREADSTACK0"
I got following value:

but this is obviously not the same value, which I got when I add the address "THREADSTACK0" (because this value is 1999864944)

Pointer works in oposite direction, i don't know what you mean by add, i see a substraction there no adittion...

If i understand well you get your THREADSTACK0 base address, which is great, lets say THREADSTACK0 base is [03A7F9C0] this base address points to some other address 1999864944 -> [77338470], but this address pointed isn't what you need, you need to recalculate your base address first with the offset (0x1d8):

THREADSTACK0 - 0x1D8 -> 03A7F9C0 - 0x1d8 => BaseAddress:3A7F7E8

Then you can apply your pointer paths like this:

Note is reverse order as in cheat engine

Code:

offsets = {0x4,0x10,0x518,0x24,0x0,0x4,0x260}
currentAddress = BaseAddress
for (i=0;i<len(p) - 1;i++){
   currentAddress = MemoryRead(hProcess,currentAddress + offsets [i],'dword')
}
 value = MemoryRead(hProcess,currentAddress + 0x260,'your type here')

Last pointer offset is used to retrieve the address of the value needed

Lets say that this is valid code that is not, but for simplicity, memoryRead returns value readed, which is stored in the currentAddress and read all pointer path

~~Melli-~~ · 01/10/2020, 23:48

Thank you for your help, but the problem was easier as I thought..

The class which I copied works fine, but I need to compile my project as 32 bit file (and run it as 32 bit file) - then I was able to get the THREADSTACK0, substract it with the 0x1D8, and add then the offsets to it.

I had a funny problem too, because after 6 offsets, I wasn't able to add the 7th offset, but if I wrote "offset7 = offset6 + 0x260" it worked fine, lol.

Thank you very much, but the solution was much easier