1

I injected a DLL to an exe. Now I need to read data from a specific offset. My code from the DLL:

DWORD ExeBaseAddress = (DWORD)GetModuleHandleA(0); 
// HANDLE baseAddr = GetModuleHandleA(0)

uint16_t value = ExeBaseAddress + 0x7198BC + 0x70e;

cout << value << endl;

Problem is it doesn't give me the value I expect which is 1000. It also doesn't give me the right address.

Using a memory reading software I can get the CORRECT value. See:

cheatengine

But I am still getting the wrong value from the code even though I'm using the exact same offset from the memory reading app. So what am I missing?

I tried this but its still giving me the wrong value.

HANDLE ExeBaseAddress = GetModuleHandleA(0);

uintptr_t p = (uintptr_t)ExeBaseAddress + 0x7198BC + 0x70e;
int value = *reinterpret_cast<int *>(p);

cout << ExeBaseAddress << " - " << value << endl;
majidarif
  • 18,694
  • 16
  • 88
  • 133
  • You need to dereference the value at that location, you're just printing the address its located at. Also, the value of `ExeBaseAddress` + `0x7198BC` + `0x70e` is going to overflow a `uint16_t` – lcs Feb 10 '16 at 20:37
  • Sorry @cocarin , I'm not that good with `C++`. How is that done? – majidarif Feb 10 '16 at 20:39
  • http://stackoverflow.com/questions/4955198/what-does-dereferencing-a-pointer-mean includes an overview of dereferencing. – lcs Feb 10 '16 at 20:40
  • Even the address being printed is not the same as the address I am seeing from the Memory Editor. – majidarif Feb 10 '16 at 20:43
  • @cocarin I tried this `uint16_t *value = (uint16_t*) ExeBaseAddress + 0x7198BC + 0x70e;` but still no luck. – majidarif Feb 10 '16 at 20:46
  • @cocarin `cout << ExeBaseAddress << " - " << *value << endl;` But still not the value. – majidarif Feb 10 '16 at 20:48
  • 2
    You need to do the math before converting to a pointer, because C++ pointer arithmetic is in array elements, not bytes (for `uint16_t*` everything will get doubled) – Ben Voigt Feb 10 '16 at 20:48
  • @BenVoigt I updated my question. – majidarif Feb 10 '16 at 20:53
  • Beware: A DWORD is too small for a pointer on 64 bit machines. Use e.g. UINTPTR if you want to stay in win32's type system. – Ulrich Eckhardt Feb 10 '16 at 20:58
  • @UlrichEckhardt I updated my question again. But still getting the wrong value. – majidarif Feb 10 '16 at 21:12
  • what is the output that you are getting? – Abhineet Mar 21 '16 at 05:02
  • @Abhineet I'm only getting `00400000 - 0`. Value expected is 1000. Which is also confirmed by checking it with a memory reader. – majidarif Mar 21 '16 at 05:06
  • Can you load your exe in HxD (https://mh-nexus.de/en/hxd/) and post the relevant screenshot like the base address and the offset you are trying to read? – Abhineet Mar 21 '16 at 05:12
  • @Abhineet I don't believe I'll be able to see it from the hexeditor. The application only ends at `0x312FF4`, I'm trying to read beyond `0x7198BC`. – majidarif Mar 21 '16 at 05:15
  • For reading the content of some address in C, I do this:: `HANDLE ExeBaseAddress = GetModuleHandleA(0); uintptr_t *p = (uintptr_t*)((uintptr_t)ExeBaseAddress + 0x30 + 0x20); printf( "ExeBaseAddress - %X, Val - %X, Val Content - %X\n", ExeBaseAddress, p, (WORD&)*p ) ;` – Abhineet Mar 21 '16 at 05:29
  • The code you just gave, (I changed the offsets), gives me `ExeBaseAddress - 400000, Val - B19FCA, Val Content - 0` – majidarif Mar 21 '16 at 05:30
  • ExeBaseAddress is a HANDLE, so it's size is unknown to the compiler. That's why, we cast it to `unintptr_t`. And overall, we need an address which can be dereferenced to get the value kept at the location, so I have cast it to `uintptr_t*`. – Abhineet Mar 21 '16 at 05:31
  • You need 2 bytes to be read from 0x00B19FCA, right? Because, I am doing `(WORD&)*p`, if you need more bytes, you have to properly cast it. Is the location address correct now? – Abhineet Mar 21 '16 at 05:34
  • Yes, I use DWORD, I tried it and I guess the pointer I'm using is incorrect. At the moment on the code it points to address `B19FCA`. But on CheatEngine it is pointed to `2E03074E`. But I'm confused because I'm adding the same offsets in CheatEngine and in code. Could it be the base address? I tried subtracting the offsets to get the base address, CheatEngine is using `2d916784` as base address. – majidarif Mar 21 '16 at 05:37
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/106878/discussion-between-majidarif-and-abhineet). – majidarif Mar 21 '16 at 05:43

1 Answers1

3

From all the long comments and chats (some basic input too) with the OP, the solution found its way,

The exe loaded have the base address stored of another PE at the location 0x7198BC. This Base Address + offset(0x70E) have the desired value contained.

HANDLE ExeBaseAddress = GetModuleHandleA(0);

/*ExeBaseAddress is a HANDLE, so it's size is unknown to the compiler.
 That's why, we cast it to (unintptr_t). 
 And overall, we need an address which can be dereferenced,
 to get the value kept at the location, so cast it to (uintptr_t*)*/

uintptr_t *p = (uintptr_t*)((uintptr_t)ExeBaseAddress + 0x7198BC);
uintptr_t ModuleBaseAdrs = (DWORD&)*p ;
printf( "ModBaseAdrsLoc - %p, ModuleBaseAdrs - %X\n", p, ModuleBaseAdrs ) ;

uintptr_t *ValLoc = (uintptr_t *) (ModuleBaseAdrs + 0x70E);
DWORD Val = (DWORD&)*ValLoc ;
printf( "ValLoc - %p, Val - %u\n", ValLoc, Val ) ;
Abhineet
  • 5,320
  • 1
  • 25
  • 43