0

I'm trying to get a value from a memory address of a process(In this case, OBS64). I have this code with the Process ID of the OBS and the memory address of the value I want. Cheat Engine says the value is 4 Bytes

from ctypes import *
import ctypes

OpenProcess = windll.kernel32.OpenProcess
ReadProcessMemory = windll.kernel32.ReadProcessMemory
CloseHandle = windll.kernel32.CloseHandle

PROCESS_ALL_ACCESS = 0x1F0FFF

pid = 15352
address = 0x1AF91A490C4  # From Cheat Engine, it's a 4 Bytes int

buffer = c_uint()
val = c_int()

processHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)

if ReadProcessMemory(processHandle, address, buffer, 32, 0):  # Error here
    memmove(ctypes.byref(val), buffer, ctypes.sizeof(val))

    print("Success: " + str(val.value))
else:
    print("Failed.")

CloseHandle(processHandle)

I get the error: ctypes.ArgumentError: argument 2: <class 'OverflowError'>: int too long to convert But I'm not sure why. I think it's because of the length of the buffer, but I tried to play with it a lot and kept getting the error...

Botje
  • 26,269
  • 3
  • 31
  • 41
Flafy
  • 176
  • 1
  • 3
  • 15
  • That's not "*a 4 Bytes int*". Count the hex digits (each 2 form a byte). Also check https://stackoverflow.com/questions/58610333/c-function-called-from-python-via-ctypes-returns-incorrect-value/58611011#58611011, and the *WinAPI*s documentation, as the parameters you;re passing are incorrect. – CristiFati Jan 14 '20 at 15:55
  • @CristiFati I still can't understand what I'm doing wrong... I now have this code https://pastebin.com/0pKTiipf and I saw that smaller addresses do work... Also how do I check the hex of the value with what Cheat Engine provides me(https://imgur.com/a/tx08eSf)? – Flafy Jan 14 '20 at 18:21
  • 2
    @FlafyMation @CristiFati gave you the answer: if you don't prototype the APIs (by using `argtypes` and `restype`) all parameters are passed as int (hence 64-bits addresses are truncated). You need to tell to ctypes what parameter types those APIs use. – Neitsa Jan 16 '20 at 16:58
  • 1
    See https://stackoverflow.com/a/33858255/235698 for an example using `argtypes` and `restype`. – Mark Tolonen Jan 16 '20 at 19:42

0 Answers0