Search code examples
c++pointersmemorycheat-engine

WriteProcessMemory with Multi Level Pointer

i am trying to write to a certain address in the memory (base address which i got from cheat engine, so it doesn't change), problem is i cant figure out how i need to write with all the offsets.

Here are the following address and offsets i have:

DWORD Pointer = 0x001E8AA0;
DWORD offset1 = 0x3F0;
DWORD offset2 = 0x62C;
DWORD offset3 = 0x4;
DWORD offset4 = 0x104;
DWORD offset5 = 0x68;
char moduleName[] = "Insaniquarium.exe";

picture of the pointer in cheat engine:

I've tried many things, and they all failed, i know this because in the game the value doesn't changes and in cheat engine the pointer of the value doesn't change either. Here what my finally try:

WriteProcessMemory(handle, (LPVOID)(moduleName + Pointer + offset1 + offset2 + offset3 + offset4 + offset5), &val, sizeof(val), nullptr);

Ad I described earlier, the value haven't changed.

If you think u need more information, let me know, thank you.

Solution

  • Your offsets are added in the wrong order. You need to do from bottom to top of that screenshot.

    You need to de-reference each pointer in the chain, you're not doing that.

    Here is how to correctly do it:

    DWORD GetProcId(const wchar_t* procName)
{
    DWORD procId = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 procEntry;
        procEntry.dwSize = sizeof(procEntry);

        if (Process32First(hSnap, &procEntry))
        {
            do
            {
                if (!_wcsicmp(procEntry.szExeFile, procName))
                {
                    procId = procEntry.th32ProcessID;
                    break;
                }
            } while (Process32Next(hSnap, &procEntry));

        }
    }
    CloseHandle(hSnap);
    return procId;
}

uintptr_t GetModuleBaseAddress(DWORD procId, const wchar_t* modName)
{
    uintptr_t modBaseAddr = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        MODULEENTRY32 modEntry;
        modEntry.dwSize = sizeof(modEntry);
        if (Module32First(hSnap, &modEntry))
        {
            do
            {
                if (!_wcsicmp(modEntry.szModule, modName))
                {
                    modBaseAddr = (uintptr_t)modEntry.modBaseAddr;
                    break;
                }
            } while (Module32Next(hSnap, &modEntry));
        }
    }
    CloseHandle(hSnap);
    return modBaseAddr;
}

uintptr_t FindDMAAddy(HANDLE hProc, uintptr_t ptr, std::vector<unsigned int> offsets)
{
    uintptr_t addr = ptr;
    for (unsigned int i = 0; i < offsets.size(); ++i)
    {
        ReadProcessMemory(hProc, (BYTE*)addr, &addr, sizeof(addr), 0);
        addr += offsets[i];
    }
    return addr;
}

    int main()
{
    //Get ProcId of the target process
    DWORD procId = GetProcId(L"Insaniquarium.exe");

    //Getmodulebaseaddress
    uintptr_t moduleBase = GetModuleBaseAddress(procId, L"Insaniquarium.exe");

    //Get Handle to Process
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, procId);

    //Resolve base address of the pointer chain
    uintptr_t dynamicPtrBaseAddr = moduleBase + 0x001E8AA0;

    //Resolve the pointer chain
    std::vector<unsigned int> offsets = {0x68, 0x104, 0x4, 0x62C, 0x3F0};

    uintptr_t addr = FindDMAAddy(hProcess, dynamicPtrBaseAddr, offsets);

    return 0;
}