Search code examples
c#windowsmemoryoffset

How to find my static address from CheatEngine in C# with Memory functions

So I figured out a static address of my ping in TeamSpeak 3 with a cheat engine. The adress is "Qt5Gui.dll"+005F2E58 so module Qt5Gui.dll + offset of 0x005F2E58

With Cheat Engine it's not a problem to get the ping value after restarting the application.

Now I tried to find this address in C# using memory functions but I'm not getting my address.

The Wanted Adress is: 16CE3AB92E40549592 My Programm gets me: 14072403

How to find the right address like in cheat engine?

My getModule function:

 static IntPtr getModule(String processName, String moduleName)
        {
            Process[] ProcessList = Process.GetProcessesByName(processName);
            IntPtr BaseAddress = IntPtr.Zero;

            if (ProcessList.Length > 0)
            {
                Process process = ProcessList[0];

                foreach (System.Diagnostics.ProcessModule Module in process.Modules)
                {
                    if (Module.ModuleName.Contains(moduleName))
                    {
                        BaseAddress = Module.BaseAddress;
                        break;
                    }

                }

            }

            return BaseAddress;
        }

Main Function:

String process = "ts3client_win64";

IntPtr handle = getProcessHandle(process);

if (!handle.Equals(new IntPtr(1337)))
    {
      IntPtr qtGui = getModule(process, "Qt5Gui.dll");
      int pingOffset = 0x005F2E58;
      IntPtr pingAdress = IntPtr.Add(qtGui, pingOffset);

      Int64 finalPingAdress = pingAdress.ToInt64();

      MessageBox.Show("Ping Adress: " + finalPingAdress);
     }
     else
     {
        MessageBox.Show("Process Not Found!");
     }

Image of CheatEngine + my tool

Solution

  • To walk multilevel pointers using modulename.dll + 0xDEADC0DE scheme base addresses you can use my code

    public static IntPtr FindDMAAddy(IntPtr hProc, IntPtr ptr, int[] offsets)
{
    var buffer = new byte[IntPtr.Size];
    foreach (int i in offsets)
    {
        ReadProcessMemory(hProc, ptr, buffer, buffer.Length, out var read);

        ptr = (IntPtr.Size == 4)
        ? IntPtr.Add(new IntPtr(BitConverter.ToInt32(buffer, 0)), i)
        : ptr = IntPtr.Add(new IntPtr(BitConverter.ToInt64(buffer, 0)), i);
    }
    return ptr;
}

public static IntPtr GetModuleBaseAddress(Process proc, string modName)
{
    IntPtr addr = IntPtr.Zero;

    foreach (ProcessModule m in proc.Modules)
    {
        if (m.ModuleName == modName)
        {
            addr = m.BaseAddress;
            break;
        }
    }
    return addr;
}

    Here is an example of me using this code to do what you want to do

    Process process;

process = Process.GetProcessesByName("ac_client")[0];

var hProc = OpenProcess(0x001F0FFF, false, process.Id);

var modBase = GetModuleBaseAddress(process, "ac_client.exe");

var addr = FindDMAAddy(hProc, (IntPtr)(modBase + 0x10f4f4), new int[] { 0x374, 0x14, 0 });

Console.WriteLine("0x" + addr.ToString("X"));
Console.ReadKey();