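How to use WriteProcessMemory with multi-level pointers

Time: 2014-10-26 05:29:13

Tags: c++ pointers memory offset

First of all, what I am trying to do is change a value in a game's memory. To write to that variable, I need to add up the following pointer and offsets, because that way I always end up with a valid address: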

baseAddr + offset1 + offset2 + offset3 = myDesiredAddr

Now, this is what I tried to do...

ReadProcessMemory(
hProc, (LPVOID)(BaseAddr + offset1), &myDesiredAddr, sizeof(myDesiredAddr), 0
);
ReadProcessMemory(
hProc, (LPVOID)(myDesiredAddr + offset2), &myDesiredAddr, sizeof(myDesiredAddr), 0
);
ReadProcessMemory(
hProc, (LPVOID)(myDesiredAddr + offset3), &myDesiredAddr, sizeof(myDesiredAddr), 0
);

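I have tried WriteProcessMemory on the final address I got, but it does not read or write successfully. Any advice would be helpful.

2 answers:

Answer 0: (score: 3)

You can do it like this: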

unsigned long offset1 =  /* your value              */
unsigned long offset2 =  /* your value              */
unsigned long offset3 =  /* your value              */
unsigned long BaseAddr = /* your value              */
unsigned long Pointer;   /* to hold the final value */
unsigned long temp;      /* hold the temp values    */
unsigned value =         /* value to write          */

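The above shows your declarations. I assume you check whether the read and write functions return successfully; otherwise I suggest you do so.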

ReadProcessMemory(
hProc, reinterpret_cast<LPVOID>(BaseAddr), &temp, sizeof(temp), 0);
Pointer = temp + offset1;

ReadProcessMemory(
hProc, reinterpret_cast<LPVOID>(Pointer), &temp, sizeof(temp), 0);
Pointer = temp + offset2;

ReadProcessMemory(
hProc, reinterpret_cast<LPVOID>(Pointer), &temp, sizeof(temp), 0);
Pointer = temp + offset3;

/* Now Pointer stores the final address and *
 * you can write to it                      */
WriteProcessMemory(
hProc, reinterpret_cast<unsigned*>(Pointer), &value, sizeof(value), 0);

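By adding the memory address and the offset and storing the value in Pointer, you can keep reading from Pointer and storing the temporary address in the temp variable until you reach the final address you want.

I suggest you do this in a loop for efficiency and cleaner code.

Answer 1: (score: 0)

You write a function that walks the multi-level pointer, dereferencing the pointer at each step and adding the relative offset.

In this example I will use a simple Assault Cube cheat I made.

The FindDMAAddy function (Find Dynamic Memory Allocation Address):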

uintptr_t FindDMAAddy(HANDLE hProc, uintptr_t ptr, std::vector<unsigned int> offsets)
{
    uintptr_t addr = ptr;
    for (unsigned int i = 0; i < offsets.size(); ++i)
    {
        ReadProcessMemory(hProc, (BYTE*)addr, &addr, sizeof(addr), 0);
        addr += offsets[i];
    }
    return addr;
}

Main code:

    uintptr_t moduleBase = GetModuleBaseAddress(procId, L"ac_client.exe");

    //Get Handle to Process
    HANDLE hProcess = 0;
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, procId);

    //Resolve base address of the pointer chain
    uintptr_t dynamicPtrBaseAddr = moduleBase + 0x10f4f4;

    std::cout << "DynamicPtrBaseAddr = " << "0x" << std::hex << dynamicPtrBaseAddr << std::endl;

    //Resolve our ammo pointer chain
    std::vector<unsigned int> ammoOffsets = { 0x374, 0x14, 0x0 };
    uintptr_t ammoAddr = FindDMAAddy(hProcess, dynamicPtrBaseAddr, ammoOffsets);

    std::cout << "ammoAddr = " << "0x" << std::hex << ammoAddr << std::endl;

You can find a more complete version of my answer here.
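
The following is an added example, not code from the question or from either answer. It models the per-level dereference both answers describe and adds the return-value check Answer 0 recommends, so a stale pointer is reported by level instead of being followed. `read_mem`, `resolve_chain`, `put32`, `build_sample` and the 64-byte buffer are hypothetical names and constructed data standing in for ReadProcessMemory and a 32-bit target.

```cpp
// Added example. read_mem() is a hypothetical stand-in for ReadProcessMemory
// over a constructed 64-byte buffer; "addresses" are offsets into that buffer.
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

static uint8_t g_target[64];  // constructed sample memory of the "target"

// Fails like ReadProcessMemory does when the range is not readable.
bool read_mem(uint32_t addr, void* out, std::size_t len) {
    if (addr > sizeof(g_target) || len > sizeof(g_target) - addr) return false;
    std::memcpy(out, g_target + addr, len);
    return true;
}

// Dereference the current address, then add this level's offset.
// Returns -1 on success, otherwise the index of the level whose read failed.
int resolve_chain(uint32_t base, const std::vector<uint32_t>& offsets,
                  uint32_t& result) {
    uint32_t addr = base;
    for (std::size_t i = 0; i < offsets.size(); ++i) {
        uint32_t next = 0;  // temporary, so a failed read cannot corrupt addr
        if (!read_mem(addr, &next, sizeof(next))) return static_cast<int>(i);
        addr = next + offsets[i];
    }
    result = addr;  // only written when every level was read successfully
    return -1;
}

void put32(uint32_t at, uint32_t v) { std::memcpy(g_target + at, &v, sizeof(v)); }

void build_sample() {
    std::memset(g_target, 0, sizeof(g_target));
    put32(0x04, 0x10);  // [0x04]       holds 0x10
    put32(0x18, 0x20);  // [0x10 + 0x8] holds 0x20
    put32(0x24, 0x30);  // [0x20 + 0x4] holds 0x30, so the chain ends at 0x30 + 0x0
}

int main() {
    const std::vector<uint32_t> offsets = {0x8, 0x4, 0x0};
    uint32_t out = 0;
    build_sample();
    std::cout << "status " << resolve_chain(0x04, offsets, out) << ", addr 0x" << std::hex << out << "\n";
    std::cout << "flat sum 0x" << (0x04 + 0x8 + 0x4 + 0x0) << " is a different address\n";
    put32(0x18, 0xDEAD);  // constructed stale pointer stored at 0x18; the next read fails
    std::cout << std::dec << "status " << resolve_chain(0x04, offsets, out) << " = level of the failed read\n";
}
```

Against a real process the same shape applies: test the BOOL returned by each ReadProcessMemory call, and read exactly as many bytes as a pointer occupies in the target (4 in a 32-bit process) rather than the pointer size of the reading program.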