I don't know much about C++ and ctypes, so please don't kick me right away. :)
If this has already been asked, sorry.
I am writing a program to track a character's state in a game.
I have a snippet of Python code that helps me get a value from memory, but I don't understand how to add up the base DLL address and its offsets.
```python
import re
import struct
import ctypes

import win32process

# with pywin32 get pid and loaded modules
.....
for i in range(len(modules)):
    dllName = re.search('NWindow.DLL', win32process.GetModuleFileNameEx(processHandle, modules[i]))
    if dllName:
        dllAddress = modules[i]  # module handle == load address of the DLL
        print(hex(dllAddress), win32process.GetModuleFileNameEx(processHandle, modules[i]))
        break
processHandle.close()

dllAddress += 0x009CF49C  # Base DLL address + something from CE ..:D
offsets = [0x5AC, 0x200, 0x268, 0x6C4, 0x240]  # Offsets list
buffer = (ctypes.c_byte * 4)()     # 4 bytes: one 32-bit value
bytesRead = ctypes.c_size_t(0)     # SIZE_T *lpNumberOfBytesRead
pHandle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, get_pid('process.exe'))  # PROCESS_ALL_ACCESS
# the offsets are simply summed here and added to the static address
ctypes.windll.kernel32.ReadProcessMemory(pHandle, dllAddress + sum(offsets), buffer, len(buffer),
                                         ctypes.byref(bytesRead))
print(struct.unpack('i', buffer)[0])
```
For example:
from Cheat Engine I get this view (click)
After adding the address of the required DLL and its offsets in Python, I don't get the same address as CE:
CE: 0x0F386E40
Py: 0xDAD07B4
Of course, I can't get the real value from the wrong address. But if I just enter the (dynamic) address found by CE, I get the real value.
I don't know enough about working with RAM, please help me. :)
I hope I have made the question clear.
UPD: Yes, I did it
```python
def get_address(base_address, offsets):
    # read the pointer stored at the static address (buffer is 4 bytes: 32-bit target)
    ctypes.windll.kernel32.ReadProcessMemory(pHandle, base_address, buffer,
                                             len(buffer), ctypes.byref(bytesRead))
    addr = struct.unpack('<I', buffer)[0]  # pointers are unsigned
    # for every offset except the last: add it, then dereference
    for i in range(len(offsets) - 1):
        addr += offsets[i]
        ctypes.windll.kernel32.ReadProcessMemory(pHandle, addr, buffer,
                                                 len(buffer), ctypes.byref(bytesRead))
        addr = struct.unpack('<I', buffer)[0]
    # the last offset is added without dereferencing: this is the address of the value
    result = addr + offsets[len(offsets) - 1]
    return result
```
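As an added illustration (not the asker's code and not anything from Cheat Engine), here is the general multi-level pointer walk that the UPD function implements, run over a constructed fake memory map so it executes offline without a process handle. It shows why the first snippet's `base + sum(offsets)` lands on a different, unmapped address while dereferencing one level at a time reaches the stored value. It also goes one step beyond the post with a `trace_pointer_chain` helper that returns every intermediate (address read, pointer found) pair, which is what you compare row by row against the scanner's pointer view when a chain does not resolve. `MODULE_BASE`, the object addresses, `ReadFault` and the stored value 1337 are all made up for this example; only the static offset and the offset list come from the question.

```python
import struct

# Constructed sample "process memory" for this example: a sparse map of
# address -> 4-byte little-endian word. It stands in for ReadProcessMemory so
# the example runs offline; nothing here comes from a real game or process.
MODULE_BASE = 0x10000000            # assumed load address of the module (placeholder)
STATIC_OFFSET = 0x009CF49C          # module-relative offset shown by the pointer scanner
OFFSETS = [0x5AC, 0x200, 0x268, 0x6C4, 0x240]
EXPECTED_VALUE = 1337               # constructed value stored at the end of the chain


class ReadFault(Exception):
    """Raised for an unmapped address, like ReadProcessMemory returning FALSE."""


def build_sample_memory():
    """Lay out a 5-level pointer chain in the fake memory map."""
    mem = {}
    base = MODULE_BASE + STATIC_OFFSET
    # intermediate object addresses (constructed; arbitrary but distinct)
    objects = [0x00400000, 0x00500000, 0x00600000, 0x00700000, 0x00800000]
    mem[base] = struct.pack('<I', objects[0])            # [base] -> first object
    for prev, off, nxt in zip(objects, OFFSETS, objects[1:]):
        mem[prev + off] = struct.pack('<I', nxt)         # [object + offset] -> next object
    mem[objects[-1] + OFFSETS[-1]] = struct.pack('<I', EXPECTED_VALUE)  # last offset: the value itself
    return mem


def read_u32(mem, addr):
    """Read one 32-bit unsigned word; fault on unmapped addresses."""
    raw = mem.get(addr)
    if raw is None:
        raise ReadFault(f"unmapped read at {addr:#010x}")
    return struct.unpack('<I', raw)[0]


def resolve_pointer_chain(read, base, offsets):
    """Scanner-style resolution: dereference, then add an offset, repeatedly.

    address = [ ... [ [base] + off0 ] + off1 ... ] + off_last
    The last offset is added but not dereferenced: the result is the address
    of the value, not the value.
    """
    addr = read(base)
    for off in offsets[:-1]:
        addr = read(addr + off)
    return addr + offsets[-1]


def trace_pointer_chain(read, base, offsets):
    """Same walk, but also return every (address_read, pointer_found) pair so
    the steps can be compared one by one with the scanner's pointer view."""
    steps = []
    addr = read(base)
    steps.append((base, addr))
    for off in offsets[:-1]:
        nxt = read(addr + off)
        steps.append((addr + off, nxt))
        addr = nxt
    return steps, addr + offsets[-1]


def naive_sum_address(base, offsets):
    """What the question's first snippet computes: the offsets merely summed."""
    return base + sum(offsets)


if __name__ == "__main__":
    mem = build_sample_memory()
    read = lambda a: read_u32(mem, a)
    base = MODULE_BASE + STATIC_OFFSET
    final = resolve_pointer_chain(read, base, OFFSETS)
    print(f"resolved: {final:#010x} -> value {read(final)}")
    for where, ptr in trace_pointer_chain(read, base, OFFSETS)[0]:
        print(f"  [{where:#010x}] = {ptr:#010x}")
    wrong = naive_sum_address(base, OFFSETS)
    print(f"summed:   {wrong:#010x}")
    try:
        read(wrong)
    except ReadFault as e:
        print("  ->", e)
```

With a real target you replace `read_u32` by a function that calls ReadProcessMemory for 4 bytes (or 8 on a 64-bit process) and checks its return value; a failed read at any level means the chain is stale or the offsets are wrong, and the trace tells you at which level.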