Need help with a C# code


Postby trialusert » Sat Jul 25, 2009 2:01 am

I started to write a C# code that searches a 4-byte value inside a process, but got stuck. Can I get help here (I'm asking as it's a MHS related sub-forum)?
Anyways, I would be most grateful if someone who understands that language could PM me; I kind of need some instruction.

Thank you.

Postby L. Spiro » Sat Jul 25, 2009 6:12 am

The whole process of searching RAM is very complex and you could have gotten stuck anywhere. Why not explain exactly where you got stuck, and what is preventing you from moving forward?

You can probably gain some insight from this reply to a person who asked a similar question:
http://www.gamehacking.com/forums/memor ... #post27802


L. Spiro
Our songs remind you of songs you’ve never heard.

Postby trialusert » Mon Jul 27, 2009 9:23 pm

I wrote a recursive function that separates a 128-byte array into small arrays of 4 bytes each:

Code:
public static bool ValueFound(byte[] srcBytes, int index, int value, ref int count)
{
    if (index >= 128)
        return false;
    byte[] mem = new byte[4];
    Buffer.BlockCopy(srcBytes, index, mem, 0, 4);
    if (BitConverter.ToInt32(mem, 0) == value)
        return true;
    count++;
    return ValueFound(srcBytes, index + 4, value, ref count);
}


Problem is that I can't manage to calculate the address from where the necessary memory (the value) was found.

The variable "count" tells me how many loops ValueFound goes through until it returns its bool value (True or False). Here's the code snippet where I try to calculate the address, using "count":

Code:
//necessary variables: int count, int value, byte[] memory, ProcessMemoryReader preader

for (int i = X [Starting Address]; i <= Y [Ending Address]; i = i + 128 [Bytes Skip])
{
    count = 0;
    memory = preader.ReadProcessMemory(new IntPtr(i), 128 [Bytes to Read],  out bytesread);
    if (ValueFound(memory, 0, value, ref count))
    {
        ProcessOrder.ResumeProcess(p[selected_process].Id); // Ignore this one
        Found_Addresses.Add( i + count ); // <- Here's my problem, look down
        ...
    }
    ...
}


As you can see, I use ( i + count ) to retrieve the address, but it happens to be wrong. Every search returns an address that's really close to the real address. There must be something wrong with the way I calculate it (i + count). Can you tell me what's wrong?

Postby L. Spiro » Tue Jul 28, 2009 6:25 am

Why not just read the chunk of memory into a big buffer and loop over it with a for loop?
Why do you recurse?
And if you have to copy 4 bytes into a buffer (using Buffer.BlockCopy()) then why not use the same buffer over and over (instead of re-allocating it every time as you are now)?


L. Spiro
Our songs remind you of songs you’ve never heard.

Postby trialusert » Tue Jul 28, 2009 7:54 am

-I know it's faster that way, but in my case I want to call ReadProcessMemory() more than once (chances are it will be changed later).
-I recurse (a lot) because it's easier for me to program that way, it just makes my codes easy to read & write...
-About the Buffer.CopyBlock() , you're right - this code is kinda ugly right now but it will be rewritten as soon as I get everything working.

Did you manage to catch my mistake? Why am I getting wrong addresses?

Postby L. Spiro » Tue Jul 28, 2009 9:58 am

I do not have time to look in detail now.
Contrary to what you may have been led to believe, recursion makes it very hard to read and (usually) write.
And as you may now have found, it is also very hard to debug.

Have you stepped through it with the Microsoft debugger?


L. Spiro
Our songs remind you of songs you’ve never heard.

Postby trialusert » Tue Jul 28, 2009 2:47 pm

I see, I guess I'm just used to recursion and that's why I prefer it...
I tried to use the Microsoft debugger, no success so far though.

I really appreciate your time and attention.
Thank you very much :wink:

Postby L. Spiro » Tue Jul 28, 2009 7:54 pm

It is not just that. Recursion causes slower code and leads to stack overflows.
It makes your code slower, harder to understand, and reduces its stability. It should be avoided at all costs.

As for your problem, you increase index by 4 but only increase count by 1.
If you increase index by 4 then you have increased the offset by 4. Since you are using count as an offset, it should be increased by 4 or multiplied by 4 at the end.

Since count is the same thing as index they should be merged into one variable (index).

index should be used to check if the end of the array has been reached. You have allocated 128 bytes per buffer but you operate on 512 bytes in that buffer (count 0-127 = index 0-508, as index is always count * 4).

Lose count, use index to keep track of where you are in the buffer and to check the buffer bounds, and return index as the offset (used to derive the final address).


L. Spiro
Our songs remind you of songs you’ve never heard.

Postby trialusert » Tue Jul 28, 2009 10:46 pm

Wow, I'm so stupid. I erased "count", referenced "index" and now I'm using (i + index) to calculate the correct (!) address.
Thank you, you helped a lot =)
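The fix the thread arrives at, written as an iterative scan; this is an added example and not code posted by anyone in the thread. It goes slightly beyond the original by returning every match in a chunk and by bounding the loop with the number of bytes actually read. The names ChunkScanner, FindOffsets and valid, the base address and the sample buffer are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

public static class ChunkScanner
{
    // Returns the byte offset of every 4-byte-aligned slot within the first
    // `valid` bytes of `chunk` whose Int32 value equals `value`.
    public static List<int> FindOffsets(byte[] chunk, int valid, int value)
    {
        var offsets = new List<int>();
        // Bound by the bytes actually read rather than a hard-coded 128, so a
        // short read near the end of a region is never scanned past its end.
        int limit = Math.Min(valid, chunk.Length);
        for (int index = 0; index + 4 <= limit; index += 4)
        {
            // BitConverter reads in place; no 4-byte scratch copy is needed.
            if (BitConverter.ToInt32(chunk, index) == value)
                offsets.Add(index);
        }
        return offsets;
    }

    public static void Main()
    {
        const long baseAddress = 0x00400000; // constructed chunk base, not a real process address
        const int target = 1337;

        // Constructed 128-byte chunk standing in for one ReadProcessMemory result.
        byte[] chunk = new byte[128];
        Buffer.BlockCopy(BitConverter.GetBytes(target), 0, chunk, 12, 4);
        Buffer.BlockCopy(BitConverter.GetBytes(target), 0, chunk, 124, 4);

        foreach (int index in FindOffsets(chunk, chunk.Length, target))
        {
            int slot = index / 4; // the value the original `count` held
            Console.WriteLine("offset {0,3} -> address 0x{1:X8} (base + slot {2} would give 0x{3:X8})",
                index, baseAddress + index, slot, baseAddress + slot);
        }

        // Simulated short read of 126 bytes: the slot at offset 124 is incomplete and is skipped.
        Console.WriteLine("matches in a 126-byte read: {0}", FindOffsets(chunk, 126, target).Count);
    }
}
```

The second value printed on each line is the address the original (i + count) arithmetic would have produced, which shows why the results landed close to, but not on, the real address.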

