I’m trying to extract the value from a memory address using the base address of a .dll + offsets.
I used Cheat Engine to find the base address, and pymem to get the base address as hex.
Here’s the code I used to find the base address:
import pymem pm = pymem.Pymem("PD.exe") baseAddress = pymem.process.module_from_name(pm.process_handle, "jvm.dll").lpBaseOfDll print(hex(baseAddress)) #output: 0x51250000
For reading the value I’m using ReadWriteMemory.
from ReadWriteMemory import ReadWriteMemory rwm = ReadWriteMemory() process = rwm.get_process_by_id(4372) process.open() hp_pointer = process.get_pointer(0x51250000 + 0x0036e654, offsets=[0x28, 0x1d0, 0x26, 0x3a, 0x12]) hp = process.read(hp_pointer) print(hp)
I used the output from the first code as the base address and added +0036e654
to it, but the output is always 0.
If I replace “jvm.dll” with 51250000 in Cheat Engine the addresses are still calculated correctly.
Advertisement
Answer
I was getting it all wrong from the start. The pointer offsets showed in Cheat Engine are hex values, so the offsets should be offsets=[0x40, 0x464, 0x38, 0x58, 0x18]
.