Skip to content
Advertisement

Unable to read value from memory using offsets

I’m trying to extract the value from a memory address using the base address of a .dll + offsets.

I used Cheat Engine to find the base address, and pymem to get the base address as hex.

enter image description here

Here’s the code I used to find the base address:

import pymem
pm = pymem.Pymem("PD.exe")
baseAddress = pymem.process.module_from_name(pm.process_handle, "jvm.dll").lpBaseOfDll

print(hex(baseAddress))

#output: 0x51250000

For reading the value I’m using ReadWriteMemory.

from ReadWriteMemory import ReadWriteMemory

rwm = ReadWriteMemory()

process = rwm.get_process_by_id(4372)
process.open()

hp_pointer = process.get_pointer(0x51250000 + 0x0036e654, offsets=[0x28, 0x1d0, 0x26, 0x3a, 0x12])
hp = process.read(hp_pointer)
print(hp)

I used the output from the first code as the base address and added +0036e654 to it, but the output is always 0.

If I replace “jvm.dll” with 51250000 in Cheat Engine the addresses are still calculated correctly.

enter image description here

Advertisement

Answer

I was getting it all wrong from the start. The pointer offsets showed in Cheat Engine are hex values, so the offsets should be offsets=[0x40, 0x464, 0x38, 0x58, 0x18].

User contributions licensed under: CC BY-SA
7 People found this is helpful
Advertisement