Unable to read value from memory using offsets

I’m trying to extract the value from a memory address using the base address of a .dll + offsets.

I used Cheat Engine to find the base address, and pymem to get the base address as hex.

Here’s the code I used to find the base address:

import pymem
pm = pymem.Pymem("PD.exe")
baseAddress = pymem.process.module_from_name(pm.process_handle, "jvm.dll").lpBaseOfDll

print(hex(baseAddress))

#output: 0x51250000

JavaScript
​x
 
import pymem
pm = pymem.Pymem("PD.exe")
baseAddress = pymem.process.module_from_name(pm.process_handle, "jvm.dll").lpBaseOfDll
​
print(hex(baseAddress))
​
#output: 0x51250000
​

For reading the value I’m using ReadWriteMemory.

from ReadWriteMemory import ReadWriteMemory

rwm = ReadWriteMemory()

process = rwm.get_process_by_id(4372)
process.open()

hp_pointer = process.get_pointer(0x51250000 + 0x0036e654, offsets=[0x28, 0x1d0, 0x26, 0x3a, 0x12])
hp = process.read(hp_pointer)
print(hp)

JavaScript
 
from ReadWriteMemory import ReadWriteMemory
​
rwm = ReadWriteMemory()
​
process = rwm.get_process_by_id(4372)
process.open()
​
hp_pointer = process.get_pointer(0x51250000 + 0x0036e654, offsets=[0x28, 0x1d0, 0x26, 0x3a, 0x12])
hp = process.read(hp_pointer)
print(hp)
​

I used the output from the first code as the base address and added +0036e654 to it, but the output is always 0.

If I replace “jvm.dll” with 51250000 in Cheat Engine the addresses are still calculated correctly.

Answer

I was getting it all wrong from the start. The pointer offsets showed in Cheat Engine are hex values, so the offsets should be offsets=[0x40, 0x464, 0x38, 0x58, 0x18].

Advertisement

Answer