Read memory

[Nivex]

Hello everyone!

I am in need of help.

My code is suppose to read an address in the memory which holds some text..

When it reads the address it returns numbers instead of text..

By the way if its because I have txt() declared as long then what do I do because if I use string it closes everything including visual basics studio.


Module code

Code:

Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Declare Function GetCurrentProcess Lib "kernel32" () As Long
Public Const PROCESS_ALL_ACCESS = &H1F0FFF

Form code

Code:

Dim hwnd As Long ' Holds the handle returned by FindWindow
Dim pid As Long ' Used to hold the Process Id
Dim pHandle As Long ' Holds the Process Handle
Dim txt(255) As Long
Dim tstring As String
Dim buffer2 As String

' First get a handle to the "game" window
hwnd = FindWindow(vbNullString, "legend of mir2")
If (hwnd = 0) Then MsgBox ("Window not found!")

' We can now get the pid
GetWindowThreadProcessId hwnd, pid

' Use the pid to get a Process Handle

pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)


If (pHandle = 0) Then MsgBox ("Could not get process handle")

' Now we can read from memory

Dim lpBytesWritten As Long
ReadProcessMemory pHandle, &H12AD3F, txt(0), ByVal 255, lpBytesWritten

If lpBytesWritten > 0 Then
  tstring = Trim(StrConv(txt(0), vbUnicode))
  Text1.Text = tstring
Else
  MsgBox Err.LastDllError
End If
' Close the Process Handle
CloseHandle pHandle

[ice_531]

You have to convert the byte array into a string.

When your reading from memory it isnt' in string format..so you have to convert, i know there is code that does this on the forum.

look through this aswell: here

[Nivex]

Thanks for your reply.. I had a go at doing it but this doesn't seem to work it gives me an error:

Code:

   For i = 0 To 255
        If Chr(txt(i)) = vbNullChar Then Exit For ' - invalid procedure or call 
        tstring = tstring & Chr(txt(i))
    Next i

I also tried this gives same error:

Code:

    For index = LBound(txt()) To UBound(txt())
        If Chr(txt(index)) = vbNullChar Then Exit For
        tstring = tstring & Chr(txt(index))
    Next index

EDIT: fixed it.. txt() had to be byte not long.. also it displays some weird text not what I wanted.

if I read address: 0014D130

Address holds in artmoney when I view it: Johny

the letters it gets without converting: 48

when it trys to convert the bytes to string:

Code:

0?

now what.


EDIT AGAIN: I don't understand why i'm converting numbers into the ascii keys...when I do convert thought every 255 byte holds 48... which then converted means 0.. 255 0s.. so what does this mean?

so o very confusing please look at the current code:

Code:

Private Sub Form_Load()
 Dim hWnd As Long ' Holds the handle returned by FindWindow
Dim pID As Long ' Used to hold the Process Id
Dim pHandle As Long ' Holds the Process Handle
Dim txt(255) As Byte
Dim tstring As String
Dim buffer2 As String
Dim testy As String
Dim index As Long

' First get a handle to the "game" window
hWnd = FindWindow(vbNullString, "Form1")
If (hWnd = 0) Then MsgBox ("Window not found!")

' We can now get the pid
GetWindowThreadProcessId hWnd, pID

' Use the pid to get a Process Handle

pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pID)


If (pHandle = 0) Then MsgBox ("Could not get process handle")

' Now we can read from memory

Dim lpBytesWritten As Long
Call ReadProcessMemory(pHandle, &H14D130, txt(0), ByVal 255, 0&)

Dim test As Integer
For test = 0 To 255
If Chr(txt(test)) = "" Then
Exit Sub
End If
Text1.Text = Text1.Text & txt(test)
tstring = tstring & Chr(txt(test))
Next test

Text2.Text = tstring
'test = 0

   'For test = 0 To 255
  '      If Chr(txt(test)) = vbNullChar Then Exit For ' - invalid procedure or call
   '     tstring = tstring & Chr(txt(test))
 '   Next test
'tstring = Trim(StrConv(txt(0), vbUnicode))
  'For index = LBound(txt()) To UBound(txt())
   '     If Chr(txt(index)) = vbNullChar Then Exit For
  '      tstring = tstring & Chr(txt(index))
'    Next index
   'Text1.Text = tstring
'Else
 '  MsgBox Err.LastDllError
'End If
' Close the Process Handle
CloseHandle pHandle
End Sub

EDIT once again: simple way to convert bytes to string:

Code:

Dim test As Long
For test = 0 To 255
If Chr(txt(test)) = "" Then
Exit Sub
End If
Text1.Text = Text1.Text & txt(test)
tstring = StrConv(txt(test), vbUnicode) 'what converts it
Next test

But it still returns 0.. so i'm trying to figure out why.

[Nivex]

Hm.. you still alive?

[ice_531]

Sorry lol havent checked this thread in awhile

Well

Code:

Dim test As Long
For test = 0 To 255
If Chr(txt(test)) = "" Then
Exit Sub
End If
Text1.Text = Text1.Text & txt(test)
tstring = StrConv(txt(test), vbUnicode) 'what converts it
Next test

that should be working, i am not quite sure why that is returniing a value of 0 instead of the original string. I will try a few things and maybe even ask megatron to have a looksy

[Nivex]

Its not I got beyond that problem.. now it just displays weird text that the chr() gives so I don't think converting bytes to string is what needs to be done.. heres my latest code:

when i read address i get these numbers: 6812541144424918
its suppose to be text not numbers.. so then I try to convert bytes to string and get some funky text that isn't even close to the text it really holds.

I think we need some one who knows what kind of thing it is so we can convert it. :P

Code:

 Dim hWnd As Long ' Holds the handle returned by FindWindow
Dim pID As Long ' Used to hold the Process Id
Dim pHandle As Long ' Holds the Process Handle
Dim txt(255) As Byte
Dim tstring As String
Dim buffer2 As String
Dim testy As String
Dim index As Long

' First get a handle to the "game" window
hWnd = FindWindow(vbNullString, "legend of mir2")
If (hWnd = 0) Then MsgBox ("Window not found!")

' We can now get the pid
GetWindowThreadProcessId hWnd, pID

' Use the pid to get a Process Handle

pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pID)


If (pHandle = 0) Then MsgBox ("Could not get process handle")

' Now we can read from memory

Dim lpBytesWritten As Long
Call ReadProcessMemory(pHandle, &H12AD3F, txt(0), ByVal 255, lpBytesWritten)
Dim test As Long
For test = 0 To 255
If Chr(txt(test)) = vbNullChar Then Exit For
Text1.Text = Text1.Text & txt(test) 'raw data
Text3.Text = Text3.Text & Chr(txt(test)) ' converted bytes to string
Text2.Text = Text2.Text & Hex$(txt(test)) 'converted to hex for testing
Next test

CloseHandle pHandle

Please help me ice. :P

[Merri]

Humm...

Code:

Dim Temp As String
Dim txt(255) As Byte

'lets assume txt gets filled with data here...

'convert byte array to string
Temp = txt

'in case it doesn't show up correctly yet, you can try this:
Temp = StrConv(txt, vbUnicode)

'and to check if it is correct now:
Debug.Print Temp

Hope it helps


You can also use Debug.Print txt, even if it is a byte array. You can't store stuff to it though, as it is a fixed length array. If it was variable length array, then you could use it almost like if it were a string.

[Nivex]

Thanks for the attempt.. but nope

heres the out come on everything..

The address holds the text SilverHaze and This is what I get:

Code:

raw data: 6812541144424918
Converted to hex: 441FE722CF912
chr() function: D
,?
Temp = txt: n?????
TRIM() function: D
,?

Please

[Merri]

Okay, to really see what is in the array:

Code:

For A = 0 To 255
    If txt(A) > 0 Then Debug.Print "Byte " & A & " : " & txt(A)
Next A

Then just paste the result so we can see what it is like.


But what I can see from what you've given, you are getting something quite different from what you want.

[Nivex]

i'mg lad you understand:

I think its just this: 6812541144424918

results:

Code:

Byte 0 : 68
Byte 1 : 1
Byte 2 : 254
Byte 3 : 114
Byte 4 : 44
Byte 5 : 249
Byte 6 : 18
Byte 8 : 16
Byte 10 : 254
Byte 11 : 114
Byte 13 : 254
Byte 14 : 253
Byte 15 : 114
Byte 24 : 16
Byte 26 : 254
Byte 27 : 114
Byte 28 : 207
Byte 29 : 54
Byte 31 : 127
Byte 36 : 16
Byte 40 : 137
Byte 41 : 182
Byte 42 : 3
Byte 43 : 127
Byte 44 : 2
Byte 48 : 150
Byte 49 : 6
Byte 50 : 1
Byte 51 : 234
Byte 52 : 216
Byte 53 : 248
Byte 54 : 18
Byte 56 : 199
Byte 57 : 31
Byte 58 : 253
Byte 59 : 114
Byte 60 : 19
Byte 72 : 44
Byte 73 : 249
Byte 74 : 18
Byte 81 : 254
Byte 82 : 253
Byte 83 : 114
Byte 88 : 16
Byte 90 : 254
Byte 91 : 114
Byte 92 : 3
Byte 96 : 1
Byte 100 : 8
Byte 101 : 249
Byte 102 : 18
Byte 104 : 133
Byte 105 : 33
Byte 106 : 253
Byte 107 : 114
Byte 112 : 3
Byte 120 : 44
Byte 121 : 249
Byte 122 : 18
Byte 124 : 28
Byte 125 : 255
Byte 126 : 253
Byte 127 : 114
Byte 128 : 2
Byte 132 : 134
Byte 133 : 176
Byte 134 : 252
Byte 135 : 114
Byte 136 : 36
Byte 137 : 255
Byte 138 : 253
Byte 139 : 114
Byte 140 : 255
Byte 141 : 255
Byte 142 : 255
Byte 143 : 255
Byte 144 : 150
Byte 145 : 6
Byte 146 : 1
Byte 147 : 234
Byte 149 : 254
Byte 150 : 253
Byte 151 : 114
Byte 152 : 192
Byte 153 : 254
Byte 154 : 253
Byte 155 : 114
Byte 156 : 230
Byte 157 : 47
Byte 158 : 253
Byte 159 : 114
Byte 160 : 150
Byte 161 : 6
Byte 162 : 1
Byte 163 : 234
Byte 164 : 36
Byte 165 : 255
Byte 166 : 253
Byte 167 : 114
Byte 168 : 28
Byte 169 : 255
Byte 170 : 253
Byte 171 : 114
Byte 172 : 150
Byte 173 : 6
Byte 174 : 1
Byte 175 : 234
Byte 180 : 1
Byte 188 : 13
Byte 192 : 104
Byte 193 : 249
Byte 194 : 18
Byte 198 : 20
Byte 200 : 230
Byte 201 : 23
Byte 202 : 245
Byte 203 : 119
Byte 204 : 3
Byte 208 : 24
Byte 209 : 7
Byte 210 : 20
Byte 214 : 20
Byte 216 : 176
Byte 217 : 167
Byte 218 : 224
Byte 219 : 3
Byte 220 : 64
Byte 221 : 249
Byte 222 : 18
Byte 224 : 49
Byte 225 : 68
Byte 226 : 156
Byte 227 : 98
Byte 228 : 136
Byte 229 : 251
Byte 230 : 18
Byte 232 : 5
Byte 233 : 144
Byte 234 : 247
Byte 235 : 119
Byte 236 : 240
Byte 237 : 213
Byte 238 : 246
Byte 239 : 119
Byte 240 : 255
Byte 241 : 255
Byte 242 : 255
Byte 243 : 255
Byte 244 : 230
Byte 245 : 23
Byte 246 : 245
Byte 247 : 119
Byte 248 : 120
Byte 249 : 23
Byte 250 : 245
Byte 251 : 119
Byte 252 : 178
Byte 253 : 23
Byte 254 : 245

[Merri]

Yup, whatever you are getting now, is wrong. You're propably reading a wrong position in the memory. I can't help much more than that, byte arrays are where I have some expertancy.

[Nivex]

Merri please man. lol

Ok I use artmoney memory editor.. now I use search and use search for Text then type in SilverHaze it finds it.. 1 value of it. And its value in the program is SilverHaze so what does this mean?

Why can it read it and I can't?

[Merri]

Hmm, try this:

Call ReadProcessMemory(pHandle, &H12AD3F, ByVal VarPtr(txt(0)), ByVal 255, lpBytesWritten)

No idea if it'll work any better.

[Nivex]

actually it outcomes the same

anyway take a look at what i'm using..

http://www.smir.co.uk/upload/uploaded/editor.JPG


I wish this would work so badly.

[Calibra]

PHP Code:


Dim txt(255) As Long

&

ReadProcessMemory pHandle, &H12AD3F, txt(0), ByVal 255, lpBytesWritten 


Actual info from MSDN :

ReadProcessMemory

The ReadProcessMemory function reads data from an area of memory in a specified process. The entire area to be read must be accessible, or the operation fails.


BOOL ReadProcessMemory(
HANDLE hProcess,
LPCVOID lpBaseAddress,
LPVOID lpBuffer, <-- pointer to actual buffer
SIZE_T nSize,
SIZE_T* lpNumberOfBytesRead
);

Parameters
hProcess
[in] Handle to the process whose memory is being read. The handle must have PROCESS_VM_READ access to the process.
lpBaseAddress
[in] Pointer to the base address in the specified process from which to read. Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access. If this is the case, the function proceeds; otherwise, the function fails.
lpBuffer
[out] Pointer to a buffer that receives the contents from the address space of the specified process.
nSize
[in] Number of bytes to be read from the specified process.
lpNumberOfBytesRead
[out] Pointer to a variable that receives the number of bytes transferred into the specified buffer. If lpNumberOfBytesRead is NULL, the parameter is ignored.
Return Values
If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

The function fails if the requested read operation crosses into an area of the process that is inaccessible.

Remarks
ReadProcessMemory copies the data in the specified address range from the address space of the specified process into the specified buffer of the current process. Any process that has a handle with PROCESS_VM_READ access can call the function. The process whose address space is read is typically, but not necessarily, being debugged.

The entire area to be read must be accessible. If it is not, the function fails as noted previously.

Requirements
Client: Requires Windows XP, Windows 2000 Professional, Windows NT Workstation, Windows Me, Windows 98, or Windows 95.
Server: Requires Windows Server 2003, Windows 2000 Server, or Windows NT Server.
Header: Declared in Winbase.h; include Windows.h.
Library: Use Kernel32.lib.

[Nivex]

I don't understand what you're trying to say.. please explain.

[Megatron]

Where you are obtaining the base address (&H12AD3F) from?

[Nivex]

From a game called Legend of mir 2

I am trying to retrieve the players name..

I hope thats what you ment.

[Megatron]

Well that helps, but still not what I was referring to.

Where do you get this actual value from? I don't see a line where you retrieve this?

More over, why is it hard-coded?

[Nivex]

The game is a mmorpg.. its online. So when I go on my character it stores the characters name in the memory.

then I use Artmoney(a memory editor) I view that address and it has a tetx value which displays SilverHaze.

Then in vb6 I call readprocess() so I can read the text in visual basics 6.

But it displays numbers instead.


Hope you understand, thanks.

[Megatron]

Pass your base address by value

So:

Code:

ReadProcessMemory pHandle, ByVal &H12AD3F, txt(0), ByVal 255, lpBytesWritten

And I hope you're declaring your array as Byte and not Long (unless it's unicode)

[Nivex]

OMG my heart almost stopped when it worked!!!!!!!

THANK YOU GUYS SOOOO MUCH THANK YOU!

2 YEARS OF TRYING TO FIGURE THIS OUT!


THANKKSSS!
<3

[Megatron]

Glad it all worked out.

Remember: by default, ReadProcessMemory, and WriteProcessMemory take the lpAddress argument by reference. This means that (when passed by reference) it's actually sending the address of the variable that's holding "&H12AD3F" and not the actual value itself.

[Nivex]

Thanks..

Also do you have any idea how to find the main address that will always carry the players name..

Everytime I find it its a different address.

I can't have my program read from a static address if it keeps changing. *cries*

any ideas?

[Megatron]

If the RVA (offset) changes each time, then it means the memory is dynamically allocated.

Without the actual structures used to hold or point to data, you're out of luck. Your next approach would be to search the application's virtual address space for a specific sequence of bytes. Use VirtualQueryEx to cycle through each page, and read it with ReadProcessMemory. Scan these read bytes for your sequence, and if it's found, exit the loop.

[SgtBane]

I have found this thread quite uefull just looking through the progress that was made on this topic. But after getting most of this working properly, there is a little flaw that sort of makes this entire function useless.
I am rather new to VB still, but I know a few things.

VB Code:

Public Function ReadCustom(Offset As Long, WindowName As String) As String
    Dim hWnd As Long
    Dim ProcessID As Long
    Dim ProcessHandle As Long
    Dim arr(255) As Byte
    Dim test As Long
    
    hWnd = FindWindow(vbNullString, WindowName)
    If hWnd = 0 Then
        Exit Function
    End If
    GetWindowThreadProcessId hWnd, ProcessID
    ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, False, ProcessID)
    If ProcessHandle = 0 Then
        Watcher.lblStatus.Caption = "Status: Cannot find window"
        Exit Function
    Else
        Watcher.lblStatus.Caption = "Status: Running..."
    End If
    
    Call ReadProcessMemory(ProcessHandle, ByVal Offset, arr(0), ByVal 255, lpbyteswritten)
    For test = 0 To 255
        If Chr(arr(test)) = vbNullChar Then Exit For
        ReadCustom = ReadCustom & Hex$(arr(test))
    Next test
    
    CloseHandle ProcessHandle
End Function

When this code is run I get the error on the line where it is reading the memory. It highlights the "arr(0)" line and it says type mismatch. Now I know that it must be in byte format, so i know that is correct. But when I change the variable "Offset" to a fixed value then it works fine. But like I said earlyer it makes this function rather useless only being able to find one offset.

Any help is aprecieated.

Ps. I realize that this topic has been dead for around two years now. But I am still hopeing that I will get a response.

[Merri]

How you have defined ReadProcessMemory? Check the datatypes are correct.

[moeur]

try declaring it like this

VB Code:

Private Declare Function ReadProcessMemory Lib "kernel32" ( _
    ByVal hProcess As Long, _
    byval lpBaseAddress As long, _
    lpBuffer As byte, _
    ByVal nSize As Long, _
    lpNumberOfBytesWritten As Long _
) As Long

[SgtBane]

wow! thanks for the quick response.
I currently have it declared with:

VB Code:

Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, lpBuffer As Byte, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

and have tried your suggestion of:

VB Code:

Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

with no change in results.

I have noticed though that some people use offsets in the form of "&H12AD3F" wich i believe is "HEX". (like i said.. I am rather new to this) And that the offset values that I use are "27375537". I used tsearch's "Converter" function to convert a hex value into this using Data Type "unsigned byte". I have no theory behind how it works, I just know that I have been able to use tsearch to find values, convert them that way, and use the readprocessmemory command on the values that I convert and it seems to work fine. (Also the same offsets found by "Cheatmaster" on "pscode.com".)

If you need to see any more of my code, then feel free to ask. Thanks again for the quick response.

[Merri]

This isn't really related to your problem, but you could optimize your code a bit:

VB Code:

For test = 0 To 255
        If arr(test) = 0 Then Exit For
        ReadCustom = ReadCustom & Hex$(arr(test))
    Next test

There is no need to convert to a string, comparing numbers is superior in speed

[SgtBane]

Thanks. I have revised my code a little with your suggestion.
Though as you said, it doesen't realy help me with my problem. But thanks, it makes sence to remove that step, since there is no point of converting it if I can do the same thing just leaving it as a number.

Ide realy like to figure this out though. I have no idea why it says that its a type mismatch because in the beginning of this thread the first guy had it as txt(255) as long
and was told to make it
txt(255) as byte

and I did that, but thats where it gives me the error.

VB Code:

Call ReadProcessMemory(ProcessHandle, ByVal Offset, arr(0), ByVal 255, lpbyteswritten)

it highlights the "arr(0)"

Edit:
I just thought.. Can I maby collect the offset data as a number, and then convert it?

How can I take a bunch of numbers (say from a textbox) and convert it into readable text? I know that may add an extra useless step, but at the moment I am not realy going for speed, I just want it to work properly. Then I will go through it and clean it up.

[moeur]

try this

VB Code:

Call ReadProcessMemory(ProcessHandle, ByVal Offset, arr(0), ByVal 255&, byval 0&)

[SgtBane]

Yeah thanks! that worked
Once I did that i started to get jibberish, but atleast it was working.. then I noticed it was translating it into HEX, so i changed it to "Chr(arr(test))" instead of "Hex$(arr(test))". A stupid mistake on my part :S

But it works now, so thankyou very much! Now just a few more bugs to work out ralating to transparencys, but ill look it up first before i go posting somewhere.

For anyone else who finds this thread looking for the same thing I was, here are my end results.

VB Code:

Public Function ReadCustom(Offset As Long, WindowName As String) As String
    Dim hWnd As Long
    Dim ProcessID As Long
    Dim ProcessHandle As Long
    Dim arr(255) As Byte
    Dim test As Long
 
    hWnd = FindWindow(vbNullString, WindowName)
    If hWnd = 0 Then
        Exit Function
    End If
    GetWindowThreadProcessId hWnd, ProcessID
    ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, False, ProcessID)
    If ProcessHandle = 0 Then
        'Message if window is not found goes here.
        Exit Function
    Else
        'Message when window is found goes here.
    End If
    
    Call ReadProcessMemory(ProcessHandle, ByVal Offset, arr(0), ByVal 255&, ByVal 0&)
    
    For test = 0 To 255
        If arr(test) = 0 Then Exit For
        ReadCustom = ReadCustom & Hex$(arr(test))
    Next test
 
    CloseHandle ProcessHandle
End Function

Thanks again!