Reading Memory, then reading Pointer to Memory

[kevikev]

I was using this thread as an example:
https://autohotkey.com/boards/viewtopic.php?f=5&t=31288

I'm also trying to figure out how to correctly read the pointer to a memory address so I don't have to change my script every time I load up my headset software.

I initially used CheatEngine to figure out what memory address was used to store my headset's battery level, and then reading through some other threads about how to figure out the pointer address, I came up with:

astrocc-battery-offset.PNG (5.41 KiB) Viewed 1865 times

I tried using the offset (0x67E770B) in the following code:

Code: Select all

#SingleInstance force

#Include <classMemory>

if (_ClassMemory.__Class != "_ClassMemory")
    msgbox class memory not correctly installed. Or the (global class) variable "_ClassMemory" has been overwritten

Process, Exist, ASTRO Command Center.exe
pid := ErrorLevel
if !pid 
{
    msgbox pid not found 
    ExitApp
}

mem := new _ClassMemory("ahk_pid " pid, "", hProcessCopy) 

; Check if the above method was successful.
if !isObject(mem) 
{
    msgbox failed to open a handle
    if (hProcessCopy = 0)
        msgbox The program isn't running (not found) or you passed an incorrect program identifier parameter. 
    else if (hProcessCopy = "")
        msgbox OpenProcess failed. If the target process has admin rights, then the script also needs to be ran as admin. Consult A_LastError for more information.
    ExitApp
}
; setformat is only used to make displayed number easier to read
SetFormat, IntegerFast, H

; *** if .exe is 64 bit then the AHK script must be 64 bit***
msgbox % "Base Address: " mem.BaseAddress

SetFormat, IntegerFast, d 

pointerHSBat := [0x67E770B + mem.BaseAddress, "UInt", 0x10, 0x20, 0x20, 0x124]

msgbox % "HSBatLeft: " mem.read(pointerHSBat*)

But, it's not returning the value that I expect. I suspect I'm not adding the correct offset?

[RHCP]

What is the entire contents of this field?

Code: Select all

; if the red circled field contains something like:
; ASTRO Command Center.exe + HEXOffset
; then replace xxxxx below with value of HEXOffset - remember to append the 0x 
pointerHSBat := [mem.BaseAddress + xxxxx, "UInt", 0x67E770B]
msgbox % "HSBatLeft: " mem.read(pointerHSBat*)


; if the red circled field just contains
; ASTRO Command Center.exe
; then its not a pointer, and this should work 
msgbox % mem.read(mem.BaseAddress + 0x67E770B)

[kevikev]

The field contains "ASTRO Command Center.exe" (including the quotes)

I'm not sure I'm doing this correctly.

Code: Select all

[mem.BaseAddress, "UInt", 0x67E770B]

returns the correct value; so I tried reloading the exe and the value is no longer there.

[RHCP]

The field contains "ASTRO Command Center.exe" (including the quotes)

I'm not sure I'm doing this correctly.

Code: Select all

[mem.BaseAddress, "UInt", 0x67E770B]

returns the correct value; so I tried reloading the exe and the value is no longer there.

I assume CE doesn't display the value either for that 'pointer'?

The listed value in CE is not a real pointer. It is effectively address = processBaseAddress + 0x67E770B.
You need to find a proper pointer for the address.

[kevikev]

The field contains "ASTRO Command Center.exe" (including the quotes)

I'm not sure I'm doing this correctly.

Code: Select all

[mem.BaseAddress, "UInt", 0x67E770B]

returns the correct value; so I tried reloading the exe and the value is no longer there.

I assume CE doesn't display the value either for that 'pointer'?

The listed value in CE is not a real pointer. It is effectively address = processBaseAddress + 0x67E770B.
You need to find a proper pointer for the address.

Find the proper pointer (e.g., "ASTRO Command Center.exe"+Exxx) for the address that contains the value of the battery level?

[RHCP]

You need to find a real pointer for the address that stores the battery value.

The easiest way is to use the CE pointer scan. Lookup some youtube guides.