2

** Edit ** After some great help from @tylernygaard I have discovered that the same variable is being written to two difference places in the memory. They are both 'static' addresses. Problem solved. Original question below....

I posted a question earlier regarding "reading" a variable from an executable here (Please excuse my naivety in this area)

I simply wanted to "read" a Total variable from an executable whilst it was running.

I was recommended a program called Cheat Engine which I have downloaded, completed the tutorial and then used.

On one PC, Cheat Engine showed the variable at address "0096E0B4".

Out of curiosity I installed Cheat Engine on another PC and the variable was at address "0096E0A4"

These addresses are so close that I'm assuming this isn't just dynamically chosen at runtime (is it?). So I wondered if anyone knew why they would be different?

And whether it would still be possible to write some code to read the correct value?

John T
  • 167
  • 1
  • 5

1 Answers1

2

You will know if they are static addresses if Cheat Engine shows them green on the search results screen. See pic related. enter image description here

tylernygaard
  • 58
  • 4
  • That's brilliant info. Thanks. The variable is green. But then why is it a different address slightly from the other PC? Should it not be fixed every time? If you could add to your answer that would be great and I'll 'accept' it. – John T Jun 08 '17 at 05:50
  • 1
    Hmm, that's interesting. Are you sure this value is representing exactly what you want and is not a duplicate/coincidence? I only ask because I have not run into this issue yet. I would suggest browsing that memory region and also seeing if the disassembly that writes/reads that value are the same to verify.

    Also, if the address is found using a base pointer with module + offset, that module could possibly vary ever so slightly from your PC to the other's? Different OS, executable version, etc.

     – tylernygaard Jun 08 '17 at 07:02
  • Thanks for your help. The relevant machine code for this address on one PC reads add [DOCU.thisForm+D8],eax and on the other PC it is add [DOCU.thisForm+E8],eax. Also Cheat Engine on one reports the value of the pointer needed to find this address is probably 000000D8 and on the other one it's 000000E8. Does that help? (please excuse my ignorance) Is it just a difference in PC's and I'll have to change my 'reading' code to suit whatever PC the program runs on? Or is there a way of getting the 'reading' code to always find the correct address? Thanks :) – John T Jun 08 '17 at 07:21
  • 1
    Are the differing add instructions showing at the same address in the disassembler? – tylernygaard Jun 08 '17 at 07:29
  • @tylemygaard .... ooops. No they're not. I've just looked and straight after the D8 one is the E8 one! Doh!! So at the same address on both PCs is the E8 one. I'm thinking that the same variable must be copied to two different memory addresses then, and I must have found one address on the first PC and the other address on the second PC? Both software has add [DOCU,thisForm+D8],eax then the next line add [DOCU,thisForum+E8],eax. I don't speak assembly but I'm guessing this is writing that value to two areas in memory that are D8 and E8 offsets from eax, is that correct? – John T Jun 08 '17 at 07:58
  • 1
    Good to hear! If they are truly consecutive instructions, then yes, the value EAX holds is getting written to two different addresses. If they aren't actually consecutive, then it could be conditional (maybe it jumps to one or the other depending on). That should be easy to tell though! :) – tylernygaard Jun 08 '17 at 08:07
  • 1
    @tylemygaard yep definitely consecutive. This is great news for me as I've only got one address to worry about. A massive thank you for all your help. Really appreciate the time you've spent going through this with me. Cheers :-) – John T Jun 08 '17 at 09:05