I'm trying to make a program that reads the timer value from Minesweeper. (OS is Windows 7 64-bit.)
Using Cheat Engine I found the base address of the variable, but it changes every time I run Minesweeper.

What do I need to do to find out the base address automatically?
Does it have something to do with the executable base address?

Here's my code:

#include <windows.h>
#include <iostream>
using namespace std;



int main()
{
    DWORD baseAddress = 0xFF1DAA38;//always changing
    DWORD offset1 = 0x18;
    DWORD offset2 = 0x20;
    DWORD pAddress1;
    DWORD pAddress2;

    float value = 0;
    DWORD pid;
    HWND hwnd;

    hwnd = FindWindow(NULL,"Minesweeper");
    if(!hwnd)//didn't find the window
    {
        cout <<"Window not found!\n";
        cin.get();
    }
    else
    {
        GetWindowThreadProcessId(hwnd,&pid);
        HANDLE phandle = OpenProcess(PROCESS_VM_READ,0,pid);//get permission to read
        if(!phandle)//failed to get permission
        {
            cout <<"Could not get handle!\n";
            cin.get();
        }
        else
        {
            ReadProcessMemory(phandle,(void*)(baseAddress),&pAddress1,sizeof(pAddress1),0);
            ReadProcessMemory(phandle,(void*)(pAddress1 + offset1),&pAddress2,sizeof(pAddress2),0);
            while(1)
            {
                ReadProcessMemory(phandle,(void*)(pAddress2 + offset2),&value,sizeof(value),0);
                cout << value << "\n";
                Sleep(1000);
            }
        }
    }
}

Edited 4 Years Ago by yoni0505: make it simpler


You have to allocate memory for the hModules array before calling EnumProcessModules() because that function doesn't do it for you. Study the MSDN page about EnumProcessModules() more carefully and follow the example links near the bottom of that page. Don't try to allocate an array exactly the size needed because that will usually fail. Even EnumProcessModules() can't tell you the exact size needed because processes are always changing. So it's better to just create some arbitrarily large array of hModules. Go to Task Manager, look at the processes it lists, then double that number for your program.

Edited 4 Years Ago by Ancient Dragon

In a PE file the base address is always in the same place, the Optional Header. In the Windows structure IMAGE_OPTIONAL_HEADER it is known as AddressOfEntryPoint; you just need to fill the structure and take it...

I found the base address of the variable, but it changes every time I run Minesweeper.

FYI, it's quite likely that your Minesweeper has been compiled with Address space layout randomization enabled, meaning that the address of the variable will continue to keep changing.

To check whether this feature is enabled, you can use e.g. the following

dumpbin.exe /headers minesweeper.exe

and look for Dynamic Base under OPTIONAL HEADER VALUES as in the following example

**OPTIONAL HEADER VALUES**
        8140 DLL characteristics
               *Dynamic base*
               NX compatible
               Terminal Server Aware
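
Added example, not code from any post in this thread: the same check that dumpbin performs, done in portable C++ by parsing the PE optional header and decoding the DLL characteristics word (0x8140 in the output above). The names PeInfo, parsePeHeaders and makeSample are introduced here, and the header bytes are a constructed sample, not taken from a real minesweeper.exe.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// DLL characteristics bits that dumpbin prints by name.
constexpr uint16_t DYNAMIC_BASE = 0x0040, NX_COMPAT = 0x0100, TS_AWARE = 0x8000;
struct PeInfo {
    uint64_t imageBase = 0;  // preferred load address, not the runtime one under ASLR
    uint16_t dllChars = 0;   // raw "DLL characteristics" word
    bool has(uint16_t flag) const { return (dllChars & flag) != 0; }
};
template <typename T>  // bounds-checked read; little-endian host assumed
static bool readAt(const std::vector<uint8_t>& b, size_t off, T& out) {
    if (off > b.size() || b.size() - off < sizeof(T)) return false;
    std::memcpy(&out, b.data() + off, sizeof(T));
    return true;
}

bool parsePeHeaders(const std::vector<uint8_t>& b, PeInfo& info) {
    uint16_t mz = 0, magic = 0;
    uint32_t peOff = 0, sig = 0, base32 = 0;
    if (!readAt(b, 0, mz) || mz != 0x5A4D) return false;            // "MZ"
    if (!readAt(b, 0x3C, peOff)) return false;                      // e_lfanew
    if (!readAt(b, peOff, sig) || sig != 0x00004550) return false;  // "PE\0\0"
    const size_t opt = size_t(peOff) + 4 + 20;  // skip signature + COFF file header
    if (!readAt(b, opt, magic)) return false;
    if (magic == 0x20B) {                       // PE32+: 8-byte ImageBase at +24
        if (!readAt(b, opt + 24, info.imageBase)) return false;
    } else if (magic == 0x10B) {                // PE32: 4-byte ImageBase at +28
        if (!readAt(b, opt + 28, base32)) return false;
        info.imageBase = base32;
    } else return false;
    return readAt(b, opt + 70, info.dllChars);  // same offset in PE32 and PE32+
}

// Constructed sample: a minimal PE32+ header image, not bytes from a real file.
std::vector<uint8_t> makeSample(uint16_t dllChars) {
    std::vector<uint8_t> b(0x80 + 24 + 72, 0);
    auto put = [&b](size_t off, uint64_t v, size_t n) { std::memcpy(&b[off], &v, n); };
    put(0, 0x5A4D, 2); put(0x3C, 0x80, 4); put(0x80, 0x4550, 4);
    put(0x98, 0x20B, 2); put(0x98 + 24, 0x100000000ULL, 8); put(0x98 + 70, dllChars, 2);
    return b;
}

int main() {
    PeInfo i;
    if (!parsePeHeaders(makeSample(0x8140), i)) return 1;
    std::cout << "Dynamic base: " << (i.has(DYNAMIC_BASE) ? "yes" : "no") << "\n";
}
```

To check a real binary, read the file's first few kilobytes into the vector and pass it to parsePeHeaders instead of the constructed sample.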

Study the MSDN page about EnumProcessModules() more carefully and follow the examples links near the bottom of that page.

Since your OS is Windows 7 64-bit, ASLR is implemented by default. IMHO, MitrMakr correctly identified the issue. So, with that said, I offer one possible solution. Use the CreateToolhelp32Snapshot function to get the base address from the MODULEENTRY32 structure. At that point you can use the modBaseAddr structure member as a starting point. You will need to add an offset to the base address to where your data resides. Finally, execute your ReadProcessMemory at the calculated address to acquire your data.
