
C++ reading string from memory

I wrote a dll application that is hooked into a process. It works but it ONLY shows the FIRST letter.
I wanted to get the whole string. The string could vary from 2 letters to 32 letters.

//READING MEMORY
HANDLE ExeBaseAddress = GetModuleHandleA(0);

char uNameAddr = *(char*)((char*)ExeBaseAddress + 0x34F01C);
printf("%c \n", uNameAddr);

I also wanted to understand the parts:

 *(char*)((char*) //<-- what this is for.

And whether it is possible to use this with multilevel pointers:

char multipoint = *(char*)((char*)ExeBaseAddress + 0x34F01C + 0x123 + 0x321 + 0x20);

UPDATE

I guess something is wrong here:

if(uNameAddr == "omnicient")
    cout << "YOU ARE OMNI" << endl;

I used the username omnicient but it did not cout YOU ARE OMNI. I guess my compare is wrong?

char uNameAddr is a character; you need a list of chars (or char*).

try this instead:

char* name= (char*)((char*)ExeBaseAddress + 0x34F01C);
printf("%s \n", name);

What does *(char*)((char*) mean?

(char*)ExeBaseAddress treats ExeBaseAddress as a pointer to some data of type char

((char*)ExeBaseAddress + 0x34F01C) means add 0x34F01C to the above pointer to offset it by 0x34F01C chars

(char*)((char*)ExeBaseAddress + 0x34F01C) means treat this new address as a pointer to some chars

*(char*)((char*)ExeBaseAddress + 0x34F01C) takes the contents of the first char at that location

char uNameAddr = *(char*)((char*)ExeBaseAddress + 0x34F01C); means put that character into the char-sized variable called uNameAddr.

So basically you had a pointer, you offset it, and then took the first character and printed it.

In the example I gave, note how I don't take the first character, and I put it in a pointer variable.

Then I used %s in the printf to make it print out all the chars pointed to by name.

%c displays chars (single characters), %s displays NULL-terminated char*s (strings):

HANDLE ExeBaseAddress = GetModuleHandleA(0);

char *uNameAddr = (char*) ExeBaseAddress + 0x34F01C;
printf("%s \n", uNameAddr);

Notice that I also tidied up the pointer casting, but the important thing is I got rid of the final dereference (the * at the front) and assigned it to a char* (pointer) instead of a char.

If your string isn't NULL-terminated (unlikely), you will need to use %.*s and pass the length of your string too.

As for the second part of your question:

*(char*)((char*) ExeBaseAddress + 0x34F01C)

let's break it down. Inside the brackets (therefore the first thing to be evaluated) is this:

(char *) ExeBaseAddress + 0x34F01C

Well that's a C cast (casting the HANDLE to a char*) followed by an addition. In other words, it says "Treat this thing as if it is a pointer to some memory, then look ahead by 0x34F01C bytes of memory" (char is always 1 byte). It is now a pointer to a new position in memory.

Then we get out of the brackets and cast to char* again... needlessly. It could have been:

*((char*) ExeBaseAddress + 0x34F01C)

and finally we dereference (the * at the front), which says "Now tell me what the bit of memory you're pointing to is". But in this case you don't want that, because you want the whole string, not just the first letter (inside printf, it loops along the memory you send it printing each character until it finds a 0, aka \0 aka NULL).
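An added example, not code from the question or from either answer, that puts the two expressions side by side on a constructed buffer instead of a live process (the buffer, the offset FAKE_NAME_OFFSET, the 32-character NAME32 and all helper names are assumptions): the dereferenced form returns one char, the pointer form returns the whole string, a bounded copy covers the not-NUL-terminated caveat from the second answer, and strcmp on that copy shows why the == comparison in the update never matches.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the module image. The question reads the name at
 * GetModuleHandleA(0) + 0x34F01C inside a live process; here the buffer, the
 * offset and the name are made up so the example runs anywhere. */
#define FAKE_NAME_OFFSET 0x40
#define MAX_NAME_LEN 32            /* the question says 2 to 32 letters */

static unsigned char fake_module[0x100];

/* A 32-character name (assumed) for the "no terminator" case below. */
static const char NAME32[] = "abcdefghijklmnopqrstuvwxyz012345";

/* Fill the fake image with non-zero junk, place name at FAKE_NAME_OFFSET and
 * either write a terminating NUL after it or leave junk there. Returns the
 * "base address" the other functions take. */
static const void *build_fake_module(const char *name, int nul_terminate)
{
    size_t n = strlen(name);
    if (n > MAX_NAME_LEN)
        n = MAX_NAME_LEN;
    memset(fake_module, 0xAA, sizeof fake_module);
    memcpy(fake_module + FAKE_NAME_OFFSET, name, n);
    if (nul_terminate)
        fake_module[FAKE_NAME_OFFSET + n] = '\0';
    return fake_module;
}

/* The question's expression: cast base to char*, add the offset, then
 * dereference. The leading * yields exactly one character, hence "%c". */
char read_first_char(const void *base, size_t offset)
{
    return *((const char *)base + offset);
}

/* Both answers' fix: same cast and offset, no dereference. The result is a
 * pointer to the first character, which printf("%s") walks until the NUL. */
const char *string_at(const void *base, size_t offset)
{
    return (const char *)base + offset;
}

/* Bounded copy for the second answer's caveat: if no NUL exists within
 * max_len bytes, "%s" keeps reading past the name. This stops at max_len and
 * always NUL-terminates out (out must hold max_len + 1 bytes). */
size_t read_bounded_string(const void *base, size_t offset,
                           char *out, size_t max_len)
{
    const char *p = (const char *)base + offset;
    size_t n = 0;
    while (n < max_len && p[n] != '\0') {
        out[n] = p[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* The update's test, uNameAddr == "omnicient", never compares characters:
 * with a char* it compares two addresses, with a char it does not even compile
 * cleanly. Compare the bounded copy with strcmp instead. Returns 1 on match. */
int name_matches(const void *base, size_t offset, const char *expected)
{
    char buf[MAX_NAME_LEN + 1];
    read_bounded_string(base, offset, buf, MAX_NAME_LEN);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    const void *base = build_fake_module("omnicient", 1);
    char buf[MAX_NAME_LEN + 1];

    printf("%c\n", read_first_char(base, FAKE_NAME_OFFSET));   /* o */
    printf("%s\n", string_at(base, FAKE_NAME_OFFSET));         /* omnicient */
    printf("match: %d\n", name_matches(base, FAKE_NAME_OFFSET, "omnicient"));

    /* No terminator: a plain %s would run on into the 0xAA junk; %.*s with a
     * length and the bounded copy both stop after MAX_NAME_LEN characters. */
    base = build_fake_module(NAME32, 0);
    printf("%.*s\n", MAX_NAME_LEN, string_at(base, FAKE_NAME_OFFSET));
    read_bounded_string(base, FAKE_NAME_OFFSET, buf, MAX_NAME_LEN);
    printf("%s\n", buf);
    return 0;
}
```

Because the name can be up to 32 letters, the bounded copy treats MAX_NAME_LEN as a hard ceiling whether or not a NUL is present, which is the same guarantee %.*s gives printf when the length is passed explicitly.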

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost them, please credit this site or the original source. For any questions, contact yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM