Thread: Memory Editing for Newbies

This is my first tutorial on visual basic memory access, hope it will cover your needs.

First, we need to add some declarations for memory reading. What we are going to need, is the following:

Code:

Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long

This is how we tell Visual Basic about new functions, learning it how to open processes and read memory. Taken care of that, we can start writing the bits of code which lets you read the memory.

Code:

Private Function tHvnd() As Long
    tHvnd = FindWindow("tibiaclient", vbNullString)
End Function

Private Function ReadMemory(Address As Long) As Long
    Dim ProcessID As Long, processHandle As Long
    If tHvnd = 0 Then Exit Function
    GetWindowThreadProcessId tHvnd, ProcessID
    processHandle = OpenProcess(&H10, False, ProcessID)
    If processHandle = 0 Then Exit Function
    ReadProcessMemory processHandle, Address, ReadMemory, 4, 0&
    CloseHandle processHandle
End Function

Now, let's try to explain this. The two chunks of code you see here, are "functions". They are bits of code which can be used from anywhere, to make the program more efficient. If you were to read alot of memory addresses without the help of functions, you would have to type this code for every reading. Now I'll try to explain each line of code.

Code:

Private Function ReadMemory(Address As Long) As Long

This line simply tells Visual Basic that this is the start of the function, and information about the input and output it will do. Information that will be fed to the function have to be "declared" between the (), this is for both cosmetic and functional reasons. The word Address is the name of the value-holder it will use, and is made to hold a "long" value - a number up tp 4,7 million if I remember correct. Now, after the ), you see it ends with "As Long". This means that whenever you use this function, it will "return" a long value. Put simply, this means that you can basically use it as a regular stored value. The difference is that the value will change depending on what its code contains. Having used this function header as an example, I shall return to the start of the code.

The function we are studying is this:

Code:

Private Function tHvnd() As Long

This tells VB that it is a function named tHvnd, and returns a long value.

Code:

tHvnd = FindWindow("tibiaclient", vbNullString)

This line, however, is what will be done inside the function. It starts with tHvnd =. This means that whatever follows the = will be what the function returns. Moving on, we see FindWindow. Recognize that one? That's right, we wrote it at the very start of the program. This is the function which finds an open window, and gives you the address to it. However, to find a window, you need to specify something to look for. This function will either accept a classname or the window title. Since we know the classname for Tibia (tibiaclient), we will use that. To show the function that we are not going to look for a title, we enter vbNullString as the second attribute - this means that it's nothing at all.

Code:

End Function

This line tells VB that it's the end of the function. Let's continue with the ReadMemory function.

Code:

Private Function ReadMemory(Address As Long) As Long

As already explained, this is the start of the ReadMemory function. You need to enter the address to read, and it will give you the value stored at that address. Fair enough.

Code:

Dim ProcessID As Long, processHandle As Long

This line "dims" (preparing a memory location for storing a value) two values - ProcessID for long values, and processHandle for long values. This means that we can enter ProcessID = 5 in the function, and if we then enter ProcessID somewhere else after that - it will be the same as entering the number 5.

Code:

If tHvnd = 0 Then Exit Function

This here will call the tHvnd function mentioned before. Then it checks if it returns 0. If it does, then we cancel the reading. If this returns 0, it means that it couldn't find Tibia - therefore it would crash if it tried to read. Makes sense that it can't read something that's not there, right?

Code:

GetWindowThreadProcessId tHvnd, ProcessID

This calls the function GetWindowThreadProcessId (wow, what an ugly name). This is yet another function declared at the start of the program. Here we enter the address for the Tibia window (which the tHvnd function finds, that's why we enter tHvnd) and the location to store the ProcessID in. The ProcessID is another type of address to the Tibia window, to say it simply. Since we earlier declared the value ProcessID, it can just go ahead and write to that.

Code:

processHandle = OpenProcess(&H10, False, ProcessID)

This starts with processHandle, which we now know means that it will set the value processHandle to something. What it will be set to follows after the =. Here we see yet another function, the OpenProcess function. This function needs to know three things: The desired access level, the Inherit Handle (if any), and the ProcessID of the process to open. You can see that we entered &H10 - let's start by explaining this. If you enter &H in the start of a value, it means that what follows is a hexadecimal value. The hexadecimal system goes from 0-9 and then A-F, so 10 in hexadecimal actually means 16 in "normal" (decimal) numbers. The number 16, as used in this funcion, means "read access" for some reason which only Microsoft can explain. Let's move on with the OpenProcess function. The next value to enter, is the Inherit Handle. I don't know what that is, and I couldn't care less as we don't need it here. Just type in either False or 0, which both are the same. The third thing to enter is the ProcessID. As you know, we already took care of finding that using the GetWindowblabla process, so no need to think about that.

Code:

If processHandle = 0 Then Exit Function

This is yet another error check, to see wether VB6 managed to open up the Tibia client. If not, processHandle will most likely be 0 - if so, we cancel the memory read.

Code:

ReadProcessMemory processHandle, Address, ReadMemory, 4, 0&

As we can see, it is yet another function. It will need the process handle which we found earlier (processHandle), the memory location to read from (Address), some place to write the captured data to (ReadMemory - the function for this piece of code), the length of the information to read (a long value is 4 bytes, therefore 4), and finally "Number Of Bytes Written". The other ones have all been explained before, so I'll just conclude by saying that NumberOfBytesWritten is not relevant in this situation - it is rarely altered.

Code:

CloseHandle processHandle

This function was also declared at the start of the program, along with everything but the tHvnd function (which we made ourselves). It will simply close Tibia being edited, as we're done with it for now.

Code:

End Function

I won't bother explaining this. :P


Phew, that's the hard work done with. Now let's use this code to make it read your current health level.

Code:

Private Sub Form_load()
    me.caption = ReadMemory(&H6059CC)
End Sub

See how simple it is after we wrote the functions? Anyways, let's move on. Private sub Form_Load is the first sub (a sub is a function which does not return a value, but performs a bit of code anyways) which will be executed when you start the program. When started, the program will set me.caption (the title of the program window - "me" is the current form, and .caption is the title or text) to the value returned my ReadMemory. The address given to the ReadMemory function here is the address for health in Tibia - this can easily be found using TSearch, but I don't got time to explain it right now. There are alot of tutorials for this on the 'net.


Let's finish the tutorial with the final code.

Code:

Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long

Private Sub Form_load()
    Me.Caption = ReadMemory(&H6059CC)
End Sub

Private Function tHvnd() As Long
    tHvnd = FindWindow("tibiaclient", vbNullString)
End Function

Private Function ReadMemory(Address As Long) As Long
    Dim ProcessID As Long, processHandle As Long
    If tHvnd = 0 Then Exit Function
    GetWindowThreadProcessId tHvnd, ProcessID
    processHandle = OpenProcess(&H10, False, ProcessID)
    If processHandle = 0 Then Exit Function
    ReadProcessMemory processHandle, Address, ReadMemory, 4, 0&
    CloseHandle processHandle
End Function