w00

Reputation: 26762

Get address that is pointed to from another address

For practice I am trying to get the address that a certain memory address is pointing at. I have a tool which shows what result I have to get. In my case it is:

"clientApp.exe"+0x11F9B08 -> 0E4C5F90

So I am assuming this basically means: ("The base address of the .exe" + 0x11F9B08) and that points to the address 0x0E4C5F90.

I already have the base address of the clientApp.exe. I used EnumProcessModules and GetModuleFileNameEx for that.

Small snippet

if ( GetModuleFileNameEx( hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR)))
{
    if(gameName.compare(szModName))
    {
        dwClientBase = (DWORD)hMods[i]; //base address
        break;
    }
}

Then later on I'm trying to get the address that is pointed to. But the following gives me a whole other result:

DWORD result = (DWORD)(dwClientBase + 0x11F9B08);

This gives me: 23042824. And I'm looking for: 0x0E4C5F90. I guess I'm close, but not sure what I could try next.

Does anyone have any idea what I should do in order to get the same result as the tool is giving me?

Upvotes: 1

Views: 152

Answers (2)

Aneurysm

Reputation: 26

What type is dwClientBase? If it is a DWORD then you should cast to a BYTE * and then do your arithmetic, making sure to dereference the pointer to return the value pointed to by that address:

DWORD result = *(DWORD *)( (BYTE *)dwClientBase + 0x11F9B08);

When adding a number to a pointer, the compiler will add a number of bytes equal to the number multiplied by the size of the pointed-to type. This is why we convert to a BYTE * first, so that we add on exactly 0x11F9B08 bytes.

Upvotes: 1

Yakov Galka

Reputation: 72449

You do not dereference the pointer. Try either

DWORD result = *(DWORD*)(dwClientBase + 0x11F9B08);

or

DWORD result = *(DWORD*)(0x11F9B08);

The cast to DWORD* tells the compiler to treat the number as a pointer; dereferencing it with * then reads the actual number.

Upvotes: 1
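
The two steps the answers describe (byte-exact address arithmetic, then a dereference), as an added example that is not part of the original question or answers. It models the module as a constructed in-process buffer; `fake_module`, `SLOT_OFFSET` and the function names are hypothetical, and `uintptr_t` is used in place of `DWORD` so the address is not truncated in a 64-bit build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a mapped module image; SLOT_OFFSET is a made-up
   small offset playing the role of 0x11F9B08 from the question. */
#define SLOT_OFFSET 0x18u
static uint32_t fake_module[16];               /* 64 bytes, 4-byte aligned */

/* Store the value the question expects to read back (0x0E4C5F90). */
static void fill_fake_module(void)
{
    uint32_t v = 0x0E4C5F90u;
    memset(fake_module, 0, sizeof fake_module);
    memcpy((unsigned char *)fake_module + SLOT_OFFSET, &v, sizeof v);
}

/* Address computation only, as in the question: base + offset bytes. */
static uintptr_t slot_address(const void *base, size_t offset)
{
    return (uintptr_t)base + offset;
}

/* Bytes actually advanced by adding n to a uint32_t pointer (n * 4). */
static size_t typed_step_bytes(size_t n)
{
    uint32_t *p = fake_module;
    return (size_t)((unsigned char *)(p + n) - (unsigned char *)p);
}

/* Dereference step: copy the 32-bit value stored at base + offset.
   Returns 0 on success, -1 if the read would leave the region. */
static int read_u32_at(const void *base, size_t size, size_t offset, uint32_t *out)
{
    if (offset > size || size - offset < sizeof *out)
        return -1;
    memcpy(out, (const unsigned char *)base + offset, sizeof *out);
    return 0;
}

int main(void)
{
    uint32_t value = 0;
    fill_fake_module();
    printf("address of slot: %#llx\n", (unsigned long long)slot_address(fake_module, SLOT_OFFSET));
    if (read_u32_at(fake_module, sizeof fake_module, SLOT_OFFSET, &value) == 0)
        printf("value in slot:   %#010x\n", (unsigned)value);
    printf("uint32_t* + 6 advances %zu bytes\n", typed_step_bytes(6));
    return 0;
}
```

A direct read like this only works on memory that is mapped into the calling process.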
