Bay 12 Games Forum

Author Topic: A question about dwarf fortress memory layout and how DFHack accesses it

Moriabbey


I'm working on some dwarf fortress memory hacking for a college programming class, and I need some help on memory addresses.

The documentation for DFHack says that there's a file with absolute memory addresses of DF objects that it uses for memory access. It doesn't actually name the file, but it seems like the only file in DFHack with absolute memory addresses is symbols.xml, so it seems like that must be the one, but when I start dwarf fortress and check the addresses in a memory hacking tool, most of them seem to be unused. So what gives? Do I have the wrong file? Are these actually relative and not absolute addresses? If anyone knows what's going on and could explain, it would be much appreciated.

Warmist

Re: A question about dwarf fortress memory layout and how DFHack accesses it
« Reply #1 on: October 09, 2018, 05:28:41 am »

You are correct: symbols.xml has the absolute memory addresses. However, in that file there are usually multiple DF versions for multiple platforms. Also, depending on what OS you are doing that on (hint: Windows), the absolute address gets relocated due to ASLR.

Usually hacking tools have a way to get the module address, and then it's <address from symbols.xml> - 0x40000 (default Windows image base) + <dwarffortress.exe module offset>.

Moriabbey

Re: A question about dwarf fortress memory layout and how DFHack accesses it
« Reply #2 on: October 09, 2018, 03:36:52 pm »

How do I find out what the module offset for Dwarf Fortress is?

Also, what do you mean when you say "image base?"

Quietust

Re: A question about dwarf fortress memory layout and how DFHack accesses it
« Reply #3 on: October 10, 2018, 06:24:57 pm »

> How do I find out what the module offset for Dwarf Fortress is?

If you're writing a DFHack plugin, you don't need to know - DFHack figures it out for you and does all of the necessary adjustments for you.
If you're writing a 3rd-party application that connects to Dwarf Fortress from outside (e.g. like Dwarf Therapist does), this should give you enough information.

> Also, what do you mean when you say "image base?"

"ImageBase" is one of the fields in the EXE/DLL file format header which tells Windows what the program's "preferred" base address is - if the program was compiled with relocation support (guaranteed for DLLs, though not guaranteed for older EXEs), then Windows can feel free to load it at a different address chosen at random (a technique known as Address Space Layout Randomization, or ASLR).

The default ImageBase for a 32-bit Windows application is 0x00400000, while the default ImageBase for a 64-bit Windows application is 0x0000000140000000, and all of the values in DFHack's "symbols.xml" file are the addresses you would see if Dwarf Fortress were to load at the default location.
« Last Edit: October 10, 2018, 06:26:50 pm by Quietust »
P.S. If you don't get this note, let me know and I'll write you another.
It's amazing how dwarves can make a stack of bones completely waterproof and magmaproof.
It's amazing how they can make an entire floodgate out of the bones of 2 cats.
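The two replies above give the whole recipe: read ImageBase (and the relocation/ASLR flags) out of the PE header, then shift every symbols.xml value by the difference between that preferred base and the base your memory editor reports for the running module. The script below is an added example, not DFHack's or DFHack's symbols.xml tooling, and not code from anyone in this thread. It parses a PE header with nothing but `struct`, so you can point it at the first few KB of the real EXE; to keep it runnable offline it builds two constructed, minimal headers instead of reading a file. The symbols.xml address `0x140ABC120` and the module base `0x7FF6A2B40000` are hypothetical numbers chosen for the arithmetic.

```python
"""
Rebase a DFHack symbols.xml address onto the module base a memory editor
actually shows, after reading ImageBase and the ASLR-related flags from
the PE header. Added example; constants are from the PE/COFF spec.
"""
import struct

PE32_MAGIC = 0x10B      # 32-bit optional header
PE32PLUS_MAGIC = 0x20B  # 64-bit optional header
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # DllCharacteristics bit


def parse_pe_header(data: bytes) -> dict:
    """Return ImageBase and ASLR-relevant flags from the start of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]   # 4-byte field
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # 8-byte field
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "bits": 64 if magic == PE32PLUS_MAGIC else 32,
        "machine": machine,
        "image_base": image_base,
        "relocs_stripped": relocs_stripped,
        "dynamic_base": dynamic_base,
        # The loader can only randomize a base when it asked for it and
        # still has relocation records to apply.
        "aslr_possible": dynamic_base and not relocs_stripped,
    }


def rebase(symbols_xml_addr: int, image_base: int, module_base: int) -> int:
    """symbols.xml addresses assume the image loaded at ImageBase; shift them."""
    return symbols_xml_addr - image_base + module_base


def build_sample_header(pe32plus: bool, image_base: int, dll_chars: int,
                        characteristics: int = 0) -> bytes:
    """Constructed minimal PE header for testing (not a real DF binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    if pe32plus:
        # Magic, linker maj/min, SizeOfCode, SizeOfInitData, SizeOfUninitData,
        # AddressOfEntryPoint, BaseOfCode, ImageBase (8 bytes at offset 24)
        head = struct.pack("<HBBIIIIIQ", PE32PLUS_MAGIC, 14, 0,
                           0, 0, 0, 0x1000, 0x1000, image_base)
    else:
        # Same layout, but BaseOfData precedes a 4-byte ImageBase at offset 28
        head = struct.pack("<HBBIIIIIII", PE32_MAGIC, 14, 0,
                           0, 0, 0, 0x1000, 0x1000, 0x2000, image_base)
    # SectionAlignment .. Subsystem, then DllCharacteristics at offset 70
    tail = struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, 0x3000, 0x400, 0, 2, dll_chars)
    opt = head + tail
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, len(opt), characteristics)
    return dos + b"PE\0\0" + coff + opt


def demo():
    """64-bit image with DYNAMIC_BASE set: the common modern DF case."""
    hdr = build_sample_header(True, 0x140000000, 0x0040 | 0x0020)
    info = parse_pe_header(hdr)
    # Hypothetical: one global from symbols.xml and the base the memory
    # editor lists for "Dwarf Fortress.exe" in the running process.
    sym_addr = 0x140ABC120
    module_base = 0x7FF6A2B40000
    return info, rebase(sym_addr, info["image_base"], module_base)


if __name__ == "__main__":
    info, live = demo()
    print(f"ImageBase=0x{info['image_base']:X} aslr_possible={info['aslr_possible']}")
    print(f"symbols.xml 0x140ABC120 -> live 0x{live:X}")
```

To use it on the real thing, read the first 4096 bytes of the Dwarf Fortress EXE with `open(path, "rb").read(4096)` and pass them to `parse_pe_header`; the `image_base` it returns is the same number `dumpbin /headers` prints as "image base". If `aslr_possible` is false the module will load at ImageBase and the symbols.xml values work unchanged; otherwise take the module base from your memory editor's module list each time DF starts, since it changes per launch.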

Moriabbey

Re: A question about dwarf fortress memory layout and how DFHack accesses it
« Reply #4 on: October 11, 2018, 10:39:06 pm »

> If you're writing a DFHack plugin, you don't need to know - DFHack figures it out for you and does all of the necessary adjustments for you.
> If you're writing a 3rd-party application that connects to Dwarf Fortress from outside (e.g. like Dwarf Therapist does), this should give you enough information.

I'm not actually trying to write anything - all I'm really trying to do is use a memory editor to do some super basic memory hacking.

> "ImageBase" is one of the fields in the EXE/DLL file format header which tells Windows what the program's "preferred" base address is - if the program was compiled with relocation support (guaranteed for DLLs, though not guaranteed for older EXEs), then Windows can feel free to load it at a different address chosen at random (a technique known as Address Space Layout Randomization, or ASLR).
>
> The default ImageBase for a 32-bit Windows application is 0x00400000, while the default ImageBase for a 64-bit Windows application is 0x0000000140000000, and all of the values in DFHack's "symbols.xml" file are the addresses you would see if Dwarf Fortress were to load at the default location.

Two things - first off (I'm sorry that this is kind of a dumb question), I'm having a lot of trouble looking at the .exe header. I've found the dumpbin exe, but I can't figure out how to use it - do I run it from the command line somehow?

Second, if I do find the image base, how does that help with ASLR? It seems like finding the 'default' address for the program wouldn't help me much if Windows can just load it at a random address anyway.