"""probe_rs_base.py Walk s_Resources to find a RenderSurface base (vfptr=0x0079a67c) entry. Dump its primary view (entry-0x30 .. entry-0x30+0x150) so we can see what's at primary+0x64 and primary+0x114 (where v5 reads). Also check primary+0x144 which is OOB for RS base (size 0x120).""" import ctypes, ctypes.wintypes as wt, sys, struct PROCESS_VM_READ = 0x10 PROCESS_QUERY_INFORMATION = 0x400 k = ctypes.windll.kernel32 k.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]; k.OpenProcess.restype = wt.HANDLE k.ReadProcessMemory.argtypes = [wt.HANDLE, wt.LPCVOID, wt.LPVOID, ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)] k.ReadProcessMemory.restype = wt.BOOL S_RESOURCES_M_DATA = 0x008398C4 S_RESOURCES_M_NUM = 0x008398CC RS_BASE_VTABLE = 0x0079a67c def rd(h, va, n): buf = (ctypes.c_ubyte * n)(); sz = ctypes.c_size_t(0) if not k.ReadProcessMemory(h, va, buf, n, ctypes.byref(sz)): return None return bytes(buf[:sz.value]) def rd_u32(h, va): b = rd(h, va, 4); return struct.unpack('= 3: break if n_found == 0: print("no RS base entries found in walk")