Viloresi Expert Cheater Reputation: 0
Joined: 02 Feb 2017 Posts: 149
Posted: Sun Mar 19, 2017 4:36 am Post subject: I can't find a valid pointer...
Hello, I'm trying to find a pointer to the ammunition address of the player's gun.
This game is protected against Cheat Engine and it has some other protections... Btw I've managed to freeze the game to scan it with Cheat Engine (after I've found the ammo address), the fact is that the game is frozen and I can't debug it or perform any other action that involves dynamic stuff, as you may understand :S.
The only viable thing that I'm using right now is the pointerscan, but it doesn't work as it should, since after I've set a level 7 pointer I get a lot of results but all of them are useless after I restart the game. I've tried with a level 8 pointer and it takes too much time (with 500,000,000 path/seconds speed)...
Do you know any other way I could use to find a pointer?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Sun Mar 19, 2017 3:18 pm
first make sure that the address you found actually has an effect in the game. (else pointers will be of no use)
and check out http://forum.cheatengine.org/viewtopic.php?t=602561 (using snapshots of previous runs will only leave proper pointer paths)
especially the node limit. that way you can do deeper levels and bigger structsizes
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Viloresi Expert Cheater Reputation: 0
Joined: 02 Feb 2017 Posts: 149
Posted: Sun Mar 19, 2017 4:19 pm
Dark Byte wrote: | first make sure that the address you found actually has an effect in the game. (else pointers will be of no use)
and check out http://forum.cheatengine.org/viewtopic.php?t=602561 (using snapshots of previous runs will only leave proper pointer paths)
especially the node limit. that way you can do deeper levels and bigger structsizes |
Ty, what you say is always precious... Btw I already found a valid pointer to this address some time ago, but at that time the game had fewer protections so I was able to run Cheat Engine without the need of freezing the game, so I searched for a level 7 pointer then changed the game's map and with some of the pointers that were "valid" I did a level 5 rescan for the first pointer pointed by the module base (plus its offset), in the end I had a level 12 pointer which was valid... But now the game is updated...
I will try tomorrow with a node limit of 2, offset size 10000, level 12. Hoping it will not take ages, otherwise if there aren't any other methods I will consider pointerscanning with multiple computers as you suggested to me before.
Edit: I forgot that I know the module base of this pointer, so I may try to tick the option to scan only certain memory pages? Will it work? How could I know which memory pages are assigned to a module, which in this case is a DLL file?
Viloresi Expert Cheater Reputation: 0
Joined: 02 Feb 2017 Posts: 149
Posted: Mon Mar 20, 2017 1:53 pm
bump.
Unfortunately it doesn't work... I think btw that setting a node limit of 2 cut my chances of finding a valid pointer to pieces... not sure but who knows, it doesn't work.
If anybody knows how I could do it, or has a good method to share, it would be really appreciated.
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon Mar 20, 2017 2:23 pm
Does attaching the debugger work on the target? If so, you could try SE plugin for injection and attempt to circumvent and/or remove any memory integrity check routines while also eliminating the need for pointer scanning.
Viloresi Expert Cheater Reputation: 0
Joined: 02 Feb 2017 Posts: 149
Posted: Mon Mar 20, 2017 2:57 pm
++METHOS wrote: | Does attaching the debugger work on the target? If so, you could try SE plugin for injection and attempt to circumvent and/or remove any memory integrity check routines while also eliminating the need for pointer scanning. |
Thank you for the reply...
Not sure I got what you mean, btw yes I can attach the debugger but the process is completely frozen (all the threads are suspended).
What's the SE plugin? Why should I try to circumvent the memory integrity check routines? How is that gonna remove the need for pointerscan?
Ty
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon Mar 20, 2017 3:04 pm
Why are you freezing the target during attachment of debugger?
SE Plugin == Stealth Edit Plugin
Circumvention for injection will eliminate the need for pointers/pointer scanning altogether. You can hook the instruction and save off the address that you are wanting to manipulate...that way, you will have the correct address every time without having to rely on potentially unreliable pointers.
Viloresi Expert Cheater Reputation: 0
Joined: 02 Feb 2017 Posts: 149
Posted: Mon Mar 20, 2017 3:14 pm
++METHOS wrote: | Why are you freezing the target during attachment of debugger?
SE Plugin == Stealth Edit Plugin
Circumvention for injection will eliminate the need for pointers/pointer scanning altogether. You can hook the instruction and save off the address that you are wanting to manipulate...that way, you will have the correct address every time without having to rely on potentially unreliable pointers. |
Oh right, I got what you mean. Btw I'm freezing the target because it has a lot of protections, I do it to avoid detection of Cheat Engine and other tools.
Btw I can't debug the process in this state, maybe you know some method by looking at the memory or some other useful tools?
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon Mar 20, 2017 3:54 pm
You could try Ollydbg with plugins. If the target is 64bit, then try x64dbg. Else, try to make CE undetectable.
Viloresi Expert Cheater Reputation: 0
Joined: 02 Feb 2017 Posts: 149
Posted: Mon Mar 20, 2017 4:09 pm
++METHOS wrote: | You could try Ollydbg with plugins. If the target is 64bit, then try x64dbg. Else, try to make CE undetectable. |
But it is still not what I'm looking for since I can't debug it... and if you or somebody has another idea it will be really appreciated... But I think at this point there isn't anybody else who knows another technique.
Ty to you and Dark Byte, anyway.
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon Mar 20, 2017 4:15 pm
I referenced the other tools that you could try in an effort to debug. Some protections target CE, specifically. Additionally, certain detection methods can be circumvented by way of various plugins that are available for programs like Ollydbg.
All that said, are you able to temporarily unpause the target so that results populate the debugger list post-attachment?
Viloresi Expert Cheater Reputation: 0
Joined: 02 Feb 2017 Posts: 149
Posted: Mon Mar 20, 2017 11:05 pm
++METHOS wrote: | I referenced the other tools that you could try in an effort to debug. Some protections target CE, specifically. Additionally, certain detection methods can be circumvented by way of various plugins that are available for programs like Ollydbg.
All that said, are you able to temporarily unpause the target so that results populate the debugger list post-attachment? |
No, actually I didn't find a way to do that... If that were possible it would be awesome.