Syncretic (How do I cheat?, Reputation: 0, Joined: 20 Feb 2014, Posts: 8)
Posted: Sat Feb 22, 2014 3:12 pm, Post subject: EntryPoint, Base Address and Offsets. Need a little bit help
I've been coding some native with Java using the JNA API. I've gotten the code to read from memory, and most recently implemented a function that should return the base address, but I am not sure it really outputs the correct address.
Snippet of the code (full function here)
Code:
    public int getBaseAddress() {
        try {
            Pointer hProcess = Nexus.getPointer();   // handle to the target process
            toConsole(hProcess.toString());
            // Enumerate the modules loaded in the process (EnumProcessModules via psapi).
            List<Module> hModules = PsapiTools.getInstance().EnumProcessModules(hProcess);
            toConsole(hModules.toString());
            for (Module m : hModules) {
                toConsole(m.getFileName());
                // if (m.getFileName().contains("NexusTK.exe")) {
                System.out.println(m.getFileName() + ": 0x"
                        + Long.toHexString(Pointer.nativeValue(m.getEntryPoint())));
                System.out.println(m.getLpBaseOfDll());
                // lpBaseOfDll is the module's load address (the first module returned is normally the .exe itself).
                long base = Pointer.nativeValue(m.getLpBaseOfDll());
                System.out.println(base);
                return (int) base;   // fits in an int for a 32-bit target process
                // }
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return -1;
    }
I found a multi-level pointer, starting at
"NexusTK.exe"+0000025C
and I am not even fully sure how the Cheat Engine does its offset arithmetic, [00174000+514] -> 0017456C?
But that is whole other issue. The offsets are 4byte integers I might add.
These are the outputs I get in the console
Entry Point: 0x400000
LpBaseOfDll: native@0x516c8e
Value of LpBaseOfDll: 5336206 (Just the decimal conversion of lpbaseofdll?)
My question:
Do I have the right base address of the process? And if I do, how would I go about adding the offsets from my code?
Last edited by Syncretic on Sun Feb 23, 2014 8:30 pm; edited 1 time in total
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25295, Location: The Netherlands)
Posted: Sat Feb 22, 2014 4:31 pm
Your entry point seems to be switched with the base of DLL.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Syncretic
Posted: Sat Feb 22, 2014 4:50 pm
Do you think I got the right address from the .exe process though? The "Enumerate DLLs and Symbols" window of CE points to 0x400000 as well. But how does that correlate with the "NexusTK.exe"+0000025C found in my pointer? And how would I add the offsets?
Dark Byte (Site Admin)
Posted: Sun Feb 23, 2014 5:41 am
You must read the 4/8 byte value at 0040025c (this address is weird though)
Check out http://forum.cheatengine.org/viewtopic.php?t=422516
Syncretic
Posted: Sun Feb 23, 2014 3:17 pm
Thanks for the link, really informative and helped me understand the offset arithmetic. That alone deserves a donation, not to mention developing CE and most importantly taking the time to help out enthusiasts like me.
Now, you mention my address seems weird, and I agree. When I read the value at the address and add the new offset of the first level in the pointer, I get a '???' value.
I've sent you a PM with two imgur links showing you my "Enumerate DLL" dump of the process. It shows the same as the console output of my code, how am I not getting the right address? I've also included the Pointer that I'm working off in case that helps anything.
Dark Byte (Site Admin)
Posted: Sun Feb 23, 2014 3:57 pm
The address seems to be correct (the weird part is that that part of memory is usually not very "pointery", or does not take into account the random stack start offset).
Anyhow, based on the second image this is what happens:
It reads the 4 byte value at 0040025c (00174000)
To that value it adds 3a4 (00174000+3a4=001743a4) and reads the 4 byte value stored at the address it represents (001744b8)
To that value it adds 104 (001744b8+104=001745bc) and reads the 4 byte value stored at the address it represents (002101d0)
...
Eventually it gets to the correct address
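The chain Dark Byte walks through above, as an added example that is not part of the original thread and not the poster's JNA code: a small C resolver that applies Cheat Engine's pointer arithmetic (read the 4-byte value at "module"+offset, add the next offset, read again; the last offset is added but not dereferenced, because it produces the final address). The memory read is abstracted behind a function pointer so the same resolver could wrap ReadProcessMemory on a live process; here it runs against a constructed, sparse image of the 32-bit target. The image contains the three cells named in the walkthrough; the final +8 offset and the value 42 stored at the end of the chain are invented for this example, since the thread only shows the chain up to 002101d0. A second path with a wrong first offset (the +514 from the first post is used) shows what CE reports as "???": one level of the chain lands on memory that cannot be read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A Cheat Engine style pointer path: start at module_base + base_offset,
 * read the 4-byte pointer stored there, add the first offset, read again,
 * and so on. The last offset is added but not dereferenced. */
typedef struct {
    uint32_t base_offset;     /* 0x25c for "NexusTK.exe"+0000025C */
    const uint32_t *offsets;  /* in the order CE applies them */
    size_t n_offsets;
} PointerPath;

/* Memory access is abstracted so the same resolver can wrap
 * ReadProcessMemory on a live process or, as here, a constructed image. */
typedef bool (*read_u32_fn)(uint32_t addr, uint32_t *out);

/* Sparse, constructed image of the 32-bit target. The first three cells are
 * the values from Dark Byte's walkthrough; the "..." part of the chain is
 * not on the page, so the final +8 offset and the value 42 are invented. */
typedef struct { uint32_t addr; uint32_t value; } Cell;
static const Cell k_image[] = {
    { 0x0040025c, 0x00174000 },  /* [0x400000 + 0x25c]             */
    { 0x001743a4, 0x001744b8 },  /* [0x174000 + 0x3a4]             */
    { 0x001745bc, 0x002101d0 },  /* [0x1744b8 + 0x104]             */
    { 0x002101d8, 0x0000002a },  /* [0x2101d0 + 0x8] (constructed) */
};

static bool image_read_u32(uint32_t addr, uint32_t *out) {
    for (size_t i = 0; i < sizeof k_image / sizeof k_image[0]; i++)
        if (k_image[i].addr == addr) { *out = k_image[i].value; return true; }
    return false;  /* unmapped: ReadProcessMemory fails, CE displays "???" */
}

/* Walk the chain. Returns the final address; if some level cannot be read,
 * sets *failed_level to that 0-based level and returns 0. */
static uint32_t resolve_pointer(read_u32_fn read, uint32_t module_base,
                                const PointerPath *p, int *failed_level) {
    uint32_t addr = module_base + p->base_offset;
    *failed_level = -1;
    for (size_t i = 0; i < p->n_offsets; i++) {
        uint32_t val;
        if (!read(addr, &val)) { *failed_level = (int)i; return 0; }
        addr = val + p->offsets[i];   /* 32-bit wraparound matches the target */
    }
    return addr;
}

/* Resolve the chain, then read the value the pointer finally points at. */
static bool read_pointer_value(read_u32_fn read, uint32_t module_base,
                               const PointerPath *p, uint32_t *value,
                               int *failed_level) {
    uint32_t addr = resolve_pointer(read, module_base, p, failed_level);
    if (*failed_level >= 0) return false;
    if (!read(addr, value)) { *failed_level = (int)p->n_offsets; return false; }
    return true;
}

enum { NEXUS_BASE = 0x00400000 };  /* the base EnumProcessModules reported */
static const uint32_t k_good_offsets[] = { 0x3a4, 0x104, 0x8 };
static const PointerPath k_good = { 0x25c, k_good_offsets, 3 };
/* +514 at the first level lands on 0x17456c, which this image does not map,
 * so the resolver reports the unreadable level the way CE shows "???". */
static const uint32_t k_bad_offsets[] = { 0x514, 0x104, 0x8 };
static const PointerPath k_bad = { 0x25c, k_bad_offsets, 3 };

uint32_t example_item_address(void) {
    int lvl;
    return resolve_pointer(image_read_u32, NEXUS_BASE, &k_good, &lvl);
}
uint32_t example_item_value(void) {
    int lvl; uint32_t v = 0;
    return read_pointer_value(image_read_u32, NEXUS_BASE, &k_good, &v, &lvl) ? v : 0;
}
int example_bad_path_failed_level(void) {
    int lvl;
    resolve_pointer(image_read_u32, NEXUS_BASE, &k_bad, &lvl);
    return lvl;
}

int main(void) {
    uint32_t first = 0;
    image_read_u32(NEXUS_BASE + 0x25c, &first);
    printf("[0x%08x] = 0x%08x = %u decimal\n", NEXUS_BASE + 0x25c,
           (unsigned)first, (unsigned)first);          /* 0x174000 = 1523712 */
    printf("resolved address 0x%08x, value %u\n",
           (unsigned)example_item_address(), (unsigned)example_item_value());
    printf("bad path fails at dereference level %d -> \"???\"\n",
           example_bad_path_failed_level());
    return 0;
}
```

To use it against a real process, replace image_read_u32 with a function that calls ReadProcessMemory (or the JNA equivalent) for 4 bytes at the given address and returns false when the call fails; the resolver itself does not change. Note that the first printf shows the same value CE later displays as 1523712: that is 0x174000 printed in decimal, not a different value.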
Syncretic
Posted: Sun Feb 23, 2014 4:54 pm
Weird thing is, when I try to read from CE manually, I get other values than described in the pointer instructions.
Code:
    Address     Type      Value
    0040025c    4 Bytes   1523712
(The pointer dictates this should evaluate to 00174000?)
How come I get different values?
Dark Byte (Site Admin)
Posted: Sun Feb 23, 2014 6:06 pm
174000 hexadecimal=1523712 decimal
Syncretic
Posted: Sun Feb 23, 2014 6:37 pm
.. shit.
Rydian (Grandmaster Cheater Supreme, Reputation: 31, Joined: 17 Sep 2012, Posts: 1358)
Posted: Sun Feb 23, 2014 8:10 pm
It happens!
You can right-click a table entry and change its hex/dec and signed/unsigned display settings.
Syncretic
Posted: Mon Feb 24, 2014 12:36 pm
Thanks Rydian, helping me out a lot finding all the new addresses & values that I need.
What's now weird is how I can find the exact address that correlates to the amount of items in a stack that my character holds. When I drop one from the stack and decrease the value, the address value will follow.
I examine what accesses the address and get exactly one opcode, pointing me to a certain ESI value. I go to CE, switch the filter to Hex and search for the address as a value. No results.
This only happens when I examine stackable items, in which case it happens for all. How can I find the x/y coordinate addresses without problems but not the root of these types?