Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Static addresses and pointers question aimed at Gurus

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
densjizz
How do I cheat?
Reputation: 0

Joined: 20 May 2014
Posts: 3

PostPosted: Tue May 20, 2014 5:37 pm    Post subject: Static addresses and pointers question aimed at Gurus Reply with quote

First of all i want to say that am new to this.

So i used cheat engine to read the memory out of a game to get a list of the players name.

I used pointer scanners so this is what i got

This is where the game stores the first player's name
Code:
("game.dll" + 0x12345) + (0xAe7) + (0x0) + (0xA)


and if i add 104 to 0xA i get the next player's name and so on.

So i can deduce that the object at (0xA) is the first of the list and at (0x0) would be the base of the list ?

Now since am using pointers i can get this anytime the game closes and opens no problem. The problem is that i cannot find a way to keep that pointer valid after a patch, the game updates often for very small patches and often it screws up my pointers prolly because the size between the offset changed.

Now i am wondering how i could keep it so that each time the game updates i can still get the pointers correctly. Also i notice that the value stored in ("game.dll" + 0x12345) is also located inside a static variable, would that help me ? Any reply or ressources on the subject would be very appriciated. Thanks alot !

PS: sorry for the bad english.
Back to top
View user's profile Send private message
Gniarf
Grandmaster Cheater Supreme
Reputation: 42

Joined: 12 Mar 2012
Posts: 1283

PostPosted: Tue May 20, 2014 8:02 pm    Post subject: Reply with quote

Somewhere in the game's code it's written "read the 4 bytes at game.dll + 0x12345" and after a patch it could become "read the 4 bytes at game.dll + 0x12543", but you can write an auto assembler script that will locate that piece of code and fetch game.dll + 0x12345 from there.

Here's a little example based on CE's tutorial's step6: pointers. For me the data was at address [[Tutorial-i386.exe+231360]+0], so add "Tutorial-i386.exe+231360" to the cheat table, right click on it->"find out what accesses...", make the value change and you'll see 4 "mov e**, [00631360]" each of which means "read the 4 bytes at 00631360 (=Tutorial-i386.exe+231360)". In a real-life scenario, just changing the data might not be enough for the pointer base to be accessed (if the game made copies of intermediary pointers) so you might need to fiddle some more, change maps, get back to main menu...
Anyway when you've got at least one "mov e**, [Some constant]", select it and click show disassembler, you'll see something like:
Code:
Tutorial-i386.exe+2685E - E8 FD4BFEFF           - call Tutorial-i386.exe+B460
Tutorial-i386.exe+26863 - E8 B86BFEFF           - call Tutorial-i386.exe+D420
Tutorial-i386.exe+26868 - 50                    - push eax
Tutorial-i386.exe+26869 - 85 C0                 - test eax,eax
Tutorial-i386.exe+2686B - 0F85 DA000000         - jne Tutorial-i386.exe+2694B
Tutorial-i386.exe+26871 - A1 60136300           - mov eax,[Tutorial-i386.exe+231360] <-highlighted line
Tutorial-i386.exe+26876 - 8B 00                 - mov eax,[eax]
Tutorial-i386.exe+26878 - 89 45 F4              - mov [ebp-0C],eax
Tutorial-i386.exe+2687B - B8 E8030000           - mov eax,000003E8
Tutorial-i386.exe+26880 - E8 FB62FEFF           - call Tutorial-i386.exe+CB80
Tutorial-i386.exe+26885 - 89 45 F0              - mov [ebp-10],eax
Tutorial-i386.exe+26888 - C7 45 EC 00000000     - mov [ebp-14],00000000
Tutorial-i386.exe+2688F - EB 3E                 - jmp Tutorial-i386.exe+268CF
You then have to build an auto assembler script to locate the "mov eax,[Tutorial-i386.exe+231360]" (because it contains the Tutorial-i386.exe+231360 we want).
Aobscan tutorial, read sections 5-AOB and 6-A good signature.
One thing Rydian forgot to say: you can make your aob signature start anywhere and it can have any length, just copy-paste your signature (with wildcards) in the main scanner, select type=array of bytes, right click on "writable"->preset:scan all memory, then do a first scan. If there is more than one result, try another signature.
A pointer base locator will look like this:
Code:
[enable]
aobscan(MarkerForPointerBase,A1 ?? ?? ?? ?? 8B 00 89 45 F4 B8 E8 03 00 00) //this will set MarkerForPointerBase=Tutorial-i386.exe+26871
label(PointerBase)
registersymbol(PointerBase)

MarkerForPointerBase+1: //set PointerBase=MarkerForPointerBase+1
PointerBase:             //the +1 comes from 'there is only one byte (A1) in "A1 60136300" before the final pack of 4 bytes'.

[disable]
unregistersymbol(PointerBase)
Last step is to manually add an address (pointer) to the cheat table with its base at "PointerBase" (CE will recognize the text from your AA script once you activate it), its first/bottom offset =0, and the offsets you found above that (AE7, 0, and A for you, one more 0 for me).

Next time the game updates, your AA script should find the updated "mov e**,[game.dll + 0x12345]" if your signature is good enough, otherwise you'll have to add more wildcards/try another so I suggest you keep a copy of what the disassembler showed you to see what changed and what didn't - and probably won't - change.


densjizz wrote:
This is where the game stores the first player's name
Code:
("game.dll" + 0x12345) + (0xAe7) + (0x0) + (0xA)


and if i add 104 to 0xA i get the next player's name and so on.

So i can deduce that the object at (0xA) is the first of the list and at (0x0) would be the base of the list ?
If you mean that [[["game.dll" + 0x12345]+AE7]+0]+0 is the base of the list, then my answer is yes.
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
Back to top
View user's profile Send private message
densjizz
How do I cheat?
Reputation: 0

Joined: 20 May 2014
Posts: 3

PostPosted: Tue May 20, 2014 11:04 pm    Post subject: Reply with quote

Thanks alot ! that is exactly what i was looking for, woukd it be a good idea to try to search the pattern using cheat engines source/dll since i could have my application search it auto instead of doing it manually ? Thanks again !
Back to top
View user's profile Send private message
Gniarf
Grandmaster Cheater Supreme
Reputation: 42

Joined: 12 Mar 2012
Posts: 1283

PostPosted: Wed May 21, 2014 8:16 am    Post subject: Reply with quote

Cheat engine source? What does the source code have anything to do with that?

It's simpler to use CE to scan for the signature when you're developing your hack, but once you've got it to work it makes more sense to use the same program to scan for the signature/find the pointer's base and read/use the player names.

As for "searching it auto", cheat engine will automatically search for the signature when you activate your AA script in the cheat table, the only time you have to manually scan for signatures is when you're developing your hack and checking if your signature is really unique.

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
Back to top
View user's profile Send private message
densjizz
How do I cheat?
Reputation: 0

Joined: 20 May 2014
Posts: 3

PostPosted: Wed May 21, 2014 9:27 am    Post subject: Reply with quote

I understand am just saying that after i get signature, i could use programming to get that base address automatically instead of having to go back to cheat engine scanning it and then opening the source of my hack and then changing the values. I might be miss understanding something, the way i see it is i have to search for a pattern in memory for something that will allocate that player list, once i found it i will always be the same object that allocates it unless they make major changements to the code. Once i get the signature what is a prolly way of streamlining it to my hack ?
Back to top
View user's profile Send private message
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 888

PostPosted: Wed May 21, 2014 11:43 am    Post subject: Reply with quote

No, it doesn't work that way unless the bit you're scanning for happens to be in a static location.
_________________
A nagy kapu mellett, mindig van egy kis kapu.
----------------------
Come on...
Back to top
View user's profile Send private message
Gniarf
Grandmaster Cheater Supreme
Reputation: 42

Joined: 12 Mar 2012
Posts: 1283

PostPosted: Wed May 21, 2014 2:17 pm    Post subject: Reply with quote

densjizz wrote:
I understand am just saying that after i get signature, i could use programming to get that base address automatically instead of having to go back to cheat engine scanning it and then opening the source of my hack and then changing the values.
If I understand correctly you have written a 3rd party program that has nothing to do with CE and this program reads the player names. In this case, yes, you should scan for the signature in your own program.

densjizz wrote:
I might be miss understanding something, the way i see it is i have to search for a pattern in memory for something that will allocate that player list
Close, but not exactly that.
1-You have to find (a signature inside) a function that accesses your pointer base, but not necessarily the function that allocates the list.
2-You have to find (a signature inside) a function that accesses your pointer base, but not necessarily a function that accesses player name list, ie: if your pointer is like game.dll->world_object->list_of_players then a function that accesses game.dll->world_object->list_of_birds will also read game.dll+xxxxx to get the world_object pointer, so it is good too.

densjizz wrote:
once i found it i will always be the same object that allocates it unless they make major changements to the code.
More like "that function will always reference the base of my pointer unless they make...."
densjizz wrote:
Once i get the signature what is a prolly way of streamlining it to my hack ?
Start by putting "aobscan + your_programming_language" in the forum's search box. Then ask if you encounter insurmountable obstacles.
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
Back to top
View user's profile Send private message
densjizz
How do I cheat?
Reputation: 0

Joined: 20 May 2014
Posts: 3

PostPosted: Wed May 21, 2014 7:39 pm    Post subject: Reply with quote

Quote:
If I understand correctly you have written a 3rd party program that has nothing to do with CE and this program reads the player names. In this case, yes, you should scan for the signature in your own program.

Yes exactly.


Quote:
2-You have to find (a signature inside) a function that accesses your pointer base, but not necessarily a function that accesses player name list, ie: if your pointer is like game.dll->world_object->list_of_players then a function that accesses game.dll->world_object->list_of_birds will also read game.dll+xxxxx to get the world_object pointer, so it is good too.


Got it !

Quote:
Start by putting "aobscan + your_programming_language" in the forum's search box. Then ask if you encounter insurmountable obstacles.

I've seen this done already, one guy at this for a wow bot. Thanks alot i will keep searching and reading. Thanks you very much ![/quote]
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites