CatHat
Posted: Fri Nov 17, 2017 9:14 pm Post subject: Sneaky address
Hello
So I've done some address searching and was only able to find two addresses with the value I'm looking for: one is a 4-byte value that does nothing as far as I can tell, and the other is a double that controls how big the bar for the value is in the user interface. I used this last address for pointer scanning; this is what I found.
By the way, I'm not looking to modify anything, just to read the value through offsets and pointers each time the program is launched.
MyValue is the value I want to read in the end.
I'm using -'s as spaces.
1st run of the program
===============================
1st Scan
address------value
A38E45B0----MyValue
Find what writes to A38E45B0
movsd [rcx+00000550],xmm1
RCX=00000000A38E4060
xmm1:32.00 _ 0.00 (correct value)
2nd Scan
address-------value
9D95C350----A38E4060
Find what accesses 9D95C350
mov rdi,[rcx+40] (9D95C310 + 40 = 9D95C350)
RCX=000000009D95C310
RDI=00000000A38E4060
3rd Scan
address-------value
E2F68C58----9D95C310
Find what accesses E2F68C58 (two opcodes, side by side)
mov rax,[rcx+rax*8]          cmp qword ptr [rcx+rax*8],00
RAX=000000009D95C310         RAX=000000009D95C310
RCX=00000000E2AA6050         RCX=000000008DF79350
4th Scan
address-------value
1842740F8----E2AA6050
Green
2nd run of the program
========================================
1st Scan
address-------value
A0D6E490----MyValue
Find what writes to A0D6E490
movsd [rcx+00000550],xmm1
RCX=00000000A0D6DF40
xmm1:32.00 _ 0.00 (correct value)
2nd Scan
address-------value
9D70B2F0----A0D6DF40
Find what accesses 9D70B2F0
mov rdi,[rcx+40]
RCX=000000009D70B2B0
RDI=00000000A0D6DF40
3rd Scan
address-------value
10BF84C70---9D70B2B0
Find what accesses 10BF84C70 (two opcodes, side by side)
mov rax,[rcx+rax*8]          cmp qword ptr [rcx+rax*8],00
RAX=000000009D70B2B0         RAX=0000000000098584
RCX=000000010BAC2050         RCX=000000010BAC2050
4th Scan
address-------value
1842740F8---10BAC2050
In both runs I got a second opcode at the last 'find what accesses...', but I used the RCX value of the mov rax,[rcx+rax*8] one.
So I was able to find a green address, but I don't know how to use it; the rax*8 and the other stuff threw me off.
I tried changing the address of the first scan result and using pointers and offsets, but at the 2nd offset it didn't work.
Where do I go from here?
Appreciate the help.
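Added example (not from the post, nor Cheat Engine's own code): the chain above rebuilt in Python over a constructed little-endian memory image, using the static address and the 0x40 and 0x550 offsets quoted in the post. The table index at the [rcx+rax*8] level is an assumption inferred from the scan addresses ((E2F68C58 - E2AA6050) / 8 = 0x98581 in run 1, (10BF84C70 - 10BAC2050) / 8 = 0x98584 in run 2, which matches the RAX shown on the cmp line), and resolving run 2 with run 1's index fails, which is why a fixed pointer-and-offset chain breaks at that level.

```python
import struct

# Constructed sparse memory image; addresses/offsets come from the post,
# the table index values are inferred (assumption) from the 3rd-scan addresses.
STATIC = 0x1842740F8   # green (static) address from the 4th scan

class SparseMemory:
    def __init__(self):
        self.cells = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read(self, addr, size):
        try:
            return bytes(self.cells[addr + i] for i in range(size))
        except KeyError:
            raise ValueError(f"unmapped read at {addr:#x}") from None

    def read_u64(self, addr):
        return struct.unpack("<Q", self.read(addr, 8))[0]

    def read_f64(self, addr):
        return struct.unpack("<d", self.read(addr, 8))[0]

def build_memory(table_base, index, obj, sub, value):
    """Lay out one run: STATIC -> table[index] -> obj, obj+0x40 -> sub, sub+0x550 -> double."""
    mem = SparseMemory()
    mem.write(STATIC, struct.pack("<Q", table_base))
    mem.write(table_base + index * 8, struct.pack("<Q", obj))  # read by mov rax,[rcx+rax*8]
    mem.write(obj + 0x40, struct.pack("<Q", sub))              # read by mov rdi,[rcx+40]
    mem.write(sub + 0x550, struct.pack("<d", value))           # written by movsd [rcx+550],xmm1
    return mem

def resolve_chain(mem, index):
    """Walk the chain; returns (address dereferenced at each level, final double)."""
    table = mem.read_u64(STATIC)
    slot = table + index * 8        # rax*8 is a table index, not a fixed offset
    obj = mem.read_u64(slot)
    sub = mem.read_u64(obj + 0x40)
    value_addr = sub + 0x550
    return [STATIC, slot, obj + 0x40, value_addr], mem.read_f64(value_addr)

def chain_works(mem, index):
    try:
        resolve_chain(mem, index)
        return True
    except ValueError:
        return False

# Run 1 and run 2 as quoted in the post; the index is inferred from (scan3 addr - RCX) / 8
RUN1 = build_memory(0xE2AA6050, 0x98581, 0x9D95C310, 0xA38E4060, 32.0)
RUN2 = build_memory(0x10BAC2050, 0x98584, 0x9D70B2B0, 0xA0D6DF40, 32.0)
```

The addresses returned at each level match the post's scan results for both runs, and only the index changes between runs, so that level has to be read as base + index*8 with the current index rather than as one stored offset.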