What are pointers?
xeratal
Advanced Cheater
Reputation: 1

Joined: 05 Nov 2005
Posts: 93

Posted: Sun Nov 06, 2005 4:21 am

I think I figured out how to find the pointer pointing to the pointer:
"example of a more complicated instruction:
[EAX*2+EDX+00000310] eax=4C and edx=00801234.
In this case EDX would be the value the pointer has, and EAX*2+00000310 the offset, so the offset you'd fill in
would be 2*4C+00000310=3A8. (this is all in hex, use calc.exe from windows in scientific mode to calculate)"
However, I'm now wondering how you know eax = 4C?
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25252
Location: The netherlands

Posted: Sun Nov 06, 2005 8:02 am

eax may be an array element indicator or structure number.
in some games it may be the player number.

e.g. for units: the first unit would be 0, the 2nd unit would be 1, the 3rd unit would be 2, etc...

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
xeratal
Advanced Cheater
Reputation: 1

Joined: 05 Nov 2005
Posts: 93

Posted: Sun Nov 06, 2005 11:09 pm

This is what writes to the address of the first pointer - I'm currently attempting to get the 2nd one.
>>00455ecd - mov [edx+00000310], eax (Red highlight)
Pointer value probably 00902B78
So I search 00902B78, and I get 00902E88
EDX value from the table given in extra info is 00902B78,
so I calculate 902B78+310 in my scientific calculator (hex mode)
I get "902E88" - and if I read your tutorial correctly, that is the offset
So I add address manually, check pointer - Address of pointer "00902E88" Offset "902E88"
Then I get a "??" value
Can anyone shed some light on this part?
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25252
Location: The netherlands

Posted: Mon Nov 07, 2005 4:13 am

no, you are right that the address of the pointer is 00902E88
but the offset is just 310

the value at 00902e88 contains the value 00902b78
the offset just increases the value returned at that address, so 00902b78+310 = 902e88 (the address of the first pointer)

and the value stored at 902e88+0 contains the address to the value you need.

so the notation would be:
add pointer 2 times
at the bottom 00902b78
then from bottom to top: 310, 0

xeratal
Advanced Cheater
Reputation: 1

Joined: 05 Nov 2005
Posts: 93

Posted: Mon Nov 07, 2005 9:12 am

What do you mean by from bottom to top 310, 0?
I tried the tutorial again
1st Pointer - 0090AF14
2nd Pointer - 0090AC04+310 (90AF14)
I clicked add address manually
Tick pointer
Click add pointer
At the bottom "Address of pointer", I put the 2nd pointer, 0090AC04 with offset of 310, leaving the top part blank
But I get an address which is not my value
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25252
Location: The netherlands

Posted: Mon Nov 07, 2005 11:09 am

ehrm, sorry about that, it seems that the tutorial with 5.1.1 is only a level 1 pointer
the pointer to the address is 0045AC34, and that is a static address

here's a screenshot of how it should look

[attachment: pointer.PNG, 10.95 KB]

xeratal
Advanced Cheater
Reputation: 1

Joined: 05 Nov 2005
Posts: 93

Posted: Mon Nov 07, 2005 11:11 pm

Thanks, come to think of it, I did it correctly last time. Don't know why when I opened my tutorial it gave me a "??" value. But anyway, why is my value in add address manually 904EE4 while yours is different? Or were you not using the tutorial?
Don't know why, but now that I read your tutorial it seems so easy
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25252
Location: The netherlands

Posted: Tue Nov 08, 2005 4:52 am

That is because I scanned the pointer for the value in step 2
ClaireValentine
Newbie cheater
Reputation: 0

Joined: 25 Nov 2005
Posts: 11

Posted: Fri Nov 25, 2005 7:51 am

Hi Dark Byte, hi everyone,
I'm quite new to Cheat Engine, so excuse me if I ask stupid questions, but I'm trying to make a trainer for NFS: Most Wanted and I'm somehow stuck...
It uses DMA and comes up with the 87-error (strangely your workaround with the physical address works only in v.5.0 for me, 5.1.1 crashes with an access violation), and this is what I got:
I tried to start with a simple money trainer, searched for my exact value, got 2B9CEC4 for the address, set the value to 9999999 and checked -> worked.
But since it's dynamic I tried to find the respective pointer.
So I tried "what writes to" and found an address executing as follows:
mov [ecx+0c], eax with ecx=02B9CEB8 (so ecx+0c = my address, which seems right).
But now I tried a hex search for 02B9CEB8 and it returned 0 findings.
Tried many times already, but it never works for me...
What am I doing wrong???

Regards,
G.

_________________
All the excitement of a trip to hell - without the negative side-effects
Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Fri Nov 25, 2005 8:22 am

It's your lucky day...

I'm currently building out a fully featured trainer for NFS-MW. The first thing I must say is that, if you're learning how to find pointer paths, this is hands down the easiest game I've seen to do it with (you know, aside from minesweeper).

(trainer is here) http://forum.cheatengine.org/viewtopic.php?t=4618

The only problem is that it blocks attachment of a debugger, but the ASM actually gives perfect pointer paths, usually within 2-3 lines of code right next to each other.

This usually isn't the case with most games, as they build extensive pointers, but so far, I've only found L1 and L2 pointers.

This code reads from player Ranking...
0056ac38 - 8a 88 b0 00 00 00 - mov cl,[eax+000000b0]

Now, when finding pointers, one way to do it, is to back-track and find out how the register that holds the address got to be what it is. In this case, that register is EAX...

I scroll up a few lines and omfg.... It's all right here..

0056ac10 - mov eax,[0091bf50]
0056ac15 - mov eax,[eax+10]
0056ac18 - mov cl,[eax+000000ac]
0056ac1e - sub esp,70
0056ac21 - push ebx
0056ac22 - push ebp
0056ac23 - push esi
0056ac24 - mov esi,[esp+00000080]
0056ac2b - xor ebx,ebx
0056ac2d - test cl,01
0056ac30 - push edi
0056ac31 - mov ebp,00000001
0056ac36 - je 0056ac44
0056ac38 - mov cl,[eax+000000b0]

The top 2 lines are defining EAX... The bottom line reads from eax+b0
0056ac10 - mov eax,[0091bf50]
0056ac15 - mov eax,[eax+10]
(between-lines removed)
0056ac38 - mov cl,[eax+000000b0]

Whenever your pointer register gets its data from an actual address (i.e. mov eax, [0091BF50]) You have found the base pointer, which usually turns out to be THE base pointer for all the values (although it does split for certain values, as you drill down).

So, my pointer path for this would be 2 levels deep. Starting at 0091BF50 + 10 + b0

It just so happens that player money is +4 bytes away from this value. So a 2 level deep pointer, starting at 0091BF50 +10 +b4 = Money!

That base pointer is used in almost every single pointer resolve as well.

I'll release the table once my trainer is complete, but until then, learn yer arse off about all this pointer stuff, as learning it without using an attachable debugger = awesome (harder, but this game makes it so frickin easy, as the example shows above).

- Zhoul

*edit*

You had pasted in a little bit of ASM ...

mov [ecx+0c], eax with ecx=02B9CEB8 (so ecx+0c = my address , which seems right so).

I Guaran-Damn-Tee ya, that you can find out how ECX became ECX, the same exact way , only a few lines above the actual write code.
ClaireValentine
Newbie cheater
Reputation: 0

Joined: 25 Nov 2005
Posts: 11

Posted: Fri Nov 25, 2005 8:51 am

Cool, thanks a lot! Only thing is, now that I see the code, it makes perfect sense to me, but I still wonder why I'm unable to find that pointer address...
See, I got my value, searched for it and got the matching address, in my case the 2B9CEC4. Now I ran a "what writes to" search and got [ecx+0c] with ecx=02B9CEB8. If I check this one with the "what does it write to" it pops out the first one, so it fits. If I NOP this pointer I can also freeze my money perfectly, but if I set it to a specific value it gets overwritten (since, as you found, there's an L2 pointer above it). Yet I'm unable to find that one; if I hex search for the ecx it always returns nothing. Drives me mad, you know?!
Don't know what I'm doing wrong, just want to fix my errors in case I try a harder game next time...

Regards,
G.

Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Fri Nov 25, 2005 9:50 am

The first and foremost thing to remember, is that there are near infinite ways to find pointer paths. The way I described and the way you are describing are 2 completely different methods.

Try the method I described with some of your values and see how it works.

Onto the method you described:

"See, i got my value, searched for it and got the matching address, in my case the 2B9CEC4. Now i ran a "what writes to" search and got [ecx+0c] with ecx=02B9CEB8."

This first step is indeed the proper way to start the method.

"If i check this one with the "what does it write to" it pops out the first one, so it fits."

*GONGGGGGG* - This is the first place you've done messed up the method

02B9CEB8 only "holds" the value to the next level (which happens to be the last level in this case). *IT* doesn't actually write to anything at-all. The *only* thing that writes to anything, is assembly code. The rest is just 'scratch paper' for the assembly to work with.

What you want to do here, is find out what reads from this address. You will get another register with another address, and keep doing this process until you reach the end of the line.

This method is by far not the best method to use, as it can break easily along the path. Hard to describe why, as there are a thousand reasons (which you'll learn on your own, as you get good at the method I described first). It's even possible to resolve a 'working' pointer path, but the path isn't *really* a true path.. just one that 'just happens' to work, until you restart the game. I was using this method at first, and when I kept finding 15 level deep pointers, I knew something was wrong. Then I really knew something was wrong when it broke the next time I restarted the game (talk about being driven mad) =)

You might also find interest in this article...

http://forum.cheatengine.org/viewtopic.php?t=4606

That is an ENTIRELY different way to work with.. *ahem* ... self-created pointers. It has nothing to do with the two methods we talked about in this thread (I can't stress enough the importance of knowing that there are a lot of VERY different ways to do this whole pointer thing)

- Zhoul
Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Fri Nov 25, 2005 10:15 am

"If i nop this pointer i can also freeze my money perfectly"


Whoa! I forgot to reply to this..

NOPing pointers isn't a good thing at all.. Here's what happens when you 90909090 a pointer.


Example of a game finding a pointer path.

Mov eax, [edi+0c] - eax now equals 00123456
Mov edi, [eax+0c] - edi now equals 00654321
Mov eax, [edi+0c] - eax now equals 00789012
Mov [eax+0c], edx - This code writes to 00789012+0c

Ok, let's say you NOP the value at 00654321. All you are doing is making the 'address' it points to 90909090.

When the game goes to resolve the pointer path, this would happen...

Mov eax, [edi+0c] - eax now equals 00123456
Mov edi, [eax+0c] - edi now equals 90909090
Mov eax, [edi+0c] - eax now equals 0
Mov [eax+0c], edx - This code writes to 0+0c

So, in a way, this does indeed freeze your money, but you've just completely broken an ENTIRE pointer path. This will affect MANY things in the game, not just money, because now the game can't use that path to get anywhere near any other values that are in the same 'block' as money.

Another thing you eventually learn, is that pointer paths to different values are
1. The same exact path as another value, just with a different modifier.. i.e. end registers being eax+0c eax+10 eax+14 eax+18 etc
2. If values don't use the same exact path, then they use a similar 'starting' path.

Example:

With the B&W 2 trainer, I created 3 'groups' of values, based on their pointer paths. That is, each group contained the same pointer path, and the last +whatever modifier is the only difference.


i.e.
Group 1 (partial list)
Creature Muscle pointer path = 018E8E68 + 1BB90 + 2B0 + 4C + 10C
Creature Fitness pointer path = 018E8E68 + 1BB90 + 2B0 + 4C + 110
Creature Tiredness pointer path = 018E8E68 + 1BB90 + 2B0 + 4C + 114
Creature Height pointer path = 018E8E68 + 1BB90 + 2B0 + 4C + 118

Group 2 (partial list)
Anger = 018E8E68 + 1BB90 + 2B8 + 74
Fear = 018E8E68 + 1BB90 + 2B8 + 94
Boredom = 018E8E68 + 1BB90 + 2B8 + B4
Happiness = 018E8E68 + 1BB90 + 2B8 + C8


As you can see, if you had broken the pointer path at 018E8E68+1BB90, then the entire chain would collapse.

I'm just surprised your game didn't crash, but then again, you were NOP'n either the code that reads the ending pointer, or NOP'n the end pointer itself, so this would only affect anything in the same memory block as your money (i.e. experience, or whatever).

You do get an A for effort, as your story sounds exactly like mine. That is, how I learned how to work with pointers (or shall I say, how *not* to work with them /grin)
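A constructed model of what Zhoul describes above (the base + 10 + b0 path from the NFS-MW listing, and what 90909090 in an intermediate pointer slot does to it), added here as an example; it is not Zhoul's or Cheat Engine's code. The static base 0091BF50 and offsets come from the thread; the object address 00910000, the player block 00912000 and the stored values are made up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit "process image": one region of fake memory. Anything
 * outside it counts as unmapped, the way a real read there would fault. */
#define IMG_BASE 0x00900000u
#define IMG_SIZE 0x20000u
static uint8_t img[IMG_SIZE];

static bool read32(uint32_t addr, uint32_t *out) {
    if (addr < IMG_BASE || addr > IMG_BASE + IMG_SIZE - 4) return false;
    memcpy(out, &img[addr - IMG_BASE], 4);  /* little-endian host assumed */
    return true;
}

static void write32(uint32_t addr, uint32_t v) {  /* callers stay in-image */
    memcpy(&img[addr - IMG_BASE], &v, 4);
}

/* Resolve a path written the Cheat Engine way: static base, then offsets.
 * Every offset but the last is followed by a dereference; the last one is
 * where the value lives, so "0091BF50 + 10 + b0" is eax=[0091BF50];
 * eax=[eax+10]; value at eax+b0. Returns 0 when any read fails (a final
 * address Cheat Engine cannot read is what it displays as "??"). */
static uint32_t resolve_path(uint32_t base, const uint32_t *off, size_t n) {
    uint32_t cur, probe;
    if (n == 0 || !read32(base, &cur)) return 0;
    for (size_t i = 0; i + 1 < n; i++)
        if (!read32(cur + off[i], &cur)) return 0;
    cur += off[n - 1];
    return read32(cur, &probe) ? cur : 0;
}

static uint32_t value_at(uint32_t addr) {
    uint32_t v;
    return read32(addr, &v) ? v : 0;
}

/* Constructed layout mirroring the NFS-MW snippet in the thread:
 * [0091BF50] -> object at 00910000 (made up), whose +10 slot -> player
 * block at 00912000 (made up), where +b0 is ranking and +b4 is money. */
static void build_image(void) {
    memset(img, 0, sizeof img);
    write32(0x0091BF50u, 0x00910000u);
    write32(0x00910010u, 0x00912000u);
    write32(0x009120B0u, 3u);       /* ranking, constructed value */
    write32(0x009120B4u, 150000u);  /* money, constructed value */
}

static const uint32_t RANK_PATH[]  = { 0x10u, 0xB0u };
static const uint32_t MONEY_PATH[] = { 0x10u, 0xB4u };

/* "NOPing the pointer": overwrite the shared +10 slot with 90909090. The
 * money path now runs off to 90909144, which nothing maps, and every other
 * path through that slot (ranking included) breaks the same way. */
static bool money_path_resolves_after_nop(void) {
    build_image();
    write32(0x00910010u, 0x90909090u);
    return resolve_path(0x0091BF50u, MONEY_PATH, 2) != 0;
}
```

The two paths differ only in their last offset, which is the "same path, different modifier" pattern from the B&W 2 groups above.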
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25252
Location: The netherlands

Posted: Fri Nov 25, 2005 11:25 am

actually, he used find out what writes to this address and nopped that. (not really the pointer, but the instruction)

But yes, nopping the value of a pointer is a bad thing....

ClaireValentine
Newbie cheater
Reputation: 0

Joined: 25 Nov 2005
Posts: 11

Posted: Fri Nov 25, 2005 3:16 pm

Woah! First of all, thumbs up for your effort in my issue. That much work and generous insight, complete with an intelligent approach to understanding what might have/has led me to what I did, isn't very common around. I try to do so myself for those newbies at the Asus W1N forum, so it's nice to know there are others like me out there. Thanks again... See, I'm pretty new to this sort of deeper insight into a program's work; being an MD I have earned myself some status as a sys-admin of some small companies and our clinic, yet simply keeping a network up and running and actually messing with a program's code are surely different things... I've always regarded myself as a quick learner (speaking of computing, that is), yet I had to learn by yesterday what mov means at all, so I didn't quite dare to look at the code and try to work it out by myself; I mainly took the tutorial approach on this one, that's where all this NOPing came from... Thanks to you I now think I'm on my way to understanding the first steps I have to take, yet the one question stays: Why am I not able to find anything in hex mode after I found that first pointer? Is there a mistake in my approach or might the game or something else mess up the process? I really have no clue on this one...

And for that pointer instruction NOPing, I mainly did that to test if the pointer was the right one at all; I used the "what does THIS write to" on the pointer itself and it returned only the address where my value was stored, so I thought it should be quite safe to NOP its write instruction. More of a workaround, not getting anywhere deeper than that pointer.

Ah, and just since you mentioned it, I think Dark Byte's recommendation for the debugger attaching problem posted here:
http://forum.cheatengine.org/viewtopic.php?t=2338
works with NFS. At least I am able to attach one after editing those 4 Bytes.
Right now I'm off and trying to get some feeling for "your" method, miles to go though *sigh*
Regards,
G.
