Cheat Engine

glass660 · How do I cheat? Reputation: 0 Joined: 07 Nov 2009 Posts: 4

Hi, I'm hoping if someone could answer what the Cheat Engine actually considers a green "static address" as. Is it a variable in the .DATA section of the exe/process? Or is it a variable in the top level stack frame? I checked out the SVN repos for the Cheat Engine, but I couldn't find the code for identifying green "static addresses". This is mostly out of curiosity- thanks!

Dark Byte · Posted: Sat Nov 07, 2009 5:52 am Post subject:

static addresses are all addresses defined in the module. So not only .data, but also .text and even the resources. Those addresses will not change no matter how often you load them and under what circumstances

So, ce gets the module base address, and the module size. And anything that falls inside that range, is marked as a static address

glass660 · How do I cheat? Reputation: 0 Joined: 07 Nov 2009 Posts: 4

Thank you for the response Dark Byte. I've just started learning how to hack games, so I'm hoping you can answer a question or two more.

I can understand how addresses to the .data section are static ones, but I don't understand how an address that's referenced in the .text section can be a constant one. If local variables are referenced as an offset to the EBP register (where EBP is used as the pointer in stack memory to the current stack frame), can't the place in stack memory that EBP points to change depending on the flow of the program, and thereby making the absolute offsets invalid? For example, if a game runs once with the stack looking like:

--------------
GameStruct* pGame
function main
--------------

but the game is run again and instead it's:

--------------
GameStruct* pGame
function someFunc
function main
--------------

How would you be able to obtain a static address to pGame?

ChainRule · Cheater Reputation: 1 Joined: 21 Jan 2008 Posts: 40

Umm, modular address I think. Correct me if I am wrong, but each time a program is loaded, the offset will the same; however, the address at which the program is loaded into could be different. However, we do know that the program has to start somewhere (main()) and then follows the same pile of code unless it's patched into a new version. So, we can use address like:

game.exe + 1234BF

knowing that 1234BF would be constant (the offset) we can always use that as a base reference and locate other things.

Dark Byte · Posted: Tue Nov 10, 2009 6:24 am Post subject:

first:

glass660 · How do I cheat? Reputation: 0 Joined: 07 Nov 2009 Posts: 4

Thanks for your response. More specifically, I was imagining a scenario like this:

Dark Byte · Posted: Wed Nov 11, 2009 11:43 pm Post subject:

in that case you do code injection (e.g at the 'new' of GameClass to store all pointer objects created of type GameClass), or have 2 pointers based on the stack

also, depending on the rest of the code there might be ways to trace back to a static address (os version dependant or not)

example:
If the game uses a library for sound and it has to initialize it with pointers to data objects in the class or a class it owns. Let's say the sound module stores some of the pointers in static addresses for quick reference or event based stuff

So, the pointerpath would then go : soundmodule.dll(soundclass)->gameSoundManagerClass->GameClass (if gamesoundManagerClass is a class owned by the GameClass object and there's a link back to the owner object)

glass660 · How do I cheat? Reputation: 0 Joined: 07 Nov 2009 Posts: 4

Ah-I get it now. Thanks for the helpful info Dark Byte.