Cheat Engine The Official Site of Cheat Engine
william22 How do I cheat?
Reputation: 0
Joined: 16 Jun 2013 Posts: 6
Posted: Sun Jun 16, 2013 2:26 am Post subject: Get values from application and use in own program
I'm trying to get some data from an application.
First I tried to get the caption under the cursor programmatically, but that didn't work because the application is using a non-standard control.
Then I started searching for the value (double) in Cheat Engine and was able to find the address. I'm aware that this address is on stack memory and is always changing (Windows 8 x64).
If only the data was on a standard control I could read the caption.
So I started thinking about injecting a piece of code in a codecave that will print this data in the form's (window) caption.
That's however a bit hard to do and needs a change to the application's exe file.
Can someone think of a safer/easier way of getting the data needed?
By the way, it's a navigation application and I'm trying to get the speed displayed in a custom panel.
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Sun Jun 16, 2013 3:21 am
You say it's on the stack, but you were able to find it with cheat engine, so I guess it's not overly volatile. Try "find out what accesses this address" and for each result, show disassembler->"find out what addresses this instruction accesses". If there is one instruction that only accesses your double, hook it so that it stores a copy of the desired double in a convenient location (I can give more detailed instructions about that if you find an instruction that is only used to access your speed).
Also, does your program have a static or dynamic image base? Is it 32- or 64-bit? Do you know in what language it has been written (if it's in .NET just go find a decompiler)?
william22 How do I cheat?
Reputation: 0
Joined: 16 Jun 2013 Posts: 6
Posted: Sun Jun 16, 2013 4:28 am
Hi, thanks for helping.
The program is created with Borland Delphi.
I know my way in Ollydbg:
>wanted to post a picture, but I'm not allowed (see attachment)<
Quote: "You say it's on the stack, but you were able to find it with cheat engine"
I thought all values found in memory are on the stack. Maybe my mistake.
Quote: "If there is one instruction that only accesses your double, hook it so that it stores a copy of the desired double in a convenient location"
The double is converted by the application to a string. How do I get the string to a convenient location?
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Sun Jun 16, 2013 2:16 pm
william22 wrote: "I thought all values found in memory are on the stack. Maybe my mistake."
Ouch, yes, quite. In Olly go to view->memory map and find the region inside which ESP points: this is the stack. All other regions are either mapped file sections (when there is something in the "owner" column) or the heap (for all others that are not just free space).
As a result I assume your double simply is on the heap, so before trying any .exe modification, see if you can find a stable pointer to it (find value in cheat engine->pointer scanner, don't forget to restart the application THEN do rescans). Once you get a stable pointer, it just takes a bunch of ReadProcessMemory calls to import the double into your program. You might need an EnumProcessModules or CreateToolhelp32Snapshot if your application has a dynamic image base.
william22 wrote: "The double is converted by the application to a string. How do I get the string to a convenient location?"
I'd recommend reading the speed as a double and then converting it to a string in your application; this is because a double has a constant length of 8 bytes, while a string has a variable length (thus handling it in asm is a bit more complicated).
Is there any particular reason you absolutely need to get the string instead of the double?
william22 How do I cheat?
Reputation: 0
Joined: 16 Jun 2013 Posts: 6
Posted: Sun Jun 16, 2013 6:56 pm
You're right about the string. I'm already focusing on the double.
My application can get the double from memory, already tested, but when the program is restarted the pointer changes.
I tried using CE to find the pointer, but didn't figure out how the rescan really works.
Looking into it tomorrow, hopefully with a fresh look at it.
Thanks so far.
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Sun Jun 16, 2013 7:53 pm
william22 wrote: "I tried using CE to find the pointer, but didn't figure out how the rescan really works."
Pointerscanning 101:
1-find your value in CE
2-right click->pointerscan
3-when you've got the results, make your application reallocate your variable (restart application, reboot computer, load a savegame, or start a new game when applicable)
4-find the new address of your value in CE
5-rescan pointers, giving the new address
6-go back to step 3 unless doing rescans doesn't decrease the number of results, in which case pick the sexiest remaining result
Basically step 2 means "find all pointers that end on my speed" and step 5 means "amongst all results, find those which -after reallocation- still point to the speed". There is an option at step 5 which is "find all pointers that point to a double that is worth xxx" that spares you step 4, but floating point accuracy might cause problems, so use it at your own risk with floats/doubles.
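As an added illustration of these six steps (this is not code from the thread or from Cheat Engine), the following Python models the pointer scan on a constructed snapshot of a 32-bit process: memory is a dict of little-endian dwords, `resolve` walks a chain the way CE lists it (static address, read pointer, add offset), and `rescan` keeps only the chains that still land on the speed after the application has reallocated its object. Chains start at a module-relative address so the same chain survives a relocated (ASLR) image base, which is the "dynamic image base" point raised earlier. All addresses, module bases and candidate chains here are constructed sample values; `rescan_by_value` is the "pointers to a double worth xxx" variant, with the tolerance that float comparison needs.

```python
import math
import struct


class Snapshot:
    """One observation of the target process (constructed, not a real process):
    little-endian dwords keyed by address, the main module's image base, and the
    address at which the speed double was found by a value scan."""

    def __init__(self, module_base, words, speed_addr):
        self.module_base = module_base
        self.words = words
        self.speed_addr = speed_addr

    def read_u32(self, addr):
        # Stand-in for a 4-byte ReadProcessMemory; None if nothing is mapped there
        return self.words.get(addr)

    def read_f64(self, addr):
        lo, hi = self.read_u32(addr), self.read_u32(addr + 4)
        if lo is None or hi is None:
            return None
        return struct.unpack('<d', struct.pack('<II', lo, hi))[0]


def resolve(snap, base_rva, offsets):
    """Walk a chain: start at module_base+base_rva, read a pointer, add the
    offset, repeat. The final address is where the value lives."""
    addr = snap.module_base + base_rva
    for off in offsets:
        ptr = snap.read_u32(addr)
        if ptr is None:
            return None
        addr = ptr + off
    return addr


def rescan(candidates, snapshots):
    """Step 5: keep chains that resolve to the speed address in every snapshot."""
    return [c for c in candidates
            if all(resolve(s, *c) == s.speed_addr for s in snapshots)]


def rescan_by_value(candidates, snap, expected, rel_tol=1e-9):
    """The 'pointers to a double worth xxx' variant: compares values instead of
    addresses, with a tolerance because exact float equality is fragile."""
    kept = []
    for c in candidates:
        addr = resolve(snap, *c)
        val = snap.read_f64(addr) if addr is not None else None
        if val is not None and math.isclose(val, expected, rel_tol=rel_tol):
            kept.append(c)
    return kept


def put_f64(words, addr, value):
    words[addr], words[addr + 4] = struct.unpack('<II', struct.pack('<d', value))


def build_snapshots():
    """Two constructed runs of the app. Run A: module at 0x400000, object on the
    heap at 0x045785A0. Run B (after a restart): module relocated to 0x680000,
    object reallocated at 0x05112000."""
    a = {0x10C2190: 0x045785A0,   # real static pointer -> object
         0x10C2200: 0x04578000}   # unrelated pointer that only works in run A by coincidence
    put_f64(a, 0x045785A0 + 0x1E8C, 12.5)
    b = {0x1342190: 0x05112000,
         0x1342200: 0x05110000}
    put_f64(b, 0x05112000 + 0x1E8C, 13.0)
    return Snapshot(0x400000, a, 0x0457A42C), Snapshot(0x680000, b, 0x05113E8C)


# Result of the first scan (step 2): every chain that ends on the speed in run A.
# The decoy reaches it through 0x04578000 + 0x242C.
CANDIDATES = [(0xCC2190, [0x1E8C]), (0xCC2200, [0x242C])]


def surviving_chains():
    """Steps 3-5 applied once: only the chain valid in both runs remains."""
    return rescan(CANDIDATES, build_snapshots())


if __name__ == '__main__':
    print(surviving_chains())
```

The first scan keeps both candidates because both land on the speed in run A; the rescan with run B throws out the decoy, which is exactly why step 3 (reallocation) has to happen before each rescan.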
william22 How do I cheat?
Reputation: 0
Joined: 16 Jun 2013 Posts: 6
Posted: Mon Jun 17, 2013 9:26 am
I'm keeping around 580000 pointers after multiple restarts.
Need to find another approach.
I would like to add some ASM in the program that copies some memory location to a known memory location (external).
Too bad I don't know how to get this done.
I know that ESP holds the pointer to the memory location.
I know how to create a codecave, but don't know how to start.
A simple MOV [00ED000], ESP doesn't work of course.
I don't even know what destination address to use.
Grrrr, getting hopeless on this
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Mon Jun 17, 2013 4:23 pm
william22 wrote: "I'm keeping around 580000 pointers after multiple restarts. Need to find another approach."
Nope. If you've got many good pointers, just pick a random one, no need to find The True Pointer. Honestly in my hacker's life, finding The True Pointer only happened twice: once in the cheat engine tutorial, and once in a "real-life" game.
william22 wrote: "I would like to add some ASM in the program that copies some memory location to a known memory location (external)."
For that I need to know if your program has a dynamic or static image base. Also the known memory location will be within the GPS application's internal memory space. FindWindow, GetWindowThreadProcessId, OpenProcess, WriteProcessMemory all in asm to write directly into your custom application would be a needless overhead.
My idea is to make your GPS app have a static base if it hasn't already, use the last bytes of the .code/.text section to store the copying code (ollydbg disassembler window->press "end" key->scroll up until you find some code, write your code just below) and use the last 8 bytes of the .data section to store the double. If this goes well, your double should always be stored at a constant address. However, since you have many valid pointers I recommend you try pointers first.
static base = MyProgram.exe is always loaded at the same address (usually 0x400000)
dynamic base = ASLR enabled program = MyProgram.exe is always loaded at a different address
william22 How do I cheat?
Reputation: 0
Joined: 16 Jun 2013 Posts: 6
Posted: Tue Jun 18, 2013 1:48 pm
Thanks for the help.
I got it working. I copied the data to almost the end of the file and from there I can read the hex values and convert them to a double in Delphi:
Code:
// Needs Windows (ReadProcessMemory) and SysUtils (IntToHex, StrToInt64, FloatToStr) in the uses clause.
// PidHandle is the process handle obtained from OpenProcess.

//Read 4 bytes from memory
function peek4(Address: Cardinal): Cardinal;
var
  Data: Cardinal;
  BytesRead: Cardinal;
begin
  ReadProcessMemory(PidHandle, Pointer(Address), @Data, SizeOf(Data), BytesRead);
  Result:= Data;
end;

function StrToCardinal(const s:string):cardinal;
var
  h: int64;
begin
  h:=StrToInt64(s);
  result:=h;
end;

procedure TForm1.Button11Click(Sender: TObject);
Var Data1, Data2: Cardinal;
  Str1, Str2: String;
  r1,r2,r3: double;
begin
  Data1:= $10C2190;              // static address filled by the asm patch
  Data1:=Peek4(Data1);           // read the pointer to the object holding the speed
  Str1:= '$' + IntToHex(Data1,8);
  Data2:= Data1 + 7820;          // 1st 4 bytes at +$1E8C (low dword of the double)
  Data1:= Data1 + 7824;          // next 4 bytes at +$1E90 (high dword; a double is 8 bytes)
  Str1:= '$' + IntToHex(Data1,8); // i.e. $0457A430
  Str2:= '$' + IntToHex(Data2,8); // i.e. $0457A42C
  Data1:= StrToCardinal(Str1);   // own function
  Data2:= StrToCardinal(Str2);
  Data1:=Peek4(Data1);
  Data2:=Peek4(Data2);
  Str1:= IntToHex(Data1,8);      // high dword first, then low dword: 16 hex digits of the IEEE-754 double
  Str1:= Str1 + IntToHex(Data2,8);
  r1:= HexToDouble(Str1);        // own helper: reinterpret the 16 hex digits as a double
  r2:= 1.8520000015630878620;    // knots to Km/hour
  r3:= r1 * r2;
  r3:= Round(r3 *10) /10;        // round to 1 decimal
  Form1.Caption:= FloatToStr(r3);
  //Memo1.Lines.Append(FloatTostr(r3));
end;
And a small patch I made in Ollydbg:
Code: MOV DWORD PTR DS:[10C2190],EDX
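As an added illustration (not the thread's own code), here is the same read-and-decode done in Python against a constructed stand-in for the process. It makes explicit what the Delphi code relies on without saying so: the two 4-byte reads at +$1E8C and +$1E90 are the low and high dwords of a little-endian IEEE-754 double, so the IntToHex concatenation only yields the right value when the high dword comes first, and `struct` does the same reinterpretation in one step. The 4-byte reader is injected so the flow can run here against a dict (constructed values mirroring the addresses in the post: pointer at $10C2190, object at $045785A0, speed in knots) or against a real `ReadProcessMemory` wrapper.

```python
import struct

KNOTS_TO_KMH = 1.852  # 1 nautical mile = 1852 m; the post uses 1.8520000015630878620


def make_fake_memory(speed_knots):
    """Constructed stand-in for the target process: dword values keyed by address."""
    obj = 0x045785A0                      # heap object the static pointer refers to
    lo, hi = struct.unpack('<II', struct.pack('<d', speed_knots))
    return {0x10C2190: obj, obj + 0x1E8C: lo, obj + 0x1E90: hi}


def double_from_dwords(low, high):
    """Two 4-byte ReadProcessMemory results -> the double they spell. x86 is
    little-endian, so the dword at the lower address is the low half."""
    return struct.unpack('<d', struct.pack('<II', low, high))[0]


def double_from_hex_concat(first, second):
    """The post's HexToDouble route: IntToHex(first,8)+IntToHex(second,8) parsed
    as a 64-bit bit pattern. Correct only when `first` is the high dword."""
    bits = int('%08X%08X' % (first, second), 16)
    return struct.unpack('<d', struct.pack('<Q', bits))[0]


def knots_to_kmh(knots, decimals=1):
    # Round(r3*10)/10 in the post keeps one decimal, not two
    return round(knots * KNOTS_TO_KMH, decimals)


def read_speed_kmh(peek4, static_ptr=0x10C2190, offset=0x1E8C):
    """Same flow as Button11Click: follow the static pointer, read the two
    dwords of the double at +offset, decode, convert to km/h."""
    obj = peek4(static_ptr)
    low, high = peek4(obj + offset), peek4(obj + offset + 4)
    return knots_to_kmh(double_from_dwords(low, high))


if __name__ == '__main__':
    mem = make_fake_memory(54.0)
    print(read_speed_kmh(mem.__getitem__))  # 100.0
```

Reading the double in one 8-byte call (as in the optimized version further down the thread) removes the dword-order question entirely, which is a good reason to prefer it over two reads and a hex string.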
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Tue Jun 18, 2013 6:45 pm
Good job getting it to work!
Ok, so your pointer is [10C2190]+1E8C with your asm patch. I take it your exe has a static base, or your asm patch won't work for long. And I assume Str1 & Str2 are there to help debugging. Still I couldn't resist optimizing parts of your code:
Code:
//Read 4 bytes from memory
function peek4(Address: Cardinal): Cardinal;
var
  Data: Cardinal;
  ReadCount: Cardinal;
begin
  ReadProcessMemory(PidHandle, Pointer(Address), @Data, SizeOf(Data), ReadCount);
  Result:= Data;
end;

//Read a double (8 bytes) from memory in one call
function peekDouble(Address: Cardinal): double;
var
  Data: double;
  ReadCount: Cardinal;
begin
  // read into the Data variable, not into the type name
  ReadProcessMemory(PidHandle, Pointer(Address), @Data, SizeOf(Data), ReadCount);
  Result:= Data;
end;

function StrToCardinal(const s:string):cardinal;
var
  h: int64;
begin
  h:=StrToInt64(s);
  result:=h;
end;

procedure TForm1.Button11Click(Sender: TObject);
Var Data1: Cardinal;
  r1,r3: double;
begin
  Data1:= $10C2190;
  Data1:= Peek4(Data1);
  Data1:= Data1 + 7820;              // $1E8C: the double starts at its low dword, not at +7824
  r1:=peekDouble(Data1);
  r3:= r1 * 1.8520000015630878620;   //r3=r1 in Km/hour
  //r3:= Round(r3 *10) /10;          //Round to 1 decimal
  Form1.Caption:= FloatToStrF(r3, ffFixed, 8, 2); //display r3 with max 8 digits, with 2 decimals
  //Memo1.Lines.Append(FloatTostr(r3));
end;
I don't code often in Delphi and I don't have a Delphi compiler atm so there might be errors in that code.
william22 How do I cheat?
Reputation: 0
Joined: 16 Jun 2013 Posts: 6
Posted: Wed Jun 19, 2013 1:07 am
Quote: "Ok, so your pointer is [10C2190]+1E8C with your asm patch. I take it your exe has a static base, or your asm patch won't work for long. And I assume Str1 & Str2 are there to help debugging. Still I couldn't resist optimizing parts of your code:"
Haha, you're right. That's for debugging.
The code is working while the program has a static base.
I was just so happy that it worked and wanted you to know.
Next job, optimizing the code
Thanks for helping me. Without you I would have already given up.
PS. Sorry for the bad English, greetings from Holland.