Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Can't find any static address...
Goto page 1, 2, 3, 4  Next
 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
vmv
Cheater
Reputation: 0

Joined: 29 Jun 2013
Posts: 32

PostPosted: Sun Jun 30, 2013 2:06 am    Post subject: Can't find any static address... Reply with quote

Hello,

I really need some help with an address of a game, because i can't find any static base address. I tried with auto "pointer scan for this address" until level 15 and 5000+ offset value, but the addresses are always flickering, none of them stays fixed Sad.
I was reading this forum and i saw something about aobscan, but i can't really understand it.
Here is the addres that is always fixed, and the rest of the addresses.
Is there any way to change the value of this address with aobscan(aa) and after that to export into c++ ?

Thank you,.



fixed_cr.png
 Description:
 Filesize:  46.15 KB
 Viewed:  13741 Time(s)

fixed_cr.png


Back to top
View user's profile Send private message
TsTg
Master Cheater
Reputation: 5

Joined: 12 Dec 2012
Posts: 340
Location: Somewhere....

PostPosted: Sun Jun 30, 2013 3:42 am    Post subject: Reply with quote

It looks like this is a code from a DLL, to get the image base,in cheat engine's menu, use 'View-->Enumerate DLLs and Symbols', then find the 'game.dll'

-For finding it using C++, you can use functions CreateToolHelpSnapshot, Module32First and Module32Next to find the base of dll inside the process.



For an AOB scan, you can try this:


Code:
[ENABLE]
RegisterSymbol(MyCode)
label(MyCode)
aobscan(MyCode,5E 74 16 66 8B 4D 08 66 8B 55 0C 66 89 88 E8 04 00 00 66 89 90 EA 04 00 00 8B E5 5D C2 08 00)


MyCode+12:    //the +12 will shift the hack to the mov [eax+000004EA],dx instruction, this because the scan start from the pop esi instruction

//Now put your new instruction or hack here

[DISABLE]
MyCode+12:
mov [eax+000004EA],dx



but if you don't want to use AOB, and want to directly hack the 'Game.CreateGameInstance+105C0D' address, go to the 'View' Menu and unckeck 'Show Module Addresses', the exact address will be shown, then, in C++ use WriteProcessMemory function, with the address shown, and the bytes of the hack.
Back to top
View user's profile Send private message
vmv
Cheater
Reputation: 0

Joined: 29 Jun 2013
Posts: 32

PostPosted: Sun Jun 30, 2013 4:47 am    Post subject: Reply with quote

For c++ i have this:
Code:
   DWORD dllBase        = ModuleBaseAddress(dwPid, _T("Game.dll"));
   DWORD newAddress     = dllBase + 0x2DD5CC7D; // this is the address shown after unchecking "show module addresses"
   int value;
   if(!ReadProcessMemory (hProcess, (BYTE*)newAddress, &value, sizeof(value), NULL))
   cout << "error: failed to read the memory\n";   else cout << "value found: " << value << "\n";


It is returning: "error: failed to read the memory"...i think the address is incomplete Neutral.

For AOB scan, what code should i write here: "//Now put your new instruction or hack here" ?

It is better to use asm in c++ or not ?
Thank you,
Back to top
View user's profile Send private message
TsTg
Master Cheater
Reputation: 5

Joined: 12 Dec 2012
Posts: 340
Location: Somewhere....

PostPosted: Sun Jun 30, 2013 5:06 am    Post subject: Reply with quote

Quote:
It is returning: "error: failed to read the memory"...i think the address is incomplete .


the address needs to be converted from an absolute value, to a relative value of your 'dllBase' value, let's say EXAMPLE: dllBase dword = 0x2DD00000, then the target address would be dllBase + 0x5CC7D, where this is the offset (0x2DD5CC7D - 0x2DD00000 = 0x5CC7D) to be shifted by, so you have to know the correct offset first,in cheat engine's menu, use 'View-->Enumerate DLLs and Symbols', then find the 'game.dll', subtract the target address from the base to get the static offset, you will need to do this just once.


Quote:
For AOB scan, what code should i write here: "//Now put your new instruction or hack here" ?


I meant that you put the new assembly instruction to be replaced by cheat engine for you


Quote:
It is better to use asm in c++ or not ?


Just choose the easier for you Smile
Back to top
View user's profile Send private message
vmv
Cheater
Reputation: 0

Joined: 29 Jun 2013
Posts: 32

PostPosted: Sun Jun 30, 2013 5:33 am    Post subject: Reply with quote

Should be :

DWORD newAddress = dllBase + 0x17CC7D;


I'm getting some weird big number after this....

Code:
   DWORD dllBase        = ModuleBaseAddress(dwPid, _T("Game.dll"));
    DWORD newAddress     = dllBase + 0x17CC7D;
    DWORD value;
   ReadProcessMemory (hProcess, (LPCVOID)newAddress, &value, sizeof(value), NULL);
   cout << "value found: " << value << "\n";


Value found : 3935340902 (hex : EA908966).



gamedll_cr.jpg
 Description:
 Filesize:  38.08 KB
 Viewed:  13690 Time(s)

gamedll_cr.jpg


Back to top
View user's profile Send private message
TsTg
Master Cheater
Reputation: 5

Joined: 12 Dec 2012
Posts: 340
Location: Somewhere....

PostPosted: Sun Jun 30, 2013 6:27 am    Post subject: Reply with quote

Ok the read value is correct, the  (hex : 0xEA908966). value is the reverse order of the first 4 bytes of the mov [eax+000004ea],dx instruction, the instruction bytes are 66 89 90 EA 04 00 00

Now you can modify the bytes the same way, but Using WriteProcessMemory function
Back to top
View user's profile Send private message
vmv
Cheater
Reputation: 0

Joined: 29 Jun 2013
Posts: 32

PostPosted: Sun Jun 30, 2013 6:52 am    Post subject: Reply with quote

Code:
    DWORD dllbase        = ModuleBaseAddress(dwPid, _T("Game.dll"));
    DWORD newAddress     = dllbase + 0x17CC7D;

   DWORD value;
   int newValue = 900;

   ReadProcessMemory (hProc, (void*)newAddress, &value, sizeof(value), NULL);
   cout << "value found: " << value << "\n";

   WriteProcessMemory (hProc, (void*)newAddress, &newValue, sizeof(newValue), NULL);



The game is crashing because i think i only change the address not the value of that address , ex: 000004ea.
In CE, Memory view, if i change my weapon in game, nothing changes there where is this address: "Game.CreateGameInstance+105C0D - 66 89 90 EA040000 - mov [eax+000004EA],dx ""working address"""

I tried this many times and always the same crash.

The code is maybe wrong, and i need to write something else instead.


edit: isn't this code only reads the address and not his value ?
I need to add something to read the value of this final address and then to write /change the value ... no ?


edit 2 :

I'm trying to understand what is what Smile :

Code:
int _tmain(int argc, _TCHAR* argv[]) {
   
   HWND hwnd            = FindWindow (0, _T("AION Client"));
   DWORD dwPid          ; GetWindowThreadProcessId (hwnd, &dwPid);
   HANDLE hProcess      = OpenProcess (PROCESS_ALL_ACCESS, FALSE, dwPid);
   DWORD dllbase        = ModuleBaseAddress(dwPid, _T("Game.dll")); //  hex: 2D 7E 00 00 "Game.dll" Base Address
   DWORD BaseAddress    = dllbase + 0x17CC7D; //  "Game.dll" + 0x17CC7D = 2D 95 CC 7D
   DWORD BytesToRead;
   DWORD Buffer;

   ReadProcessMemory (hProcess, (LPCVOID)BaseAddress, &Buffer, sizeof(DWORD), &BytesToRead);

   BytesToRead += 0x0;  // default to read is 4 bytes -->>> what is this reading, what value ?!

   cout << "value found (BytesRead): "   << BytesToRead << "\n";    //   hex: 4
   cout << "value found (Buffer): "      << Buffer << "\n";        //   hex: EA 90 89 66 (3935340902)
   cout << "value found (BaseAddress): " << BaseAddress << "\n";  //   hex: 2D 95 CC 7D (764791933)
   cout << "value found (dllbase): "     << dllbase << "\n";     //   hex: 2D 7E 00 00 (763232256)

   CloseHandle(hProcess);
   cin.get();
   return 0;
}


What is missing from here to read the value from in game status ?

Thank you,
Back to top
View user's profile Send private message
TsTg
Master Cheater
Reputation: 5

Joined: 12 Dec 2012
Posts: 340
Location: Somewhere....

PostPosted: Sun Jun 30, 2013 9:13 pm    Post subject: Reply with quote

Quote:
I tried this many times and always the same crash.


The game crashes because you edited ONLY THE FIRST 4 BYTES of the instruction, while the instruction bytes are 7, (So you need to another call to WriteProcessMemory),

let's say i want to nop this instruction, read this code carefully:

Code:
    DWORD dllbase        = ModuleBaseAddress(dwPid, _T("Game.dll"));
    DWORD newAddress     = dllbase + 0x17CC7D;

   DWORD value;
   int newValue = 0x90909090;      //Means 4 NOPs (0x90 byte)


   WriteProcessMemory (hProc, (void*)newAddress, &newValue, sizeof(newValue), NULL);         //This modifies 4 bytes from 0x2D95CC7D to 0x2D95CC80

   WriteProcessMemory (hProc, (void*)newAddress+4, &newValue, 3, NULL);         //This modifies 3 bytes from 0x2D95CC81 to 0x2D95CC83



the code above modifies the 7 bytes to be all 0x90, take care of any instruction of how much bytes you need to edit , or game will mostly crash.


--And to restore the original bytes, use the same code, but modifying only the bytes value as following:

Code:
    DWORD dllbase        = ModuleBaseAddress(dwPid, _T("Game.dll"));
    DWORD newAddress     = dllbase + 0x17CC7D;

   DWORD value;
   int newValue = 0xEA908966;      //The reverse order of 66 89 90 EA, remember ?


   WriteProcessMemory (hProc, (void*)newAddress, &newValue, sizeof(newValue), NULL);         //This modifies 4 bytes from 0x2D95CC7D to 0x2D95CC80

newValue = 0x000004     //The reverse order of the next bytes: 04 00 00

   WriteProcessMemory (hProc, (void*)newAddress+4, &newValue, 3, NULL);         //This modifies 3 bytes from 0x2D95CC81 to 0x2D95CC83





Quote:
edit: isn't this code only reads the address and not his value ?
I need to add something to read the value of this final address and then to write /change the value


Yes the instruction bytes are the read data returned, not what [eax+4ea] contains, you can modify the value inside by modifying
the instruction itself (without the need to read), you want to set the value to 900,right ?, then the instruction can be converted to mov [eax+000004EA],00000384
, but this instruction requires 10 bytes (while you have only 7)


so the new code should be:

mov [eax+000004EA],00000384 //the bytes are C7 80 EA 04 00 00 84 03 00 00
mov esp,ebp
pop ebp
ret 08

and if you want to add other extra code or read the value inside, you need an empty space (codecave), or just allocate memory then write a jmp to there


Quote:

BytesToRead += 0x0; // default to read is 4 bytes -->>> what is this reading, what value ?!


BytesToRead is the actual number of bytes read, this is an output value and just for indication the operation went ok.
Back to top
View user's profile Send private message
vmv
Cheater
Reputation: 0

Joined: 29 Jun 2013
Posts: 32

PostPosted: Mon Jul 01, 2013 3:15 am    Post subject: Reply with quote

Now i'm more confused then ever Smile

Code:
   DWORD Value;
   int newValue = 0x90909090;

    WriteProcessMemory (hProc, (void*)newAddress, &newValue, sizeof(newValue), NULL);
    WriteProcessMemory (hProc, (void*)(newAddress + 4), &newValue, 3, NULL);


What is happening now, the game is not crashing anymore, and every time i change the map (dynamic address is changing to) i get the last value for my weapon.
Now, the thing is that there are 2 weapons value, 900 & 1200, and when i start the program, the last value is remembered, this means the weapon that needs value 900 will operate at 1200, slow motion practically.
After this:
""int newValue = 0x90909090;"" (i understand that this is making the address to do nothing anymore) ... can i put a value that i need ?
Because this part i can't understand it right now,.
I am changing the base address to do nothing, and to keep the last registered value but how to add my value in that code...without crashing the game?
For example if want to have all the time 1200 value or 900.... later i maybe need to put some key-binds for this values to change them on the fly...but later Smile


I'm happy now that i finally understand a bit of this Very Happy, and is really complicated for a novice.
I didn't wanted to ask on forum for this because i was confident i will learn and understand from tuts and video....man, i was so very wrong Smile.
Back to top
View user's profile Send private message
TsTg
Master Cheater
Reputation: 5

Joined: 12 Dec 2012
Posts: 340
Location: Somewhere....

PostPosted: Mon Jul 01, 2013 4:45 am    Post subject: Reply with quote

Yes that's possible to add code to modify it, but you need to allocate an empty memory space (or find one already exists), write your modification code in it, then redirect excution to there, see the following code:

Code:
int MyMemory = 0;


MyMemory = VirtualAllocEx(hProc,NULL,0x1000,0x1000,0x40);   
//Allocate empty memory, if MyMemory value returns zero, then allocation failed




//Now we will take our code cave begin at MyMemory+4, then write this in MyMemory address (this is for indirect jump or in asm: JMP DWORD [XXXXXXXX])

newValue = MyMemory+4
WriteProcessMemory (hProc, (void*)MyMemory, &newValue, sizeof(newValue), NULL);


//Now write the code cave that does the hack desired
//mov [eax+000004EA],00000384  //use (00000384 for 900, or 000004B0 for 1200)
//mov esp,ebp
//pop ebp
//ret 08

//C7 80 EA 04 00 00 84 03 00 00 8B E5 5D C2 08 00


    newValue = 0x04EA80C7;
    WriteProcessMemory (hProc, (void*)MyMemory+4, &newValue, sizeof(newValue), NULL);

    newValue = 0x03840000;    //For 1200, use this: newValue = 0x04B00000;
    WriteProcessMemory (hProc, (void*)MyMemory+8, &newValue, sizeof(newValue), NULL);

    newValue = 0xE58B0000;
    WriteProcessMemory (hProc, (void*)MyMemory+12, &newValue, sizeof(newValue), NULL);

    newValue = 0x0008C25D;
    WriteProcessMemory (hProc, (void*)MyMemory+16, &newValue, sizeof(newValue), NULL);


//Codecave finished, redirect code from Game.CreateGameInstance+105C0D
    newValue = 0x25FF;    //bytes required for the JMP DWORD [XXXXXXX] instruction
    WriteProcessMemory (hProc, (void*)newAddress, &newValue, 2, NULL);

    newValue = MyMemory;    //complete the instruction to jump to what's inside MyMemory = MyMemory+4 = code cave start
    WriteProcessMemory (hProc, (void*)newAddress+2, &newValue, 4, NULL);



--to disable the hack, only this code is required, also delete the allocated memory using VirtualFreeEx function

,then restore original bytes at Game.CreateGameInstance+105C0D:

Code:

   int newValue = 0xEA908966;
   WriteProcessMemory (hProc, (void*)newAddress, &newValue, sizeof(newValue), NULL); 

   newValue = 0x000004
   WriteProcessMemory (hProc, (void*)newAddress+4, &newValue, 3, NULL);
Back to top
View user's profile Send private message
vmv
Cheater
Reputation: 0

Joined: 29 Jun 2013
Posts: 32

PostPosted: Mon Jul 01, 2013 7:34 am    Post subject: Reply with quote

Is getting harder and harder to understand Sad....

Code:

     DWORD dllBase        = ModuleBaseAddress(dwPid, _T("Game.dll"));
     DWORD newAddress     = dllBase + 0x17CC7D;
 
   int newValue = 0x90909090;
   WriteProcessMemory (hProc, (void*)newAddress, &newValue, sizeof(newValue), NULL);
    WriteProcessMemory (hProc, (void*)(newAddress + 4), &newValue, 3, NULL);

   int MyMemory = 0;

    MyMemory = VirtualAllocEx (hProc, NULL, 0x1000, 0x1000, 0x40); // here is an error, "a value of type  LPVOID cannot be assigned to an entity tipe of int."

    newValue = MyMemory + 4;
    WriteProcessMemory (hProc, (void*)MyMemory, &newValue, sizeof(newValue), NULL);

    newValue = 0x04EA80C7;
    WriteProcessMemory (hProc, (void*)(MyMemory +4 ),  &newValue, sizeof(newValue), NULL);

    newValue = 0x04B00000;
    WriteProcessMemory (hProc, (void*)(MyMemory +8 ),  &newValue, sizeof(newValue), NULL);

    newValue = 0xE58B0000;
    WriteProcessMemory (hProc, (void*)(MyMemory +12 ), &newValue, sizeof(newValue), NULL);

    newValue = 0x0008C25D;
    WriteProcessMemory (hProc, (void*)(MyMemory +16 ), &newValue, sizeof(newValue), NULL);
 
    newValue = 0x25FF;
    WriteProcessMemory (hProc, (void*)newAddress, &newValue, 2, NULL);

    newValue = MyMemory;
    WriteProcessMemory (hProc, (void*)(newAddress + 2), &newValue, 4, NULL);

   CloseHandle(hProc);
   cin.get();
   return 0;
}



With this code the game is crashing again.... Maybe i put it wrong.
I have to read this code over and over again to understand it.

You calculated this values based on my first post ?

Thank you,
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25806
Location: The netherlands

PostPosted: Mon Jul 01, 2013 8:48 am    Post subject: Reply with quote

why write in blocks of 4 bytes ?
Why don't you first preallocate all the memory in an array, then fill in that array with the bytes, and then write that array with writeprocessmemory ?

Also, to add to confusion (or to make it clearer)

When a context switch happens after
Code:

    newValue = 0x25FF;
    WriteProcessMemory (hProc, (void*)newAddress, &newValue, 2, NULL);

but before
Code:

    newValue = MyMemory;
    WriteProcessMemory (hProc, (void*)(newAddress + 2), &newValue, 4, NULL);

and the game's thread executes the code at dllBase + 0x17CC7D

Then it will see FF 25 followed by some random bytes, so jumps to the address those random bytes make up, and crash

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
vmv
Cheater
Reputation: 0

Joined: 29 Jun 2013
Posts: 32

PostPosted: Mon Jul 01, 2013 10:40 am    Post subject: Reply with quote

Dark Byte wrote:
why write in blocks of 4 bytes ?
Why don't you first preallocate all the memory in an array, then fill in that array with the bytes, and then write that array with writeprocessmemory ?

Also, to add to confusion (or to make it clearer)

When a context switch happens after
Code:

    newValue = 0x25FF;
    WriteProcessMemory (hProc, (void*)newAddress, &newValue, 2, NULL);

but before
Code:

    newValue = MyMemory;
    WriteProcessMemory (hProc, (void*)(newAddress + 2), &newValue, 4, NULL);

and the game's thread executes the code at dllBase + 0x17CC7D

Then it will see FF 25 followed by some random bytes, so jumps to the address those random bytes make up, and crash



Can you be more specific, ... i just read some codecave tutorials and for me it's still hard to comprehend.
It's a function like this to cover all the addresses :
Code:
  for(int c = 0; c < newAddress; c++) {   if(c == 4) {
   WriteProcessMemory.............


And how can i fix this problem : newValue = 0x25FF; ? I can understand a bit of what you said with jumping to this address and crash.

Thank you,
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25806
Location: The netherlands

PostPosted: Mon Jul 01, 2013 12:11 pm    Post subject: Reply with quote

Not a for loop, just on call to WriteProcessMemory that writes all the bytes at once
That also fixes the other thing

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
TsTg
Master Cheater
Reputation: 5

Joined: 12 Dec 2012
Posts: 340
Location: Somewhere....

PostPosted: Mon Jul 01, 2013 5:43 pm    Post subject: Reply with quote

Quote:

MyMemory = VirtualAllocEx (hProc, NULL, 0x1000, 0x1000, 0x40); // here is an error, "a value of type LPVOID cannot be assigned to an entity tipe of int."



Sorry, the syntax of VirtualAllocEx is this:

LPVOID WINAPI VirtualAllocEx(
_In_ HANDLE hProcess, //Process Handle
_In_opt_ LPVOID lpAddress, //Set to NULL
_In_ SIZE_T dwSize, //Allocation size, use 0x1000
_In_ DWORD flAllocationType, //,MEM_COMMIT|MEM_RESERVE
_In_ DWORD flProtect //use 0x40 for PAGE_EXECUTE_READWRITE
);

the return value is the allocation base address, or 0 if failed.

also, set DWORD MyMemory instead of int MyMemory, i guess that should be:
Code:
DWORD MyMemory = 0;
LPVOID MyMemory = VirtualAllocEx (hProc, NULL, 0x1000, ,MEM_COMMIT|MEM_RESERVE, 0x40);


Quote:
You calculated this values based on my first post ?

yes
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking All times are GMT - 6 Hours
Goto page 1, 2, 3, 4  Next
Page 1 of 4

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites