[Question]THREADSTACK0 - what is this?

 
root426
Newbie cheater
Reputation: 0

Joined: 09 Feb 2010
Posts: 23

Posted: Mon Jul 29, 2013 7:12 am

As you can read from the subject, I found a pointer (CE did, thx Dark Byte) and it's showing -"THREADSTACK0"-00000974-. I know I need to get the virtual address of THREADSTACK0, but I don't know how to do it. I used ReadProcessMemory and WriteProcessMemory, I got handles etc. (everything is okay), but I don't know what THREADSTACK is. Is it a module or a thread? How can I get its virtual address?
root426
Newbie cheater
Reputation: 0

Joined: 09 Feb 2010
Posts: 23

Posted: Wed Jul 31, 2013 9:19 am

Guys, I can give caps if you want.
Dark Byte
Site Admin
Reputation: 384

Joined: 09 May 2003
Posts: 23078
Location: The netherlands

Posted: Wed Jul 31, 2013 11:39 am

THREADSTACK0 is a special symbol that Cheat Engine defines internally when opening a process.
You can just use it like that in your address list without any problems, so it's not really necessary to convert it to a virtual address.

But if you wish to code your own trainer in your own language, it may be a bit tricky, but I'll try to explain.

First you can go to the address of "THREADSTACK0" in the hexview, and it will show you the exact address.
On Windows XP this will often be the same address every time, but on Windows Vista and later that is not the case.

What Cheat Engine does to find this is to get the TebBaseAddress of the specific thread, then get the second pointer from that structure, which contains the stack top (+4 in a 32-bit target, +8 in a 64-bit target).

The TebBasePointer can be obtained using NtQueryInformationThread with ThreadBasicInformation (if it's a 64-bit process, or you're on 32-bit Windows),
or,
in 32-bit targets on 64-bit Windows, get the FS base address by using Wow64GetThreadSelectorEntry.

Since Vista+ the stack top has some random padding, so after the thread top has been obtained, scan for a direct or indirect reference to ExitThread (since every thread has a call to ExitThread eventually if it rets often enough),
and use that as a base for stack-relative addresses.

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
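
An added example (not part of the thread and not Cheat Engine's code) of the lookup described in the reply above, run on constructed snapshots instead of a live process: it reads the stack top from the second pointer of a TEB snapshot, then walks down from the top past the padding to the first slot that points into a module range. The sample bytes, the function names and the use of an address range as the test for an ExitThread reference are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 32-bit sample data (not from a real process), little-endian. */
static const uint8_t TEB32[8] = {0x70,0xFF,0x18,0x00,  0x00,0x00,0x19,0x00};
static const uint8_t STACK32[32] = {          /* the 32 bytes below the stack top */
    0xAA,0xAA,0x91,0x75,  0,0,0,0,  0xF0,0xFF,0x18,0x00,  0x6A,0x33,0x91,0x75,
    0,0,0,0,  0x00,0x10,0x40,0x00,  0,0,0,0,  0,0,0,0 };

/* Little-endian pointer of ptr_size bytes at offset off in a memory snapshot. */
static uint64_t read_ptr(const uint8_t *buf, size_t off, size_t ptr_size) {
    uint64_t v = 0;
    for (size_t i = 0; i < ptr_size; i++) v |= (uint64_t)buf[off + i] << (8 * i);
    return v;
}

/* Stack top = second pointer of the TEB: offset +4 (32-bit) or +8 (64-bit). */
uint64_t teb_stack_top(const uint8_t *teb, size_t len, size_t ptr_size) {
    if ((ptr_size != 4 && ptr_size != 8) || len < 2 * ptr_size) return 0;
    return read_ptr(teb, ptr_size, ptr_size);
}

/* snap holds the len bytes that end at stack_top in the target. Walk down from
 * the top one slot at a time, skipping the padding, and return the target
 * address of the first slot whose value lies in [lo, hi). Returns 0 if none.
 * Assumption: [lo, hi) is the module range holding the ExitThread reference. */
uint64_t find_stack_anchor(const uint8_t *snap, size_t len, uint64_t stack_top,
                           size_t ptr_size, uint64_t lo, uint64_t hi) {
    if ((ptr_size != 4 && ptr_size != 8) || len % ptr_size || stack_top < len) return 0;
    for (size_t off = len; off >= ptr_size; off -= ptr_size) {
        uint64_t v = read_ptr(snap, off - ptr_size, ptr_size);
        if (v >= lo && v < hi) return stack_top - len + (off - ptr_size);
    }
    return 0;
}

int main(void) {
    uint64_t top = teb_stack_top(TEB32, sizeof TEB32, 4);
    uint64_t anchor = find_stack_anchor(STACK32, sizeof STACK32, top, 4,
                                        0x75900000u, 0x75A00000u); /* constructed range */
    /* A pointer shown as "THREADSTACK0"-00000974 resolves relative to the anchor. */
    printf("top=%llx anchor=%llx addr=%llx\n", (unsigned long long)top,
           (unsigned long long)anchor, (unsigned long long)(anchor - 0x974));
    return 0;
}
```

The slot at the lowest address of the sample also points into the range, but the scan stops at the match closest to the stack top.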
root426
Newbie cheater
Reputation: 0

Joined: 09 Feb 2010
Posts: 23

Posted: Wed Jul 31, 2013 1:03 pm

Thx Dark Byte. I wanted to create a trainer in CE but it doesn't work (probably can't attach to the right process, because of the 2x same process "Flashplayerplugin" in the process list).

Yeah, I wanted to create my own trainer with C#. I got the right process (handles etc...). I'm listing threads but I can see just one thread :D

Well... after this information I need to work harder to understand this. :)

And again, thx Dark Byte.
Dark Byte
Site Admin
Reputation: 384

Joined: 09 May 2003
Posts: 23078
Location: The netherlands

Posted: Wed Jul 31, 2013 2:43 pm

You can target the 2nd flashplayer plugin, but then you'll have to rewrite some parts of the autogenerated Lua code (get the process list, go through it and open the other flashplayer).

Also, since it's Flash, pointers are VERY system dependent (a lot of people have slightly different Flash versions, or Firefox which might launch the plugin slightly differently).

All times are GMT - 6 Hours