root426 Newbie cheater
Reputation: 0
Joined: 09 Feb 2010 Posts: 22
Posted: Mon Jul 29, 2013 7:12 am Post subject: [Question] THREADSTACK0 - what is this?

As you can read from the subject, I found a pointer (CE did, thanks Dark Byte) and it's showing "THREADSTACK0"-00000974. I know I need to get the virtual address of THREADSTACK0, but I don't know how to do it. I used ReadProcessMemory/WriteProcessMemory, I got handles etc. (everything is okay). But I don't know what THREADSTACK is. Is it a module or a thread? How can I get its virtual address?
root426 Newbie cheater
Reputation: 0
Joined: 09 Feb 2010 Posts: 22
Posted: Wed Jul 31, 2013 9:19 am Post subject:

Guys, I can give caps if you want.

Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25796 Location: The netherlands
Posted: Wed Jul 31, 2013 11:39 am Post subject:

THREADSTACK0 is a special symbol that Cheat Engine defines internally when opening a process.
You can just use it like that in your address list without any problems, so it's not really needed to convert it to a virtual address.
But if you wish to code your own trainer in your own language it may be a bit tricky, but I'll try to explain.
First, you can go to the address of "THREADSTACK0" in the hexview, and it will show you the exact address.
On Windows XP this will often be the same address every time, but on Windows Vista and later that is not the case.
What Cheat Engine does to find this is to get the TebBaseAddress of the specific thread, then get the second pointer from that structure, which contains the stack top (+4 in a 32-bit target, +8 in a 64-bit target).
The TebBasePointer can be obtained using NtQueryInformationThread with ThreadBasicInformation (if it's a 64-bit process, or you're on 32-bit Windows),
or,
in 32-bit targets on 64-bit Windows, get the FS base address by using Wow64GetThreadSelectorEntry.
Since Vista+ the stack top has some random padding, so after the thread top has been obtained, scan for a direct or indirect reference to ExitThread (since every thread has a call to ExitThread eventually if it returns often enough),
and use that as a base for stack-relative addresses.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
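The procedure Dark Byte lays out above (TEB, second pointer = NT_TIB.StackBase, then a scan of the stack top for a reference into kernel32), worked through in C as an added example. This is not Cheat Engine's own code and none of it is from the thread. Assumptions: the scan accepts any pointer into the kernel32.dll address range, which covers both the address of ExitThread itself and the return address of the kernel32 thread-start stub that will call it; the caller supplies that range (for instance from EnumProcessModulesEx plus GetModuleInformation on the target), and THREADSTACK0 is taken to be the first thread of the target as returned by a Toolhelp thread snapshot. The stack snapshot in demo_find and the kernel32 range 0x76E80000..0x76F70000 are constructed for the demo, not taken from a real process. The Windows-only part (NtQueryInformationThread / Wow64GetThreadSelectorEntry / ReadProcessMemory) sits under #ifdef _WIN32; the scan and the offset arithmetic are portable.

```c
/* Added example, not Cheat Engine's code: resolve a THREADSTACKn base as
 * described in the post: TEB -> NT_TIB.StackBase (second pointer) -> scan the
 * top page of the stack for a return address into kernel32.dll. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Scan a copy of the top of a thread's stack from the highest slot downwards and
 * return the remote address of the first slot whose value lies inside
 * [mod_start, mod_end), i.e. the slot that refers into kernel32 (assumption: any
 * kernel32 pointer counts). snapshot_base is the remote address of snapshot[0]. */
uint64_t find_threadstack_base(const uint8_t *snapshot, size_t len,
                               uint64_t snapshot_base, unsigned ptrsize,
                               uint64_t mod_start, uint64_t mod_end)
{
    if (ptrsize != 4 && ptrsize != 8) return 0;
    for (size_t off = (len / ptrsize) * ptrsize; off >= ptrsize; off -= ptrsize) {
        size_t slot = off - ptrsize;
        uint64_t v = 0;
        for (unsigned b = 0; b < ptrsize; b++)          /* little-endian x86 */
            v |= (uint64_t)snapshot[slot + b] << (8 * b);
        if (v >= mod_start && v < mod_end)
            return snapshot_base + slot;
    }
    return 0;                                            /* nothing matched */
}

/* "THREADSTACK0-00000974": CE subtracts the offset from the stack base; the
 * pointer value is then read from the resulting address. */
uint64_t resolve_threadstack_expr(uint64_t base, uint64_t offset)
{
    return base - offset;
}

/* Constructed sample, not a real dump: 32 bytes at remote 0x0019FFE0 of a
 * 32-bit target whose kernel32 is assumed to occupy 0x76E80000..0x76F70000. */
uint64_t demo_find(void)
{
    uint8_t snap[32] = {0};
    const uint8_t k32_low[4] = {0x11, 0x10, 0xE8, 0x76}; /* 0x76E81011: kernel32, deeper */
    const uint8_t k32_top[4] = {0x29, 0xFA, 0xE9, 0x76}; /* 0x76E9FA29: kernel32, highest -> 0x0019FFF8 */
    const uint8_t img_ret[4] = {0x00, 0x10, 0x40, 0x00}; /* 0x00401000: game image, skipped */
    memcpy(snap + 16, k32_low, 4);
    memcpy(snap + 24, k32_top, 4);
    memcpy(snap + 28, img_ret, 4);
    return find_threadstack_base(snap, sizeof snap, 0x0019FFE0ULL, 4,
                                 0x76E80000ULL, 0x76F70000ULL);
}

#ifdef _WIN32
#include <windows.h>
typedef struct {                 /* THREAD_BASIC_INFORMATION layout */
    LONG ExitStatus; PVOID TebBaseAddress; PVOID UniqueProcess; PVOID UniqueThread;
    ULONG_PTR AffinityMask; LONG Priority; LONG BasePriority;
} TBI;
typedef LONG (NTAPI *NtQIT_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* TEB address of a thread opened with THREAD_QUERY_INFORMATION|THREAD_GET_CONTEXT:
 * native threads via ThreadBasicInformation (class 0); a 32-bit thread seen from
 * a 64-bit trainer via the base of its FS segment. */
static uint64_t teb_address(HANDLE hThread, int target_is_wow64)
{
    if (target_is_wow64) {
        WOW64_CONTEXT ctx; WOW64_LDT_ENTRY e;
        ctx.ContextFlags = WOW64_CONTEXT_SEGMENTS;
        if (!Wow64GetThreadContext(hThread, &ctx) ||
            !Wow64GetThreadSelectorEntry(hThread, ctx.SegFs, &e))
            return 0;
        return (uint64_t)e.BaseLow | ((uint64_t)e.HighWord.Bytes.BaseMid << 16) |
               ((uint64_t)e.HighWord.Bytes.BaseHi << 24);
    }
    NtQIT_t NtQIT = (NtQIT_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                            "NtQueryInformationThread");
    TBI tbi; ULONG got = 0;
    if (!NtQIT || NtQIT(hThread, 0, &tbi, sizeof tbi, &got) != 0) return 0;
    return (uint64_t)(ULONG_PTR)tbi.TebBaseAddress;
}

/* THREADSTACKn for one thread of hProc; k32_start/k32_end come from the target's
 * module list (e.g. EnumProcessModulesEx + GetModuleInformation). */
uint64_t threadstack_base(HANDLE hProc, HANDLE hThread, int target_is_wow64,
                          uint64_t k32_start, uint64_t k32_end)
{
    unsigned ptrsize = target_is_wow64 ? 4 : (unsigned)sizeof(void *);
    uint64_t teb = teb_address(hThread, target_is_wow64), top = 0;
    uint8_t page[4096]; SIZE_T n = 0;
    if (!teb || !ReadProcessMemory(hProc, (LPCVOID)(ULONG_PTR)(teb + ptrsize),
                                   &top, ptrsize, &n))   /* NT_TIB.StackBase */
        return 0;
    if (!ReadProcessMemory(hProc, (LPCVOID)(ULONG_PTR)(top - sizeof page),
                           page, sizeof page, &n))
        return 0;
    return find_threadstack_base(page, sizeof page, top - sizeof page, ptrsize,
                                 k32_start, k32_end);
}
#endif
```

To use it from a trainer: enumerate the target's threads with CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD), keep the entries whose th32OwnerProcessID matches, OpenThread the first one, call threadstack_base, then read ptrsize bytes at resolve_threadstack_expr(base, 0x974) to get the pointer CE shows for "THREADSTACK0"-00000974. The scan starts at the highest slot so the random padding Vista+ adds below StackBase is skipped, and a thread whose top page holds no kernel32 pointer yields 0 rather than a bogus base.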
root426 Newbie cheater
Reputation: 0
Joined: 09 Feb 2010 Posts: 22
Posted: Wed Jul 31, 2013 1:03 pm Post subject:

Thanks Dark Byte. I wanted to create a trainer in CE but it doesn't work (probably it can't attach to the right process, because of the 2x same process "FlashPlayerPlugin" in the process list).
Yeah, I wanted to create my own trainer with C#. I got the right process (handles etc...). I'm listing threads, but I can see just one thread.
Well... after this information I need to work harder to understand this.
And again, thanks Dark Byte.
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25796 Location: The netherlands
Posted: Wed Jul 31, 2013 2:43 pm Post subject:

You can target the 2nd Flash Player plugin, but then you'll have to rewrite some parts of the autogenerated Lua code (get the process list, go through it and open the other Flash Player).
Also, since it's Flash, pointers are VERY system dependent (a lot of people have slightly different Flash versions, or Firefox, which might launch the plugin slightly differently).