Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Pointer with two offsets c# app

 
SHadSW
How do I cheat?
Reputation: 0

Joined: 22 Nov 2020
Posts: 3

Posted: Sun Nov 22, 2020 4:53 pm    Post subject: Pointer with two offsets c# app

Soo... I've created a simple C# WinForms app with a var of the type double that is generated randomly. Now I've tried to create a trainer for that app using Cheat Engine to find the pointers for the variables.
Finding the address is not a problem, but when I try to find what accessed this address I get 4 options to find the offset: Two of them are always "copy memory", one is "store double" and one is "load floating point value".
Both "store double" and "load floating point value" always have the offset 14C and they always have the same base address (the ba changes when I restart the app).
On the other hand, the two "copy memory" have different offsets:
One of them has always 04 as offset and the other one has 08 as offset.
Example for all 4 "options":

store double: 04C93812 - fstp qword ptr [eax+0000014C]
load floating point value: 04C93D6C - fld qword ptr [eax+0000014C]
copy memory1: 67A61A24 - mov [ecx+esi+08],eax
copy memory2: 67A61A1D - mov [ecx+esi+04],eax

From another forum post I've learned that for the copy memory either ecx can be the ba or esi, the offset needs to be calculated from the rest.
I've already done pointerscans for 14C, 150 and the other values, but the pointerscans just give me outputs like no pointers, big amount of threadstack pointers and one or two times I've seen pointers with two offsets not threadstack.

The pointerscans with 2 offset gave me hope and I tried to do multiple pointerscans (level 8, struct 8192) but the results were no pointers at all...
Am I doing something wrong or is there a possibility that some games don't have pointers?
I am relatively new to coding I would say and my program is pretty simple, I don't use things like VAMemory yet.

Even with simple vars like ints I couldn't get a good pointerscan either.
Are there just situations where you get two offsets to work with?
I'm really out of ideas now and idk what to do anymore...

Thanks for your help in advance and sorry for my bad English
ParkourPenguin
I post too much
Reputation: 90

Joined: 06 Jul 2014
Posts: 2878

Posted: Sun Nov 22, 2020 5:35 pm

If you defined that value local to a function, it's going to be stored locally in the stack. There won't be any reliable pointer path from the exe to that value unless you make one yourself. (e.g. define a static pointer that points to that value)

In my experience mov instructions with low offsets ( < 0x20 ) sometimes operate on generic data with no regard to the structure the value is encapsulated within. As such, they likely won't be relevant to finding pointer paths, and you should ignore them in the presence of other instructions more particular to that value type. Several floating point instructions using the same larger offset is a textbook example.

The two moves use different offsets because they each move the top/bottom halves of the double.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
SHadSW
How do I cheat?
Reputation: 0

Joined: 22 Nov 2020
Posts: 3

Posted: Mon Nov 23, 2020 2:48 am

Hey ParkourPenguin,

thanks for your quick reply. I declared the double as public double and it is given its value in a public void using Random class.
What did you mean by "If you defined that value local to a function"?
Did you mean whether the double is declared as local/private or did you mean giving the double its value in a function?
Either way, if it would be located in the stack, is it possible to read this data with another program?
Thanks in advance for your help and I'm sorry for being a bother.
The thing is,
I don't know where I'm going, but I'll figure it out when I get there.
ParkourPenguin
I post too much
Reputation: 90

Joined: 06 Jul 2014
Posts: 2878

Posted: Mon Nov 23, 2020 12:00 pm

I'm not familiar with C#, but take this C code for example:
Code:
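double s;                /* global (static): stored in the exe */

struct Foo {
  char space[80];
  double d;              /* member at offset 80 inside a Foo */
};

struct Foo *p;           /* static pointer: usable as a base address */

int main(void) {
  double l;              /* local: stored in the thread's stack */
  struct Foo f;          /* local: stored in the thread's stack */
  p = &f;                /* static pointer now points at the stack object */

  return 0;
}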

Variables declared outside any functions are global, also known as static in other contexts including CE. These are stored in the .exe generated by the compiler. The double s is an example. Since it's static, there's usually no reason to find a pointer path to these values.

Variables declared in a function are local to that function. They're stored in the thread's stack. The double l and the Foo object f are examples. While these values are temporal and only live for as long as the function call lasts, the first few function calls of a program will tend to live as long as the program itself lives - equate to static variables. As such, the first little bit of memory in a thread's stack can be treated as if it's static.

In order for the pointer scanner to find some path from the exe to a variable, there has to be a static pointer in the exe that acts as a base address. In this case, the pointer p is static (declared outside any function) and is initialized to point to the Foo object f. If you do a pointer scan for the double d inside f, it will find two good pointer paths: one with a threadstack base address and the other with a base address in the exe. Doing a pointerscan for l should only result in a threadstack base address since there is no static variable that stores a pointer to l. Note that the pointer scanner might still find a path from p since f and l are located so close to each other in the stack.

If you want to find the threadstack base yourself, see:
CEF post by DB explaining the process
CE source showing the process

_________________
I don't know where I'm going, but I'll figure it out when I get there.
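The pointer path described in the post above, as an added example in C that is not part of the original thread: a program walks a two-offset path from a static base to a double held in a stack object, inside its own process. `struct Holder`, `g_holder`, `FOO_D_PATH`, `resolve_path` and `path_reaches_field` are hypothetical names introduced here, and the value 3.5 is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct Foo { char space[80]; double d; };       /* layout from the post */
struct Holder { int id; struct Foo *foo; };     /* hypothetical extra level */

static struct Holder *g_holder;  /* static base, playing the role of p */

/* Two offsets: Holder.foo first, then Foo.d (80). */
static const size_t FOO_D_PATH[2] = {
    offsetof(struct Holder, foo), offsetof(struct Foo, d)
};

/* Read the pointer stored at base, then add each offset, dereferencing
 * after every offset except the last. NULL if a link in the chain is null. */
static void *resolve_path(const void *base, const size_t *offsets, size_t n)
{
    uintptr_t addr;
    memcpy(&addr, base, sizeof addr);
    for (size_t i = 0; i < n; i++) {
        if (addr == 0)
            return NULL;
        addr += offsets[i];
        if (i + 1 < n)
            memcpy(&addr, (const void *)addr, sizeof addr);
    }
    return (void *)addr;
}

/* Returns 1 when the path from the static base lands on stack-resident f.d. */
static int path_reaches_field(void)
{
    struct Foo f;                      /* local: thread stack */
    struct Holder h = { 1, &f };       /* local: thread stack */
    memset(&f, 0, sizeof f);
    f.d = 3.5;                         /* constructed sample value */
    g_holder = &h;                     /* the only static link to f */
    double *hit = resolve_path(&g_holder, FOO_D_PATH, 2);
    int ok = (hit == &f.d) && (*hit == 3.5);
    g_holder = NULL;                   /* frame is ending: drop the link */
    return ok;
}

int main(void)
{
    printf("path reaches f.d: %d\n", path_reaches_field());
    printf("after return: %p\n", resolve_path(&g_holder, FOO_D_PATH, 2));
    return 0;
}
```

Once the function returns and the static pointer is cleared, the same path resolves to nothing, which is the situation a scan runs into when no static variable stores a pointer to the value.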
SHadSW
How do I cheat?
Reputation: 0

Joined: 22 Nov 2020
Posts: 3

Posted: Mon Nov 23, 2020 1:13 pm

Thanks a lot for your explanation, I think I understand it now.
I'll post again when I succeed hacking my own app.