kot1990 Expert Cheater
Reputation: 1
Joined: 06 Sep 2009 Posts: 131 Location: Greece
Posted: Sun Nov 29, 2009 1:06 pm. Post subject: Help to find an address please...
Hello, I have an issue with finding an address in a client program. The client connects to a server, and if the client is connected it displays the string "connected"; otherwise it displays "No Connection". I found those strings in the executable with CE. Then I found what accesses the address of that string, and it shows 3 asm instructions (probably the Windows API display function), but I don't need to know how the string is displayed. I want to find what makes this string display: what calls the display function and passes it the string parameter. Like:
If (conn == 0) //I need the conn!!!
display("No Connection");
else
display("Active");
Please help!!
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Sun Nov 29, 2009 1:16 pm
Look for a reference to the string. Most likely somewhere there is an instruction such as:
push x
where x is a pointer to the string. The code above that will be what you are looking for.
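As an added example of the reference hunt described above (my code, not Slugsnack's or anything from the original thread): the Python below builds a small constructed x86 image containing a "No Connection" string, then scans it for every 4-byte little-endian occurrence of the string's virtual address and classifies each hit by the opcode in front of it (push imm32, mov r32, imm32, or a bare data pointer). The 0x00400000 base, the offsets and the assumption that file offset equals RVA are all constructed for the demo. On a packed binary like the one in this thread the plaintext string only exists in memory, so the same scan would be run over a dump of the live process rather than over the file on disk.

```python
import struct

# Assumption (not from the post): the image is mapped at the 0x00400000 base
# kot1990 observed, with file offset == RVA, so VA = IMAGE_BASE + offset.
IMAGE_BASE = 0x00400000
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # B8+r encodings


def build_sample_image():
    """Constructed sample, not a real client: a string plus code that references it."""
    image = bytearray(0x3000)
    string_off = 0x2000
    image[string_off:string_off + 14] = b"No Connection\x00"
    string_va = IMAGE_BASE + string_off
    code = (
        b"\x6a\x00"                                  # push 0
        + b"\x68" + struct.pack("<I", string_va)     # push offset "No Connection"
        + b"\xe8\x00\x00\x00\x00"                    # call <display> (rel32 left 0)
        + b"\xb9" + struct.pack("<I", string_va)     # mov ecx, offset "No Connection"
        + b"\xc3"                                    # ret
    )
    code_off = 0x1000
    image[code_off:code_off + len(code)] = code
    # Decoy: the same pointer stored as data (a table entry), not as an immediate.
    image[0x2800:0x2804] = struct.pack("<I", string_va)
    return bytes(image)


def find_string(image, text):
    """Return the offset of a NUL-terminated ANSI string, or -1 if it is absent."""
    return image.find(text.encode("ascii") + b"\x00")


def find_references(image, target_va):
    """Every 4-byte occurrence of target_va, classified by the opcode byte before it.

    Returns (instruction_offset, kind) pairs; for a plain data pointer the
    offset is that of the pointer itself.
    """
    needle = struct.pack("<I", target_va)
    refs = []
    pos = image.find(needle)
    while pos != -1:
        op = image[pos - 1] if pos > 0 else None
        if op == 0x68:
            refs.append((pos - 1, "push imm32"))
        elif op is not None and 0xB8 <= op <= 0xBF:
            refs.append((pos - 1, "mov %s, imm32" % REG32[op - 0xB8]))
        else:
            refs.append((pos, "data pointer"))
        pos = image.find(needle, pos + 1)
    return refs


if __name__ == "__main__":
    img = build_sample_image()
    off = find_string(img, "No Connection")
    print("string at offset 0x%x (VA 0x%08x)" % (off, IMAGE_BASE + off))
    for insn_off, kind in find_references(img, IMAGE_BASE + off):
        print("  0x%08x  %s" % (IMAGE_BASE + insn_off, kind))
```

The push and mov hits are the "code above that" Slugsnack means: disassemble backwards from them to find the compare that chose this string over the other one. The data-pointer hit is the case CE's "find what accesses" also catches, a string table read through a register, which is what the `mov ebx,[eax+12]` kot1990 saw looks like.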
kot1990 Expert Cheater
Reputation: 1
Joined: 06 Sep 2009 Posts: 131 Location: Greece
Posted: Sun Nov 29, 2009 1:26 pm
I found that the function called is named RtlUnicodeToMultiByteN; how can I find what called that function? I found that the function is inside the module ntdll. I didn't find any push, but there is a reference like mov ebx, [eax+12]; eax+12 <-- this one has the address of the string being shown. It seems that the program starts at 0x00400000, but when debugging the only addresses I find in the registers at the calling moment are below 0x00400000. I think that I cannot find what called that function, please help. I cannot use a debugger like Olly or W32Dasm because it seems the exe is something like encrypted and I can't see any instructions or imports there, so the only way is at run time. I need instructions on how to find the caller with CE.
Edit: Because the program is a kind of package with some encryption, is there a way to copy the binary from memory at run time and save it to an executable file???
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Jani Grandmaster Cheater
Reputation: 2
Joined: 29 Dec 2006 Posts: 804
Posted: Mon Nov 30, 2009 12:45 pm
kot1990 wrote:
> Edit: Because the program is a kind of package with some encryption, is there a way to copy the binary from memory at run time and save it to an executable file???
It's called unpacking. Find the name of the packer and Google for tutorials.
kot1990 Expert Cheater
Reputation: 1
Joined: 06 Sep 2009 Posts: 131 Location: Greece
Posted: Mon Nov 30, 2009 9:00 pm
Well, I found another solution. I want to create a code cave and check if the value of the register points to the "No connection" string. The moment the client accesses the "No connection" string after unknown execution, the eax register contains the starting address of the string. I know how to create the code cave but don't clearly understand what to write. I think I need a conditional jump, jump if equal, something like this. I need to check if eax contains the address of "No connection", and if it's true then write the value 1 to a byte... like in my position:
if (eax == 004A3352)
{
write the value 0x01 to the byte located at 003F0010.
}
With that byte enabled I will ReadProcessMemory() from my external program to check if there is "No connection". Of course I will WriteProcessMemory() the code cave itself first. Oh, and I need a little help to allocate a little memory unused by the client to create the code cave in; I don't know any functions, maybe AllocateProcessMemory()? I have no idea xD. If there's a better way please tell me; I have spent more than 20 hours trying to find what causes eax to take that value, but with no luck. I got stuck on an interrupt like this one:
int 2b while debugging, and after that I couldn't see anything executing, and eax magically turned to that address. Thx.
Edit: LOL, I found an easier way. I guessed that the client already has this value somewhere as a boolean. I connected and disconnected the client 5-6 times and searched in memory till only 4 values remained. These 4 bytes turned to 1 when there was a connection and to 0 when there was no connection. I tried that up to 20 times and it's true, LOL LOL LOL again!! Solved
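An added example (my code, not kot1990's and not Cheat Engine's) of what the cave described in the post above would contain, written as a Python encoder that emits the x86-32 machine code rather than as an assembly listing: the cave saves EFLAGS, compares eax with the string address, sets the flag byte on a match, restores EFLAGS, re-executes the instructions displaced by the hook jmp, and jumps back. The addresses 0x004A3352 and 0x003F0010 are the ones from the post; the hook address 0x00401234, the cave address 0x00600000 and the five displaced bytes are constructed values. It assumes the displaced bytes are whole instructions with no EIP-relative operands, since they are copied verbatim. The cave memory itself is obtained in the target process with VirtualAllocEx (PAGE_EXECUTE_READWRITE) and both buffers are written with WriteProcessMemory; those calls are not shown here.

```python
import struct

# Addresses named in the post:
STRING_VA = 0x004A3352   # "No connection" string the client loads into eax
FLAG_VA = 0x003F0010     # byte the cave sets to 1 on a match


def rel32(src_va, dst_va, insn_len=5):
    """Displacement for a 5-byte E9 jmp located at src_va that must land on dst_va."""
    return struct.pack("<i", dst_va - (src_va + insn_len))


def build_cave(hook_va, displaced, cave_va, string_va=STRING_VA, flag_va=FLAG_VA):
    """Return (cave_bytes, hook_patch).

    displaced: the original instruction bytes at hook_va that the jmp overwrites.
    They must be complete instructions (>= 5 bytes) with no EIP-relative
    operands, because they are re-executed unchanged inside the cave.
    """
    if len(displaced) < 5:
        raise ValueError("need at least 5 displaced bytes for the jmp patch")
    set_flag = b"\xc6\x05" + struct.pack("<I", flag_va) + b"\x01"  # mov byte ptr [flag_va], 1
    cave = (
        b"\x9c"                                      # pushfd (cmp clobbers EFLAGS)
        + b"\x3d" + struct.pack("<I", string_va)     # cmp eax, string_va
        + b"\x75" + bytes([len(set_flag)])           # jne skip
        + set_flag                                   # flag = 1
        + b"\x9d"                                    # skip: popfd
        + displaced                                  # original instructions
    )
    cave += b"\xe9" + rel32(cave_va + len(cave), hook_va + len(displaced))  # jmp back
    # 5-byte jmp to the cave, padded with nops if more than 5 bytes were displaced.
    patch = b"\xe9" + rel32(hook_va, cave_va) + b"\x90" * (len(displaced) - 5)
    return cave, patch


def jmp_target(insn_va, insn_bytes):
    """Decode a 5-byte E9 rel32 jmp located at insn_va and return its destination."""
    if len(insn_bytes) != 5 or insn_bytes[0] != 0xE9:
        raise ValueError("not a 5-byte E9 jmp")
    return insn_va + 5 + struct.unpack("<i", insn_bytes[1:])[0]


if __name__ == "__main__":
    # Constructed hook site: mov ebx,[eax+0xc] ; mov eax,[eax]  (5 bytes, no rel operands)
    cave, patch = build_cave(0x00401234, b"\x8b\x58\x0c\x8b\x00", 0x00600000)
    print("cave  @ 0x00600000:", cave.hex())
    print("patch @ 0x00401234:", patch.hex())
```

Two caveats a practitioner would add: the hook must be placed on an instruction where eax already holds the pointer and before it is overwritten, and on a packed client the patch has to go in after the unpacker has written the real code, for example once the plaintext string is visible in memory, or the unpacker will overwrite the hook.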
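The connect/disconnect narrowing from the edit above, as an added example that is not part of the original post: a Python simulation of CE's exact-value byte scan followed by repeated "next scan"s over constructed 64-byte snapshots. The layout (a real flag at 0x10, a constant, a counter, and a look-alike that stops following after three toggles) is made up for the demo. The point it shows is that a candidate has to match on every snapshot, which is why one connect/disconnect pair still leaves false positives and the repeated cycles kot1990 describes were needed.

```python
def make_snapshot(step, state):
    """Constructed 64-byte page as seen on the step-th toggle of the client.
    state is 1 while connected and 0 while not (the value typed into the scan)."""
    mem = bytearray(64)
    mem[0x08] = 1                          # a constant 1: survives the first scan only
    mem[0x10] = state                      # the real connection flag
    mem[0x20] = (step + 1) & 0xFF          # a counter that happens to be 1 on the first scan
    mem[0x30] = state if step < 3 else 1   # a look-alike that stops following after 3 toggles
    return bytes(mem)


def narrow(snapshots, candidates=None):
    """CE-style scan: the first snapshot is the first scan over the whole page,
    each later one is a 'next scan' that keeps only the offsets still equal to
    the expected state. Returns the surviving offsets (None candidates = all)."""
    for state, mem in snapshots:
        pool = range(len(mem)) if candidates is None else candidates
        candidates = [off for off in pool if mem[off] == state]
    return candidates


def cycle_snapshots(n):
    """Alternate connected/disconnected snapshots the way kot1990 toggled the client."""
    states = ([1, 0] * ((n + 1) // 2))[:n]
    return [(s, make_snapshot(i, s)) for i, s in enumerate(states)]


if __name__ == "__main__":
    snaps = cycle_snapshots(6)
    for k in range(1, len(snaps) + 1):
        survivors = [hex(o) for o in narrow(snaps[:k])]
        print("after %d scan(s): %s" % (k, survivors))
```

Because `narrow` accepts the previous candidate list, the same function serves as the "tried that up to 20 times" confirmation step: feed it further snapshots and check the list does not shrink any more. Anything that still flips with the state after that is what a ReadProcessMemory poll from the external program should watch.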