Ecoste Newbie cheater
Reputation: 0
Joined: 25 Jun 2012 Posts: 10
Posted: Tue Mar 24, 2015 11:49 am Post subject: Finding pointer.
The weekly pointer thread is here!
Anyway, I'm trying to find a pointer in CSGO. The address that I'm trying to find a pointer for holds an integer that dictates whether I can shoot or not (to make an autoshoot).
Nevertheless, that isn't the point of this thread. So, let me dive right in, and tell you what I tried so far and my understanding of everything to see if I got anything gravely wrong.
The address that I want to find I will call 'address X'.
1. Pointer scanning & Multi-pointers
At first, I did a pointer scan for address X with max 4 levels and max 2k offset. I restarted the game, found address X again and re-scanned the list with the new address X. No cigar.
So, then I looked at what accesses address X. There were a bunch (6), and all of them were only called when I shot. They all had the same offset [register + 0x60] (the register was ESI in most cases). So, I searched for the [register] value with byte4 and 'hex' checked. CE gave me a couple of results, but none of them were static. I put all of the results in my address list, and took a look at what accesses each one. None of them had any offset values, so that was of no help. I also searched for each of the addresses with CE, just like I did with the [register] value. That also didn't work. So, then I decided to pointer scan every single one of the addresses. A bunch of pointers came up for each one. So, I restarted the game and found address X. I then re-scanned every single list that I got to see if they point to the value of address X, which was '1'. No cigar there either.
2. Discovery of signature scanning.
So, I was pretty lost at that point and went deep into the interwebs to find the answer. I found something called 'pattern scanning', which seems cool, but I'm pretty sure I'm misunderstanding what it's supposed to be used for.
Anyway, I went into OLLYDBG and put a conditional breakpoint on each of the addresses which contain the instructions that access address X. It worked as expected; it broke whenever ESI was address X - 0x60.
But, let's focus on one instruction.
0x8000 | 8B4E 60 > MOV ECX, DWORD PTR DS:[ESI+60].
Well, it's no mystery what it does. It will move the 4 bytes of data starting at [ADDRESS X] into ECX. And I need to get my address X!
So, let's assume I find 0x8000 through signature scanning.
3. What now?
I thought of different ways to utilize that instruction. But, I thought of one useless way which -
Inject a DLL so we're in the virtual memory space of the process, allocate memory for a pointer (8 bytes on my PC), and then change that instruction to something like MOV pointerToAddressX, DWORD PTR DS:ESI+60 | Obviously, overwriting code is baaaaa-baaaaad, and ESI + 0x60 only contains the needed address when I shoot.
The other idea was to signature scan for address X in .data, but that wouldn't work unless there are some static values around it.
-----------------------------------------------------------------------------
So, where should I go from now? I'm pretty lost and pretty noob at this, and I'm pretty sure signature scanning isn't intended to be used here.
Anyway, thanks for taking the time to read.