Cheat Engine The Official Site of Cheat Engine

Paprikaskrumpli Cheater
Reputation: 0
Joined: 19 Dec 2020 Posts: 29
Posted: Sat Dec 19, 2020 6:05 am Post subject: Find a variable whose address changes when the value changes

Last night I was thinking about the following:
Let's say I have, for example, a variable named A with value N.
Each second A's value changes (for the sake of simplicity, it always increases).
But when A's value changes, A's address also changes. The old address gets discarded/overwritten/deleted, you tell me. A is now at a new address.
How could you possibly find A's address?
The program can find it obviously, because it has the pointer to it, but in order for us to find the pointer to A, we have to find A in the first place.
Please read the following code to fully understand what I mean by this:
Code:
#include <iostream>
#include <windows.h> // Sleep
using namespace std;

int main() {
    int* p = new int;       // p is the pointer to A
    *p = 100;
    while (1) {
        cout << "A: " << *p << endl; // print A's value
        int* t = new int;   // reallocate A
        *t = (*p) + 1;
        delete p;           // the old address is discarded
        p = t;
        Sleep(1000);        // sleeps for 1 second
    }
    return 0;
}
Thoughts:
You know A's value is N. You quickly press first scan, and scan for exact value N. You get a bunch of results, and one of them is the correct address of A, but not for long.
A's value changes, and A's address changes.
You press next scan with the new value, but get faulty (or no) results because:
A's current address was not in the first scan results, therefore it is still not in the second. A's old address gets discarded by CE because it did not (necessarily) increase.
In order to avoid confusion I renamed the pointer to A to p.

Last edited by Paprikaskrumpli on Sat Dec 19, 2020 10:15 am; edited 2 times in total

MMM-304 Expert Cheater
Reputation: 0
Joined: 17 Aug 2020 Posts: 170 Location: Milkey Way
Posted: Sat Dec 19, 2020 6:46 am Post subject:

First of all, if with a different value the address is different, then each address has one static value, like a constant, cuz its value never changes.
Second, things like these are implemented in all the games. For example, Instances of Mouse Hover and Instances of Item/Entity Selection all have pointers whose value(s) (which also point to another address) keep changing as you move your mouse. So the final address and final values are always different/changing. To find the static address you'll have to find the base pointer, which even if reallocated will always point to the correct address with the correct value.

Paprikaskrumpli Cheater
Reputation: 0
Joined: 19 Dec 2020 Posts: 29
Posted: Sat Dec 19, 2020 7:02 am Post subject:

MMM-304 wrote:
> First of all, if with a different value the address is different, then each address has one static value, like a constant, cuz its value never changes.

The value of the addresses is by no means static. As you can see, it is a dynamic allocation, happening on the heap. It is either the correct value that the program currently uses, or some trash that is no longer in use. If you chew through the code, you can see that the reallocation is random, and can result in an address that has already been used earlier.

MMM-304 wrote:
> Second, things like these are implemented in all the games. For example, Instances of Mouse Hover and Instances of Item/Entity Selection all have pointers whose value(s) (which also point to another address) keep changing as you move your mouse. So the final address and final values are always different/changing. To find the static address you'll have to find the base pointer, which even if reallocated will always point to the correct address with the correct value.

It is obvious that if you find the correct pointer path you can always find/access the right memory address, the right value. But in order to find that path, you will need to find the right address in the first place, and then run a pointer scan on that address.
Please explain further, so I can be sure that I understand the point you are making here.

Csimbi I post too much
Reputation: 98
Joined: 14 Jul 2007 Posts: 3347
Posted: Sat Dec 19, 2020 9:13 am Post subject: Re: Find a variable whose address changes when the value changes

Paprikaskrumpli wrote:
> How could you possibly find A's address?

You don't look for the value.
You look for a pointer.
In your code, 'A' did not change. It's still 100 and it is still at the same location.
Paprikaskrumpli - lol

MMM-304 Expert Cheater
Reputation: 0
Joined: 17 Aug 2020 Posts: 170 Location: Milkey Way
Posted: Sat Dec 19, 2020 9:29 am Post subject:

Paprikaskrumpli wrote:
> The value of the addresses is by no means static.

Value only changes when written. Unless the address is deallocated or the value is written, the address has a static value.

Paprikaskrumpli wrote:
> It is obvious that if you find the correct pointer path you can always find/access the right memory address, the right value. But in order to find that path, you will need to find the right address in the first place, and then run a pointer scan on that address.

Search for changed/unchanged value. You will find an address whose value is the Address/Base Address/Base Pointer (if the structure is small) of your current value.

Paprikaskrumpli Cheater
Reputation: 0
Joined: 19 Dec 2020 Posts: 29
Posted: Sat Dec 19, 2020 9:43 am Post subject: Re: Find a variable whose address changes when the value changes

Csimbi wrote:
> Paprikaskrumpli wrote:
> > How could you possibly find A's address?
>
> You don't look for the value.
> You look for a pointer.
> In your code, 'A' did not change. It's still 100 and it is still at the same location.
> Paprikaskrumpli - lol

Well, A's value has to change, I add 1 to it every iteration. And its location also has to change, since it gets copied elsewhere in the memory, and the previous location gets deallocated after the copy.
How would you go about looking for a pointer to an address, when you don't have the address to point to?
----
MMM-304 wrote:
> Value only changes when written. Unless the address is deallocated or the value is written, the address has a static value.

The address IS deallocated and the value of A is changing at each new allocation.

MMM-304 wrote:
> Search for changed/unchanged value. You will find an address whose value is the Address/Base Address/Base Pointer (if the structure is small) of your current value.

You can't search for changed/unchanged value, because the address is not in the result pool of the current scan, or won't be in the next scan.

MMM-304 Expert Cheater
Reputation: 0
Joined: 17 Aug 2020 Posts: 170 Location: Milkey Way
Posted: Sat Dec 19, 2020 9:58 am Post subject: Re: Find a variable whose address changes when the value changes

Csimbi wrote:
> You don't look for the value.
> You look for a pointer.
> In your code, 'A' did not change. It's still 100 and it is still at the same

This is what I am saying.

Paprikaskrumpli wrote:
> You can't search for changed/unchanged value, because the address is not in the result pool of the current scan, or won't be in the next scan.

You cannot because clearly you did not read this:

Quote:
> you will find an address whose value is the Address/Base Address/Base Pointer (if the structure is small) of your current value.

Anyone else who scans for an address (which is also a value of some other address which is not changing *pointer*).

ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4725
Posted: Sat Dec 19, 2020 11:42 am Post subject:

Paprikaskrumpli wrote:
> How could you possibly find A's address?

Unknown initial value scan, changed/unchanged to find the pointer (i.e. p or t). If the memory allocator reuses the same memory for this value, then it's possible this could fail.
The pointer scanner has facilities to scan for values, not addresses, IIRC. I'm pretty sure I used this on an old AS1/2 flash game that reallocated memory every time a value was written to - exactly the scenario you're describing. (In theory, this might fail too on a race condition between reallocation and pointermap generation, but that's far more unlikely.)
Scanning for code (i.e. ultimap / code filter) would certainly work but requires far more knowledge.
Once you have the pointer, add it to the cheat table as a pointer and you always have the address of the value.

Paprikaskrumpli wrote:
> in order for us to find the pointer to A, we have to find A in the first place.

It's easier to find a pointer if you know what address it points to, but that's by no means required.

Paprikaskrumpli wrote:
> The address IS deallocated and the value of A is changing at each new allocation.
> ...
> You can't search for changed/unchanged value, because the address is not in the result pool of the current scan, or won't be in the next scan.

MMM-304 is talking about a pointer, not the value. The value itself certainly won't be in the same place for long, but the pointers to the value don't change their addresses at all.
_________________
I don't know where I'm going, but I'll figure it out when I get there.

Paprikaskrumpli Cheater
Reputation: 0
Joined: 19 Dec 2020 Posts: 29
Posted: Sat Dec 19, 2020 12:05 pm Post subject:

ParkourPenguin wrote:
> Paprikaskrumpli wrote:
> > How could you possibly find A's address?
>
> Unknown initial value scan, changed/unchanged to find the pointer (i.e. p or t). If the memory allocator reuses the same memory for this value, then it's possible this could fail.
> The pointer scanner has facilities to scan for values, not addresses, IIRC. I'm pretty sure I used this on an old AS1/2 flash game that reallocated memory every time a value was written to - exactly the scenario you're describing. (In theory, this might fail too on a race condition between reallocation and pointermap generation, but that's far more unlikely.)
> Scanning for code (i.e. ultimap / code filter) would certainly work but requires far more knowledge.
> Once you have the pointer, add it to the cheat table as a pointer and you always have the address of the value.
>
> Paprikaskrumpli wrote:
> > in order for us to find the pointer to A, we have to find A in the first place.
>
> It's easier to find a pointer if you know what address it points to, but that's by no means required.
>
> Paprikaskrumpli wrote:
> > The address IS deallocated and the value of A is changing at each new allocation.
> > ...
> > You can't search for changed/unchanged value, because the address is not in the result pool of the current scan, or won't be in the next scan.
>
> MMM-304 is talking about a pointer, not the value. The value itself certainly won't be in the same place for long, but the pointers to the value don't change their addresses at all.

Thank you, this makes sense. This solidifies my ideas about solving the problem.

OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Sat Dec 19, 2020 7:46 pm Post subject:

ParkourPenguin wrote:
> If the memory allocator reuses the same memory for this value, then it's possible this could fail.

Then it's 90% guaranteed to be a process heap address.
So GetProcessHeap, or find it in the PEB at offset 18h.
Query the size of the heap and manually search there.
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
> i am a sweetheart.

ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4725
Posted: Sat Dec 19, 2020 8:11 pm Post subject:

OldCheatEngineUser wrote:
> Then it's 90% guaranteed to be a process heap address.
> So GetProcessHeap, or find it in the PEB at offset 18h.
> Query the size of the heap and manually search there.

I don't know what you're trying to say, but here's an example of what I meant:
Say every time a value changes, its address changes:
Code:
// c++
#include <cstdio>

// Move the value into a freshly allocated block holding *p + i,
// then free the old block: every update relocates the value.
void add(int *&p, int i) {
    int *p2 = new int(0);
    *p2 = *p + i;
    delete p;
    p = p2;
}

int main() {
    int *p = new int(1);
    std::printf("%p : %d\n", (void *)p, *p);
    add(p, 5);
    std::printf("%p : %d\n", (void *)p, *p);
    add(p, 7);
    std::printf("%p : %d\n", (void *)p, *p);
    return 0;
}
// Output:
// 0xf19eb0 : 1
// 0xf1aee0 : 6
// 0xf19eb0 : 13

Notice how the first and third allocations have the same address. The second allocation has a different address because the first allocation hasn't been freed yet. By the time the third allocation happens, the first allocation has been freed, and it can be used again.
If the value changes twice and gets the same address, a changed value scan would filter out the correct pointer.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
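To make the scanning argument from ParkourPenguin's two posts in this thread concrete (an exact-value scan loses A once it is copied; an unknown-initial-value scan followed by changed/unchanged scans recovers the pointer slot instead; allocator reuse can make that pointer look unchanged), here is an added C++ simulation. It is not code from the thread or from Cheat Engine: the 64-cell "process memory", the LIFO free-list allocator SimHeap, the Target with its pointer slot kPtrSlot and decoy cells, and the Scanner with its first/next scans are all constructed for this example, and the allocator only models the reuse pattern visible in the printed addresses in ParkourPenguin's output, not any particular CRT heap.

```cpp
// Added example (not the thread's or Cheat Engine's code): simulated memory,
// a LIFO free-list allocator, the OP's self-relocating value A, and a
// first/next scanner in the style of Cheat Engine's value scans.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <set>
#include <vector>

constexpr std::size_t kCells = 64;   // simulated memory: 64 pointer-sized cells
constexpr std::size_t kPtrSlot = 3;  // static cell holding p, the address of A (assumption)
using Mem = std::vector<std::uint64_t>;

// Assumption: the heap hands back the most recently freed block first (LIFO).
struct SimHeap {
    std::size_t next = 16;  // cells 0..15 stand in for the static/module region
    std::vector<std::size_t> freeList;
    std::size_t alloc() {
        if (!freeList.empty()) { std::size_t a = freeList.back(); freeList.pop_back(); return a; }
        return next++;
    }
    void release(std::size_t a) { freeList.push_back(a); }  // a freed cell keeps its stale value
};

// The target program: A starts at 100 and is copied into a fresh block on every tick.
struct Target {
    Mem mem = Mem(kCells, 0);
    SimHeap heap;
    Target() {
        std::size_t a = heap.alloc();
        mem[a] = 100;
        mem[kPtrSlot] = a;
        mem[5] = 100;  // decoy: an unrelated cell that also holds 100
        mem[7] = 40;   // decoy: a counter that changes every tick but is not a pointer
    }
    void tick() {  // one iteration of the OP's loop
        std::size_t old = mem[kPtrSlot];
        std::size_t fresh = heap.alloc();
        mem[fresh] = mem[old] + 1;
        heap.release(old);
        mem[kPtrSlot] = fresh;
        mem[7] += 1;
    }
    std::uint64_t valueOfA() const { return mem[mem[kPtrSlot]]; }
};

// Scanner over the simulated cells: first scan builds the result pool, next scans shrink it.
struct Scanner {
    std::set<std::size_t> hits;
    Mem snap;
    void firstScanUnknown(const Mem& m) { snap = m; for (std::size_t i = 0; i < m.size(); ++i) hits.insert(i); }
    void firstScanExact(const Mem& m, std::uint64_t v) { snap = m; for (std::size_t i = 0; i < m.size(); ++i) if (m[i] == v) hits.insert(i); }
    void nextScanExact(const Mem& m, std::uint64_t v) { keep([&](std::size_t i) { return m[i] == v; }); snap = m; }
    void nextScanChanged(const Mem& m) { keep([&](std::size_t i) { return m[i] != snap[i]; }); snap = m; }
    void nextScanUnchanged(const Mem& m) { keep([&](std::size_t i) { return m[i] == snap[i]; }); snap = m; }
    // Pointer filter: keep cells whose content is a valid address of a cell holding v.
    void keepPointingTo(const Mem& m, std::uint64_t v) { keep([&](std::size_t i) { return m[i] < m.size() && m[m[i]] == v; }); }
    template <class Pred> void keep(Pred ok) {
        for (auto it = hits.begin(); it != hits.end();) { if (ok(*it)) ++it; else it = hits.erase(it); }
    }
};

// 1. The OP's attempt: exact scan for N, then next scan for N+1. True if A's current
//    address is missing from the result pool (the first scan never contained it).
bool exactValueScanLosesA() {
    Target t; Scanner s;
    s.firstScanExact(t.mem, 100);  // pool: A's first block and the decoy cell 5
    t.tick();                      // A (101) now lives in a block the pool never had
    s.nextScanExact(t.mem, 101);
    return s.hits.count(t.mem[kPtrSlot]) == 0;
}

// 2. Unknown initial value, changed after each tick, unchanged with no tick, then a
//    pointer filter. Returns the single survivor, which should be the pointer slot p.
std::size_t pointerScanFindsSlot() {
    Target t; Scanner s;
    s.firstScanUnknown(t.mem);
    t.tick(); s.nextScanChanged(t.mem);     // survivors: p, the new block, the decoy counter
    t.tick(); s.nextScanChanged(t.mem);     // the old block is stale again and drops out
    s.nextScanUnchanged(t.mem);             // nothing ticked, so a live pointer must be stable
    s.keepPointingTo(t.mem, t.valueOfA());  // only cells that address the current A survive
    return s.hits.size() == 1 ? *s.hits.begin() : kCells;
}

// 3. ParkourPenguin's caveat: snapshot, let A move twice, scan for changed. The block
//    was reused, so p holds the same address as before and the changed scan drops it.
bool reuseHidesPointer() {
    Target t; Scanner s;
    t.tick();                  // A is in the second block; the first is on the free list
    s.firstScanUnknown(t.mem);
    t.tick(); t.tick();        // second -> first -> second: p ends exactly where it started
    s.nextScanChanged(t.mem);
    return s.hits.count(kPtrSlot) == 0;
}

int main() {
    std::printf("exact value scan loses A: %s\n", exactValueScanLosesA() ? "yes" : "no");
    std::printf("pointer scan survivor: cell %zu (p lives in cell %zu)\n", pointerScanFindsSlot(), kPtrSlot);
    std::printf("reuse hides p from changed scan: %s\n", reuseHidesPointer() ? "yes" : "no");
    return 0;
}
```

The third check is the failure mode a changed scan cannot tell apart from an ordinary stable cell, which is why alternating changed and unchanged scans over several ticks, plus a pointer filter such as keepPointingTo that dereferences each candidate against the current value, narrows the pool more reliably than a single changed scan.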
OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Sat Dec 19, 2020 8:32 pm Post subject:

ParkourPenguin wrote:
> and it can be used again.

Because it resides in the process heap, and searching the process heap will give you the address.
Here is your modified code:
Code:
#include <cstdio>
#include <cstdlib>   // system
#include <Windows.h>

MEMORY_BASIC_INFORMATION mbi;

void add(int *&p, int i) {
    int *p2 = new int(0);
    *p2 = *p + i;
    delete p;
    p = p2;
}

int main() {
    // The process heap handle is used here as the base address of the heap region.
    HANDLE hHeap = GetProcessHeap();
    VirtualQuery(hHeap, &mbi, sizeof(mbi));
    // %p and %zX stay correct on 64-bit builds, where a DWORD cast would truncate.
    std::printf("Base Address: %p\nSize: %zX\nLast Address: %p\n",
                (void *)hHeap, mbi.RegionSize,
                (void *)((BYTE *)hHeap + mbi.RegionSize - 1));
    int *p = new int(1);
    std::printf("%p : %d\n", (void *)p, *p);
    add(p, 5);
    std::printf("%p : %d\n", (void *)p, *p);
    add(p, 7);
    std::printf("%p : %d\n", (void *)p, *p);
    system("pause");
    return 0;
}

Please note that the size will eventually grow (not always, but most likely), so whatever size is returned by VirtualQuery may be smaller.
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
> i am a sweetheart.