LionKing Newbie cheater
Reputation: 0
Joined: 21 Jul 2021 Posts: 16
Posted: Fri Oct 08, 2021 6:02 am Post subject: The address is fixed but the offset changes every time.
I have tried to get the static address and I found it, but although the address is fixed (that is, it does not change each time I open the game or change the level), the offset changes each time.
For example:
First try -> address = 065b6020, offset = 1E64C.
Second try -> address = 065b6020, offset = 1F5C4.
And so on...
Also, the instruction that is responsible for that address is shared between you and the enemies.
How do I solve the problem of the offset change?
Also, how do I solve the problem of the shared instruction?
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25785 Location: The netherlands
Posted: Fri Oct 08, 2021 12:04 pm Post subject:
maybe it's a multilevel pointer
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
LionKing Newbie cheater
Reputation: 0
Joined: 21 Jul 2021 Posts: 16
Posted: Fri Oct 08, 2021 1:11 pm Post subject:
Dark Byte wrote: maybe it's a multilevel pointer

Unfortunately, that address is the last one, it doesn't point to anything after that.
Instruction:
Code:
06CBCBB8 - mov [ebx+06976020],eax
Registers:
Code:
EAX=000003E4
EBX=0001F5C4
ragnaroks Newbie cheater
Reputation: 1
Joined: 30 Aug 2021 Posts: 13
Posted: Fri Oct 08, 2021 7:27 pm Post subject:
Code:
alloc(newmem,128)
label(return)
label(newmem)
label(target_address)
registersymbol(target_address)

06CBCBB8:
jmp newmem
nop // jmp is 5 bytes, the replaced mov is 6: pad so return lands on the next instruction
return:

newmem:
mov [ebx+06976020],eax // original instruction
push eax
mov eax,065b6020 //address
add eax,ebx //address+offset
mov [target_address],eax
pop eax
jmp return

target_address:
DB 00 00 00 00
then you can use the symbol `target_address` in your table
LionKing Newbie cheater
Reputation: 0
Joined: 21 Jul 2021 Posts: 16
Posted: Mon Oct 11, 2021 1:14 pm Post subject:
ragnaroks wrote:
Code:
alloc(newmem,128)
label(return)
label(newmem)
label(target_address)
registersymbol(target_address)

06CBCBB8:
jmp newmem
nop // jmp is 5 bytes, the replaced mov is 6: pad so return lands on the next instruction
return:

newmem:
mov [ebx+06976020],eax // original instruction
push eax
mov eax,065b6020 //address
add eax,ebx //address+offset
mov [target_address],eax
pop eax
jmp return

target_address:
DB 00 00 00 00

then you can use the symbol `target_address` in your table
Unfortunately, it doesn't work as expected (The instruction is shared between me and the enemies).
ragnaroks Newbie cheater
Reputation: 1
Joined: 30 Aug 2021 Posts: 13
Posted: Tue Oct 12, 2021 1:26 am Post subject:
You can find a lot of videos on YouTube about dealing with shared code.
Here is an example for DeathlyStillness, which is a free Steam game:
Code:
{$STRICT}
[ENABLE]
assert(DeathlyStillness-Win64-Shipping.exe+29BF2E2,89 06 48 8B 74 24 48)
alloc(cheat1_code,192,DeathlyStillness-Win64-Shipping.exe)
registersymbol(cheat1_code)
label(return)
label(default)
label(process_address)
label(magize)
label(ammo)
label(cheat1_store1)
label(cheat1_store2)
label(cheat1_setting1)
label(cheat1_setting2)
registersymbol(cheat1_setting1)
registersymbol(cheat1_setting2)
DeathlyStillness-Win64-Shipping.exe+29BF2E2:
jmp cheat1_code
nop 2
return:
cheat1_code:
pushfq
cmp byte ptr [cheat1_setting1],01
je magize
cmp byte ptr [cheat1_setting2],01
je ammo
jmp process_address
magize:
cmp rsi,[cheat1_store1]
jne process_address
popfq
mov [rsi],1F
mov rsi,[rsp+48]
jmp return
ammo:
cmp rsi,[cheat1_store2]
jne process_address
popfq
mov [rsi],258
mov rsi,[rsp+48]
jmp return
process_address:
push rax
push rbx
mov rax,[rbp-48]
mov rbx,DeathlyStillness-Win64-Shipping.exe+10370B1
cmp rax,rbx
pop rbx
pop rax
jne default
push rax
mov rax,rsi
mov [cheat1_store1],rax
sub rax,1DC
mov [cheat1_store2],rax
pop rax
default:
popfq
mov [rsi],eax
mov rsi,[rsp+48]
jmp return
// magize address
cheat1_store1:
DB 00 00 00 00 00 00 00 00
// ammo address
cheat1_store2:
DB 00 00 00 00 00 00 00 00
// magize setting
cheat1_setting1:
DB 00
// ammo setting
cheat1_setting2:
DB 00
[DISABLE]
DeathlyStillness-Win64-Shipping.exe+29BF2E2:
DB 89 06 48 8B 74 24 48
unregistersymbol(*)
dealloc(*)
LionKing Newbie cheater
Reputation: 0
Joined: 21 Jul 2021 Posts: 16
Posted: Wed Oct 13, 2021 12:28 pm Post subject:
Thank you, but that way is inefficient because most of the values that lie in the offsets are not constant (constantly changing).
LF2005 Newbie cheater
Reputation: 0
Joined: 03 Apr 2014 Posts: 16
Posted: Thu Oct 14, 2021 11:31 am Post subject:
LionKing wrote:
Dark Byte wrote: maybe it's a multilevel pointer

Unfortunately, that address is the last one, it doesn't point to anything after that.
Instruction:
Code:
06CBCBB8 - mov [ebx+06976020],eax
Registers:
Code:
EAX=000003E4
EBX=0001F5C4

Pretty sure you are looking at the wrong piece of code; 06976020 is obviously an address.
You should find a register plus an offset, not a register plus an address.
If you used the function "find what writes" and that's the only result, then you have no choice but to use "find what accesses".
It is best to map results. If you get a pointer address plus its offset, you need to make a few logic checks.
1. The offset can't be too big.
2. If you get an address + an offset, then you can't get the same address + a different offset later on.
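An added example, not from the thread, applying LF2005's two logic checks to a constructed list of (base, offset) observations that starts with LionKing's own numbers from the opening post; the 0x1000 offset bound and the extra observations are assumptions made for the example, and the second helper encodes LF2005's point that a displacement the size of an address means the register is an index, not a pointer.

```python
from collections import defaultdict

MAX_OFFSET = 0x1000  # assumed upper bound for a field offset inside one structure

# Constructed observations as (base, offset) hex strings, noted down from several
# "find what accesses" sessions. The first two are LionKing's numbers from the
# opening post; the rest are made up for the example.
OBSERVATIONS = [
    ("065b6020", "1E64C"),  # first run
    ("065b6020", "1F5C4"),  # second run: same base, different offset
    ("0A1F3C40", "0C"),     # plausible struct pointer: small, stable offset
    ("0A1F3C40", "0C"),
    ("0C000000", "20000"),  # seen once, but the offset is far too big
]


def check_pointer_candidates(observations, max_offset=MAX_OFFSET):
    """Map each candidate base to 'ok' or the reason LF2005's checks reject it.
    Rule 1: an offset above max_offset is not a field offset.
    Rule 2: one base seen with different offsets is an array base being indexed
            by the register, not a struct pointer."""
    offsets_by_base = defaultdict(set)
    for base, off in observations:
        offsets_by_base[int(base, 16)].add(int(off, 16))
    verdicts = {}
    for base, offs in offsets_by_base.items():
        if len(offs) > 1:
            seen = ", ".join("%#x" % o for o in sorted(offs))
            verdicts[base] = "rejected: same base with different offsets (%s)" % seen
        elif max(offs) > max_offset:
            verdicts[base] = "rejected: offset %#x is too large" % max(offs)
        else:
            verdicts[base] = "ok"
    return verdicts


def base_of_operand(displacement, max_offset=MAX_OFFSET):
    """For a [reg+disp] operand, say which part is the base address.
    mov [ebx+06976020],eax with EBX=0001F5C4: the displacement is address-sized,
    so the array lives at 06976020 and EBX is only an index into it."""
    if displacement > max_offset:
        return "displacement"  # register is an index; nothing to pointer-scan here
    return "register"          # register holds a struct pointer, disp is a field offset


if __name__ == "__main__":
    for base, verdict in sorted(check_pointer_candidates(OBSERVATIONS).items()):
        print("%#010x -> %s" % (base, verdict))
    print("[ebx+06976020] base is the", base_of_operand(0x06976020))
```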