Memory Hacking Software

[L. Spiro]

As mentioned, emulator settings determine how the graphics data is loaded and used by the graphics card.
Differences between Software mode, DirectX, and OpenGL cause things to run differently on every computer.
The whip graphics data is being copied from the location you are modifying to a location inside the graphics card, then stored there as needed.
This is why the whip only changes colors after flush points (restarting the emulator, loading save states, etc.)
But the emulator has the option of also storing the graphics data in main memory (the thing you are modifying), which is why on some computers with some graphics modes and settings your idea is working.
If you were to distribute this mod you would have to force everyone to use the same graphics modes, which isn’t possible for some people.


L. Spiro

[esco]

Hmmmm, now I understand all that completely! Hallelujah! Well, my next question then would be is it possible to find a way to "flush" this data on command? kind of like you can do for a scanf command? In other words a way to have my code do this EVERY TIME I have the whip change color?

Aso, isn't it kind of odd how it only copies SOME of the color data, not all? SInce I can alter the red/blue/green flickering whenever I want? Yet the white and silver I can't do it for.

I'm also wondering how do I figure out WHAT aspect of my video settings is what affects this?

The alternative is I alter the temp data, which i can do.... it just won't be as pretty (due to a split second where the color would flicker) and it will take a little more work on my part. But I am willing to do it!


EDIT: Wait a minute.... there is a video setting in the emulator.... couldn't I just tell everyone to have it set the same? Hmmm... I'm gonna mess with it a bit.....

RESULT: HA HAAA! Well that last idea didn't effect squat! I figured it wouldn't but I had to try.

[Torero]

notepad.exe !



I am trying to do string search (or maybe it's another search that I need)


to find "french wine" in the notepad, how do I find it and modify it ?

[Torero]

also, I am trying to search chat window strings, any help on how i can be notified in real time when certain strings show up ?

[L. Spiro]

, my next question then would be is it possible to find a way to "flush" this data on command?

There is going to be an emulator function that does it, called at certain times when the emulator feels it is required (power-up, shut-down, etc.) based on “hardware” events, and then there are times when the “software” can do it, via the emulated commands inside the ROM when the game itself wants to load a texture/color palette for the characters it wants to display.

Since I do not have the emulator or game, I can only give you this information and let you run.

Aso, isn't it kind of odd how it only copies SOME of the color data, not all? SInce I can alter the red/blue/green flickering whenever I want? Yet the white and silver I can't do it for.

I have not seen it myself so I can only guess. It sounds as though some of the sprite objects are rendered differently.
For example, in Nintendo DS we prefer to have the main character in video RAM as often as we can and the other objects in main memory. The other objects get flushed out and swapped more often while the main character is there to stay.
So it is likely that your method would work on some objects but not others, and without being the coder of the game itself it will seem entirely random on which objects it works and which it does not.

to find "french wine" in the notepad, how do I find it and modify it ?

Use the String Search (and help file).
Once you find the value add it to the main list and you can modify it as if it were any other kind of data. Type the new string into the Current Value field.

also, I am trying to search chat window strings, any help on how i can be notified in real time when certain strings show up ?

By finding the location where the strings go, finding the code that puts the strings there, and then setting a breakpoint on that code using the Debugger/Disassembler.

In the breakpoint Callback function specify the script function with parameter 0.
Then write the script function:

Code: Select all

void On_BP_0() {
}

When that function is called in the script you know that text was written (or will be written) to the buffer and you can scan that text then for whatever you want.


L. Spiro

[Torero]

how do I learn to find the locked value later?


I can find the location, money, and chat, i think, but i don't know how to make the software knowing where it is everytime !


please give me some more hints !

[Torero]

[Chat] 12:34:48 Torero says, "H"
[Chat] 12:34:51 Torero says, "@"
[Chat] 12:35:39 Torero says, "#"
[Chat] 12:35:57 Torero says, "$"
[Chat] 12:36:24 Torero says, "%"
[Chat] 12:40:39 Torero says, "$$"


I have these in my chat window, can you give any hints how to scan these and then write a script it out put chat window content?

[Torero]

also, I am trying to search chat window strings, any help on how i can be notified in real time when certain strings show up ?

By finding the location where the strings go, finding the code that puts the strings there, and then setting a breakpoint on that code using the Debugger/Disassembler.

In the breakpoint Callback function specify the script function with parameter 0.
Then write the script function:

Code: Select all

void On_BP_0() {
}

When that function is called in the script you know that text was written (or will be written) to the buffer and you can scan that text then for whatever you want.


L. Spiro[/quote]





Does MHs currently has help fille for that assembbler/debugger?

also, do you know a good ollydbg newbie guide or a help file for your version ?

[Torero]

I have manged to find some string in the chat window and view them change as I talk to myself in the chat window in the hex editor.

what do I do next to find out the pattern of where these information would be everytime when the game boots?



please give me some hints on dbg and things I'll need.

thx !

[Torero]

I found out that in ollydbg there is a way to make minesweeper draw only one square at the time and so it's possible to find out as each square is drawn what is chagned.

I don't really understand how that works but maybe it will apply to my case, as that I am trying to find out what output to the chat window



apparently the chat messages are stored in diffferent places according to its type and origin, i think what I need to do, instead of finding out where each of those messages would be stored, (although that might turn out to be useful) I should find the process that output the messsage.


I am trying to find out more about dbg, but i ll appreciate any input.

thx !

[L. Spiro]

how do I learn to find the locked value later?


I can find the location, money, and chat, i think, but i don't know how to make the software knowing where it is everytime !

By using a complex address that follows the pointers to the final destination.

[Chat] 12:34:48 Torero says, "H"
[Chat] 12:34:51 Torero says, "@"
[Chat] 12:35:39 Torero says, "#"
[Chat] 12:35:57 Torero says, "$"
[Chat] 12:36:24 Torero says, "%"
[Chat] 12:40:39 Torero says, "$$"


I have these in my chat window, can you give any hints how to scan these and then write a script it out put chat window content?

You should probably type a longer unique string and do a simple search to find it.
“kdjhakjsdhdgeb” probably won’t be in RAM unless you type it.

Does MHs currently has help fille for that assembbler/debugger?

also, do you know a good ollydbg newbie guide or a help file for your version ?

There is no help documention for the debugger or disassembler because they are still being made.
I don’t have guides for OllyDbg because I do not use it.

apparently the chat messages are stored in diffferent places according to its type and origin, i think what I need to do, instead of finding out where each of those messages would be stored, (although that might turn out to be useful) I should find the process that output the messsage.

I told you this already.
Find the code that puts the strings into the buffer(s) and then you can write an injection to perform your own operations at those times.


エル　スパイロ

[Torero]

How do I tell which module it is in ?
In order to tell which module the found address is in, do I use a dbg ?



トレロ

[Torero]

[Chat] 12:34:48 Torero says, "H"
[Chat] 12:34:51 Torero says, "@"
[Chat] 12:35:39 Torero says, "#"
[Chat] 12:35:57 Torero says, "$"
[Chat] 12:36:24 Torero says, "%"
[Chat] 12:40:39 Torero says, "$$"



oh I found the "asfasdfasdf" string alright, however "12:34:48" , "torero says" or "torero" "says," ,


"Electra" "tells" "you" "hello"


are all stored in different places.

[Torero]

We know quite a bit now. Let’s assume we wanted to know our player’s health at any given moment.

Get the base address of lspiro.exe. That is 0x00400000 in this case.

Go to [lspiro.exe+0x2104C]. This means 0x00400000 + 0x2104C. The result is 0x0042104C.

Get the value at 0x0042104C. Let’s assume it is 0x004AE804.

Go to the address depicted by the above value. That means we are now at address 0x004AE804. This is the structbase.

Go to [structbase+offset]. Our structbase is 0x004AE804, and the offset of our health is 0x4. 0x004AE804 + 0x4 = 0x004AE808.

0x004AE808 is the address where our health is, as shown in the above diagram. And getting the value here gives us 9,999.

[L. Spiro]

How do I tell which module it is in ?
In order to tell which module the found address is in, do I use a dbg ?



トレロ

Dynamic-sized strings aren’t going to be in any module. They are on the heap.

are all stored in different places.

Complications you will have to handle.


L. Spiro