Suggestion on how to move on tracing this


Postby Aspras » Fri Mar 06, 2009 6:14 am

Hello, I am currently trying to get a static pointer to the address of mana in the game Fable: The Lost Chapters. I've tried all the other pointers, and the one I am on now is the only one that goes as deep as this using the debugger. So this is where I currently am at:

[Image: screenshot]

Is there any way to go even further using the debugger, or should I search for a pointer to the closest base address of a structure to the current pointer (in other words, do what josese did in his tutorial)?

Postby minorutono » Fri Mar 06, 2009 7:49 am

Try inputting 0x58AF1EC into your stored addresses and autohacking that.


Then in expression editor you'd put in (from what it used to be to what it is now)

Code:
[[0x58AF188(+0x0)]+0x8]+0x58

To
Code:
[[[0x58AF1EC]+(0x0)]+0x8]+0x58
User avatar
minorutono
i R t3h nUB!!111
 
Posts: 944
Joined: Thu Apr 17, 2008 10:10 am
Location: 2845 Vista Verde Way Cameron Park CA 95682

Postby WhiteHat » Fri Mar 06, 2009 12:54 pm

I’d rather go with:
Code:
[[[0x58AF040]+0x8]+0x58

... then dig deeper (auto-hack) 0x58AF040.

Anyway, “Fable, The Lost Chapters” is a good game...

Postby minorutono » Fri Mar 06, 2009 3:00 pm

WhiteHat wrote: I’d rather go with:
Code:
[[[0x58AF040]+0x8]+0x58

... then dig deeper (auto-hack) 0x58AF040.

Anyway, “Fable, The Lost Chapters” is a good game...

You opened 3 brackets and closed 2.

Postby Aspras » Fri Mar 06, 2009 8:28 pm

I had already tried [[[0x58AF1EC]+(0x0)]+0x8]+0x58 but it didn't get me anywhere. And I guess WhiteHat just mistyped that, though I believe he didn't notice the fact that 58AF040 already is in auto-hack in my screenshot.

Postby minorutono » Sat Mar 07, 2009 2:23 am

Wait a second.. So you put in Expression Editor
[0x58AF188+0x8]+0x58


Then Pointer Searched
0x58AF188


And it Returned in the Auto-Hack
0x58AF040, 0x58AF1EC.


You then autohacked 0x58AF040, and it returned [ESI], which turns out to be
0x58AF188, which is the same as you put in before? The value you got in the Expression Editor?

So, sequence of events: you got the next pointer (not pictured). You put it in the Expression Editor, found it gave the correct base addy. Took the value that you got and Pointer Searched that, took the two addys that it returns into your table (not pictured) and then autohacked the first one.

Sorry if I'm wrong, it's just hard for me to see it all in a screenshot. So much easier live.


_____

Whitehat,
Why would you put in 0x58AF040? Isn't that the value he has to Auto-Hack? Which he did, and it returned the ESI value [0x58AF188]. Shouldn't he use the ESI?

Postby Aspras » Sat Mar 07, 2009 2:38 am

You can see 2 addresses in my screenshot. The one you suggested first returns nothing when put in Auto-Hack; the one WhiteHat suggested returns what you see in the auto-hack. Anyway, I continued on with this, a lil bit of creativity along with backtracing mixed with what josese does in his tut finally brought me to this working bitch.

[[[[[[[Fable.exe+0xFB8A1C]+0x8c]+0x2*8]+0x44]+0x184]+0x30]+0x8]+0x58

I closed and restarted the game twice, also loaded different savegames while playing, and it continues to work. This is like the longest pointer I have ever found and it was damn hard too haha.

Postby minorutono » Sat Mar 07, 2009 2:40 am

Aspras wrote: You can see 2 addresses in my screenshot. The one you suggested first returns nothing when put in Auto-Hack; the one WhiteHat suggested returns what you see in the auto-hack. Anyway, I continued on with this, a lil bit of creativity along with backtracing mixed with what josese does in his tut finally brought me to this working bitch.

[[[[[[[Fable.exe+0xFB8A1C]+0x8c]+0x2*8]+0x44]+0x184]+0x30]+0x8]+0x58

I closed and restarted the game twice, also loaded different savegames while playing, and it continues to work. This is like the longest pointer I have ever found and it was damn hard too haha.


First, let me say gratz on getting the pointer.

But, jw, how'd you get to the next step? Did you mess up somewhere before the SS? Because there is nowhere in that SS telling you to do w/e value +0x30.

Postby Aspras » Sat Mar 07, 2009 2:51 am

I searched for all pointers pointing at a range of values between 58AF040-10000 and 58AF040, and I found a pointer whose pointed-to address is at a distance of 30 from 58AF040. Therefore what I found is probably a pointer that points to the base address of a data structure in which the variable at address 58AF040 lies. After that I continued by trying to find a pointer to the pointer I found earlier, etc.

I am currently working on finding a pointer to the alignment, this one's even harder :cry:

EDIT: It looks like I did something wrong when trying to find it, I had gone all the way to level 11+, reached some modules, but after I restarted none worked. Tried once more and finally found it, it's very similar to mana

[[[[[Fable.exe+0xFB8A1C]+0x8c]+0x2*8]+0x44]+0x14]+0x28

So far I have found mana, hp, exp points, alignment. Still need to find gold, renown, attractiveness, scariness. After I'm done with those I will officially release my first trainer, just need to learn some more Qt in order to give my trainer a GUI, but it shouldn't be hard at all.
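As an added example (not part of the thread, and not MHS's own code), here is a small Python evaluator for the bracket-and-offset pointer expressions used in this thread, such as the alignment and mana chains above. It walks a constructed 32-bit memory snapshot (every address and stored value below is made up for the demo, and the Fable.exe base of 0x400000 is an assumption) and records each dereference, which is the level-by-level trace that the "dig deeper" step is built from. It also rejects an expression whose brackets do not balance, the mistake discussed earlier in the thread.

```python
import re

# Constructed 32-bit memory snapshot for this example (not a real Fable dump):
# absolute address -> DWORD value stored there. The module base is assumed.
MODULES = {"Fable.exe": 0x00400000}

MEMORY = {
    0x00400000 + 0xFB8A1C: 0x01000000,  # static pointer inside Fable.exe -> object A
    0x01000000 + 0x8C:     0x02000000,  # A+0x8c   -> B
    0x02000000 + 0x10:     0x03000000,  # B+0x2*8  -> C
    0x03000000 + 0x44:     0x04000000,  # C+0x44   -> D
    0x04000000 + 0x14:     0x05000000,  # D+0x14   -> E   (alignment / renown branch)
    0x05000000 + 0x28:     500,         # E+0x28   : alignment value (constructed)
    0x05000000 + 0x78:     100,         # E+0x78   : renown value (constructed)
    0x04000000 + 0x184:    0x06000000,  # D+0x184  -> F   (mana branch)
    0x06000000 + 0x30:     0x07000000,  # F+0x30   -> G
    0x07000000 + 0x08:     0x08000000,  # G+0x8    -> H
    0x08000000 + 0x58:     2000,        # H+0x58   : mana value (constructed)
}

# Tokens: hex literal, decimal literal, module name (may contain dots), or one of [ ] + - *
TOKEN = re.compile(r"\s*(0x[0-9A-Fa-f]+|\d+|[A-Za-z_][\w.]*|[\[\]+\-*])")


def tokenize(text):
    pos, out = 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad character at {pos}: {text[pos]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


class PointerExpr:
    """Recursive-descent evaluator for MHS-style pointer expressions.

    expr  := term (('+' | '-') term)*
    term  := atom ('*' atom)*
    atom  := '[' expr ']' | hex | decimal | module
    '[x]' reads the DWORD at address x; every read is appended to self.trace.
    """

    def __init__(self, text, memory, modules):
        self.toks = tokenize(text.strip())
        self.i = 0
        self.memory = memory
        self.modules = modules
        self.trace = []  # (address read, value found) in evaluation order

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def read_dword(self, addr):
        if addr not in self.memory:
            raise LookupError(f"unmapped read at {addr:#x}")
        value = self.memory[addr]
        self.trace.append((addr, value))
        return value

    def evaluate(self):
        value = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected trailing token {self.peek()!r}")
        return value

    def expr(self):
        value = self.term()
        while self.peek() in ("+", "-"):
            if self.take() == "+":
                value += self.term()
            else:
                value -= self.term()
        return value & 0xFFFFFFFF  # 32-bit address arithmetic

    def term(self):
        value = self.atom()
        while self.peek() == "*":
            self.take()
            value *= self.atom()
        return value

    def atom(self):
        if self.peek() == "[":
            self.take("[")
            addr = self.expr()
            self.take("]")  # raises ValueError when a bracket was never closed
            return self.read_dword(addr)
        tok = self.take()
        if tok.startswith("0x"):
            return int(tok, 16)
        if tok.isdigit():
            return int(tok)
        if tok in self.modules:
            return self.modules[tok]
        raise ValueError(f"unknown symbol {tok!r}")


def resolve(text, memory=MEMORY, modules=MODULES):
    """Return (final address, list of (address, value) dereferences) for an expression."""
    p = PointerExpr(text, memory, modules)
    return p.evaluate(), p.trace


def read_value(text, memory=MEMORY, modules=MODULES):
    """Resolve the chain and read the DWORD at the address it lands on."""
    addr, _ = resolve(text, memory, modules)
    return memory[addr]


# The chains quoted in this thread
ALIGNMENT = "[[[[[Fable.exe+0xFB8A1C]+0x8c]+0x2*8]+0x44]+0x14]+0x28"
RENOWN = "[[[[[Fable.exe+0xFB8A1C]+0x8c]+0x2*8]+0x44]+0x14]+0x78"
MANA = "[[[[[[[Fable.exe+0xFB8A1C]+0x8c]+0x2*8]+0x44]+0x184]+0x30]+0x8]+0x58"

if __name__ == "__main__":
    for name, chain in (("alignment", ALIGNMENT), ("renown", RENOWN), ("mana", MANA)):
        addr, trace = resolve(chain)
        print(f"{name}: {chain}")
        for level, (a, v) in enumerate(trace, 1):
            print(f"  level {level}: [{a:#010x}] = {v:#010x}")
        print(f"  -> {addr:#010x} holds {read_value(chain)}")
```

The trace printed for each chain is the same sequence of addresses you would see when pointer-searching one level at a time, so a chain that breaks after a restart can be checked level by level to find the first dereference that no longer matches.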

Postby WhiteHat » Sat Mar 07, 2009 8:09 am

I know I'm a little bit late to reply to this, but...

Aspras wrote: I had already tried [[[0x58AF1EC]+(0x0)]+0x8]+0x58 but it didn't get me anywhere. And I guess WhiteHat just mistyped that, though I believe he didn't notice the fact that 58AF040 already is in auto-hack in my screenshot.


Yes, I mistyped those 3 brackets... LoLz.

However, I posted that after studying your screenshot. And here is my reason:

In your expression evaluator:
- 0x58500C0+0x58
- [0x58AF188+0x8]+0x58
both expressions returned the same result.

I concluded that: [0x58AF188+0x8] = 0x58500C0

Then, I guess, you dug deeper by searching for pointers with the exact value 0x58AF188, and 3 addresses came up (which you put into the Auto-Hack window using “Find Out What Accesses this Address”). They were:
- 0x5850118
- 0x58AF190
- 0x58AF040

You were stuck when you highlighted 0x58AF040 and MOV ESI, DWORD PTR [ESI] came up. That was when minorutono posted his suggestion. Unfortunately, he was suggesting a complex address with the wrong ESI (no offense at all here, we’re here to learn together). He picked the value of ESI from the registers info. But that was ESI after the code was executed...

In fact, what you needed from MOV ESI, DWORD PTR [ESI] was the right-most ESI (the one before the code executed).

That was why I pointed to [[[0x58AF040]+0x8]+0x58 (with one left bracket mistyped, thanks for minorutono’s correction), because according to your screenshot the [ESI] in that code was supposed to be your highlighted address in the auto-hack window (“Find Out What Accesses this Address” thingy)...


Anyway, congratulations for getting those pointers... :)

Postby Aspras » Sat Mar 07, 2009 8:46 am

Thanks, I found the rest also. Scariness and attractiveness would be impossible to find without knowing renown or alignment. I had the pointer to alignment; to find renown, all I did was auto-hack the address of renown and get 0xaddy+0xoffset, then replace that offset with the rightmost offset of the complex pointer address of alignment. So I took

[[[[[Fable.exe+0xFB8A1C]+0x8c]+0x2*8]+0x44]+0x14]+0x28

and replaced 0x28 with 0x78. The problem with scariness and attractiveness was that the first offset wasn't working, and on top of that, if I went in deeper I could clearly see that the complex address was nothing like alignment's and renown's. Though what I noticed is that the alignment's complex address with 0x28 replaced by the wrong offset of scariness found with auto-hack would bring me very close to the actual address of scariness; it would bring me exactly to it if I added something to the wrong offset, so I added a new offset I calculated to the wrong one, and since then it's been getting me correctly back to the address of scariness. I didn't expect it to work but it did :roll: .
I think I am also going to find the pointer to damage dealt and then start working on the trainer.

Postby minorutono » Sat Mar 07, 2009 2:52 pm

WhiteHat wrote: That was when minurotono posted his suggestion.


Close. Minorutono ^^.

And yes, we're all learning together. All I know is from a little experience and your tuts. ^^.

So.. the ESI was the one after? How do you get the one before?

Postby WhiteHat » Sat Mar 07, 2009 6:48 pm

Aspras wrote: I think I am also going to find the pointer to damage dealt and then start working on the trainer.

That would be quite tricky... Anyway, good luck with the trainer...


minorutono wrote: Close. Minorutono ^^.

OMG, so sorry for my mistakes..

You see, mistyping someone’s name is a very big mistake in my culture of origin... I’ve edited my previous post, and 2 other posts with the same mistake:
http://memoryhacking.com/forums/viewtop ... 7126#37126
http://memoryhacking.com/forums/viewtop ... 7044#37044

There... Corrections done. Hope they’re enough for an act of apology...


minorutono wrote: So.. the ESI was the one after? How do you get the one before?

There are 3 ways that I know:
1. Use a software breakpoint instead of a hardware one.. (I’m not too profound about this one. I have just heard about it somewhere, maybe in the MHS Help)
2. Use a single-step breakpoint on the code (this will halt the process MHS hooked onto. Must be in windowed mode to avoid a PC freeze)
3. By simple logic...

Let’s discuss no. 3 a little..

When Aspras used “Find Out What Accesses this Address” on address 0x58AF040, this code came up:
Code:
MOV ESI, DWORD PTR [ESI]

That code read the value from the address being auto-hacked, that is [ESI], and stored the value into register ESI...
Since the address being auto-hacked was 0x58AF040, we can say that: “0x58AF040 was the rightmost ESI”.

Hope I made myself clear... ^^;
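An added example (not from the thread, and not MHS's code) for the point above about which ESI to use. It emulates `MOV ESI, DWORD PTR [ESI]` over a constructed snapshot that reuses the addresses quoted in the thread (0x58AF040, 0x58AF188, 0x58500C0) with made-up contents, and then shows why the expression has to start from the pre-execution ESI: after a simulated restart, the chain built from the auto-hacked address 0x58AF040 still lands on the current mana value, while the chain built from the post-execution value 0x58AF188 is one level of indirection short and reads a stale object.

```python
# Constructed 32-bit memory snapshots for this example. Only the three addresses
# 0x58AF040, 0x58AF188 and 0x58500C0 come from the thread; every stored value is made up.
SNAPSHOT_LIVE = {
    0x58AF040: 0x58AF188,   # the auto-hacked address: holds a pointer to the object
    0x58AF190: 0x58500C0,   # 0x58AF188+0x8: pointer to the stats block
    0x5850118: 250,         # 0x58500C0+0x58: the mana value (constructed)
}

# The same program after a simulated restart: the objects were re-allocated, so
# 0x58AF040 now points elsewhere and the old addresses hold stale data.
SNAPSHOT_RESTARTED = {
    0x58AF040: 0x58BF288,   # new object address (constructed)
    0x58BF290: 0x58600C0,   # 0x58BF288+0x8: new stats block
    0x5860118: 250,         # 0x58600C0+0x58: the mana value now lives here
    0x58AF190: 0x58500C0,   # stale pointer left behind in freed memory
    0x5850118: 0,           # freed stats block, zeroed
}


def mov_load(regs, mem, dst, src):
    """Emulate `MOV dst, DWORD PTR [src]`; return (registers before, registers after).

    A register dump taken after the instruction ran (what the auto-hack window shows)
    has the loaded value in dst. The address that was actually read is the value of
    src *before* execution, which for `MOV ESI, [ESI]` is overwritten by the load.
    """
    before = dict(regs)
    after = dict(regs)
    after[dst] = mem[before[src]]
    return before, after


def accessed_address(regs_before, src):
    """Address touched by the instruction: the source register's pre-execution value."""
    return regs_before[src]


def chain_from_accessed(mem, accessed):
    """[[accessed]+0x8]+0x58, i.e. the form that starts from the auto-hacked address."""
    return mem[mem[accessed] + 0x8] + 0x58


def chain_from_after(mem, esi_after):
    """[esi_after+0x8]+0x58, built from the post-execution ESI: one level short."""
    return mem[esi_after + 0x8] + 0x58


def mana_via(mem, chain_fn, start):
    """Resolve a chain in the given snapshot and read the DWORD it lands on."""
    return mem[chain_fn(mem, start)]


if __name__ == "__main__":
    before, after = mov_load({"ESI": 0x58AF040}, SNAPSHOT_LIVE, "ESI", "ESI")
    print(f"ESI before: {before['ESI']:#x}   ESI after: {after['ESI']:#x}")
    print("live, from accessed address:", mana_via(SNAPSHOT_LIVE, chain_from_accessed, before["ESI"]))
    print("live, from ESI after:       ", mana_via(SNAPSHOT_LIVE, chain_from_after, after["ESI"]))
    print("restarted, from accessed:   ", mana_via(SNAPSHOT_RESTARTED, chain_from_accessed, 0x58AF040))
    print("restarted, from old ESI:    ", mana_via(SNAPSHOT_RESTARTED, chain_from_after, 0x58AF188))
```

In the live snapshot both forms give the same mana address, which is why the screenshot alone could not tell them apart; only the restart exposes the missing level. In the real game 0x58AF040 is itself a heap address that moves too, which is why Aspras's final chain had to be carried all the way up to Fable.exe+0xFB8A1C; the snapshot keeps it fixed only to isolate the one level this post discusses.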

