I know I’m a little bit late to reply to this, but...
Aspras wrote: I had already tried [[[0x58AF1EC]+(0x0)]+0x8]+0x58 but it didn’t get me anywhere. And I guess Whitehat just mistyped that, though I believe he didn’t notice the fact that 58AF040 already is in auto-hack in my screenshot.
Yes, I mistyped those 3 brackets... LoLz.
However, I posted that after studying your screenshot. And here is what my reasoning was:
In your expression evaluator:
- 0x58500C0+0x58
- [0x58AF188+0x8]+0x58
both expressions returned the same result.
I concluded that:
[0x58AF188+0x8] = 0x58500C0
Then, I guess, you dug deeper by searching for pointers with the exact value of
0x58AF188, and 3 addresses came up (which you put into the Auto-Hack window using “Find Out What Accesses this Address”). They were:
- 0x5850118
- 0x58AF190
- 0x58AF040
You were stuck when you highlighted
0x58AF040 and
MOV ESI, DWORD PTR [ESI] came up. That was when minorutono posted his suggestion. Unfortunately, he was suggesting a complex address with the wrong ESI (no offense at all here, we’re here to learn together). He picked the value of ESI from the register info. But that was the ESI
after the code was executed...
In fact, what you needed from
MOV ESI, DWORD PTR [ESI] was the right-most ESI (the one before the code executed).
That was why I pointed to
[[[0x58AF040]+0x8]+0x58 (with one left bracket mistyped, thanks for minorutono’s correction), because according to your screenshot the
[ESI] in that code was supposed to be
your highlighted address in the auto-hack window (the “Find Out What Accesses this Address” thingy)...
Anyway, congratulations on getting those pointers...
.. to boldly go where no eagle has gone before...
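To make the bracket notation in this thread concrete, here is a small evaluator for it, added as an example (not code from the original post or from the tool being used). The memory image `MEM` is constructed to match the values quoted above, so `[0x58AF188+0x8]` reads 0x58500C0 and the pre-execution ESI is what `MOV ESI, DWORD PTR [ESI]` actually accesses.

```python
import re

# Constructed memory image: address -> DWORD stored there (values from the thread).
MEM = {
    0x58AF040: 0x58AF188,  # the address highlighted in the auto-hack window
    0x58AF190: 0x58500C0,  # 0x58AF188 + 0x8 holds the next pointer in the chain
}

TOKEN = re.compile(r"\s*(0x[0-9A-Fa-f]+|[0-9]+|[\[\]()+\-])")

def tokenize(expr):
    """Split an expression like '[[0x58AF040]+0x8]+0x58' into tokens."""
    pos, out = 0, []
    while pos < len(expr.rstrip()):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token near {expr[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out

def evaluate(expr, mem):
    """Evaluate the expression; [x] means 'read the DWORD stored at address x'."""
    toks, i = tokenize(expr), 0

    def expect(c):
        nonlocal i
        if i >= len(toks) or toks[i] != c:
            raise ValueError(f"expected {c!r} in {expr!r}")
        i += 1

    def atom():
        nonlocal i
        t = toks[i]; i += 1
        if t == "[":                       # dereference the inner address
            v = expression(); expect("]"); return mem[v & 0xFFFFFFFF]
        if t == "(":
            v = expression(); expect(")"); return v
        if t == "-":                       # unary minus
            return -atom()
        return int(t, 0)

    def expression():
        nonlocal i
        v = atom()
        while i < len(toks) and toks[i] in ("+", "-"):
            op = toks[i]; i += 1
            r = atom()
            v = v + r if op == "+" else v - r
        return v

    v = expression()
    if i != len(toks):
        raise ValueError(f"trailing tokens in {expr!r}")
    return v & 0xFFFFFFFF

def mov_esi_ptr_esi(mem, esi):
    """Model MOV ESI, DWORD PTR [ESI]: return (address accessed, ESI afterwards)."""
    return esi, mem[esi]
```

The address the instruction reads is the ESI value *before* it runs; the register view shows the value after, which is why the chain has to start from the highlighted address rather than the post-execution ESI.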