Memory Hacking Software

[efel]

I'm on the first level, and failing. I do a pointer search and it pulls up the nearest pointer as -382h so I thought I'd try finding it via the 'find what access this address method'...

It gives me two accesses:

Code: Select all

004B7F18   0FBF42 02   MOVSX   EAX, WORD PTR [EDX+2]   46   

Value of registers after statement:

Address: 004B7F18
EAX (after): 0000000F   ESP (after): 0018A620
ECX (after): 00000001   EBP (after): 0018A630
EDX (after): 08465DFC   ESI (after): 00011652
EBX (after): 00000000   EDI (after): 00000000


Move Fh to EAX with sign-extension

And this one:

Code: Select all

74BE5008   72 2A   JB      74BE5034   3   

Address: 74BE5008
EAX (after): 08465E1C   ESP (after): 0017DA24
ECX (after): 00000007   EBP (after): 0017DA2C
EDX (after): 00000000   ESI (after): 08465E00
EBX (after): 00000000   EDI (after): 0017EEC8


Jump short if below/carry (CF=1)

I can't figure out what it's trying to tell me... If I get the registers prior to the first statement, I feel like I'm getting somewhere... As it tells me what EDX is before...

But ultimately, two days have been wasted trying to trace this... can anyone give me any tips based on what I've posted?

[Aspras]

What you want is in the first one. EDX is the first address of a structure and 2 bytes away is the address of whatever youre trying to hack. That offset is most of the time static. Now you need to find a pointer to the base of the structure or to another structure inside of which lies that one. You need to search for pointers to 8465DFC in this case.

[efel]

It seems like searching for that pulled up nothing... No references... Is that possible?

Or maybe I was searching for EDX - 02h which would be 8465DFA. I'm really not sure.

Either way, whatever I tried searching for never pulled any results. I'll try it again tonight and see what happens...

[efel]

http://stackoverflow.com/questions/1127 ... 63#1128863

[L. Spiro]

For whatever is being fed into that MOVSX instruction, 08465DFC is already the base pointer with 2 being the offset. If you were to search for any pointers from here, it would be 08465DFC.


Here it is clear that you are working with pointers to types other than 4 (or greater) bytes, which means you can not reliably use the Pointer Search.

Start over from the final address and work back using only the Find What * This Address button.

Once you have gotten past the first layer (which will be given to you quickly via Find What * This Address, then you can begin using the Pointer Search again, since the pointers below that level will begin behaving like regular pointers again.


L. Spiro

[efel]

This is the first level using 'Find What * This Address'. I simply can't figure it out, no matter what I try...

Check out this:
http://stackoverflow.com/questions/1129 ... -in-a-game

It's my latest post on SO trying to provide more details and get some help... using more CE than MHS just because I'm most familiar with it...

[efel]

Finally found it... good lord.