how about the pointer instruction change?

Discussions Related to Game Hacking and Memory Hacking Software

Postby sieutruc » Sat Aug 14, 2010 8:43 pm

From the 9 tutorials of CE, a little MH, and hacking the game Fist of Fu http://fistsoffu.outspark.com, I have 2 questions:
Question 1) When you have an instruction like this:
0101757c add [eax],esi (assume eax= 041c5c78, address of health)
I know that eax is the value pointer. And when I restart the game, or change map, the value of eax changes; we also know how to find its base as in step 8. But the problem is, if the address of the instruction also changes from 0101757c to
03054681 add [eax],esi (eax=044f5a12)
the instruction address changes, and the value pointer in eax also changes.
How can I determine the base address of the instruction, or the base of the value pointer? I think the value pointer depends on the instruction pointer.

Question 2) When I debug Fist of Fu, I also see this:
0101757c add [eax],esi (assume eax= 041c5c78, address of health)
This function is for increasing health, but when I put a breakpoint on it without decreasing or increasing health in the game (by being attacked or healing), the game also breaks on it. I think maybe another function for text or graphics also uses this instruction; I tested this too: when it breaks there, the value of eax is 0471fa8c, not the health address. This confuses me, so I cannot code-cave this function, because it affects other properties. Can anybody show me how to handle these 2 problems, or at least give a suggestion, so we can work on it together?
The game I test is Fist of Fu above, the health address.
Re: how about the pointer instruction change?

Postby L. Spiro » Sat Aug 14, 2010 11:18 pm

Initially I suspected the game is just using code shifting (the reason I ruled out simple DLL relocation is because the last 3 digits of your new address were different, but this may simply be you making up fake example addresses), but your second issue makes me suspect the game has a scripting language that is compiled into machine code.

If the game is using code shifting, you can do searches for function footprints. Unfortunately MHS does not generate function footprints for you, so to make one you have to know what you are doing.
However, there is a way you can make it as long as you can find the function after it moves once.

First, copy the function bytes. The Disassembler allows you to select the whole function and then copy as Code.
Save the hex text to Notepad.

Restart the game so the code moves and find it again. Copy the whole function again as Code and save to Notepad.

Then take the bytes that differ between those two pastes and change them to ?.

You may end up with something like this:
Code:
6A 0F
E8 D6FDFFFF
68 D8560001
6A 0C
A3 D4560001
E8 3AFEFFFF
68 18570001
6A 0E

Changed to:
Code:
6A ?
E8 ????
68 ????
6A ?
A3 ????
E8 ????
68 ????
6A ?

And put onto one line:
Code:
6A ? E8 ???? 68 ???? 6A ? A3 ???? E8 ???? 68 ???? 6A ?

Change the hex numbers by adding a \x prefix and remove spaces:
Code:
\x6A?\xE8????\x68????\x6A?\xA3????\xE8????\x68????\x6A?


That gives you a function footprint.
To use the footprint, start a String Search.
Select Wildcard and enter your footprint.
Ensure that Match Whole Word Only is off, Aligned is off, and Match Case is on.
Using the string I made above, I correctly get one result in my test application.



You can add an item to MHS that uses a script for its address, and the first time the address is requested you perform a search via the script to get this address, then store the address and return it from there instead of searching every time.


If you want to do an injection instead of storing the address of that code in your address list, you can do the same search with scripts via the On_OpenProcess() event.



The solution for your second problem is to add code that checks that EAX is the address of your health and only calls your modified code if so.



L. Spiro
Our songs remind you of songs you’ve never heard.
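The footprint procedure above (copy the function from two runs, mask the bytes that differ, search with wildcards), as an added Python example that is not MHS script or the post's own code. The two hex dumps and the memory snapshot are constructed samples; the masking is a byte-wise diff, which is slightly less conservative than the hand-made footprint in the post.

```python
import re

# Constructed sample: the same function copied as "Code" hex from two runs of a
# program whose code moves. The bytes are made up for illustration only.
RUN_A = "6A 0F E8 D6FDFFFF 68 D8560001 6A 0C A3 D4560001 E8 3AFEFFFF 68 18570001 6A 0E"
RUN_B = "6A 0F E8 213C1200 68 A012B103 6A 0C A3 9C12B103 E8 853C1200 68 E012B103 6A 0E"


def parse_hex(dump: str) -> bytes:
    """Turn a copied hex dump into raw bytes; whitespace is ignored."""
    return bytes.fromhex("".join(dump.split()))


def build_footprint(dump_a: str, dump_b: str) -> str:
    """Diff two copies of one function and emit a wildcard string in the
    format the post uses: matching bytes become \\xHH, differing bytes '?'.
    Caveat: operand bytes that coincide in both runs (e.g. the FF FF high
    bytes of two backward calls) stay literal; mask those by hand if needed."""
    a, b = parse_hex(dump_a), parse_hex(dump_b)
    if len(a) != len(b):
        raise ValueError("both copies must cover the same instruction range")
    return "".join("?" if x != y else f"\\x{x:02X}" for x, y in zip(a, b))


def footprint_to_regex(footprint: str) -> re.Pattern:
    """Compile a footprint to a bytes regex: \\xHH -> literal byte, ? -> any byte."""
    parts = []
    for tok in re.findall(r"\\x[0-9A-Fa-f]{2}|\?", footprint):
        parts.append(b"." if tok == "?" else re.escape(bytes([int(tok[2:], 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_footprint(footprint: str, memory: bytes) -> list:
    """Offsets in `memory` where the footprint matches: unaligned and
    case-sensitive, i.e. the String Search settings the post recommends."""
    return [m.start() for m in footprint_to_regex(footprint).finditer(memory)]


def demo() -> list:
    """Build the footprint from the two dumps and locate the function in a
    constructed memory snapshot that holds both copies at known offsets."""
    footprint = build_footprint(RUN_A, RUN_B)
    memory = b"\x00" * 64 + parse_hex(RUN_B) + b"\x00" * 64 + parse_hex(RUN_A)
    return find_footprint(footprint, memory)


if __name__ == "__main__":
    print(build_footprint(RUN_A, RUN_B))
    print(demo())
```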
Re: how about the pointer instruction change?

Postby sieutruc » Mon Aug 16, 2010 1:26 pm

But how can I combine the 2 solutions into code, so that we can do it on the fly: automatically search for the pointer instruction, and know what the health address is to compare against? How do I write the code for this, using assembly or MHS script?
Re: how about the pointer instruction change?

Postby L. Spiro » Mon Aug 16, 2010 4:23 pm

Ah shit. RAMSearch() doesn’t support Wildcard searches for some stupid reason.
So you will just have to do it manually until there is an update.


L. Spiro
Our songs remind you of songs you’ve never heard.
Re: how about the pointer instruction change?

Postby sieutruc » Tue Aug 17, 2010 10:01 am

You also mentioned RAMSearch() and code shifting. I searched this forum for tutorials about these 2: there is a little about RAMSearch() (apart from the syntax in the help file), and nothing about code shifting. Can you share some tutorials for that?
Re: how about the pointer instruction change?

Postby L. Spiro » Tue Aug 17, 2010 5:13 pm

I know of no tutorials for code shifting.
Anyway, it is the same as any back-tracing, except probably easier, because pointers to that chunk of code will probably be page-aligned, and you can just look at the page where the code is and search for a pointer to that.
And since the code is definitely created at start-up, you can easily follow the start-up code to see where it allocates the dynamic code.
Additionally, since the code needs special access rights to be executed, you can breakpoint VirtualProtect(), checking for a call that changes the protection to include executable values.


L. Spiro
Our songs remind you of songs you’ve never heard.