Now what suggestions would some of you more experienced guys/gals have for this scenario? Obviously I'm going to want to be able to find the DMA address at runtime every time with the trainer. What methods would work the best? This is what I've been able to come up with so far. I may be on the right track, I may not be. Look this work over a bit and let me know what I'm doing right or wrong here (if you have the time, that is).
This is what I've found so far.
Code:
008A43C9 = MOV EAX, [EBP-20]
008A43CC = MOV [EBP+60],EAX
008A43CF = MOV EAX, [EBP-1C]
008A43D2 = MOV [EBP+64],EAX
008A43D5 = MOV EAX, [EBP-18]
008A43D8 = MOV [EBP+68],EAX
008A43DB = LEA EDI, [EBX+34]
008A43DE = LEA ESI, [EBP+60]
008A43E1 = movs dword ptr es:[edi],dword ptr [esi]
008A43E1 is the address being written to when the character moves. I set a BP on 008A43C9 and stepped through the code to find out what ESI was eventually being written to. And these are my findings:
Code:
ebp+60 = 0013f490 + 60 (13F4F0)
But on line 008A43DE, EBP+60 was written to ESI, so ESI should be 0013F4F0, but as you can see below it ends up being 0013f4f4.
Code:
esi = 0013f4f4
edi = 0013f5f8
eip = 008A43E2
I'm at a loss at this point, because after adding the ESI address to CE it ends up being a constantly cycling address, meaning one second it is 456456464, the next second it's -689.5646465472 (this is the X location), and the next second it changes to something else. What would some of you more experienced members suggest I do from here? Am I even attempting this the correct way? If not, how exactly should I be doing this?
Thanks
~Sorn
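The register dump above is consistent with plain x86 string-instruction semantics: `movs dword ptr es:[edi],dword ptr [esi]` copies 4 bytes and then advances both ESI and EDI by 4 (with DF clear), so a break that lands once EIP = 008A43E2 shows ESI = EBP+60+4 and EDI = EBX+34+4. As an added example that is not part of the original post, here is a small Python model of the listing 008A43C9..008A43E1 run over the post's EBP value; EBX, the stack window and the three source floats are constructed assumptions.

```python
import struct

MEM_BASE = 0x0013F400   # constructed: a small window of the stack to model
EBP = 0x0013F490        # from the post: ebp = 0013f490
EBX = 0x0013F5C0        # constructed so that EBX+0x34 = 0013F5F4 (EDI before the MOVS)

def movsd(regs, mem):
    """Emulate one MOVS DWORD: copy [ESI] -> ES:[EDI], then step both pointers
    by 4 (forward when DF=0). Registers and memory are mutated in place."""
    src, dst = regs["esi"], regs["edi"]
    value = struct.unpack_from("<I", mem, src - MEM_BASE)[0]
    struct.pack_into("<I", mem, dst - MEM_BASE, value)
    step = -4 if regs.get("df", 0) else 4
    regs["esi"] = (src + step) & 0xFFFFFFFF
    regs["edi"] = (dst + step) & 0xFFFFFFFF
    regs["eip"] += 1    # MOVSD (opcode A5) is a single byte: 008A43E1 -> 008A43E2
    return value

def run_sequence(x_coord=-689.5646, y_coord=12.5, z_coord=3.0):
    """Model the listed instructions and return (regs, mem) as a breakpoint
    would observe them after the MOVS at 008A43E1 has executed."""
    mem = bytearray(0x300)
    regs = {"ebp": EBP, "ebx": EBX, "eip": 0x008A43C9, "df": 0}
    # constructed source values at [EBP-20], [EBP-1C], [EBP-18] (three floats)
    struct.pack_into("<fff", mem, EBP - 0x20 - MEM_BASE, x_coord, y_coord, z_coord)
    # MOV EAX,[EBP-20] / MOV [EBP+60],EAX and the two following pairs
    for src_off, dst_off in ((-0x20, 0x60), (-0x1C, 0x64), (-0x18, 0x68)):
        eax = struct.unpack_from("<I", mem, EBP + src_off - MEM_BASE)[0]
        struct.pack_into("<I", mem, EBP + dst_off - MEM_BASE, eax)
    regs["edi"] = EBX + 0x34     # LEA EDI,[EBX+34]
    regs["esi"] = EBP + 0x60     # LEA ESI,[EBP+60]  -> 0013F4F0
    regs["eip"] = 0x008A43E1
    movsd(regs, mem)             # the instruction at 008A43E1
    return regs, mem

def copied_x(mem):
    """The float now stored at the MOVS destination, EBX+0x34."""
    return struct.unpack_from("<f", mem, EBX + 0x34 - MEM_BASE)[0]

if __name__ == "__main__":
    regs, mem = run_sequence()
    print(f"esi = {regs['esi']:08x}  edi = {regs['edi']:08x}  eip = {regs['eip']:08X}")
    print("value copied to EBX+34:", copied_x(mem))
```

The post-increment is why reading ESI after the instruction yields the dword just past the X value; the address the MOVS actually read is ESI-4.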