How do I get the first pointer to a struct ?

Need Help With an Existing Feature in Memory Hacking Software? Ask Here

Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo


Postby Felheart » Tue Jun 10, 2008 6:24 am

Hi,
I've made a bit of progress since I posted last time on this site.
Still, I have a problem left that I can't figure out myself.

I have already made a trainer with quite a few options.
(I can provide full source code and/or a compiled x64 .exe; just ask)

Screen:
http://img110.imageshack.us/img110/4389 ... ot1kw1.jpg


I want to make an aimbot too.
I have the coordinates of the player, and I can get a (nearly completely reversed) class pointer once I've got the health of one enemy.

Now there are many enemies, and no matter how much I try I can't figure out where the start of the enemy list or vector is!

Here is a screenshot of the reversed class / struct of an enemy.
http://img107.imageshack.us/img107/85/reclassedaw0.jpg

As you can see the Health is 0x24 bytes after the base.

I have tried to follow all the unknown addresses / searching pointers to the base of the class and so on...

What should I do now?
I can't find the first "segment" of the list / vector that contains the pointers to the enemy structs.
Felheart
Acker
 
Posts: 89
Joined: Sun Apr 27, 2008 3:05 am
Location: Germany

Postby denispn » Sun Dec 28, 2008 8:49 pm

Hi

I have the same problem too, but in another game. This is the only thing that blocks me from making my own aimbot (just for learning purposes).

In my case, the game is Counter-Strike 2D. I can get, for example, x and y coordinates from, let's say, 2 or 3 enemies, their health, and so on... but these values are temporary. If I close the game, I lose these values. I could not find the right pointer to these values.

What I don't know is how to find the right pointer and cycle through every enemy and get their position coordinates, so that I can make my own calculations.

Thanks for reading
denispn
Hacker Smacker
 
Posts: 43
Joined: Wed Dec 26, 2007 9:45 am

Postby denispn » Sat Jan 03, 2009 9:57 am

Hi all!

For those who have the same problem, I have found a workaround for this problem.

What I did is as follows:

1. I have found the address of an enemy position.
2. Right click the address and click Find What Accesses This Address.
3. The disassembler will open.
4. Go back to the game and don't do anything and wait for 1 sec or 2 secs.
5. Go back to the disassembler and view the address that accesses the enemy position address.
6. Right click the address and click Go To... current tab.
7. You will see the code on the right.
8. Right click this code that accesses the enemy address and click auto-assemble
9. Go to the Tools menu -> Memory Allocator -> specify 2048 for the size, click Allocate It!, and write down this address.
10. Then I injected the little code below. What it does is create a counter in the first 4 bytes of this allocated memory. Into the remaining memory, 4 bytes at a time, it copies the addresses the game refers to.

In my case, the allocated memory is at address [01480000].
And the code that accesses the player's position is (fld dword ptr [esi+C0]), where it loads the Y position value.

Code:
Alloc( MyCode1, 2048 )   ; Allocate 2,048 bytes and store the allocated address into MyCode1.
Alloc( MyCode2, 2048 )   ; Allocate 2,048 bytes and store the allocated address into MyCode2.
Alloc( Continue, 2048 )  ; Allocate 2,048 bytes and store the allocated address into Continue.
Alloc( MyCode, 2048 )    ; Allocate 2,048 bytes and store the allocated address into MyCode, which we use as the location where our new code goes.
Label( OverwrittenCode ) ; The code that was overwritten by the JMP to MyCode will go here.
Label( Exit )            ; JMP here to exit our custom code and go back to the original code.
Label( Return )          ; The location of the next instruction of the original code.

FullAccess( CounterStrike2D.exe+0x000C3468, 2048 )
CounterStrike2D.exe+0x000C3468 :
jmp MyCode               ; 5-byte JMP plus one NOP replace the 6-byte fld dword ptr [esi+C0].
nop
Return :

MyCode :                 ; The allocated address.  Put your code after this.
push eax
push ebx
push ecx
xor eax, eax
xor ebx, ebx
xor ecx, ecx
mov ebx, [01480000] ; Move to EBX the value of the counter.
cmp byte ptr [01480000], F8h ; Compare whether the counter has reached its limit, that is F8. (Just my choice; it can be up to 4 bytes, but you won't need it to be so big.)
jbe MyCode1 ; Jump if it's below or equal.
jmp Continue ; Else jump to Continue.

MyCode1 :
lea eax, dword ptr [esi+C0] ; Move to EAX the address [ESI+C0]. ESI is the base pointer of a player; in this case, ESI+C0 points to the Y position of the player.
cmp esi, [00595320] ; Compare to know if ESI is the same as my player. The base address of my player is 0x595320; note that this address is static.
je Continue ; Don't write if it's the same address.
jne MyCode2 ; If not equal, jump to the code that will write to the allocated memory.

MyCode2 :
add byte ptr [01480000], 4h ; Add 4h to the counter.
mov ebx, [01480000] ; Move to EBX the value of the counter.
lea ecx, dword ptr [01480000 + ebx] ; Move to ECX the address [01480000 + value of counter].
mov dword ptr [ecx], eax ; Store at [ECX] the address [ESI+C0] (it could be just ESI, and you would be copying the base address of a player, so that the Y position would be at [[address at ESI] + C0]).
jmp Continue

Continue :
pop ecx ; Pops must be in the reverse order of the pushes, otherwise the game's registers come back swapped.
pop ebx
pop eax

OverwrittenCode :        ; The overwritten code (code that was overwritten by the JMP to MyCode).
fld     dword ptr [esi+C0]

Exit :                   ; Automatic JMP back to the original code, or you can JMP Return directly to avoid coming here.
jmp Return

Now you just have to read the addresses in your allocated memory using a FOR, like below:


Code:
For $i = 0x04 To 0xF8 Step 0x04

    $PlayerYPositionAddr = $MemoryAllocated + $i

    ; blablabla (read the pointer stored at $PlayerYPositionAddr here)

Next


Every time the game restarts, you can set the counter to zero at the allocated memory address, and you will get the new pointers. In my case, I have to set the value at address [01480000] to zero again.

You can try to make the auto-assemble code better by making it check to see if the address is already in the allocated memory, before writing it in the memory.

Hope it helps. It worked for me. This is the best i can do. Now everyone can make a working aimbot. :-)
denispn
Hacker Smacker
 
Posts: 43
Joined: Wed Dec 26, 2007 9:45 am
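A defender's counterpart to the hook described in the post above, added here as an example (it is not code from the thread or from MHS): an integrity check that compares a module's code bytes against a pristine copy, decodes any 5-byte jmp rel32 patch of the kind the script installs, and flags targets that land outside the module, which is what a code cave in freshly allocated memory looks like. The sample bytes, image base, region address and cave target are constructed for the example.

```python
import struct

# Constructed sample, not bytes from a real game. Pristine code region at
# module+0xC3465: mov eax,[esi+4] ; fld dword ptr [esi+0xC0] ; fstp dword ptr [esi+8] ; ret
PRISTINE = bytes.fromhex("8b4604" "d986c0000000" "d95e08" "c3")
# Same region after the 6-byte fld has been replaced by a 5-byte jmp plus one nop.
# rel32 = 0x01490000 - (0x004C3468 + 5) = 0x00FCCB93, little-endian 93 CB FC 00.
HOOKED = bytes.fromhex("8b4604" "e993cbfc00" "90" "d95e08" "c3")

MODULE_BASE = 0x00400000           # assumed image base of the sample module
MODULE_SIZE = 0x00200000           # assumed image size (2 MiB)
REGION_VA = MODULE_BASE + 0xC3465  # virtual address of PRISTINE[0]


def diff_runs(pristine, live):
    """Return (offset, length) runs where the live bytes differ from the pristine copy."""
    runs, start = [], None
    for i, (a, b) in enumerate(zip(pristine, live)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, min(len(pristine), len(live)) - start))
    return runs


def find_jmp_hooks(pristine, live, region_va, module_base, module_size):
    """Report every modified run. A run starting with E9 is decoded as jmp rel32 and
    its trailing 0x90 padding folded in; 'original' holds the overwritten bytes."""
    hooks, covered_until = [], 0
    for off, length in diff_runs(pristine, live):
        if off < covered_until:
            continue  # padding nop of a hook already reported
        if live[off] != 0xE9 or off + 5 > len(live):
            hooks.append({"va": region_va + off, "target": None, "outside_module": None,
                          "original": pristine[off:off + length].hex()})
            continue
        rel = struct.unpack_from("<i", live, off + 1)[0]
        target = (region_va + off + 5 + rel) & 0xFFFFFFFF  # rel32 is relative to the next instruction
        end = off + 5
        while end < len(live) and live[end] == 0x90:
            end += 1
        hooks.append({"va": region_va + off, "target": target,
                      "outside_module": not (module_base <= target < module_base + module_size),
                      "original": pristine[off:end].hex()})
        covered_until = end
    return hooks
```

On the constructed sample it reports one hook at 0x004C3468 whose target 0x01490000 lies outside the module and whose overwritten bytes decode back to fld dword ptr [esi+0xC0].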

Postby L. Spiro » Sat Jan 03, 2009 11:17 am

I have never seen this topic before. Sorry for ignoring Felheart and denispn.

Good that you found one of many solutions to this problem.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby denispn » Sat Jan 03, 2009 6:37 pm

That's ok :-)
denispn
Hacker Smacker
 
Posts: 43
Joined: Wed Dec 26, 2007 9:45 am

