OR
Is there easier way to find the real one? And does it really matter what pointer you use?
Here is example. How would you start finding a real pointer?
Something with pointers
Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo
8 posts • Page 1 of 1
Something with pointers
by Utev » Mon Aug 06, 2007 5:22 am
When I use "pointer search" with range and get a lot of results. Should I just start trying them one ofter another? From smallest difference to biggest?
OR
Is there easier way to find the real one? And does it really matter what pointer you use?
Here is example. How would you start finding a real pointer?
OR
Is there easier way to find the real one? And does it really matter what pointer you use?
Here is example. How would you start finding a real pointer?
- Utev
- I Have A Few Questions
- Posts: 6
- Joined: Mon Aug 06, 2007 5:05 am
by L. Spiro » Thu Aug 09, 2007 1:31 pm
From a purely brute-force way, I would examine each pointer and see how they behave has the HP values move around.
I would also check the locations where they point and see if there are any indications of them pointing to the starts of structures.
But a more graceful approach would be to use the new Auto-Hack feature in the teaser release.
Find what reads HP. You get a lot of code addresses.
If you find one that has, for example, MOV EAX, [ECX+1A8], then you can tell from your Found Address list that 1265A54 is the pointer you want.
If you find ones that have different offsets from the register inside the [], look for the one that is most common.
And furthermore, you may easily get lucky enough to see something like:
MOV EAX, DWORD PTR [1265A54]
MOV EAX, [EAX+1A8]
And that would be your answer right there.
L. Spiro
I would also check the locations where they point and see if there are any indications of them pointing to the starts of structures.
But a more graceful approach would be to use the new Auto-Hack feature in the teaser release.
Find what reads HP. You get a lot of code addresses.
If you find one that has, for example, MOV EAX, [ECX+1A8], then you can tell from your Found Address list that 1265A54 is the pointer you want.
If you find ones that have different offsets from the register inside the [], look for the one that is most common.
And furthermore, you may easily get lucky enough to see something like:
MOV EAX, DWORD PTR [1265A54]
MOV EAX, [EAX+1A8]
And that would be your answer right there.
L. Spiro
-
L. Spiro - L. Spiro
- Posts: 3129
- Joined: Mon Jul 17, 2006 10:14 pm
- Location: Tokyo, Japan
by Utev » Fri Aug 10, 2007 2:54 am
L. Spiro wrote:From a purely brute-force way, I would examine each pointer and see how they behave has the HP values move around.
I would also check the locations where they point and see if there are any indications of them pointing to the starts of structures.
But a more graceful approach would be to use the new Auto-Hack feature in the teaser release.
Find what reads HP. You get a lot of code addresses.
If you find one that has, for example, MOV EAX, [ECX+1A8], then you can tell from your Found Address list that 1265A54 is the pointer you want.
If you find ones that have different offsets from the register inside the [], look for the one that is most common.
And furthermore, you may easily get lucky enough to see something like:
MOV EAX, DWORD PTR [1265A54]
MOV EAX, [EAX+1A8]
And that would be your answer right there.
L. Spiro
I thought it would be 1265A54 but seems like that it isin't. It works fine for me but not for others. I also tried rest of them. Without result.
- Utev
- I Have A Few Questions
- Posts: 6
- Joined: Mon Aug 06, 2007 5:05 am
8 posts • Page 1 of 1
Who is online
Users browsing this forum: No registered users and 0 guests