Searching tips?

Need Help With an Existing Feature in Memory Hacking Software? Ask Here

Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo

Postby slointe » Sun Sep 16, 2007 3:02 am

I am wondering if anyone would like to share how they go about searching things other than health and ammo stuff?

I am interested in a 3D game setting, finding players x,y,z values. Also a sniper scope 'sway'. What method of searching is best? What are some good techniques on paring down results?

for example:

I assume that the players xyz will be (3) floats. How do I even start looking for this?
slointe
Hackleberry Fin
 
Posts: 28
Joined: Tue Jul 10, 2007 11:25 am

Postby L. Spiro » Sun Sep 16, 2007 1:30 pm

I assume that the players xyz will be (3) floats. How do I even start looking for this?

By walking/jumping to higher and lower locations in the game and searching for increased/decreased float values. You cannot know the X and Y by walking forward/back/left/right, but you can know that your Z is increasing and decreasing as you walk up and down ramps.
Obviously your initial search is either Unknown or Range with a range of -100000 to 100000 (or so).

As you can see, the Hex Editor helper tab (Conversions) is already ready to help you view XYZ float vectors, once you find them.



Also a sniper scope 'sway'. What method of searching is best?

Float search for a range of values from -1 to 1. Then as your vertical sway moves up you sub search for increased values. As it sways down you look for decreased values.



For things other than ammo and health—values you don’t know already—you just have to take advantage of the search types that are meant to help you find values you don’t actually know.
Creative searching is all there is to it.




Also, you will often get lucky enough to have your player position/direction/etc. right there near your health in RAM. View your health in RAM and watch the Hex Editor as you move around in the game. It is likely you will find areas in RAM that only change when you move (and changes are highlighted in blue for ease in spotting). They very well may be your XYZ positions.
You can view all data in the Hex Editor as Float by selecting View/Base Options setting the Current Layer/Data Type to Float.


L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

o_0
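The Range-then-sub-search narrowing described above, as an added example rather than code from this thread or from MHS. It stands in for a scanner with three constructed snapshots of the same eight float slots (the values, slot count and which slot is the "height" are all made up): the first pass keeps everything in -100000..100000, the second keeps only slots that increased after "walking up a ramp", the third keeps only slots that then decreased after "walking back down". The survivor counts show why each extra movement pass matters.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed snapshots of one small region of floats taken at three moments;
 * a real scanner would snapshot the target process's readable pages instead. */
#define NSLOTS 8
static const float snap_start[NSLOTS] = { 1.0f, 12.5f, -3.0f, 0.0f, 100.0f, 0.25f, 7.0f, 99999.0f };
static const float snap_up[NSLOTS]    = { 1.0f, 13.0f, -3.0f, 0.0f, 101.0f, 0.25f, 7.5f, 99999.0f }; /* after walking up a ramp */
static const float snap_down[NSLOTS]  = { 1.0f, 12.0f, -3.0f, 0.0f, 102.0f, 0.25f, 7.5f, 99999.0f }; /* after walking back down */

/* Set of candidate slot indices that are still alive after each pass. */
typedef struct { size_t idx[NSLOTS]; size_t n; } candidates;

enum change { INCREASED, DECREASED, UNCHANGED };

/* Initial Range search: keep every slot whose value lies in [lo, hi]. */
static candidates scan_range(const float *mem, float lo, float hi)
{
    candidates c = { {0}, 0 };
    for (size_t i = 0; i < NSLOTS; i++)
        if (mem[i] >= lo && mem[i] <= hi) c.idx[c.n++] = i;
    return c;
}

/* Sub search: keep only candidates whose value moved the way the player did
 * between the previous and the current snapshot. */
static candidates sub_search(const candidates *in, const float *prev, const float *cur, enum change how)
{
    candidates c = { {0}, 0 };
    for (size_t k = 0; k < in->n; k++) {
        size_t i = in->idx[k];
        int keep = (how == INCREASED) ? cur[i] > prev[i]
                 : (how == DECREASED) ? cur[i] < prev[i]
                 : cur[i] == prev[i];
        if (keep) c.idx[c.n++] = i;
    }
    return c;
}

/* Run the three passes in the order the post describes. survivors[] receives
 * how many slots were left after each pass; the final set is returned. */
static candidates find_height_slot(size_t survivors[3])
{
    candidates c = scan_range(snap_start, -100000.0f, 100000.0f);
    survivors[0] = c.n;                                    /* every slot passes the range */
    c = sub_search(&c, snap_start, snap_up, INCREASED);    /* "walked up": keep increased */
    survivors[1] = c.n;
    c = sub_search(&c, snap_up, snap_down, DECREASED);     /* "walked down": keep decreased */
    survivors[2] = c.n;
    return c;
}

int main(void)
{
    size_t s[3];
    candidates c = find_height_slot(s);
    printf("after range: %zu, after increased: %zu, after decreased: %zu\n", s[0], s[1], s[2]);
    for (size_t k = 0; k < c.n; k++)
        printf("candidate slot %zu (value now %g)\n", c.idx[k], (double)snap_down[c.idx[k]]);
    return 0;
}
```

Slot 4 survives the "increased" pass because it also went up, and only the "decreased" pass separates it from the real height slot; that is the reason for alternating movements rather than repeating the same one.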

Postby slointe » Mon Sep 17, 2007 1:33 pm

OK, here's where I am now

MHS finds this address that I can modify:

2055A63C

At this address I punch in any short I want and it's reflected in game, no problem.

So doing MHS pointer search with range:

2054A63C to 2055A63C

yields nothing under (-5000) distance.

Now restarting the game several times this (2055A63C) of course changes but I can always find the changeable value again with MHS.

What am I finding if it's not a static address and I cannot find the base of this structure?

Or could it really be that the base of this structure, which is the character's grenades BTW, be really that far back (-5000)?
slointe
Hackleberry Fin
 
Posts: 28
Joined: Tue Jul 10, 2007 11:25 am

Postby L. Spiro » Mon Sep 17, 2007 5:53 pm

Most likely the value is nested under another pointer.

You probably have a pointer to a player class which then has a pointer to his grenades.


If that is the case you would need to uncheck Find Only Static.

But that will just help you confirm the case.

To find data that is actually useful you will need to debug the game and study the disassembly.


You will be looking for ADD EAX, XXXX -> MOV ECX, DWORD PTR [EAX] or MOV ECX, DWORD PTR [EAX+XXXX] where the italic values could be any register, not just EAX and ECX.

Use Find What Accesses This Address from the right-click pop-up menu.


L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby slointe » Mon Sep 17, 2007 11:56 pm

This address I find is the amount of grenades my character has in his inventory. So you are saying I have to work my way backwards from this location?

So far the pointers I have been finding are something like:

Gamex86.dll + 0x67354 + 0x28

If I am getting this right, I may run into something like the following:

Gamex86.dll + 0x67354 + 0x104 + 0x28

It would just be another layer?
slointe
Hackleberry Fin
 
Posts: 28
Joined: Tue Jul 10, 2007 11:25 am

Postby L. Spiro » Tue Sep 18, 2007 9:44 am

this address I find is the amount of grenades my character has in his inventory.

Then it is probably also stored on the player class itself.
But again, who knows how many pointers need to be followed to get there.
Yes, you need to work backwards from here.


So far the pointers I have been finding are something like:

I think you mean [Gamex86.dll + 0x67354] + 0x28.


It would just be another layer?

It would be.
As a complex address:
[[Gamex86.dll + 0x67354] + 0x104] + 0x28


L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby slointe » Tue Sep 18, 2007 12:07 pm

I know I can patch out the SUB but I am trying to find the data buckets instead. So I have narrowed it down to this:


323BD90C   999                           ; (1) This is the location I can edit and it is reflected in game (dataGrenades = 999)

1EBEBFBC   CC               INT3
1EBEBFBD   CC               INT3
1EBEBFBE   CC               INT3
1EBEBFBF   CC               INT3
1EBEBFC0   56               PUSH ESI
1EBEBFC1   57               PUSH EDI
1EBEBFC2   8B7C24 0C        MOV EDI,DWORD PTR SS:[ESP+C]             ; (4) [01FF71F4 + C] = 1FF7200 = 00000007
1EBEBFC6   8BF1             MOV ESI,ECX
1EBEBFC8   57               PUSH EDI
1EBEBFC9   8D8E 18110000    LEA ECX,DWORD PTR DS:[ESI+1118]
1EBEBFCF   E8 CC6DFFFF      CALL gamex86.1EBE2DA0
1EBEBFD4   85C0             TEST EAX,EAX
1EBEBFD6   7C 15            JL SHORT gamex86.1EBEBFED
1EBEBFD8   8B4C24 10        MOV ECX,DWORD PTR SS:[ESP+10]
1EBEBFDC   3BC8             CMP ECX,EAX
1EBEBFDE   7E 02            JLE SHORT gamex86.1EBEBFE2
1EBEBFE0   8BC8             MOV ECX,EAX
1EBEBFE2   2BC1             SUB EAX,ECX                              ; ECX = 00000001 / EAX = (999) dataGrenades value / dataGrenades value is then decremented
1EBEBFE4   8B8E 4C110000    MOV ECX,DWORD PTR DS:[ESI+114C]          ; (3) [ESI = 3231D9E4] = [0x3231D9E4+0x114C] = [323BD8F0]
1EBEBFEA   8904B9           MOV DWORD PTR DS:[ECX+EDI*4],EAX         ; (2) [323BD8F0 + 00000007 * 4] = [323BD90C] / EAX = (998)
1EBEBFED   5F               POP EDI
1EBEBFEE   5E               POP ESI
1EBEBFEF   C2 0800          RETN 8
1EBEBFF2   CC               INT3
1EBEBFF3   CC               INT3
1EBEBFF4   CC               INT3
1EBEBFF5   CC               INT3


(1) is where I started from
(2) is the line of code that is dumping the new values into (1) when I toss a grenade
(3) is one of the two lines that make up (1)'s location in RAM
(4) is the other one that makes up (1)'s location in RAM


the part that is throwing me is the *4 and the fact that two different lines 'populate' for the address of the final data bucket. o_0

P.S. As far as I can tell, 3XXXXXXX are the volatile addresses and the 1EXXXXXX are definitely static, as they are located in the gamex86.dll module.
slointe
Hackleberry Fin
 
Posts: 28
Joined: Tue Jul 10, 2007 11:25 am

Postby L. Spiro » Tue Sep 18, 2007 6:30 pm

#1: You need to know what ECX was before entering this function and how it was created.
#2: Your grenades are stored inside an array, index 7. Indices 0, 1, 2, 3, 4, 5, 6, etc., are all objects in this array.
#3: EDI tells you the index. It is modified inside this function which is why it is pushed and popped at the start and end. However it is not modified inside this function directly; it is modified in one of the function calls here.
#4: The 1EXXXXXX addresses are static in terms of being stored inside the DLL. But that DLL moves in memory. You cannot express these addresses as 0x1EXXXXX; you must express them as gamex86.dll+0xXXXXXX.
#5: ESI (and ECX at the start of the function) hold a pointer to your player class. The ammo values are stored in an array with your grenades being the 8th item (index 7). That array starts at playerPointer+114Ch. Which means your grenades are 114Ch+4*7 after the start of the player class. Which means if you have the address of your grenades, you should be able to find a pointer (static or otherwise) that points to (grenadesAddress-(114Ch+4*7)).


L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby slointe » Wed Sep 19, 2007 5:36 am

Ahhh...an array. That makes sense. I am new to ASM so I haven't seen that notated until now. The *4 is the 4-byte space being allocated per object, right?

Also, I think I made a mistake C+P'ing, since I couldn't get things to add up correctly. This should be the real line...it was late at night for me when I did this:

1EBEBFE4   8B8E 4C110000    MOV ECX,DWORD PTR DS:[ESI+114C]          ; (3) [ESI = 323BC7A4] = [0x323BC7A4+0x114C] = [323BD8F0]


So with the above I would say that these are my part of my character class?:

[0x323BC7A4 + 0x114C] <--- array starts here
[0x323BC7A4 + 0x114C] + 0x04 <--- some inventory item ???
[0x323BC7A4 + 0x114C] + 0x08 <--- some inventory item ???
[0x323BC7A4 + 0x114C] + 0x0C <--- some inventory item ???
[0x323BC7A4 + 0x114C] + 0x10 <--- some inventory item ???
[0x323BC7A4 + 0x114C] + 0x14 <--- some inventory item ???
[0x323BC7A4 + 0x114C] + 0x18 <--- some inventory item ???
[0x323BC7A4 + 0x114C] + 0x1C <--- Grenades


And possibly more above 0x1C if my EDI is modified in one of the above function calls?
slointe
Hackleberry Fin
 
Posts: 28
Joined: Tue Jul 10, 2007 11:25 am

Postby L. Spiro » Wed Sep 19, 2007 9:44 am

the *4 are the 4bytes spaces being allocated per object right?

Essentially.


So with the above I would say that these are my part of my character class?:

You would.


And possibly more

Probably.


L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby slointe » Thu Sep 20, 2007 5:33 am

Thanks for the help L. Spiro! I always wanted to know how people found the data pointers and what the notation meant exactly.

In case anyone cares this was for the game Enemy Territory: Quake Wars Demo. This was only for my education and is not for online play. The servers control ammo values in multiplayer.

**single player only**:

Grenades (int)
=============================================
[[[gamex86.dll + 0x64CECC] + 0x114C] + 0x1C]


Main gun ammo (int)
=============================================
[[[gamex86.dll + 0x64CECC] + 0x114C] + 0x24]

slointe
Hackleberry Fin
 
Posts: 28
Joined: Tue Jul 10, 2007 11:25 am
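An added example, not code from this thread or from MHS, that makes the complex-address notation concrete: it resolves a chain such as [[[gamex86.dll + 0x64CECC] + 0x114C] + 0x1C] against a constructed flat byte array standing in for the game's address space, and shows the [ECX+EDI*4] array-slot arithmetic that turns index 7 into +0x1C (and index 9 into +0x24). The layout follows the MOV ECX,[ESI+114C] / MOV [ECX+EDI*4] pair in the disassembly: a static slot in the DLL holds the player pointer, player+0x114C holds a pointer to an int array, and the ammo values live in that array. MODULE_BASE, PLAYER_OBJ, AMMO_ARRAY, the 999 and 30 values, and the "wrong base" case are all hypothetical; only the three offsets come from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the game's address space: a flat byte array whose
 * index is the "address". A real tool would read the target process instead. */
#define MEM_SIZE 0x700000u
static uint8_t mem[MEM_SIZE];

/* Hypothetical load address of gamex86.dll. The DLL can relocate between runs,
 * which is why the chain is written as module+offset rather than 0x1EXXXXXX. */
#define MODULE_BASE 0x10000u

/* Read a 32-bit value. Anything below 0x10000 (the never-mapped null page on
 * Windows) or past the end of our array counts as unreadable. Values are stored
 * and read back with memcpy, so host byte order is used consistently. */
static int read32(uint32_t addr, uint32_t *out)
{
    if (addr < 0x10000u || addr > MEM_SIZE - 4u) return -1;
    memcpy(out, mem + addr, 4);
    return 0;
}

static void write32(uint32_t addr, uint32_t val)
{
    memcpy(mem + addr, &val, 4);
}

/* Resolve [[[base + o0] + o1] + o2]: every offset but the last is added and
 * then dereferenced; the last is added without dereferencing and gives the
 * address of the value itself. Returns 0, or -1 if any hop is unreadable. */
static int resolve_chain(uint32_t base, const uint32_t *offs, size_t n, uint32_t *addr_out)
{
    uint32_t cur = base;
    for (size_t i = 0; i < n; i++) {
        cur += offs[i];
        if (i + 1 == n) break;
        if (read32(cur, &cur) != 0) return -1;
    }
    *addr_out = cur;
    return 0;
}

/* [ECX + EDI*4]: element `index` of an array of `stride`-byte items at array_base. */
static uint32_t array_slot(uint32_t array_base, uint32_t index, uint32_t stride)
{
    return array_base + index * stride;
}

/* Constructed player object laid out as the disassembly implies. */
#define PLAYER_OBJ  0x400000u
#define AMMO_ARRAY  0x500000u
static void setup_memory(void)
{
    memset(mem, 0, sizeof mem);
    write32(MODULE_BASE + 0x64CECC, PLAYER_OBJ);   /* static slot in the DLL -> player */
    write32(PLAYER_OBJ + 0x114C, AMMO_ARRAY);      /* player+0x114C -> int array */
    write32(array_slot(AMMO_ARRAY, 7, 4), 999);    /* array[7], i.e. +0x1C: grenades */
    write32(array_slot(AMMO_ARRAY, 9, 4), 30);     /* array[9], i.e. +0x24: main gun ammo */
}

/* Read an int through a chain from the given module base; -1 if the chain breaks. */
static long read_via_chain(uint32_t base, const uint32_t *offs, size_t n)
{
    uint32_t addr, val;
    setup_memory();
    if (resolve_chain(base, offs, n, &addr) != 0) return -1;
    if (read32(addr, &val) != 0) return -1;
    return (long)val;
}

static const uint32_t grenade_chain[]  = { 0x64CECC, 0x114C, 0x1C };
static const uint32_t main_ammo_chain[] = { 0x64CECC, 0x114C, 0x24 };

static long grenades(void)      { return read_via_chain(MODULE_BASE, grenade_chain, 3); }
static long main_gun_ammo(void) { return read_via_chain(MODULE_BASE, main_ammo_chain, 3); }

/* Same chain with the DLL assumed at the wrong base: the static slot reads as
 * 0, the next hop lands in the null page, and the resolver reports a break
 * instead of returning garbage. */
static long grenades_wrong_base(void) { return read_via_chain(MODULE_BASE + 0x1000u, grenade_chain, 3); }

int main(void)
{
    printf("grenades=%ld main gun=%ld wrong base=%ld\n", grenades(), main_gun_ammo(), grenades_wrong_base());
    printf("[323BD8F0 + 7*4] = %08X\n", array_slot(0x323BD8F0u, 7, 4));
    return 0;
}
```

Checking every hop for readability is what separates a chain that is merely wrong from one that crashes the reader; after a restart or on another machine the module base changes and a hard-coded 0x1EXXXXXX chain fails in exactly this way.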
