[HELP] - Correct Procedure to find Static Address


Postby gandalfge » Thu Dec 18, 2008 3:12 am

Hi all mates,
a user from MMOwned referred me to MHS as the best tool to manage memory. I used CE, but for some games it wasn't possible to access certain memory locations.
But I need some help to better understand where I'm making mistakes.
I'll try to be as clear as possible; hope someone (please understand me...) can help me sort it out:

Let's say I need to find my char name at login (WoW is the game) so I can check it with my program and auto-login:

1) I look for the address (dynamic) where the name is NOW:
Code:
Search String -> ASCII -> Name


2) I change the name and I find 2 addresses:
Code:
1240DBA0 - 12409C0


3) I don't think I should use "Pointer Search", since I read it's better to use DIS.

4) Right-click "Find what accesses this Address" on 1240DBA0
5) Go back to the program and change the name
6) Go look where I find a MOV:
Code:
006A125F   8808   MOV     BYTE PTR [EAX], CL   2

Code:
Address: 006A125F
EAX (after): 1240DBA0   ESP (after): 0019FBB0
ECX (after): 1240DB50   EBP (after): 0019FBB8
EDX (after): FFFFFE20   ESI (after): 1240DBA0
EBX (after): 1240D9C0   EDI (after): 1240DBA8


Move CL (Ch) to [1240DBA0h]

7) I do the same for the other address: 12409C0
8) I find:
Code:
006A1280   8808   MOV     BYTE PTR [EAX], CL   1


Code:
Address: 006A1280
EAX (after): 1240D9C0   ESP (after): 0019F850
ECX (after): 00000050   EBP (after): 0019F858
EDX (after): FF5DFE04   ESI (after): 1240D9C0
EBX (after): 00000008   EDI (after): 119ED7C4


Move CL (Ch) to [1240D9C0h]


9) Well, I realized (I did before) that this 006A1280 remains the same if I close the program and restart.
10) This 006A1280 I believe should be a Static Address, so I add it to the Address List (Unsigned Long - Hex) and go see it:
11) This address has this value: 1284114568 or 4C8A0888h
12) Going to see "Find what accesses this Address": there's nothing in DIS and no notes.
13) So, IF I'm correct, if I read the value of 006A1280 (WoW.exe + 2A1280) I should find the pointed-to address that contains my data, BUT I don't find it, since as in 11) the value is 4C8A0888h
14) So I go see that 4C8A0888h but... I get an "Unobtainable"...

So I try it using, e.g., AutoIt: if I memory-read 006A1280 I simply get 4C8A0888h and I can't go any further.

Where do I fail? I repeat, if I restart the game, close and reopen MHS, I always find 006A1280 pointed to by the dynamic address, but I'm not able to go back to it from there, so I can't find a way to write down a correct formula to always get it.
Another hint: the 006A1280 is not green, so probably it's not a pointer.

Hope to find a solution, and maybe this can clarify a lot of things I see asked here and in other forums, mainly by users.

Thanks again to everyone for the help,

Sincerely,

M.
gandalfge
I Have A Few Questions
 
Posts: 4
Joined: Thu Dec 18, 2008 2:38 am

Postby L. Spiro » Thu Dec 18, 2008 11:53 am

006A1280 is not data, it is code.
That is the address of the instruction reading your value. It has nothing to do with the address of the value itself or the pointers used to get to that address.

The address of the code is irrelevant; you need to be taking addresses from the registers/code.

If you find what reads 0x1240DBA0 and you get MOV BYTE PTR [EAX], CL 2, EAX holds the address of your value.
Look above to see how EAX was created.

You will see some kind of addition or dereferencing, which tells you the offset used to get 0x1240DBA0 from its base (if any) and that there was at least one more pointer beneath that one.

For example:
Code:
INC     EAX, 80
MOV     BYTE PTR [EAX], CL   2



This means 0x1240DBA0 - 0x80 (0x1240DB20) is the base of the structure.
Find what accesses 0x1240DB20 and repeat until you see an instruction that accesses a hard-coded address:
Code:
MOV     EAX, [00504FEC]


0x00504FEC is the static base pointer.


L. Spiro
Our songs remind you of songs you’ve never heard.
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby gandalfge » Thu Dec 18, 2008 4:39 pm

First of all, thanks.
Just to clarify the following: I'm not just a leecher, I'm interested in understanding and willing to donate whatever is necessary to you, Spiro, for the work you did. Hope you can help me learn and understand it, for me and the community.
Let's go on.

I tried what you said but I can't find the INC EAX bla bla bla.
Once I read the address I find, I get these:
Code:
00417EEC   3A51 FC   CMP     DL, BYTE PTR [ECX-4]   1   
006A1280   8808   MOV     BYTE PTR [EAX], CL   1   
0042A4F2   803B 00   CMP     BYTE PTR [EBX], 0   3   
0042A50E   803B 00   CMP     BYTE PTR [EBX], 0   3   
0042A943   803F 00   CMP     BYTE PTR [EDI], 0   1   
006A12B7   8039 00   CMP     BYTE PTR [ECX], 0   3   
00604FB8   803B 00   CMP     BYTE PTR [EBX], 0   1   
0042348E   0FB602   MOVZX   EAX, BYTE PTR [EDX]   4   
0042AA67   803B 00   CMP     BYTE PTR [EBX], 0   1   
00601110   803E 00   CMP     BYTE PTR [ESI], 0   1   
00604E58   8038 00   CMP     BYTE PTR [EAX], 0   2   
00604B48   381E   CMP     BYTE PTR [ESI], BL   2   
0042CB88   8038 00   CMP     BYTE PTR [EAX], 0   1   
00600B9D   803E 00   CMP     BYTE PTR [ESI], 0   1   
00600C48   381E   CMP     BYTE PTR [ESI], BL   1   
0042CC92   3807   CMP     BYTE PTR [EDI], AL   1   
0042CC96   8A0C38   MOV     CL, BYTE PTR [EAX+EDI]   1   
006A124B   803A 00   CMP     BYTE PTR [EDX], 0   1   
006A125C   8A0C02   MOV     CL, BYTE PTR [EDX+EAX]   1   
0042C519   8038 00   CMP     BYTE PTR [EAX], 0   1   

I suppose, having no INC, I can look directly at the address given by the MOV... but:

Code:
Address: 006A1280
EAX (after): 11C8F1C8   ESP (after): 0019F850
ECX (after): 00000050   EBP (after): 0019F858
EDX (after): FF24F28C   ESI (after): 11C8F1C8
EBX (after): 00000008   EDI (after): 10EDE454


So what's wrong? Where am I making the error? To be honest, right now I'm in a loop, since it seems 11C8F1C8 is read from 006A1280, where I get no info.

M.

Postby L. Spiro » Thu Dec 18, 2008 7:40 pm

INC was just an example.

It may be:
Code:
MOV EAX, [EBX+80]


In which case your value is at the base of the class already (offset 0) and inside another structure, 0x80 bytes deep, is a pointer to your data.

You use the Expression Evaluator to keep track of the Complex Address as you go.
Thus, take the value of EBX (let’s say 0x10EDE454), and replace EBX in the following:
EAX = [EBX+80h]
[EAX] = Address of Your Value
Therefore
[[EBX+80h]] = Address of Your Value
Therefore
[[0x10EDE454+80h]] = Address of Your Value


And you are not supposed to look for this in the Auto-Hack window.
You need to right-click the address in the Auto-Hack window and show it in a new tab in the Disassembler.


Next you would find what accesses 0x10EDE454 and continue building your Complex Address by replacing 0x10EDE454 with that.


L. Spiro
Our songs remind you of songs you’ve never heard.

Postby gandalfge » Sat Dec 20, 2008 5:04 am

I tried but I still get no results.
Please write me the example based on what I see now:
Reading my address
Code:
12284760

I look at what reads it and I see:
Code:
00417EEC   3A51 FC   CMP     DL, BYTE PTR [ECX-4]   1   
006A1280   8808   MOV     BYTE PTR [EAX], CL   1   
...

and
Code:
Address: 006A1280
EAX (after): 12284760   ESP (after): 0019F850
ECX (after): 00000050   EBP (after): 0019F858
EDX (after): FF52DC14   ESI (after): 12284760
EBX (after): 00000008   EDI (after): 117B2374


Move CL (Ch) to [12284760h]

I select 006a1280 and open it in a new tab (I just pasted the function):
Code:
006A1280 | 8808      | MOV     BYTE PTR [EAX], CL       |
006A1282 | 8A4C02 01 | MOV     CL, BYTE PTR [EDX+EAX+1] |
006A1286 | 83C0 01   | ADD     EAX, 1                   |
006A1289 | 84C9      | TEST    CL, CL                   |
006A128B | 75 F3     | JNZ     006A1280                 |
006A128D | C600 00   | MOV     BYTE PTR [EAX], 0        |
006A1290 | 5F        | POP     EDI                      |
006A1291 | 2BC6      | SUB     EAX, ESI                 |
006A1293 | 5E        | POP     ESI                      |
006A1294 | 5D        | POP     EBP                      |
006A1295 | C2 0C00   | RETN    C                        |

Shall I work here and decode this to calculate the new address?

M.

Postby L. Spiro » Sat Dec 20, 2008 7:50 am

You pasted the code below 006A1280 instead of above it. There is nothing of use here.


L. Spiro
Our songs remind you of songs you’ve never heard.

Postby gandalfge » Tue Dec 23, 2008 1:01 am

Well, let's retry...
Once I get the address
Code:
11e48f28

I read it:
Code:
00417EEC   3A51 FC   CMP     DL, BYTE PTR [ECX-4]   1
006A1280   8808   MOV     BYTE PTR [EAX], CL   1   
...


with:
00417eec:
Code:
Address: 00417EEC
EAX (after): 11C98C40   ESP (after): 0019F830
ECX (after): 11E48F2C   EBP (after): 0019F83C
EDX (after): 11C98C50   ESI (after): 11C98C3C
EBX (after): 7FFFFFFF   EDI (after): 7FFFFFFB

and
006A1280:
Code:
Address: 006A1280
EAX (after): 11E48F28   ESP (after): 0019F850
ECX (after): 00000050   EBP (after): 0019F858
EDX (after): FFE4FD14   ESI (after): 11E48F28
EBX (after): 00000008   EDI (after): 11C98C3C


Move CL (Ch) to [11E48F28h]


then I open it in a new window:
00417EEC:
Code:
00417ED1 | 72 75   | JB      00417F48               |
00417ED3 | 8D7B FC | LEA     EDI, DWORD PTR [EBX-4] |
00417ED6 | 85FF    | TEST    EDI, EDI               |
00417ED8 | 76 6E   | JBE     00417F48               |
00417EDA | 8B4D 0C | MOV     ECX, DWORD PTR [EBP+C] |
00417EDD | 8B45 08 | MOV     EAX, DWORD PTR [EBP+8] |
00417EE0 | 8A10    | MOV     DL, BYTE PTR [EAX]     |
00417EE2 | 83C0 04 | ADD     EAX, 4                 |
00417EE5 | 83C1 04 | ADD     ECX, 4                 |
00417EE8 | 84D2    | TEST    DL, DL                 |
00417EEA | 74 52   | JE      00417F3E               |
00417EEC | 3A51 FC | CMP     DL, BYTE PTR [ECX-4]   |
00417EEF | 75 4D   | JNZ     00417F3E               |
00417EF1 | 8A50 FD | MOV     DL, BYTE PTR [EAX-3]   |
00417EF4 | 84D2    | TEST    DL, DL                 |
00417EF6 | 74 3C   | JE      00417F34               |
00417EF8 | 3A51 FD | CMP     DL, BYTE PTR [ECX-3]   |
00417EFB | 75 37   | JNZ     00417F34               |
00417EFD | 8A50 FE | MOV     DL, BYTE PTR [EAX-2] |
00417F00 | 84D2    | TEST    DL, DL               |
00417F02 | 74 26   | JE      00417F2A             |
00417F04 | 3A51 FE | CMP     DL, BYTE PTR [ECX-2] |
00417F07 | 75 21   | JNZ     00417F2A             |
00417F09 | 8A50 FF | MOV     DL, BYTE PTR [EAX-1] |
00417F0C | 84D2    | TEST    DL, DL               |
00417F0E | 74 10   | JE      00417F20             |
00417F10 | 3A51 FF | CMP     DL, BYTE PTR [ECX-1] |


and 006A1280:
Code:
006A126A | C600 00   | MOV     BYTE PTR [EAX], 0        |
006A126D | 5F        | POP     EDI                      |
006A126E | 2BC6      | SUB     EAX, ESI                 |
006A1270 | 5E        | POP     ESI                      |
006A1271 | 5D        | POP     EBP                      |
006A1272 | C2 0C00   | RETN    C                        |
006A1275 | 8A0A      | MOV     CL, BYTE PTR [EDX]       |
006A1277 | 84C9      | TEST    CL, CL                   |
006A1279 | 8BC6      | MOV     EAX, ESI                 |
006A127B | 74 10     | JE      006A128D                 |
006A127D | 2BD6      | SUB     EDX, ESI                 |
006A127F | 90        | NOP                              |
006A1280 | 8808      | MOV     BYTE PTR [EAX], CL       |
006A1282 | 8A4C02 01 | MOV     CL, BYTE PTR [EDX+EAX+1] |
006A1286 | 83C0 01   | ADD     EAX, 1                   |
006A1289 | 84C9      | TEST    CL, CL                   |
006A128B | 75 F3     | JNZ     006A1280                 |
006A128D | C600 00   | MOV     BYTE PTR [EAX], 0        |
006A1290 | 5F        | POP     EDI                      |
006A1291 | 2BC6      | SUB     EAX, ESI                 |
006A1293 | 5E        | POP     ESI                      |
006A1294 | 5D        | POP     EBP                      |
006A1295 | C2 0C00   | RETN    C                        |



I need to understand, in this specific case, if I'm looking at the correct addresses and which code line I have to look into to get to the next address.

Thanks again for your patience... I'll compensate you for that :)

M.

Postby aeolus811tw » Mon Jul 27, 2009 4:07 pm

Considering you said 006A1208 shows up no matter what,
most likely it is an instruction of a particular function that accesses the memory offset that is relevant to the data you are searching for.

At this point,
if you scroll up and find tons of je, jnz, mov,
it would be easier to hook the game into a debugger such as OllyDbg or SoftICE.

Then put a breakpoint on the assembler offset and repeat your in-game action;
then, due to the breakpoint, the debugger will pause the program and allow you to check what the previous instruction was that led to triggering the breakpoint.

Then you analyze the code to find your static address.
aeolus811tw
I Have A Question
 
Posts: 1
Joined: Mon Jul 27, 2009 4:02 pm

Postby [Psych] » Mon Jul 27, 2009 4:21 pm

Post date dude, post date...
[Psych]
Hacker Smacker
 
Posts: 41
Joined: Thu Jul 16, 2009 4:15 pm

