Need help finding the static pointer to a string (name)


Postby wahoyaho » Sat Nov 24, 2007 8:20 am

So I'm playing this game and when you select a player or monster their name shows up with their health bar. I did a search for that name and got their address. But the pointer search does nothing.


So I looked in the Auto-Hack thing and it says
#1
006DCC52   8A10   MOV     DL, BYTE PTR [EAX]   2
006975A0   8A1A   MOV     BL, BYTE PTR [EDX]   2
006975E0   0FB61C2A   MOVZX   EBX, BYTE PTR [EDX+EBP]
27C902F3B   8903   MOV     DWORD PTR [EBX], EAX   1
7C902F17   8B18   MOV     EBX, DWORD PTR [EAX]   1
78144AFD   74 06   JE      SHORT 78144B05   1
78145174   89448F F8   MOV     DWORD PTR [EDI+ECX*4-8], EAX   1


And I don't know where to go on from here. Can anyone give me some pointers on this? (no pun intended)
wahoyaho
I Ask A Lot Of Questions
 
Posts: 11
Joined: Sat Nov 24, 2007 8:11 am

Postby L. Spiro » Sat Nov 24, 2007 11:22 am

Go to 006DCC52, 006975A0, or 006975E0 and breakpoint (execute) it (remember to stop the Auto-Hack or else your user breakpoints will not be hit).

Once the break is hit, if EAX, EDX, or EDX+EBP points to your address, you can study the code backwards to see how it came up with that address.

Obviously if you breakpoint address 006DCC52 then you are interested in finding out how it came up with the value in EAX (but only if EAX points to the string you are seeking). If the code is used on many strings, EAX may not point to your string every time.
To ensure it points to your string, use a condition on the breakpoint: EAX == XXXXXXXX. Replace XXXXXXXX with the address of your string.
You need to follow the code backwards until it shows a command that loads a static address into a register.
For example, MOV EAX, [0040FECC]. Once you find this you can put together all the commands that lead to the string and create a complex address to match the code.


L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby wahoyaho » Sat Nov 24, 2007 10:10 pm

Thanks, I'll give that a try. Just a quick question, how do you know to look at the 006DCC52, 006975A0, and 006975E0 addresses? Why not the other four?

I'm able to get the break point, but how do I move back on the code to find what happened to EAX/EDX?
wahoyaho
I Ask A Lot Of Questions
 
Posts: 11
Joined: Sat Nov 24, 2007 8:11 am

Postby Shynd » Sun Nov 25, 2007 1:20 am

006DCC52, 006975A0, and 006975E0 are all within the game's execute space whereas the others are in some DLL or other module loaded by the process. When you breakpoint, make sure the Callback function is Single Step, then use F8 to step through the code and see how the registers change (be sure to change to the Registers tab in the helper).
Shynd
Acker
 
Posts: 68
Joined: Fri Jan 05, 2007 2:11 am

Postby wahoyaho » Sun Nov 25, 2007 4:34 am

I'm just looking at the code and

006C5010 mov ecx, dword ptr [esi+720]
006C5016 lea edx, dword ptr [ecx+edi]
006C5019 mov cl, byte ptr [edx]

I found that esi before 006C5010 is 0CA1B588 in the registers, but after 006C5010 it becomes 0CA1EBB8 (which is the address where the string is stored)? So am I on the right track? Also, how did it get from 0CA1B588+720 to 0CA1EBB8? Shouldn't it be 0CA1BCA8?
wahoyaho
I Ask A Lot Of Questions
 
Posts: 11
Joined: Sat Nov 24, 2007 8:11 am

Postby Shynd » Sun Nov 25, 2007 6:43 am

mov ecx, dword ptr [esi+0x720] is basically saying "move the value at address esi+0x720 into ecx, as a pointer." So if ESI is 0CA1B588, it's moving the value at address 0CA1B588+720 into ECX, or the value at address 0CA1BCA8 into ECX. I bet you that if you breakpoint at that line and look at the value held at address 0CA1BCA8 (add it to your cheat table) you'll see that the value calculates to 0CA1EBB8 when converted to hex.

In ASM, anything inside brackets is indicating an address. If ECX is equal to 0x123456, a mov eax, ecx will make EAX equal to 0x123456; however, a mov eax, [ecx] will make EAX equal to whatever the value at address 0x123456 is. I hope it makes more sense now.
Shynd
Acker
 
Posts: 68
Joined: Fri Jan 05, 2007 2:11 am
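The following C program is an added illustration and is not code from any poster in this thread. It models the two points made above: the difference between esi+0x720 (an address) and [esi+0x720] (the value stored at that address), and the "complex address" L. Spiro describes, where a static address is dereferenced and offsets are added step by step until the string is reached. The object layout, the placement of the name pointer at offset 0x720, the static global g_selected, and the name "Goblin" are all constructed for the demo; the real addresses will be whatever the host allocates, not the thread's 0CA1... values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy layout (not the game's real one): a static global holds a
 * pointer to the selected object, and that object keeps a pointer to its name
 * buffer at offset 0x720, mirroring "mov ecx, dword ptr [esi+720]" above. */
#define NAME_PTR_OFFSET 0x720

struct game_object {
    uint8_t fields_before[NAME_PTR_OFFSET]; /* placeholder for the object's other fields */
    char   *name;                           /* lives at [object + 0x720] */
};

static char                g_name_buffer[32] = "Goblin"; /* the string a memory search would find */
static struct game_object  g_object;
static struct game_object *g_selected;     /* the static address a "MOV EAX, [0040FECC]" would load from */

void setup_memory(void) {
    memset(&g_object, 0, sizeof g_object);
    g_object.name = g_name_buffer;
    g_selected = &g_object;
}

/* Read a pointer-sized value from an address, the way a debugger's memory view
 * shows "the value held at address X". memcpy avoids strict-aliasing problems. */
static uintptr_t read_ptr(uintptr_t addr) {
    uintptr_t value;
    memcpy(&value, (const void *)addr, sizeof value);
    return value;
}

/* esi + 0x720 without brackets: the ADDRESS of the slot (the thread's 0CA1BCA8). */
uintptr_t slot_address(uintptr_t esi) {
    return esi + NAME_PTR_OFFSET;
}

/* [esi + 0x720] with brackets: the VALUE stored in that slot, which is the
 * name buffer's address (the thread's 0CA1EBB8). */
uintptr_t slot_contents(uintptr_t esi) {
    return read_ptr(esi + NAME_PTR_OFFSET);
}

/* Resolve a "complex address" the way a cheat table does: start from a static
 * address, then for each offset dereference (current pointer + offset).
 * This reproduces the chain [[static] + 0x720]; the per-character index
 * (edi in the thread) is left to the caller. */
uintptr_t resolve_chain(uintptr_t static_addr, const long *offsets, size_t count) {
    uintptr_t current = read_ptr(static_addr);                  /* MOV EAX, [static]      */
    for (size_t i = 0; i < count; i++)
        current = read_ptr(current + (uintptr_t)offsets[i]);    /* MOV ECX, [EAX+offset]  */
    return current;
}

int main(void) {
    setup_memory();
    uintptr_t esi = (uintptr_t)g_selected;
    printf("esi         = %#lx\n", (unsigned long)esi);
    printf("esi+0x720   = %#lx (address of the slot)\n", (unsigned long)slot_address(esi));
    printf("[esi+0x720] = %#lx (value in the slot = name buffer)\n", (unsigned long)slot_contents(esi));

    long offsets[] = { NAME_PTR_OFFSET };
    uintptr_t name = resolve_chain((uintptr_t)&g_selected, offsets, 1);
    /* lea edx, [ecx+edi] ; mov cl, byte ptr [edx]  with edi = 2 */
    printf("resolved chain -> \"%s\", byte at [name+2] = '%c'\n",
           (const char *)name, *((const char *)name + 2));
    return 0;
}
```

Running it prints two different numbers for esi+0x720 and [esi+0x720], which is exactly the gap between 0CA1BCA8 and 0CA1EBB8 in the question: the first is where the pointer sits, the second is where it points. The resolve_chain function is the shape of the "complex address" you end up writing into the tool once the static start has been found.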

Postby wahoyaho » Sun Nov 25, 2007 11:52 am

Thanks, that helps explain it. I kinda understand what the assembly code there is trying to do, but I'm still nowhere near finding that static pointer.


Is it possible to do a search where it keeps scanning a specific register until it hits a certain value, then pauses the process for you to look at what caused that change? :x
wahoyaho
I Ask A Lot Of Questions
 
Posts: 11
Joined: Sat Nov 24, 2007 8:11 am

Postby Turtle » Sun Nov 25, 2007 12:37 pm

There are two main ways of tracking down a static pointer. The proper way is to manually decipher the ASM code backwards until you find it; the other way is to do it by searching RAM, but it is not as reliable as the proper way.

If you want to now try the ram searching method, you will need to do the following:

Have a quick read of this thread: http://www.memoryhacking.com/forums/viewtopic.php?t=333
Then, as stated in that thread, you will need to do the 8 steps of the cheat engine tutorial, the link to the video solutions is there also. This will give you a basic understanding of the subject.

Lastly, you should read another thread, which is a detailed method of completing step 8 by using ram searching, then you will have learned the ram searching method: http://forum.cheatengine.org/viewtopic.php?t=74826

I know it seems like a lot to do, but it will give you an understanding of pointers very quickly.
Turtle
I Ask A Lot Of Questions
 
Posts: 15
Joined: Tue Jul 18, 2006 12:02 pm

Postby Turtle » Sun Nov 25, 2007 12:56 pm

If you want some general knowledge about pointers then read these links:
http://www.memoryhacking.com/Misc/Tut/A ... inters.htm
http://forum.cheatengine.org/viewtopic.php?t=79
Turtle
I Ask A Lot Of Questions
 
Posts: 15
Joined: Tue Jul 18, 2006 12:02 pm

Postby wahoyaho » Sun Nov 25, 2007 4:22 pm

Ah, thanks Turtle and Shynd.

I realized what I was doing wrong after reading over your comments and doing that tutorial. I was mixing up the difference between [ecx] and ecx. Took a few minutes to just clear my head and now I think I got it all right :) Thanks again!
wahoyaho
I Ask A Lot Of Questions
 
Posts: 11
Joined: Sat Nov 24, 2007 8:11 am
