Static pointers and Module questions.

Postby Flubleah » Thu Jun 04, 2009 7:48 am

Hey everyone! I'm really sorry for starting a new thread, but this is really my first time ever searching for pointers and I'm kind of lost. I started off using T-Search, then ArtMoney, then Cheat Engine, and now I've moved to MHS (I think this one is by FAR the easiest to use).

ANYWAYS, I used Josese's tutorial and I followed it word-for-word, step-by-step. It's worked pretty well, but there's a few things I don't quite understand.

Here's what I've got:
[image]
A couple questions now:
1.) I'm guessing since my shortest distance was finally green, that I've finally found my pointer. (please say yes)

2.) In Josese's tutorial it only took a few tries to find the static pointer. Now I understand all games are different, but 16 levels seems a little high. Is it possible that I've just encountered a couple loops? I don't know if this is even applicable, but in my final pointer I've got a couple offsets that are the same:
[[[[[[[[[[[[[[[0x00A4C65C]+0x520]+0x8]+0x8]+0x30]+0x4]+0x0]+0x14]+0x68]+0x75C]+0x34]+0x18]+0x68]+0x8]+0x10]+12C
I've got 3 offsets that are 0x8... if that even means anything...

3.) Ok, so since I've found my static green pointer that works with my original value, what the hell do I do with it now? If I were to leave MHS open, restart my game, and reopen the process with MHS, would it point to the right address? Or is there something more I have to do with my static address?

I've got one last question about modules, here's what I've got:
[image]
4.) So yeah, L. Spiro said something about adding "h" to the end of the module (from Josese's thread). I did a search and someone said something about when you add an h, all it means is it turns it to hexadecimal, kind of like 0xwhatever (I have no idea what adding an h to the module would ACTUALLY do >.<). In MY case is there anything I have to do to my module?

Alright, well sorry for being a noob, but hey, I gotta start somewhere eh? Also my biggest question has to be #3: I just want to know what I have to do with my static address, or if I just leave it and it'll work perfectly.

THANKS for any help guys, I really really really appreciate it, I've been trying to figure out these pointer thingies for about 4 or 5 days now. Also sorry for the essay of a post...

(just if you're wondering, I'm working on The Sims 3, hahah yeah, I know, it's gay, but I thought I'd start somewhere XD)

Postby L. Spiro » Thu Jun 04, 2009 9:53 am

#1: Your base address is 0x00A4C65C. It is static. However you should write it as TS3.exe+64C65Ch, so that if TS3.exe changes addresses your Complex Address will still work.

#2: 16 layers of pointers is average. Repeated offsets are common, but you should watch them carefully next time you start your game, as they may go a few iterations along a linked list before continuing to your destination.

#3: Save it. Never forget it unless you want to find it all again. It will keep track of your value as you close, restart, etc., your game.
Once you have completed a Complex Address you are done and can move on to the next value you want to find.

#4: That value is shown in the Simple group. Complex Addresses override Simple Addresses so it does not matter what is there or in what format.
That box defaults to hex input, so neither 0x nor h are necessary there.

h postfix and 0x prefix do the same thing. There is 0% difference, so it is up to your background/style.


L. Spiro
Our songs remind you of songs you’ve never heard.

Postby Flubleah » Thu Jun 04, 2009 10:37 am

oh ok, I see... but I'm still a bit confused...

I restarted my game and the base pointer I have under Value now reads "Unobtainable"; locking it does nothing.

I'm completely 100% lost, what the heck am I supposed to do with my base address? Do I need to put it into a couple lines of code or something?

Thanks for the help though! I did learn a few things XD

Postby L. Spiro » Thu Jun 04, 2009 11:42 am

Follow your pointer trail from its base out.

Start at TS3.exe+0x64C65C. Get the value there. Go to that address. Go up 0x520 bytes from there. Get the value there. Repeat.

Continue until one of the values is NULL (0x00000000).

Find out where and why your trail of pointers no longer works.

Make a new Complex Address. Is it the same as before? Where is it different? Study the disassembly to see why.

Use Find What Accesses this Address to get better pointers+offsets, and to be sure that your trail of pointers is correct.


Use the Expression Search to find your values quickly.

For example, if [[[[??]+0x8]+0x10]+12C+0x3C] == 100 gives you one result, you have just found one of the pointers in your Complex Address multiple layers deep. Before you ask, I got that expression by:
#1: Assuming [[[[[[[[[[[[[[[0x00A4C65C]+0x520]+0x8]+0x8]+0x30]+0x4]+0x0]+0x14]+0x68]+0x75C]+0x34]+0x18]+0x68]+0x8]+0x10]+12C gives you the address that is the start of your player structure.
#2: If that gives you the address of your player structure, your HP is some offset from there. I chose 0x3C arbitrarily.
#3: That gives us the address of your HP. To get the value of your HP, add [] around it.
#4: Compare that value with 100 (max HP). If it is == to 100, return 1. Otherwise return 0. Read the documentation for the reason this works.


Turn off custom read/write functions in the Options dialog before doing this type of search or you may experience a blue screen not of life.


L. Spiro
Our songs remind you of songs you’ve never heard.

Postby Flubleah » Thu Jun 04, 2009 12:39 pm

Alright, well I figured out what value is NULL, although it never said "NULL" or "0x00000000".
However, it worked fine until I added 3 to the last pointer offset (one of the 0x8 at the beginning) and it said, "Valid Expression but Unable to Resolve".

I'll try to find a new complex address (I'm new so this takes me a while eh?)
Can you explain how I would go about studying the disassembly? And also explain a bit more about the find what accesses this address? (If there's a tutorial on "find what accesses this address" I'd gladly take a gander at it.)

So let me get this Expression search correct:
1.) I'll scan for my [[[[[[[[[[[[[[[0x00A4C65C]+0x520]+0x8]+0x8]+0x30]+0x4]+0x0]+0x14]+0x68]+0x75C]+0x34]+0x18]+0x68]+0x8]+0x10]+12C assuming it does lead to the address I'm looking for (if it doesn't what then?)
2.) So I choose some arbitrary hex value here or what? Will I find this using the expression search?
3.) Add [] around my whole expression, got it.
4.) Um... ok? I'm assuming looking at the expression search I'd understand this a bit more...

Sorry L., but that last post just absolutely confused the fuck out of me (excuse my harsh language). I'm not getting this at all, I'm SO freaking confused. I'll try playing around with this stuff, but honestly I'm gonna need a little more direction than that...
Are there any tutorials you could point me to or something or just explain it some more?

Thanks a tonne dude, I really really appreciate the effort for you to help me, but you gotta remember I'm new at this and you really can't assume I'm gonna know how to do any of this.
Sorry for being such a newblet. >.<;;!

Postby L. Spiro » Thu Jun 04, 2009 2:42 pm

If you do not understand my explanation of how to use the Expression Search then just forget it; it is just an alternative way to find your address (and part of your pointer trail) for advanced users.

There is no need to explain it further if it is not the route you will be going.

Study the disassembly in the Disassembler. Find your address. Right-click it, Find What Accesses this Address, and it will load the Disassembler.
There are several tutorials that cover how this works, among them http://memoryhacking.com/forums/viewtopic.php?t=2695 is but one.
When your value is accessed it will appear in the list in the Helper window where you will have to click it to see what code was used to access it. Inside the code there will be something like mov [eax+OFFSET].
This is the exact same format as in a Complex Address, where EAX and offset will be numeric values in your Complex Address surrounded by [].

To give a clearer example, the first time you do this you will probably find this:
mov ecx, [edx+12C]

EDX would be an address and 12C is the last offset in your Complex Address. Since EDX is an address, you then need to see how EDX was created, and you would repeat the process.

Code:
edx+0x12C ->
[ecx+0x8]+0x12C ->
[[ecx+0x68]+0x8]+0x12C ->
Repeat the Auto-Hack process until you find the base pointer.



L. Spiro
Our songs remind you of songs you’ve never heard.

Postby Flubleah » Fri Jun 05, 2009 3:23 am

using "Find out what Accesses this Address" gives me 2 Options in the Disassembler:
FLD DWORD PTR [ECX+EAX] (this one has more hits if that matters)
and
FSTP DWORD PTR [ECX+EAX]

EAX (after): 28E93700
ECX (after): 0000012C

(same addresses for both FLD and FSTP)

Now I'm just assuming that ECX is my offset because it's 12C; also, when I put the value of EAX in my Expression Evaluator like this: EAX+0x12C, it gives me my original address, so that's good *thumbs up* :D

EAX is the same in both FLD and FSTP which is REALLY annoying because when I do a pointer search it gives me 218 results. This is the EXACT same problem I had with cheat engine, how am I supposed to narrow down those results? I honestly don't have the patience to sift through 218 results to see if maybe ONE is correct. (NONE of my results are static (green))

Even if I continue on, choose 1 random address of my 218 results and do a "Find what accesses this address" on it, I get something like this:
MOV ECX, DWORD PTR [EDX]
so now I do a pointer search on my address of EDX and guess what? 0 results, ARGGGG!!!!

So L., is there any way I can narrow down my 218 results?!?

Thanks!!! XD

Postby L. Spiro » Fri Jun 05, 2009 6:55 am

They are both usable.

Method #1:
Run the game. Tell me what EAX is in the same code (this time it was 28E93700; I need to know what it is next time).
Then tell me what [EAX+ECX] is.
Then tell me the address of your health.
Then tell me the value of your health.
I will make an Expression Search that may help.


Method #2:
Now that you have 218 results, perform the smallest action that will change the address of the data you are finding. I assume it is your player data. So die and respawn. Your objective is to change only the address of that data, and not anything else. You want to change the top of the pointer trail only, not any of the lower-level pointers.

Having done that, look at the list of 218 pointers. Many of them will have a new value. You can follow that value to see if it is pointing to your new player data address. The rest will be pointing to other random garbage data.
Since you know the correct value the pointers need to be to point at your new player data, you can perform an Exact Value Sub Search to remove all the dead entries.


Method #3:
MOV ECX, DWORD PTR [EDX]
I already know from your previous Complex Address that the next offset down should be 0x10.
This means there is a high chance that some ASM above that one looks like this:
INC EDX, 10
Whatever the case may be, you need to be looking at the ASM above the code you posted to see how EDX got the value it got.
And if EDX was increased by some value (I expect 0x10 in this case) then you need to be searching for (EDX-OFFSET), not (EDX). Which would probably be (EDX-0x10) in this case.



In many situations, you do not know the offset.
You have probably seen tutorials on this site, the help file, and even on YouTube (http://www.youtube.com/watch?v=o3690R8B4JM) that suggest you use a Range Pointer Search where the To value is the actual pointer you found (could be the actual value of EDX in this case) and the From value is the same value but reduced by some arbitrary amount (just take the third digit and set it to a 0, for example).

Your EDX example demonstrates why this is done.
Most pointers are followed by an offset (as you can see in your Complex Address) such that (BASE+OFFSET) = (EDX).
Therefore (EDX-OFFSET) = (BASE) (this is why EDX goes in the To field, because (BASE) is guaranteed to be equal to or lower than EDX).
We want to find (BASE). We do not know (OFFSET), so we use a Range Pointer Search to cover many potential offsets. That is why the offsets are shown in the list of results.
Picking the closest offset is usually correct. If there are multiple closest, then there are probably multiple paths to the end target, and both are just as valid.

The point is if you search for EDX and get 0 results, search for a range of values up to EDX.


L. Spiro
Our songs remind you of songs you’ve never heard.
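An added example, not code from the thread or from MHS, of the Range Pointer Search and Exact Value Sub Search described in the post above: every dword between From and To is reported with offset = To - value, closest offset first, and after the player data moves (Method #2) only the candidates that still reach the new EDX with that same offset survive. The register values, addresses and the 0x1000 range width are constructed; the 0x10 offset is the one Method #3 expects.

```python
# Constructed snapshots (address -> dword), not real game data. The last
# access was MOV ECX, DWORD PTR [EDX]; the code above it had added 0x10 to
# EDX, so the pointer we want holds EDX-0x10 and an exact search finds nothing.
EDX_BEFORE = 0x28E93710
MEM_BEFORE = {
    0x00A51000: 0x28E93700,  # the real pointer: (BASE+0x10) == EDX
    0x00B00000: 0x28E936F0,  # unrelated value that also falls in the range
    0x00D00000: 0x28E93000,  # another one, far below EDX
    0x00E00000: 0x12345678,  # outside the range entirely
}
# The same addresses after the player data moved (die and respawn).
EDX_AFTER = 0x31000010
MEM_AFTER = {
    0x00A51000: 0x31000000,  # followed the data: (value+0x10) == new EDX
    0x00B00000: 0x28E936F0,  # stale, never pointed at the player at all
    0x00D00000: 0x31A00000,  # changed too, but not to the player data
    0x00E00000: 0x12345678,
}

def range_pointer_search(mem, frm, to):
    """Every dword v with frm <= v <= to, as (address, offset) where
    offset = to - v; sorted so the closest offset comes first."""
    hits = [(addr, to - v) for addr, v in mem.items() if frm <= v <= to]
    return sorted(hits, key=lambda h: (h[1], h[0]))

def closest(hits):
    """The smallest offset; several entries here mean several valid paths."""
    return [h for h in hits if hits and h[1] == hits[0][1]]

def exact_value_sub_search(mem_after, hits, new_to):
    """Keep only candidates whose current value still reaches new_to with the
    offset found before: the pointers that moved along with the data."""
    return [(a, off) for a, off in hits if mem_after.get(a, 0) + off == new_to]
```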