Memory Hacking Software

Discussions Regarding Memory Hacking Software

Skip to content

Any help in how to track down a static to this....

Need Help With an Existing Feature in Memory Hacking Software? Ask Here

Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo

Post a reply

Any help in how to track down a static to this....

Postby Malakai » Tue Jul 14, 2009 8:11 am

Code: Select all
.text:10309D00
.text:10309D00 ; =============== S U B R O U T I N E =======================================
.text:10309D00
.text:10309D00 ; This function updates X/Z/Y location eventually.
.text:10309D00
.text:10309D00 UpdateLocation  proc near               ; CODE XREF: .text:102FCDBFp
.text:10309D00                                         ; .text:10314B8Fp
.text:10309D00
.text:10309D00 var_C           = dword ptr -0Ch
.text:10309D00 var_8           = dword ptr -8
.text:10309D00 var_4           = dword ptr -4
.text:10309D00 arg_0           = dword ptr  4
.text:10309D00 arg_4           = dword ptr  8
.text:10309D00 arg_8           = byte ptr  0Ch
.text:10309D00
.text:10309D00                 sub     esp, 0Ch
.text:10309D03                 cmp     [esp+0Ch+arg_8], 0
.text:10309D08                 push    ebx
.text:10309D09                 mov     ebx, [esp+10h+arg_0] ; ebx contains eventual offset to XZY location
.text:10309D0D                 push    ebp
.text:10309D0E                 mov     ebp, [esp+14h+arg_4]
.text:10309D12                 push    esi
.text:10309D13                 jz      loc_10309E95    ; Jump to location which sets location X,Z,Y values

<snip>

.text:10309E95 ; ---------------------------------------------------------------------------
.text:10309E95
.text:10309E95 loc_10309E95:                           ; CODE XREF: UpdateLocation+13j
.text:10309E95                 mov     eax, [edi]
.text:10309E97                 mov     edx, [eax+0Ch]
.text:10309E9A                 push    ebp
.text:10309E9B                 mov     ecx, edi
.text:10309E9D                 call    edx
.text:10309E9F                 test    al, al
.text:10309EA1                 jz      loc_1030A04E
.text:10309EA7                 test    byte ptr [edi+48h], 1
.text:10309EAB                 mov     [esp+18h+arg_8], 0
.text:10309EB0                 mov     byte ptr [esp+18h+arg_4], 0
.text:10309EB5                 jz      loc_10309F53
.text:10309EBB                 mov     eax, [ebx+0Ch]  ; eax+14h is offset to eventual XZY
.text:10309EBE                 movss   xmm0, dword_10BBB458 ; 0x37800000h
.text:10309EC6                 cvtsi2ss xmm1, dword ptr [eax+14h]
.text:10309ECB                 lea     esi, [eax+14h]  ; esi contains pointer to base value used for XZY
.text:10309ECE                 mulss   xmm1, xmm0
.text:10309ED2                 movss   [esp+18h+var_C], xmm1
.text:10309ED8                 cvtsi2ss xmm1, dword ptr [esi+4]
.text:10309EDD                 mulss   xmm1, xmm0
.text:10309EE1                 movss   [esp+18h+var_8], xmm1
.text:10309EE7                 cvtsi2ss xmm1, dword ptr [esi+8]
.text:10309EEC                 mulss   xmm1, xmm0
.text:10309EF0                 lea     edx, [esp+18h+var_C]
.text:10309EF4                 mov     ecx, edi
.text:10309EF6                 movss   [esp+18h+var_4], xmm1
.text:10309EFC                 call    sub_10309940
.text:10309F01                 test    al, al
.text:10309F03                 jz      short loc_10309F53
.text:10309F05                 cvtsi2ss xmm1, dword ptr [esi] ; Convert signed double word int to single precision float
.text:10309F09                 movss   xmm0, dword_10BBB458 ; 0x37800000h
.text:10309F11                 mulss   xmm1, xmm0      ; multiply
.text:10309F15                 movss   [esp+18h+var_C], xmm1
.text:10309F1B                 cvtsi2ss xmm1, dword ptr [esi+4]
.text:10309F20                 mov     eax, [esp+18h+var_C] ; X Axis
.text:10309F24                 mulss   xmm1, xmm0
.text:10309F28                 movss   [esp+18h+var_8], xmm1
.text:10309F2E                 cvtsi2ss xmm1, dword ptr [esi+8]
.text:10309F33                 mov     ecx, [esp+18h+var_8] ; Z Axis
.text:10309F37                 mulss   xmm1, xmm0
.text:10309F3B                 movss   [esp+18h+var_4], xmm1
.text:10309F41                 mov     edx, [esp+18h+var_4]
.text:10309F45                 mov     [edi+5Ch], eax  ; Sets X Axis
.text:10309F48                 mov     [edi+60h], ecx  ; Sets Z Axis
.text:10309F4B                 mov     [esp+18h+arg_8], 1
.text:10309F50                 mov     [edi+64h], edx  ; Sets Y Axis


So the last three lines are what 'writes' to the float's I found for x/y/z in game.

I started working back from there, but I'm unsure at a couple of points. First off, I'm not sure why the 'original' values of the location get multiplied by these type of lines:

Code: Select all
.text:10309F09                 movss   xmm0, dword_10BBB458 ; 0x37800000h
.text:10309F11                 mulss   xmm1, xmm0      ; multiply


I tried to put a break point on thee actual function, in hopes I could see what called it and what set ESP, but it nver seemed to fire.

Anyone notice anything about this code that makes you say "ahh, that's a hash table and you need to figure out blah blah blah to get to a point where it's a static" or something like that?
Malakai
I Have A Few Questions
 
Posts: 4
Joined: Tue Jul 14, 2009 7:55 am
Top

Postby L. Spiro » Tue Jul 14, 2009 10:42 am

ESP is not explicitly set; you can not breakpoint it. It is the stack pointer.


Read up via Google on this key word.


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
Top

Postby Malakai » Tue Jul 14, 2009 12:16 pm

Right, I forgot ESP was _that_ reg. I didn't want to break on 'ESP', I realize how futile that would be. I wanted to initially just break on Execute access to this function, but it never seemed to get called. Maybe because of the way I attached to the process. Not sure.

Knowing that this game client is an ugly union of Java and C++, chances are the stack is huge. I guess, each instance of an object is going to push it's private variables ( and non-constant static vars) onto the stack?

So if I know the Z-Axis value initially comes from "[esp+18h+var_8]" is there a trick to finding out what wrote the value at that location in the stack? At runtime, can I simply take the address of that pointer and put it into autohack and break on writes to it?

Thanks for any help,

-mal
Malakai
I Have A Few Questions
 
Posts: 4
Joined: Tue Jul 14, 2009 7:55 am
Top

Postby L. Spiro » Tue Jul 14, 2009 12:38 pm

Yes. Step out of the function and see what called it (which would be the function that put the parameters onto the stack).

If the game utilizes Java so much I would not recommend trying to find any static pointers.
Rather, do not count on finding any. Java virtual memory is another layer of virtual memory over the Windows virtual memory and without reversing the entire Java executable environment you are unlikely to be able to follow any of its pointers to meaningful data locations (and may require parsing strings to do so anyway, though luckily MHS can do this via scripts).

If you can not get it to break on that function, ensure the Debugger is attached, the function is being called, and that you are not using the Auto-Hack or Code Filter, as per the warnings provided in the help file.


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
Top
Post a reply

Return to Help

Who is online

Users browsing this forum: No registered users and 0 guests

Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
cron