Need some help stack tracing

Need Help With an Existing Feature in Memory Hacking Software? Ask Here

Postby BadGuy » Sat Mar 06, 2010 9:20 pm

Hey guys,

I'm trying to cheat on this game (duh), which is quite simple, but it's fun to mess around with. It has several resources (gold, wood, crystal) which are pretty easy to find (all Longs, so generally 2/3 searches are enough to find the addresses). Obviously though, since it's a relatively new game, it's DMA, so I'm trying to get the dynamic addresses through code injection. The thing is, though: all resources use the same methods/functions to access the values. Which wouldn't be much of a problem usually if it was something similar to (EAX+8, EAX+F, etc.), but even the timer that runs through the game accesses the same method. So what I'd like to do is set a breakpoint for a specific call (i.e. set a breakpoint, decrease the gold value, look at the stack trace and find the differences between traces for wood/crystal/time). I'd just like a hint on how I could do this and what to use. I just don't seem able to really even set a breakpoint and have it actually break.

To illustrate my point a bit though here's some info:
Gold (0835AF08)
Address  | OpCode  | Disassembly                | Hits
004117E6 | 8948 08 | MOV DWORD PTR [EAX+8], ECX | 8
00411936 | 8948 08 | MOV DWORD PTR [EAX+8], ECX | 7
00411649 | 894E 08 | MOV DWORD PTR [ESI+8], ECX | 1

Wood (0835AF18)
Address  | OpCode  | Disassembly                | Hits
004117E6 | 8948 08 | MOV DWORD PTR [EAX+8], ECX | 8
00411936 | 8948 08 | MOV DWORD PTR [EAX+8], ECX | 2
00411649 | 894E 08 | MOV DWORD PTR [ESI+8], ECX | 1
BadGuy
I Have A Few Questions
 
Posts: 4
Joined: Sat Mar 06, 2010 9:10 pm

Re: Need some help stack tracing

Postby L. Spiro » Sun Mar 07, 2010 12:43 pm

If the game has anti-debugging protections you cannot attach the debugger.

Otherwise right-click your address in the main list and “Find What Accesses This Address”.
Use the Auto-Hack.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: Need some help stack tracing

Postby BadGuy » Sun Mar 07, 2010 8:13 pm

Well I'm being allowed to run MHS' debugger which is why I can see what accesses/writes the wood/gold/etc values. It seems to all be the same function at the same address though:

(this is the function)
004117E2 | 8B4C24 18 | MOV ECX, DWORD PTR [ESP+18]
004117E6 | 8948 08 | MOV DWORD PTR [EAX+8], ECX
004117E9 | 5F | POP EDI
004117EA | 5E | POP ESI
004117EB | 5D | POP EBP
004117EC | 5B | POP EBX
004117ED | 83C4 10 | ADD ESP, 10
004117F0 | C3 | RETN

So what I'm guessing is: the app keeps the value somewhere, then reads it, does something, the result is stored in [ESP+18], and this function is called. If I try and do as you suggested (watching the 004117E2 address), it doesn't really give me anything. I see there's a 'stack' tab, but for some reason I can't get the application to break when I set any type of breakpoint on that address. I'm pretty sure this function gets called all the time as well.

I'd like to know what the best approach is for training in this case.

Re: Need some help stack tracing

Postby L. Spiro » Sun Mar 07, 2010 11:00 pm

If you found the function via Auto-Hack then you need to turn off Auto-Hack before you can trigger your own breakpoints.

What you have encountered is most likely a script system.
There is one function assigned for every type of data the script supports. That means one for doubles, one for floats, one for unsigned longs, and more.
In a complicated script, there will not be a flag saying which value is being read, so backtracing for a hint will be pointless.
In a simple script system, a flag may be assigned for each value the function can read (but this would be a pointless mechanism from the standpoint of the programmers who made the game and it is unlikely what they did, since a “flag” could just be an offset and over 5 times as fast).

The best way to defeat this is to create a Complex Address that describes the location of the value at all times, convert it to an ASM routine that can be executed from within the game at any time, and then compare the address being read in that function to the address of your ASM Complex Address.

But then if you are unable to create the Complex Address then this will not help you.

So your options are:
#1: Create the Complex Address manually via searching (plenty of tutorials on this site).
#2: Step up through the functions looking for some flag that might tell you which address is being read.


To be frank, the “right” way to get an address of something is by following pointers, not by hooking a function and grabbing one of its parameters. That is definitely one of the most fail-prone methods there is, and unreliable at best.


L. Spiro
Our songs remind you of songs you’ve never heard.

Re: Need some help stack tracing

Postby BadGuy » Sun Mar 07, 2010 11:23 pm

Isn't following the pointers something that generally doesn't end up well? I.e., usually you can't really find a static to start from. I'll go through some more tutorials on that, thanks for the hints Spiro.

Re: Need some help stack tracing

Postby L. Spiro » Mon Mar 08, 2010 10:47 am

Following pointers is always best unless you simply cannot find a base pointer. Other methods are inferior alternatives.

In your case, if this is a script system, you will have an easier time following 100 pointers back to a base.


L. Spiro
Our songs remind you of songs you’ve never heard.
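As an added example (not code from the thread and not MHS code), here is what the Complex Address L. Spiro recommends in his two posts above actually does: a pointer chain resolved from a static base, written in C over a constructed 64 KiB address space. The base 0x1000, the offsets 0x10 and 0x8, the object addresses and the relocation are all invented sample values; the only tie to the thread is keeping the value at +8 of its object, as the Gold/Wood addresses suggest. It also shows the two failure modes a trainer has to tolerate: a null pointer somewhere in the chain, and an object that has been reallocated, which is exactly where an address grabbed once from a hooked function goes stale while the chain still resolves.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 64 KiB "process" address space; addresses are offsets into it.
 * Added example, not the thread's or MHS's code. */
#define MEM_SIZE 0x10000u
static uint8_t g_mem[MEM_SIZE];

/* Bounds-checked 32-bit access. A real resolver would wrap ReadProcessMemory
 * with the same failure handling instead of indexing an array. */
static bool read32(uint32_t addr, uint32_t *out)
{
    if (addr > MEM_SIZE - 4) return false;
    memcpy(out, &g_mem[addr], 4);          /* little-endian host assumed */
    return true;
}
static bool write32(uint32_t addr, uint32_t v)
{
    if (addr > MEM_SIZE - 4) return false;
    memcpy(&g_mem[addr], &v, 4);
    return true;
}

/* Complex Address semantics: addr = base; for each offset: addr = [addr] + off.
 * Returns false on a null or unreadable pointer instead of faulting; that is
 * the "object not allocated yet" case every pointer-based trainer hits. */
bool resolve_chain(uint32_t base, const uint32_t *offs, size_t n, uint32_t *final_addr)
{
    uint32_t addr = base;
    for (size_t i = 0; i < n; i++) {
        uint32_t p;
        if (!read32(addr, &p) || p == 0) return false;
        addr = p + offs[i];
    }
    *final_addr = addr;
    return true;
}

/* Constructed layout (all values invented):
 *   static 0x1000 -> game object at 0x2000
 *   game+0x10     -> resource array (address passed in)
 *   array+0x8     -> gold value (the "+8" seen in the thread) */
bool build_sample_memory(uint32_t array_addr, uint32_t gold_value)
{
    memset(g_mem, 0, sizeof g_mem);
    return write32(0x1000, 0x2000)
        && write32(0x2010, array_addr)
        && write32(array_addr + 0x8, gold_value);
}

/* Simulates the game reallocating its resource array (the DMA the thread is
 * about): the 16-byte object moves, the old storage is freed, the pointer
 * into it is updated. A cached address keeps pointing at the freed copy. */
bool relocate_array(uint32_t from, uint32_t to)
{
    if (from > MEM_SIZE - 0x10 || to > MEM_SIZE - 0x10) return false;
    memcpy(&g_mem[to], &g_mem[from], 0x10);
    memset(&g_mem[from], 0, 0x10);
    return write32(0x2010, to);
}

/* Reads gold through the chain [[0x1000]+0x10]+0x8; false if unresolved. */
bool read_gold(uint32_t *value)
{
    const uint32_t offs[] = { 0x10, 0x8 };
    uint32_t addr;
    if (!resolve_chain(0x1000, offs, 2, &addr)) return false;
    return read32(addr, value);
}

int main(void)
{
    uint32_t v = 0, stale = 0;
    build_sample_memory(0x3000, 500);
    printf("gold via chain: %u\n", read_gold(&v) ? v : 0);
    relocate_array(0x3000, 0x5000);             /* object moves */
    read32(0x3008, &stale);                     /* old address now reads 0 */
    printf("after relocation: chain=%u, cached address=%u\n",
           read_gold(&v) ? v : 0, stale);
    write32(0x2010, 0);                         /* object not allocated */
    printf("null in chain resolves: %s\n", read_gold(&v) ? "yes" : "no");
    return 0;
}
```

The last step is the part worth copying into a real trainer: `read_gold` reports failure rather than dereferencing a null or out-of-range pointer, so a tick that runs before the game has created its objects is harmless.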

Re: Need some help stack tracing

Postby BadGuy » Mon Mar 08, 2010 11:50 pm

L. Spiro wrote: Following pointers is always best unless you simply cannot find a base pointer. Other methods are inferior alternatives.

In your case, if this is a script system, you will have an easier time following 100 pointers back to a base.

L. Spiro

Seems in this case the base pointer can't be found. I did find a looping system though (i.e. go through property a-z and update them); it uses the obvious flags and jnz's to loop/break. It's a bit too much for me to figure out right now though:


Code:
00442D81 | 8B0D 94394500   | MOV     ECX, DWORD PTR [453994]       | (move [453994] (A984E40) to ECX)
00442D87 | 56              | PUSH    ESI                           | (Push ESI (87ABE38)  onto the stack)
00442D88 | 89B1 04040000   | MOV     DWORD PTR [ECX+404], ESI      | (Move ESI (87ABE38) to A984E40+404 )
00442D8E | 0FBF56 02       | MOVSX   EDX, WORD PTR [ESI+2]         |
00442D92 | FF1495 24104500 | CALL    NEAR DWORD PTR [EDX*4+451024] |
00442D99 | 83C4 04         | ADD     ESP, 4                        |


ESI seems to be the main dependency to figure out which type of 'property' requires changing (it does some stuff with ESP and ESI before this piece).

Seems the 'simple game' wasn't really all that simple to hack (I'm sure the veterans would have figured it out by now :) ); too many OO languages make ASM hard on the eyes and mind :)

Re: Need some help stack tracing

Postby L. Spiro » Tue Mar 09, 2010 10:44 am

There is an array of function pointers starting at 0x00451024 (static address), each accepting one parameter (ESI) and using the __cdecl calling convention.

If you know ESI, you can find the index of the function to be called by adding 2 to it and reading the resulting address (beyond simple when using Complex Addresses).


All you need is to know the index of the function you want to call and you can get its address directly and call it.


L. Spiro
Our songs remind you of songs you’ve never heard.
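To make BadGuy's listing and L. Spiro's reading of it concrete, here is an added C reconstruction (not the game's code and not MHS code) of the pattern MOVSX EDX, WORD PTR [ESI+2] / CALL NEAR DWORD PTR [EDX*4+451024]: an object carrying a signed 16-bit type tag at +2, and a table of __cdecl handlers indexed by that tag. The struct layout, the two handler bodies and the update loop are assumptions; the value at +8 is chosen to match the MOV DWORD PTR [EAX+8], ECX store and the 0x10 spacing of the Gold and Wood addresses. It shows why one store instruction is hit for every resource and the timer alike, that telling them apart means filtering hits by the object address in the register rather than by code address (the comparison L. Spiro proposes), and the bounds check the original indirect call does not have.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added reconstruction, not the game's or MHS's code. Object layout, handler
 * bodies and the update loop are assumptions consistent with the thread. */
typedef struct game_object {
    uint16_t kind;      /* +0  unknown; assumed */
    int16_t  type_tag;  /* +2  index into the handler table (MOVSX => signed) */
    uint32_t pad;       /* +4  unknown; assumed */
    uint32_t value;     /* +8  the DWORD written by MOV DWORD PTR [EAX+8], ECX */
} game_object_t;

typedef void (*handler_fn)(game_object_t *obj);

/* One generic store shared by every property: the reason a single breakpoint
 * address fires for gold, wood, crystal and the timer. g_last_stored stands in
 * for reading EAX when the breakpoint hits. */
static const game_object_t *g_last_stored;
static int g_store_hits;

void reset_hits(void)       { g_store_hits = 0; g_last_stored = NULL; }
int  total_store_hits(void) { return g_store_hits; }

static void store_value(game_object_t *obj, uint32_t v)
{
    obj->value = v;            /* the instruction at 004117E6 in the thread */
    g_last_stored = obj;
    g_store_hits++;
}

/* Assumed handlers: tag 0 rewrites a resource unchanged, tag 1 ticks a timer. */
static void handle_resource(game_object_t *obj) { store_value(obj, obj->value); }
static void handle_timer(game_object_t *obj)    { store_value(obj, obj->value + 1); }

/* Stands in for the table at 0x00451024; two assumed entries. */
static const handler_fn g_handlers[] = { handle_resource, handle_timer };
#define HANDLER_COUNT (sizeof g_handlers / sizeof g_handlers[0])

/* CALL NEAR DWORD PTR [EDX*4+451024], plus the bounds check the game lacks:
 * the tag is sign-extended, so a negative tag would index before the table.
 * Returns the tag dispatched, or -1 if it lies outside the table. */
int dispatch(game_object_t *obj)
{
    int16_t tag = obj->type_tag;                 /* MOVSX EDX, WORD PTR [ESI+2] */
    if (tag < 0 || (size_t)tag >= HANDLER_COUNT)
        return -1;
    g_handlers[tag](obj);                        /* __cdecl: caller does ADD ESP, 4 */
    return tag;
}

/* The "go through property a-z and update them" loop. Returns how many stores
 * touched `watched`: filtering by object address, as L. Spiro suggests, since
 * the code address is the same for every property. */
int run_tick(game_object_t *objs, size_t n, const game_object_t *watched)
{
    int hits_on_watched = 0;
    for (size_t i = 0; i < n; i++) {
        if (dispatch(&objs[i]) < 0)
            continue;
        if (g_last_stored == watched)
            hits_on_watched++;
    }
    return hits_on_watched;
}

int main(void)
{
    /* Constructed sample objects: two resources and one timer. */
    game_object_t objs[3] = {
        { 0, 0, 0, 100 },   /* gold  */
        { 0, 0, 0, 50  },   /* wood  */
        { 0, 1, 0, 7   },   /* timer */
    };
    reset_hits();
    int gold_hits = run_tick(objs, 3, &objs[0]);
    printf("store hits total=%d, on gold=%d, timer now=%u\n",
           total_store_hits(), gold_hits, objs[2].value);
    return 0;
}
```

One tick stores to all three objects through the same `store_value`, so a breakpoint on that one line counts three hits; only comparing the object pointer singles out gold. The `-1` path is the safety the reversed code lacks, and it is why a trainer that calls into such a table must validate the index it computes from the object before using it.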

