BioShock...Pointer Problem

Postby LykanthricAura » Wed Dec 01, 2010 12:54 pm

I tried doing a simple pointer search... the value changed every time you get/buy some more ammo or, of course, restart the game.

Now I first tried doing simple pointer searches from the address I had found. Here's a Screenie of how I went about it. By the 2nd pointer... or even the third... I was ok, but by the 4th... the "distance" was above 1000. I don't remember it for the 3rd, but that was pretty high too. And I wasn't getting to any static addresses nearby. Not sure, but I think the first pointer I found was precise... since in the disassembler... the offset is 4C and the offset of the first pointer is also 4C.


So I tried doing it the disassembler way and got stuck right on the first step. When I found the Ammo address and tried to find the address with "Find out what Accesses this Address", I found what you see in the screenies. Now I don't know which values I must use.


So.... Any idea what I must be doing wrong? Or what must I do to get the right thing?
LykanthricAura
I Ask A Lot Of Questions
 
Posts: 16
Joined: Fri Mar 26, 2010 7:38 pm

Re: BioShock...Pointer Problem

Postby L. Spiro » Wed Dec 01, 2010 6:11 pm

The actual address of your ammo is 0x0F13D06C.

In the very first screenshot you are quite lucky to have a 100% confirmation as to the offset within your player structure that your ammo is.
Furthermore, all of the instructions that manipulate your ammo are intuitive. You have one ADD for adding ammo to your player (when you pick up ammo or reload your clip) and one SUB for removing ammo (when you fire). CMP your ammo against 0 means there is (logically) a branch that is taken when you have no ammo. That is, if you fire and you have ammo, there will be a result. If you do not, nothing will happen.


All of the returns have the same structure offset, which is 0x4C.
The final address is BASE+OFFSET=FINAL.
FINAL = 0F13D06C.
OFFSET = 4C.
BASE = EAX.
Looking at the bottom window we see that EAX is 0x0F13D020.
0F13D020+4C=0F13D06C. It is entirely consistent.

Your start-point Complex Address would become [0F13D020h+4Ch].
This means there is a structure at 0F13D020, and 4C bytes from the start of that structure is the structure member that contains your ammo count.

But since 0F13D020 is not a static address, you must repeat the process from there.
Do so by performing a Pointer Search for exactly 0F13D020. Because every one of your offsets was 4C, the starting point of your structure is well defined and you typically (but not always) will not need to use a Range Search.
Once you have performed a Pointer Search for 0F13D020, you can take any of the returns and repeat the “Find What Accesses This Value” using that address.
Continue the process (disassemble, pointer search, disassemble, pointer search, etc.) until you find a static base.
For each step, keep a temporary copy of your Complex Address and replace each part as you go one level deeper into your search.
That is, my level-0 Complex Address would be:
[0F13D06C]

Then I found that 0F13D020h+4Ch == 0F13D06C, so I replace 0F13D06C with 0F13D020h+4Ch and my level-1 Complex Address becomes:
[0F13D020h+4Ch]

Then I might find that [XXX+65Ch] == 0F13D020h, so my new result would be:
[[XXX+65Ch]+4Ch]


Of course when you enter the Complex Address into the Main Address List you would omit the outside [].


L. Spiro
Our songs remind you of songs you’ve never heard.
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: BioShock...Pointer Problem

Postby LykanthricAura » Thu Dec 02, 2010 11:31 pm

Ok. Ran a search for ammo this time. And the address is 0x0F1FD71AC. Did the "What Access" thing and got the address to be 0x0F1FD160. Did an Exact Pointer search for this and found it on 0x0BB14640. Now I'm doing "What Access" on 0x0BB14640 and I again get a bunch of operations happening.

The details below are in sequence with the operations in the image above.

----------------------------------------------------------------------------
Address: 10C77055
EAX (after): 00000000   ESP (after): 0033BEB4
ECX (after): 0F1FD160   EBP (after): 0033C398
EDX (after): 0BB14640   ESI (after): 00000077
EBX (after): 04E80A80   EDI (after): 02EC8400


Move [EDX] (F1FD160h) to ECX

------------------------------------------------
Address: 10C78907
EAX (after): 0F1FD160   ESP (after): 0033E350
ECX (after): 00000000   EBP (after): 00000001
EDX (after): 00000000   ESI (after): 04DC5400
EBX (after): 00000001   EDI (after): 0BB14600


Move [EAX] (1106D70Ch) to EAX

------------------------------------------------
Address: 10C78989
EAX (after): 0F1FD160   ESP (after): 0033E350
ECX (after): 0BC17A80   EBP (after): 00000000
EDX (after): 00000001   ESI (after): 00000001
EBX (after): 00000001   EDI (after): 0BB14600


Move [EDI+ESI*4+3C] (F1FD160h) to EAX

------------------------------------------------
Address: 10C789BB
EAX (after): 0F1FD160   ESP (after): 0033E350
ECX (after): 0F1FD160   EBP (after): 00000000
EDX (after): 00000001   ESI (after): 00000001
EBX (after): 00000000   EDI (after): 0BB14600


Move [EDI+ESI*4+3C] (F1FD160h) to ECX

------------------------------------------------
Address: 10C789E5
EAX (after): 00000000   ESP (after): 0033E350
ECX (after): 0033E370   EBP (after): 00000000
EDX (after): 0F1FD160   ESI (after): 00000001
EBX (after): 00000000   EDI (after): 0BB14600


Move [EDI+ESI*4+3C] (F1FD160h) to EDX

----------------------------------------------------------------------------

So you see.... My problem is that I don't understand all this assembly language thing very well. So I don't know which address amongst all these to take up next to run the pointer search.

Re: BioShock...Pointer Problem

Postby LykanthricAura » Sat Dec 04, 2010 12:03 pm

Bump.

Re: BioShock...Pointer Problem

Postby L. Spiro » Sat Dec 04, 2010 3:48 pm

Very first entry says that EDX == 0x0BB14640. Meaning EDX already holds the pointer to your next level.
Look at the ASM and see how EDX became 0BB14640 before the code at address 10C77055.



Re: BioShock...Pointer Problem

Postby LykanthricAura » Fri Dec 24, 2010 9:21 pm

Very noob question. But...
What is the difference when you write 03A46D70h and 0x03A46D70?

Is 03A46D70h a value and 0x03A46D70 an address?

And if yes...

What would this mean?

Move [EDX+EAX] (6C110026h) to EAX

Lol...I found a game which keeps looping me. The Sims 3.

Suppose the required value was found at Address A.
I run a pointer search for Addy A and get B. Then repeat and get Addy C.
I repeat for Addy C and get back to Addy B.

Re: BioShock...Pointer Problem

Postby L. Spiro » Fri Dec 24, 2010 9:25 pm

They are exactly the same thing written in two different formats.
MHS recognizes both formats for ease of use.

Handle looping pointers by using scripts that go over each pointer (until the first pointer is reached again) and check for a name or ID that indicates which player is yours.
Script Address can do this.


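Added example, not code from this thread or from MHS: a small Python resolver for the Complex Address notation used above ([[XXX+65Ch]+4Ch], accepting both the 03A46D70h and 0x03A46D70 spellings, since they are the same number), evaluated against a constructed 32-bit little-endian memory image, plus the looping-pointer case from the Sims 3 question: a walk over a ring of structures that stops once it returns to the first node and picks the node by ID. The module base XXX, the structure layout (next pointer at +0, ID at +4, ammo at +4Ch), and every address and value are assumptions for the demo, not taken from either game.

```python
import re
import struct

# Constructed little-endian 32-bit memory image (not real game memory).
# It stands in for the process memory MHS reads.
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x1000
memory = bytearray(IMAGE_SIZE)


def write32(addr, value):
    struct.pack_into("<I", memory, addr - IMAGE_BASE, value & 0xFFFFFFFF)


def read32(addr):
    """Dereference a 32-bit value, refusing reads outside the image."""
    off = addr - IMAGE_BASE
    if not 0 <= off <= IMAGE_SIZE - 4:
        raise ValueError(f"read outside image: {addr:#010x}")
    return struct.unpack_from("<I", memory, off)[0]


# Hypothetical layout: a static pointer at MODULE+65Ch points to the first of
# three player structures linked in a ring (next at +0, ID at +4, ammo at +4Ch).
MODULE = IMAGE_BASE                      # plays the role of "XXX" in the post
PLAYERS = [0x00400800, 0x00400900, 0x00400A00]
for i, base in enumerate(PLAYERS):
    write32(base + 0x00, PLAYERS[(i + 1) % len(PLAYERS)])  # next -> ring
    write32(base + 0x04, 100 + i)                           # player ID
    write32(base + 0x4C, (30, 12, 99)[i])                   # ammo count
write32(MODULE + 0x65C, PLAYERS[0])

# Tokens: brackets, '+', 0x-prefixed hex, h-suffixed hex, or a symbol name.
TOKEN = re.compile(r"\s*(\[|\]|\+|0x[0-9A-Fa-f]+|[0-9A-Fa-f]+h|[A-Za-z_]\w*)")


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            if text[pos:].strip() == "":
                break
            raise ValueError(f"bad character at {pos}: {text[pos]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def resolve(expr, symbols):
    """Evaluate a Complex Address: [x] dereferences, '+' adds, wraps at 32 bits."""
    tokens = tokenize(expr)
    pos = 0

    def term():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        if tok == "[":
            inner = sum_expr()
            if pos >= len(tokens) or tokens[pos] != "]":
                raise ValueError("missing ']'")
            pos += 1
            return read32(inner)
        if tok.startswith("0x"):
            return int(tok, 16)
        if re.fullmatch(r"[0-9A-Fa-f]+h", tok):
            return int(tok[:-1], 16)
        if tok in symbols:
            return symbols[tok]
        raise ValueError(f"unknown token {tok!r}")

    def sum_expr():
        nonlocal pos
        total = term()
        while pos < len(tokens) and tokens[pos] == "+":
            pos += 1
            total += term()
        return total & 0xFFFFFFFF

    value = sum_expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return value


def find_player_by_id(first, wanted_id, next_off=0x00, id_off=0x04):
    """Walk the ring from `first` until it wraps around; None if the ID is absent."""
    addr, seen = first, set()
    while addr not in seen:          # stop as soon as a node repeats
        seen.add(addr)
        if read32(addr + id_off) == wanted_id:
            return addr
        addr = read32(addr + next_off)
    return None


def ammo_of_player(wanted_id, symbols):
    """Follow the static pointer, then pick our own structure out of the ring."""
    player = find_player_by_id(resolve("[XXX+65Ch]", symbols), wanted_id)
    return None if player is None else read32(player + 0x4C)


if __name__ == "__main__":
    syms = {"XXX": MODULE}
    print(resolve("[[XXX+65Ch]+4Ch]", syms))             # ammo via the full chain
    print(f"{resolve('[XXX+65Ch]+4Ch', syms):#010x}")    # form for the Main Address List
    print(ammo_of_player(102, syms))                      # third structure in the ring
```

Leaving off the outer brackets, as the post says to do for the Main Address List, makes resolve() return the address of the ammo member instead of its value. The ring walk keeps a set of visited nodes rather than only comparing against the start, so a list that loops back to its second element (B -> C -> B, as described for The Sims 3) also terminates.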
