Complex Address: How you make it ?

Technical Discussions not Related Directly to MHS. For Example, Coding, Hex Editing, General Hacking, Etc.

Moderators: g3nuin3, SpeedWing, WhiteHat

Postby WhiteHat » Tue May 20, 2008 1:55 pm

As far as I can tell, there are various methods to obtain a complex address...

So far, I only know one method to obtain them: using MHS Pointer Search
combined with AutoHack. It has not always been successful anyway... even
I have often failed to obtain the complex address by doing so...

If any of you guys/girls have a specific method, please feel free to share it here...

Many thanks and appreciation in advance...

:)
.. to boldly go where no eagle has gone before...
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby mezzo » Tue May 20, 2008 7:40 pm

Complex addresses are great, but when it's too much trouble to figure
out the entire pointer path, there are other methods of finding what you want.

Let's assume that we want to know the location of money in neverwinter2.
We did the initial search, we found the money, we did a pointer search
and we got thousands of results. We did a "find what writes" and found
an instruction that changes our money. We already tried analysing the
ASM instruction to determine how the pointer/address is built up, but for
whatever reason it's far too complex to waste all this time on...
Sounds familiar? :-)

So what can we do to bypass all this searching for the complex address?
One answer... a breakpoint script.

Most likely, when you used "find what writes/reads/accesses", you ended up looking at a "MOV somelocation, somevalue".

Okay, looks like we have everything we want, no?
We know that if we force the game to trigger this instruction, the money location will be in a register, or at least somewhere we can use it.

Let's say, for instance (just sucking this example out of my thumb here; don't shoot me if it's not 100% accurate):

0040653204: MOV [ECX+0x64], amount_of_money_after_buying_stuff

Okay, so we need a breakpoint on this instruction.
We need a breakpoint script to read out ECX and add 0x64 to it.
When we have done that, we know the location of the money.
Every time this breakpoint script fires, it will renew the location, so we always know where the money is.

Code:
/////////////////////////////////////////////////////////////////////////////////////////////
// BREAKPOINT #1
/////////////////////////////////////////////////////////////////////////////////////////////
// Fires on the "MOV [ECX+0x64], ..." instruction above. DEBUG is a global
// flag declared elsewhere in the script.
void ON_BP_1( LPVOID lpvAddress, LPPROC_INFO_MHS lpProcInfo ) {
    if ( DEBUG ) PrintF( "DEBUG: Breakpoint hit at 0x%08X.", (DWORD)lpvAddress );

    // When the instruction executes, ECX holds the base pointer and the
    // money sits at ECX + 0x64.
    DWORD bp_ptr = lpProcInfo->pcContext->Ecx;
    PrintF( "Money is at [0x%08X+0x64] or [0x%08X]", (DWORD)bp_ptr, (DWORD)(bp_ptr + 0x64) );
}


Some other breakpoint scripts I found on my work PC...
Apparently they are meant for unlimited ammo and 'no cost buying'
(all in nwn2).

Code:
// fix_ammo, fix_money, bp_money, money_flag and DEBUG are globals declared
// elsewhere in the script.
VOID On_BP_4( LPVOID lpvAddress, LPPROC_INFO_MHS lpProcInfo ) {
    if ( fix_ammo ) {
        // EAX holds the ammo count at this instruction; bump it and write
        // the modified register back into the game.
        DWORD ammo = lpProcInfo->pcContext->Eax;
        ammo++;
        lpProcInfo->pcContext->Eax = ammo;
        lpProcInfo->bSetContext = TRUE;
        PrintF( "Increase ammo to %d", ammo );
    }
    if ( DEBUG ) PrintF( "DEBUG: Breakpoint hit at 0x%08X.", (DWORD)lpvAddress );
}
/////////////////////////////////////////////////////////////////////////////////////////////
VOID On_BP_5( LPVOID lpvAddress, LPPROC_INFO_MHS lpProcInfo ) {
    if ( fix_money ) {
        // EDI is the base pointer; the money lives at EDI + 0xDC4.
        // The MHS extern maps moneyptr onto that address in the game.
        bp_money = lpProcInfo->pcContext->Edi;
        extern DWORD moneyptr = {"", bp_money + 0xDC4};

        // The game has already subtracted the cost (EBX) from the money
        // (EAX); add it back so the purchase costs nothing.
        DWORD cost = lpProcInfo->pcContext->Ebx;
        DWORD money = lpProcInfo->pcContext->Eax;
        DWORD original = cost + money;

        lpProcInfo->pcContext->Eax = original;
        lpProcInfo->bSetContext = TRUE;
        PrintF( "Added 0x%X to 0x%X to make 0x%X", cost, money, original );
        PrintF( "Added %d to %d to make %d", cost, money, original );
        PrintF( "Money is at [0x%08X+0xDC4] or 0x%08X", (DWORD)bp_money, (DWORD)(bp_money + 0xDC4) );
        money_flag = true;
    }
    if ( DEBUG ) PrintF( "DEBUG: Breakpoint hit at 0x%08X.", (DWORD)lpvAddress );
}


Hope this gives you some ideas to play with..
Last edited by mezzo on Tue May 20, 2008 10:22 pm, edited 1 time in total.
- No thanks, I already have a penguin -
mezzo
El Mariachi
 
Posts: 739
Joined: Mon Apr 30, 2007 10:27 pm
Location: Antwerp
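
Added example, not code from the thread or from MHS: the step mezzo does by hand above (look at the MOV, see that the destination is [ECX+0x64], read ECX out of the context and add 0x64) can be automated by decoding the instruction's memory operand from the bytes at the breakpoint address. The C below decodes a 32-bit x86 ModRM/SIB/displacement operand against a captured register set and returns the address the instruction writes. It goes a little beyond the post's single case: it also handles a disp32 form like [EDI+0xDC4] (the On_BP_5 layout), a stack write through a SIB byte ([ESP+0x10]), a scaled index ([ESI+ECX*4]), a static [disp32] destination that needs no pointer chase at all, and a register-only or truncated operand that must be rejected rather than turned into a bogus address. The Regs32 struct, the sample register values and the instruction bytes are all constructed for this example; on a real target they would come from the debugger's CONTEXT and from the code at lpvAddress. Instruction prefixes (0x66, segment overrides) are out of scope.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the debugger's register context (x86-32). */
typedef struct { uint32_t Eax, Ecx, Edx, Ebx, Esp, Ebp, Esi, Edi; } Regs32;

/* General register by its 3-bit ModRM/SIB encoding: 0=EAX 1=ECX ... 7=EDI. */
static uint32_t reg32(const Regs32 *r, unsigned i) {
    const uint32_t v[8] = { r->Eax, r->Ecx, r->Edx, r->Ebx, r->Esp, r->Ebp, r->Esi, r->Edi };
    return v[i & 7];
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the ModRM [+SIB] [+disp] operand at p (len bytes available) with the
 * registers captured at the breakpoint. Returns the operand length and stores
 * the effective address in *ea; 0 if the operand is a register (mod == 3),
 * -1 if the bytes are truncated. */
int decode_mem_operand(const uint8_t *p, size_t len, const Regs32 *r, uint32_t *ea) {
    if (len < 1) return -1;
    unsigned mod = p[0] >> 6, rm = p[0] & 7;
    if (mod == 3) return 0;
    size_t n = 1;
    uint32_t base = 0, index = 0, disp = 0;
    int has_base = 1;
    if (rm == 4) {                                   /* rm=100: SIB byte follows */
        if (len < 2) return -1;
        unsigned sib = p[1], scale = sib >> 6, idx = (sib >> 3) & 7, bs = sib & 7;
        n = 2;
        if (idx != 4) index = reg32(r, idx) << scale;   /* idx=100 means "no index" */
        if (bs == 5 && mod == 0) has_base = 0;          /* [index*scale + disp32]   */
        else base = reg32(r, bs);
    } else if (rm == 5 && mod == 0) {
        has_base = 0;                                /* [disp32]: static address */
    } else {
        base = reg32(r, rm);
    }
    if (mod == 1) {                                  /* sign-extended disp8 */
        if (len < n + 1) return -1;
        disp = (uint32_t)(int8_t)p[n]; n += 1;
    } else if (mod == 2 || !has_base) {              /* disp32 */
        if (len < n + 4) return -1;
        disp = le32(p + n); n += 4;
    }
    *ea = base + index + disp;
    return (int)n;
}

/* Address written by the instruction at the breakpoint, or 0 if it is not one
 * of the memory-destination forms "find what writes" usually lands on:
 * 89 MOV r/m32,r32   C7 MOV r/m32,imm32   01 ADD / 29 SUB r/m32,r32
 * 81/83 group 1 r/m32,imm (except /7 CMP)   FF /0 INC, /1 DEC r/m32. */
uint32_t written_address(const uint8_t *insn, size_t len, const Regs32 *r) {
    static const uint8_t write_opcodes[] = { 0x89, 0xC7, 0x01, 0x29, 0x81, 0x83, 0xFF };
    if (len < 2 || !memchr(write_opcodes, insn[0], sizeof write_opcodes)) return 0;
    unsigned sub = (insn[1] >> 3) & 7;               /* ModRM.reg selects the group member */
    if (insn[0] == 0xFF && sub > 1) return 0;        /* FF /2../6 are CALL/JMP/PUSH */
    if ((insn[0] == 0x81 || insn[0] == 0x83) && sub == 7) return 0;
    uint32_t ea;
    return decode_mem_operand(insn + 1, len - 1, r, &ea) > 0 ? ea : 0;
}

/* Constructed sample context: registers as they would be at the breakpoint. */
static const Regs32 ctx = { 0x000003E8, 0x0A3F1000, 0, 0, 0x0012FF00, 0, 0x00500000, 0x02C00000 };

uint32_t money_via_ecx(void) {      /* 89 41 64: MOV [ECX+0x64], EAX           */
    static const uint8_t code[] = { 0x89, 0x41, 0x64 };
    return written_address(code, sizeof code, &ctx);
}
uint32_t money_via_edi(void) {      /* 89 87 C4 0D 00 00: MOV [EDI+0xDC4], EAX */
    static const uint8_t code[] = { 0x89, 0x87, 0xC4, 0x0D, 0x00, 0x00 };
    return written_address(code, sizeof code, &ctx);
}
uint32_t stack_slot_via_sib(void) { /* 89 44 24 10: MOV [ESP+0x10], EAX        */
    static const uint8_t code[] = { 0x89, 0x44, 0x24, 0x10 };
    return written_address(code, sizeof code, &ctx);
}
uint32_t scaled_index(void) {       /* 89 04 8E: MOV [ESI+ECX*4], EAX, ECX = 3 */
    static const Regs32 slot = { 0, 3, 0, 0, 0, 0, 0x00500000, 0 };
    static const uint8_t code[] = { 0x89, 0x04, 0x8E };
    return written_address(code, sizeof code, &slot);
}
uint32_t static_address(void) {     /* 89 05 10 20 40 00: MOV [0x00402010], EAX */
    static const uint8_t code[] = { 0x89, 0x05, 0x10, 0x20, 0x40, 0x00 };
    return written_address(code, sizeof code, &ctx);
}
uint32_t register_only(void) {      /* 89 C8: MOV EAX, ECX, nothing in memory  */
    static const uint8_t code[] = { 0x89, 0xC8 };
    return written_address(code, sizeof code, &ctx);
}
uint32_t truncated(void) {          /* 89 41: disp8 missing, must be rejected  */
    static const uint8_t code[] = { 0x89, 0x41 };
    return written_address(code, sizeof code, &ctx);
}

int main(void) {
    printf("MOV [ECX+0x64]  writes 0x%08X\n", (unsigned)money_via_ecx());
    printf("MOV [EDI+0xDC4] writes 0x%08X\n", (unsigned)money_via_edi());
    printf("MOV [ESP+0x10]  writes 0x%08X\n", (unsigned)stack_slot_via_sib());
    printf("MOV [ESI+ECX*4] writes 0x%08X\n", (unsigned)scaled_index());
    printf("MOV [disp32]    writes 0x%08X (static, no pointer chase)\n", (unsigned)static_address());
    return 0;
}
```

Once the operand is decoded, the base register and displacement are exactly what the script's PrintF needs, and the [disp32] case tells you up front that the value sits at a static address and no pointer search was necessary. Rejecting register-only and truncated operands matters because a handler that blindly adds a displacement to whatever register it assumes will happily report a valid-looking but wrong address.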

Postby WhiteHat » Tue May 20, 2008 10:02 pm

mezzo wrote:We already tried analysing the
ASM instruction to determine how the pointer/address is built up, but for
whatever reason it's far too complex to waste all this time on...
Sounds familiar? :-)

Ya... Sounds very familiar...
But I forgot where and when I heard that... :oops:

mezzo wrote:...hope this gives you some ideas to play with..

I'm in a dark cave searching for an exit, when I see a dim light in the distance... (how's my English?)
Seriously, I really need to really start my real C studies for real...


Thanks, mezzo...

PS: (edit: my PM replied... thank you!)

