Complex addresses are great, but when it's too much trouble to figure
out the entire pointer path, there are other methods of finding what you want.
Let's assume that we want to know the location of money in neverwinter2.
We did the initial search, we found the money, we did a pointer search
and we got thousands of results. We did a "find what writes" and found
an instruction that changes our money. We already tried by analysing the
ASM instruction to determine how the pointer/address is built up, but for
whatever reason it's far too complex to waste all this time on...
Sounds familiar?
So what can we do to bypass all this searching for the complex address?
One answer... a breakpoint script.
Most likely, when you used "find what writes/reads/accesses", you ended up looking at a "MOV somelocation, somevalue".
Okay, looks like we have everything we want, no?
We know that if we force the game to trigger this instruction, that the money location will be in a register or at least somewhere we can use it.
Let's say for instance (just sucking this example out of my thumb here, don't shoot me if it's not 100% accurate):
0040653204: MOV [EAX+064], amount_of_money_after_buying_stuff
Okay, so we need a breakpoint on this instruction.
We need a breakpoint script to read out ECX and add 0x064 to it.
When we have done that, we know the location of the money.
Every time this breakpoint script fires, it will renew the location, so we always know where the money is.
Code:
// Script global; flip it to TRUE to log every hit.
BOOL DEBUG = FALSE;

/////////////////////////////////////////////////////////////////////////////////////////////
// BREAKPOINT #1
/////////////////////////////////////////////////////////////////////////////////////////////
void ON_BP_1( LPVOID lpvAddress, LPPROC_INFO_MHS lpProcInfo ) {
    if ( DEBUG ) PrintF( "DEBUG: Breakpoint hit at 0x%08X.", (DWORD)lpvAddress );
    // ECX holds the base of the structure the instruction writes to; money sits at +0x64.
    DWORD bp_ptr = lpProcInfo->pcContext->Ecx;
    PrintF( "Money is at [0x%08X+0x64] or [0x%08X]", bp_ptr, bp_ptr + 0x64 );
}
Some other breakpoint scripts I found on my work PC...
apparently they are meant for unlimited ammo and 'no cost buying'
(all in nwn2).
Code:
// Toggles and state shared with the rest of the script (DEBUG is the same global as in the first script).
BOOL fix_ammo = TRUE;
BOOL fix_money = TRUE;
BOOL money_flag = FALSE;
DWORD bp_money = 0;

VOID On_BP_4( LPVOID lpvAddress, LPPROC_INFO_MHS lpProcInfo ) {
    if ( fix_ammo ) {
        // The instruction under this breakpoint stores EAX as the new ammo count,
        // so bump EAX before it executes. Assign the value; "Eax |= ammo" would OR
        // the old and new counts together instead of incrementing.
        DWORD ammo = lpProcInfo->pcContext->Eax;
        ammo++;
        lpProcInfo->pcContext->Eax = ammo;
        lpProcInfo->bSetContext = TRUE;   // tell MHS to write the modified context back
        PrintF( "Increase ammo to %d", ammo );
    }
    if ( DEBUG ) PrintF( "DEBUG: Breakpoint hit at 0x%08X.", (DWORD)lpvAddress );
}
/////////////////////////////////////////////////////////////////////////////////////////////
VOID On_BP_5( LPVOID lpvAddress, LPPROC_INFO_MHS lpProcInfo ) {
    if ( fix_money ) {
        // EDI is the base of the player structure; money lives at EDI+0xDC4.
        bp_money = lpProcInfo->pcContext->Edi;
        // MHS extern syntax: moneyptr becomes an alias for that DWORD inside the game process.
        extern DWORD moneyptr = {"", bp_money + 0xDC4};
        // EBX is the cost that was just subtracted, EAX the money about to be stored.
        DWORD cost = lpProcInfo->pcContext->Ebx;
        DWORD money = lpProcInfo->pcContext->Eax;
        DWORD original = cost + money;
        // Store the pre-purchase amount instead (assign, not |=, for the same reason as above).
        lpProcInfo->pcContext->Eax = original;
        lpProcInfo->bSetContext = TRUE;
        PrintF( "Added 0x%X to 0x%X to make 0x%X", cost, money, original );
        PrintF( "Added %d to %d to make %d", cost, money, original );
        PrintF( "Money is at [0x%08X+0xDC4] or 0x%08X", bp_money, bp_money + 0xDC4 );
        money_flag = TRUE;
    }
    if ( DEBUG ) PrintF( "DEBUG: Breakpoint hit at 0x%08X.", (DWORD)lpvAddress );
}
Hope this gives you some ideas to play with..
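The addressing step the post's scripts do by hand (take the base register from the hit, add the displacement) written out as a general effective-address resolver, so it also covers scaled index registers, negative displacements and 64-bit register contexts. This is an added example, not code from the post or from MHS; the register snapshot is constructed sample data, and it assumes the operand is written disassembler-style with hex displacements (the bare 064 in the post is read as hex, which is what the post's own 0x64 implies).

```python
# Added example, not from the original post: resolve the memory operand of a
# breakpointed instruction to the absolute address it touches, using the register
# context captured when the breakpoint fires. Register values below are
# constructed sample data, not real game memory.
import re

# Accepts "[EAX+064]", "dword ptr [EDI+0xDC4]", "[EBP-10]", "[ESI+ECX*4+8]", "[RDI+0xDC4]".
_OPERAND_RE = re.compile(
    r"^\s*(?:(?:byte|word|dword|qword)\s+ptr\s+)?\[(?P<body>[^\]]+)\]\s*$", re.IGNORECASE
)
# Splits "ESI+ECX*4-8" into signed terms: ["ESI", "+ECX*4", "-8"].
_TERM_RE = re.compile(r"[+-]?[^+-]+")

REGISTERS = {
    "EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP",
    "RAX", "RBX", "RCX", "RDX", "RSI", "RDI", "RBP", "RSP",
    *[f"R{n}" for n in range(8, 16)],
}


def _parse_number(text):
    """Displacements in a disassembly are hex: accept 0x64, 64h and bare 064 alike."""
    t = text.lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if t.endswith("h"):
        return int(t[:-1], 16)
    return int(t, 16)


def parse_operand(operand):
    """Return ([(register, scale, sign), ...], displacement) for a memory operand."""
    m = _OPERAND_RE.match(operand)
    if not m:
        raise ValueError(f"not a memory operand: {operand!r}")
    body = m.group("body").replace(" ", "")
    regs, disp = [], 0
    for term in _TERM_RE.findall(body):
        sign = -1 if term.startswith("-") else 1
        name, _, scale = term.lstrip("+-").partition("*")
        if name.upper() in REGISTERS:
            regs.append((name.upper(), int(scale) if scale else 1, sign))
        elif scale:
            raise ValueError(f"scale on a non-register term: {term!r}")
        else:
            disp += sign * _parse_number(name)
    return regs, disp


def effective_address(operand, ctx, bits=32):
    """base + index*scale + disp, evaluated against a register snapshot and wrapped
    to the register width (so [EAX-0x20] with a small EAX wraps like the CPU does)."""
    regs, disp = parse_operand(operand)
    addr = disp
    for name, scale, sign in regs:
        if name not in ctx:
            raise KeyError(f"register {name} missing from the captured context")
        addr += sign * ctx[name] * scale
    return addr & ((1 << bits) - 1)


# Constructed sample context, as a breakpoint handler would see it (not real game data).
SAMPLE_CTX = {
    "EAX": 0x000003E8, "EBX": 0x00000032, "ECX": 0x0A3F1200, "EDX": 0,
    "ESI": 0x0B000010, "EDI": 0x0C4D0000, "EBP": 0x0019FF40, "ESP": 0x0019FF20,
}

if __name__ == "__main__":
    # The post's two cases plus a scaled-index and a negative-displacement operand.
    for op in ("[ECX+064]", "[EDI+0xDC4]", "[ESI+ECX*4+8]", "[EBP-10]"):
        print(f"{op:18} -> 0x{effective_address(op, SAMPLE_CTX):08X}")
```

Feed it the operand from the disassembly and the register values from the hit and it gives the address to put a watch on; re-running it on every hit is what keeps the location current when the game reallocates the structure. Pass bits=64 for an x64 context, otherwise a negative displacement or a large base will be masked to 32 bits.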