scripted complex address builder + pointer tracer

Postby mezzo » Tue Feb 19, 2008 9:10 pm

Since I don't like attaching debuggers to the online games that I pay for,
I spend a lot of time finding pointers to a variable and then either
putting them in notepad (address of the pointer + offset to the mem location)
and then forcing the pointer to update (i.e. log in again, restart game, etc.).
Most of the time this doesn't work the first time around, and I need to do all
the above again, but find the pointer+offset leading to another pointer+offset leading
to the actual value (i.e. 2 pointers deep).

Since the above is repetitive and tedious and we already have quite a nice lineup of
scripted functions for searching and subsearching, I would like to ask the coders on this
forum to have a small brainstorm on how to best tackle this, so that we can build a
standard set of LSS functions to:

1) do a pointer search
target is the actual value we are trying to build a complex address for
(L.Spiro has already provided an example for this in the help file)
Results would be in the style of:
[some_address]+0xD4
...

2) perform a second pointer search
targets (!) are ALL the pointers found above
If I'm not mistaken, we should have results that look like:
[[some_lower_address]+0x64]+0xD4
...

3) repeat the above steps
until we have pointers that are static in regards
to the main exe or a DLL or until we have gone X levels back.

the above should give a list of complex addresses (and their values, which initially will all be the
value that you began to search for, i.e. amount of gold or whatever.)

Now the hard part...

4) build a search/subsearch routine that will ONLY search in the values returned by the complex addresses we have built,
so that if we logout of the game or die or whatever,
we can subsearch for the new value and after a while end up with the actual complex address that is the one we want.

Ideally those complex addresses that will be used for the 'new search list' should be able to be saved,
so that after a reboot they can be loaded again.


Does this make any sense and if so, who would be interested in helping create something like this ?
(L.Spiro and Shynd, I'm looking at you guys, since you're the C gurus.. but anybody else that has any constructive ideas or feedback, don't hesitate..)
- No thanks, I already have a penguin -
mezzo
El Mariachi
Posts: 739
Joined: Mon Apr 30, 2007 10:27 pm
Location: Antwerp

Postby L. Spiro » Tue Feb 19, 2008 10:33 pm

This is similar to a feature I plan to implement but it may be a while.

It can be done and I would urge someone else to do it as another showcase of what can be done.


L. Spiro
L. Spiro
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby mezzo » Tue Feb 19, 2008 10:44 pm

I'm currently going over your searching/scripting examples from the helpfile.
I will need to do some testing to see what kind of output is generated when doing a script search for pointers (your FindPointer example)..
I gather that I can put that output into an array/hash and reuse that to fuel a new pointer search with as 'search' parameters the addresses in the array/hash.

As I have no idea if anybody else wants to actively help with this and I'm not the greatest coder out there, I'm simply going to work on what I think is the right way to handle it.. I'll just post progress and questions in this thread. Again, if someone has any great ideas or just wants to help out, feel free to post or contribute code.

quick question, is there a way to give MHS a list of addresses to search ? Like loading a searchresult list ? Because that way I can keep using the LSS functions available.. otherwise I think I will have to go linked list and write code to search and order, which I truly hate :)
- No thanks, I already have a penguin -
mezzo
El Mariachi
Posts: 739
Joined: Mon Apr 30, 2007 10:27 pm
Location: Antwerp

Postby mezzo » Wed Feb 20, 2008 6:03 am

@L.Spiro, could you please give me an example of the correct syntax of GetScanValue? I can get my script to do the pointer search,
I get correct results in the window and can use GetScanTotal and so on to make a loop to parse through the results, but I think I'm using the GetScanValue function wrong... (probably the type definition of the parameters..)

void On_HK_9(DWORD dw1, DWORD dw2) {

    DWORD index;
    LPVOID * lppvAddress;
    LPVOID lpvBuffer;

    // hotkeyproc( 9, 0, 0 );

    FindPointer( (LPVOID) 0x05B92250 );

    DWORD results = GetScanTotal();
    PrintF( "You had %d results.", results );

    for (int i = 1; i < results + 1 ; ++i) {
        //PrintF( "Number %d", i );
        index = i;
        GetScanValue( index , lppvAddress, lpvBuffer);
        PrintF( "Index: %d, Address: %u, Value: %u", index, lppvAddress, lpvBuffer);
    }
    GetScanValue( 1 , lppvAddress, lpvBuffer);
}


I admit, I have no idea what LPVOID is, it was a lucky shot that I added it
in front of the parameter to FindPointer :-)
If I run it as is, it does the pointer search just fine, goes into the loop and prints all the indices with address 0, value 0 and then crashes :-)

UPDATE: just found the source of SetResultsTo0() in the helpfile. It is what I needed :D Will continue it from there.
- No thanks, I already have a penguin -
mezzo
El Mariachi
Posts: 739
Joined: Mon Apr 30, 2007 10:27 pm
Location: Antwerp

Postby mezzo » Wed Feb 20, 2008 6:47 am

As usual, the helpfile told me what I needed to know...

BOOL On_HK_9(DWORD dw1, DWORD dw2)
{
    DWORD index;
    LPVOID * lppvAddress;
    LPVOID lpvBuffer;

    hotkeyproc( 9, 0, 0 );
    FindPointer( (LPVOID) 0x05B92250 ); // just static for now

    Clear();
    DWORD dwTotal = GetScanTotal();

    if ( !LockScanForRead() ) { return false; }

    unsigned long money = 0x05B92250;  // just static for now.. :-)

    for ( DWORD I = 0; I < dwTotal; I++ ) {
        LPVOID lpvAddress;
        unsigned long lValue;

        // lValue is the address the found pointer points at, so the offset
        // from it to the target is (money - lValue): [lpvAddress]+offset
        if ( GetScanValue( I, &lpvAddress, &lValue ) ) {
            PrintF( "%.3u: Address: %.8X.  Value: %.8X. Complex Address: [%.8X]+%.4X", I, lpvAddress, lValue, lpvAddress, (money - lValue) );
        }
    }
    PrintF( "Search Results: %d", dwTotal );
    return UnlockScanForRead();
}


1st crack at it.. next up is taking the lpvAddresses and doing yet another pointer search on those... more tomorrow :-) first sleepies
- No thanks, I already have a penguin -
mezzo
El Mariachi
Posts: 739
Joined: Mon Apr 30, 2007 10:27 pm
Location: Antwerp
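The four steps laid out in the opening post (pointer search, a second search whose targets are the found pointers, repeating until a static base, then subsearching only the chains' values) and the "next up" step at the end of the script above, as an added example. This is not MHS/LSS code and not from anyone in the thread: it runs the same procedure in Python over a constructed memory image. The region layout, the pointer values and the gold amounts are made up for the illustration; only the target address 0x05B92250 is borrowed from the script above. It generalizes the two-level case in the post to any depth up to max_depth.

```python
"""Multi-level pointer search, complex-address formatting and chain subsearch
over a constructed memory image (added example, not MHS/LSS code)."""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

PTR = struct.Struct("<I")  # 32-bit little-endian pointers, as in the thread's x86 target

# A snapshot is {region_base: bytearray}. The small region at STATIC_BASE stands
# in for the main exe / a DLL, the only place a chain is allowed to end.
Snapshot = Dict[int, bytearray]
STATIC_BASE, STATIC_SIZE = 0x00400000, 0x100   # constructed layout
HEAP_BASE, HEAP_SIZE = 0x05B90000, 0x3000      # constructed layout
# (static base, offsets): (B, (o1, o2)) is the thread's [[B]+o1]+o2
Chain = Tuple[int, Tuple[int, ...]]

def read_u32(snap: Snapshot, addr: int) -> Optional[int]:
    """Read one dword; None when addr is outside every region (unmapped)."""
    for base, buf in snap.items():
        if base <= addr <= base + len(buf) - 4:
            return PTR.unpack_from(buf, addr - base)[0]
    return None

def write_u32(snap: Snapshot, addr: int, value: int) -> None:
    for base, buf in snap.items():
        if base <= addr <= base + len(buf) - 4:
            PTR.pack_into(buf, addr - base, value)
            return
    raise ValueError(f"0x{addr:08X} is not in the image")

def is_static(addr: int) -> bool:
    return STATIC_BASE <= addr < STATIC_BASE + STATIC_SIZE

def find_pointers(snap: Snapshot, target: int, max_offset: int) -> Iterator[Tuple[int, int]]:
    """Steps 1 and 2: every aligned dword whose value lies within max_offset
    below target. Yields (holder, offset) meaning [holder]+offset == target."""
    lo = target - max_offset
    for base, buf in snap.items():
        for off in range(0, len(buf) - 3, 4):
            value = PTR.unpack_from(buf, off)[0]
            if lo <= value <= target:
                yield base + off, target - value

def build_chains(snap: Snapshot, target: int, max_offset: int = 0x400, max_depth: int = 3) -> List[Chain]:
    """Step 3: re-run the pointer search on every non-static holder until the
    holder is static or max_depth levels have been searched."""
    chains: List[Chain] = []
    def walk(addr: int, offsets: Tuple[int, ...], depth: int) -> None:
        for holder, off in find_pointers(snap, addr, max_offset):
            chain_offsets = (off,) + offsets  # the outermost offset is applied last
            if is_static(holder):
                chains.append((holder, chain_offsets))
            elif depth < max_depth:
                walk(holder, chain_offsets, depth + 1)
    walk(target, (), 1)
    return sorted(set(chains))

def format_chain(chain: Chain) -> str:
    """Render in the thread's notation, e.g. [[0x00400010]+0x64]+0x250."""
    base, offsets = chain
    text = f"0x{base:08X}"
    for off in offsets:
        text = f"[{text}]+0x{off:X}"
    return text

def resolve(snap: Snapshot, chain: Chain) -> Optional[int]:
    """Follow the chain to the address it currently names; None if it dangles."""
    base, offsets = chain
    ptr = base
    for off in offsets:
        value = read_u32(snap, ptr)
        if value is None:
            return None
        ptr = value + off
    return ptr

def subsearch(chains: List[Chain], snap: Snapshot, expected: int) -> List[Chain]:
    """Step 4: after the value changed (relog, death, ...), keep only the chains
    whose resolved address now holds the new value."""
    kept = []
    for chain in chains:
        addr = resolve(snap, chain)
        if addr is not None and read_u32(snap, addr) == expected:
            kept.append(chain)
    return kept

def make_snapshot(player_obj: int, gold: int) -> Snapshot:
    """Constructed image: static slot -> manager struct -> player object -> gold,
    plus an unrelated static slot -> heap struct holding a stale value near the gold."""
    snap: Snapshot = {STATIC_BASE: bytearray(STATIC_SIZE), HEAP_BASE: bytearray(HEAP_SIZE)}
    write_u32(snap, STATIC_BASE + 0x10, 0x05B91000)  # static slot -> manager struct
    write_u32(snap, 0x05B91064, player_obj)          # manager+0x64 -> player object
    write_u32(snap, player_obj + 0x250, gold)        # player+0x250 = gold
    write_u32(snap, STATIC_BASE + 0x20, 0x05B92800)  # static slot -> unrelated struct
    write_u32(snap, 0x05B92800, 0x05B92200)          # stale value just below the old gold address
    return snap

if __name__ == "__main__":
    before = make_snapshot(0x05B92000, 1000)  # gold sits at 0x05B92250, as in the script above
    chains = build_chains(before, 0x05B92250)
    for c in chains:
        print(format_chain(c), "->", hex(resolve(before, c)))
    after = make_snapshot(0x05B92400, 950)    # player object reallocated after a relog
    print("survivors:", [format_chain(c) for c in subsearch(chains, after, 950)])
```

On the first snapshot the search yields two static chains, `[[0x00400010]+0x64]+0x250` (the real one) and `[[0x00400020]+0x0]+0x50` (a heap dword that merely happened to point near the gold). Both resolve to the gold address in that snapshot, which is why the subsearch of step 4 is needed: after the object moves, only the real chain still resolves to a dword holding the new value. The `max_offset` window plays the same role as the maximum offset in the help file's FindPointer example; widening it finds more candidates at the cost of more false chains.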

Postby CodeMaster.Rapture » Mon Mar 17, 2008 10:04 pm

In a couple games I've hacked, I've found that doing a Pointer Trail tracker like this won't work. The problem is the address you're looking for a pointer to may or may not be found by the searcher. Instead, you have to "do it manually" by finding your address, subtract the offset from what accesses/writes it, rinse, and repeat until you find the static pointer. I believe this is what L. Spiro was trying to achieve, but it doesn't always work.

So, I'm curious if there is a way to pull info from the Auto-Hacker and track down the static given a valid address. Here's what I do and want to duplicate via script:

Step 1.) Search for Ammo address
Step 2.) Find what accesses it (Auto-Hack)
Step 3.) Pick one of the instructions (MOV EAX, [EBP+38] for example)
Step 4.) Subtract Offset from my address (0x38 in this case)
Step 5.) Pointer Search for Above Pointer
Step 6.) If it isn't green, Repeat Steps 2-5 until so
Step 7.) Write down my offset trail.

I am also going to try and find the shortest path to my static if possible if there are different offsets found in step 3. I haven't had a chance to work on this idea, but I think it would be a nice addition to anyone's toolbox.

-CMR
CodeMaster.Rapture
Hackleberry Fin
Posts: 20
Joined: Sun Mar 16, 2008 2:15 pm

Postby L. Spiro » Mon Mar 17, 2008 11:27 pm

There is currently no scripted interface with the Auto-Hack feature. It is possible to add and may be in MHS 4.017.


L. Spiro
L. Spiro
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby CodeMaster.Rapture » Tue Mar 18, 2008 7:50 pm

Are there any script functions for the hack-list?
CodeMaster.Rapture
Hackleberry Fin
Posts: 20
Joined: Sun Mar 16, 2008 2:15 pm

Postby L. Spiro » Tue Mar 18, 2008 7:59 pm

If you are referring to the Found Addresses list you can refer to the examples in the help file.


L. Spiro
L. Spiro
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby CodeMaster.Rapture » Tue Mar 18, 2008 9:11 pm

No, the list that is the addresses you've selected from the Found Addresses List. Where you apply your complex address functions.
CodeMaster.Rapture
Hackleberry Fin
Posts: 20
Joined: Sun Mar 16, 2008 2:15 pm

Postby mezzo » Tue Mar 25, 2008 5:42 pm

bump

It would be very nice to have script functions to manipulate records
in the saved location list.. ie add, remove, read out the records values

I haven't given up on my original plan for the scripted complex addr. builder,
but without functions to manipulate the addresses stored, I will
have to resort to making array dumps to file which need to be copied
and pasted into LSS after rebooting etc.. not that I mind, but it would be
much nicer if it were possible through the script.
- No thanks, I already have a penguin -
mezzo
El Mariachi
Posts: 739
Joined: Mon Apr 30, 2007 10:27 pm
Location: Antwerp

Postby L. Spiro » Tue Mar 25, 2008 6:23 pm

I intend to add functions to modify the list of stored addresses soon.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
