follow the pointer and then add 24 bytes

Ask for Help on Using the Language With Memory Hacking Software

Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo

follow the pointer and then add 24 bytes

Postby mezzo » Mon May 21, 2007 6:47 pm

hey guys/girls, I have a pointer question.. Lets say I have following (semi-fictional) external structure:


extern struct CharacterHunger {
long nutrition;
char hunger;
} e_charHUNGER = { "NetHackW.exe", 0xDB6B9C };


This structure moves in memory, so the address 0xDB6B9C changes each time.
I found a pointer that points to the [structure - 24bytes] at address { "NetHackw.exe", 0x1E711C }.
I guess the below would be correct if the pointer would contain the address of the structure,
but I need to follow the pointer and then go 24bytes further... any ideas ?

extern struct CharacterHunger {
long nutrition;
char hunger;
};

extern CharacterHunger * e_charHUNGER = { "NetHackW.exe", 0x1E711C };
- No thanks, I already have a penguin -
User avatar
mezzo
El Mariachi
 
Posts: 739
Joined: Mon Apr 30, 2007 10:27 pm
Location: Antwerp

Postby L. Spiro » Tue May 22, 2007 9:33 am

Code: Select all
extern struct CharacterHunger {
    BYTE bBuffer[24];
    long nutrition;
    char hunger;
} * e_charHUNGER = { "NetHackW.exe", 0x1E711C };



Pointers that point to class/structure data always point to the starts of the class/structure unless the pointer is a temporary being used for certain types of algorithmic optimizations.
Which global pointers used to keep track of data aren’t.

It means that if you find a structure, and you find a global (static) pointer that points to a location before your structure, you didn’t fully map the structure you found something in the middle of the structure instead of at the very beginning.

So put a BYTE buffer there to fill the gap until you have time later to replace the buffer with real values as you find them.


You have found data inside a structure that starts 24 bytes after the start of the structure, so the only modification needed is to put a 24-byte buffer there to fill the space.


L. Spiro
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby mezzo » Tue May 22, 2007 7:18 pm

Hey Spiro, thanks, I was using that as a quick fix.. guess it is what I was supposed todo. to go further, I probably used a bad example.. I should have given the struct InventorySlot instead. anyway:

struct InventorySlot {
char bAmount;
char padding1[3];
char bModifier;
char bTypeOfItem;
char SlotCharID;
char padding2[1];
char bIdentified;
char padding3[3];
char ItemProperties;
char padding4[20];
char bWielded;
char padding5[14];
unsigned long PointerToNext;
char TheRest[20]; }

The thing that makes me wonder is the 'PointerToNext'... it's a pointer that points to the next InventorySlot structure... but it doesn't point to the beginning of this structure, it points to the PointerToNext field of this new struct. So, this pointer contains a new pointer and so on...

Am I to look at this like a linked list ? And if so, why doesn't the pointer point to the beginning of the next structure ? I guess that with some simple arithmetic this pointer value could be turned into the beginning of the structure... but that still makes little sense.. Any ideas ?
- No thanks, I already have a penguin -
User avatar
mezzo
El Mariachi
 
Posts: 739
Joined: Mon Apr 30, 2007 10:27 pm
Location: Antwerp

Postby L. Spiro » Tue May 22, 2007 8:44 pm

Code: Select all
char bAmount;
char padding1[3];

This probably not correct. You have a number that can only go from 0 to, say, 100, which means your idea of using only one byte (char) to represent that number is correct, but in reality the game programmers used an int (or long), which is why you always have 0’s for the following 3 bytes.
Though if you see those 3 bytes changing to other values I am wrong and you are correct to assign it this way. If they do indeed always stay 0, change it to unsigned long.


Code: Select all
unsigned long PointerToNext;

If this is indeed a pointer to another InventorySlot structure, change this to:
Code: Select all
InventorySlot * PointerToNext;




Am I to look at this like a linked list ?

Yes.


why doesn't the pointer point to the beginning of the next structure ?

If it is indeed not pointing to the actual beginning of the next structure, there is a reason, but in order to understand it you need to know all about class inheritance and virtual functions/overloading.
The short version is that classes can inherit from each other to mean that the first class will be left as it is and the new class will be added to the end of it to add more data and functions.
So in terms of data layout, think of it as the first structure, then at the end of that structure there is another, but they are treated as one big structure. You could still have the first structure without the new one at the end, but in order to have the new one you have to put down the first structure first.

With this layout, a pointer to either type of structure will still be at the very start of the whole thing. The new class is added at the end of the first class, but you won’t have a pointer there where the new class is added. A pointer to the new class will still be at the start of the entire set.

But when virtual functions are involved things are different. Then it becomes important to know where one class ends and the next begins. The way virtual functions work requires that each class/structure start with a pointer to a function table. You make the class/structure in a normal way, but the compiler will put a 4-byte pointer at the start of the class for you. Any pointer to that class points there, so when your new class is added to the first class, a pointer to the new class will point where the new class begins, after the first class.
So if the new class has virtual functions, the new class starts at the end of the first class, with 4 bytes there to be used as the function table pointer for that class, and then all the data inside the new class is added after that.


This is the most common case where pointers point to areas inside a structure rather than at the start of the entire set. When the programmer wants to cast down from the new class to the old class, the compiler generates code that subtracts a certain amount from the pointer, making it correctly point to the start of the first class instead of the new class.




So let’s say your PointerToNext pointer points to the next structure, but always 14 bytes deep into the structure (which would be where padding4[20] is inside the structure).
In that case, the real structure layout would look like this:


Code: Select all
class InventoryBase {
char bAmount;
char padding1[3];
char bModifier;
char bTypeOfItem;
char SlotCharID;
char padding2[1];
char bIdentified;
char padding3[3];
char ItemProperties;
};

class InventorySlot : public InventoryBase {
(4-byte virtual function table pointer here);
char padding4[16]; // Removed 4 bytes to account for the function table pointer.
char bWielded;
char padding5[14];
unsigned long PointerToNext;
char TheRest[20];

virtual void VirtFunc();  // A virtual function inside a class/structure makes the 4-byte table pointer appear at the start, and makes class pointers more complicated.
};



No, you can not do this in my language. There is no need. This is in C++ but you can map this fine with C, and with my language (since it is C).
I am showing a very very rough example of how it would look in C++ just to give an idea of how it would have looked from their end. We do not need to see it this way but if you can understand everything, you can shoot fireballs from your eyes and lightning from your ass (all Japanese can do this already).


I guess that with some simple arithmetic this pointer value could be turned into the beginning of the structure

And it is correct to do so. Since that is what the compiler would do anyway if the original programmer cast it down from the upper class to the lower class.
When you follow PointerToNext, look at where it is inside the structure. That offset in the structure should be another pointer and if you follow it you will get a list of pointers. Each pointer there points to code, so from that list you can follow any of them and see code that is related to that object. Each pointer represents a function that was declared in that class, and all of them accept a “this” pointer as the first parameter.

This is all very powerful to know and understand, because once you know where all those functions are, you can change them to stop decreasing your inventory or whatever you like. You can also use them to find the locations of every instance of InventorySlot structures there are, since the first parameter passed to them will be a pointer to one.


L. Spiro
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby mezzo » Tue May 22, 2007 10:28 pm

:shock:
You, my good man, must be the most thorough guy I've ever had the pleasure of talking to.

- Yes, I'm pretty sure you are right about the first char actually being an int/long instead. The game doesn't allow more then X items in a slot, but I haven't seen the next 3 bytes change, so I guess I'll make it into an unsigned long instead.

- I'm guessing you are right about "InventorySlot * PointerToNext;", but at the moment I only know what pointers do, but haven't worked enough with them lately to be able to use them myself

- Aha, I know linked lists.. too bad university was like 10+ years ago, and I hardly remember the first thing of working with them :)

- Wow.. I had to read the bit about the class like 10 times, and I'm still blown away.. I think I need to go over this quite a few more times and get my old C and C++ books out. Do you know of any good resources describing what classes are and how they are used (just to understand what I'm reversing here).

In the last 2 paragraphs you write about pointers pointing to code.. With the 'limited' knowledge that I have, do I look at this 'structure' as being approx the same as an object in object oriented code, with a pointer to a procedure that will execute some code on the object that referenced to this code ? (does that make sense ?)

(sorry for any dumb questions asked. feel free to ignore me if you get fed up with me)
- No thanks, I already have a penguin -
User avatar
mezzo
El Mariachi
 
Posts: 739
Joined: Mon Apr 30, 2007 10:27 pm
Location: Antwerp

Postby L. Spiro » Wed May 23, 2007 11:50 pm

Do you know of any good resources describing what classes are and how they are used (just to understand what I'm reversing here).

Not really. Classes are too large of a subject for a single resource to fully contain anyway, I believe. And if there was a single resource, there would be so much content that it would take an exceptionally long time just trying to absorb it all.

And furthermore, I have never encountered any resources that explain what I have explained above. This seemingly highly classified information somehow manages to fall upon only a lucky few, while the rest can still use virtual functions without ever needing to know how and why they work. The virtual table and pointer to it can be found in some resources with enough looking, but I have never seen any resource explain how things are aligned in memory, how the casting works from a compiler standpoint, when and why you should expect these types of situations (from the viewpoint of a person reverse-engineering these objects), how multiple-inheritance effects the data layout (again, from a reverser’s standpoint), etc.



do I look at this 'structure' as being approx the same as an object in object oriented code

In C++, structures and classes are exactly the same, except that structures default to having all members public and classes default to all private.
Also, everything that is done in C++ can be done manually in C (with only a few minor hacks in ASM). C++ just makes the concepts easier to code and enforces the rules that make everything work. That means you can do everything C++ can in C, and you could do it in my language if I allowed direct calls to function pointers (picky people start to ask about templates and other technicalities but I am talking specifically about actual final-result coding constructs that make object-oriented code work).
But to emulate things correctly, however, you would need to know all the technical details that run under the surface of C++ to make things work how they work, and there simply is no other way except from years of experience.




with a pointer to a procedure that will execute some code on the object that referenced to this code ? (does that make sense ?)

Functions that lay outside of classes are straight-forward; they are just functions you write and call.
Functions inside classes/structures (that are not static) end up the same way, in fact. You feel as you write the code that the function is “inside” the class, but what would that mean if it could even be possible?
The function itself resides as one copy in the code, just as all other functions, with the only exception being that it takes a hidden parameter at the start of the parameter list. That parameter is a pointer to an instance of that class/structure. That is how the function is related to the class/structure in the end. That is the only way.
Using that pointer, the function can access all the members on that class/structure. The language syntax makes all of this transparent, so you don’t have to add a “this” pointer to the function (you add it indirectly by putting the function in the class) and you don’t have to use indirection off that pointer inside that function to access its members.

However, once you know how this works in the end, you can do all of this manually to get the same end result.
Both in C and in my language, you could write a function with the first parameter being a pointer to a type of structure and inside the function you work with members of that structure. You could pretend that function is actually inside the structure, as a function member of it as in C++, but instead of having the language/compiler disguise it for you, you did it manually.


And with this understanding you can look at functions in your game as you hack and realize when a series of pointers accept, as the first parameter, a pointer to the same type of object. Those functions are class member functions of that object, and you gain insight into the structure of the original code.


L. Spiro
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby g3nuin3 » Wed Jul 18, 2007 2:00 am

Do you know of any good resources describing what classes are and how they are used (just to understand what I'm reversing here).


I do;
The best there is:
http://www.smart2help.com/e-books/

And FREE :roll:
g3nuin3
Acker
 
Posts: 96
Joined: Tue Jul 18, 2006 10:53 am


Return to Help

Who is online

Users browsing this forum: No registered users and 0 guests

cron