Dahde Newbie cheater
Reputation: 0
Joined: 26 Feb 2008 Posts: 12
Posted: Sun Mar 02, 2008 11:03 am Post subject: Capturing Chatbox from memory
I'm trying to capture the chatbox on poker academy (no real money there so don't worry, I'm doing it to avoid scraping the screen...)
I find the address OK, but when I look for a pointer I get this in the 2 windows:
Quote:
Window 1
77c472e1 - 72 29 -jb memmove+5c
Quote:
Window 2
77c472db - and edx,03
77c472de - cmp ecx,08
>>77c472e1 - jb memmove+5c
77c472e3 - repe movsd
77c472e5 - jmp dword ptr [edx*4+memmove+148]
Jump short if below/carry
EAX=101A98AA EDX=00000002 ESP=0503F7AC
EBX=12F92B98 ESI=101A9888 EBP=0503F7B4
ECX=00000008 EDI=12F950CC EIP=77C472E3
The registers shown here are AFTER the instruction has been executed.
To show them before the instruction is executed use Access Exceptions
instead of Debug Registers
I'm a noob so I don't know what this means exactly...
Also, the chatbox transcript is contained in these memory regions that only contain 8 chars each. So one hand is taking up like 50-70 memory regions.
Quote:
12F95028 320035002C003500380030000A0043002 5 , 5 8 0 C
12F95038 7200750073006F006500200062006C00r u s o e b l
12F95048 69006E00640073002000240035000A00i n d s $ 5
12F95058 530061006E006A006100200062006C00S a n j a b l
12F95068 69006E00640073002000240031003000i n d s $ 1 0
12F95078 0A0059006F0075007200200068006F00 Y o u r h o
12F95088 6C006500200063006100720064007300l e c a r d s
12F95098 20006100720065003A00200051007300 a r e : Q s
I'm using Nomad's memory.au3 to grab from memory; anyone have any ideas on how to grab them better?
P.S. How soon can I post URLs? Doing OCR on CE sucks....
Labyrnth Moderator
Reputation: 10
Joined: 28 Nov 2006 Posts: 6301
Posted: Sun Mar 02, 2008 6:24 pm Post subject:
Yeah, since you know the address, use OllyDbg and set a breakpoint on it.
Then see what kind of instructions you get for it.
Dahde Newbie cheater
Reputation: 0
Joined: 26 Feb 2008 Posts: 12
Posted: Mon Mar 03, 2008 5:27 am Post subject:
Labyrnth wrote:
Yeah, since you know the address, use OllyDbg and set a breakpoint on it.
Then see what kind of instructions you get for it.

If I understand you correctly, you are saying that I should replicate what I just did with CE, with Olly.
In other words, I will attach to the process, find the memory region that will be written to next, put a break there, and allow the program to write the value to the region, is that correct?
And then?
Labyrnth Moderator
Reputation: 10
Joined: 28 Nov 2006 Posts: 6301
Posted: Mon Mar 03, 2008 11:23 am Post subject:
Set a break on that address in Olly that you find in CE.
Dahde Newbie cheater
Reputation: 0
Joined: 26 Feb 2008 Posts: 12
Posted: Mon Mar 03, 2008 12:38 pm Post subject:
Alright, I found a DMA tutorial that just chewed that up for me @ bwhacks dot com forum (still can't post URLs). If you have another link for a DMA tutorial it would be greatly appreciated.
In that tutorial he actually changes the instruction that he finds after stepping in. Since in this particular case I'm not trying to change anything, just grab it, what will I be doing once I'm there?
Labyrnth Moderator
Reputation: 10
Joined: 28 Nov 2006 Posts: 6301
Posted: Mon Mar 03, 2008 1:30 pm Post subject:
All you want is to read text?
Do scans for text in memory.
Once the address is found, if it is static, you can read process memory with it and output it to a textbox.
If it has DMA, then you can find a pointer to do this same thing.
"ReadProcessMemory"
Dahde Newbie cheater
Reputation: 0
Joined: 26 Feb 2008 Posts: 12
Posted: Tue Mar 04, 2008 1:36 am Post subject:
Labyrnth wrote:
All you want is to read text?
Do scans for text in memory.
Once the address is found, if it is static, you can read process memory with it and output it to a textbox.
If it has DMA, then you can find a pointer to do this same thing.
"ReadProcessMemory"

Clear enough; it's just that when I try to look for a pointer, I don't find one, and get the two strange windows from the OP. The addresses are DMA addresses, and I'm still fuzzy on how to get past the 2 OP windows in order to get to a pointer.
Labyrnth Moderator
Reputation: 10
Joined: 28 Nov 2006 Posts: 6301
Posted: Tue Mar 04, 2008 2:36 am Post subject:
Quickest way is to use pointer scan.
Dahde Newbie cheater
Reputation: 0
Joined: 26 Feb 2008 Posts: 12
Posted: Tue Mar 04, 2008 5:02 am Post subject:
When I do a pointer scan with CE with default options on one of the yellow addresses from the OP, I get 0 pointers.
It's more than likely my technique is flawed...
Is there a tutorial on pointer scanning?
Labyrnth Moderator
Reputation: 10
Joined: 28 Nov 2006 Posts: 6301
Posted: Tue Mar 04, 2008 5:07 am Post subject:
Not really, I don't think.
Select the level of pointer; I would try 4.
But you know what, this runs in the browser, doesn't it? It won't have a pointer.
Dahde Newbie cheater
Reputation: 0
Joined: 26 Feb 2008 Posts: 12
Posted: Tue Mar 04, 2008 5:46 am Post subject:
No, it's an actual exe...
I was able to get a bit further using Tsearch.
I set a 'write' breakpoint on an address that was about to be used, and got 2 addresses that write to the memory region in question...
Code:
77c47350 mov [edi],al
Code:
77c47358 mov [edi+0x1],al
Now are these the pointers I'm looking for? Tsearch is a bit different, so I'm unsure...
EDIT:
Alright, I figured out the correct setting for a pointer scan in CE, I had to scan with Max Level 5...
Now the pointer scan returned 135 pointers:
Code:
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- 4
- 3E8
- 1E4
- 8
- 1A
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DA14
- PokerAcademyPro.exe+0001DE44
- PokerAcademyPro.exe+0001DE44
- PokerAcademyPro.exe+0001DE44
- PokerAcademyPro.exe+0001DE44
- PokerAcademyPro.exe+0001DE44
- PokerAcademyPro.exe+0001DE44
- PokerAcademyPro.exe+0001DE44
- PokerAcademyPro.exe+0001DE44
- PokerAcademyPro.exe+0001DE44
- PokerAcademyPro.exe+0001DEE4
- PokerAcademyPro.exe+0001DEE4
- PokerAcademyPro.exe+0001DEE4
- PokerAcademyPro.exe+0001DEE4
- PokerAcademyPro.exe+0001DEE4
- PokerAcademyPro.exe+0001DEE4
- PokerAcademyPro.exe+0001DEE4
- PokerAcademyPro.exe+0001DEE4
- PokerAcademyPro.exe+0001DEE4
- PokerAcademyPro.exe+0001DEE4
Can you comment on those please... why are there so many?
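Added example, not code from the thread: how a Cheat Engine style level-5 pointer chain resolves from a module-relative static address, why the same chain still resolves after a restart when only the heap has moved, and why a candidate that starts from a heap address goes unreadable (what CE shows as P->????????). The module load address, the heap layout and the reading of the post's offsets (4, 3E8, 1E4, 8, 1A) as one chain are assumptions; the process image is a constructed stand-in for ReadProcessMemory.

```python
import struct

MODULE = 0x00400000   # constructed load address for PokerAcademyPro.exe (not from the post)
STATIC = 0x0001DA14   # module-relative base seen in the post's pointer-scan results
OFFSETS = [0x4, 0x3E8, 0x1E4, 0x8, 0x1A]  # assumed: the post's offsets read as one level-5 chain


class Memory:
    """Sparse 32-bit process image: address -> 4 little-endian bytes. Constructed
    stand-in for ReadProcessMemory; an unmapped address raises, as a failed read would."""
    def __init__(self):
        self.cells = {}

    def write_u32(self, addr, value):
        self.cells[addr] = struct.pack("<I", value)

    def read_u32(self, addr):
        raw = self.cells.get(addr)
        if raw is None:
            raise MemoryError(f"unreadable address {addr:08X}")
        return struct.unpack("<I", raw)[0]


def resolve_chain(mem, base, offsets):
    """CE notation [[[[[base]+o0]+o1]+o2]+o3]+o4: dereference, add offset, repeat.
    Returns the final address, or None when any hop lands on unmapped memory."""
    addr = base
    try:
        for off in offsets:
            addr = mem.read_u32(addr) + off
    except MemoryError:
        return None
    return addr


def build_image(heap_base):
    """Lay out the object graph one game run would produce. Only heap_base differs
    between runs (the DMA part); the static cell and the offsets stay the same."""
    mem = Memory()
    objs = [heap_base + i * 0x1000 for i in range(len(OFFSETS))]
    mem.write_u32(MODULE + STATIC, objs[0])                # static cell -> first heap object
    for i in range(len(OFFSETS) - 1):
        mem.write_u32(objs[i] + OFFSETS[i], objs[i + 1])   # each hop -> next heap object
    chat_addr = objs[-1] + OFFSETS[-1]                     # where the chat buffer would sit
    return mem, chat_addr


if __name__ == "__main__":
    run1, chat1 = build_image(0x12F90000)   # heap base chosen to resemble the post's 12F9xxxx
    run2, chat2 = build_image(0x0AB40000)   # after a restart the heap has moved
    print(f"run1 chain -> {resolve_chain(run1, MODULE + STATIC, OFFSETS):08X}")
    print(f"run2 chain -> {resolve_chain(run2, MODULE + STATIC, OFFSETS):08X}")
    # A candidate rooted at a run-1 heap address instead of the module is stale: None
    print(resolve_chain(run2, 0x12F90004, OFFSETS[1:]))
```

The module-rooted chain follows the moved heap in both runs, which is what a rescan after restart keeps; the heap-rooted candidate is what the rescan discards.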
Labyrnth Moderator
Reputation: 10
Joined: 28 Nov 2006 Posts: 6301
Posted: Tue Mar 04, 2008 11:58 am Post subject:
OK, now after you got all those pointers, keep the pointer window open and close the game.
Run the game again, attach CE to it, and rescan pointers to see how many are still valid. The number could decrease a lot, even to 0, or stay the same, meaning any of them will work.
Dahde Newbie cheater
Reputation: 0
Joined: 26 Feb 2008 Posts: 12
Posted: Wed Mar 05, 2008 3:43 am Post subject:
Labyrnth wrote:
OK, now after you got all those pointers, keep the pointer window open and close the game.
Run the game again, attach CE to it, and rescan pointers to see how many are still valid. The number could decrease a lot, even to 0, or stay the same, meaning any of them will work.

The number decreases to 0, simply because the addresses are DMA, and the old address we used when scanning the first time is not used when you restart the game...
I'm gonna try extracting some data using Nomad's memory now, wish me luck ))
Thanks for your help L
EDIT:
Hey Lab,
Those pointers are not valid after I reattach, I can't find the right pointer...
I'm probably doing something wrong again.
Once I reattach, all the pointer addresses that I added to the CE table light up with P->????????
Some of them come back to life periodically and point to some new address, but those addresses don't contain the chat.
Can you describe again what I should do right after I reattach please?
Labyrnth Moderator
Reputation: 10
Joined: 28 Nov 2006 Posts: 6301
Posted: Fri Mar 07, 2008 7:06 am Post subject:
Rescan pointers.
And please don't make more topics on this same thing.