Pokiaka Cheater
Reputation: 0
Joined: 09 Jul 2011 Posts: 48
Posted: Wed May 16, 2012 4:03 am Post subject: Scanning for pointers problem |
It keeps happening to me so many times, I really need help:
When I'm trying to get a pointer, I get the address, I find out what accesses the address, and then when the value changes I get the op-codes.
So far it's okay, but then when I try to search the 'easy guess' in hex, I get no results at all.
And it's either my only op-code in the list, or I have more which are irrelevant (something like 0000D352) or repeating the previous pointer I received.
(Sometimes I get the first pointer and it works perfectly, and when I try to get the second one, it gives me the first again).
Example of when I have no results from the op-code:
mov eax,[edi+04]
EAX = 7C9F8380
EDI = 7D1F73BC
Thanks.
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25779 Location: The netherlands
Posted: Wed May 16, 2012 5:55 am Post subject: |
Quote: "or repeating the previous pointer I received."
that's not possible.
At most the value is the same as the address of the pointer you found (address and value are different things)
Also, remember that the register states are shown AFTER the instruction has been executed.
So in the example code you gave the VALUE at address 7D1F73BC was 7C9F8380
In cases of mov eax,[eax+xxx] you have to remember what the address was that you used "find what accesses" on and then subtract the +xxx from that address to find eax
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Pokiaka Cheater
Reputation: 0
Joined: 09 Jul 2011 Posts: 48
Posted: Wed May 16, 2012 11:09 am Post subject: |
Dark Byte wrote:
Quote: "or repeating the previous pointer I received."
that's not possible.
At most the value is the same as the address of the pointer you found (address and value are different things)
Also, remember that the register states are shown AFTER the instruction has been executed.
So in the example code you gave the VALUE at address 7D1F73BC was 7C9F8380
In cases of mov eax,[eax+xxx] you have to remember what the address was that you used "find what accesses" on and then subtract the +xxx from that address to find eax
You're right, I wasn't accurate. The repeat is the same address with a different offset, although it still doesn't work: it led me to an address that goes something like 0000____ with both the offsets on it, and with the last one it led me to an address that holds the value 0.
And thanks for the advice, I tried to add the offset; subtracting makes much more sense.
I'll give it a try, but what can I do when there's no offset at all and I still don't get anything from the search? It happened to me here:
mov [ecx],eax
ECX=0C69B1A8
EAX=00000062
Any suggestions?
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25779 Location: The netherlands
Posted: Wed May 16, 2012 11:22 am Post subject: |
just read it as "mov [ecx+00000000],eax"
Anyhow, look up the instructions above it and see how ecx gets the value. Perhaps the calculation is done earlier.
But you really don't find anything when searching for addresses with the value 0c69b1a8?
Try scanning for 0c69b1a0, or 0c69b100, or 0c69b000, or 0c698000, or 0c690000 (the heapdata might be useful here)
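To make the two mechanics concrete (register values are shown after the instruction ran, and the base register is recovered by subtracting the displacement from the accessed address, from Dark Byte's first reply; and the progressively coarser aligned values to scan for, from his second), here is an added Python model. It is not code from the thread or from Cheat Engine; every address and memory content in it is constructed for illustration, reusing the register values the posts show, and the static base 00BA0000 used for the pointer-path walk is invented.

```python
# Added example (not from the thread or from Cheat Engine): a tiny model of
# what the "find what accesses/writes" window shows, used to work through the
# points made above. All memory contents here are constructed.

# Constructed 32-bit "process memory": address -> dword value.
MEMORY = {
    0x7D1F73C0: 0x7C9F8380,   # [edi+04] in the first post (edi = 7D1F73BC)
    0x0C69B1A8: 0x00000062,   # [ecx] in the second post (ecx = 0C69B1A8)
    0x0032A654: 0x0C69B1A8,   # [esp+10]: the stack slot ecx was loaded from
    0x00BA0000: 0x7D1F73BC,   # invented static address that holds edi's value
}


def read_dword(addr):
    """Read a 4-byte value from the constructed memory; unmapped reads give 0."""
    return MEMORY.get(addr, 0)


def execute_load(base_reg_value, displacement):
    """Model 'mov reg,[base+disp]'. Returns the destination register AFTER the
    instruction executed, which is what the debugger's register pane shows."""
    return read_dword(base_reg_value + displacement)


def accessed_address(base_reg_value, displacement):
    """The address the instruction actually touched: base register + displacement."""
    return base_reg_value + displacement


def base_from_accessed(accessed_addr, displacement):
    """Reverse direction: given the address you used 'find what accesses' on and
    the +xxx in the instruction, recover the register value by subtracting."""
    return accessed_addr - displacement


def candidate_bases(addr):
    """Progressively coarser aligned addresses to scan for when the exact pointer
    value turns up nothing (the list suggested above: ...1a0, ...100, ...000, ...)."""
    return [addr & ~mask for mask in (0xF, 0xFF, 0xFFF, 0x7FFF, 0xFFFF)]


def resolve_pointer(base, offsets):
    """Walk a pointer path the way a Cheat Engine pointer entry does:
    deref base, add each offset and deref again, and return the final address
    (base -> [base]+o1 -> [[base]+o1]+o2 ...). Returns None if a hop reads 0,
    which is the 'address that holds the value 0' dead end from the thread."""
    addr = read_dword(base)
    for off in offsets[:-1]:
        if addr == 0:
            return None
        addr = read_dword(addr + off)
    if addr == 0:
        return None
    return addr + offsets[-1]


if __name__ == "__main__":
    # First post: mov eax,[edi+04] with edi = 7D1F73BC
    print(f"eax after load: {execute_load(0x7D1F73BC, 0x4):08X}")
    print(f"address touched: {accessed_address(0x7D1F73BC, 0x4):08X}")
    print(f"edi recovered:   {base_from_accessed(0x7D1F73C0, 0x4):08X}")
    # Second post: mov ecx,[esp+10] with esp = 0032A644 fills ecx
    print(f"ecx from stack:  {execute_load(0x0032A644, 0x10):08X}")
    print("scan candidates:", [f"{a:08X}" for a in candidate_bases(0x0C69B1A8)])
    print(f"path result:     {resolve_pointer(0x00BA0000, [0x4, 0x0]):08X}")
```

Running it shows the first-post registers reproduce exactly (EAX = 7C9F8380 is the dword at EDI+4, not at EDI), that subtracting the displacement gives EDI back, and that the second-post ECX comes from the stack slot at ESP+10, which is why the thread moves on to a different path.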
Pokiaka Cheater
Reputation: 0
Joined: 09 Jul 2011 Posts: 48
Posted: Wed May 16, 2012 11:48 am Post subject: |
Dark Byte wrote:
look up the instructions above it and see how ecx gets the value. Perhaps the calculation is done earlier
but you really don't find anything when searching for addresses with the value 0c69b1a8? (just read it as [ecx+00000000])
Yes, I get nothing.
You're right that the calculation was done earlier; I didn't notice it:
00BAEE49 - mov ecx,[esp+10]
00BAEE4D - mov [ecx],eax
EAX=00000062
ECX=0C69B1A8
ESP=0032A644
But I'm confused about how to proceed.
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25779 Location: The netherlands
Posted: Wed May 16, 2012 11:59 am Post subject: |
Try a different path, you're not going to find anything useful here (nothing that leads to a static, although if you go far enough, you might get to a decent stable point in the stack)
Pokiaka Cheater
Reputation: 0
Joined: 09 Jul 2011 Posts: 48
Posted: Wed May 16, 2012 1:08 pm Post subject: |
Dark Byte wrote:
Try a different path, you're not going to find anything useful here (nothing that leads to a static, although if you go far enough, you might get to a decent stable point in the stack)
Those are the only op-codes I get.
I tried to mess with the value a lot to see what I could achieve, but still nothing.
So what other paths do I have?
And if it's not too much to ask, could you explain how it is possible that it doesn't work?
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25779 Location: The netherlands
Posted: Wed May 16, 2012 2:56 pm Post subject: |
Code injection should work
As for why the current path won't find it (have you tried find what accesses instead of writes?): if the value is stored in the stack you can't do an easy scan for the value, as the location will be overwritten often with other random values.
You might be able to track down the origin of that value closer to the base of the stack where it won't change often, but you will need to do single-step debugging for that. Which sucks.
Pokiaka Cheater
Reputation: 0
Joined: 09 Jul 2011 Posts: 48
Posted: Wed May 16, 2012 11:38 pm Post subject: |
Dark Byte wrote:
Code injection should work
As for why the current path won't find it (have you tried find what access instead of writes? ) is because if the value is stored in the stack you can't make a easy scan for the value as the location will be overwritten often with other random values.
You might be able to track down the origin of that value closer to the base of the stack where it won't change often, but you will need to do single step debugging for that. Which sucks
Oh I see, sucks indeed. Especially since I can't code inject in this case, because it probably won't affect only the player, but oh well.
Thank you very much Dark Byte, you've really helped me.
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25779 Location: The netherlands
Posted: Thu May 17, 2012 5:25 am Post subject: |
If all else fails, try the pointerscan
Pokiaka Cheater
Reputation: 0
Joined: 09 Jul 2011 Posts: 48
Posted: Thu May 17, 2012 8:23 am Post subject: |
Dark Byte wrote:
If all else fails, try the pointerscan
I did, with success. Thank you for your help, it's a great tool.