Leonidas, Advanced Cheater
Posted: Mon Sep 19, 2005 1:46 am. Post subject: pointer/structure scanner method

Just something I thought about, just posting here so I don't forget it.
Code:
values: Not in range of allocated memory
pointer: value in range of allocated memory
read assembler opcodes:
mov eax,[00500000]
mov edx,[00700000+ebp]
determine type: (see static scanner)
00500000=pointer
00700000=base of struct or array
00700000:
value
value
pointer->00a00000
value
value
value
00500000->00800000 <------
value |
value |
pointer->00900000 |
value |
value |
value |
pointer->00800000--- recursive problem. Determine if address has already been defined to avoid infinite loops
value
value
pointer->00901000
value
value
value
value
pointer->00501100
pointer->00502000
value
value
pointer->00503000
value
value
address found: 00503004
found at 00503000+0x4
parent=00501100+0x4
parent=00500000+0x20
ce pointer notation
base pointer: 00500000
offset 0x20,0x4,0x4
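The walk sketched in the post, written out as an added example (this is not Cheat Engine's code): a breadth-first scan from a static base through struct members whose values fall inside allocated memory, with the visited-set guard that the "recursive problem" note asks for, run over a constructed snapshot. STRUCT_SIZE, the region layout and the addresses are assumptions modelled on the post's picture, including the self-referencing struct at 00800000.

```python
import struct
from collections import deque
STRUCT_SIZE = 0x100   # bytes walked per struct (the post uses 512); hypothetical value

def make_struct(ptrs):
    # filler "values" (never valid addresses) with pointers at the given offsets
    words = [0x00000001] * (STRUCT_SIZE // 4)
    for off, target in ptrs.items():
        words[off // 4] = target
    return struct.pack("<%dI" % len(words), *words)

# Constructed 32-bit little-endian snapshot (region base -> bytes), not a real dump.
# Target 0x00503004 is reachable as [[0x00500000+0x20]+0x4]+0x4; 0x00800000 and
# 0x00900000 point at each other, the "recursive problem" the post warns about.
SNAPSHOT = {
    0x00500000: make_struct({0x20: 0x00501100, 0x30: 0x00800000}),
    0x00501100: make_struct({0x4: 0x00503000}),
    0x00503000: make_struct({}),
    0x00800000: make_struct({0x8: 0x00900000, 0x10: 0x00800000}),  # also points to itself
    0x00900000: make_struct({0x0: 0x00800000}),
}

def read_dword(addr):
    """Dword at addr, or None when addr is not in allocated memory (the post's value/pointer test)."""
    for base, data in SNAPSHOT.items():
        if base <= addr <= base + len(data) - 4:
            return struct.unpack_from("<I", data, addr - base)[0]
    return None

def find_chains(static_base, target, max_level=5):
    """Breadth-first walk from a static base through members that look like pointers,
    returning every offset chain that lands in a struct containing target. The visited
    set is the guard the post asks for: a struct already reached is never walked again."""
    results, visited = [], {static_base}
    queue = deque([(static_base, [])])
    while queue:
        struct_addr, offsets = queue.popleft()
        if struct_addr <= target < struct_addr + STRUCT_SIZE:
            results.append(offsets + [target - struct_addr])
        if len(offsets) >= max_level:
            continue
        for off in range(0, STRUCT_SIZE, 4):
            value = read_dword(struct_addr + off)
            if value is None or read_dword(value) is None or value in visited:
                continue                      # not a pointer, or already defined
            visited.add(value)
            queue.append((value, offsets + [off]))
    return results

def ce_notation(base, offsets):
    return "base pointer: %08X offsets %s" % (base, ",".join("0x%X" % o for o in offsets))
```

Without the visited set, the 0x00800000 / 0x00900000 pair alone would keep the queue growing forever; with it, a scan started at 0x00800000 simply terminates with no result.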
Leonidas, Advanced Cheater
Posted: Wed Sep 21, 2005 3:23 am

Add the following presets:
crazy scan: all [xxxx] addresses in executable code, 512-byte structure default, estimated time: a few hours
psychotic scan: all values that represent a readable address in executable code, estimated time: a day
psychotic and retarded scan: all values that represent a readable address, don't care about alignment, estimated time: several days
insane psychotic and retarded scan: same as above but with a struct size of 1024 or higher, estimated time: a couple of years, and requires 128-bit memory management and a couple of TB of hard disk
Dark Byte, Site Admin
Posted: Sun Sep 25, 2005 1:05 pm

Useful as a last resort:
[Attached image, 23.68 KB. Description: it's slow, and eats up lots of memory.]
|
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Turtle, Advanced Cheater
Posted: Mon Oct 17, 2005 12:31 am

Interesting.
Dark Byte, Site Admin
Posted: Mon Oct 17, 2005 10:53 am

It certainly is, but keep in mind that it's almost the same as brute-forcing a password. The more levels and the bigger the structures, the longer it'll take.
Dark Byte, Site Admin
Posted: Fri Oct 21, 2005 4:18 pm

Actually, I managed to get a decent speed increase by making use of dual threading (I got a dual-core CPU) and deciding to give a fuck about memory.
Dark Byte, Site Admin
Posted: Fri Oct 21, 2005 5:10 pm

Update: I managed to scan Dungeon Siege 2 in less than 30 minutes, and found the mana pointer for the 4th character and the currently selected character (including monsters).
(level 5 pointers, struct size 512, base level size 4)
Turtle, Advanced Cheater
Posted: Fri Oct 28, 2005 5:57 pm

How much of a difference do dual cores make?
Also, what do you think of the static pointer searcher in L.Spiro's program?
It's one of the search options, and there is a tickbox to only find static pointers. Why does his do a direct search based on a given address or range of addresses, but yours does a full scan? Just wondering.
Are some static pointers more reliable than others?
Dark Byte, Site Admin
Posted: Fri Oct 28, 2005 6:24 pm

Pointers found by looking at the code instead of the data (and determining if it is accessible or not) return fewer wrong addresses.
E.g. the text 'this door goes to hell' may contain some addresses that point to accessible memory, while the static scanner only looks at code like 'mov esi,[00900000]' and then records 00900000 as a possible pointer.
But for the pointer scanner you'll have both methods to choose from; it's just that with the method of scanning through the data instead of the code you'll get a lot of extra wrong results, and that is especially a problem when you're applying it to base pointers.
E.g. with a structsize of 512, dissection of a base pointer would require in the worst case scenario 34359738368 compares (512/4=128 possible pointers in each structure, 128*128*128*128*128), checking whether it is a pointer and whether it points to the right address (of course by filtering out duplicates and non-pointers you can bring this down a lot).
And each wrong base pointer would result in a big time loss.
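The two ways of collecting base-pointer candidates that Dark Byte contrasts, as an added example (not Cheat Engine's code): the code method pulls the absolute operand out of `mov r32,[disp32]` encodings, the data method treats any dword whose value lands in readable memory as a pointer. The readable ranges, the code stub and the string are constructed for the demo; on them the unaligned data scan also accepts the bytes of "door" as an address, the kind of false positive the post describes.

```python
import struct

# Constructed readable address ranges standing in for a process map (not real ones).
READABLE = [(0x00400000, 0x00480000), (0x00900000, 0x00A00000), (0x72600000, 0x72700000)]

def is_readable(addr):
    return any(lo <= addr < hi for lo, hi in READABLE)

def data_scan(blob, align=4):
    """Data method: every dword whose value is a readable address is a candidate.
    align=1 tries every byte offset, the 'don't care about alignment' preset."""
    found = set()
    for off in range(0, len(blob) - 3, align):
        value = struct.unpack_from("<I", blob, off)[0]
        if is_readable(value):
            found.add(value)
    return found

# ModRM bytes of `mov r32,[disp32]` (mod=00, rm=101) for eax, ecx, edx, ebx, esp, ebp, esi, edi
MOV_R32_DISP32 = {0x05, 0x0D, 0x15, 0x1D, 0x25, 0x2D, 0x35, 0x3D}

def code_scan(blob):
    """Code method: take the absolute operand of `mov eax,[disp32]` (A1 disp32) and
    `mov r32,[disp32]` (8B /r disp32). A linear byte-pattern scan, not a disassembler."""
    found, i = set(), 0
    while i + 5 <= len(blob):
        if blob[i] == 0xA1:
            found.add(struct.unpack_from("<I", blob, i + 1)[0]); i += 5
        elif blob[i] == 0x8B and i + 6 <= len(blob) and blob[i + 1] in MOV_R32_DISP32:
            found.add(struct.unpack_from("<I", blob, i + 2)[0]); i += 6
        else:
            i += 1
    return found

# Constructed sample: a short code stub followed by the post's string.
CODE = bytes.fromhex("8B35" "00009000"    # mov esi,[00900000]
                     "A1"   "10004000"    # mov eax,[00400010]
                     "33C0" "C3")         # xor eax,eax ; ret
SAMPLE = CODE + b"this door goes to hell\0"

if __name__ == "__main__":
    for name, found in [("code", code_scan(SAMPLE)), ("data/aligned", data_scan(SAMPLE)),
                        ("data/unaligned", data_scan(SAMPLE, 1))]:
        print("%-14s %s" % (name, sorted("%08X" % a for a in found)))
```

Note that the aligned data scan misses both real operands here because instruction operands are not dword-aligned, while the unaligned scan finds them plus the bogus 726F6F64 from the text.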