Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine

Problem Finding a Static Pointer Address (newbie alert)

coffeeAchiever
Newbie cheater
Reputation: 0

Joined: 27 Dec 2014
Posts: 22

PostPosted: Thu Jan 01, 2015 6:08 pm    Post subject: Problem Finding a Static Pointer Address (newbie alert)

Newbie here. I'm trying to find the static pointer address for Crosskill pistol ammo in Payday: Heist. These are the steps I've taken.

A) The Relocatable Address
    1. Trivial to get if you search for the total ammo count as a float.

B) What Accesses The Relocatable Address?
    1. Right-click and choose "Find out what accesses this address".
    2. Confirm "yes" to "This will attach the debugger..."
    3. This window is brought up:

    4. Go back to game. Unpause it.
    5. In the game, shoot the Crosskill.

Quote:
Side note:
At this point, the game crashed. I tried:
    a. Turning off Windows Security Essentials (the MSWin virus scanner)
    b. Don't scan memory that is protected with the No Cache option
    c. Enabling "Try to prevent detection of the debugger"

None of these worked. What worked was changing the debugger from "Use windows debugger" to "Use VEH debugger".

    6. Upon shooting once, two instructions are displayed:

    Interesting that the instructions at 0079 3D52 access our relocatable address about 15 times per shot while the other instructions at 0079 3EEF are one-for-one with the number of shots. But I think I understand why. The many-to-one code turns out to be a write from the relocatable address to other places, so there's probably data structs that share this piece of information (how many bullets you have total), for example, I'm sure the GUI needs to know.

C) Which instruction should I choose?
    1a. Instructions at 0079 3D52 (the first move result):

      Move the 4 bytes of memory at the address contained at EDI (1009 2030) into register EDX. This is the wrong direction. We want to look for stuff going *into* 1009 2030, not from 1009 2030.

    1b. Instructions at 0079 3EEF (the second move result):

      Move the contents of register ECX to the memory address contained in ESI (10092040). Sounds right!

    2. So clearly I want the 2nd case since I care about stuff that writes to 1009 2030, not stuff that reads from 1009 2030. But either way, I want to do a memory search for 1009 2030:

    3. So I played the game for a minute, and the pointer values (which are addresses) remained constant, so they're still all candidates for the amount of Crosskill total ammo. I add them to the list via:

    4. So now I have:

D) Checking my work
    1. I want to test my addresses, so I restart the level and discover that everything I did was garbage. None of it was good:

So my questions are:

    1. Did I do anything wrong?
    2. Clearly I need to go back to the drawing board. If I didn't make any missteps, what's my next course of action?

Note: I know there's memory scan, but if feasible, I'd like to do it the manual way for learning purposes. I'll use memory scan on the next thing I work on.
Dark Byte
Site Admin
Reputation: 471

Joined: 09 May 2003
Posts: 25820
Location: The netherlands

PostPosted: Thu Jan 01, 2015 6:47 pm    Post subject:

A and B ok

C1/C2
Quote:

Move the 4 bytes of memory at the address contained at EDI (1009 2030) into register EDX. This is the wrong direction. We want to look for stuff going *into* 1009 2030, not from 1009 2030.

That makes no difference for pointers. You need to find the path to it, no matter if it's a write or a read.
Anyhow, it makes no difference in this case (you're going to look for 1009 2030 in both cases).

C3 is where you go wrong in 2 ways:
1: You enter the hexadecimal address. Instead you must first double-click the green address, and then copy/paste the address (which is in modulename+offset notation) and use that as base.

2: Modules loaded in 7xxxxxxx are usually system modules, so it's doubtful they contain an actual reference to the game-specific address. (It's possible, but unlikely.)

What you should have done is find what accesses 0008d854 and go from there. (And if that resulted in nothing, 0008e4c8, 0008e538, etc...)

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping.
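To illustrate Dark Byte's point about using the modulename+offset base instead of the raw hexadecimal address, here is a small Python model, added here and not code from the thread or from Cheat Engine: the game module lands at a different base on the next launch, so a pointer path anchored on the raw address walks into unmapped memory, while the same path anchored on game.exe+offset still resolves. The module name, offsets, addresses and ammo value are constructed for the illustration and are not Payday's real ones.

```python
import struct

class FakeProcess:
    # Tiny 32-bit little-endian memory image: address -> 4-byte word.
    def __init__(self):
        self.mem = {}
        self.modules = {}  # module name -> load base for this run

    def write32(self, addr, value):
        self.mem[addr] = value & 0xFFFFFFFF

    def read32(self, addr):
        if addr not in self.mem:
            raise KeyError(f"unmapped read at {addr:#010x}")
        return self.mem[addr]

    def resolve(self, base, offsets):
        # Walk the pointer path: deref base, then each offset but the last.
        addr = self.read32(base)
        for off in offsets[:-1]:
            addr = self.read32(addr + off)
        return addr + offsets[-1]

def float_to_bits(f):
    return struct.unpack("<I", struct.pack("<f", f))[0]

def bits_to_float(b):
    return struct.unpack("<f", struct.pack("<I", b))[0]

def build_run(game_base, heap_obj, ammo):
    # One launch of the game: the module lands at game_base and the static
    # pointer at game.exe+0x1234 (constructed) holds a heap object address.
    p = FakeProcess()
    p.modules["game.exe"] = game_base
    p.write32(game_base + 0x1234, heap_obj)
    p.write32(heap_obj + 0x10, float_to_bits(ammo))  # ammo float at +0x10
    return p

def module_address(p, module, offset):
    # "modulename+offset" base as Cheat Engine shows it: resolved per run.
    return p.modules[module] + offset

def read_ammo(p, base_addr):
    # Follow base -> [base] + 0x10 and decode the float; None if the chain
    # walks into unmapped memory (what a stale raw address does).
    try:
        return bits_to_float(p.read32(p.resolve(base_addr, [0x10])))
    except KeyError:
        return None
```

Run it twice with different game_base values and compare read_ammo on the raw address from the first run against read_ammo on module_address for each run.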
coffeeAchiever
Newbie cheater
Reputation: 0

Joined: 27 Dec 2014
Posts: 22

PostPosted: Thu Jan 01, 2015 8:09 pm    Post subject:

Dark Byte wrote:
A and B ok
C1/C2
Quote:

Move the 4 bytes of memory at the address contained at EDI (1009 2030) into register EDX. This is the wrong direction. We want to look for stuff going *into* 1009 2030, not from 1009 2030.

That makes no difference for pointers. You need to find the path to it, no matter if it's a write or a read.
Anyhow, it makes no difference in this case (you're going to look for 1009 2030 in both cases).


Oh, yeah. I'm not debugging an application. I'm just looking for pointers. I wasn't seeing the forest through the trees. Thanks!

Dark Byte wrote:

C3 is where you go wrong in 2 ways:
1: You enter the hexadecimal address. Instead you must first double-click the green address, and then copy/paste the address (which is in modulename+offset notation) and use that as base.

2: Modules loaded in 7xxxxxxx are usually system modules, so it's doubtful they contain an actual reference to the game-specific address. (It's possible, but unlikely.)

What you should have done is find what accesses 0008d854 and go from there. (And if that resulted in nothing, 0008e4c8, 0008e538, etc...)


OK, got it. Thanks for the help!