whismerhill How do I cheat? Reputation: 0
Joined: 18 Apr 2017 Posts: 5
Posted: Tue Apr 18, 2017 11:08 am Post subject: Cheat Engine Hex Autoconversion to DLL+Offset ? |
Hi,
First, I'm a noob, albeit a little bit of a programmer.
I managed to follow the tutorial up until the multiple pointers, which just got me confused after a while :p
I recently used Cheat Engine 6.6 and tried dealing with pointers (apparently simple pointers),
and I made a discovery of sorts:
I first found a bunch of addresses for multiple values, and I could find them again on each executable relaunch (with a search).
Then I found a pointer listed as green (so a static address, if I'm right).
I added it as a pointer.
However, restarting Cheat Engine & the executable left the pointer at ??????
So I researched the pointer again.
I found an address that held the pointer;
it was 0x6a0c7a6c, again listed as green, and it pointed to 0x05765630 (however, that last one varies, obviously).
I first added it as a normal address.
I then added it as a pointer.
Now, restarting the executable,
the pointer was P->????????? again.
HOWEVER, the normal address (not pointer) 0x6a0c7a6c got automagically translated to "D3D9.DLL + 37A6C", by Cheat Engine itself I suppose, because I did nothing of the sort.
Then replacing the address of the pointer with "D3D9.DLL + 37A6C" made the pointer work all the time, over executable restarts.
Questions:
- Can anyone sort of explain what happened there?
- If Cheat Engine does this translation/conversion for normal addresses, why doesn't it do it for pointers?
Thanks for any answer (even "go RTFM", even if that won't help me much because I'm really lost, and reading stuff on the internet I don't understand it all yet most of the time :p)
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Tue Apr 18, 2017 12:41 pm Post subject: |
What's happening is that the address is static in reference to the module it is part of. That module is named "D3D9.DLL", and the address is always at the start of the DLL + 37A6C bytes, so if D3D9.DLL were loaded at 0 then the pointer would be at 37A6C; if it were loaded at 400000 (the default for executable modules, .exe files) then it'd be at 400000 + 37A6C = 437A6C. If the module were placed into the same memory every time, then the pointer would always be at the same address, but if it's loaded into a different place in memory each time (which DLLs often are), then the pointer would be at a different place in memory but still have the same offset from the module.
CE will replace the name of a module in quotes (e.g. "D3D9.DLL") with the module's "base address". If you were using a language like C++ to write a trainer, then you'd need to look up that base address yourself and use it instead.
Can't say off the top of my head why / when CE will add the module name as part of an address and when it won't, however.
http://opensecuritytraining.info/LifeOfBinaries.html goes over some of this info, though it's not really related to CE in any way (I also found the x86 courses there helpful when I started writing scripts).
whismerhill How do I cheat? Reputation: 0
Joined: 18 Apr 2017 Posts: 5
Posted: Tue Apr 18, 2017 2:42 pm Post subject: |
Thanks a lot for that.
Is there a way to know where DLLs are loaded, though?
Kind of, hum... a listing of currently loaded DLLs & their base addresses?
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Tue Apr 18, 2017 4:21 pm Post subject: |
Certainly. Open the memory view and go to View->"Enumerate DLL's and Symbols", or use the shortcut ctrl+alt+s in the memory viewer. The shortcut is context dependent, so if you don't have a memory viewer window focused it won't do what you expect; you can use ctrl+m to open the memory viewer from the main CE window. Inside the memory viewer, that will toggle whether it shows the address using the module name or not (e.g. "Tutorial-i386.exe"+14D910 vs just 0054D910).
You can also go to View->"Memory Regions" from the memory viewer (ctrl+r in the memory viewer) and see separate sections of memory and their protection (whether you can read, write, or execute data in it). Many of the entries (seemingly all of the "image" ones, which tend to be modules) will have a path and name for the module they belong to.
Note that you can also use the module name when using "goto address" (ctrl+g): typing ntdll.dll would take you to the base address of the ntdll.dll module (assuming it's loaded, and it is a common Windows DLL), and typing ntdll.dll + 55 would take you to the base address + 55.
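Added example (not from the thread, and not Cheat Engine's own code): the base+offset arithmetic FreeER describes, in Python, against a constructed module table whose base addresses and sizes are hypothetical. `resolve` turns a "module + offset" expression into an absolute address, `symbolize` does the reverse (the rewrite CE applied to 0x6a0c7a6c), and rebasing the module shows why the expression survives a relaunch while the raw address does not.

```python
import re

# Constructed module table: name -> (base address, size in bytes).
# Values are hypothetical; in a live process they come from the loader,
# which is what CE lists under "Enumerate DLL's and Symbols".
MODULES = {
    "Tutorial-i386.exe": (0x00400000, 0x00200000),
    "D3D9.DLL":          (0x6A090000, 0x001C0000),
    "ntdll.dll":         (0x77A00000, 0x00180000),
}

# Accepts  module, "module"+HEX, module + HEX, module+0xHEX  (only '+' is handled here).
_EXPR = re.compile(r'^\s*"?([^"+\s]+)"?\s*(?:\+\s*(?:0x)?([0-9A-Fa-f]+))?\s*$')


def resolve(expr, modules=MODULES):
    """Replace the module name with its base address and add the hex offset."""
    m = _EXPR.match(expr)
    if not m:
        raise ValueError(f"not a module+offset expression: {expr!r}")
    name, off = m.groups()
    # Module names are matched case-insensitively, as a loader lookup would be.
    base = next((b for n, (b, _) in modules.items() if n.lower() == name.lower()), None)
    if base is None:
        raise LookupError(f"module {name} is not loaded")
    return base + (int(off, 16) if off else 0)


def symbolize(address, modules=MODULES):
    """Inverse of resolve: find the module whose image contains the address
    and express it as "module"+offset. Returns None for addresses outside
    every module (heap, stack), which is why 0x05765630 never gets rewritten."""
    for name, (base, size) in modules.items():
        if base <= address < base + size:
            return f'"{name}"+{address - base:X}'
    return None


def rebase(modules, name, new_base):
    """Simulate the DLL being loaded at a different address on relaunch."""
    moved = dict(modules)
    moved[name] = (new_base, modules[name][1])
    return moved


if __name__ == "__main__":
    print(symbolize(0x6A0C7A6C))                      # "D3D9.DLL"+37A6C
    print(hex(resolve('"D3D9.DLL" + 37A6C')))         # 0x6a0c7a6c
    relaunched = rebase(MODULES, "D3D9.DLL", 0x6B100000)
    print(hex(resolve('"D3D9.DLL" + 37A6C', relaunched)))  # 0x6b137a6c
```

The raw address 0x6A0C7A6C is only valid for one load base; after the rebase the same expression resolves to a new absolute address, which is exactly why the module-relative form kept working across restarts.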