Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Cheat Engine Hex Autoconversion to DLL+Offset ?

 
whismerhill
Posted: Tue Apr 18, 2017 11:08 am

hi,
first I'm a noob albeit a little programmer.
I managed to follow the tutorial up until the multiple pointers
which just got me confused after a while :p

I recently used cheat engine 6.6 and tried dealing with pointers (apparently simple pointers)
and I made a discovery of sort:
I first found a bunch of addresses for multiple values, and I could refind them each executable relaunch (with a search).
then I found a pointer listed as green (so a static address if I'm right)
I added it as a pointer
however restarting cheat engine & the executable left the pointer to ??????
so I researched the pointer again
I found an address that held the pointer
it was 0x6a0c7a6c again listed as green and it pointed to 0x05765630 (however that last one varies obviously)
I first added it as a normal address
I then added it as a pointer

now restarting the executable
the pointer was P->????????? again

HOWEVER the normal address (not pointer) of 0x6a0c7a6c got Automagically translated to "D3D9.DLL + 37A6C" by cheatengine itself I suppose cause I did nothing of the sort :)

then replacing the address of the pointer to "D3D9.DLL + 37A6C" made the pointer working all the time over executable restarts

questions :
-can anyone sort of explain what happened there ?
-if cheat engine does this translation/conversion for normal addresses why doesn't it do it for pointers ?

Thanks for any answer (even go RTFM, even if that won't help me much cause I'm really lost and reading stuff on internet I don't understand it all yet most of the time :p)

FreeER
Posted: Tue Apr 18, 2017 12:41 pm

What's happening is that the address is static in reference to the module it is part of. That module is named "D3D9.DLL" and the address is always at the start of the dll + 37A6C bytes, so if D3D9.DLL was loaded at 0 then the pointer would be at 37A6C; if it was loaded at 400000 (default for executable modules, .exe files) then it'd be at 400000 + 37A6C = 437A6C. If the module was placed into the same memory every time then the pointer would always be at the same address, but if it's loaded into a different place in memory each time (which dlls often are) then the pointer would be at a different place in memory but still have the same offset to the module.

CE will replace the name of a module in quotes (e.g. "D3D9.DLL") with the module's "base address". If you were using a language like C++ to write a trainer then you'd need to look up that base address yourself and use it instead.

Can't say off the top of my head why / when CE will add the module name as part of an address and when it won't however.

http://opensecuritytraining.info/LifeOfBinaries.html goes over some of this info though it's not really related to CE in any way (I also found the x86 courses there helpful when I started writing scripts).

whismerhill
Posted: Tue Apr 18, 2017 2:42 pm

FreeER wrote:
...

thanks a lot for that.
is there a way to know where dlls are loaded though ?
kind of hum ... a listing of currently loaded DLLs & their base addresses ?

FreeER
Posted: Tue Apr 18, 2017 4:21 pm

Certainly :) Open the memory view and go to view->"Enumerate DLL's and Symbols" or use the shortcut ctrl+alt+s in the memory viewer. The shortcut is context dependent, so if you don't have a memory viewer window focused it won't do what you expect; you can use ctrl+m to open the memory viewer from the main CE window. Inside the memory viewer, that will toggle whether it shows the address using the module name or not (e.g. "Tutorial-i386.exe"+14D910 vs just 0054D910).

You can also go to view->"Memory Regions" from the memory viewer (ctrl+r in the memory viewer) and see separate sections of memory and their protection (whether you can read, write, or execute data in it). Many of the entries (seemingly all of the "image" ones, which tend to be modules) will have a path and name for what module it belongs to.

Note that you can also use the module name when using "goto address" (ctrl+g): typing ntdll.dll would take you to the base address of the ntdll.dll module (assuming it's loaded, and it is a common Windows dll) and typing ntdll.dll + 55 would take you to the base address + 55 :)
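
The module-relative addressing described in the replies above, as an added example that is not part of the original thread or Cheat Engine's own code: it converts between absolute addresses and "module"+offset notation for two launches where D3D9.DLL loads at different bases. The names `Module`, `LAUNCH_1`, `LAUNCH_2`, `to_symbolic` and `to_absolute` are hypothetical, and the module sizes and the second-launch base are constructed; only the first D3D9.DLL base (0x6A0C7A6C - 0x37A6C) and the Tutorial-i386.exe base follow from the posts.

```python
import re
from typing import List, NamedTuple, Optional


class Module(NamedTuple):
    name: str
    base: int   # address the image was loaded at in this launch
    size: int   # constructed; real sizes come from the process's module list


# Constructed module maps for two launches of the same program.
LAUNCH_1 = [Module("Tutorial-i386.exe", 0x00400000, 0x00200000),
            Module("D3D9.DLL", 0x6A090000, 0x001C0000)]
LAUNCH_2 = [Module("Tutorial-i386.exe", 0x00400000, 0x00200000),
            Module("D3D9.DLL", 0x5F2B0000, 0x001C0000)]  # rebased DLL


def to_symbolic(addr: int, modules: List[Module]) -> str:
    """Absolute address -> '"MODULE"+OFFSET', or plain hex if in no module."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return f'"{m.name}"+{addr - m.base:X}'
    return f"{addr:08X}"  # heap/stack address: no stable module-relative form


# Accepts "D3D9.DLL"+37A6C, D3D9.DLL + 37A6C, or a bare module name.
_SYM = re.compile(r'^\s*"?([^"+]+?)"?\s*(?:\+\s*([0-9A-Fa-f]+))?\s*$')


def to_absolute(expr: str, modules: List[Module]) -> Optional[int]:
    """'"MODULE"+OFFSET' -> absolute address in this launch, or None."""
    match = _SYM.match(expr)
    if not match:
        return None
    name = match.group(1).strip()
    offset = int(match.group(2) or "0", 16)
    for m in modules:
        if m.name.lower() == name.lower():  # Windows module names ignore case
            # Refuse offsets past the image end instead of returning a stray address.
            return m.base + offset if offset < m.size else None
    return None  # module not loaded in this process


if __name__ == "__main__":
    print(to_symbolic(0x6A0C7A6C, LAUNCH_1))
    print(hex(to_absolute('"D3D9.DLL"+37A6C', LAUNCH_2)))
```

The value the static pointer held in the first post (0x05765630) falls outside every module, which is why it has no module-relative form and changes between launches.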