Cheat Engine

[Bunny_Wabbit]

Just finished watching another video by Stephen Chapman and I noticed in memory view there are were some instructions under the opcode column that had the name of the EXE followed by a + and then another address. I've seen that a few times. Others will be MOV instructions, or ADD, SUB, JMP, whatever, but then I see game.exe+1C0FFD10.

Edit: Hmm, I feel like his video 'Cheat Engine 6.4 Tutorial Part 10: Introduction to Multilevel Pointers!' is a bit too fast compared to his earlier ones. He introduces a bit too many processes in too little time without explaining much. Maybe I'll try watching it again. I mean, I get the concept of a multilevel pointer, like getting to the company CEO by going up the chain of command, but I don't know why he copies the register address AND the offset. Why not just add it up on a hex calculator and wipe the need to type in the offsets?

[ParkourPenguin]

When you start a program on your computer, the operating system is responsible for setting everything up so that it can run. This involves giving it its own memory and loading the .exe file into that memory. When CE displays an address as "game.exe+XXXX", CE is saying that address is a part of the exe file that was loaded into memory. CE does this because the OS might load the exe at a different location in memory; however, values in the exe file (usually) don't change their location inside the exe file. This lets CE find that address again by simply figuring out where the exe file is loaded and adding an offset to that.

The ability to easily find these addresses even when the game is restarted makes them suitable as a base address for a pointer path.
DB put up a series of videos covering the CE tutorial that you may find useful (step 8 here; see step 6 for his brief intro to pointers). There is an overwhelming amount of information on pointers, so if you don't understand one person's explanation, there's a million more you can listen to.

[predprey]