Cheat Engine The Official Site of Cheat Engine
Kajih Cheater Reputation: 1
Joined: 08 Feb 2021 Posts: 32
Posted: Thu Apr 21, 2022 12:08 pm Post subject: How do I access multi-level pointers?
Hey guys, another quick question: I am having an issue trying to figure out how to load a multi-level pointer. I tried the following code:
Code:
[ENABLE]
aobscanmodule(healthHover_hook,GameAssembly.dll,8B 41 30 89 45 10) // should be unique
alloc(newmem,$1000,healthHover_hook)
label(code)
label(return)
label(hHoverPTR)
label(factionPTR)
label(invalid)
newmem:
mov [hHoverPTR],rcx
push eax
mov eax,[rcx] // Base
or eax,eax
je short invalid
mov eax,[eax+10] // m_entity
or eax,eax
je short invalid
mov eax,[eax+80] // faction
or eax,eax
je short invalid
mov eax,[eax+30] // m_value
or eax,eax
je short invalid
mov [factionPTR],eax
invalid:
pop eax
code:
mov eax,[rcx+30]
mov [rbp+10],eax
jmp return
hHoverPTR:
dd 0
factionPTR:
dd 0
healthHover_hook:
jmp newmem
nop
return:
registersymbol(healthHover_hook)
registersymbol(hHoverPTR)
registersymbol(factionPTR)
[DISABLE]
healthHover_hook:
db 8B 41 30 89 45 10
unregistersymbol(healthHover_hook)
unregistersymbol(hHoverPTR)
unregistersymbol(factionPTR)
dealloc(newmem)
The instruction fires whenever I hover my mouse over a character; however, when the code is active, the game crashes when I hover. All I'm trying to do here is get the info from the multi-level pointer, which is rax+10+80+30. What I am trying to do eventually is a cmp on the pointer value.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4291
Posted: Thu Apr 21, 2022 1:16 pm Post subject:
`test eax,eax` is better, but in this case, you should be using try / except.
https://forum.cheatengine.org/viewtopic.php?p=5761822#5761822
Check if that instruction accesses any other addresses.
I'd use hHoverPTR instead. Add a memory record, pointer, base address "hHoverPTR", offsets 10, 80, 30 from what you said.
If the memory record works fine but the code injection doesn't, you're probably misunderstanding the pointer path.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Kajih Cheater Reputation: 1
Joined: 08 Feb 2021 Posts: 32
Posted: Thu Apr 21, 2022 1:33 pm Post subject:
Hi, so I took out my pointer code and just added a memory record of hHoverPTR with offsets 10, 80, 30, and I can see the correct value. So that works, but whenever I try to access it as per my code above, the game crashes.
I even tried an older method I learned a while back, but it still crashes:
Code:
[ENABLE]
aobscanmodule(healthHover_hook,GameAssembly.dll,8B 41 30 89 45 10) // should be unique
alloc(newmem,$1000,healthHover_hook)
label(code)
label(return)
label(hHoverPTR)
label(factionPTR)
newmem:
mov [hHoverPTR],rcx
mov eax,[rcx] // Base
cmp eax,0
je code
mov eax,[eax+10] // m_entity
cmp eax,0
je code
mov eax,[eax+80] // faction
cmp eax,0
je code
lea eax,[eax+30] // m_value
cmp eax,0
je code
mov [factionPTR],eax
code:
mov eax,[rcx+30]
mov [rbp+10],eax
jmp return
hHoverPTR:
dd 0
factionPTR:
dd 0
healthHover_hook:
jmp newmem
nop
return:
registersymbol(healthHover_hook)
registersymbol(hHoverPTR)
registersymbol(factionPTR)
[DISABLE]
healthHover_hook:
db 8B 41 30 89 45 10
unregistersymbol(healthHover_hook)
unregistersymbol(hHoverPTR)
unregistersymbol(factionPTR)
dealloc(newmem)
So I guess I don't fully understand the pointer path? I don't quite understand why my code is not working but the memory record is correct. What am I missing?
EDIT:
I am super confused right now. I stripped down my code to see what was going on and just try some stuff, and for some reason, whenever I create a new symbol it messes up the first one. I have no idea why.
I created this code as a test:
Code:
[ENABLE]
aobscanmodule(infHealth1,GameAssembly.dll,8B 41 30 89 45 10) // should be unique
alloc(newmem,$1000,infHealth1)
label(code)
label(return)
label(playerPTR)
label(factionPTR)
newmem:
mov [playerPTR],rcx
mov [factionPTR],rcx
code:
mov eax,[rcx+30]
mov [rbp+10],eax
jmp return
playerPTR:
dd 0
factionPTR:
dd 0
infHealth1:
jmp newmem
nop
return:
registersymbol(infHealth1)
registersymbol(playerPTR)
registersymbol(factionPTR)
[DISABLE]
infHealth1:
db 8B 41 30 89 45 10
unregistersymbol(infHealth1)
unregistersymbol(playerPTR)
unregistersymbol(factionPTR)
dealloc(newmem)
Then I just added these to my address list in CE. For some reason, they don't have the same address??? Shouldn't these two be the same, since I am getting them from the same register (rcx)? I feel like I'm losing my mind. lol
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4291
Posted: Thu Apr 21, 2022 2:44 pm Post subject:
Oh, my bad, I just noticed you're assuming pointers are 32 bits. In 64-bit processes, pointers are 64 bits (8 bytes). eax should be rax, and dd should be dq.
Code: ...
newmem:
mov [hHoverPTR],rcx
{$try}
mov rax,[rcx]
mov rax,[rax+10]
mov rax,[rax+80]
mov rax,[rax+30]
mov [factionPTR],rax
{$except}
mov eax,[rcx+30]
mov [rbp+10],eax
jmp return
align 8 CC
hHoverPTR:
dq 0
factionPTR:
dq 0
...
If it still doesn't work, double click the address of the memory record that works and post an image of the "Change address" window so I can see the working pointer path.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Kajih Cheater Reputation: 1
Joined: 08 Feb 2021 Posts: 32
Posted: Thu Apr 21, 2022 4:21 pm Post subject:
Ah right! dq was the correct definition. It still doesn't seem to be working, though; I might have missed something else. Updated code:
Code:
[ENABLE]
aobscanmodule(healthHover_hook,GameAssembly.dll,8B 41 30 89 45 10) // should be unique
alloc(newmem,$1000,healthHover_hook)
label(return)
label(hHoverPTR)
label(factionPTR)
newmem:
mov [hHoverPTR],rcx
{$try}
mov rax,[rcx]
mov rax,[rax+10]
mov rax,[rax+80]
mov rax,[rax+30]
mov [factionPTR],rax
{$except}
mov eax,[rcx+30]
mov [rbp+10],eax
jmp return
align 8 CC
hHoverPTR:
dq 0
factionPTR:
dq 0
healthHover_hook:
jmp newmem
nop
return:
registersymbol(healthHover_hook)
registersymbol(hHoverPTR)
registersymbol(factionPTR)
[DISABLE]
healthHover_hook:
db 8B 41 30 89 45 10
unregistersymbol(healthHover_hook)
unregistersymbol(hHoverPTR)
unregistersymbol(factionPTR)
dealloc(newmem)
I've attached a screenshot of my configuration, you can see that the factionPTR is not populated while the rest is.
[Attachment: screenshot of the configuration, 79.88 KB]
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4291
Posted: Thu Apr 21, 2022 4:52 pm Post subject:
The broken pointer path in the AA script is basically a level 5 pointer where the first and last offsets are 0.
hHoverPTR is memory CE allocated. Dereferencing it gives you rcx (296D7789A10 in the image). You should add 10 to that and then dereference it (i.e. `mov rax,[rcx+10]`), instead of dereferencing rcx first (i.e. `mov rax,[rcx]`) and then adding 10 later.
You shouldn't dereference the final offset (" = " vs " -> " in the change address window).
Code: ...
{$try}
mov rax,[rcx+10]
mov rax,[rax+80]
lea rax,[rax+30]
mov [factionPTR],rax
{$except}
...
_________________
I don't know where I'm going, but I'll figure it out when I get there.
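As an added illustration of the pointer-path rule ParkourPenguin gives above (example code written for this thread, not from Cheat Engine or the game): the C program below models the chain with constructed structs, resolves it the way a CE memory record does (dereference every level except the last), shows that the first script's path is the broken level-5 record, and checks why an address such as 296D7789A10 cannot survive eax or dd. The struct layouts, field values and the resolver are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed structs (assumed, not the game's real layout) reproducing the
   thread's path: [hHoverPTR] = rcx, [rcx+10] = m_entity, [m_entity+80] =
   faction, faction+30 = m_value. health sits at rcx+30 like the hooked code. */
typedef struct { uint8_t pad[0x30]; int32_t m_value; } Faction;
typedef struct { uint8_t pad[0x80]; Faction *faction; } Entity;
typedef struct { uint8_t hdr[0x10]; Entity *m_entity; uint8_t pad[0x18]; int32_t health; } Hover;

/* Memory-record semantics: read [base], then for every offset add it and
   dereference ("->"), except the last one, which is only added ("=").
   Returns 0 instead of faulting on a NULL level (the {$try}/{$except} case). */
uintptr_t resolve_path(uintptr_t base, const uintptr_t *offs, size_t n) {
    uintptr_t cur;
    memcpy(&cur, (const void *)base, sizeof cur);     /* [hHoverPTR] -> rcx */
    for (size_t i = 0; i < n; i++) {
        if (cur == 0) return 0;                       /* bad level: bail out */
        cur += offs[i];
        if (i + 1 < n) memcpy(&cur, (const void *)cur, sizeof cur);
    }
    return cur;                                       /* final step is lea   */
}

/* Holding a 64-bit pointer in eax or a dd slot drops the upper 32 bits, so an
   address above 4 GiB (like 296D7789A10 from the thread) is destroyed.     */
int survives_32bit_truncation(uintptr_t p) { return (uintptr_t)(uint32_t)p == p; }

static Faction g_faction; static Entity g_entity; static Hover g_hover;
static uintptr_t g_hHoverPTR;        /* stands in for the AA symbol hHoverPTR */

/* Build the chain with constructed values, resolve it with the given offsets
   and read the int32 at the final address; -1 if the path breaks.          */
int read_via_path(const uintptr_t *offs, size_t n) {
    memset(&g_faction, 0, sizeof g_faction); g_faction.m_value = 7;
    memset(&g_entity, 0, sizeof g_entity);   g_entity.faction = &g_faction;
    memset(&g_hover, 0, sizeof g_hover);     g_hover.m_entity = &g_entity;
    g_hHoverPTR = (uintptr_t)&g_hover;       /* mov [hHoverPTR],rcx */
    uintptr_t addr = resolve_path((uintptr_t)&g_hHoverPTR, offs, n);
    if (addr == 0) return -1;
    int32_t v; memcpy(&v, (const void *)addr, sizeof v);
    return v;
}

/* The working record vs. the first script's path (deref rcx before adding 10,
   deref the final offset too): a level-5 record 0,10,80,30,0. With the zeroed
   header in this model it fails at its second level instead of reading junk. */
static const uintptr_t PATH_OK[]    = { 0x10, 0x80, 0x30 };
static const uintptr_t PATH_WRONG[] = { 0, 0x10, 0x80, 0x30, 0 };
```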
Kajih Cheater Reputation: 1
Joined: 08 Feb 2021 Posts: 32
Posted: Thu Apr 21, 2022 5:14 pm Post subject:
Oh! OK, I see now. Now I just have one final question: this was all a test on my end to see how I can load a multi-level pointer, but I'm not too familiar with using try/except, so I'm not sure how I can use that when doing a compare. For instance, here is my current code for damage:
Code:
[ENABLE]
aobscanmodule(infHealth1,GameAssembly.dll,89 47 30 66 0F 6E C8) // should be unique
alloc(newmem,$1000,infHealth1)
label(code)
label(return)
newmem:
cmp [rdi+DA4],1 // is the player
jne code
mov eax,[rdi+30]
jmp return
code:
mov [rdi+30],eax
movd xmm1,eax
jmp return
infHealth1:
jmp newmem
nop 2
return:
registersymbol(infHealth1)
[DISABLE]
infHealth1:
db 89 47 30 66 0F 6E C8
unregistersymbol(infHealth1)
dealloc(newmem)
The instruction cmp [rdi+DA4],1 is not good, but the multi-level pointer I found (i.e. rdi+10+80+30) is. How can I use try/catch while doing a compare? Since I need to either jump the code if it's an enemy or grab the current health if it's the player.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4291
Posted: Thu Apr 21, 2022 5:37 pm Post subject:
Use jmp instructions as shown in DB's post I linked.
You don't need try/except unless the pointer path is sometimes bad. If it works without them, then just use it.
_________________
I don't know where I'm going, but I'll figure it out when I get there.