first100used Newbie cheater
Reputation: 0
Joined: 23 Mar 2012 Posts: 11
|
Posted: Sat Mar 24, 2012 1:54 pm Post subject: Finding a pointer (please help) |
|
|
I have not been successful finding a pointer in Kingdoms of Amalur: Reckoning. I found the address of the value that I wish to modify, and searched for what writes to this address, and this is what came up:
Code:
008FB3C6 - 8B 76 04 - mov esi,[esi+04]
008FB3C9 - 89 48 08 - mov [eax+08],ecx
008FB3CC - 89 70 0C - mov [eax+0C],esi <<
008FB3CF - 8B 47 0C - mov eax,[edi+0C]
008FB3D2 - 8D 0C 85 00000000 - lea ecx,[eax*4+00000000]

EAX=7D22C210
EBX=137E5280
ECX=00000003
EDX=00000004
ESI=00000064
EDI=7D05E520
ESP=0018EFA0
EBP=0018EFB0
EIP=008FB3CF

The value of the pointer needed to find this address is probably 7D22C210.
I searched for 7D22C210, and 3 results were found. One of the results was green, and the other two were black. I've tried all 3 results so far and I use 0C as the offset, but when I restart the game none of these point to the correct address. I was able to find correct pointers in the CE tutorial, but I can't find any pointers that work in this game. Can you offer any advice please?
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25829 Location: The netherlands
|
Posted: Sat Mar 24, 2012 3:06 pm Post subject: |
|
|
Have you done step 8 of the tutorial? Multilevel pointers? Or did you cheat on that by using a YouTube movie?
Anyhow, find out what accesses all the 3 addresses and find the pointers to there. If nothing accesses an address, you can throw it away.
And if all else fails: pointerscan or code injection.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
first100used Newbie cheater
Reputation: 0
Joined: 23 Mar 2012 Posts: 11
|
Posted: Sat Mar 24, 2012 8:47 pm Post subject: |
|
|
Dark Byte wrote:
> Have you done step 8 of the tutorial? Multilevel pointers? Or did you cheat on that by using a YouTube movie?

This is not a very kind thing to say. It really seems like you don't like people who are not efficient at using your program. I have posted on this forum a total of 2 times, and you replied to each of those posts with negative comments that made me feel bad, followed by some advice. Thanks for the advice, but no thanks for the belittlement. I was having a great day, and I was very excited about CE, but you totally discouraged me.
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25829 Location: The netherlands
|
Posted: Sat Mar 24, 2012 9:37 pm Post subject: |
|
|
Sorry if I offended you. My comments are not meant to be negative, but to poll the experience/knowledge level and to make you think about the basis of the problem.
It's just that people often mention that they've done the tutorial, and later we find out that they only did steps 1 to 6 and skipped the most important step 8, or just saw it in a YouTube movie showing off the tutorial solution, or read the required offsets in someone's post and applied them, without ever learning why it works like that. Your explanation, for example, didn't mention anything about even trying to go for the second-level pointer, so I asked if you did step 8, and if you understood it, or just bypassed the learning potential of that specific step. Based on that I would recommend redoing that step or explain it better.
On this forum we don't often feed the direct answer, but try to make you solve them instead.
first100used Newbie cheater
Reputation: 0
Joined: 23 Mar 2012 Posts: 11
|
Posted: Sun Mar 25, 2012 2:55 am Post subject: |
|
|
Thanks for the apology; I appreciate it, and again, thanks for the advice.
first100used Newbie cheater
Reputation: 0
Joined: 23 Mar 2012 Posts: 11
|
Posted: Sun Mar 25, 2012 5:55 pm Post subject: |
|
|
I tried to find out what accesses each of the addresses, and nothing accesses any of them. If I use pointerscan, I get thousands of results. There is nothing in the tutorial about how to use this feature. Could you help me understand it better please? Also, how would I use code injection in this scenario? I don't fully understand the purpose of code injection. Would I be attempting to redirect where the pointer points when I load the game, or would I be attempting to do something else?
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25829 Location: The netherlands
|
Posted: Sun Mar 25, 2012 6:02 pm Post subject: |
|
|
After the pointerscan is finished and you have billions of results (that's normal), restart the game, and then use the rescan option of the pointerscan and look for the new address. That will filter out the paths that are not working.
Repeat this a few times and you'll be left with a couple of thousand or so pointers that will be valid most of the time. (You can filter out those that go bad on occasion by using a delayed rescan.)
Just pick one. (I recommend the one with the least number of offsets and the smallest values.)
If the pointerscan finds nothing then try a higher level, or a bigger structure size.
---
As for code injection, first do a "Find out what addresses this code accesses" on "mov [eax+0C],esi".
Then see if it accesses more than one (most likely), how often, and if there is a way to distinguish between the address you need and the ones you do not need.
Then use the code injection template of the auto assembler and write a routine that saves the address of eax to a known location (e.g. allocated yourself) and then use a pointer entry in the addresslist to reference it.
If you can't find out the difference, see what accesses the address instead of writes. Perhaps you have more luck with one of the readers (GUI updates tend to access your variable only).
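The rescan filtering described in the post above, as an added example that is not part of the original thread and does not use Cheat Engine's own code. The memory snapshots, the static base addresses and the second-run addresses are constructed; only the first-run structure address 7D22C210 and the final offset 0C come from the thread.

```python
# Added example. Memory snapshots are constructed; only the first-run struct
# address 0x7D22C210 and the final offset 0x0C come from the thread.
from typing import Dict, List, Optional, Tuple

Memory = Dict[int, int]              # address -> 32-bit value stored there
Path = Tuple[int, Tuple[int, ...]]   # (base address, offsets)

def resolve(mem: Memory, path: Path) -> Optional[int]:
    """Read the base, then dereference after every offset but the last."""
    base, offsets = path
    addr = mem.get(base)
    for off in offsets[:-1]:
        if addr is None:             # path ran into unmapped memory
            return None
        addr = mem.get(addr + off)
    return None if addr is None else addr + offsets[-1]

def rescan(paths: List[Path], mem: Memory, target: int) -> List[Path]:
    """Keep only the paths that still land on the value's new address."""
    return [p for p in paths if resolve(mem, p) == target]

def pick(paths: List[Path]) -> Path:
    """Prefer the fewest offsets, then the smallest offset values."""
    return min(paths, key=lambda p: (len(p[1]), max(p[1])))

RUN1 = {0x00C41000: 0x7D05A000, 0x7D05A010: 0x7D22C210,   # static, 2 levels
        0x00C43000: 0x7D070000, 0x7D070020: 0x7D071000,
        0x7D071040: 0x7D22C210,                            # static, 3 levels
        0x00C42000: 0x7D060000, 0x7D060008: 0x7D22C210,   # valid this run only
        0x13000000: 0x7D22C210}                            # heap copy, 1 level
RUN2 = {0x00C41000: 0x6A003000, 0x6A003010: 0x6A10F400,
        0x00C43000: 0x6A030000, 0x6A030020: 0x6A031000,
        0x6A031040: 0x6A10F400,
        0x00C42000: 0x6A020000,                            # +08 no longer mapped
        0x13000000: 0x00000000}                            # stale after restart

CANDIDATES: List[Path] = [
    (0x00C41000, (0x10, 0x0C)),
    (0x00C43000, (0x20, 0x40, 0x0C)),
    (0x00C42000, (0x08, 0x0C)),
    (0x13000000, (0x0C,)),
]

def surviving_paths() -> List[Path]:
    first = rescan(CANDIDATES, RUN1, 0x7D22C210 + 0x0C)   # initial scan
    return rescan(first, RUN2, 0x6A10F400 + 0x0C)          # after a restart

if __name__ == "__main__":
    for base, offs in surviving_paths():
        print(f"{base:08X} -> " + ", ".join(f"{o:X}" for o in offs))
    print("picked:", pick(surviving_paths()))
```

The one-level heap copy would win on "fewest offsets" in the first run, which is why the pick only happens after the restart has filtered it out.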
first100used Newbie cheater
Reputation: 0
Joined: 23 Mar 2012 Posts: 11
|
Posted: Sun Mar 25, 2012 6:39 pm Post subject: |
|
|
Dark Byte wrote:
> Then use the code injection template of the auto assembler and write a routine that saves the address of eax to a known location (e.g allocated yourself) and then use a pointer entry in the addresslist to reference it.

Would you please give me an example of what this routine might look like?
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25829 Location: The netherlands
|
Posted: Mon Mar 26, 2012 4:23 am Post subject: |
|
|
Code:
alloc(myscript,2048)
alloc(pointerlocation1,4)
registersymbol(pointerlocation1)
label(originalcode)
label(returnhere)

myscript:
//add an optional check here to see if the state is what you want
mov [pointerlocation1],eax //store the value of eax into "pointerlocation1"

originalcode:
//the original code, e.g.:
mov [eax+0C],esi
mov eax,[edi+0C] //2 instructions because the first one was too small (CE will do this automatically for you when using the template)
jmp returnhere //go back to the origin

008FB3CC:
jmp myscript
nop
returnhere:

Now you can add a pointer that looks like
Code:
off1: 0c
base: pointerlocation1

pointerlocation1 can be used just like that when the script has been executed.
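The byte layout the script in the post above produces, as an added example that is not part of the original thread and is not Cheat Engine's assembler. The hook address and the two displaced instructions are from the thread; CAVE and PTRLOC are assumed stand-ins for whatever the two alloc() calls return, and A3 moffs32 is one valid encoding of the store, not necessarily the one CE emits.

```python
# Added example. HOOK and ORIGINAL come from the thread; CAVE and PTRLOC are
# assumed addresses standing in for the results of the script's alloc() calls.
import struct
from typing import Optional

HOOK = 0x008FB3CC
ORIGINAL = bytes.fromhex("89700C8B470C")  # mov [eax+0C],esi ; mov eax,[edi+0C]
CAVE = 0x02A50000                          # assumed: alloc(myscript,2048)
PTRLOC = 0x02A60000                        # assumed: alloc(pointerlocation1,4)

def jmp_rel32(src: int, dst: int) -> bytes:
    """E9 rel32; the displacement counts from the end of the 5-byte jmp."""
    return b"\xE9" + struct.pack("<I", (dst - (src + 5)) & 0xFFFFFFFF)

def build_patch(hook: int, cave: int, original: bytes) -> bytes:
    """Bytes written over the hook site: jmp cave, then nop padding so no
    half-overwritten instruction is left behind."""
    if len(original) < 5:
        raise ValueError("need at least 5 bytes of whole instructions")
    return jmp_rel32(hook, cave) + b"\x90" * (len(original) - 5)

def build_cave(hook: int, cave: int, ptrloc: int, original: bytes) -> bytes:
    """mov [ptrloc],eax (A3 moffs32), the displaced instructions, jmp back.
    Copying them verbatim is safe here because neither has a relative operand."""
    body = b"\xA3" + struct.pack("<I", ptrloc) + original
    return body + jmp_rel32(cave + len(body), hook + len(original))

def detour_target(code: bytes, addr: int) -> Optional[int]:
    """If the code at addr starts with jmp rel32, return its destination."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    (rel,) = struct.unpack("<i", code[1:5])
    return (addr + 5 + rel) & 0xFFFFFFFF

if __name__ == "__main__":
    patch = build_patch(HOOK, CAVE, ORIGINAL)
    cave = build_cave(HOOK, CAVE, PTRLOC, ORIGINAL)
    print("site:", patch.hex(" "))
    print("cave:", cave.hex(" "))
    print("site jumps to %08X" % detour_target(patch, HOOK))
    print("unpatched site:", detour_target(ORIGINAL, HOOK))
```

Comparing the six bytes at 008FB3CC against the original `89 70 0C 8B 47 0C` is also how the patch can be recognised afterwards: once the script has run they read `E9 <rel32> 90` instead.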
first100used Newbie cheater
Reputation: 0
Joined: 23 Mar 2012 Posts: 11
|
Posted: Tue Mar 27, 2012 4:40 pm Post subject: |
|
|
Dark Byte wrote:
> Now you can add a pointer that looks like
> Code:
> off1: 0c
> base: pointerlocation1
> pointerlocation1 can be used just like that when the script has been executed.

Will this segment be a separate routine?
Do I have to write an address or a register after "pointerlocation1"? I don't really understand what "pointerlocation1" means/does. I'm rather confused.
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25829 Location: The netherlands
|
Posted: Tue Mar 27, 2012 5:05 pm Post subject: |
|
|
After the script has been executed you can just give as address pointerlocation1,
just like that, as a string.
CE will interpret the string to an address (specifically, the address the script allocates).