Doctor Death Cheater
Reputation: 1
Joined: 26 Apr 2014 Posts: 42 Location: Breaking Code
Posted: Sun Jan 25, 2015 5:13 pm Post subject: Questions Relating to Assembly
What does it mean when you do "eax+21" or "ebx-004"?
What is a pointer?
What is an offset?
This one is a bit complicated: So I'm trying to get unlimited bombs on this game, so I find the address for the value of bombs I have, but when I have to restart the client (usually because of a crash) the address is always different. But one thing I notice is that it always ends with "44".
How come it changes every time I restart, and how come the end of the address is always the same?
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25832 Location: The netherlands
Posted: Sun Jan 25, 2015 5:34 pm
Quote: What does it mean when you do "eax+21" or "ebx-004"?

eax is a register in the CPU. It can contain a 32-bit value (a value between 0 and 0xffffffff).
If eax is 0, then eax+21 would be 21.
If eax is 10000000, then eax+21 would be 10000021.
Same for ebx-004. ebx is a register in the CPU.

Quote: What is a pointer?

A pointer is a memory location that holds 4 bytes that together make up an address.
That address can be loaded into a CPU register.

Quote: What is an offset?

An offset is the distance in bytes after the address a pointer points to.
So if a pointer holds the value 10000000 and the offset is 21, then the final address would be 10000021.

Quote:
This one is a bit complicated: So I'm trying to get unlimited bombs on this game, so I find the address for the value of bombs I have, but when I have to restart the client (usually because of a crash) the address is always different. But one thing I notice is that it always ends with "44".
How come it changes every time I restart, and how come the end of the address is always the same?

That is because memory managers tend to allocate bigger memory blocks on a certain alignment.
Let's say you have a Player object which contains all the data about the player, from the current position and total steps taken to the number of bombs.
So when the game allocates the Player object, it will always be allocated at an address that ends with 2 or 3 0's, e.g. 123456700 or abcd12c00.
Now, because bombs is part of the player, it will always be at the same distance (offset) from the start of the player object, e.g. 0x44 bytes, resulting in an address of 123456744 or abcd12c44.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
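An added example (not code from this thread) of the alignment point above: a hypothetical Player struct with bombs 0x44 bytes in, allocated on a 0x100 boundary (the boundary is an assumption standing in for the game's allocator). Two allocations land at different addresses, as after a restart, but the address of bombs always ends in 44.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

#define PLAYER_ALIGN 0x100u  /* assumption: the allocator hands out 0x100-aligned blocks */

/* Hypothetical game object: the thread only says bombs sit 0x44 bytes into the
 * Player, so everything before it is modelled as opaque padding. */
typedef struct {
    uint8_t  position_and_stats[0x44];  /* current position, steps taken, ... */
    uint32_t bombs;
    uint8_t  rest[PLAYER_ALIGN - 0x48];  /* pad the object to one aligned block */
} Player;

/* Allocate a Player the way an aligned allocator would; NULL on failure. */
Player *player_new(void)
{
    Player *p = aligned_alloc(PLAYER_ALIGN, sizeof(Player));
    if (p) p->bombs = 3;
    return p;
}

/* Low byte of the address of p->bombs: this is the "44" the poster keeps seeing. */
unsigned bombs_addr_low_byte(const Player *p)
{
    return (unsigned)((uintptr_t)&p->bombs & 0xFFu);
}

/* Allocate two players: the full addresses differ (like after a restart),
 * but the low byte of the bombs address does not. Returns 1 when both hold. */
int restart_keeps_low_byte(void)
{
    Player *a = player_new(), *b = player_new();
    int ok = a && b && a != b &&
             bombs_addr_low_byte(a) == 0x44u && bombs_addr_low_byte(b) == 0x44u &&
             offsetof(Player, bombs) == 0x44u;
    free(a);
    free(b);
    return ok;
}
```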
Doctor Death Cheater
Posted: Sun Jan 25, 2015 5:39 pm
Dark Byte wrote: [the previous reply, quoted in full]
For the last question, how do people make code injection on exactly what they want, even if they restart the program?
Dark Byte Site Admin
Posted: Sun Jan 25, 2015 6:45 pm
Code injection is based on editing the code.
Code is usually at a static address that can be found by using the base address of the module it's loaded in and a specific distance.
An alternate method would be to look for a signature of that code (since code doesn't change at runtime) and find it that way.
Once found, they do a code injection to store the registers the code accesses and then work with that (e.g. they get the address of the player, then add 0x44 to it to get the number of bombs).
--
Now, an alternate method besides code injection, which is quite complex for a beginner, is pointers.
Pointers begin at a known location in memory that never changes, and they point to a path of other locations that eventually result in the address you're interested in.
Pointers can be done quite easily, using some manual debugging or, even easier, the pointerscan.
The pointerscan is easy to use: just let it scan for your address, restart the game, find the address again, do a rescan for the new address, and you'll have a bunch of pointer paths that stayed the same during a restart of the game.
Note though that while the pointerscan is easy to use, it can take a long time and WILL eat up every bit of RAM your system has, and then some.
Also, depending on the game, the default settings may not be good enough. Sometimes you need to increase the max offset and level if you find out it didn't find anything, but increasing them will increase the time to scan exponentially as well.
Doctor Death Cheater
Posted: Sun Jan 25, 2015 8:19 pm
Dark Byte wrote: [the previous reply, quoted in full]
lol
how do you do the pointerscan?
Dark Byte Site Admin
Posted: Sun Jan 25, 2015 8:34 pm
memoryview->tools->pointerscan. Or just right-click the address in the bottom address list and choose pointerscan.
Doctor Death Cheater
Posted: Sun Jan 25, 2015 9:36 pm
Dark Byte wrote: memoryview->tools->pointerscan. Or just right-click the address in the bottom address list and choose pointerscan.
wow.. there are lots of buttons & words O.o
how about debugging memory? what does that mean?
Dark Byte Site Admin
Posted: Sun Jan 25, 2015 9:39 pm
Using the debugger to find the offsets and then randomly picking an address, hoping it's being used, and continuing from there. (It's complex.)
Try the Cheat Engine tutorial, steps 6 and 8.
Doctor Death Cheater
Posted: Sun Jan 25, 2015 9:47 pm
Dark Byte wrote: Using the debugger to find the offsets and then randomly picking an address, hoping it's being used, and continuing from there. (It's complex.)
Try the Cheat Engine tutorial, steps 6 and 8.
okay, will do.
what else is the debugger used for?
Doctor Death Cheater
Posted: Sun Feb 01, 2015 3:50 pm
Dark Byte..
Let's say I found a static address that contains a pointer, that ALWAYS points to an address holding a game's time.
How would I make an AA script that will nop that time address, no matter how many times I restart the game?
Dark Byte Site Admin
Posted: Sun Feb 01, 2015 4:02 pm
Code:
[enable]
staticaddress: //written as modulename+offset
nop
nop
nop
nop
nop
//... as long as the instruction is
[disable]
staticaddress: //written as modulename+offset
originalcode
Doctor Death Cheater
Posted: Sun Feb 01, 2015 4:20 pm
Dark Byte wrote: [the AA script above, quoted in full]
Um, that code only nop'd the pointer's address.. not the address it pointed to..
:/
Also, another question:
http://puu.sh/fl3iL/48921469de.png
See under the check box, it has "88" and "bb8".
What are those? How do they help with the pointer? Because when I don't include them, it says "???" for everything.
Dark Byte Site Admin
Posted: Sun Feb 01, 2015 4:25 pm
Then use a memory record entry as shown in that screenshot.
Those are offsets; they describe the path to the address. But if, as you say, you found a static address that points to the specific address with no difference, then the offset is 0 and there is only 1 offset.
Doctor Death Cheater
Posted: Sun Feb 01, 2015 4:30 pm
Dark Byte wrote: Then use a memory record entry as shown in that screenshot.

But what if I don't want to create memory records every time I want to modify pointer addresses?

Dark Byte wrote: Those are offsets; they describe the path to the address. But if, as you say, you found a static address that points to the specific address with no difference, then the offset is 0 and there is only 1 offset.

How exactly do they describe the path to the address?
Dark Byte Site Admin
Posted: Sun Feb 01, 2015 5:06 pm
Once you have a memory record to a static pointer, you never have to modify it again (until the game gets an update).

Quote: How exactly do they describe the path to the address?

The static base address holds a value which represents an address.
The offset increases that address by a given value, so it points to address+offset (so if the static address at 00400500 contains the value 12340000, then offset bb8 would make it 12340bb8).
Do the pointer steps of the tutorial; they explain this.
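An added example, not the thread's or Cheat Engine's own code, that walks a pointer path the way the offsets above describe it (and as a pointer and offset were defined earlier in the thread): a constructed 32-bit address space with the thread's numbers, static address 00400500 holding 12340000, bombs at +0x44 and the game time at +0xbb8. A read at an unmapped address fails, which is the case CE displays as "???".

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed process memory: 16 bytes of module data at the static address
 * 0x00400500 and a 0x1000-byte heap block at 0x12340000 holding the Player object. */
static uint8_t g_static[16], g_heap[0x1000];
/* Backing byte for a 4-byte access at a, or NULL when the address is unmapped.
 * The unsigned subtraction wraps for addresses below a block, so one compare suffices. */
static uint8_t *map(uint32_t a)
{
    if (a - 0x00400500u <= 16u - 4u)     return g_static + (a - 0x00400500u);
    if (a - 0x12340000u <= 0x1000u - 4u) return g_heap + (a - 0x12340000u);
    return NULL;
}

/* Little-endian 32-bit read; returns 0 for an unmapped address (what CE shows as "???"). */
int read_u32(uint32_t addr, uint32_t *out)
{
    uint8_t *p = map(addr);
    if (!p) return 0;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 1;
}
static void write_u32(uint32_t addr, uint32_t v)
{
    uint8_t *p = map(addr);
    for (int i = 0; p && i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Walk a pointer path the way CE does: read the 4-byte value at the current
 * address, add the next offset, repeat. The final address itself is not read.
 * Returns 1 with the address in *out, or 0 if any level is unmapped. */
int resolve_path(uint32_t base, const uint32_t *offs, size_t n, uint32_t *out)
{
    uint32_t addr = base, v;
    for (size_t i = 0; i < n; i++) {
        if (!read_u32(addr, &v)) return 0;
        addr = v + offs[i];
    }
    *out = addr;
    return 1;
}

/* The thread's scenario: the static address holds 0x12340000, a Player object
 * allocated on a 0x100 boundary; bombs sit at +0x44 and the game time at +0xbb8. */
void setup_memory(void)
{
    write_u32(0x00400500u, 0x12340000u);
    write_u32(0x12340044u, 3u);
    write_u32(0x12340bb8u, 120u);
}
```

A path with a wrong offset chain ends up dereferencing an unmapped address somewhere along the way, which is exactly when CE stops showing an address and shows "???" instead.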