Cheat Engine Forum Index Cheat Engine
How do I find all the multi-pointers to base address?

 
pkedpker
Posted: Tue Dec 29, 2015 9:54 pm    Post subject: How do I find all the multi-pointers to base address?

How do I find all the offsets for multi-pointers, if I have the root base address which all the offsets expand from?

I got an old cheat which worked from 1 base address for pretty much everything in the game.

Updating the base address to a new one was easy, just finding something simple like X Map Coordinate. Now I've got complicated stuff that also has to span from the same base address; I found the value. How do I specify in Cheat Engine that that value's address is offset by maybe 5-6 pointers and offsets, but the origin is this X base address?

When I check "Base address must be in specific range" From 01c904ac To 01c904ac,

it finds absolutely no pointers at all..
It uses 00400000 as its base so mine's at 01c904ac (could find this one in ollydbg/ida, same location).

I tried 01c904ac-00400000 = From: 18904AC To: 18904AC, still nothing found.. how can I do something like this?

Yes, the Address to find is the address that holds the value for what I'm trying to update.

Also I'd like to add I know the first 3 offsets to the base address rarely change; if I put those in it's really strange.

it says

Quote:

[X] Pointers must end with specific offsets.
____ Last offset
____
____

but I know the first 3 offsets, I don't know the last ones.. say they are

Base Address -> (Value_TO_BA + 0xAA)
PTR_AA -> (PTR_AA_VALUE + 0x123)
PTR_123 -> (PTR_123_VALUE + 0xABC)
PTR_ABC -> new address and chain continues..

so let's say I know it's AA,123,ABC

do I fill it out like this?

Quote:

[X] Pointers must end with specific offsets.
0xAA Last offset
0x123
0xABC

_________________
Hacks I made for kongregate.
Kongregate Universal Badge Hack: http://forum.cheatengine.org/viewtopic.php?p=4129411
Kongreate Auto Rating/Voter hack: http://forum.cheatengine.org/viewtopic.php?t=263576
Took a test lol
Zanzer
Posted: Tue Dec 29, 2015 10:04 pm

You say you know the first 3 offsets and there are only 5 to the address you want.
You can't manually find those last 2? Shouldn't be hard at all.
Just finding out what instruction touches the address you're after will get you the last offset.
Now you only need to find 1! And you know the base address that the 4th is pointing to!
pkedpker
Posted: Tue Dec 29, 2015 10:19 pm

Yes, it's not that easy.. the game is huge, the exe is 30 megs with over 130,000 functions, I can't manually look. I want to make an asm sequence signature for future updates, which will be a big challenge as the game almost completely changes in codebase every revision; real-time optimizations or some shit always produce code very similar in pseudo but very different in asm.. But I need to find these offsets and the faster the better.. since I wasted 5+ hours to find the item offset and I only get the first item.. pretty stupid

Here is first item 2050:



see how far it goes

The next item is at +48 bytes (0x30) and I want to do it the right way.

These are the Read/Write BPs; as you can see it doesn't really help me much..

I want to make a function like GetItemIdAt(int index).. and I can't figure it out properly... without doing it through the ass, I want to make this solid so future updates will be no problem

Code:

// IDA pseudocode from the old build: the item address is built from a chain of
// dereferences starting at v2 (table object at v2+0x82C), with 0x30 bytes per item
v39 = (const void *)(*(_DWORD *)(*(_DWORD *)(sub_4E3E68(
                                                *(_DWORD *)(v2 + 0x82C),   // this: table object
                                                *(_DWORD *)(a2 - 0x14),    // a2
                                                *(_DWORD *)(a2 - 0x24))    // a3
                                              + 0x5C)
                                 + 8)
                     + 0x30 * *(_WORD *)(v5 + 4));                          // item index

// Returns the address of slot (a2, a3) inside the table `this` points at,
// or 0 when either index is out of range
int __thiscall sub_4E3E68(int this, int a2, unsigned int a3)
{
  int result; // eax@4

  if ( a2 <= 0 || a2 >= *(_DWORD *)(this + 4) || a3 > 0xB )
    result = 0;
  else
    result = 672 * a3 + 0x1BFB8 * a2 + *(_DWORD *)this + 0x2530;
  return result;
}

ParkourPenguin
Posted: Tue Dec 29, 2015 10:45 pm

Well, if you have no clue what the offsets are, you know what the base address is, the base address is a static, and you know what the end address of the pointer chain should be, then you can use the pointer scanner to find it very easily (tutorial). Just search for that address and select "Base address must be in specific range" near the bottom.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
pkedpker
Posted: Tue Dec 29, 2015 11:50 pm

I've seen all these tutorials but it doesn't work for me at all.. I'm looking for alternative pointer scanners, know of any others?

I found the base address in the disassembler, it's
Quote:
Atlantica.exe+18904AC
which evaluates to 0x01c904ac, which has a value that's different every time you start the game up, but that value can be offset by different values to find almost everything I need in the game.

I tried the pointer scan with 10 max level depth 2048 maximum offset value.

Running it for 5 minutes my computer is about to burn out, 2,000,000,000 /s Writing 0.00% and Pointer paths found: 0

For both

[X] Base address must be in specific range
from: 18904AC to: 18904AC
from: 01c904ac to: 01c904ac

only thing I didn't try is the random value.. assigned to pointer and if that works that's pretty messed up..

okay the random value assigned to base address pointer is
from: 06B2CF78 to: 06B2CF78

and same thing nothing found ran each test 5 minutes about.

afaik this base pointer has many class pointers which have access to most of the same pointers in many different areas so I should be able to find a bunch.

Gniarf
Posted: Wed Dec 30, 2015 5:32 am    Post subject: Re: How do I find all the multi-pointers to base address?

pkedpker wrote:
Base Address -> (Value_TO_BA + 0xAA)
PTR_AA -> (PTR_AA_VALUE+ 0x123)
PTR_123 -> (PTR_123_VALUE + 0xABC)
PTR_ABC -> new address and chain continues..
First thing to do is to pointerscan for PTR_ABC, specifying that base address is from 0x01c904ac to 0x01c904ac. Fiddle with the settings until you can get it to find at least this part of the path.
From personal experience I don't recommend using the "improve pointerscan with..." option; for example, stack addresses as static are also useless in your case.

Once you have made sure that the scanner can find stuff (i.e. is not thwarted by weird protections or incorrect configuration), then you specify that base address must be from-to PTR_ABC, and accordingly reduce max level.

pkedpker wrote:
I know the first 3 offsets I don't know the last ones.
When doing a REscan you have the option to specify the offsets closer to the base. I'm pretty sure I saw this option for the first scan too in an older CE build, maybe 6.3 or 6.2, but CE 6.4 introduces some drastic improvements to the pointerscanner's speed.

pkedpker wrote:
On this image I see a hugealicious offset of 0x1e4e8, which means you'll need a max offset of at least 124,136 (suicide candidate, anyone?) for the pointerscanner to find this path, unless you manually specify this offset.
Same thing with 0x82c = 2092 > 2048 (default max offset). <- My guess is that this is the core of your problem.

Quote:
I tried the pointer scan with 10 max level depth 2048 maximum offset value.
Running it for 5 minutes my computer is about to burn out, 2,000,000,000 /s Writing 0.00% and Pointer paths found: 0
Try disabling "only find paths with a static" and specify a small max level like 1-2 to make sure that CE can find a path to your address. If you can't find any (temporary) mini-path with this configuration, you're guaranteed not to find anything with the full level 10 scan.

BTW 2 Gptr/s that's nice, whatcha got? 16 cores at 4Ghz? Distributed pointerscan?

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
pkedpker
Posted: Wed Dec 30, 2015 5:32 pm

I got a very good deal on my CPU, an E5-2697 v2 3.5 GHz 12 core CPU from ebay for $200; it's an ES (Electronic sample / fake, but it works just as good if not better as it's unlocked). For $400 you can now get a fake 16 cpu xeon CPU on ebay.

I will try changing the max offset to 10000 see how it goes.. I really need this to be solid as I will be updating these base address offsets pretty frequently game patches every week or so.

Is there any other tool where
you put in Base Address
0x01C904AC
and put in the final value and get the offsets in between of everything?


EDIT!!

Increasing the max offset to 130832 fixed the problem, I'm getting pointers now.

New problem: it always finds pointers non-stop, I don't care about that, but I set it to 10 Max offsets and it will always only find 10, never addresses with fewer paths like 5,6,7,8,9 offsets.. how can I get all the paths with fewer offsets as well?

Or even better..

Search like
First Offset in range of 0x800 to 0x900
Second Offset in range of 0x0 to 0x100

etc...

Dark Byte
Posted: Wed Dec 30, 2015 6:10 pm

Quote:

Is there any other tool where
you put in Base Address
0x01C904AC
and put in the final value and get the offsets in between of everything?

There is the structure spider. It is like the pointerscanner, but it starts from the base, and goes through every possible path it can.

give it the base region your base pointer points at currently (so the address 0x01C904AC points to)

and you can tell it that the final pointer must be in the range of a specific address.

It is a lot slower than a pointerscan though

--

Offset ranges on a per level basis aren't in yet
Also, I believe you do get paths with less than 10 offsets. They are just extremely rare compared to the ones with 10. Try sorting the last offset.

(also, never click stop in a pointerscan, doing so is a waste of your time as it's programmed to find the best paths at the very end)

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
pkedpker
Posted: Wed Dec 30, 2015 6:29 pm

Dark Byte wrote:
Quote:

Is there any other tool where
you put in Base Address
0x01C904AC
and put in the final value and get the offsets in between of everything?

There is the structure spider. It is like the pointerscanner, but it starts from the base, and goes through every possible path it can.

give it the base region your base pointer points at currently (so the address 0x01C904AC points to)

and you can tell it that the final pointer must be in the range of a specific address.

It is a lot slower than a pointerscan though

--

Offset ranges on a per level basis aren't in yet
Also, I believe you do get paths with less than 10 offsets. They are just extremely rare compared to the ones with 10. Try sorting the last offset.

(also, never click stop in a pointerscan, doing so is a waste of your time as it's programmed to find the best paths at the very end)


You said I have to get the address to 0x01C904AC ? I tried that address it says invalid address or something can't say as I'm running a new scan and don't want to terminate it.

That sounds very promising... I also can find the struct size fairly easily, as every patch it only grows, so I always look for the same value or higher.. assuming it's the struct, it's the last offset; then after I get that address.. I add mini-structs of 0x30 to get every item in game, I think all the items are just one huge array though.

I tried with structsize of 0x30 it instantly says nothing found in a split second.

Quote:

Last Patch:
004E3E86 69D2 A0020000 IMUL EDX,EDX,0x2A0 ; EDX = 0 * 2A0
Newest Patch:
005A91DF 69D2 BC020000 IMUL EDX,EDX,0x2BC ;EDX = 0 * 0x2BC


This is what the code looks like (if it wasn't for Google's / Zynamics BinDiff 4.2 IDA plugin I wouldn't be able to find this old function in the new game.. thank god for it).

Old Patch
Code:

// Old build: slot address for (a2, a3) in the table `this` points at, or 0
// when a2 is outside 1..count-1 (count at this+4) or a3 is above 0xB
int __thiscall sub_4E3E68(int this, int a2, unsigned int a3)
{
  int result; // eax@4

  if ( a2 <= 0 || a2 >= *(_DWORD *)(this + 4) || a3 > 0xB )
    result = 0;
  else
    result = 672 * a3 + 0x1BFB8 * a2 + *(_DWORD *)this + 0x2530;
  return result;
}

Newest Patch
Code:

// New build: same layout logic with grown strides (row 0x1CE68, slot 700,
// header 0x30A8); a3 is now signed so the check is 0 <= a3 < 0xC
int __thiscall sub_5A91A0(int this, int a2, signed int a3)
{
  int result; // eax@3

  if ( a2 > 0 && a2 < *(_DWORD *)(this + 4) )
  {
    if ( a3 >= 0 && a3 < 0xC )
      result = 0x1CE68 * a2 + *(_DWORD *)this + 700 * a3 + 0x30A8;
    else
      result = 0;
  }
  else
  {
    result = 0;
  }
  return result;
}


Used to be 672, now it's 700. I'm sure it's a struct size because the structure spider is actually working :)


Gniarf
Posted: Wed Dec 30, 2015 6:42 pm

pkedpker wrote:
Search like
First Offset in range of 0x800 to 0x900
Second Offset in range of 0x0 to 0x100

etc...
The closest thing I see is that when doing rescans you can specify a lua function that will receive base, target, and offsets and should return true if you want to keep this path. You could check if offsets are in the desired range there, but I don't think performance is going to be pretty.
pkedpker
Posted: Wed Dec 30, 2015 6:51 pm

Ya, I got no experience at all with lua scripting, oh well, both solutions seem to take ages haha.. I'll try to do something else here.
Dark Byte
Posted: Wed Dec 30, 2015 6:51 pm

Quote:

You said I have to get the address to 0x01C904AC

No, the address 0x01c904ac points to

the structure spider will scan through the block provided (up to structsize) and follow all the pointers and scan those as well
so in the screenshot it's going to follow all pointers it encounters from 0x01c904ac to 0x01C90768
(not that it's a bad thing as it's first going to scan through 0x01c904ac anyhow, but it may find some base addresses you didn't want to wait for)

pkedpker
Posted: Wed Dec 30, 2015 6:59 pm

Dark Byte wrote:
Quote:

You said I have to get the address to 0x01C904AC

No, the address 0x01c904ac points to

the structure spider will scan through the block provided (up to structsize) and follow all the pointers and scan those as well
so in the screenshot it's going to follow all pointers it encounters from 0x01c904ac to 0x01C90768
(not that it's a bad thing as it's first going to scan through 0x01c904ac anyhow, but it may find some base addresses you didn't want to wait for)


Ah, so struct size is how far it would go away from base address, then I should specify 0 right?

I always get
Scan Done! 0 found

I still can't wrap my head around what address points to 0x01c904ac? If you don't mean the value of 0x01c904ac then I don't think any address points to it, it's a solid address that you can find in IDA Pro like a global DWORD*


I tried 0xE8048625 0x258604E8 and 0x01C904AC no founds.. ah screw it

Dark Byte
Posted: Wed Dec 30, 2015 7:17 pm

In Cheat Engine, go to address 01c904ac in the bottom part of the memory view window,
select the 4 bytes there and press space;
the new address is the address it pointed to, which is what you should use as base.

The size is how far it will check every pointer it encounters. So do not set it to 0. Set it to the maximum size it can encounter on the path to the final address.

pkedpker
Posted: Wed Dec 30, 2015 7:34 pm

Okay thanks, so you did mean the value of the base address, because that's what spacebar seems to bring me to. About the maximum size it can encounter on the path to the final address, this also makes little sense to me.. are you talking about the biggest offset it can encounter? If so, I put it in..

Btw I updated the hack from old version to newest version by hand and it didn't turn out too bad..

Quote:

//Revisions
//AO International very outdated Offsets understanding
//--------------------------------------------------------------------------------------------------
//Offset #1 = 0x82C
//Offset #2 = 0
//Offset #3 = 0x1BFB8 + 0x2530 + 0x5C = 0x1E544
//Offset #4 = 8
//Offset #5 = (FKey * 0x30) //This starts from FKey [0 to 9] as the first value is an item id.
//----------------------------------------------------------------------------------------------------
//AO International Newest Offsets understanding
//Offset #1 = 0x82C
//Offset #2 = 0
//Offset #3 = 0x1CE68 + 0x30A8 + 0x5C = 0x1FF6C
//Offset #4 = 8
//Offset #5 = (FKey * 0x38) //This starts from FKey [0 to 9] as the first value is an item id.
//----------------------------------------------------------------------------------------------------


I'll just make these huge comment bricks on every address so I can update easier later on.

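As an added worked check (not code from the thread, from pkedpker or from Cheat Engine), the C program below reimplements the two decompiled slot functions over a constructed 32-bit memory image and confirms that the flattened offsets in the comment block above (offset #3 = row stride + header + 0x5C, offset #5 = item size × index) land on the same address the original call chain computes, for both the old and the newest build. Only the constants come from the thread; the object layout, the addresses written into the image and the row count are made up for the demonstration.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed little-endian 32-bit memory image standing in for the game's address space. */
#define IMG_BASE 0x01C00000u
#define IMG_SIZE 0x00100000u
static uint8_t img[IMG_SIZE];
static uint32_t rd32(uint32_t addr) {                 /* *(_DWORD *)addr, bounds-checked */
    uint32_t off = addr - IMG_BASE, v;
    assert(off <= IMG_SIZE - 4);
    memcpy(&v, img + off, 4);
    return v;
}
static void wr32(uint32_t addr, uint32_t v) {
    uint32_t off = addr - IMG_BASE;
    assert(off <= IMG_SIZE - 4);
    memcpy(img + off, &v, 4);
}

/* Per-build constants from the two decompiled functions, plus the hand-derived offset #3 and item size. */
typedef struct { uint32_t row_stride, slot_stride, header, flat3, item_size; } build_t;
static const build_t OLD = {0x1BFB8, 672, 0x2530, 0x1E544, 0x30};  /* sub_4E3E68 */
static const build_t NEW = {0x1CE68, 700, 0x30A8, 0x1FF6C, 0x38};  /* sub_5A91A0 */
/* sub_4E3E68 / sub_5A91A0 as decompiled: address of slot (a2, a3), or 0 when out of range. */
static uint32_t slot_address(const build_t *b, uint32_t self, int a2, int a3) {
    if (a2 <= 0 || (uint32_t)a2 >= rd32(self + 4) || a3 < 0 || a3 > 0xB) return 0;
    return b->slot_stride * a3 + b->row_stride * a2 + rd32(self) + b->header;
}

/* The call site: v39 = *(*(slot + 0x5C) + 8) + item_size * idx, with the table at [v2 + 0x82C]. */
static uint32_t item_via_function(const build_t *b, uint32_t base, int a2, int a3, uint32_t idx) {
    uint32_t slot = slot_address(b, rd32(rd32(base) + 0x82C), a2, a3);   /* v2 = [base] */
    return slot ? rd32(rd32(slot + 0x5C) + 8) + b->item_size * idx : 0;
}

/* pkedpker's flattened chain for a2 = 1, a3 = 0: [[[[[base]+0x82C]+0]+flat3]+8] + item_size*idx. */
static uint32_t item_via_chain(const build_t *b, uint32_t base, uint32_t idx) {
    const uint32_t offs[4] = {0x82C, 0, b->flat3, 8};
    uint32_t addr = rd32(base);
    for (int i = 0; i < 4 && addr; i++) addr = rd32(addr + offs[i]);
    return addr ? addr + b->item_size * idx : 0;
}

/* Offset #3 is the slot formula at a2 = 1, a3 = 0 plus the call site's 0x5C. */
static uint32_t derived_offset3(const build_t *b) { return b->row_stride + b->header + 0x5C; }
/* Lay out one made-up object graph for build b; returns the static base address. */
static uint32_t build_image(const build_t *b) {
    uint32_t base = 0x01C904ACu, v2 = 0x01C10000u, obj = 0x01C20000u;
    uint32_t data = 0x01C40000u, sub = 0x01C70000u, items = 0x01C80000u;
    memset(img, 0, sizeof img);
    wr32(base, v2);              /* static base -> object v2         */
    wr32(v2 + 0x82C, obj);       /* offset #1                         */
    wr32(obj, data);             /* offset #2 = 0: table data pointer */
    wr32(obj + 4, 4);            /* row count, so a2 must be 1..3     */
    wr32(data + b->flat3, sub);  /* slot(1,0) + 0x5C -> sub-structure */
    wr32(sub + 8, items);        /* offset #4 -> item array           */
    return base;
}

int main(void) {                 /* stand-alone demo on the NEW layout */
    uint32_t base = build_image(&NEW);
    printf("offset #3 = 0x%X, item 3 via function = 0x%08X, via chain = 0x%08X\n",
           derived_offset3(&NEW), item_via_function(&NEW, base, 1, 0, 3), item_via_chain(&NEW, base, 3));
    return 0;
}
```

The out-of-range branches (a2 beyond the row count, a3 above 0xB) return 0 exactly as the decompiled functions do, which is the case a rescan filter or a GetItemIdAt helper has to treat as "no item" rather than dereference.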
All times are GMT - 6 Hours