ken1882 How do I cheat?
Reputation: 0
Joined: 28 May 2020 Posts: 4
Posted: Thu May 28, 2020 1:28 am, Post subject: How do I write pointerscan using C++
I only know how to "use" the pointer scan and pointer map etc., and my guess is the address is obtained via the RVAs in the PE's section table somehow, but I don't know whether my guess is correct, and even if it is, it's just a very ambiguous concept. A good way to understand it is to write it myself, and I've browsed through CE's github but still have no clue (sorry for the noob).
Could anyone please explain how those addresses are obtained and their relation with the PE sections? Greatly appreciated!
ParkourPenguin I post too much
Reputation: 154
Joined: 06 Jul 2014 Posts: 4753
Posted: Thu May 28, 2020 10:38 am
It doesn't start at exe/dlls, it starts at the address you're scanning for. PE sections have nothing to do with it.
A really high level overview:
- Start at a base address
- Search for pointers to any address within the specified offset range
- For all results that come up, repeat the previous step recursively
- Log static addresses (those in an exe/dll or first few values in first few threads' stacks)
- Stop searching a path e.g. when a static address is found, a path begins to loop, max level offset is reached, etc.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
ken1882 How do I cheat?
Reputation: 0
Joined: 28 May 2020 Posts: 4
Posted: Thu May 28, 2020 8:03 pm
ParkourPenguin wrote:
    It doesn't start at exe/dlls, it starts at the address you're scanning for. PE sections have nothing to do with it.
    A really high level overview:
    - Start at a base address
    - Search for pointers to any address within the specified offset range
    - For all results that come up, repeat the previous step recursively
    - Log static addresses (those in an exe/dll or first few values in first few threads' stacks)
    - Stop searching a path e.g. when a static address is found, a path begins to loop, max level offset is reached, etc.
Thanks for the reply.
But I doubt it has nothing to do with sections. Since the "pointer" we found (such as the pointer to the player's HP, `Game.exe+0x12345 plus some offsets`) will work even on different Windows machines, doesn't this mean that when the OS loads the PE data into logical memory, it has a "preferred address" that makes it work on different Windows machines? And isn't the information about how to map to that preferred address stored in the PE's section table? If not, how does that even work?
ParkourPenguin I post too much
Reputation: 154
Joined: 06 Jul 2014 Posts: 4753
Posted: Thu May 28, 2020 11:03 pm
CE finds exe/dll files loaded into memory by using APIs such as CreateToolhelp32Snapshot. Addresses specified by "game.exe+1234" will be translated into a virtual address at runtime. It has nothing to do with whatever "preferred address" you're talking about.
The same pointer path is able to work on multiple machines due to how the game is programmed. It has little to do with Windows.
ken1882 How do I cheat?
Reputation: 0
Joined: 28 May 2020 Posts: 4
Posted: Fri May 29, 2020 6:20 am
Sorry, I'm not convinced: all memory has to be allocated by the OS, and the program is compiled and generated into a portable executable file by Windows that matches its format so the program can be executed and run.
Quote:
    CE finds exe/dll files loaded into memory by using APIs such as CreateToolhelp32Snapshot. Addresses specified by "game.exe+1234" will be translated into a virtual address at runtime.
I agree with that, but
Quote:
    It has nothing to do with whatever "preferred address" you're talking about. The same pointer path is able to work on multiple machines due to how the game is programmed. It has little to do with Windows.
Maybe I'm too stupid to see the relation between these two statements?
Let me ask this way:
Why can "game.exe+1234" plus some magical offsets always reach the target address I want to find, and what's the relation and logic behind it? How does Windows know to place the data at that specified address calculated by the offset, which imo works kind of like a hierarchical page table, or is it something else?
ParkourPenguin I post too much
Reputation: 154
Joined: 06 Jul 2014 Posts: 4753
Posted: Fri May 29, 2020 10:50 am
It's literally how the game is programmed.
Values are organized into contiguous sequences called structures. e.g. a "player" structure could look like this:
Code:
    #include <string>

    struct Armor;   // forward declarations so the pointer members compile
    struct Enemy;

    struct Player {
        void *vtable;
        int id;
        double health;
        Armor *armor;
        std::string name;
        Enemy *current_target;
        // ...
    };
Structures can contain primitive values (id, health) and pointers to other structures (*armor, *current_target) or data (name).
There are three facts relevant to understanding how pointer paths work:
- The location of each element in the structure relative to the beginning depends on how the game was programmed and will never change at runtime.
- Pointers to other structures will point to the beginning address of the other structure.
- Games will create values whose lifetimes span that of the process itself (more or less), i.e. static variables and the first several threadstack values of the first few threads.
Thus, given a player structure and a goal of accessing some value in the enemy structure pointed to by *current_target, you'd do something like "[player+3C]+...". It doesn't matter where Windows allocated memory for the enemy structure or the player structure. That pointer will always point to the correct address because that's how the game is programmed.
For a base address, there could be a "world state" structure or something stored either globally (exe) or early on locally (threadstack) that will contain some path to the player structure.
To someone trying to find pointer paths, it doesn't matter where memory was allocated for values; the game handles that. You just need to use what the game is already doing.
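An added example, not code from this thread or from Cheat Engine, that puts ParkourPenguin's overview (start at the target, look for pointers landing within the offset range, recurse, log static hits, stop on loops or at the level cap) and the structure-offset explanation above into C++ over a constructed memory snapshot. The addresses, the game.exe range and the World/Player/Enemy layout are all assumptions made up for the example.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <set>
#include <vector>
// Hypothetical snapshot: address -> 8-byte value for every pointer-sized slot.
using Snapshot = std::map<uint64_t, uint64_t>;
struct Path { uint64_t base; std::vector<uint64_t> offsets; };
// Pretend game.exe is mapped at [0x400000, 0x500000): slots there are "static".
bool isStatic(uint64_t a) { return a >= 0x400000 && a < 0x500000; }
// Slots whose value lands within maxOffset below `target` are hits: a static
// hit logs a path, any other hit becomes the next target. `seen` stops loops.
void scanLevel(const Snapshot& mem, uint64_t target, uint64_t maxOffset, int depth,
               std::vector<uint64_t>& offs, std::set<uint64_t>& seen,
               std::vector<Path>& out) {
    if (depth == 0) return;                       // max level reached
    for (const auto& [addr, value] : mem) {
        if (value > target || target - value > maxOffset) continue;
        offs.push_back(target - value);           // offset added after this deref
        if (isStatic(addr)) {
            Path p{addr, offs};                   // found last-to-first, so reverse
            std::reverse(p.offsets.begin(), p.offsets.end());
            out.push_back(p);
        } else if (seen.insert(addr).second) {    // skip if this path already passed here
            scanLevel(mem, addr, maxOffset, depth - 1, offs, seen, out);
            seen.erase(addr);
        }
        offs.pop_back();
    }
}
std::vector<Path> pointerScan(const Snapshot& mem, uint64_t target,
                              uint64_t maxOffset, int maxLevel) {
    std::vector<Path> out; std::vector<uint64_t> offs; std::set<uint64_t> seen;
    scanLevel(mem, target, maxOffset, maxLevel, offs, seen, out);
    return out;
}
// Follow a path the way "[[game.exe+8]+40]+10" is read: deref, add, repeat.
uint64_t resolve(const Snapshot& mem, const Path& p) {
    uint64_t a = p.base;
    for (uint64_t off : p.offsets) a = mem.at(a) + off;
    return a;
}
// Constructed layout: game.exe+0x1000 -> World, World+8 -> Player, Player+0x40
// -> Enemy (current_target), Enemy+0x10 is its health. Enemy+0x20 points back
// at Player (a loop) and 0x50000 is a stray heap pointer nothing static reaches.
Snapshot buildSnapshot() {
    return {{0x401000, 0x30000}, {0x30008, 0x10000}, {0x10000, 0x402000}, {0x10040, 0x20000},
            {0x20000, 0x402000}, {0x20020, 0x10000}, {0x50000, 0x10000}};
}
```

Scanning for the enemy's health slot (0x20010) yields exactly one static path, game.exe+0x1000 with offsets 8, 0x40, 0x10; the loop through Enemy+0x20 and the stray heap pointer produce nothing, and a level cap of 2 finds no path because three levels are needed.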
ken1882 How do I cheat?
Reputation: 0
Joined: 28 May 2020 Posts: 4
Posted: Sat May 30, 2020 9:52 am
ParkourPenguin wrote:
    It's literally how the game is programmed......
Thanks for the informative answer!
So it looks like the address and offsets were already defined when it was an object file, and it'll work even on Linux I guess?
ParkourPenguin I post too much
Reputation: 154
Joined: 06 Jul 2014 Posts: 4753
Posted: Sat May 30, 2020 10:27 am
The base address would likely be different. ELF files are different from EXE files. Besides that, sure, "good" paths like the one I described should work.
The pointer scanner can find paths the game doesn't use too. Some of those might not work.