Use AoB to find base address

TheOrigan
Novice Cheater
Posts: 16
Joined: Sun Dec 10, 2017 1:59 pm
Reputation: 0

Use AoB to find base address

Post by TheOrigan »

Hello everyone. I've been using cheat engine for quite a while now, but as I like to keep it simple with cheating, I used to stick with pointer scanning to make my own tables. Recently however, for some games pointer scanning didn't work (no useable pointers, or too many offsets). For example Stronghold 2 or Stronghold Crusader 2.

So I got a little deeper into the tutorial and learned about AoBscans. I followed Rydian's superb tutorial ([Link]) to learn how to make a script that finds the base address every time the game restarts (and then add the base+offset manually, which automatically updates).

Rydian mentions that in order for this to work you need the following condition fulfilled:
If 'Find out what addresses the instruction accesses' only shows one address as being accessed (which is in this case our health address) then you're good. However if it shows multiple addresses as being accessed, then that's not a decent target for this technique
This is the case for Stronghold 2, but unfortunately for Stronghold Crusader 2 when you look up the value for gold, only 1 useable opcode exists, and it is a code that accesses both my own gold and the gold of my enemies (nothing else):

Code:

mov [edx+edi*4],eax

Thus, messing around with this code will give everyone the same amount of gold.

Furthermore, when I added the following script:

Code:

[ENABLE]

aobscanmodule(INJECT,StrongholdBase.dll,89 04 8A 5B 74 1A) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

globalalloc(_playerbase,4)
globalalloc(_multiplier,4)

newmem:

code:
  mov [_playerbase],edx
  mov [_multiplier],ecx
  mov [edx+ecx*4],eax
  pop ebx
  je StrongholdBase.StrongholdBase::Estate::GetKeep+2712
  jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 89 04 8A 5B 74 1A

unregistersymbol(INJECT)
dealloc(newmem)

Then I 'Add address manually' with the following instruction: [_playerbase]+[_multiplier]*4

But the address I add constantly changes to reflect the last gold address that was accessed by the opcode. So I would like to ask, if no unique opcode can be found for gold (or at least not by me, I'm a complete assembly noob), how can I alter my script so that _playerbase and _offset only get stored if it's my gold that is being accessed by the opcode. Or is there an easier way to find an opcode that does only access my gold?

Thanks in advance!
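The post relies on an `aobscanmodule` whose pattern "should be unique". As an added illustration (this is not Cheat Engine's code and not from the thread), here is the scan itself: a byte pattern with `??` wildcards is matched over a copy of a module's bytes, and `find_unique` refuses any pattern that hits more than once, since a hook placed on an ambiguous pattern would land on the wrong instruction. `MODULE_IMAGE` and `MODULE_BASE` are constructed stand-ins, not bytes from StrongholdBase.dll.

```python
"""Array-of-bytes (AoB) scan over a module image, with wildcards and a uniqueness check.

Added example: this is not Cheat Engine's code. It works on an in-memory copy of a
module's bytes so it runs offline; MODULE_IMAGE and MODULE_BASE are constructed for the
demonstration and are not taken from StrongholdBase.dll.
"""
import re
from typing import List


def compile_aob(pattern: str) -> re.Pattern:
    """Translate a Cheat Engine style pattern ('89 04 8A ?? 74 1A') into a bytes regex.

    '??' or '*' matches any one byte. The pattern is wrapped in a zero-width lookahead
    so that overlapping occurrences are all reported, which a plain search would skip.
    """
    pieces = []
    for tok in pattern.split():
        if tok in ("??", "?", "*"):
            pieces.append(b".")
        elif len(tok) == 2:
            pieces.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad AoB token {tok!r}")
    return re.compile(b"(?=(?:" + b"".join(pieces) + b"))", re.DOTALL)


def aob_scan(image: bytes, pattern: str, base: int = 0) -> List[int]:
    """Return the address (base + offset) of every match of pattern in image."""
    return [base + m.start() for m in compile_aob(pattern).finditer(image)]


def find_unique(image: bytes, pattern: str, base: int = 0) -> int:
    """Address of the single match; ValueError if the pattern is not unique.

    This is the check behind the '// should be unique' comment in aobscanmodule
    scripts: a pattern with several hits cannot safely be hooked.
    """
    hits = aob_scan(image, pattern, base)
    if len(hits) != 1:
        raise ValueError(f"pattern {pattern!r} matched {len(hits)} times: "
                         + ", ".join(f"{h:08X}" for h in hits))
    return hits[0]


# Constructed stand-in for a module's code section (not real game bytes).
MODULE_BASE = 0x10000000
MODULE_IMAGE = (
    bytes.fromhex("55 8B EC 83 EC 08")    # 0x00  push ebp; mov ebp,esp; sub esp,8
    + bytes.fromhex("89 04 8A C3")        # 0x06  mov [edx+ecx*4],eax; ret  (first '89 04 8A')
    + b"\xCC" * 22                        # 0x0A  int3 padding up to 0x20
    + bytes.fromhex("89 04 8A 5B 74 1A")  # 0x20  the sequence the thread hooks
    + bytes.fromhex("5F 5E C3")           # 0x26  pop edi; pop esi; ret
)


if __name__ == "__main__":
    # The 3-byte pattern is ambiguous; the 6-byte one stays unique even with a wildcard.
    print([f"{a:08X}" for a in aob_scan(MODULE_IMAGE, "89 04 8A", MODULE_BASE)])
    print(f"{find_unique(MODULE_IMAGE, '89 04 8A ?? 74 1A', MODULE_BASE):08X}")
```

The wildcard matters in practice: bytes that encode a displacement or an absolute address change between game versions, so a pattern that masks them with `??` keeps working where an exact byte match breaks, while the surrounding opcode bytes still keep it unique.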

Blayde
Expert Cheater
Posts: 230
Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 47

Re: Use AoB to find base address

Post by Blayde »

TheOrigan wrote:
Sun Dec 10, 2017 2:19 pm
...I'm a complete assembly noob....

Thanks in advance!
No good. :?
You must try/learn:
Registry compare.
Backtrack.
TheOrigan wrote:
Sun Dec 10, 2017 2:19 pm
Then I 'Add address manually' with the following instruction: [_playerbase]+[_multiplier]*4
Will not work.
I'm so bad at explaining things.

jungletek
Shogun
Posts: 179
Joined: Tue Oct 17, 2017 7:31 am
Reputation: 62

Re: Use AoB to find base address

Post by jungletek »

Blayde wrote:
Sun Dec 10, 2017 5:57 pm
Registry compare.
Register compare.

TheOrigan
Novice Cheater
Posts: 16
Joined: Sun Dec 10, 2017 1:59 pm
Reputation: 0

Re: Use AoB to find base address

Post by TheOrigan »

Blayde wrote:
Sun Dec 10, 2017 5:57 pm
Will not work.
I'm so bad at explaining things.
Actually, it does work, but because the opcode accesses all gold values, this address keeps moving between the gold addresses of every player when the opcode executes, which is several times per second. All I would like to know is if there is a way to either discern the gold values so I'm left with only mine OR maybe save all of the gold values, so I can just check which one's mine without having to dive into the disassembler every time.

I tried following Geri's tutorial, in which he describes a way to do this with 'Find out what Accesses..' which should point to the displayed value, which is supposed to be only my gold, but the offset is the same: ecx*4

PS: how do you backtrack? I get the feeling this might lead me to a solution for my problem.

jungletek
Shogun
Posts: 179
Joined: Tue Oct 17, 2017 7:31 am
Reputation: 62

Re: Use AoB to find base address

Post by jungletek »

TheOrigan wrote:
Mon Dec 11, 2017 8:59 am
Blayde wrote:
Sun Dec 10, 2017 5:57 pm
Will not work.
I'm so bad at explaining things.
Actually, it does work, but because the opcode accesses all gold values, this address keeps moving between the gold addresses of every player when the opcode executes, which is several times per second. All I would like to know is if there is a way to either discern the gold values so I'm left with only mine OR maybe save all of the gold values, so I can just check which one's mine without having to dive into the disassembler every time.

I tried following Geri's tutorial, in which he describes a way to do this with 'Find out what Accesses..' which should point to the displayed value, which is supposed to be only my gold, but the offset is the same: ecx*4

PS: how do you backtrack? I get the feeling this might lead me to a solution for my problem.
[Link]

[Link]

Blayde
Expert Cheater
Posts: 230
Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 47

Re: Use AoB to find base address

Post by Blayde »

jungletek wrote:
Mon Dec 11, 2017 7:17 am
Blayde wrote:
Sun Dec 10, 2017 5:57 pm
Registry compare.
Register compare.
:oops:
English is not my native language

Break and trace: (look at 22:00 min)
[Link]

Backtrace Encrypted Values:
[Link]

Using Different Registries:
[Link]

Comparing Multi Level Pointers:
[Link]

Blayde
Expert Cheater
Posts: 230
Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 47

Re: Use AoB to find base address

Post by Blayde »

TheOrigan wrote:
Mon Dec 11, 2017 8:59 am
I tried following Geri's tutorial, in which he describes a way to do this with 'Find out what Accesses..' which should point to the displayed value, which is supposed to be only my gold, but the offset is the same: ecx*4
Is the ecx value the same for you and enemies?

TheOrigan
Novice Cheater
Posts: 16
Joined: Sun Dec 10, 2017 1:59 pm
Reputation: 0

Re: Use AoB to find base address

Post by TheOrigan »

Blayde wrote:
Mon Dec 11, 2017 11:49 am
TheOrigan wrote:
Mon Dec 11, 2017 8:59 am
I tried following Geri's tutorial, in which he describes a way to do this with 'Find out what Accesses..' which should point to the displayed value, which is supposed to be only my gold, but the offset is the same: ecx*4
Is the ecx value the same for you and enemies?
I'm not sure, but I think so. I once listed the gold values for every player in the game and edx for a certain gold address is bigger than that of the lowest gold address, so I think it's edx that changes. ecx is a small offset I think, as it's always something like 00000010 or 0000000A. But as far as I know, you can't count back with a certain offset?

Blayde
Expert Cheater
Posts: 230
Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 47

Re: Use AoB to find base address

Post by Blayde »

TheOrigan wrote:
Mon Dec 11, 2017 1:39 pm
I'm not sure, but I think so. I once listed the gold values for every player in the game and edx for a certain gold address is bigger than that of the lowest gold address, so I think it's edx that changes. ecx is a small offset I think, as it's always something like 00000010 or 0000000A. But as far as I know, you can't count back with a certain offset?
In this situation you must backtrack edx. Where does the value come from?

Something like:
Image

TheOrigan
Novice Cheater
Posts: 16
Joined: Sun Dec 10, 2017 1:59 pm
Reputation: 0

Re: Use AoB to find base address

Post by TheOrigan »

Blayde wrote:
Mon Dec 11, 2017 1:51 pm
TheOrigan wrote:
Mon Dec 11, 2017 1:39 pm
I'm not sure, but I think so. I once listed the gold values for every player in the game and edx for a certain gold address is bigger than that of the lowest gold address, so I think it's edx that changes. ecx is a small offset I think, as it's always something like 00000010 or 0000000A. But as far as I know, you can't count back with a certain offset?
In this situation you must backtrack edx. Where does the value come from?

Something like:
Image
So if I understand correctly you went back to check where [rdi] comes from, as it's [rdi] that went into rax? Because the first address + the offset does not equal the second address.

Anyway, I'll be sure to check your tutorial links. Maybe it solves my problems for me. I'll report back when I've seen them!

Blayde
Expert Cheater
Posts: 230
Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 47

Re: Use AoB to find base address

Post by Blayde »

TheOrigan wrote:
Mon Dec 11, 2017 2:35 pm

So if I understand correctly you went back to check where [rdi] comes from, as its [rdi] that went into rax? Because the first address + the offset does not equal the second address.
This was only an example "how to".

You need to look for something like:
mov edx,[somevalue]
lea edx,[somevalue]

In worst case
mov edx,[ebp+offset]
mov edx,[esp+offset] (stack sh!t)

Edit:
Check what happens before (mov rdi instruction) using address/opcode right after "ret". (Bad example :D )

TheOrigan
Novice Cheater
Posts: 16
Joined: Sun Dec 10, 2017 1:59 pm
Reputation: 0

Re: Use AoB to find base address

Post by TheOrigan »

So I've taken a look at the tutorials and already learned a lot. Unfortunately I still don't really know to what point I should backtrace until I find a 'branch' that is unique to my gold value. For example, placing a return at the start of the first branch disables taxes (can't really know for sure whether it's only my taxes or everyone's). Dissecting the data structure yields nothing of value.

I have noticed that the value for EDX is still my (player, not any of the enemies) base address in 52561F36, but changes in the next operation.
Image

EDIT: I checked this opcode and it writes to a few addresses that always have the same value. One address has value 0, the other has value 1, ... The number of addresses reflects how many players are in the game. So I assume I have found something. How could I use this to my advantage?
Last edited by TheOrigan on Tue Dec 12, 2017 7:37 pm, edited 1 time in total.

jungletek
Shogun
Posts: 179
Joined: Tue Oct 17, 2017 7:31 am
Reputation: 62

Re: Use AoB to find base address

Post by jungletek »

Blayde wrote:
Mon Dec 11, 2017 11:43 am
:oops: English is not my native language
It's okay, I thought so, but I'm just helping, not criticizing ;)

TheOrigan
Novice Cheater
Posts: 16
Joined: Sun Dec 10, 2017 1:59 pm
Reputation: 0

Re: Use AoB to find base address

Post by TheOrigan »

TheOrigan wrote:
Mon Dec 11, 2017 9:30 pm
So I've taken a look at the tutorials and already learned a lot. Unfortunately I still don't really know to what point I should backtrace until I find a 'branch' that is unique to my gold value. For example, placing a return at the start of the first branch disables taxes (can't really know for sure whether it's only my taxes or everyone's). Dissecting the data structure yields nothing of value.

I have noticed that the value for EDX is still my (player, not any of the enemies) base address in 52561F36, but changes in the next operation.
Image

EDIT: I checked this opcode and it writes to a few addresses that always have the same value. One address has value 0, the other has value 1, ... The number of addresses reflects how many players are in the game. So I assume I have found something. How could I use this to my advantage?

Hello everyone. Thought I'd follow through with what I found to be a working solution. I stumbled upon the opcode above and decided to make a first aob script that copies the value for EDX only when [esi+4C] = 0 (which is player 1). Then I simply made a second AoB scan that targets my operation that writes to gold and stores the value of ECX. This gives me EDX and ECX and thus allows me to 'add address manually' so I can find gold easily and freeze it in game (it's still encrypted, but I don't mind)


EDIT: well, apparently [esi+4C] isn't player 1 when the value is 0, it's the position you take on the map. 0 is the default starting position. When I place an AI on the default spot, the script finds his gold address, although it's very buggy and constantly moves between 0 and his EDX. When I take the default position it works without a hitch.

Attachment: Crusader2.CT (243.91 KiB)

Blayde
Expert Cheater
Posts: 230
Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 47

Re: Use AoB to find base address

Post by Blayde »

TheOrigan wrote:
Tue Dec 12, 2017 8:52 pm
Hello everyone. Thought I'd follow through with what I found to be a working solution. I stumbled upon the opcode above and decided to make a first aob script that copies the value for EDX only when [esi+4C] = 0 (which is player 1). Then I simply made a second AoB scan that targets my operation that writes to gold and stores the value of ECX. This gives me EDX and ECX and thus allows me to 'add address manually' so I can find gold easily and freeze it in game (it's still encrypted, but I don't mind)


EDIT: well, apparently [esi+4C] isn't player 1 when the value is 0, it's the position you take on the map. 0 is the default starting position. When I place an AI on the default spot, the script finds his gold address, although it's very buggy and constantly moves between 0 and his EDX. When I take the default position it works without a hitch.

Here: 89 04 8A 5B 74 1A
Player EBX=0
Enemy EBX=1

Gold value before being encrypted.
But the problem is how to compare Player vs Enemy.

Code:

[ENABLE]
aobscanmodule(p_gold,StrongholdBase.dll,78 77 07 C7 45 FC 00 00 00 00 D9 45 FC 8B E5)
alloc(newmem,$100)

label(code)
label(return)

newmem:
code:
  mov [ebp-04],(float)999999
  fld dword ptr [ebp-04]
  mov esp,ebp
  jmp return

p_gold+0A:
  jmp newmem
return:
registersymbol(p_gold)

[DISABLE]
p_gold+0A:
  db D9 45 FC 8B E5

unregistersymbol(p_gold)
dealloc(newmem)

EDIT: (mov [edx+edi*4],eax)
Btw edx and eax are encrypted
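Both scripts in this thread overwrite an instruction sequence with a 5-byte `jmp newmem` and relocate the bytes they stole: the first one (`89 04 8A 5B 74 1A`) is followed by a `nop`, the second one (`D9 45 FC 8B E5` at `p_gold+0A`) is not. The decoder below, an added example rather than code from the thread or from Cheat Engine, covers only the encodings those two patterns use (MOV with ModRM/SIB, POP, Jcc rel8, FLD m32, NOP, RET) and raises on anything else. `stolen_bytes` works out how many whole instructions the hook displaces and whether padding is needed, which is the arithmetic behind that `nop`.

```python
"""Decode the few x86-32 instruction forms that appear in this thread's byte patterns.

Added example, not code from the thread or from Cheat Engine. Only the encodings needed
for '89 04 8A 5B 74 1A' and 'D9 45 FC 8B E5' are supported; anything else raises.
"""
from typing import List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
JCC8 = {0x74: "je", 0x75: "jne", 0x76: "jbe", 0x77: "ja",
        0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


def _decode_modrm(code: bytes, pos: int) -> Tuple[int, str, int]:
    """Decode ModRM (+ SIB / displacement) at code[pos]: (reg field, operand text, next pos)."""
    modrm = code[pos]
    pos += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:                                   # register-direct operand
        return reg, REG32[rm], pos
    base: Optional[int] = rm
    index: Optional[int] = None
    scale, disp, has_disp = 1, 0, False
    if rm == 4:                                    # SIB byte: scale | index | base
        sib = code[pos]
        pos += 1
        scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        if index == 4:
            index = None                           # index field 100 means "no index"
        if base == 5 and mod == 0:                 # [index*scale+disp32] without a base
            base = None
            disp, pos, has_disp = int.from_bytes(code[pos:pos + 4], "little", signed=True), pos + 4, True
    elif rm == 5 and mod == 0:                     # absolute [disp32]
        base = None
        disp, pos, has_disp = int.from_bytes(code[pos:pos + 4], "little", signed=True), pos + 4, True
    if mod == 1:                                   # disp8 follows
        disp, pos, has_disp = int.from_bytes(code[pos:pos + 1], "little", signed=True), pos + 1, True
    elif mod == 2:                                 # disp32 follows
        disp, pos, has_disp = int.from_bytes(code[pos:pos + 4], "little", signed=True), pos + 4, True
    text = REG32[base] if base is not None else ""
    if index is not None:
        text += ("+" if text else "") + f"{REG32[index]}*{scale}"
    if has_disp:
        if text:                                   # Cheat Engine style: [ebp-04], [esi+4C]
            text += ("+" if disp >= 0 else "-") + f"{abs(disp):02X}"
        else:
            text = f"{disp & 0xFFFFFFFF:08X}"
    return reg, f"[{text}]", pos


def disassemble(code: bytes) -> List[Tuple[int, int, str]]:
    """Return (offset, length, text) for each instruction in code."""
    out = []
    pos = 0
    while pos < len(code):
        start = pos
        op = code[pos]
        pos += 1
        if op == 0x89:                             # MOV r/m32, r32
            reg, rm, pos = _decode_modrm(code, pos)
            text = f"mov {rm},{REG32[reg]}"
        elif op == 0x8B:                           # MOV r32, r/m32
            reg, rm, pos = _decode_modrm(code, pos)
            text = f"mov {REG32[reg]},{rm}"
        elif op == 0xD9:                           # x87 escape; only /0 = FLD m32 handled
            reg, rm, pos = _decode_modrm(code, pos)
            if reg != 0 or not rm.startswith("["):
                raise ValueError(f"unsupported D9 /{reg} form at offset {start:#x}")
            text = f"fld dword ptr {rm}"
        elif 0x58 <= op <= 0x5F:                   # POP r32
            text = f"pop {REG32[op - 0x58]}"
        elif op in JCC8:                           # Jcc rel8; target given relative to buffer start
            rel = int.from_bytes(code[pos:pos + 1], "little", signed=True)
            pos += 1
            text = f"{JCC8[op]} short {pos + rel:+#x}"
        elif op == 0x90:
            text = "nop"
        elif op == 0xC3:
            text = "ret"
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {start:#x}")
        if pos > len(code):
            raise ValueError("instruction runs past the end of the buffer")
        out.append((start, pos - start, text))
    return out


def stolen_bytes(code: bytes, jmp_len: int = 5) -> Tuple[int, int, int]:
    """Whole instructions a jmp rel32 hook displaces: (count, bytes covered, nop padding).

    The jmp must not cut an instruction in half, so the hook relocates whole
    instructions until at least jmp_len bytes are covered and pads the rest with nops.
    """
    covered = 0
    for count, (_, length, _) in enumerate(disassemble(code), start=1):
        covered += length
        if covered >= jmp_len:
            return count, covered, covered - jmp_len
    raise ValueError("buffer too short to host the jmp")


if __name__ == "__main__":
    for pat in ("89 04 8A 5B 74 1A", "D9 45 FC 8B E5"):
        for off, _, text in disassemble(bytes.fromhex(pat)):
            print(f"+{off:02X}  {text}")
        print("  hook steals (instructions, bytes, nops):", stolen_bytes(bytes.fromhex(pat)))
```

Run on the first pattern it yields `mov [edx+ecx*4],eax; pop ebx; je short +0x20`, three instructions covering 6 bytes, hence one `nop` after the `jmp`; on the second it yields `fld dword ptr [ebp-04]; mov esp,ebp`, exactly 5 bytes, hence no padding. The SIB byte `8A` selects `ecx` as the index register, which is the form the first script relocates; `mov [edx+edi*4],eax` would encode as `89 04 BA`.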
