Finding a changing base address

Ghend
Noobzor
Posts: 5
Joined: Wed Aug 22, 2018 9:29 pm
Reputation: 0

Finding a changing base address

Post by Ghend »

I'm playing around with MHW hacking and want to change base Attack. The problem is that every time you change equipment, the address changes. Fortunately it's easy enough to find Sharpness (a separate address) and then find the base address of the Player Stats using "find what writes to"; Attack is then always [base+19F4]. Changing it on a one-time basis is really simple, but still a bit time consuming, having to do it every time the game is restarted or equipment changes.

So my question is, what would be the best way to find a static version of this Attack address, or how can I "find" the base address and record it with the offset +19F4 to get my Attack address?

I can do an AOB scan to Sharpness and get the Player Stats base address no problem, but again I cannot do "find what writes to" for Attack because right when the value changes, the base address that it's based off of has already changed and gives me no results. I've also tried generating a pointermap for 2 separate instances of the Attack value and comparing the 2, which gave me 0 results.

e: So I was able to use "Find What Accesses" on Sharpness, found an opcode and clicked "More Info" which gave me the probable pointer. Then I searched that in Hex 4byte, added the address of one of those values manually as a pointer + the offset for Sharpness (1DD0) and it worked. Then I used that same pointer+19F4 and that also worked for Attack, but then as soon as I changed equipment again it broke. There were no green values returned in my initial search, but am I on the right track?
Last edited by Ghend on Sat Aug 25, 2018 2:54 pm, edited 1 time in total.

koderkrazy
Expert Cheater
Posts: 254
Joined: Sun Jun 17, 2018 2:14 pm
Reputation: 190

Re: Finding a changing base address

Post by koderkrazy »

One thing you can do is 'what accesses' on the base address, attack address or player stats. Then do a bunch of actions like changing armor or hitting something.
Read methods are called more often than write. With more available read spots you can inject at a suitable spot, like something constantly reading values for UI display, etc.

With big games it's not easy to find a static address. You'll have to go all the way up the call stack using break and trace and conditional breakpoints on data in hex view. So I think AOB injections are the easier option.

Ghend
Noobzor
Posts: 5
Joined: Wed Aug 22, 2018 9:29 pm
Reputation: 0

Re: Finding a changing base address

Post by Ghend »

koderkrazy wrote:
Sat Aug 25, 2018 2:53 pm
One thing you can do is 'what accesses' on the base address, attack address or player stats. Then do a bunch of actions like changing armor or hitting something.
Read methods are called more often than write. With more available read spots you can inject at a suitable spot, like something constantly reading values for UI display, etc.

With big games it's not easy to find a static address. You'll have to go all the way up the call stack using break and trace and conditional breakpoints on data in hex view. So I think AOB injections are the easier option.
Thank you for the reply.

I was able to do "what accesses" on the Attack value, hit some stuff and found the opcode that gets called when damage is dealt: mov eax,[rcx+19F4], with the address rcx+19F4 being my Attack. Did a break and trace on that, hit something, and I'm kind of lost to be honest. Code injection and break+trace are fairly new to me, though I'm looking up some tutorials now to see if I can make sense of it. I can toggle a breakpoint on it to consistently find my Attack / the "player stats" base address when that changes, but beyond that I'm not sure how to make use of having this.

e: Other potentially useful info if this is helpful: The address of that instruction is MHW.exe+C09FB0F, bytes are "8B 81 F4190000"

Typically I use AOB injections when I make my own CTs, but the only method I know of is "find what writes to"-->"show in disassembler" then doing it via template.
Last edited by Ghend on Sat Aug 25, 2018 3:27 pm, edited 1 time in total.

koderkrazy
Expert Cheater
Posts: 254
Joined: Sun Jun 17, 2018 2:14 pm
Reputation: 190

Re: Finding a changing base address

Post by koderkrazy »

What I am suggesting is that you do an aobScan injection on the instruction mov eax,[rcx+19F4]:
1. In your code create a symbol\variable using globalalloc(basePointer,8).
2. In newmem, write mov [basePointer],rcx.
3. Now in your table use 'Add Address Manually', select pointer, and put basePointer as the base and 19F4 as the offset.
4. Activate the cheat and try to hit a tree or wall or enemy. You'll get your attack.
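The four steps above assembled into one complete Cheat Engine auto-assembler script, as an added example (not code posted in this thread). It hooks the mov eax,[rcx+19F4] instruction Ghend found (bytes 8B 81 F4 19 00 00); the names inj_attackread and basePointer, the module name MonsterHunterWorld.exe (as in the later script, where Ghend wrote MHW.exe) and the assumption that those six bytes are a unique pattern are mine.

```asm
[ENABLE]
// Added example: koderkrazy's steps 1-4 as one script. It hooks the read
// Ghend found, mov eax,[rcx+19F4] (bytes 8B 81 F4 19 00 00 at MHW.exe+C09FB0F).
// Assumptions: the module is MonsterHunterWorld.exe and those six bytes are
// a unique pattern; if aobscanmodule reports several matches, extend the
// pattern with the bytes around the instruction.
aobscanmodule(inj_attackread,MonsterHunterWorld.exe,8B 81 F4 19 00 00)
alloc(newmem,$1000,inj_attackread)
globalalloc(basePointer,8)     // step 1: 8-byte slot, kept across disable/enable
label(code)
label(return)
registersymbol(inj_attackread)

newmem:
  mov [basePointer],rcx        // step 2: rcx holds the player stats base here
code:
  mov eax,[rcx+000019F4]       // the original instruction, re-executed
  jmp return

inj_attackread:
  jmp newmem                   // 5-byte jmp over the 6-byte original
  nop                          // pad the sixth byte
return:

[DISABLE]
inj_attackread:
  db 8B 81 F4 19 00 00         // restore the original bytes
unregistersymbol(inj_attackread)
dealloc(newmem)
```

For step 3, add the address manually as a pointer with basePointer as the base and 19F4 as the offset; basePointer is only rewritten when the hooked read executes (step 4), so after an equipment change it stays stale until damage is dealt again.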

Ghend
Noobzor
Posts: 5
Joined: Wed Aug 22, 2018 9:29 pm
Reputation: 0

Re: Finding a changing base address

Post by Ghend »

koderkrazy wrote:
Sat Aug 25, 2018 3:25 pm
What I am suggesting is that you do an aobScan injection on the instruction mov eax,[rcx+19F4]:
1. In your code create a symbol\variable using globalalloc(basePointer,8).
2. In newmem, write mov [basePointer],rcx.
3. Now in your table use 'Add Address Manually', select pointer, and put basePointer as the base and 19F4 as the offset.
4. Activate the cheat and try to hit a tree or wall or enemy. You'll get your attack.
Thank you for the continued help! This works to get me the base stats address stored in basepointer, and my Attack value as basepointer+19F4 manually added to my table. It requires that I attack something first, but it works (it also requires me to attack something to update it when the actual address changes, e.g. any time I change equipment or change the value in-game, the address changes and I have to attack something again to find the new address and be able to edit it in CE). Is there a way I can turn this into a script so that the game "figures out" the base stat base address and then points to Attack without my having to attack something?

Another user here, seikur0, has made a script that does this and then has cheat entries that point to the correct address; those can be used for the typical "find what writes to"-->AOB injection, whereas with mine I have to attack something every time the address changes in order to update basepointer+19F4 to the correct address, so "find what writes to" gets me nothing useful.
Script:
[ENABLE]
aobscanmodule(inj_playerstats,MonsterHunterWorld.exe,83 F8 20 75 08 33 C0 48 83 C4 20 5B C3 48 8B 83 ******** 48 85 C0 0F 84)
alloc(newmem,$1000,"MonsterHunterWorld.exe"+1BDAD36)

label(return)
label(return_jump)

label(p_playerstats)
registersymbol(p_playerstats)

newmem:
// rax was just loaded from [rbx+7290]: the player stats base
mov [p_playerstats],rax
// the two replaced instructions: test rax,rax / je <original target>
test rax,rax
je return_jump
jmp return

p_playerstats:
dq 0

// hook at pattern+14 (test rax,rax); the 5-byte jmp overwrites
// "48 85 C0 0F 84", the rest of the je is skipped via return
inj_playerstats+14:
jmp newmem
registersymbol(inj_playerstats)

// first instruction after the original 6-byte je
inj_playerstats+1d:
return:

// target of the original je: MonsterHunterWorld.exe+1BDAE42, which is
// pattern start (+1BDAD40) + 102 according to the listing below
inj_playerstats+102:
return_jump:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
inj_playerstats+14:
db 48 85 C0 0F 84

unregistersymbol(p_playerstats)
unregistersymbol(inj_playerstats)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "MonsterHunterWorld.exe"+1BDAD36

"MonsterHunterWorld.exe"+1BDAD28: CC - int 3
"MonsterHunterWorld.exe"+1BDAD29: CC - int 3
"MonsterHunterWorld.exe"+1BDAD2A: CC - int 3
"MonsterHunterWorld.exe"+1BDAD2B: CC - int 3
"MonsterHunterWorld.exe"+1BDAD2C: CC - int 3
"MonsterHunterWorld.exe"+1BDAD2D: CC - int 3
"MonsterHunterWorld.exe"+1BDAD2E: CC - int 3
"MonsterHunterWorld.exe"+1BDAD2F: CC - int 3
"MonsterHunterWorld.exe"+1BDAD30: 40 53 - push rbx
"MonsterHunterWorld.exe"+1BDAD32: 48 83 EC 20 - sub rsp,20
// ---------- INJECTING HERE ----------
"MonsterHunterWorld.exe"+1BDAD36: 33 D2 - xor edx,edx
"MonsterHunterWorld.exe"+1BDAD38: 48 8B D9 - mov rbx,rcx
// ---------- DONE INJECTING ----------
"MonsterHunterWorld.exe"+1BDAD3B: E8 10 10 F3 FF - call MonsterHunterWorld.exe+1B0BD50
"MonsterHunterWorld.exe"+1BDAD40: 83 F8 20 - cmp eax,20
"MonsterHunterWorld.exe"+1BDAD43: 75 08 - jne MonsterHunterWorld.exe+1BDAD4D
"MonsterHunterWorld.exe"+1BDAD45: 33 C0 - xor eax,eax
"MonsterHunterWorld.exe"+1BDAD47: 48 83 C4 20 - add rsp,20
"MonsterHunterWorld.exe"+1BDAD4B: 5B - pop rbx
"MonsterHunterWorld.exe"+1BDAD4C: C3 - ret
"MonsterHunterWorld.exe"+1BDAD4D: 48 8B 83 90 72 00 00 - mov rax,[rbx+00007290]
"MonsterHunterWorld.exe"+1BDAD54: 48 85 C0 - test rax,rax
"MonsterHunterWorld.exe"+1BDAD57: 0F 84 E5 00 00 00 - je MonsterHunterWorld.exe+1BDAE42
}

koderkrazy
Expert Cheater
Posts: 254
Joined: Sun Jun 17, 2018 2:14 pm
Reputation: 190

Re: Finding a changing base address

Post by koderkrazy »

Why are you injecting after "MonsterHunterWorld.exe"+1BDAD43: 75 08 - jne MonsterHunterWorld.exe+1BDAD4D and not before?
If you inject before, you'll get the base address more frequently. In the current scenario you are getting the base address only when eax is not 20.

If you inject at "MonsterHunterWorld.exe"+1BDAD38: 48 8B D9 - mov rbx,rcx then write something like this.

newmem:
  push rax
  mov rax,[rcx+00007290]      // rcx is the object that rbx is about to receive
  mov [p_playerstats],rax     // capture the player stats base on every call
  pop rax

code:
  xor edx,edx                 // the replaced original instructions
  mov rbx,rcx
  jmp return
Is there a way I can then turn this into a script that the game can "figure out" the base stat base address and then point to Attack without having to attack something?
As I mentioned before, do 'What accesses this' on the base stat pointer (NOT on the attack pointer), select an instruction that is called more frequently, like non-stop, and do the AOB injection there.
