[Solved] - Stuck at Tutorial Step 6: Pointers.

lcmiracle

Cheater
Hello gang. I'm trying to learn to create tables, as many old tables that I used for less mainstream games are now dysfunctional, having been abandoned by their creators. And ashamed as I am, I've got to admit that I'm stuck at step 6.

The instruction tells me to:
First find the address of the value. When you've found it use the function to find out what accesses this address.
Which was done. I had the opcode that accessed the found address and four instructions:
Code:
```
10002C5A1 - 8B 00  - mov eax,[rax]
10002C61C - 89 02  - mov [rdx],eax
10002C625 - 8B 00  - mov eax,[rax]
10002C659 - 8B 10  - mov edx,[rax]
```
Since the tutorial does not specify which instruction to use, I used the first one.

The tutorial says:
If the assembler instruction doesn't have anything between a '[' and ']' then use another item in the list. If it does, it will say what it thinks will be the value of the pointer you need.
So the extra info window I opened by double-clicking on the first instruction gives "the value of the pointer needed to find this address is probably 00000008".
Go back to the main cheat engine window (you can keep this extra info window open if you want, but if you close it, remember what is between the [ and ] ) and do a 4 byte scan in hexadecimal for the value the extra info told you.
Which I assume was the value "8" in hex. I noted the address of the top-most value (20CF4 in this case) as the tutorial instructs and used it as the address for the next step, which is:
Now click on manually add and select the pointer checkbox.
This next step is what stumped me. The tutorial says:
If the assembler instruction has a calculation (e.g: [esi+12]) at the end then type the value in that's at the end. else leave it 0. If it was a more complicated instruction look at the calculation.
As I posted above, there is no offset to the register rax, and the address of the register was "00000008" - the value of the pointer. So I left the offset "0", but the value of the resulting address is "???". Putting "8" in the offset box doesn't work either.

I mean, this is not a special case where there are offsets within the square brackets, like the tutorial described. What am I doing wrong? It might be because I'm not a native English speaker, but I am rather confused by the instructions of the tutorial. Some help would be appreciated.

Thanks.

FreeER

RCE Fanatics
Talents
Code:
```
10002C5A1 - 8B 00  - mov eax,[rax]
```
Happens to be a bad one to use for this because eax is just the bottom half of rax, which means that the code is overwriting the address in rax by writing the value at that address into eax, and CE shows the value of the registers after the instruction has been run, so you aren't getting the address but the value. If you use one of the instructions that isn't writing into the same register then you'll be able to see the actual address; alternatively you can set a breakpoint on the instruction and see what the address is before it runs. If an offset isn't shown then it's 0.

Though you can also figure out the address yourself. For instance, if it's reading/changing something at 0x7FF8 and there isn't an offset then the address has to be 0x7FF8; if there's an offset of +4 then the address has to be at 0x7FF8 - 4 = 0x7FF4. The Windows calculator can do math in hexadecimal if you use the programmer mode, so you don't even have to really understand that 7FF8 is 7*16^3 +15*16^2 + 15*16^1 + 4*16^0 to do math with larger offsets (Google can do it too if you use the 0x prefix).
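The procedure lcmiracle quoted from the tutorial (pick an instruction that has something between `[` and `]`, read the offset, compute the pointer value) and FreeER's two points (an instruction such as `mov eax,[rax]` clobbers its own base register, so CE's post-instruction register dump shows the loaded value rather than the address; and base = accessed address - offset) can be mechanised. The following is an added example, written for this page and not code from the thread or from Cheat Engine. It assumes CE's disassembly line layout as shown in the posts (`address - bytes - instruction`, hex displacements without a `0x` prefix); the four sample lines are lcmiracle's, and the fifth line with `[rsi+14]` is a constructed, hypothetical one added to show the subtraction.

```python
import re

# Constructed sample input: the four lines lcmiracle posted, plus one hypothetical
# line with a displacement (not from the original thread) to show the offset math.
SAMPLE_LINES = [
    "10002C5A1 - 8B 00  - mov eax,[rax]",
    "10002C61C - 89 02  - mov [rdx],eax",
    "10002C625 - 8B 00  - mov eax,[rax]",
    "10002C659 - 8B 10  - mov edx,[rax]",
    "10002C700 - 8B 46 14 - mov eax,[rsi+14]",  # hypothetical line
]

# "address - opcode bytes - assembler text", as CE's "what accesses" window prints it.
LINE_RE = re.compile(
    r"^\s*(?P<addr>[0-9A-Fa-f]+)\s*-\s*"
    r"(?P<bytes>[0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*)\s*-\s*"
    r"(?P<asm>\S.*?)\s*$"
)
MEM_RE = re.compile(r"\[(?P<inner>[^\]]+)\]")

# Every name in a tuple aliases the 64-bit register listed first: writing eax
# zero-extends into rax, so it counts as writing rax.
_REG_FAMILIES = [
    ("rax", "eax", "ax", "al", "ah"), ("rbx", "ebx", "bx", "bl", "bh"),
    ("rcx", "ecx", "cx", "cl", "ch"), ("rdx", "edx", "dx", "dl", "dh"),
    ("rsi", "esi", "si", "sil"), ("rdi", "edi", "di", "dil"),
    ("rbp", "ebp", "bp", "bpl"), ("rsp", "esp", "sp", "spl"),
]
for _n in range(8, 16):
    _REG_FAMILIES.append((f"r{_n}", f"r{_n}d", f"r{_n}w", f"r{_n}b"))
REG_FAMILY = {name: fam[0] for fam in _REG_FAMILIES for name in fam}


def parse_memory_operand(inner):
    """'rax' -> base rax, disp 0; 'rsi+14' -> disp 0x14; 'rdx+rcx*4+8' -> index rcx*4, disp 8."""
    base = index = None
    scale, disp = 1, 0
    for sign, term in re.findall(r"([+-]?)([^+-]+)", inner.replace(" ", "")):
        term = term.lower()
        if "*" in term:                      # index register with scale
            index, s = term.split("*")
            scale = int(s)
        elif term in REG_FAMILY:             # first register is the base, a second is the index
            if base is None:
                base = term
            else:
                index = term
        else:                                # CE prints displacements in hex, no 0x prefix
            try:
                value = int(term, 16)
            except ValueError:
                raise ValueError(f"unrecognised operand term {term!r}") from None
            disp += -value if sign == "-" else value
    return {"base": base, "index": index, "scale": scale, "disp": disp}


def parse_line(line):
    """Split one CE disassembly line into address, mnemonic, operands and memory operand."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a CE disassembly line: {line!r}")
    mnemonic, _, rest = m.group("asm").partition(" ")
    operands = [op.strip() for op in rest.split(",")] if rest else []
    mem = mem_index = None
    for i, op in enumerate(operands):
        mm = MEM_RE.search(op)
        if mm:
            mem, mem_index = parse_memory_operand(mm.group("inner")), i
            break
    return {"addr": int(m.group("addr"), 16), "mnemonic": mnemonic.lower(),
            "operands": operands, "mem": mem, "mem_index": mem_index}


def destination_clobbers_base(insn):
    """True when the instruction writes its own base register (FreeER's eax/rax case):
    CE shows registers after execution, so the dump holds the loaded value, not the address."""
    mem = insn["mem"]
    if mem is None or mem["base"] is None or insn["mem_index"] != 1:
        return False            # no memory operand, or memory is the destination: base survives
    if insn["mnemonic"] in ("cmp", "test"):
        return False            # compare-style instructions only read their first operand
    dst = insn["operands"][0].lower()
    return REG_FAMILY.get(dst) == REG_FAMILY[mem["base"]]


def pointer_base(accessed_address, insn, index_value=0):
    """The value the pointer must hold: accessed address minus displacement (and minus
    index*scale if an index register is involved and its runtime value is known)."""
    mem = insn["mem"]
    if mem is None:
        raise ValueError("no memory operand; use another item in the list")
    return accessed_address - mem["disp"] - index_value * mem["scale"]


def choose_instruction(lines):
    """First line with a usable [base...] operand whose base register is not overwritten."""
    for line in lines:
        insn = parse_line(line)
        if insn["mem"] and insn["mem"]["base"] and not destination_clobbers_base(insn):
            return insn
    return None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        insn = parse_line(line)
        flag = "clobbers its own base register" if destination_clobbers_base(insn) else "ok"
        print(f"{line:45} offset={insn['mem']['disp']:#x} {flag}")
    picked = choose_instruction(SAMPLE_LINES)
    print(f"use {picked['addr']:X} ({' '.join(picked['operands'])})")
    print(f"[rsi+14] accessed at 0x7FF8 -> pointer holds {pointer_base(0x7FF8, parse_line(SAMPLE_LINES[4])):#x}")
```

Run on lcmiracle's four lines, `choose_instruction` skips the first `mov eax,[rax]` and picks `mov [rdx],eax`, which is the "instruction that isn't writing into the same register" FreeER recommends; `pointer_base` reproduces the `0x7FF8 - 4 = 0x7FF4` arithmetic for any displacement, including negative ones and scaled index registers when their runtime value is supplied.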

lcmiracle

Cheater
FreeER said:
Code:
```
10002C5A1 - 8B 00  - mov eax,[rax]
```
You are right! Oh, how I wish I'd paid more attention when I was learning assembly code.