Finding a Double Address type based on a 4 Byte Pointer?
So I'm playing a VN SLG game from BISHOP. I found a set of 4-byte pointers that seem to point to existing stats in game, but when I tried to change the values or even freeze them they don't seem to update, so I searched the same values with All and lo and behold they were actually a Double type address. But when I tried to make pointer maps for these addresses I came out with nothing; I tried to use "what writes into this pointer" on the 4 byte and came out with nothing.
Am I derping up? Or is there something that's missing? Presumably this should be simple, as changing that double address actually reflects in the game.
Re: Finding a Double Address type based on a 4 Byte Pointer?
Algester wrote: ↑Sun May 16, 2021 3:03 pm
So I'm playing a VN SLG game from BISHOP. I found a set of 4-byte pointers that seem to point to existing stats in game, but when I tried to change the values or even freeze them they don't seem to update, so I searched the same values with All and lo and behold they were actually a Double type address. But when I tried to make pointer maps for these addresses I came out with nothing; I tried to use "what writes into this pointer" on the 4 byte and came out with nothing.
Am I derping up? Or is there something that's missing? Presumably this should be simple, as changing that double address actually reflects in the game.

There are a couple of things that could've gone wrong. Firstly, if you're trying to make a scan type script, you would want to do "what accesses this address" rather than a "what writes". This is due to you presumably wanting to grab the address when you look at it, and not when it's changed. So the key difference: you open up the menu and see the stats, and you want to know its address, then that's a "find out what accesses" type of scenario. If you wanted your pointer to update when you level up or your stats change, then that would be a "what writes to" kind of situation. The other issue is that 4 bytes and doubles are structured completely separately. So you can't just change the Type from double to 4 byte and expect it to point to the right location. From your double address, right click the address and select to view it in memory. From there, change the double address and look at what address changes. Right click on the first number in that chunk that changed and add that value as a 4 byte. Once that's done, do a "what accesses this address" scan and you should have your instruction for your pointer there. Sorry if that wasn't super clear.
Re: Finding a Double Address type based on a 4 Byte Pointer?
Try seeing what accesses the address of the values. Seeing what writes/accesses the pointer only looks at the base address, not the value's address. But if changing the value has no effect, it's likely not the real value.
Re: Finding a Double Address type based on a 4 Byte Pointer?
So first I need to find the addresses of the double type values, then turn that into a 4 byte, and from there I can probably generate a pointer map? In theory it should work?
Since it seems that the double type address is actually writing into that 4-byte address that I initially thought was the right address, apparently it's just a reflection of what has changed but not "what's making the change".
So here's what's happening: once the number gets updated, these 4 addresses popped up based on the double type address
0011925E - DC 47 10 - fadd qword ptr [edi+10]
00119267 - DD 5F 10 - fstp qword ptr [edi+10]
00119281 - DC 57 10 - fcom qword ptr [edi+10]
001192AF - DC 57 10 - fcom qword ptr [edi+10]
These correspond to add, store double and then 2 check real; I think it's the store double that I'm chasing?
By getting one of the bytes and changing it to 4 bytes I got this
0013149A - DD 01 - fld qword ptr [ecx]
Re: Finding a Double Address type based on a 4 Byte Pointer?
This address is writing to an 8-byte pointer which EDI+10 points to. You shouldn't have to recast the datatype to achieve what you want. I would like to add that, from your post, you have found a reference to the pointer rather than the actual pointer. I would follow what ShyTwig16 suggested.
Re: Finding a Double Address type based on a 4 Byte Pointer?
I tried the generate pointer map based on zachillos' advice. I did come out with a pointer, but the offsets are pointing at the "wrong" set of bytes.... Should I do an 8 byte on the first byte of the address? But that would come out as a 0 result as it won't contain any changes?
Since the AoB will come out with 00 00 00 00 00 40 60 40 (for 130), but it will take the 4 bytes after: 40 60 40 XX XX XX XX, making it a "wrong" address when converted to double.
I'm learning as I'm derping about; while the double type address seems to work, it's also not pointable to a certain extent, or at least my currently generated pointer isn't working, so back to the drawing board.
Re: Finding a Double Address type based on a 4 Byte Pointer?
I messaged you on Discord but you are no longer on the server so my message was not delivered.
Re: Finding a Double Address type based on a 4 Byte Pointer?
Algester wrote: ↑Tue May 18, 2021 8:11 am
I tried the generate pointer map based on zachillos' advice. I did come out with a pointer, but the offsets are pointing at the "wrong" set of bytes.... Should I do an 8 byte on the first byte of the address? But that would come out as a 0 result as it won't contain any changes?
Since the AoB will come out with 00 00 00 00 00 40 60 40 (for 130), but it will take the 4 bytes after: 40 60 40 XX XX XX XX, making it a "wrong" address when converted to double.
I'm learning as I'm derping about; while the double type address seems to work, it's also not pointable to a certain extent, or at least my currently generated pointer isn't working, so back to the drawing board.

If it's a 32-bit game the pointers are 32 bit (4 bytes); if it's a 64-bit game the pointers are 64 bit (8 bytes). The picture shows 32-bit game code. If you are pointer scanning for a value, you need to test the value to make sure it's the right address; so freeze or edit the value and see if it has an effect in game. If it doesn't, then you don't have the right address. Once you have the right address, then do a pointer scan for that address. You really shouldn't need to convert the value. And what are you using the AOB for? If you're trying to find data structures with an AOB scan, then that tends to not work well; the bytes will change too much. Try doing the CE tutorial, it goes over a lot of the basics. For finding data structures you're better off using code injection to hook code that manipulates the data. Check the tutorial section of the forum, it has both text and video tutorials that can help.
Re: Finding a Double Address type based on a 4 Byte Pointer?
So I'm trying to have another crack at this. I somehow ended up with a fld qword ptr [ecx] that is looking at a bunch of addresses that contain the double values in the game. I tried to use it as an injection point to make the addresses appear, but it seems the CT does point to the right addresses.
Worst case scenario I'm thinking about this the wrong way... I could start with the 4 byte stuff and look for what's writing or accessing that address, even if the 4-byte addresses are not the real values.
Now I'm stumped. I looked at what addresses this instruction accesses; it stores all the character double data that's writable... I mean I could just probably make a "freeze" value but... mmm
Code:
[ENABLE]
aobscanmodule(INJECT,tjslg.exe,DD 5F 10 E8 F1 E1 09 00) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
fstp qword ptr [edi+10]
call tjslg.exe+D7460
jmp return
INJECT:
jmp newmem
nop 3
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db DD 5F 10 E8 F1 E1 09 00
unregistersymbol(INJECT)
dealloc(newmem)
Re: Finding a Double Address type based on a 4 Byte Pointer?
So here's where I'm currently at:
8B 49 04 mov ecx,[ecx+4] has the pointers, as shown by 661497
DD 01 fld qword ptr [ecx] has the values saved by mov ecx,[ecx+4], as shown by 66149A
I just want to expose the values in fld qword ptr [ecx]; to that end I tried
Code:
{ Game : tjslg.exe
Version:
Date : 2021-12-28
Author : Algester
This script does blah blah blah
}
[ENABLE]
aobscanmodule(SAKIINJECT,tjslg.exe,8B 49 04 DD 01) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
label(SAKIAOB)
registersymbol(SAKIAOB)
newmem:
SAKIAOB:
db
code:
mov [SAKIAOB],ecx
mov ecx,[ecx+04]
fld qword ptr [ecx]
jmp return
SAKIINJECT:
jmp newmem
return:
registersymbol(SAKIINJECT)
[DISABLE]
SAKIINJECT:
db 8B 49 04 DD 01
unregistersymbol(SAKIINJECT)
unregistersymbol(SAKIAOB)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: tjslg.exe+51497
tjslg.exe+5147E: FF 24 85 EC 14 66 00 - jmp dword ptr [eax*4+tjslg.exe+514EC]
tjslg.exe+51485: 8B 41 04 - mov eax,[ecx+04]
tjslg.exe+51488: 5E - pop esi
tjslg.exe+51489: 59 - pop ecx
tjslg.exe+5148A: C2 04 00 - ret 0004
tjslg.exe+5148D: 8B 41 04 - mov eax,[ecx+04]
tjslg.exe+51490: 8B 00 - mov eax,[eax]
tjslg.exe+51492: 5E - pop esi
tjslg.exe+51493: 59 - pop ecx
tjslg.exe+51494: C2 04 00 - ret 0004
// ---------- INJECTING HERE ----------
tjslg.exe+51497: 8B 49 04 - mov ecx,[ecx+04]
// ---------- DONE INJECTING ----------
tjslg.exe+5149A: DD 01 - fld qword ptr [ecx]
tjslg.exe+5149C: 83 EC 08 - sub esp,08
tjslg.exe+5149F: DD 1C 24 - fstp qword ptr [esp]
tjslg.exe+514A2: E8 B9 7C 0A 00 - call tjslg.exe+F9160
tjslg.exe+514A7: 83 C4 08 - add esp,08
tjslg.exe+514AA: E8 D1 D7 06 00 - call tjslg.exe+BEC80
tjslg.exe+514AF: 5E - pop esi
tjslg.exe+514B0: 59 - pop ecx
tjslg.exe+514B1: C2 04 00 - ret 0004
tjslg.exe+514B4: 8B 74 24 0C - mov esi,[esp+0C]
}
Last edited by Algester on Tue Dec 28, 2021 4:00 am, edited 2 times in total.
Re: Finding a Double Address type based on a 4 Byte Pointer?
Looks like the label in this line doesn't match the label you're using:
mov [AKIAOB],ecx >> mov [SAKIAOB],ecx ?
You also need a label for this placed in the editable memory.
You have 2 registersymbol in the enable section but only 1 unregister, so you would also need unregistersymbol(SAKIAOB).
Code:
[ENABLE]
aobscanmodule(SAKIINJECT,tjslg.exe,8B 49 04 DD 01) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
label(SAKIAOB)
registersymbol(SAKIAOB)
registersymbol(SAKIINJECT)

newmem:
SAKIAOB:
dd 0 // 4 bytes of storage for the saved ecx, kept out of the executed code path

code:
mov [SAKIAOB],ecx
mov ecx,[ecx+04]
fld qword ptr [ecx]
jmp return

SAKIINJECT:
jmp code // jump to the code, not to the storage dword
return:

[DISABLE]
SAKIINJECT:
db 8B 49 04 DD 01
unregistersymbol(SAKIINJECT)
unregistersymbol(SAKIAOB)
dealloc(newmem)
Re: Finding a Double Address type based on a 4 Byte Pointer?
sbryzl wrote: ↑Tue Dec 28, 2021 3:44 am
Looks like the label in this line doesn't match the label you're using:
mov [AKIAOB],ecx >> mov [SAKIAOB],ecx ?
You also need a label for this placed in the editable memory.
You have 2 registersymbol in the enable section but only 1 unregister, so you would also need unregistersymbol(SAKIAOB).
Code:
[ENABLE]
aobscanmodule(SAKIINJECT,tjslg.exe,8B 49 04 DD 01) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
label(SAKIAOB)
registersymbol(SAKIAOB)
registersymbol(SAKIINJECT)

newmem:
SAKIAOB:
dd 0 // 4 bytes of storage for the saved ecx, kept out of the executed code path

code:
mov [SAKIAOB],ecx
mov ecx,[ecx+04]
fld qword ptr [ecx]
jmp return

SAKIINJECT:
jmp code // jump to the code, not to the storage dword
return:

[DISABLE]
SAKIINJECT:
db 8B 49 04 DD 01
unregistersymbol(SAKIINJECT)
unregistersymbol(SAKIAOB)
dealloc(newmem)

Yeah, I figured out a bit late that the assembly I have is borked... still, it's not exactly "working"; the game just simply "gives up" lol
I tried this assembler script and somehow it's throwing me off the pointer... it "works"
Re: Finding a Double Address type based on a 4 Byte Pointer?
"works" means it's doing something but not exactly what you want?
Re: Finding a Double Address type based on a 4 Byte Pointer?
Algester wrote: ↑Tue Dec 28, 2021 3:00 am
...
So here's where I'm currently at:
8B 49 04 mov ecx,[ecx+4] has the pointers, as shown by 661497
DD 01 fld qword ptr [ecx] has the values saved by mov ecx,[ecx+4], as shown by 66149A
I just want to expose the values in fld qword ptr [ecx]; to that end I tried
Code:
//...
newmem:
SAKIAOB:
db
code:
mov [SAKIAOB],ecx
mov ecx,[ecx+04]
fld qword ptr [ecx]
jmp return
SAKIINJECT:
jmp newmem
return:
registersymbol(SAKIINJECT)
//...

You're storing the base address at "newmem" because it's at the same place as "SAKIAOB", and that's where you jump to for the injection point. And since you only use "db" with no bytes, it's actually writing over the first line of code in the "code" section. So it's trying to execute random garbage, thus it's likely crashing. Try changing the
jmp newmem
to
jmp code
. And you are storing a pointer for the address, thus in the address list it would need to be an address like this
[[SAKIAOB]+4]+0
for it to show the value correctly. Try it like this.
Code:
//...
newmem:
SAKIAOB:
dd 0 // make sure you give enough space for the address to be stored.
align 10 // this isn't required but if you follow the jump to inspect your code it will look nicer.
code:
mov ecx,[ecx+04]
mov [SAKIAOB],ecx // here you'll get that values address and not the pointer's address.
fld qword ptr [ecx]
jmp return
SAKIINJECT:
jmp code // so here you'll jump to the code and not the stored value.
return:
//...
[SAKIAOB]
and set the value type to double.

EDIT:
And just to note, mov XXX,ecx is moving the value of ecx, and mov XXX,[ecx] is moving the value at the address of ecx. And it's the same with fld, and basically all instructions. You learn to read fld qword ptr [ecx] as "floating point load qword at the address of ecx" and mov eax,[ecx+4] as "move the value at the address of ecx+4 to ecx" or "set the value of ecx to the value at the address of ecx+4".
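As an added example (not code from this thread, from Cheat Engine or from the game), the constructed memory image below ties together the two points made above: why the AoB 00 00 00 00 00 40 60 40 for 130 gives a 4-byte hit at +4 that is not a pointer and reads as garbage when taken as a double, and how the [[SAKIAOB]+4]+0 chain behind mov ecx,[ecx+4] / fld qword ptr [ecx] resolves to the real value. OBJ_ADDR, STAT_ADDR and every byte in MEM are made-up values.

```python
import struct

# Constructed little-endian memory image (made-up addresses, not the game's):
# a fake 32-bit object whose field at +4 holds the address of a double stat,
# the shape behind "mov ecx,[ecx+4]" followed by "fld qword ptr [ecx]".
OBJ_ADDR = 0x00A01000    # what ecx holds before "mov ecx,[ecx+4]" (the pointer)
STAT_ADDR = 0x00B02000   # where the double actually lives
STAT_VALUE = 130.0       # the value from the thread: 00 00 00 00 00 40 60 40

MEM = {}  # address -> byte; unwritten addresses read back as 0

def poke(addr, data):
    MEM.update(enumerate(data, start=addr))

def peek(addr, size):
    return bytes(MEM.get(addr + i, 0) for i in range(size))

def read_dword(addr):
    """What a '4 Bytes' entry or 'mov reg,[addr]' sees at addr."""
    return struct.unpack('<I', peek(addr, 4))[0]

def read_double(addr):
    """What a 'Double' entry or 'fld qword ptr [addr]' sees at addr."""
    return struct.unpack('<d', peek(addr, 8))[0]

def resolve_pointer_chain(base, offsets):
    """Cheat Engine style [[base]+o1]+o2: dereference all offsets but the last."""
    addr = base
    for off in offsets[:-1]:
        addr = read_dword(addr + off)
    return addr + offsets[-1]

def double_bytes(value):
    """Little-endian bytes of a double, as an AoB scan would display them."""
    return struct.pack('<d', value).hex(' ')

# Build the image: object +4 -> stat address, stat address -> 130.0
poke(OBJ_ADDR + 4, struct.pack('<I', STAT_ADDR))
poke(STAT_ADDR, struct.pack('<d', STAT_VALUE))

def views_of_stat():
    """The same 8 bytes read as different types, side by side."""
    return {
        'aob': double_bytes(STAT_VALUE),             # '00 00 00 00 00 40 60 40'
        'dword_at_+0': read_dword(STAT_ADDR),        # 0: low half of 130.0's mantissa
        'dword_at_+4': read_dword(STAT_ADDR + 4),    # 0x40604000: the misleading 4-byte hit
        'double_at_+4': read_double(STAT_ADDR + 4),  # denormal garbage, not 130.0
        'double_at_+0': read_double(STAT_ADDR),      # 130.0, what fld qword ptr [ecx] loads
    }
```

With the pointer saved (SAKIAOB holding OBJ_ADDR), resolve_pointer_chain(OBJ_ADDR, [4, 0]) returns STAT_ADDR, which is the address-list entry [[SAKIAOB]+4]+0 shown as a Double.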