Finding a Double Address type based on a 4 Byte Pointer?

Algester
Expert Cheater
Posts: 291
Joined: Sun Mar 04, 2018 9:48 am
Reputation: 63

Finding a Double Address type based on a 4 Byte Pointer?

Post by Algester »

So I'm playing a VN SLG game from BISHOP. I found a set of 4 byte pointers that seem to point to existing stats in game, but when I tried to change the values or even freeze them they don't seem to update. So I tried to search the same values with All and, lo and behold, they were actually a Double type address. But when I tried to make pointer maps for these addresses I came out with nothing. I tried to use "what writes into this pointer" on the 4 byte and came out with nothing.

Am I derping up? Or is there something that's missing? Presumably this should be simple, as changing that double address actually reflects into the game.

zachillios
Table Makers
Posts: 905
Joined: Fri Mar 03, 2017 9:05 am
Reputation: 760

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by zachillios »

Algester wrote:
Sun May 16, 2021 3:03 pm
So I'm playing a VN SLG game from BISHOP. I found a set of 4 byte pointers that seem to point to existing stats in game, but when I tried to change the values or even freeze them they don't seem to update. So I tried to search the same values with All and, lo and behold, they were actually a Double type address. But when I tried to make pointer maps for these addresses I came out with nothing. I tried to use "what writes into this pointer" on the 4 byte and came out with nothing.

Am I derping up? Or is there something that's missing? Presumably this should be simple, as changing that double address actually reflects into the game.

There's a couple things that could've gone wrong. Firstly, if you're trying to make a scan type script, you would want to do "what accesses this address" rather than "what writes". This is due to you presumably wanting to grab the address when you look at it, and not when it's changed. So, key difference: you open up the menu and see the stats, and you want to know its address, then that's a "find out what accesses this" type of scenario. If you wanted your pointer to update when you level up or your stats change, then that would be a "what writes to" kind of situation.

The other issue is that 4 bytes and doubles are structured completely separately. So you can't just change the Type from double to 4 byte and expect it to point to the right location. From your double address, right click the address and select to view it in memory. From there, change the double address and look at what address changes. Right click on the first number in that chunk that changed and add that value as a 4 byte. Once that's done, do a "what accesses this address" scan and you should have your instruction for your pointer there. Sorry if that wasn't super clear.

ShyTwig16
Expert Cheater
Posts: 335
Joined: Thu Apr 06, 2017 7:14 pm
Reputation: 20

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by ShyTwig16 »

Try seeing what accesses the address of the values. Seeing what writes/accesses the pointer only looks at the base address, not the value's address. But if changing the value has no effect, it's likely not the real value.

Algester
Expert Cheater
Posts: 291
Joined: Sun Mar 04, 2018 9:48 am
Reputation: 63

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by Algester »

So first I need to find the addresses of the double type values, then turn that into a 4 byte, and from there I can probably generate a pointer map? In theory it should work?

Since it seems that the double type address is actually writing into that 4 byte address that I initially thought was the right address, apparently it's just a reflecting value of what has changed but not "what's making the change".

[Image]

So here's what's happening: once the number gets updated, these 4 addresses popped up based on the double type address:
0011925E - DC 47 10 - fadd qword ptr [edi+10]
00119267 - DD 5F 10 - fstp qword ptr [edi+10]
00119281 - DC 57 10 - fcom qword ptr [edi+10]
001192AF - DC 57 10 - fcom qword ptr [edi+10]

These correspond to add, store double and then 2 check real. I think it's the store double that I'm chasing?

By getting one of the bytes and changing it to 4 bytes I got this:
0013149A - DD 01 - fld qword ptr [ecx]

LeFiXER
LeFixer
Posts: 489
Joined: Wed Mar 24, 2021 9:35 am
Reputation: 251

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by LeFiXER »

This address is writing to an 8-byte pointer which EDI+10 points to. You shouldn't have to recast the datatype to achieve what you want. I would like to add that, from your post, you have found a reference to the pointer rather than the actual pointer. I would follow what ShyTwig16 suggested.

Algester
Expert Cheater
Posts: 291
Joined: Sun Mar 04, 2018 9:48 am
Reputation: 63

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by Algester »

I tried the generate pointer map based on zachillios' advice. I did come out with a pointer but the offsets are pointing in the "wrong" set of bytes.... Should I do an 8 byte on the first byte of the address? But that would come out as a 0 result as it won't contain any changes?

Since the AoB will come out with 00 00 00 00 00 40 60 40 (for 130) but it will take 4 bytes after 40 60 40 XX XX XX XX, making it a "wrong" address when converted to double.

I'm learning as I'm derping about. While the double type address seems to work, it's also not pointable to a certain extent, or at least my currently generated pointer isn't working, so back to the drawing board.

LeFiXER
LeFixer
Posts: 489
Joined: Wed Mar 24, 2021 9:35 am
Reputation: 251

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by LeFiXER »

I messaged you on Discord but you are no longer on the server so my message was not delivered.

ShyTwig16
Expert Cheater
Posts: 335
Joined: Thu Apr 06, 2017 7:14 pm
Reputation: 20

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by ShyTwig16 »

Algester wrote:
Tue May 18, 2021 8:11 am
I tried the generate pointer map based on zachillios' advice. I did come out with a pointer but the offsets are pointing in the "wrong" set of bytes.... Should I do an 8 byte on the first byte of the address? But that would come out as a 0 result as it won't contain any changes?

Since the AoB will come out with 00 00 00 00 00 40 60 40 (for 130) but it will take 4 bytes after 40 60 40 XX XX XX XX, making it a "wrong" address when converted to double.

I'm learning as I'm derping about. While the double type address seems to work, it's also not pointable to a certain extent, or at least my currently generated pointer isn't working, so back to the drawing board.

If it's a 32 bit game the pointers are 32 bit (4 bytes), if it's a 64 bit game the pointers are 64 bit (8 bytes). The picture shows 32 bit game code. If you are pointer scanning for a value, you need to test the value to make sure it's the right address; so freeze or edit the value and see if it has an effect in game, if it doesn't then you don't have the right address. Once you have the right address then do a pointer scan for that address. You really shouldn't need to convert the value.

And what are you using the AOB for? If you're trying to find data structures with an AOB scan then that tends to not work well, the bytes will change too much. Try doing the CE tutorial, it goes over a lot of the basics. For finding data structures you're better off using code injection to hook code that manipulates the data. Check the tutorial section of the forum, it has both text and video tutorials that can help.

Algester
Expert Cheater
Posts: 291
Joined: Sun Mar 04, 2018 9:48 am
Reputation: 63

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by Algester »

So I'm trying to have another crack at this. I somehow ended up with a fld qword ptr [ecx] that is looking at a bunch of addresses that contain the double values in the game. I tried to use it as an injection point to make the addresses appear but it seems it CT does point to the right addresses.

Worst case scenario, I'm thinking about this in the wrong way... I could start with the 4 byte stuff and look for what's writing or accessing that address even if the 4 byte addresses are not the real values.

Code:

[ENABLE]

aobscanmodule(INJECT,tjslg.exe,DD 5F 10 E8 F1 E1 09 00) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  fstp qword ptr [edi+10]  // original instruction: store the double at [edi+10]
  call tjslg.exe+D7460     // original call, re-assembled relative to newmem
  jmp return

INJECT:
  jmp newmem
  nop 3                    // pad to the 8 original bytes
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db DD 5F 10 E8 F1 E1 09 00  // restore the original bytes

unregistersymbol(INJECT)
dealloc(newmem)

Now I'm stumped. I looked at what addresses this instruction accesses; this stores all the character double data that's writable... I mean I could just probably make a "freeze" value but... mmm

Algester
Expert Cheater
Posts: 291
Joined: Sun Mar 04, 2018 9:48 am
Reputation: 63

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by Algester »

[Image]

So here's where I'm currently at:
8B 49 04 mov ecx,[ecx+4] has the pointers as shown by 661497
DD 01 fld qword ptr [ecx] has the values saved by mov ecx,[ecx+4] as shown by 66149A
I just want to expose the values in fld qword ptr [ecx]. To that end I tried:

Code:

{ Game   : tjslg.exe
  Version: 
  Date   : 2021-12-28
  Author : Algester

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(SAKIINJECT,tjslg.exe,8B 49 04 DD 01) // should be unique
alloc(newmem,$1000)

label(code)
label(return)
label(SAKIAOB)
registersymbol(SAKIAOB)

newmem:
SAKIAOB:
  db

code:
  mov [SAKIAOB],ecx
  mov ecx,[ecx+04]
  fld qword ptr [ecx]
  jmp return

SAKIINJECT:
  jmp newmem
return:
registersymbol(SAKIINJECT)

[DISABLE]

SAKIINJECT:
  db 8B 49 04 DD 01

unregistersymbol(SAKIINJECT)
unregistersymbol(SAKIAOB)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: tjslg.exe+51497

tjslg.exe+5147E: FF 24 85 EC 14 66 00  - jmp dword ptr [eax*4+tjslg.exe+514EC]
tjslg.exe+51485: 8B 41 04              - mov eax,[ecx+04]
tjslg.exe+51488: 5E                    - pop esi
tjslg.exe+51489: 59                    - pop ecx
tjslg.exe+5148A: C2 04 00              - ret 0004
tjslg.exe+5148D: 8B 41 04              - mov eax,[ecx+04]
tjslg.exe+51490: 8B 00                 - mov eax,[eax]
tjslg.exe+51492: 5E                    - pop esi
tjslg.exe+51493: 59                    - pop ecx
tjslg.exe+51494: C2 04 00              - ret 0004
// ---------- INJECTING HERE ----------
tjslg.exe+51497: 8B 49 04              - mov ecx,[ecx+04]
// ---------- DONE INJECTING  ----------
tjslg.exe+5149A: DD 01                 - fld qword ptr [ecx]
tjslg.exe+5149C: 83 EC 08              - sub esp,08
tjslg.exe+5149F: DD 1C 24              - fstp qword ptr [esp]
tjslg.exe+514A2: E8 B9 7C 0A 00        - call tjslg.exe+F9160
tjslg.exe+514A7: 83 C4 08              - add esp,08
tjslg.exe+514AA: E8 D1 D7 06 00        - call tjslg.exe+BEC80
tjslg.exe+514AF: 5E                    - pop esi
tjslg.exe+514B0: 59                    - pop ecx
tjslg.exe+514B1: C2 04 00              - ret 0004
tjslg.exe+514B4: 8B 74 24 0C           - mov esi,[esp+0C]
}

But either to mixed results or the game just simply crashes. This could be easy had they been static addresses...
Last edited by Algester on Tue Dec 28, 2021 4:00 am, edited 2 times in total.

sbryzl
Expert Cheater
Posts: 146
Joined: Sat Mar 04, 2017 4:47 am
Reputation: 97

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by sbryzl »

Looks like the label in this line doesn't match the label you're using.
mov [AKIAOB],ecx >> mov [SAKIAOB],ecx ?
Also need a label for this placed in the editable memory.

You have 2 registersymbol in the enable section but only 1 unregister so would also need unregistersymbol(SAKIAOB).

Code:

[ENABLE]

aobscanmodule(SAKIINJECT,tjslg.exe,8B 49 04 DD 01) // should be unique
alloc(newmem,$1000)

label(return)
label(SAKIAOB)
registersymbol(SAKIAOB)
registersymbol(SAKIINJECT)

newmem:
  mov [SAKIAOB],ecx
  mov ecx,[ecx+04]
  fld qword ptr [ecx]
  jmp return
SAKIAOB:


SAKIINJECT:
  jmp newmem
return:

[DISABLE]

SAKIINJECT:
  db 8B 49 04 DD 01

unregistersymbol(SAKIINJECT)
unregistersymbol(SAKIAOB)
dealloc(newmem)

Algester
Expert Cheater
Posts: 291
Joined: Sun Mar 04, 2018 9:48 am
Reputation: 63

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by Algester »

Yeah, I figured out a bit late that the assembly I have is borked... still it's not exactly "working", the game just simply "gives up" lol

sbryzl wrote:
Tue Dec 28, 2021 3:44 am
Looks like the label in this line doesn't match the label you're using.
mov [AKIAOB],ecx >> mov [SAKIAOB],ecx ?
Also need a label for this placed in the editable memory.

You have 2 registersymbol in the enable section but only 1 unregister so would also need unregistersymbol(SAKIAOB).

Code:

[ENABLE]

aobscanmodule(SAKIINJECT,tjslg.exe,8B 49 04 DD 01) // should be unique
alloc(newmem,$1000)

label(return)
label(SAKIAOB)
registersymbol(SAKIAOB)
registersymbol(SAKIINJECT)

newmem:
  mov [SAKIAOB],ecx
  mov ecx,[ecx+04]
  fld qword ptr [ecx]
  jmp return
SAKIAOB:


SAKIINJECT:
  jmp newmem
return:

[DISABLE]

SAKIINJECT:
  db 8B 49 04 DD 01

unregistersymbol(SAKIINJECT)
unregistersymbol(SAKIAOB)
dealloc(newmem)

I tried this assemble script and somehow it's throwing me off the pointer... it "works"

sbryzl
Expert Cheater
Posts: 146
Joined: Sat Mar 04, 2017 4:47 am
Reputation: 97

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by sbryzl »

"works" means it's doing something but not exactly what you want?

ShyTwig16
Expert Cheater
Posts: 335
Joined: Thu Apr 06, 2017 7:14 pm
Reputation: 20

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by ShyTwig16 »

sbryzl wrote:
Tue Dec 28, 2021 3:44 am
Looks like the label in this line doesn't match the label you're using.
...

Good catch. Just to note, this is why all my scripts use the {$STRICT} tag so CE will throw an error for something like this.

ShyTwig16
Expert Cheater
Posts: 335
Joined: Thu Apr 06, 2017 7:14 pm
Reputation: 20

Re: Finding a Double Address type based on a 4 Byte Pointer?

Post by ShyTwig16 »

Algester wrote:
Tue Dec 28, 2021 3:00 am
...
So here's where I'm currently at:
8B 49 04 mov ecx,[ecx+4] has the pointers as shown by 661497
DD 01 fld qword ptr [ecx] has the values saved by mov ecx,[ecx+4] as shown by 66149A
I just want to expose the values in fld qword ptr [ecx]. To that end I tried:

Code:

//...
newmem:
SAKIAOB:
  db

code:
  mov [SAKIAOB],ecx
  mov ecx,[ecx+04]
  fld qword ptr [ecx]
  jmp return

SAKIINJECT:
  jmp newmem
return:
registersymbol(SAKIINJECT)
//...

You're storing the base address at "newmem" because it's at the same place as "SAKIAOB", and that's where you jump to for the injection point. And since you only use "db" with no bytes it's actually writing over the first line of code in the "code" section. So it's trying to execute random garbage, thus it's likely crashing. Try changing the jmp newmem to jmp code.

And you are storing a pointer for the address thus in the address list it would need to be an address like this [[SAKIAOB]+4]+0 for it to show the value correctly. Try it like this.

Code:

//...
newmem:
SAKIAOB:
  dd 0 // make sure you give enough space for the address to be stored.
align 10 // this isn't required but if you follow the jump to inspect your code it will look nicer.
code:
  mov ecx,[ecx+04]
  mov [SAKIAOB],ecx // here you'll get that value's address and not the pointer's address.
  fld qword ptr [ecx]
  jmp return

SAKIINJECT:
  jmp code // so here you'll jump to the code and not the stored value.
return:
//...

Then you can set the address as [SAKIAOB] and set the value type to double.

EDIT:
And just to note, mov XXX,ecx is moving the value of ecx and mov XXX,[ecx] is moving the value at the address of ecx. And it's the same with fld, and basically all instructions. You learn to read fld qword ptr [ecx] as "floating point load qword at the address of ecx" and mov eax,[ecx+4] as "move the value at the address of ecx+4 to ecx" or "set the value of ecx to the value at the address of ecx+4".
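
A small model of two points from this thread, added here as an example (it is not code from any poster and not Cheat Engine's own): how the double 130 sits in memory next to a 4-byte view of the same bytes, and why saving ecx before or after mov ecx,[ecx+04] changes the address-list entry from [[SAKIAOB]+4]+0 to [SAKIAOB]. The Mem class, resolve() and the addresses SYMBOL, OBJ and STAT are hypothetical and constructed for the illustration.

```python
import struct

class Mem:
    """Toy flat little-endian memory of a 32-bit process (constructed for illustration)."""
    def __init__(self, size=0x100):
        self.buf = bytearray(size)
    def w32(self, addr, v):  struct.pack_into("<I", self.buf, addr, v)
    def wf64(self, addr, v): struct.pack_into("<d", self.buf, addr, v)
    def r32(self, addr):  return struct.unpack_from("<I", self.buf, addr)[0]
    def rf64(self, addr): return struct.unpack_from("<d", self.buf, addr)[0]

def resolve(mem, symbol, offsets):
    """Address-list path [[symbol]+o1]+o2...: dereference after every offset but the last."""
    addr = mem.r32(symbol)
    for off in offsets[:-1]:
        addr = mem.r32(addr + off)
    return addr + offsets[-1]

# Hypothetical addresses: symbol slot, an object, and the double stat it points to.
SYMBOL, OBJ, STAT = 0x10, 0x20, 0x40

def build():
    mem = Mem()
    mem.w32(OBJ + 4, STAT)    # the 4-byte pointer that mov ecx,[ecx+04] loads
    mem.wf64(STAT, 130.0)     # the 8-byte double that fld qword ptr [ecx] loads
    return mem

def dword_views(mem, addr):
    """The 8 bytes of a double read as two 4-byte integers (low, high)."""
    return mem.r32(addr), mem.r32(addr + 4)

def store_before_deref(mem):
    mem.w32(SYMBOL, OBJ)                  # mov [SAKIAOB],ecx before mov ecx,[ecx+04]
    return resolve(mem, SYMBOL, [4, 0])   # address list needs [[SAKIAOB]+4]+0

def store_after_deref(mem):
    mem.w32(SYMBOL, mem.r32(OBJ + 4))     # mov [SAKIAOB],ecx after mov ecx,[ecx+04]
    return resolve(mem, SYMBOL, [0])      # address list needs only [SAKIAOB]

def edit_as_4_bytes(mem, addr, new_int):
    """Overwrite only the low dword, as a '4 Bytes' entry at the double's address would."""
    mem.w32(addr, new_int)
    return mem.rf64(addr)

if __name__ == "__main__":
    m = build()
    print(m.buf[STAT:STAT + 8].hex(" "))              # raw bytes of 130.0
    print([hex(x) for x in dword_views(m, STAT)])     # neither dword reads as 130
    print(hex(store_before_deref(m)), hex(store_after_deref(m)))
    print(edit_as_4_bytes(m, STAT, 131))              # still ~130, not 131
```

Both placements of the store resolve to the same double; only the number of dereferences in the address-list entry differs.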
