How to find static pointers in a process? (hlp)


Aquatic
May 14th, 2004, 00:46
Bear with me...

Say you wanted to always resolve the location for '# of lives' in your game.

You could do a function:

'Location held by static pointer' +/- distance to lives value.


Now this works because even though the locations of values are dynamically allocated at runtime, the relative distance between them remains the same. So whatever the distance between 'location held by static pointer' and your value is in one instance of live memory, that distance will be the same at the next runtime.

This does not work in dynamic pointers of course, because the location held by a dynamic pointer will change at each runtime. i.e (esi+4) (There is usually a register involved with dynamic pointers).

The beauty of static pointers is that you can use any one, you just need to add the distance between the location it holds and your value. Then if you wanted to resolve a second value, you can just use that same static pointer.

The problem is, how do you locate a static pointer's location in memory? 99% of values that you BP on in memory will be generated by dynamic pointers which are useless.

Static pointers are the only true non-dynamic part of live memory. (The only thing that has a predictable location.)



Quote:

if you find the correct STATIC BASE POINTER, its location never changes. the STATIC BASE POINTER (SBP) holds the address for the DYNAMIC BASE POINTER (DBP) which does change at run time. so, the SBP holds the hex in four bytes which points to the DBP which is the base pointer for the addresses in the code. for instance a line in the code might be MOV EAX, (EBP+0x09). if you did a breakpoint on an address (let's say the address which holds the field of view (zoom) is 4E5170A) and the code keeps showing code which references (EBP+0x09) then you know that you take the address which holds the zoom (4E5170A) and subtract the 0x09 from it which will give you the EBP address (4E51701) which would be the same as the DBP above. convert the address 4E51701 to decimal (let's just say that it is 21764521, although i don't have a converter handy). then you clear tsearch and then do a new search looking for a type LONG and value 21764521. this will show you the address which is the SBP which never changes. sometimes you will get several addresses that point to the DBP when you do that search. you have to look at them and sometimes test with different maps or different numbers of players in COOP or whatever and see which one really points to the actual address you are looking for.

after you know the SBP, then you work backwards. from within your trainer you:

1 do a LONG read of memory at the SBP address which will give you the DBP
2 add the offset that is in the code back (which in this case is 0x09)
3 this is the dynamic address holding the field of view. poke to it and:
4 change the field of view (poke using FLOAT, which is also four bytes)

hope this helps-


http://216.239.53.104/search?q=cache:wPZuqcARiUAJ:www.mpcheatz.de/mpc/forum/showthread/t-35738.html+%22static+pointer%22+trainer&hl=en


You guys understand what I am talking about now?

(Isn't there always at least one 'Global Static Base Pointer'?)


So, what is a quick way to locate these static pointers?

JMI
May 14th, 2004, 01:20
Gosh. There's something vaguely familiar about the contents of this post. Seems I've read it somewhere else very recently. Deja vu all over again. Hope you get more help here.

Regards,

Aquatic
May 14th, 2004, 01:44
Quote:
[Originally Posted by JMI]Gosh. There's something vaguely familiar about the contents of this post. Seems I've read it somewhere else very recently. Deja vu all over again. Hope you get more help here.

Regards,


me too. I deleted the old thread.

SysCall
May 14th, 2004, 01:53
Well if you have read the appropriate MPC threads regarding 'private hacks', DMA whatever you would have known that TSearch is your tool of trade.

There are lots of tutorials how to do that (no need to reiterate here).

Regards

Aquatic
May 14th, 2004, 01:58
Quote:
[Originally Posted by SysCall]Well if you have read the appropriate MPC threads regarding 'private hacks', DMA whatever you would have known that TSearch is your tool of trade.

There are lots of tutorials how to do that (no need to reiterate here).

Regards


Guh. You have to register to use their search function.

If you mean Eedock's tut, well that is a rubbish tut cause the game he uses has no dynamic pointers anyway. So dynamic pointers aren't even dealt with.

JMI
May 14th, 2004, 02:08
SysCall:

Don't you think the "attitude" of your post was more than a little condescending for someone who only started posting here three days ago?

Regards,

Aquatic
May 14th, 2004, 02:11
Quote:
[Originally Posted by JMI]SysCall:

Don't you think the "attitude" of your post was more than a little condescending for someone who only started posting here three days ago?

Regards,


Yeah, lol.

But let's not de-rail this thread.

JMI
May 14th, 2004, 02:13
No de-railment intended, but it IS my job to help maintain the sensibilities around here and it's a function I intend to carry out.

Regards,

Fake51
May 14th, 2004, 07:38
You're rather confusing here ... you seem to be mixing up static and dynamic pointers quite a bit.

Here's the thing: if a given variable resides at a dynamically allocated place, there's no way to know where that will be (unless you fire your executable up several times in a row under win9x, in which case there is quite a chance that windows will respond each time with the same memory places allocated). Now, as for the relation between static pointers and dynamic pointers ... there is NONE. Not if you consider both pointers to point to places in data. However, the text you quoted seems to me to be about something else:
It looks as if the static pointer is actually a pointer to a place in the code, where the SAME variable is referred to. That place in the code will always refer to the same variable, and can therefore be used as a point of departure - since, by normal programmer praxis, the structure of the data array will be the same from time, for expediency.

Have you understood this? You see, I just don't get your reply:


Quote:
The problem is, how do you locate a static pointer's location in memory? 99% of values that you BP on in memory will be generated by dynamic pointers which are useless.

If you BP on the memory that holds the variable, and you get to a place in the code that is responsible for changing the variable, you can then check if it changes that and only that location. If it does, lo and behold, there's your static pointer.



Quote:
Static pointers are the only true non-dynamic part of live memory. (The only thing that has a predictable location.)

Yes, but because they are part of the code, not because they are pointers in any normal fashion.

Fake

EDIT: ramble ramble ramble. Are you in any way referring to apps/games that always allocate memory in the same place every time? By way of virtualalloc, say. Then just break on the calls to the alloc functions. I still don't see any use of this, though. Much better to break on a part in the code that you know does the dirty work, and just get the address from there.

dELTA
May 14th, 2004, 10:32
Aquatic, isn't this practically the exact same thing you asked in a thread here some months ago? We were discussing following the pointer chain backward then too...

Anyway, I think you need to be a little more specific, but if you want to just know if a pointer at a certain memory address is in static or dynamic memory, I guess you could simply look if the pointer is located inside the memory range of a PE section or not. If it is, it is static, otherwise it is dynamic. If it is on the stack, it can be considered somewhere in between, also depending on how deep on the stack it is etc...
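To tie the quoted SBP/DBP recipe and dELTA's PE-section test together, here is an added example (not code from this thread, TSearch or any game) that runs the same steps over a constructed in-memory image: scan for every LONG equal to the DBP, keep only the hits that fall inside a module section, then read the pointer and add the code's offset. The section ranges, heap address, 0x0C field-of-view offset and the 90.0 value are all assumptions.

```python
import struct
# Constructed toy memory image of a 32-bit little-endian process; every
# address and offset below is an assumption, not a value from any real game.
DATA_SECTION = (0x00403000, 0x1000)   # (virtual address, size) of the module's .data section
HEAP_BASE = 0x04E51000                # a dynamically allocated region
DBP = HEAP_BASE + 0x700               # dynamic base pointer: the object's address for this run
SBP = DATA_SECTION[0] + 0x40          # static base pointer: sits in .data and holds DBP
FOV_OFFSET = 0x0C                     # the field-of-view float lives at [DBP] + 0x0C

class Memory:                         # a few mapped regions standing in for the address space
    def __init__(self, regions):
        self.regions = regions        # list of (base address, bytearray)

    def _locate(self, addr, n):
        for base, buf in self.regions:
            if base <= addr and addr + n <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped address {addr:#010x}")

    def read(self, addr, fmt):        # fmt "<I" reads a LONG, "<f" a FLOAT
        buf, off = self._locate(addr, struct.calcsize(fmt))
        return struct.unpack_from(fmt, buf, off)[0]

    def write(self, addr, fmt, value):
        buf, off = self._locate(addr, struct.calcsize(fmt))
        struct.pack_into(fmt, buf, off, value)

    def scan_u32(self, value):        # the "search for a LONG equal to the DBP" step
        pat = struct.pack("<I", value)
        return [base + off for base, buf in self.regions
                for off in range(0, len(buf) - 3, 4) if buf[off:off + 4] == pat]

def is_static(addr, sections=(DATA_SECTION,)):
    """dELTA's test: inside a PE section range means static, anywhere else means dynamic."""
    return any(va <= addr < va + size for va, size in sections)

def find_static_base_pointers(mem, dbp):
    """Pointer-scan hits that survive the static test are the candidate SBPs."""
    return [a for a in mem.scan_u32(dbp) if is_static(a)]

def resolve(mem, sbp, offset):
    """Steps 1 and 2 of the quoted recipe: read the DBP through the SBP, then add the offset."""
    return mem.read(sbp, "<I") + offset

def build_image():
    mem = Memory([(DATA_SECTION[0], bytearray(DATA_SECTION[1])), (HEAP_BASE, bytearray(0x1000))])
    mem.write(SBP, "<I", DBP)                 # the real static pointer
    mem.write(HEAP_BASE + 0x80, "<I", DBP)    # a stray heap copy: same value, but dynamic
    mem.write(DBP + FOV_OFFSET, "<f", 90.0)   # the field-of-view value itself
    return mem
```

The raw scan returns two hits (the .data pointer and the stray heap copy); the section test is what separates the one that survives a restart from the one that does not.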

SysCall
May 14th, 2004, 13:42
Quote:
Guh. You have to register to use their search function.


Are we talking about the same tool?
I used TSearch 1.6b some time ago (from http://membres.lycos.fr/tsearch/) which has no limitation I am aware of (though I never used it extensively).
I preferred attaching ollydbg to the running process or injecting helper dlls fixing up some stuff.

Quote:

If you mean Eedock's tut, well that is a rubbish tut cause the game he uses has no dynamic pointers anyway. So dynamic pointer aren't even dealt with.


Dunno who that guy is. Just check the BF1942 and BFV subforums there is lots of stuff/tutorials posted on this topic (dynamic/static pointers).

Almost everything in this multiplayer game has been hacked.
I bet there are 100s of private hacks around which have been built from the knowledge exposed in these threads.

The accompanying PB provides no protection at all.
I explained some of the inner workings in some threads just search for it.

Regards

Quote:
Don't you think the "attitude" of your post was more than a little condescending for someone who only started posting here three days ago?


No offense meant. Yes maybe ... sometimes I get a bit angry when questions get asked 1000 times.
There is much stuff around that topic in MPC subforums .. one only has to use search function.

dELTA
May 15th, 2004, 08:18
Quote:
The accompanying PB provides no protection at all.
I explained some of the inner workings in some threads just search for it

Your name over at that board isn't SysCall, is it? I searched for it, and didn't get any hits. Also, when searching for just "punk buster" and similar I got too many unrelated hits to be able to find any juicy ones. I've been a bit curious about it before, and exactly what it does, so if you have some good technical info about its internals, could you post some links to it here?

Aquatic
May 15th, 2004, 13:53
I guess there is no simple answer to my question.

So let me try and get everyone on the same wavelength here.

Let's go on a journey...


1. Search for value in game.

2. BP on it.

3. Find the pointer that points to the value. (holds the value's location).

4. restart game.

5. Go to the addy where the pointer was before. (It's the same pointer, but wait the memory location that it holds (points to), doesn't hold your value anymore). So it's a dynamic pointer. Now, if it were a static pointer, then the location it points to would always hold your value.

However, say you found a static pointer that has nothing to do with your value, ... well that's ok too, because all you need to know is the distance between your value and that of the value held at the location that this arbitrary static pointer points to.


...Up to this point I haven't even had to look at the asm code, all the above has to do with live memory locations. (Artmoney can do step 3 automatically for you.)


Why the hell am I asking this? Well think about it. Most trainers use the crude method of having to patch the asm code in order to defeat dynamic values, this requires way more work than is necessary, and also it prevents you from altering client-side values whilst online. Oh man, don't you guys get it? My theory would allow you to manipulate client-side values without the server disconnecting you for patching the game's raw asm.

*laughs hysterically as head explodes*

SysCall
May 15th, 2004, 15:06
Quote:
Your name over at that board isn't SysCall, is it?


Yes, I never use the same nick/handle for different message boards/forums.
It's better to keep low noise.

Posting deep links to threads is not a good idea ... just search for punkbuster screenshot, console hack, code cave parts whatever.

Regards

Fake51
May 15th, 2004, 16:03
Quote:
[Originally Posted by Aquatic]I guess there is no simple answer to my question.

So let me try and get everyone on the same wavelength here.

Let's go on a journey...


1. Search for value in game.

2. BP on it.

3. Find the pointer that points to the value. (holds the value's location).

4. restart game.

5. Go to the addy where the pointer was before. (It's the same pointer, but wait the memory location that it holds (points to), doesn't hold your value anymore). So it's a dynamic pointer. Now, if it were a static pointer, then the location it points to would always hold your value.

However, say you found a static pointer that has nothing to do with your value, ... well that's ok too, because all you need to know is the distance between your value and that of the value held at the location that this arbitrary static pointer points to.


...Up to this point I haven't even had to look at the asm code, all the above has to do with live memory locations. (Artmoney can do step 3 automatically for you.)


Why the hell am I asking this? Well think about it. Most trainers use the crude method of having to patch the asm code in order to defeat dynamic values, this requires way more work than is necessary, and also it prevents you from altering client-side values whilst online. Oh man, don't you guys get it? My theory would allow you to manipulate client-side values without the server disconnecting you for patching the game's raw asm.

*laughs hysterically as head explodes*


Here's where the chain snaps for me:
You find your dynamic pointer (a variable, that changes, since the memory place changes)
You find your static pointer (which is, mysteriously, always the same, quite possibly because it's in the .data section)
The range between the two will be ... dynamic.

Hence, the only thing to do is to find the code that references the dynamic pointer, and grab the pointer from there.

If this is not what you're looking for, please do be more specific ... and logical.

Fake