locating static pointers to dynamic sections in memory - help?


dzCepheus
May 23rd, 2006, 21:47
Hi all. First post - please be gentle! :P

I've been searching on this for... about two weeks. I'm probably using the wrong search terms, or whatever, but it's getting frustrating. So I figured I'd break down and actually ask for advice.

Here's what I'm trying to do. I'm working on a program to read the memory of a game process. Now, static values I'm having no problem with - things that don't change between instances of the process - but what I am having trouble with are things that *do* change.

I'll try to explain what I'm looking for without being too specific (as per the rules of the site) -- basically, this game has many things that are 'targetable', and what I'm trying to get at is a list of all the targetable things in the area. I'm basically trying to read this list so I can display the information contained in it to the user.

Can anyone help? Maybe offer pointers (heh) to what I need to search for, or where to search for it -- or how? Or maybe, if someone is so inclined, walk me through something similar? I'm a quick study, but I need a place to start.

Thanks.

Aquatic
May 25th, 2006, 17:33
The best option is probably the Cheat Engine pointer scanner, it basically maps out a pointer path from your value to a static pointer.

http://www.cheatengine.org

Also, check out the Cheat Engine weekly compiles here: http://www.cheatengine.org/weeklycompile/
It's not updated every week, but often enough. The latest version there has some big improvements to the pointer scanner.

The pointer scanner is found in Cheat Engine by clicking the "Memory view" button, and then "Tools", and then "Pointer scan".

Aquatic
May 25th, 2006, 18:14
I'm not really sure, but I think you're talking about locating a block of values in RAM, like a structure. Well to locate a block of values you will still probably need a static pointer anyway.

All the values in the structure will probably always remain in the same order.

dzCepheus
May 26th, 2006, 12:46
That is what I'm looking for - a pointer to a struct, but the struct's position in memory changes with each instance of the game.

Thanks everyone for your help with this - I feel I'm very close to finding what I need.

dzCepheus
May 26th, 2006, 13:08
Since the message board was acting up, a lot of really good replies to my initial post were lost, and since I still have all the replies in my inbox, I figured I'd drop them in here to help anyone else who's having similar problems to mine.


Quote:
[Originally Posted by "disavowed"]
Sounds like your targets are living in the heap. I don't think there's a simple way to do this (without hooking heap functions or the functions that use your targets, etc.).



Quote:
[Originally Posted by "goggles99"]
What you need to do after you have located your target value (health, bullets, etc.) is breakpoint that memory location in a debugger. Once your debugger breaks, you have found code that reads or writes to that value; trace backwards into the program's assembly until you see a static pointer being read.
EX: mov eax, dword ptr [45E66C3]
This is your base pointer. Since it is in a static location, you can always read it and mimic what the game did to eventually find the final value.

Look for a program called StructBuild on mpcforums or unknowncheats.

The aforementioned way is the best way to accomplish this, as it does not modify any game code or memory values.
Another way exists that is easier, but it is not as elegant (and can be detected by anti-cheat software). It involves writing some assembly code into the executable code location right before the memory is being read or written. The assembly code is just a jump to a "code cave" that must also be injected into the program. In this cave, you should duplicate the op-codes overwritten by the jump, and write the value (which should be in a register) to a static location in memory.
This is basically a code-injected hook. If you have injected a DLL into the process, you can just hook the location directly and store the value in a pre-defined variable in your DLL. Just be sure to preserve the stack and registers before returning to the game code (best accomplished by using inline asm). Search on mpcforums for "stealing dma" for tutorials on this second method.



Quote:
[Originally Posted by "autarky"]
I've used a German tool called MemHack that is designed for this kind of thing (provided variables aren't obfuscated in memory). You can use it to repeatedly scan through a process's memory space for specific values (filtering the results as you go), till you find what looks to be the variable you're looking for. A faster version of the needle-in-a-haystack method.



Quote:
[Originally Posted by "goggles99"]
Here is the StructBuild program. It is by DrUnKeN ChEeTaH.

It's not much use unless you know what you are doing though... If you do, it can be VERY USEFUL.

It also has a mem-searcher that is the fastest I have ever seen...
--- I'll re-attach this program as soon as I'm back on my old computer.


Quote:
[Originally Posted by "dELTA"]
This:

http://www.woodmann.com/forum/showthread.php?t=5450

and this:

http://www.woodmann.com/forum/showthread.php?t=5908

might be of some help.



Thank you all again for your replies - they've been most helpful.
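Editor's added example (not code from the thread, from Cheat Engine or from StructBuild), to make two of the replies above concrete: Aquatic's suggestion of a pointer scan that maps a path from a heap value back to a static pointer, and goggles99's advice to find the static base the game reads and then "mimic what the game did" through the chain. It works on a constructed snapshot of a 32-bit little-endian process rather than a live game, so it runs offline: `read_bytes` stands in for ReadProcessMemory, and the static address 0x0045E6C0, the 0x1C/0x4/0x8 offsets, the entity struct fields and the names are all invented for illustration, not the layout of any real game.

```python
"""Follow a static->heap pointer chain and run a minimal pointer scan over a
constructed 32-bit little-endian memory snapshot (added example, not from the
thread; every address, offset and struct field below is invented)."""
import struct

STATIC_WORLD_PTR = 0x0045E6C0      # hypothetical static dword in the image's .data
STATIC_RANGE = (0x0045E000, 0x0045F000)


def build_snapshot(heap_base):
    """Model one run of the game as {region_start: bytearray}. The static
    region never moves; the world object, target list and entity structs live
    in the heap and move with heap_base, the situation the thread describes."""
    world = heap_base                      # world object, reached via the static ptr
    tlist = heap_base + 0x1000             # target-list header: count, array ptr
    array = heap_base + 0x1100             # array of entity pointers
    ents = [heap_base + 0x2000 + i * 0x80 for i in range(3)]
    mem = {STATIC_RANGE[0]: bytearray(0x1000), heap_base: bytearray(0x3000)}

    def w32(addr, val):
        start = next(s for s, b in mem.items() if s <= addr < s + len(b))
        struct.pack_into("<I", mem[start], addr - start, val)

    w32(STATIC_WORLD_PTR, world)           # the only static pointer
    w32(world + 0x1C, tlist)
    w32(tlist + 0x0, len(ents))
    w32(tlist + 0x4, array)
    for i, (e, name) in enumerate(zip(ents, [b"Goblin", b"Wolf", b"Merchant"])):
        w32(array + 4 * i, e)
        w32(e + 0x0, 100 + i)              # entity id
        w32(e + 0x4, 25 * (i + 1))         # entity health
        mem[heap_base][e + 8 - heap_base:e + 24 - heap_base] = name.ljust(16, b"\0")
    return mem


def read_bytes(mem, addr, n):
    """Like ReadProcessMemory: None if any byte of [addr, addr+n) is unmapped."""
    for start, buf in mem.items():
        if start <= addr and addr + n <= start + len(buf):
            return bytes(buf[addr - start:addr - start + n])
    return None


def read_u32(mem, addr):
    raw = read_bytes(mem, addr, 4)
    return None if raw is None else struct.unpack("<I", raw)[0]


def resolve_chain(mem, base, offsets):
    """Mimic the game's code: v = [base]; v = [v + o] for every offset but the
    last; the result is v + last offset (Cheat Engine's convention). Returns
    None as soon as a read fails, e.g. before the game has built the list."""
    addr = read_u32(mem, base)
    for off in offsets[:-1]:
        if addr is None:
            return None
        addr = read_u32(mem, addr + off)
    if addr is None:
        return None
    return addr + (offsets[-1] if offsets else 0)


def enumerate_targets(mem):
    """Walk the target list from the static base; return [(id, hp, name)]."""
    tlist = resolve_chain(mem, STATIC_WORLD_PTR, [0x1C, 0x0])
    count = read_u32(mem, tlist) if tlist is not None else None
    array = read_u32(mem, tlist + 4) if tlist is not None else None
    if count is None or array is None:
        return []
    out = []
    for i in range(count):
        e = read_u32(mem, array + 4 * i)
        if e is None:
            break
        name = read_bytes(mem, e + 8, 16) or b""
        out.append((read_u32(mem, e), read_u32(mem, e + 4),
                    name.split(b"\0", 1)[0].decode()))
    return out


def pointer_scan(mem, target, max_depth=4, max_offset=0x200):
    """Reverse search in the spirit of Cheat Engine's pointer scanner: find every
    aligned dword whose value lies at most max_offset below `target`, then repeat
    for the address of each such dword until one sits in the static range.
    Returns (base, offsets) chains that resolve_chain() maps back to target."""
    found = []

    def search(want, tail, depth):
        for start, buf in mem.items():
            for i in range(0, len(buf) - 3, 4):
                val = struct.unpack_from("<I", buf, i)[0]
                if not want - max_offset <= val <= want:
                    continue
                addr, chain = start + i, [want - val] + tail
                if STATIC_RANGE[0] <= addr < STATIC_RANGE[1]:
                    found.append((addr, chain))
                elif depth > 1:
                    search(addr, chain, depth - 1)

    search(target, [], max_depth)
    return found
```

Usage: build one snapshot with `build_snapshot(0x00A20000)`, find the target-list header with `resolve_chain`, and hand its address to `pointer_scan`; it comes back with the single chain `(0x0045E6C0, [0x1C, 0])`. Then build a second snapshot with a different heap base (the "new instance of the game" from the original question): the heap addresses all change, but `resolve_chain` with the same static base and offsets lands on the new list and `enumerate_targets` returns the same three entities. The two caveats a real trainer has to handle are visible in the code: every read can fail (the game may not have built the structure yet, or the pointer may be stale mid-frame), so `None` propagates instead of crashing; and a scan over a real process finds many spurious chains whose dwords merely happen to fall in the offset window, which is why Cheat Engine rescans after a restart and keeps only the chains that still resolve.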