Another annoying problem.
dzCepheus
May 26th, 2006, 23:11
This is sort of a continuation of the problem I've been having, but I think it deserves a new thread since the other one has kinda been abused by the forum software. :P
Okay, I've found a static place in memory where my target ID lives, and I've found where in the ASM code the target ID is updated when the target changes. I've even found the dynamic place in memory where the target ID data is coming from. But what I'm unable to find is some kind of base pointer or offset to that dynamic data. I'm trying to find out how that data is being found by the game process.
Here's what I've been doing: Once I found the static memory location for Target ID, I put a breakpoint on it to see where it was written from. Once I found that, I put a breakpoint on the address in ASM where it was being written. That address was something like 'MOV [00xxxxxx], [edi+08]'. So the value of the EDI register, +8, is where the data is.
What I'm having trouble with now is, how can I use this to find the memory location from within another process? Do I need to keep searching for where EDI is set, and if so, how do I do that? I've been looking back through the assembly and I haven't found anything yet that actually sets EDI.
Any tips would be graciously appreciated.

Aquatic
May 27th, 2006, 03:12
For easy code injection, read the following as an example:
MOV [00xxxxxx], [edi+08]
To always find what EDI is, just go into the disassembler of L.Spiro's program, and then right-click the pointer line in the code, in this case "MOV [00xxxxxx], [edi+08]", then click "inject code", and then in this example you would just type the following line of code to be injected:
MOV [00zzzzzz], EDI
Where, for example [00zzzzzz] is a static storage address, an empty address that can be used to store the value of the register. Every process will probably have empty storage addresses available at different locations, they will have to be manually found. I'm just using 00zzzzzz here as an example, so don't use it.
The only line that you have to write in the code injector is:
MOV [00zzzzzz], EDI
The injector automatically finds a code cave, and adds all the required injection-loop-code. When all the code looks ready, you can go ahead and inject it.
Now to find out what [00xxxxxx] is, all you have to do is read the value at 00zzzzzz, and then add 8 to it. The value of EDI will always be written to 00zzzzzz.
There is also the option of allocating memory for the code cave. I don't think that the code cave takes up all the allocated memory, so there should be some empty addresses around it if you are in need of an empty storage address for the register value.
L. Spiro's program: http://www.memoryhacking.com/
dzCepheus
May 27th, 2006, 03:26
Well, what I'm really looking for is some type of list where all the targetables in the area are stored in memory. What that will give me is only the ID of the creature targeted - which I can already get.
goggles99
May 27th, 2006, 05:56
You are on the right track dzCepheus...
You must find out where that EDI register is being populated with your value.
Try the "execute till return" and step out of the call you are in. Set a BP on that call you were just in and F9. See if the EDI value has already been set before that call. If so, repeat until you can find a place far enough back to where it hasn't been set. Place a BP there, and on the location it is being written to memory. Make sure your trace options are set to mark registers that have been modified. (I assume that you are using OllyDbg).
Trace from the "Upper" BP to the "Lower" and scroll up in the trace window. You can highlight any of the "Modified Registers" EDI in your case to help you find where EDI was modified.
If you can trace back enough, you will find your static pointer (Probably multiple levels).
You can read your memory value by mimicking what the game did with the static pointer either from inside the process via an injected DLL, or outside the process using ReadProcessMemory.
The CheatEngine Pointer Search can be useful as a possible alternative (Get the weekly build), but I have found that it is often not reliable. The method I have mentioned may take a bit longer, but it has always worked for me.

dzCepheus
May 27th, 2006, 14:58
Thanks Goggles, I'll give that a try as soon as this thunderstorm passes... :P
dzCepheus
June 2nd, 2006, 22:36
This is getting more and more frustrating as I go through it. *ugh* I just don't *know* enough yet to be able to do this, and yet I can't stop trying!
I've been trying a different approach recently - specifically, I'm trying to find the memory location as it's being filled by the zone loading code. I've found the spot where (I think) the entities are being loaded into the zone, but I don't understand how it works.
I have a (very) basic knowledge of ASM, so I can kinda follow it - I know what the various opcodes do, the purpose of registers, the stack, etc. - but this is totally defeating me.

And I hate feeling like a moron... Lol
I hate to ask this (I don't know if this is a faux pas or not), but is there any way someone might be willing to tutor me with this? I'm willing to provide compensation for the teaching, and for any expenses that might be incurred during the process.
dELTA
June 3rd, 2006, 17:17
dzCepheus, maybe this seemingly quite advanced tool for different kinds of memory hacking might be of any interest/help for your project?
http://www.woodmann.com/forum/showthread.php?t=7883
dzCepheus
June 3rd, 2006, 17:21
I have used MHS - I quite like it actually. It hasn't been much help yet but that likely stems from my extremely limited knowledge (I just started getting into this a few weeks ago) rather than any limitation in the software. Thanks for the post though.
Pretty soon I'll be diving in to the Intel docs, and I probably won't be coming up for air any time soon... :P Hopefully once I've stuffed as much as I can in my head I'll be better able to understand what I'm supposed to be doing.
dzCepheus
June 3rd, 2006, 17:24
I also wanted to add that despite my own failings here, you guys have all been exceptionally helpful and friendly, and I do appreciate that.

When I finally become a famous cracker (snicker) I won't forget it.

dzCepheus
June 13th, 2006, 21:09
Can anyone help me? As I said before, I am willing to provide compensation to anyone who can tutor me in this.
Thanks everyone.

Woodmann
June 13th, 2006, 22:35
Howdy,
I don't want to seem like a prick but, you have been given some great tips to follow yet, you have come back with nothing.
If your target is too difficult, start at a lower level to gain a better understanding of the "flow".
How much are you willing to pay to have someone else figure out your problem ?
If you agree to pay, how will you know that the information you receive will be correct ?
Your target will determine the price.
I can also tell you that whatever you have has already been defeated. (OK so some cannot/have not been defeated yet).
What say you ?
Woodmann
Aquatic
June 14th, 2006, 13:57
I posted how to always get EDI using the code injector in MHS, and it will also generate the opcodes that you can paste into your own trainer.
Get your trainer to poke those opcodes into the game, you can then readprocessmemory/writeprocessmemory the value at the address EDI+8, (you'll first have to readprocessmemory the address held by EDI from the storage address). Then you can not only resolve that value at EDI+8 but also all the other values in that structure too since all values in a structure should remain in relative positions to each other. Like if EDI+8=ammo, and defense is 2 addresses after ammo, then you should always be able to get defense by doing EDI+10
In the MHS injector you should probably find an address to store EDI manually because I don't know if there are opcodes generated when using allocation that allow your external trainer to use allocation too. So probably don't use allocation in MHS in this situation.
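Both goggles99's suggestion (mimic the game's static pointer from outside the process with ReadProcessMemory) and Aquatic's description (read the address held by EDI from a storage slot, then read EDI+8 and the neighbouring fields of the same structure) come down to the same operation: walk a pointer chain from a static address and then read a field at a fixed offset. The C below is an added example, not code from this thread or from MHS. It runs entirely over a constructed in-memory stand-in for a 32-bit process, so every address (the static slot standing in for 00xxxxxx/00zzzzzz, the object address, the field values 1234 and 77) is made up; `read_target` is the single function a real tool would replace with ReadProcessMemory. It also shows the case the thread is worried about: when the static slot holds NULL (object freed, zone unloaded) the resolver reports failure instead of returning a value read from address 8.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a 32-bit game's address space: a small buffer that
 * we pretend is mapped at SIM_BASE. For a live process this read function is
 * the one piece you swap out (ReadProcessMemory on Windows). Nothing here is
 * the thread's real target; every address and value is made up. */
#define SIM_BASE 0x00400000u
#define SIM_SIZE 0x1000u
static uint8_t sim_mem[SIM_SIZE];

/* Bounds-checked read; returns 1 on success, 0 if the range is "unmapped". */
static int read_target(uint32_t addr, void *out, size_t len)
{
    if (addr < SIM_BASE || len > SIM_SIZE || addr - SIM_BASE > SIM_SIZE - len)
        return 0;
    memcpy(out, sim_mem + (addr - SIM_BASE), len);
    return 1;
}

/* Test-fixture writer for the simulated memory (not part of the technique). */
static void poke_u32(uint32_t addr, uint32_t value)
{
    memcpy(sim_mem + (addr - SIM_BASE), &value, sizeof value);
}

/* Hypothetical addresses, standing in for the thread's 00xxxxxx / 00zzzzzz. */
#define STATIC_PTR    0x00400010u  /* static slot holding the "EDI" object address */
#define OBJECT_ADDR   0x00400200u  /* where that object happens to live this run */
#define OFF_TARGET_ID 0x08u        /* [edi+08] from the original MOV */
#define OFF_DEFENSE   0x10u        /* a field two dwords later, as in the EDI+10 example */

/* Lay out the sample: static slot -> object; object has fields at +8 and +0x10. */
void build_sample_memory(void)
{
    memset(sim_mem, 0, sizeof sim_mem);
    poke_u32(STATIC_PTR, OBJECT_ADDR);
    poke_u32(OBJECT_ADDR + OFF_TARGET_ID, 1234);
    poke_u32(OBJECT_ADDR + OFF_DEFENSE, 77);
}

/* Walk a pointer chain: dereference static_addr, add offsets[0], dereference
 * again, add offsets[1], ... The final sum is returned as an address (the
 * field's location), not dereferenced. Returns 0 if any hop reads an
 * unmapped address or a NULL pointer, so callers never read from "0 + 8". */
uint32_t resolve_chain(uint32_t static_addr, const uint32_t *offsets, size_t n)
{
    uint32_t ptr = static_addr;
    for (size_t i = 0; i < n; i++) {
        uint32_t next;
        if (!read_target(ptr, &next, sizeof next) || next == 0)
            return 0;
        ptr = next + offsets[i];
    }
    return ptr;
}

/* Resolve the chain and read the 32-bit value at its end; 1 on success. */
int read_chain_u32(uint32_t static_addr, const uint32_t *offsets, size_t n,
                   uint32_t *out)
{
    uint32_t addr = resolve_chain(static_addr, offsets, n);
    return addr != 0 && read_target(addr, out, sizeof *out);
}

int main(void)
{
    build_sample_memory();
    uint32_t id_chain[] = { OFF_TARGET_ID };
    uint32_t def_chain[] = { OFF_DEFENSE };
    uint32_t id = 0, def = 0;
    if (read_chain_u32(STATIC_PTR, id_chain, 1, &id))
        printf("target id at [edi+08] = %u\n", id);
    if (read_chain_u32(STATIC_PTR, def_chain, 1, &def))
        printf("defense at [edi+10] = %u\n", def);
    /* Same chain after the object is gone: the slot reads NULL, so the walk
     * fails cleanly instead of returning whatever sits at a bogus address. */
    poke_u32(STATIC_PTR, 0);
    printf("after free: %s\n",
           read_chain_u32(STATIC_PTR, id_chain, 1, &id) ? "readable" : "unresolved");
    return 0;
}
```

A multi-level chain (goggles99's "probably multiple levels") is the same call with more offsets: each entry is applied after one dereference, and only the last one is left as the field offset. The NULL and bounds checks matter more than they look: a trainer that reads EDI+8 blindly will happily return garbage from address 8 after a zone change, and an injected stub that writes EDI to a hand-picked "empty" slot has the same problem if that slot is not really unused.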
L. Spiro
June 18th, 2006, 00:22
Hello dzCepheus, and sorry for the late reply.
I also take responsibility for difficulties in using my software. One thing it has needed for a very long time is a help file, and not the old outdated PDF on the site.
This is a bit pre-emptive since it is not done, but I have been working hard over the last two weeks on this:
hXXp://www.memoryhacking.com/MemHack/Memory%20Hacking%20Software%20Help.rar
It’s not done, but you should still find it useful.
For your problem here, you may want to look into the help file at the topic covering Pointer Searches.
Aside from just explaining the tool, it also explains some details with general RAM and how pointers and structures work together.
There is an “About Pointers” link in that section, but unfortunately I haven’t yet had the time to write that page, so that link is dead. Most of the other pages work fine though.
This was planned for release with the next version of Memory Hacking Software, but it may help you a bit with looking for pointers, and also with what to do after that (injections), so I am posting a private link.
Hope it can help.
L. Spiro