Moopler

Crusax

How do you guys find the memory addresses?
So I'm a junior developer and have always wondered how you guys find the memory addresses. I did some Java reflection in the past (that stuff wasn't that hard). But I'm really at a dead end on how to search for the correct memory addresses.

I would really love to create my own scripts and share them with you guys if I find something interesting. I did some reverse engineering in the past (used OllyDBG and IDA, but I don't really understand these programs).

So I hope someone can help me in the right direction on how to find correct memory addresses.

Thanks!

For more simple games, addresses to cheat with health and stuff are simple to get. You scan for a value and rescan on the inc/dec, etc. The result will (probably) be a dynamic address that points to the value. Afterwards you do a pointer scan, or backtrace it to the static address that writes to the dynamic address in memory. The place where that address is will (most likely) be the function that handles, in this example, health.

For MapleStory, the two most used methods are to either reverse code from the pdb, or backtrace the return address of a packet. Both of these methods are very powerful, but one of them has a limit. Backtracing the return address of a packet is limited to whether that function has SEH, Structured Exception Handling. Most of the functions in MapleStory use SEH, so this isn't much of a problem. On the other hand, being able to reverse code from the pdb will always be the ultimate tool; how far you can get with this entirely depends on your knowledge. Limits can be complex code that you cannot understand, or in the worst case, mutated code. (Some people are leet and can actually read mutated code and reverse it.)

I would recommend that you start off with the basics of ASM and C, how different calling conventions work in Windows, etc. This will be useful for understanding the parameters functions can take and how they work on the stack. From there you should just try to expand your knowledge on your own by trial and error. Though a good place to look for help if you are stuck with a complex problem would be tuts4you.com.


Thanks man!

I will do what you recommended (will take a long time...) and if I have any questions then I'll return.

Thanks once again.

21 hours ago, Taku said:

For more simple games, addresses to cheat with health and stuff are simple to get. You scan for a value and rescan on the inc/dec, etc. The result will (probably) be a dynamic address that points to the value. Afterwards you do a pointer scan, or backtrace it to the static address that writes to the dynamic address in memory. The place where that address is will (most likely) be the function that handles, in this example, health.

For MapleStory, the two most used methods are to either reverse code from the pdb, or backtrace the return address of a packet. Both of these methods are very powerful, but one of them has a limit. Backtracing the return address of a packet is limited to whether that function has SEH, Structured Exception Handling. Most of the functions in MapleStory use SEH, so this isn't much of a problem. On the other hand, being able to reverse code from the pdb will always be the ultimate tool; how far you can get with this entirely depends on your knowledge. Limits can be complex code that you cannot understand, or in the worst case, mutated code. (Some people are leet and can actually read mutated code and reverse it.)

I would recommend that you start off with the basics of ASM and C, how different calling conventions work in Windows, etc. This will be useful for understanding the parameters functions can take and how they work on the stack. From there you should just try to expand your knowledge on your own by trial and error. Though a good place to look for help if you are stuck with a complex problem would be tuts4you.com.

How does the SEH limit return-address tracing?
