Moopler
maplernothaxor

Discussion Finding Pointers/Offsets

Question

Hey Moopler, newfag here.

 

I was wondering if you guys had any tips on finding pointers/offsets from scratch without any previous AoBs or opcodes to match up. Any resources or methods would be very much appreciated.

 

Much love and happy new year!


5 answers to this question


For starters I'd recommend getting the real names of the pointers and offsets.

On that note I would download MapleStory's PDB file.

Keep in mind you would need to install IDA to use this. The PDB file can be found on RageZone iirc, or maybe someone posted it here; iirc Ezekiel released his, anyways.

Once you have the IDA file running and you know the actual names of the pointers, I would search for them in the PDB and create new AoBs. I can help out if you'd like.

Guest
9 hours ago, maplernothaxor said:

Thanks! I've got the IDA, the PDB leak files and the pointer/offset names I'm interested in.

Could you expand on your last sentence? How do I go about turning these functions into new AoBs? If you still have the files, maybe an example would be nice.

 

Thanks so much for your help!

Depends on where you plan on applying those AoBs. If the client is/isn't optimized compared to the IDB you may run into small issues. It doesn't take much to fix the AoBs for conversion, but it may stall you, as a newcomer, for some time. When making AoBs most tend to filter out the constants in the assembly code.
For example:
[image: 73637.png, disassembly screenshot]
Your AoB could be something like the following: 51 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? 00 8D 4D ?? E8 ?? ?? ?? ?? 8B 55 ?? 52 51 8B CC
Some use other methods, like taking every first opcode on each line; example: 51 ?? ?? ?? E8 ?? ?? ?? ?? C6 ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 52 51 8B ??
Or just on certain registers like ecx, which may keep switching from ecx to ebx every version.

Not to fear, there are also sig-making tools for IDA. Personally I enjoy this:
https://github.com/dude719/SigMaker-x64

Of course you don't have to rely on AoBs at all. There are many ways to navigate towards, or find, functions / offsets / pointers. Following accesses to strings, xrefs, or calls are just a few of the ways; other methods could include frequency patterns.

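Added example (not part of Ezekiel's post): a small Python matcher that compiles the wildcard signature styles discussed above into regexes and runs them over three constructed byte buffers. The x86 fragment, its displacements, call targets and the "later builds" are assumptions made to mirror the shape of the screenshot, so the point shown is which signature style survives which kind of rebuild.

```python
import re

def aob_to_regex(sig: str) -> bytes:
    """Turn 'DE AD ?? EF' into a bytes regex: '??' becomes any single byte."""
    out = []
    for tok in sig.split():
        out.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return b"".join(out)

def find_aob(mem: bytes, sig: str) -> list:
    """Return every offset in mem where the signature matches."""
    return [m.start() for m in re.finditer(aob_to_regex(sig), mem, re.DOTALL)]

def _build(lea1, call1, stk, lea2, call2, mov, lea_modrm=0x4D, movesp_modrm=0xCC):
    # Constructed x86 fragment with the shape of the post's screenshot:
    # push ecx / lea ecx,[ebp+d] / call / mov byte [ebp+d],0 / lea ecx,[ebp+d]
    # / call / mov edx,[ebp+d] / push edx / push ecx / mov ecx,esp
    return bytes([0x51, 0x8D, lea_modrm, lea1, 0xE8, *call1,
                  0xC6, 0x45, stk, 0x00, 0x8D, lea_modrm, lea2, 0xE8, *call2,
                  0x8B, 0x55, mov, 0x52, 0x51, 0x8B, movesp_modrm])

PAD = b"\x90" * 16  # constructed surrounding bytes so the match lands at a non-zero offset
BUILD_A = PAD + _build(0xF4, (0x10, 0x20, 0, 0), 0xFC, 0xF0, (0x30, 0x40, 0, 0), 0xF8) + PAD
# later build: stack displacements and call targets changed, registers unchanged
BUILD_B = PAD + _build(0xEC, (0x55, 0x21, 0, 0), 0xF7, 0xE8, (0x77, 0x41, 0, 0), 0xF3) + PAD
# later build: compiler also moved ecx -> ebx (modrm 4D -> 5D, CC -> DC)
BUILD_C = PAD + _build(0xEC, (0x55, 0x21, 0, 0), 0xF7, 0xE8, (0x77, 0x41, 0, 0), 0xF3, 0x5D, 0xDC) + PAD

LITERAL = "51 8D 4D F4 E8 10 20 00 00 C6 45 FC 00 8D 4D F0 E8 30 40 00 00 8B 55 F8 52 51 8B CC"
NO_CONSTS = "51 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? 00 8D 4D ?? E8 ?? ?? ?? ?? 8B 55 ?? 52 51 8B CC"
FIRST_OPCODE = "51 ?? ?? ?? E8 ?? ?? ?? ?? C6 ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 52 51 8B ??"

def compare() -> dict:
    """For each signature style: does it hit in build A, B and C?"""
    return {name: [bool(find_aob(b, sig)) for b in (BUILD_A, BUILD_B, BUILD_C)]
            for name, sig in (("literal", LITERAL), ("no_consts", NO_CONSTS),
                              ("first_opcode", FIRST_OPCODE))}
```

The literal bytes only match the build they were taken from, stripping constants survives changed displacements, and the first-opcode style also survives the register swap, at the cost of being far less specific.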
On 1/7/2018 at 04:05, Ezekiel said:

Depends on where you plan on applying those AoBs. If the client is/isn't optimized compared to the IDB you may run into small issues. It doesn't take much to fix the AoBs for conversion, but it may stall you, as a newcomer, for some time. When making AoBs most tend to filter out the constants in the assembly code.
For example:
[image: 73637.png, disassembly screenshot]
Your AoB could be something like the following: 51 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? 00 8D 4D ?? E8 ?? ?? ?? ?? 8B 55 ?? 52 51 8B CC
Some use other methods, like taking every first opcode on each line; example: 51 ?? ?? ?? E8 ?? ?? ?? ?? C6 ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 52 51 8B ??
Or just on certain registers like ecx, which may keep switching from ecx to ebx every version.

Not to fear, there are also sig-making tools for IDA. Personally I enjoy this:
https://github.com/dude719/SigMaker-x64

Of course you don't have to rely on AoBs at all. There are many ways to navigate towards, or find, functions / offsets / pointers. Following accesses to strings, xrefs, or calls are just a few of the ways; other methods could include frequency patterns.

Thanks for the clear explanation. I've been messing around with the IDB files and it seems the AoBs are different from current clients for some functions (tried both methods, first opcode and removing constants). Is this due to the structure of the assembly code for the function having changed between the leak and the current client? Either way, should I keep pursuing AoBs as a method of locating functions, or could you perhaps expand on the last few methods mentioned?

Once again, many thanks for putting up with me.


As it seems to me you are new to this and you want to learn, downloading the already available leaks, copying the names and creating an AoB with the plugin provided won't teach you anything.

Let's start by clarifying: what you are looking for is a structure base and the "variable" inside it.

	struct tChar {
		int hp;  // << Offset
		int mp;  // << Offset
	};
	tChar MainChar;  // << Base pointer


 

You are looking for an allocated memory location for the structure that has been created (base pointer) and you want to read/edit something in that structure (offset). Once you find a base pointer you can use something called Dissect structures in Cheat Engine and see tons of different offsets in live view in that structure. This way you can find and edit very hard-to-find values that you can't just find by searching. You can also use the "Hex view" at the bottom of the memory view to see live bytes that change near the address you found, to find more hard-to-find offsets.

Once you have found the base offset you are looking for you can easily use "Find out what accesses this address" to get a memory location where it is being used, or you can use the disassembler search and just search for the base pointer.

Offsets on the other hand are something different; they only change once a structure is changed (a variable added or removed, or simply moved around). To create an AoB for this you need to use "Find out what accesses this address" and find a memory location where it's being used; you can't just search for it. However, it's rather easy to find using Dissect structures in Cheat Engine since you have the base pointer.

 

To create a good AoB to find the memory location again you need to understand what to save and what to remove.

An AoB is basically an array of bytes; every byte can be 00 - FF and you want to make it as short as possible in case the function is rewritten, but also strong enough to withstand small edits like offsets and register uses.

The picture Ezekiel posted describes it very well.

 

If your goal is to cheat and you want to learn the basics you can check on YouTube; there are several people who make tutorials. My personal recommendation would be "Cheat The Game", which has tons of different examples and uses Lua/AA, finds hard values, bypasses CRC checks and so on.

 

///////////////

Took the time to make an example. The first thing I did was to search for the ammo, which gives me the direct memory location the ammo is stored at. To find out what location reads this I use "Find out what accesses this address", which points me to a location where I can find my offset.

Example: mov eax, [esi+14]. That means the base pointer I'm looking for is in esi and the offset in that structure is 0x14. Note that sometimes they use structures in structures (multi-level pointer; you just do the same thing but with several offsets).

Anyway, in the window which shows "mov eax, [esi+14]" you can look a bit down and see the value, aka "base pointer": esi = XXXXXXXX. I simply copy the esi value. Now we have the memory location of the structure; however, we need to find the address that holds this memory location. We take the XXXXXXXX value, go to exact scan and search for this value. If you find a green address you are done; if not, it's a multi-layer pointer and you need to continue this several times.

Now save the green base address you have, go to Dissect structures/data, paste your address and let the fun begin.

[image: d23d3d.PNG]

In my case there were several layers to find the destination, and at the location I found I could edit player name, health, positions and everything in the game, even the game modes, and this example would be undetected by any game, no CRC bypasses or anything required.

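Added example (not Chubbylitooo's code): a Python model of the pointer-chain steps in the post over a constructed 32-bit little-endian memory image. The static "green" address, the heap addresses, the 0x14/0x08 offsets and the hp value are all assumptions; it shows the exact-scan step and the multi-level chain resolving across two different heap layouts, which is why the static address plus offsets is what you keep rather than the raw esi value.

```python
import struct

STATIC = 0x00A31000      # constructed "green" address in the module's static data
OFFSETS = [0x14, 0x08]   # MainChar+0x14 -> inner stats struct, stats+0x08 -> hp

def read_u32(regions: dict, addr: int) -> int:
    """Little-endian dword read across the constructed regions (raises if unmapped)."""
    for base, buf in regions.items():
        if base <= addr <= base + len(buf) - 4:
            return struct.unpack_from("<I", buf, addr - base)[0]
    raise ValueError(f"unmapped read at {addr:#010x}")

def build_regions(main_at: int, stats_at: int, hp: int) -> dict:
    """Constructed image: STATIC -> MainChar, MainChar+0x14 -> stats, stats+0x08 = hp.
    main_at/stats_at play the role of heap addresses that differ per run; STATIC does not."""
    regions = {STATIC: bytearray(16), main_at: bytearray(32), stats_at: bytearray(32)}
    struct.pack_into("<I", regions[STATIC], 0, main_at)
    struct.pack_into("<I", regions[main_at], OFFSETS[0], stats_at)
    struct.pack_into("<I", regions[stats_at], OFFSETS[1], hp)
    return regions

def find_holders(regions: dict, value: int) -> list:
    """The post's 'exact scan for XXXXXXXX': every dword-aligned address holding value."""
    return [base + off for base, buf in regions.items()
            for off in range(0, len(buf) - 3, 4)
            if struct.unpack_from("<I", buf, off)[0] == value]

def resolve_chain(regions: dict, static_addr: int, offsets: list) -> int:
    """Cheat Engine style multi-level pointer: dereference the static address,
    then every offset but the last; the result is the address of the value itself."""
    ptr = read_u32(regions, static_addr)
    for off in offsets[:-1]:
        ptr = read_u32(regions, ptr + off)
    return ptr + offsets[-1]

def demo() -> tuple:
    """Same static+offsets chain resolves in two 'runs' with different heap layouts."""
    run1 = build_regions(0x02500000, 0x02600000, 1500)
    run2 = build_regions(0x03A40000, 0x03B70000, 1500)
    return (read_u32(run1, resolve_chain(run1, STATIC, OFFSETS)),
            read_u32(run2, resolve_chain(run2, STATIC, OFFSETS)),
            find_holders(run1, 0x02600000))   # who holds the inner struct's address
```

find_holders(run1, 0x02600000) lands on MainChar+0x14 (not a static address), so the scan has to be repeated for MainChar's own address, which is the "continue this several times" step in the post.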
7 hours ago, Fameguy said:

For starters I'd recommend getting the real names of the pointers and offsets.

On that note I would download MapleStory's PDB file.

Keep in mind you would need to install IDA to use this. The PDB file can be found on RageZone iirc, or maybe someone posted it here; iirc Ezekiel released his, anyways.

Once you have the IDA file running and you know the actual names of the pointers, I would search for them in the PDB and create new AoBs. I can help out if you'd like.

Thanks! I've got the IDA, the PDB leak files and the pointer/offset names I'm interested in.

Could you expand on your last sentence? How do I go about turning these functions into new AoBs? If you still have the files, maybe an example would be nice.

 

Thanks so much for your help!

