Reading Pointer Value

[BruceCopperField]

I am able to get a pointer's address using Cheat Engine and that address value seems to be static even if I restart the game. But the question is, would that address be the same every time I REBOOT the machine or run it in another machine (with or without the same version of windows)?

[Inverted]

Probably always the same (unless it's inside a dll of course)

Well, of course you can test it yourself or on friend's PCs.

Edited February 15, 2009 by Inverted

[geasiki]

The pointer will stay the same.

but the adress it's pointing to it will probably change.

[Inverted]

The pointer will stay the same.

but the adress it's pointing to it will probably change.

Well, that's why he's interested in the pointer ...

[BruceCopperField]

Thx for all of the replies. I wrote a short program in C (I know this is an autoit forum but it can't test this kind of thing, right!) and found that the address values are the same in a few different Windows XP SP? machines. I don't have a chance to test it in Vista yet. But, is it some thing guaranteed by Windows?

expandcollapse popup

#include "stdafx.h"
#include <windows.h>

int globalVar=23;
void loop();
int _tmain(int argc, _TCHAR* argv[])
{
    loop();
    Sleep(60 * 1000);
    return 0;
}
void loop() {
    struct Date {
        int year;
        int month;
        int day;
    };
    long address;
    struct Date * pArray[30];
    struct Date *pBirthday;
    pBirthday =(struct Date*) malloc(sizeof(struct Date));

    address = (long) &pBirthday;
    printf("value of auto pointer address %x\n", address);

    long gAddress = (long) &globalVar;
    printf("value of global int address %x\n", gAddress);

    if (address== 0x12ff78L) 
        printf("auto same as expected value\n");
    else 
        printf("auto different from expected value!\n");

    if (gAddress == 0x403018)
        printf("global same as expected value\n");
    else 
        printf("global different from expected value!\n");
    
}

[Authenticity]

Then it's probably just a normal variable and not a pointer because allocation of the same address each restart of the game or windows or even different machines is not logically possible.

[BruceCopperField]

Then it's probably just a normal variable and not a pointer because allocation of the same address each restart of the game or windows or even different machines is not logically possible.

All 4 different Windows XP machines I tested on gave me the same addresses for the 2 variables (see my source code). But on another Vista machine, the addresses are different.

I am now reading the book Microsoft Windows Internals by Mark E. Russinovich & David Solomon. Unfortunately, it only says the virtual address space of a user's process has 4GB inside which the first 2GB is reserved for application code and global variables. There doesn't seem to have text describing to how the user application code, global variables and local variables are allocated within the user address space.

[BrettF]

Search for NomadMemory.au3.

Cheers,

Brett

[Inverted]

In order to fully understand, you should learn about the Windows PE file format and the way process loading works in windows.

From your example :

0x12ff78 is an address in stack, totally unreliable.

0x403018 should be inside the program's code or data section (because programs get loaded at 400000) Its contents may be stable everywhere.

Like Brett said, use the NomadMemory UDF to easily make a test case script.

Edited February 15, 2009 by Inverted

[BruceCopperField]

I am studying this _MemoryGetBaseAddress()

http://www.autoitscript.com/forum/index.php?

showtopic=78834&st=0&p=568869&#entry568869://http://www.autoitscript.com/forum/i...mp;#entry568869://http://www.autoitscript.com/forum/i...mp;#entry568869://http://www.autoitscript.com/forum/i...mp;#entry568869

But a few things I don't understand in _MemoryGetBaseAddress(),

i) Local $iv_Address = 0x00100000 <-- why initial value is 0x00100000?

ii) While $vType <> "00000080" <--- if I am correct, 0x80 means PAGE_EXECUTE_WRITECOPY, why we look for this, does it mean code/data has this memory protection constant only?

iii) If Hex($iv_Address) = "01000000" Then ExitLoop <-- why terminate the check at 0x01000000?

iv) the whole function try to return the Allocation Base, but why this is what we want?

Edited February 15, 2009 by BruceCopperField

[BruceCopperField]

In order to fully understand, you should learn about the Windows PE file format and the way process loading works in windows.

From your example :

0x12ff78 is an address in stack, totally unreliable.

0x403018 should be inside the program's code or data section (because programs get loaded at 400000) Its contents may be stable everywhere.

Like Brett said, use the NomadMemory UDF to easily make a test case script.

Thx for the reply.

If the things in the stack (like my 0x12ff78) are totally unreliable, then what about games that solely put all its pointers in the stack - i.e. all pointers are declared as local variables inside some C functions. In that case, does it mean there is no guarantee these addresses are the same every time we reboot, although in my test code they are, so happened, the same.

[Inverted]

Finding the memory base is only useful for loaded dlls (libraries) because they can get loaded in different locations. All executables load at 400000.

So if you want to patch a dll's memory you have to find its base address in memory and add the offset you want.

100000 is just a starting value, it keeps comparing sections of code to see if they are PAGE_EXECUTE_WRITECOPY, otherwise it adds 65536 (which is 10000 in hex) and checks again.

In other words, it loops to find the lowest memory section with the PAGE_EXECUTE_WRITECOPY attributes, starting from 100000.

EDIT: Yes, local variables go in the stack, never use these addresses, they are totally unreliable, even if you think they stay the same. Also, I think you don't get the difference between variables, addresses, and pointers.

Edited February 15, 2009 by Inverted

[BruceCopperField]

Finding the memory base is only useful for loaded dlls (libraries) because they can get loaded in different locations. All executables load at 400000.

So if you want to patch a dll's memory you have to find its base address in memory and add the offset you want.

100000 is just a starting value, it keeps comparing sections of code to see if they are PAGE_EXECUTE_WRITECOPY, otherwise it adds 65536 (which is 10000 in hex) and checks again.

In other words, it loops to find the lowest memory section with the PAGE_EXECUTE_WRITECOPY attributes, starting from 100000.

EDIT: Yes, local variables go in the stack, never use these addresses, they are totally unreliable, even if you think they stay the same. Also, I think you don't get the difference between variables, addresses, and pointers.

Ok, let me give an example. Suppose the online game I want write a bot on stores the HP/Mana, etc in a structure local to some function. e.g. (C code)

...
 function someHypotheticalFunctionOfTheGame() {
   struct userInfo {
      int hp;
      int mana;
      ... 
   };
   struct userInfo* pUserInfo;
   pUserInfo = (struct userInfo*) malloc(...);
   grabUserInfoFromServer(pUserInfo);
    ..
 }

This means I need to use Cheat Engine to locate the address of pUserInfo (the pointer to my desired data structure holding the Health point,mana,etc). But since pUserInfo is local to some function meaning it is stored in the stack and its address may change after a reboot,etc, right?. If this is true, how could I know which memory to read to get this pUserInfo even If I am able to locate it by cheat engine the first time and even its value looks like constant over a reboot?

Hope I have explained my concern clearly.

Once again, thx for all the replies

Edited February 15, 2009 by BruceCopperField

[Inverted]

Important values like health,mana etc should be stored somewhere globally, so that other functions can use them. 12xxxx addresses are in the stack, you should do a more thorough search with Cheat Engine to find the values elsewhere. Or you can find the code that reads or writes to these addresses and modify or NOP that command.

Of course, those values are also saved server-side, if you intend to change them in your client you may run into trouble.

[geasiki]

Honestly, go to the Cheatengine forum and do some more research on the 'tutorials' section about 'ponters' There are very detailed guides about it there