  #1 Departure

    [Tut] Find PTC Addresses

    OK, I'm going to try and explain how I found a new PTC address. I don't know why a lot of people here are calling it "pointers"; there are no pointers (do you guys actually know what a pointer is?). Let me show you what I was using in the hotkey hacks:

    Code:
    Const
      dwPtcAddr = $00485E10;    // address of the routine shown in the Olly dump below
    ....
    ....
    ....
    Procedure Pushit (const PCharCommand: PChar);
    asm
      PUSH PCharCommand         // the single PChar argument
      MOV EAX, dwPtcAddr
      CALL EAX                  // call 00485E10
      ADD ESP, $00000004        // cdecl-style: the caller removes the 4-byte argument
    end;
    end.
    Very simple, yeah... and no pointers. It actually worked very well and has worked for a few months now, as I also used this address last year, but in a "Gordon's" method way.

    Anyway, let's look in Olly at this address.

    Code:
    00485E10   /$  8B4424 04      MOV EAX,[ESP+4]
    00485E14   |.  50             PUSH EAX
    00485E15   |.  68 F0238000    PUSH 008023F0
    00485E1A   |.  E8 A1EDFFFF    CALL 00484BC0
    00485E1F   |.  83C4 08        ADD ESP,8
    00485E22   \.  C3             RET
    We can see two things that stick out here: it pushes "008023F0" to the stack and calls address 00484BC0, then returns to its caller + 8.

    BTW, I still don't see any of these infamous "pointers". One more thing to take note of is in the info panel:

    Code:
    Local calls/jumps from 0046FA66, 004FB070, 004FB09C, 004FB0C8, 004FB0F7, 004FB4EE, 004FB51A, 004FB546, 004FB575
    This means every one of these addresses calls this address (00485E10). Try and remember this basic thing, as it will help you find other addresses to use in the future. So, with that in mind, let's look at the address that PTC (00485E10) calls; in this case it calls 00484BC0.

    Code:
    00485E1A   |.  E8 A1EDFFFF    CALL 00484BC0
    Now think logically here: we call 00485E10, so it calls 00484BC0. What if there are other addresses that also call 00484BC0? Would it make sense that we could use the other addresses, if found, instead of this one? The answer is yes. Simply right click on "CALL 00484BC0" and in the menu choose "Find Reference to ----> Call Destination"; now you see a huge list of addresses that call this. Go and analyze them and you will find a couple you can use as an alternative to 00485E10. And BTW, still no "pointers" seen here.

    Also, if this address (00485E10) is NOT detected as people claim, why is my hotkey hack not working for PTC while everything else still works? But PTC works once I use another address, using the method described above.
    Last edited by Departure; 02-28-2011 at 06:48 PM.

    The Following 3 Users Say Thank You to Departure For This Useful Post:
    whit (02-28-2011), yaserifti1 (02-28-2011), _Fk127_ (02-28-2011)
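The "Find Reference to ----> Call Destination" step in the post above is, underneath, just arithmetic over `E8 rel32` near calls: the destination is the address of the next instruction plus the signed 32-bit displacement, and a cross-reference list is every call site whose destination matches. The Python below is an added example for this thread, not code from the post or from OllyDbg: it re-enters the opcode bytes of the six instructions Olly showed at 00485E10, decodes the `CALL` and the `PUSH imm32` from them, and then runs the same caller search over a small constructed buffer with two call sites (the 0x00401000 addresses in `build_sample` are made up for the example). The byte scan is deliberately naive and says so in the comments; a real disassembler works from decoded instructions, which is why Olly's list has no false positives from `E8` bytes inside immediates or data.

```python
import struct

# Bytes of the six instructions the post lists at 00485E10, re-entered from
# the opcode column of the Olly dump so the decoder can be run offline.
PTC_BASE = 0x00485E10
PTC_BYTES = bytes.fromhex(
    "8B442404"    # MOV EAX,[ESP+4]
    "50"          # PUSH EAX
    "68F0238000"  # PUSH 008023F0
    "E8A1EDFFFF"  # CALL 00484BC0
    "83C408"      # ADD ESP,8
    "C3"          # RET
)


def call_target(insn_addr, disp_bytes):
    """Destination of an E8 near call: next-instruction address + signed rel32."""
    disp = struct.unpack("<i", disp_bytes)[0]
    return (insn_addr + 5 + disp) & 0xFFFFFFFF


def encode_call(insn_addr, target):
    """Inverse of call_target; used only to build the constructed sample below."""
    return b"\xE8" + struct.pack("<i", target - (insn_addr + 5))


def find_near_calls(buf, base):
    """Linear scan for E8 rel32. Returns [(call_addr, target), ...].

    Caveat: this is a byte scan, not a disassembly, so an E8 that happens to
    sit inside an immediate or data would be reported too. A real
    cross-reference (as in Olly) is built from decoded instructions.
    """
    out = []
    for off in range(len(buf) - 4):
        if buf[off] == 0xE8:
            addr = base + off
            out.append((addr, call_target(addr, buf[off + 1:off + 5])))
    return out


def find_push_imm32(buf, base):
    """Linear scan for 68 imm32 (PUSH imm32); same false-positive caveat."""
    return [(base + off, struct.unpack("<I", buf[off + 1:off + 5])[0])
            for off in range(len(buf) - 4) if buf[off] == 0x68]


def callers_of(buf, base, target):
    """The 'Find Reference to -> Call Destination' idea: every call site whose target matches."""
    return [addr for addr, t in find_near_calls(buf, base) if t == target]


def build_sample():
    """Constructed .text-like buffer; all addresses here are made up for the example.

    0x00401000: CALL 0x00401020 ; RET
    0x00401006: CALL 0x00401020 ; RET      (second caller of the same routine)
    0x0040100C: NOP padding up to the routine
    0x00401020: XOR EAX,EAX ; RET
    """
    base = 0x00401000
    routine = 0x00401020
    body = encode_call(0x00401000, routine) + b"\xC3"
    body += encode_call(0x00401006, routine) + b"\xC3"
    body += b"\x90" * (routine - (base + len(body)))
    body += b"\x31\xC0\xC3"
    return base, body, routine


if __name__ == "__main__":
    # Reproduce the two observations from the post: the PUSH and the CALL.
    for addr, tgt in find_near_calls(PTC_BYTES, PTC_BASE):
        print(f"{addr:08X}  CALL {tgt:08X}")
    for addr, imm in find_push_imm32(PTC_BYTES, PTC_BASE):
        print(f"{addr:08X}  PUSH {imm:08X}")
    # Then the cross-reference search over the constructed buffer.
    base, text, routine = build_sample()
    print(f"callers of {routine:08X}:", [f"{a:08X}" for a in callers_of(text, base, routine)])
```

Running it prints the `CALL 00484BC0` at 00485E1A and the `PUSH 008023F0` at 00485E15, matching the Olly listing, and then lists both constructed call sites of the routine at 0x00401020. The displacement check is worth doing by hand once: `A1EDFFFF` is -0x125F, and 0x00485E1F - 0x125F = 0x00484BC0.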

  #2 _Fk127_
    Quote Originally Posted by Departure View Post
    Maybe your method is detected when it calls the function located at 00485E10, because I use a completely different method from all of the public ones, and it still works for me.
    On topic: nice simple tut, should help a lot of people.




  #3 whit
    Very nice tut...
    You gotta know reverse engineering or ASM?
    Reverse engineering FTW

  #4 Departure
    Well, for this small tutorial you don't need to know assembly; it's just following the code flow. It does help to have some sort of understanding of assembly; for me this understanding comes with the RE scene and the last 5 years spent trying to learn.

  #5 whit
    Quote Originally Posted by Departure View Post
    Well, for this small tutorial you don't need to know assembly; it's just following the code flow. It does help to have some sort of understanding of assembly; for me this understanding comes with the RE scene and the last 5 years spent trying to learn.
    5 years, ewww.
    I'm just now getting into Lena's reversing tuts...
    Where did you learn from?

  #6 Departure
    Tuts4you, where the Lena151 tutorials come from. I can highly recommend them, as I also have watched these tutorials; if you're smart you will watch all of them and not miss any. From there I joined different forums dealing with RE, and I currently do keygenning. I am still on the tuts4you forum but also joined others. Another thing I learnt from was the malware scene; I don't personally code malware, but I have done cryptors in the past, and you can learn a lot from this scene because it deals with PE file structures etc. I have only just decided to learn about the game hacking scene, where so far I have picked up a few things from this forum thanks to your help and other members here.

  #7 Sid
    Quote Originally Posted by Departure View Post
    Tuts4you, where the Lena151 tutorials come from. I can highly recommend them, as I also have watched these tutorials; if you're smart you will watch all of them and not miss any. From there I joined different forums dealing with RE, and I currently do keygenning. I am still on the tuts4you forum but also joined others. Another thing I learnt from was the malware scene; I don't personally code malware, but I have done cryptors in the past, and you can learn a lot from this scene because it deals with PE file structures etc. I have only just decided to learn about the game hacking scene, where so far I have picked up a few things from this forum thanks to your help and other members here.
    Wanna PM me the link?