Originally Posted by Marsicano
Step 8: Multilevel pointers:
This step will explain how to use multi-level pointers.
In step 6 you had a simple level-1 pointer, with the first address found already being the real base address.
This step however is a level-4 pointer. It has a pointer to a pointer to a pointer to a pointer to a pointer to the health.
You basically do the same as in step 6. Find out what accesses the value, look at the instruction and what probably is
the base pointer value, and what is the offset, and already fill that in or write it down. But in this case the address
you'll find will also be a pointer. You just have to find out the pointer to that pointer exactly the same way as you did
with the value. Find out what accesses that address you found, look at the assembler instruction, note the probable
instruction and offset, and use that,
and continue till you can't get any further (usually when the base address is a static address, shown up as green).
Click Change Value to let the tutorial access the health.
If you think you've found the pointer path click Change Register. The pointers and value will then change and you'll
have 3 seconds to freeze the address to 5000.
Extra: This problem can also be solved using an auto assembler script, or using the pointer scanner.
Extra2: In some situations (like this) it is recommended to change ce's codefinder settings to Access violations when
encountering instructions like mov eax,[eax] since debug registers show it AFTER it was changed, making it hard to
find out the value of the pointer.
Extra3: If you're still reading, you might notice that when looking at the assembler instructions that the pointer is
being read and filled out in the same codeblock. This doesn't always happen, but can be really useful in finding a
pointer when debugging is troublesome.
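
The pointer walk this step describes, as an added example that is not part of the quoted post or of Cheat Engine: a four-offset path is resolved from a static base, then resolved again after every object in the chain has moved. Memory is a constructed byte array, and `STATIC_BASE`, the offsets and the object addresses are made-up values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MEM_SIZE    0x200u
#define STATIC_BASE 0x10u   /* assumed static ("green") address */
static uint8_t mem[MEM_SIZE];   /* constructed stand-in for the target's memory */
static const uint32_t OFFSETS[4] = {0x0C, 0x14, 0x00, 0x18};   /* constructed offsets */

static int rd32(uint32_t addr, uint32_t *out) {
    if (addr > MEM_SIZE - 4) return -1;   /* address outside the mapped range */
    memcpy(out, &mem[addr], 4);
    return 0;
}
static void wr32(uint32_t addr, uint32_t v) { memcpy(&mem[addr], &v, 4); }

/* Read the pointer stored at the current address, add the next offset, repeat.
   The address left after the last offset is where the value lives. */
int resolve(uint32_t base, const uint32_t *offs, size_t n, uint32_t *value_addr) {
    uint32_t addr = base, ptr;
    for (size_t i = 0; i < n; i++) {
        if (rd32(addr, &ptr) != 0 || ptr == 0) return -1;   /* broken link */
        addr = ptr + offs[i];
    }
    *value_addr = addr;
    return 0;
}

/* Place four linked objects at obj[0..3] and store the health in the last one. */
void build_chain(const uint32_t obj[4], uint32_t health) {
    memset(mem, 0, sizeof mem);
    wr32(STATIC_BASE, obj[0]);
    for (int i = 0; i < 3; i++) wr32(obj[i] + OFFSETS[i], obj[i + 1]);
    wr32(obj[3] + OFFSETS[3], health);
}

int read_health(uint32_t *health) {
    uint32_t a;
    if (resolve(STATIC_BASE, OFFSETS, 4, &a) != 0) return -1;
    return rd32(a, health);
}
int main(void) {
    const uint32_t first[4] = {0x40, 0x80, 0xC0, 0x100}, moved[4] = {0x120, 0x60, 0x1A0, 0xA0};
    uint32_t h = 0;
    build_chain(first, 100);
    if (read_health(&h) == 0) printf("health before move: %u\n", (unsigned)h);
    build_chain(moved, 250);   /* every object relocated, same static base and offsets */
    if (read_health(&h) == 0) printf("health after move: %u\n", (unsigned)h);
    return 0;
}
```

The address resolved before the move no longer holds the value afterwards; only the path from the static base still does.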