More on Accessing Memory [Solved]

Posts 1–15 of 20 · Page 1 of 2
258456
Ok, so thanks to Jason and Hassan I understand how to access pointers and stuff in memory. But the problem is I don't know how far to go in some situations. For example I have found the offset of my player's health in assault cube, it is an integer but i tried to access it by this and it didn't work:

Code:
*(int*)(0x4E4DBC /* start of player struct */ + 0xF4 /* player health offset */) = 200;
It didn't affect the health and it didn't do anything to the gameplay. Then I got the base address of ac_client and then added to that the start of the player struct, then the offset, like this:

Code:
DWORD base = (DWORD) GetModuleHandleA("ac_client.exe");

*(int*) (base + 0x4E4DBC + 0xF4) = 200;
All that did was crash the game.

I don't understand why it's not working so it's hard to fix the problem. Any help is appreciated. Thanks.
#1 · 15y ago
Jason
Quote Originally Posted by 258456
Ok, so thanks to Jason and Hassan I understand how to access pointers and stuff in memory. But the problem is I don't know how far to go in some situations. For example I have found the offset of my player's health in assault cube, it is an integer but i tried to access it by this and it didn't work:

Code:
*(int*)(0x4E4DBC /* start of player struct */ + 0xF4 /* player health offset */) = 200;
It didn't affect the health and it didn't do anything to the gameplay. Then I got the base address of ac_client and then added to that the start of the player struct, then the offset, like this:

Code:
DWORD base = (DWORD) GetModuleHandleA("ac_client.exe");

*(int*) (base + 0x4E4DBC + 0xF4) = 200;
All that did was crash the game.

I don't understand why it's not working so it's hard to fix the problem. Any help is appreciated. Thanks.
Have you verified (through CE or something) that whatever (base + 0x4E4DBC + 0xF4) is pointing to is actually your health?

I just tried quickly with it and I got a useless value.

Add Pointer at ( 0x400000 + 0x4E4DBC ) with offset 0xF4 points to nothing. Are you sure your 0x4E4DBC value is correct? I think that 0x4E4DBC was your physical address ( with base added already ). Try this:

Code:
DWORD base = (DWORD)GetModuleHandle("ac_client.exe");
DWORD playerStruct = base +  0xE4DBC;
int *hpPtr = (int*)(playerStruct + 0xF4);
*hpPtr = 200;

EDIT:
Sorry, made a mistake with the offsets.

Code:
#include <windows.h>
#include <cstdio>

#define PLAYER_STRUCT     *(DWORD*)((DWORD)GetModuleHandle("ac_client.exe") + 0xE4DBC)
#define HP_OFFSET         0x000F4
#define NAME_OFFSET       0x00219

DWORD WINAPI main(LPVOID)
{
	char buffer[16];                                  // room for any 32-bit int plus the terminator
	int* hpPtr = (int*)(PLAYER_STRUCT + HP_OFFSET);
	snprintf(buffer, sizeof(buffer), "%d", *hpPtr);   // bounded, unlike sprintf into a 10-byte buffer
	MessageBoxA(NULL, buffer, "Your HP:", MB_OK);
	char *name = (char*)(PLAYER_STRUCT + NAME_OFFSET);
	MessageBoxA(NULL, name, "Your Name:", MB_OK);
	return 0;                                         // a thread routine must return a DWORD
}
#2 · edited 15y ago · 15y ago
258456
Thanks for the quick reply Jason. Thanks for the code also, but if you don't mind, can you explain why for the player struct it is *(DWORD*) and not *(DWORD**) or something like that? I understand what they mean, but the problem I am having is how do I know how many levels down a pointer is.
#3 · edited 15y ago · 15y ago
_corn_
Quote Originally Posted by Jason
Have you verified (through CE or something) that whatever (base + 0x4E4DBC + 0xF4) is pointing to is actually your health?

I just tried quickly with it and I got a useless value.

Add Pointer at ( 0x400000 + 0x4E4DBC ) with offset 0xF4 points to nothing. Are you sure your 0x4E4DBC value is correct? I think that 0x4E4DBC was your physical address ( with base added already ). Try this:

Code:
DWORD base = (DWORD)GetModuleHandle("ac_client.exe");
DWORD playerStruct = base +  0xE4DBC;
int *hpPtr = (int*)(playerStruct + 0xF4);
*hpPtr = 200;
EDIT:
Sorry, made a mistake with the offsets.

Code:
#include <windows.h>
#include <cstdio>

#define PLAYER_STRUCT     *(DWORD*)((DWORD)GetModuleHandle("ac_client.exe") + 0xE4DBC)
#define HP_OFFSET         0x000F4
#define NAME_OFFSET       0x00219

DWORD WINAPI main(LPVOID)
{
    char buffer[16];                                  // room for any 32-bit int plus the terminator
    int* hpPtr = (int*)(PLAYER_STRUCT + HP_OFFSET);
    snprintf(buffer, sizeof(buffer), "%d", *hpPtr);   // bounded, unlike sprintf into a 10-byte buffer
    MessageBoxA(NULL, buffer, "Your HP:", MB_OK);
    char *name = (char*)(PLAYER_STRUCT + NAME_OFFSET);
    MessageBoxA(NULL, name, "Your Name:", MB_OK);
    return 0;                                         // a thread routine must return a DWORD
}
This is probably a little off topic but can you help me with this:

Code:
*(float*)((*(DWORD*)((*(DWORD*)(CShell+0xA2A7E8)) +(4*i))) + 0x2424) = 100.0f;
That is for a NoReload hack for crossfire.
Can you explain what all the ((*(DWORD*)((*(DWORD*) stuff is for? And the 4*i (i is a counter).
#4 · 15y ago
258456
Quote Originally Posted by _corn_
This is probably a little off topic but can you help me with this:

Code:
*(float*)((*(DWORD*)((*(DWORD*)(CShell+0xA2A7E8)) +(4*i))) + 0x2424) = 100.0f;
That is for a NoReload hack for crossfire.
Can you explain what all the ((*(DWORD*)((*(DWORD*) stuff is for? And the 4*i (i is a counter).
Can you make another thread please, because you are getting my thread off topic, but I will answer your question. The float/DWORD pattern you wrote simply means that it is a pointer to a float to a DWORD pointer pointer to a DWORD pointer, and basically you just dereferenced the address, so now that it is like this you can access the actual values in it. As for the 4*i, in asm a pointer is four bytes, that is why you are multiplying your index (i) by four.
#5 · edited 15y ago · 15y ago
Jason
Quote Originally Posted by 258456
Thanks for the quick reply Jason. Thx for the code also but if you don't mind can you explain why for the player struct *(DWORD*) and not *(DWORD**) or something like that? I understand what they mean but my problem that I am having is that how do I know how many levels down a pointer is.
Okay, this is a little bit more complicated. Basically the player struct is actually a p2p2p (double level pointer); usually this is the case with classes/structs. Now, an actual pointer occupies 4 bytes (integer) in memory, and tells you where to go. Because this is a double level pointer, the first pointer will actually just point to another pointer. sizeof(DWORD) == sizeof(int), so you can use either one to represent a pointer.

So, think of it this way (NOTE: this is just pseudocode so you get an idea of pointer depth)
Code:
PLAYER_STRUCT** pstruct; //player struct is a 2 level pointer.
DWORD* firstPtr = (DWORD*)pstruct; //this has treated the pstruct as a DWORD*, ie C++ is saying treat this address as a pointer to a DWORD.
DWORD val = *firstPtr; //dereferences the DWORD* to find out what the value was
Basically, you have 2 pointers in pstruct
0xDEADBEEF holds the integer value [0x00DEFACED] -> 0x00DEFACED holds the integer value [0xFEEDF00D] -> 0xFEEDF00D holds the PLAYER_STRUCT.

so treating 0xDEADBEEF as a DWORD* rather than a PLAYER_STRUCT** means follow where 0xDEADBEEF points to, then read a DWORD from that address, so dereferencing 0xDEADBEEF gives us 0x00DEFACED, which is 1 level closer to pstruct.

Code:
//moving up pointer levels:
PLAYER_STRUCT** pstruct = somevalue;
PLAYER_STRUCT* uplevel = (PLAYER_STRUCT*)*(DWORD*)pstruct;
It's hard to explain haha, but think of it this way: If you find a class/struct's address (like 0x4E4DBC in AC), think of it as a double level pointer, so you dereference 1 level. I'd recommend the CE tutorials for more pointer explanation, I hate trying to explain pointers lol.
#6 · 15y ago
.::SCHiM::.
To verify if a pointer is pointing to a valid location in memory before using it you can do:

IsBadReadPtr( Your_pointer ) and IsBadWritePtr() respectively. Also you can wrap your code in an exception handler to test for an invalid pointer.

As for your question, it's very simple, *(DWORD*) = pointer to a DWORD pointer. But is dereferenced in player struct, so all that remains is simply a pointer to your health or name.
#7 · 15y ago
Jason
To clarify my answer about why it's a double level pointer, as I was a bit hazy in the first post:

The address itself needs to be interpreted as a pointer for C++ to read a specific type from it. I.e. say there was a value of 100 starting at 0xDEADBEEF (4 byte value btw).

You can't just go:
DWORD value = (DWORD)0xDEADBEEF;
because that will just convert the hex 0xDEADBEEF to an integer.

But yeah, hopefully you get it now.
#8 · 15y ago
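Added example, not code from this thread: a small C program that lays the same two-level chain out in a constructed fake address space (every address below is made up, a stand-in for the thread's 0x400000, 0xE4DBC, 0xF4 and 0x219) and follows it the way posts #2, #6 and #8 describe: module base plus RVA, one *(DWORD*) dereference, then the byte offset. It also reproduces the two mistakes the thread runs into, adding the base to an address that already includes it, and adding a field offset to a DWORD* (which moves four bytes per unit), and shows what each actually computes. Reads go through a bounds check against the region the program owns rather than probing with IsBadReadPtr, which Microsoft's documentation marks obsolete.

```c
/* Added example (not from the thread): a two-level pointer chain in a fake,
 * constructed address space. A "fake address" is just an index into g_mem. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t DWORD;                 /* 4 bytes, the size of a 32-bit pointer */

#define MEM_SIZE 0x2000
static unsigned char g_mem[MEM_SIZE];   /* the fake process memory we own */

/* Made-up layout, stand-ins for the thread's 0x400000 / 0xE4DBC / 0xF4 / 0x219. */
#define MODULE_BASE     0x1000u         /* where the fake module is loaded */
#define PLAYER_PTR_RVA  0x04BCu         /* static DWORD that holds the player pointer */
#define PLAYER_ADDR     0x1800u         /* where the player struct itself lives */
#define HP_OFFSET       0x00F4u
#define NAME_OFFSET     0x0219u

/* Bounds check against the region we know about: the defender's substitute for
 * IsBadReadPtr/IsBadWritePtr. Anything outside the region is refused, not probed. */
static int mem_in_range(DWORD addr, size_t len) {
    return addr < MEM_SIZE && len <= MEM_SIZE - addr;
}

/* Equivalent of *(DWORD*)addr, but checked. Returns 0 when the read is refused. */
static int read_dword(DWORD addr, DWORD *out) {
    if (!mem_in_range(addr, sizeof *out)) return 0;
    memcpy(out, g_mem + addr, sizeof *out);
    return 1;
}

static int write_dword(DWORD addr, DWORD v) {
    if (!mem_in_range(addr, sizeof v)) return 0;
    memcpy(g_mem + addr, &v, sizeof v);
    return 1;
}

/* Build the chain: [MODULE_BASE + PLAYER_PTR_RVA] -> PLAYER_ADDR -> fields. */
void setup_fake_memory(void) {
    memset(g_mem, 0, sizeof g_mem);
    write_dword(MODULE_BASE + PLAYER_PTR_RVA, PLAYER_ADDR);   /* level 1: the pointer */
    write_dword(PLAYER_ADDR + HP_OFFSET, 100);                 /* level 2: an int field */
    memcpy(g_mem + PLAYER_ADDR + NAME_OFFSET, "player", 7);    /* level 2: a char field */
}

/* *(int*)( *(DWORD*)(base + rva) + HP_OFFSET ): dereference one level, then add a
 * byte offset to the integer address. Returns 0 if any step is out of range. */
int read_health(DWORD module_base, DWORD player_ptr_rva, int *hp_out) {
    DWORD player, raw;
    if (!read_dword(module_base + player_ptr_rva, &player)) return 0;
    if (!read_dword(player + HP_OFFSET, &raw)) return 0;
    *hp_out = (int)raw;
    return 1;
}

const char *read_name(DWORD module_base, DWORD player_ptr_rva) {
    DWORD player;
    if (!read_dword(module_base + player_ptr_rva, &player)) return NULL;
    if (!mem_in_range(player + NAME_OFFSET, 1)) return NULL;
    return (const char *)(g_mem + player + NAME_OFFSET);
}

/* The slip from adding a field offset to a DWORD*: the offset is scaled by
 * sizeof(DWORD). Returns the fake address that arithmetic actually lands on. */
DWORD scaled_offset_address(DWORD player_addr, DWORD byte_offset) {
    DWORD *p = (DWORD *)(g_mem + player_addr);
    DWORD *wrong = p + byte_offset;                 /* moves byte_offset DWORDs, not bytes */
    return (DWORD)((unsigned char *)wrong - g_mem); /* == player_addr + 4 * byte_offset */
}

int main(void) {
    int hp = 0;
    setup_fake_memory();

    /* Correct: base + RVA, one dereference, then the byte offset. */
    if (read_health(MODULE_BASE, PLAYER_PTR_RVA, &hp))
        printf("health via chain: %d, name: %s\n", hp, read_name(MODULE_BASE, PLAYER_PTR_RVA));

    /* Wrong: passing the already-relocated address as the RVA adds the base twice.
     * Here the checked read refuses it; in a live process it is an access violation. */
    if (!read_health(MODULE_BASE, MODULE_BASE + PLAYER_PTR_RVA, &hp))
        printf("base added twice: read refused\n");

    printf("DWORD* + 0x%X lands at 0x%X, not 0x%X\n", (unsigned)HP_OFFSET,
           (unsigned)scaled_offset_address(PLAYER_ADDR, HP_OFFSET),
           (unsigned)(PLAYER_ADDR + HP_OFFSET));
    return 0;
}
```

The checked read_dword is the reusable piece: whoever owns a known region should validate an address against that region before dereferencing it, because a stray DWORD read at an unmapped page is exactly the crash reported in post #1, and catching it with an exception handler only tells you after the fault.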
258456
Thank you guys so much as usual. It makes a lot more sense to me now than it did yesterday, and that's a huge step for me. Thanks a bunch.

I doubt this is the end of my pointer problems so I will keep you guys updated, but I really feel like I get it now. Thanks guys.
#9 · edited 15y ago · 15y ago
Jason
And if you're interested:

Code:
#define BASE_ADDRESS      (DWORD)GetModuleHandle("ac_client.exe")
#define PLAYER_STRUCT     *(DWORD*)(BASE_ADDRESS + 0xE4DBC)
#define HP_OFFSET         0x000F4
#define NAME_OFFSET       0x00219
#define UNLIM_AMMO        (BASE_ADDRESS + (DWORD)0x5B75F)
You just need to NOP the UNLIM_AMMO address for 2 bytes (note, singleplayer only)
#10 · 15y ago
258456
Ok, so I just tried dereferencing the pointer and changing the value of the health, but the game crashes. I don't know why. This is my code:

Code:
#include <Windows.h>
#include <iostream>
#include "player.h"
void hack();

DWORD base = (DWORD)GetModuleHandle(TEXT("ac_client.exe"));
DWORD *playerStruct = (DWORD*)(base +  0x4E4DBC);
int *hpPtr = (int*)(playerStruct + 0xF4);

player *me = *(player**)0x4E4DBC;
float zpos;
float xsaved;
float ysaved;
float zsaved;
void hack()
{
	*hpPtr = 200;
	while(true)
	{
		if(GetAsyncKeyState(VK_SPACE)&1)
		{
			me->z += 5;
			zpos = me->z;
			while(!GetAsyncKeyState(VK_NUMPAD1)&1)
			{
				if(GetAsyncKeyState(VK_SPACE)&1)
				{
					me->z += 5;
					zpos = me->z;
				}
				me->z = zpos;
			}
		}
		if(GetAsyncKeyState(VK_SHIFT)&1)
		{
			me->z -= 5;
		}
		if(GetAsyncKeyState(VK_LEFT)&1)
		{
			me->x -= 5;
		}
		if(GetAsyncKeyState(VK_RIGHT)&1)
		{
			me->x += 5;
		}
		if(GetAsyncKeyState(VK_UP)&1)
		{
			me->y += 5;
		}
		if(GetAsyncKeyState(VK_DOWN)&1)
		{
			me->y -= 5;
		}
		if(GetAsyncKeyState(VK_NUMPAD8)&1)
		{
			xsaved = me->x;
			ysaved = me->y;
			zsaved = me->z;
		}
		if(GetAsyncKeyState(VK_NUMPAD9)&1)
		{
			me->x = xsaved;
			me->y = ysaved;
			me->z = zsaved;
		}
	}
}
BOOL APIENTRY DllMain (HINSTANCE hInst     /* Library instance handle. */ ,
                       DWORD reason        /* Reason this function is being called. */ ,
                       LPVOID reserved     /* Not used. */ )
{
    switch (reason)
    {
      case DLL_PROCESS_ATTACH:
        CreateThread(NULL, NULL,(LPTHREAD_START_ROUTINE)hack, NULL, NULL, NULL);
        break;

      case DLL_PROCESS_DETACH:
        break;

      case DLL_THREAD_ATTACH:
        break;

      case DLL_THREAD_DETACH:
        break;
    }

    /* Returns TRUE on success, FALSE on failure */
    return TRUE;
}
@Jason
@Hassan
#11 · edited 15y ago · 15y ago
Jason
You stuffed up the player struct value when declaring the hpPtr (you didn't dereference the playerstruct value), use the defines I gave you earlier:

Code:
#define BASE_ADDRESS      (DWORD)GetModuleHandle("ac_client.exe")
#define PLAYER_STRUCT     *(DWORD*)(BASE_ADDRESS + 0xE4DBC)
#define HP_OFFSET         0x000F4
#define NAME_OFFSET       0x00219
#define UNLIM_AMMO        (BASE_ADDRESS + (DWORD)0x5B75F)

//globals
int* HP_POINTER = (int*)(PLAYER_STRUCT + HP_OFFSET);
player *MY_PLAYER = (player*)(PLAYER_STRUCT);
#12 · 15y ago
258456
Oh, I just realized that it was also crashing because I wasn't even accessing the right offset. The struct is located at 0x4E4DBC, but when I add the base + offset of the struct it is something else. So I should have written 0xE4DBC, since the base address is 0x400000 and 0x400000 + 0xE4DBC = 0x4E4DBC, the address I wanted from the beginning.
#13 · 15y ago
258456
Quote Originally Posted by Jason
And if you're interested:

Code:
#define BASE_ADDRESS      (DWORD)GetModuleHandle("ac_client.exe")
#define PLAYER_STRUCT     *(DWORD*)(BASE_ADDRESS + 0xE4DBC)
#define HP_OFFSET         0x000F4
#define NAME_OFFSET       0x00219
#define UNLIM_AMMO        (BASE_ADDRESS + (DWORD)0x5B75F)
You just need to NOP the UNLIM_AMMO address for 2 bytes (note, singleplayer only)

Or I can get "unlimited" ammo the cheap and easy way by setting the bullet offset in my player class to 99999999999999. Then being above the map after editing my z coordinate. Then editing another value in the player class that calculates how many cubes per second I can walk and setting it to .1 so that I basically have no recoil. HAHAHAHAHa. Thanks for making it possible Jason.
#14 · 15y ago
Jason
your player class fmm. NOPing the ammo calculation is easy though, and if you have godmode on it doesn't matter that the bots have unlimited ammo too
#15 · 15y ago