Complex Addresses (again...)

Postby Felheart » Wed Jun 25, 2008 9:06 pm

Hi there guys!

I know there are lots of tutorials and stuff. But I still have some special
questions about complex addresses.

This time the game is: "WARCRAFT 3: TFT"

WhiteHat kindly posted a table of Complex Addresses for players' gold values.

Here is the Complex Address for the first player
(of course taken from WhiteHat):

    [[[game.dll+87d7bc]+0xC]+((1-1)*0x140)+0x14]+0x78


Now I wanted to know how he made this Complex Address.
He said the Complex Address would resemble the ASM, so I started the game
and looked up my gold value the old way (searching...).

Then I used AutoHack "Find what writes this address".

It showed up like this:

[image: AutoHack result for "Find what writes this address"]

So the last segment ('0x78') is clear.
But I don't see 0x14, or the other things, in the disassembly!
And what's up with this part: [game.dll+0x87d7bc]?
How do I get the static offset from game.dll?

Could someone please explain that to me?
Could someone explain the whole Complex Address?
I wish I could make a tutorial about these things, but I don't understand
them well enough.

Postby mezzo » Wed Jun 25, 2008 9:31 pm

Read out the value of EAX at that instruction and then use MHS to figure out how this value got to be what it is (search for DWORD).

Postby Felheart » Wed Jun 25, 2008 10:39 pm

How do I find out how EAX became what it is?
AutoHack or disassembly? And why search for DWORD instead of pointers?

Postby mezzo » Wed Jun 25, 2008 11:12 pm

"AutoHack or disassembly?"

Indeed.

"Why search for DWORD?"

Because :-)

EAX is a CPU register, so first you need to figure out where in memory this value lives. Then you treat it as a regular value, which you can search for. When you have found where in memory it is, you can autohack it and study the code.

Postby L. Spiro » Thu Jun 26, 2008 12:00 am

Use the Real-Time Expression Evaluator to create the Complex Address as you go.

See the value of EAX in this post. Let us assume it is 0x200A044. Your Complex Address is now 0x200A044+0x78. Enter it into the Real-Time Expression Evaluator and verify the result is the address you want.

You have to find out how EAX was last modified before being used in this MOV. It went through a SUB/NEG/SBB/NOT/AND decoding routine, so you do not know what the value of EAX was before that and how it got that value.
So you need to put a breakpoint higher where EAX was last assigned by a MOV operation. Address 6F088DE7.

At that moment you have EAX being assigned by a value in EDX. You will have to set the breakpoint to see what EDX is, but you will get another address, for example 0x200FEE00. For the sake of simplicity, let us remove the decoding code and pretend you just have:
    MOV EAX, DWORD PTR [EDX+18] ; EDX = 0x200FEE00
    MOV DWORD PTR [EAX+78], EDX ; EAX = 0x200A044 or something
In your Complex Address we replaced EAX with 0x200A044. If EAX is [EDX+18], we know that [EDX+18] is 0x200A044. Therefore the following Complex Addresses are the same:
0x200A044+0x78
[EDX+0x18]+0x78 <- Except that we can’t use EDX in the Complex Address, so change it to its real value at that time.
[0x200FEE00+0x18]+0x78

The last one brings us closer to a full Complex Address but 0x200FEE00 is still a dynamic address.


Repeat the above steps. Look up to see what set EDX.
We see that it was address 6F088DE3.
Which means EDX = 0x200FEE00 = [EDX+EAX*8+4].
Our Complex Address changes again:
[[EDX+EAX*8+4]+0x18]+0x78
You have to debug to find the actual values for EDX and EAX here, but we will just assume they are 0x200004EC and 1.
[[0x200004EC+1*8+4]+0x18]+0x78


This keeps going until you find a MOV or LEA that references a constant number (no registers).
For example, MOV EAX, [6F0088034].


You have chosen a very bad place to try to make a Complex Address since you have to add some decoding routine.
The Complex Address you get cannot equal the one WhiteHat made. Using this code, yours will have a +0x18 and a 1*8+4.

The game will store many different ways to get to the final value, which is where the 0x78 is common. You need to find a different path to it, using only simple MOV and LEA instructions on the registers involved.


L. Spiro
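The back-substitution L. Spiro walks through above, written out as a small script. This is an added example, not code from the thread or from MHS: it takes the simplified two-instruction listing (decoding routine removed) as a constructed trace, walks it backwards replacing each register with the expression that produced it, and plugs in the register values the post assumes for whatever is left. The optional `rebase` turns an absolute constant into `game.dll+offset` by subtracting the module's load base, which is how a `[game.dll+...]` prefix like the one in WhiteHat's address is obtained; the base and size passed to it, the trace format, the function names and any instruction address not quoted in the post are my own assumptions.

```python
"""Turn a chain of register writes into an MHS-style Complex Address by back-substitution."""
import re

REGISTERS = ("EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP")


def normalise(operand):
    """'[EDX+18]' -> '[EDX+0x18]': disassembler numbers are hex, so say so explicitly."""
    out = []
    for part in re.split(r"([\[\]()+*\-])", operand.strip()):
        if part not in REGISTERS and re.fullmatch(r"[0-9A-Fa-f]+", part):
            part = "0x" + part.upper()
        out.append(part)
    return "".join(out)


def registers_in(expr):
    """Registers still present in the expression; empty once the chain is fully static."""
    return [r for r in REGISTERS if re.search(rf"\b{r}\b", expr)]


def is_plain_path(trace):
    """The precondition from the post: only MOV/LEA on the way back, no decode arithmetic."""
    return all(mnemonic in ("MOV", "LEA") for _, mnemonic, _, _ in trace)


def build_complex_address(final_expr, trace, snapshot, rebase=None):
    """Walk the trace backwards, replacing each register by the expression that produced it.

    final_expr : operand of the instruction AutoHack stopped on, e.g. 'EAX+78'.
    trace      : (address, mnemonic, dest, src) for every write to a register of interest,
                 oldest first. A POP or CALL side effect missing from it makes the result wrong.
    snapshot   : register values read at the OLDEST trace entry, used for whatever register is
                 left when the trace runs out (the "assume they are 0x200004EC and 1" step).
    rebase     : optional (module, base, size); constants inside that range become module+offset.
    Returns the final expression and every intermediate form.
    """
    expr = normalise(final_expr)
    steps = [expr]
    for address, mnemonic, dest, src in reversed(trace):
        if dest not in registers_in(expr):
            continue                                  # this write does not feed our address
        if mnemonic == "MOV":
            replacement = normalise(src)              # [mem] keeps its brackets: dest got the contents
        elif mnemonic == "LEA":
            replacement = "(" + normalise(src)[1:-1] + ")"   # LEA gives the address itself
        else:
            raise ValueError(f"{address}: {mnemonic} {dest} is a decode step, not a plain move; "
                             "write it as -, ~, & in the address or find another path")
        expr = re.sub(rf"\b{dest}\b", replacement, expr)
        steps.append(expr)
        if not registers_in(expr):
            break                                     # reached a constant: no more debugging needed
    for reg in registers_in(expr):                    # trace exhausted: plug in observed values
        expr = re.sub(rf"\b{reg}\b", f"0x{snapshot[reg]:X}", expr)
    if rebase:
        module, base, size = rebase

        def to_offset(match):
            value = int(match.group(1), 16)
            return f"{module}+0x{value - base:X}" if base <= value < base + size else match.group(0)
        expr = re.sub(r"0x([0-9A-F]+)", to_offset, expr)
    return expr, steps


if __name__ == "__main__":
    # Constructed trace following the simplified listing in the post (decoding routine removed);
    # the two addresses are the ones quoted there, the register values the ones it assumes.
    trace = [("6F088DE3", "MOV", "EDX", "[EDX+EAX*8+4]"),
             ("6F088DE7", "MOV", "EAX", "[EDX+18]")]
    final, steps = build_complex_address("EAX+78", trace, {"EDX": 0x200004EC, "EAX": 1})
    for step in steps:
        print(step)
    print("->", final)
```

Run as above it prints `EAX+0x78`, `[EDX+0x18]+0x78`, `[[EDX+EAX*0x8+0x4]+0x18]+0x78` and finally `[[0x200004EC+0x1*0x8+0x4]+0x18]+0x78`, the post's chain with explicit hex prefixes. Feeding it a trace whose oldest entry is a `MOV reg, [constant]` stops there on its own, and passing `rebase=("game.dll", base, size)` with the base read from the module list rewrites that constant as `game.dll+offset`. A trace containing SUB/NEG/SBB/NOT/AND raises instead of guessing, which is the point made above: either write those steps into the address with `-`, `~` and `&`, or pick a path that only uses MOV and LEA.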

Postby Sychotix » Thu Jun 26, 2008 1:32 am

Yo L. Spiro, I'm having a similar problem. When I use the pointer search, it comes up with no or wrong results. I was wondering if I could use this process to find a pointer for it. Both give the same effect, so it doesn't matter which you pick, whichever is easier to follow up with.

http://i79.photobucket.com/albums/j153/ ... meplz1.jpg
http://i79.photobucket.com/albums/j153/ ... meplz2.jpg

Any help? (Photos are kinda big, so no tags.) I think I started doing it correctly on the second one (I put the thing in there as well). I think that one is the easier of the two.

Postby L. Spiro » Thu Jun 26, 2008 9:56 am

Both paths suck.
The first image does not show you how ESI was set; you will have to step back out of the function and see how it was set before it went into that function.

The second has too many JMPs and CALLs. After each CALL, ESI is modified by a POP (though the value may not change at all, but you need to know by debugging) and any combination of JMPs could be taken, which again you have to discover via debugging.


L. Spiro

Postby Sychotix » Thu Jun 26, 2008 10:37 am

Yeah, I thought as much... I guess I'm either going to have to wait for juggy to get on or scan to see if I can find anything else close to what I found. The address is for mana... and the encryption method is fucked up as hell. To decrypt it, divide the value by 100 and then round up. Just scan in a range and you find it easily =P

Thanks for checking it out though... Have you ever checked out playing Age of Conan? It's a very fun game... rivals WoW imo =D

Postby Felheart » Fri Jun 27, 2008 2:09 am

First, thank you L. Spiro for telling me how to reverse the address via the disassembler.

'You have chosen a very bad place to try to make a Complex Address since you have to add some decoding routine.'

I understand that. But why would the game encode/decode the address?
Protection? Or is it just needed because of working with structs/classes or whatever?

Anyway,
this means I should look for another instruction which changes my gold?
But there is only this instruction listed in AutoHack. It is used for all things that have to do with a player's gold (buying and selling things, scripted things... everything).

The only way to reproduce THIS way the address is made would be using LSS, because that way you can easily add the decoding function.

But WhiteHat has the same version/game as me (his Complex Addresses work for me too),
so I think I can make the same Complex Address as him if I find the right instruction to begin my reversing with (but as I already said, there is no other).

I already PM'd WhiteHat a few days ago about this; I hope he can tell me how he made his address...

Anyway, thanks L. Spiro, it's a pity this doesn't work out because of the en/decoding.

Postby L. Spiro » Sat Jun 28, 2008 9:32 am

The game could have any number of reasons for encoding the pointer. Though if it really is just a pointer, encoding would only be done to prevent hacking attempts.


This decoding routine can be done entirely with Complex Addresses.
    SUB = x - y.
    NEG = -x.
    SBB = x - y.
    NOT = ~x.
    AND = x & y.


L. Spiro
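An evaluator for the Complex Address syntax used throughout this thread, serving both WhiteHat's indexed gold expression from the first post and the decoding operators L. Spiro lists just above. It is an added example, not MHS code: the game.dll base, the memory layout and the planted gold values are all constructed, bare numbers are read as hex (as in `87d7bc`), and every operation wraps to 32 bits so that `-x` and `~x` behave as NEG and NOT do inside the game.

```python
"""Evaluate MHS-style Complex Addresses against a constructed 32-bit memory image."""
import operator
import re

MASK32 = 0xFFFFFFFF
MODULES = {"game.dll": 0x6F000000}   # assumed load base; the live value comes from the module list
TOKEN_RE = re.compile(r"0x[0-9A-Fa-f]+|[A-Za-z_][\w.]*|[0-9A-Fa-f]+|[()\[\]+\-*&~]")
BINARY = {"&": operator.and_, "+": operator.add, "-": operator.sub, "*": operator.mul}
UNARY = {"-": operator.neg, "~": operator.invert}
LEVELS = (("&",), ("+", "-"), ("*",))    # binary precedence, lowest first; unary - ~ bind tightest


class ComplexAddress:
    """Recursive-descent evaluator: [expr] reads the dword at expr, bare numbers are hex (as in
    87d7bc), a module name is its base, register names are refused because they only exist
    while the game runs. Every operation wraps to 32 bits, exactly as the CPU does."""

    def __init__(self, text, memory, modules=MODULES):
        self.tokens = TOKEN_RE.findall(text)
        if "".join(self.tokens) != re.sub(r"\s+", "", text):
            raise SyntaxError(f"unrecognised characters in {text!r}")
        self.pos, self.memory, self.modules = 0, memory, modules

    def evaluate(self):
        value = self.parse_binary()
        if self.pos != len(self.tokens):
            raise SyntaxError(f"unexpected {self.tokens[self.pos]!r}")
        return value

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected and tok != expected):
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse_binary(self, level=0):     # AND = x & y, SUB = x - y, plus ordinary + and *
        if level == len(LEVELS):
            return self.parse_unary()
        value = self.parse_binary(level + 1)
        while self.peek() in LEVELS[level]:
            value = BINARY[self.take()](value, self.parse_binary(level + 1)) & MASK32
        return value

    def parse_unary(self):               # NEG = -x, NOT = ~x
        if self.peek() in UNARY:
            return UNARY[self.take()](self.parse_unary()) & MASK32
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok in ("(", "["):
            value = self.parse_binary()
            self.take(")" if tok == "(" else "]")
            if tok == "(":
                return value
            if value not in self.memory:  # sparse memory: a mis-derived pointer fails loudly
                raise LookupError(f"read of unmapped address 0x{value:08X}")
            return self.memory[value]
        if tok in self.modules:
            return self.modules[tok]
        if re.fullmatch(r"(0x)?[0-9A-Fa-f]+", tok):
            return int(tok, 16) & MASK32
        raise ValueError(f"{tok!r} is neither a number nor a module (registers cannot appear here)")


def resolve(text, memory):
    """Address the expression denotes, or None when the chain breaks or names a register."""
    try:
        return ComplexAddress(text, memory).evaluate()
    except (LookupError, ValueError, SyntaxError):
        return None


def build_image(gold_by_player):
    """Constructed layout for WhiteHat's expression (every address is made up), plus L. Spiro's
    worked values stored plainly, NOT-encoded and NEG/SUB-encoded."""
    table, slots = 0x02000100, 0x02000800
    mem = {MODULES["game.dll"] + 0x87D7BC: table,             # static pointer inside game.dll
           table + 0xC: slots,                                 # -> array of 0x140-byte player slots
           0x200004EC + 1 * 8 + 4: 0x200FEE00,                 # [EDX+EAX*8+4], EDX=0x200004EC, EAX=1
           0x200FEE00 + 0x18: 0x200A044,                       # [EDX+0x18] stored as a plain pointer
           0x200FEE00 + 0x1C: ~0x200A044 & MASK32,             # same pointer, NOT-encoded
           0x200FEE00 + 0x20: -(0x200A044 - 0x1000) & MASK32}  # same pointer, NEG/SUB-encoded
    for player, gold in gold_by_player.items():
        resources = 0x02100000 + player * 0x1000
        mem[slots + (player - 1) * 0x140 + 0x14] = resources
        mem[resources + 0x78] = gold
    return mem


def read_gold(mem, player):
    """WhiteHat's expression with the player number substituted; None if the chain breaks."""
    addr = resolve(f"[[[game.dll+87d7bc]+0xC]+(({player:X}-1)*0x140)+0x14]+0x78", mem)
    return None if addr is None else mem.get(addr)
```

With `mem = build_image({1: 500, 2: 1250})`, `read_gold(mem, 1)` and `read_gold(mem, 2)` return the planted values and `read_gold(mem, 3)` returns None because the third slot was never planted, which is what a pointer search's "no or wrong results" looks like once the chain is actually evaluated. The planted L. Spiro values make `0x200A044+0x78`, `[[0x200004EC+1*8+4]+0x18]+0x78`, `~[0x200FEE00+0x1C]+0x78` and `-[0x200FEE00+0x20]+0x1000+0x78` resolve to the same address, so a NOT- or NEG/SUB-encoded pointer can be decoded inside the address itself, while `[EDX+0x18]+0x78` is refused: a register has to be replaced by its value, or by the expression that produced it, before the address is usable.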

