Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Defeating DMA - Pointer Searching using Tsearch
#1
Defeating DMA - Pointer Searching using Tsearch
by EEDOK
best read in 800x600 resolution, maximized
<!-- e --><a href="mailto:Mr_eedok[at]hotmail.com">Mr_eedok[at]hotmail.com</a><!-- e -->
-------------------------------------------------
What you'll need to do this tutorial:
Tsearch 1.5 or later
Tsongkie's GHME
Hexadecimal Calculator
--------------------------------------------------

Theory:

In many games that use DMA it is common to see commands like this: mov [esi+0x4],eax. What this
means is copy eax to an area of memory 4 bytes from a pointer. The pointer it refers to is
normally stored somewhere in the memory of the program. So to be able to hack programs that use
this, we would just read the pointer add the offset manually, and we would then have the address
which we want to hack.
This is beneficial over nopping, or reversing asm commands because:
1. You don't have to modify any of the asm code.
2. You can make the address any value, anytime.
3. A segment of code does not have to be initialized.
4. Allows for one sided hacks where certain functions are shared between the CPU and the player.

-----------------------------------------------------
Getting started:

1. Open up Tsearch and the GTM, pause the GTM and find the address for money

2. In Tsearch hit Autohack>enable debugger, Go into the GTM and unpause it until the money
changes, then go back into Tsearch, and hit Autohack>Autohack Window.

3. In the Autohack Window it should have popped at 4011DB: sub [esi+0x4],eax, what this means
is subtract the value of eax, from the area of memory 4 bytes away from the pointer. All we need
to know here is that the current address is +0x4 bytes from the pointer.

4. Open up your hexadecimal calculator and put in your current address(in hex), then subtract 4
from it(also in hex).

5. Convert the result of the previous step to decimal format and search for it in Tsearch. If
done correctly you should have the address 403138.

6. Hit the restart button so the location of the address of money changes, you should notice the
value of 403138 changes.

7. Read the value of 403138, convert the value to hexadecimal, then add 4 to it, this will give
you the new location of money. This will work even if you restart the program.

8. Make a function in your trainer to read address 403138 and add 4 to it, then write to that
offset.

------------------------------------------------------------
Possible problem and solution:

I noticed this when I was playing GTA3 and wanted to hack my health, and the problem was that
when I did a search for pointers I ended up with more than 50 addresses.. So here's what I did,
A)Had Artmoney to search for the new locations of my health value.
B)Had Tsearch open to find my pointer.
Well first I did the search for the pointer in Tsearch and immediately got 54 addresses. So I
restarted GTA3. After restarting I used artmoney to refind my health address, and upon finding
it I searched for my pointer value again. This resulted in 14 results for a pointer. So I
restarted the program again, and deleted the possible pointers that turned to 0, showing that
they're definitely not a pointer to what I wanted. I repeated finding my health and searching
for a new pointer, which resulted in 6 addresses being found. At this time I noticed that every
time I restarted the game, all 6 addresses were the same as each other, no matter how often or
at what time I started the game, so I just used the one closest to the programs entry point.
-----------------------------------------------------------------
Shouts to:

Devious: Stonerifik, Tsongkie, Omega, Synbios, Micral, Mini^Me, brzi, Invader, Sn0w
renzo, bie, ddh, Vortexion, routine_error, [Ginger], Ultimate, Zekk

Web sites:

<!-- m --><a class="postlink" href="http://devious.tsongkie.com">http://devious.tsongkie.com</a><!-- m -->
<!-- m --><a class="postlink" href="http://eedok.simplehost.com">http://eedok.simplehost.com</a><!-- m -->

Feel free to tell me about corrections, or additions I should make to this tutorial.
If you find a copy of this tutorial on a site not listed above, feel free to contact
me about it, I'll take care of the rest.
Reply

#2
In this program: <!-- m --><a class="postlink" href="http://www.memoryhacking.com/">http://www.memoryhacking.com/</a><!-- m -->

After you find a value that you want to resolve, and you find it's address, say it's address is (34891278). Try the following:

1. Select the pointer search.

2. Choose a "range" type search.

3. For the max value of the range put the address of the value you want resolved, for example (34891278). For the lowest part of the range set all the last 5 digits to '0' so (34800000). Make sure that the "only find static" pointers" box is ticked.

The first box is for the lowest value of the range, and the 2nd box, (the one on the right) is for the max value of the range.

That should search for static pointers that point to addresses in that range that are before the address of the value that you want resolved. Also, in the box that says "save offsets from", just put in the same address as the max value of the range (34891278).

Now in the results window it will show each static pointer and the offset distance between the address that they point to and the address of the value you want resolved. All the offsets distances will be listed with a "-" sign in front of them, since we are saving offsets from the max part of the range, so pick the one with the smallest negative offset, so "-500" is better than "-1000". The decimal offset distance is shown in brackets. It's easier to work with decimal offsets. There is also a "go to closest" button on the results window which should automatically show you the pointer with the smallest offset distance, it will highlight it.

Now with that static pointer, to test it just remember that you are adding that 500 to the address that the pointer points to, in order to get the value that you want resolved. So test it.

If that static pointer turns out to be unreliable, then you can try the next best one, for example the next best one could be "-600", it's a larger offset, but it may be a more reliable static pointer.
Reply



Possibly Related Threads…
Thread Author Replies Views Last Post
  Searching for Anti HS ExoGamer* 10 6,840 08-08-2013, 12:39
Last Post: aceed
  fun searching my programs kokole 14 7,105 07-25-2012, 21:52
Last Post: Arteq
  Help [C#] Function pointer? Pozzuh 3 3,911 03-31-2012, 22:26
Last Post: crAyon
  Searching moddels marsjee 2 2,438 10-09-2011, 18:53
Last Post: marsjee
  [Request] Searching a combat training aimbot. fsdfsd 7 4,856 08-15-2011, 22:15
Last Post: d0h!
  [Tutorial] Using variables as functions. (Function Pointer) master131 5 4,976 01-10-2011, 23:26
Last Post: master131
  [Searching for WaW map owners] Eekhoorn 3 2,663 11-13-2010, 15:01
Last Post: Eekhoorn

Forum Jump:


Users browsing this thread:
1 Guest(s)

Forum Powered By MyBB, Theme by © 2002-2024 Melroy van den Berg.