#1
Problem hacking this game..
Two things: how to approach reverse engineering, and a concrete problem.

One. How do you excel at this subject? Course of learning, cracking the curve so to speak, tutorials, what? What have been your course of learning, background, motivation etc.?

Two. I'm writing a bot for a game. The tools I use are OllyDbg with the HideDbg plugin and Memory Hacking Software by L. Spiro (awesome tool). Different characters will appear on screen from time to time, titled with their 'names'. I can find these names in memory with MemHack; however, it is dynamic memory, i.e. they will not appear in the same exact spot in memory, typically somewhere in the range 0A000000 to 0CFFFFFF. There *is* a pattern: if I search the entire region of memory I can find these names and record them; however, ReadProcessMemory is way too slow, and this should take a max of 100 ms. So I start the game with Olly, I find the name in memory with MemHack, I put a breakpoint on memory access in Olly.. it breaks.. so far so good. I step around a bit and notice the name in question has been pushed on the stack (the memory location of the name)... Excellent, I think... Now I return to MemHack to inspect this piece of memory in the hex viewer (00120000 memory area), but I do NOT see the same data as I see in Olly. WHY is that? Even though the game is paused in the debugger, this data seems to be dynamic and changes whenever I move the mouse! Why is that? Stupid questions, I'm sure...?
#2
Got a solution
Never mind, and thanks anyway..
I don't know why there's all this garbage on the stack.. I suppose it's supposed to be there!? (I'll have to read up on that.) Anyway, my solution is to read this memory at 0012b000 and some 30 KB ahead, scan it for references to memory which is known to be in the area of the data I want, read off 500 bytes from that particular address and evaluate it against a pattern. This works.. 50% of the time.. If I want to be relatively sure I get it all, I have to repeat that procedure about 10 times. I can probably optimize this by using my first positive hit as a hint to narrow down the search area and optimize the hit rate. SO.. I got a solution. But it's a stupid one, I am sure! Feel free to tell me WHY it's stupid, and in what direction I should study to make it smarter! :) Regards 01 (a bit of both)
#3
As for finding the location when it seems dynamic, you'll most likely need to find where in memory the address to the string is stored, not just where the string is. Basically, find the address of the string and then search for that address in memory to see what locations are storing it. This location isn't likely going to change as often as the string location (if at all; the string location is usually dynamic so as to better utilize memory in games where RAM use isn't constant).
You're going to need to follow the actual flow more than just what memory it accesses in most games, to see how the memory is manipulated more clearly. For most games (assuming online) I find the final Winsock call, set a BP on it and trace back from there when I see data that matches my criteria. It means that rather than performing each test by hand I can just browse back and generally find what data is used, how it's used, and why it's used.
Last edited by Eleven; 10-31-2005 at 16:32.
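The two-step search Eleven describes (find the string, then find the slot that stores the string's address), written out as an added example that is not code from the thread or from any of the tools mentioned. The process image is simulated as a byte buffer with an assumed base of 0A000000 so it runs offline; in a real tool the buffer would be filled with ReadProcessMemory over the same address range. The name, the two "heap" addresses the name lands on and the slot address 0A000040 are constructed for the demo.

```c
/* Added example: pointer scan against a simulated 32-bit process image.
 * Addresses, the name string and the image contents are all constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BASE 0x0A000000u   /* assumption: base of the simulated region */
#define IMAGE_SIZE 0x1000u

typedef struct {
    uint32_t base;               /* virtual address of bytes[0] */
    uint8_t  bytes[IMAGE_SIZE];
} ProcImage;

/* 32-bit target: pointers are 4 bytes, little-endian. Decoded explicitly so the
 * result does not depend on the host's endianness or pointer size. */
static uint32_t rd32(const ProcImage *img, uint32_t va)
{
    const uint8_t *p = img->bytes + (va - img->base);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(ProcImage *img, uint32_t va, uint32_t v)
{
    uint8_t *p = img->bytes + (va - img->base);
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Step 1, what MemHack already does: locate the string bytes themselves.
 * The terminator is included so "Bob" does not match inside "Bobby". */
static uint32_t find_string(const ProcImage *img, const char *needle)
{
    size_t n = strlen(needle) + 1;
    for (size_t off = 0; off + n <= IMAGE_SIZE; off++)
        if (memcmp(img->bytes + off, needle, n) == 0)
            return img->base + (uint32_t)off;
    return 0;
}

/* Step 2: every 4-byte-aligned slot whose value is the string's address. Pointers
 * inside structures are normally aligned; change "off += 4" to "off++" if a scan
 * comes up empty. Returns the number of hits written to out[]. */
static size_t find_pointers_to(const ProcImage *img, uint32_t target,
                               uint32_t *out, size_t max_out)
{
    size_t hits = 0;
    for (uint32_t off = 0; off + 4 <= IMAGE_SIZE && hits < max_out; off += 4)
        if (rd32(img, img->base + off) == target)
            out[hits++] = img->base + off;
    return hits;
}

/* Step 3, on later runs: skip the string search and dereference the slot. */
static const char *name_via_slot(const ProcImage *img, uint32_t slot_va)
{
    uint32_t name_va = rd32(img, slot_va);
    return (const char *)(img->bytes + (name_va - img->base));
}

/* Constructed scenario: the name lands at a different "heap" address on each run
 * (0x...0800, then 0x...0C00) while the slot that refers to it stays at 0A000040.
 * Returns that slot if both runs recovered the same single slot and the name reads
 * back through it, otherwise 0. */
static uint32_t demo_stable_slot(void)
{
    static ProcImage img;
    const uint32_t slot_va = IMAGE_BASE + 0x40u;
    const uint32_t heap_va[2] = { IMAGE_BASE + 0x800u, IMAGE_BASE + 0xC00u };
    uint32_t found[2] = { 0, 0 };

    for (int run = 0; run < 2; run++) {
        memset(img.bytes, 0, IMAGE_SIZE);
        img.base = IMAGE_BASE;
        memcpy(img.bytes + (heap_va[run] - IMAGE_BASE), "GuardCaptain", 13);
        wr32(&img, slot_va, heap_va[run]);

        uint32_t str_va = find_string(&img, "GuardCaptain");
        uint32_t hits[8];
        size_t n = find_pointers_to(&img, str_va, hits, 8);
        if (str_va != heap_va[run] || n != 1)
            return 0;
        found[run] = hits[0];
    }
    if (found[0] != found[1] || strcmp(name_via_slot(&img, found[1]), "GuardCaptain") != 0)
        return 0;
    return found[0];
}

int main(void)
{
    uint32_t slot = demo_stable_slot();
    printf("stable pointer slot: %08X (%s)\n", slot, slot ? "name reads back" : "not found");
    return slot ? 0 : 1;
}
```

On a real target the first scan of step 2 usually returns several slots (stack copies, temporaries, the object's own field); the one worth keeping is the one that still holds the new string address after the game has been restarted, which is what the two-run loop above checks.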
#4
Mind telling us what game it is? You could be finding the result of a lookup for the object name before it is rendered after targeting the object with your crosshair or highlighting. There is a good chance an array will exist that stores pointers to all objects the client knows about, and unless the names are constantly queried from the server you'd have a better method of obtaining the information you need by scanning the array itself. Such arrays usually have a char* as part of the structure, which would be the location you find with MemHack. If you can trace the code to determine where the location is read and check for offsets, then you should be able to make your own structures for faster searching and reading. Just pad the unknown properties once you've found the structure pointer and fill in the rest with the known typedef as you discover them.
You should also look into using IDA for keeping track of interesting locations in the target.
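The "pad the unknown properties and fill in the known typedef" approach from the post above, as an added example that is not code from the thread. The entry layout (id at +0x00, char* at +0x0C, x/y at +0x10, stride 0x20), the array base 0B000100 and every name are invented for the demo; a real layout comes from tracing the code that reads the char* MemHack found. Memory is simulated as a byte buffer so the example runs offline, and the walk deliberately includes an empty slot and a stale pointer, since both turn up in real object arrays.

```c
/* Added example: reading names through a partially reverse-engineered object
 * array. Layout, array base and contents are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BASE 0x0B000000u            /* assumption: base of simulated region */
#define IMAGE_SIZE 0x1000u
#define ARRAY_VA   (IMAGE_BASE + 0x100u)  /* assumption: object array base */
#define MAX_OBJS   4
#define NAME_MAX   32

typedef struct { uint32_t base; uint8_t bytes[IMAGE_SIZE]; } ProcImage;

/* Only fields whose meaning was confirmed get a type; unknown bytes stay as opaque
 * padding so the stride is right. name_ptr is a 32-bit target pointer, never a
 * host char*, because the reader may be a 64-bit process. */
typedef struct {
    uint32_t id;         /* +0x00 */
    uint8_t  pad0[8];    /* +0x04 not yet understood */
    uint32_t name_ptr;   /* +0x0C char* in the target */
    int32_t  x, y;       /* +0x10, +0x14 */
    uint8_t  pad1[8];    /* +0x18 not yet understood */
} ClientObject;          /* stride 0x20 */
_Static_assert(sizeof(ClientObject) == 0x20, "host inserted padding; stride is wrong");

/* Bounds-checked view of [va, va+len). NULL means "not readable", which is how a
 * null or stale char* shows up instead of as a crash. */
static const uint8_t *at(const ProcImage *img, uint32_t va, uint32_t len)
{
    if (va < img->base || va - img->base > IMAGE_SIZE - len) return NULL;
    return img->bytes + (va - img->base);
}

/* Copy a NUL-terminated name through a target pointer. Returns -1 for an empty
 * slot or a pointer that leaves readable memory, 0 otherwise (truncated if long). */
static int read_name(const ProcImage *img, uint32_t name_ptr, char out[NAME_MAX])
{
    uint32_t i;
    out[0] = '\0';
    if (name_ptr == 0) return -1;
    for (i = 0; i < NAME_MAX - 1; i++) {
        const uint8_t *p = at(img, name_ptr + i, 1);
        if (!p) { out[0] = '\0'; return -1; }
        out[i] = (char)*p;
        if (*p == 0) return 0;
    }
    out[i] = '\0';
    return 0;
}

static char     g_names[MAX_OBJS][NAME_MAX];
static uint32_t g_ids[MAX_OBJS];

/* Walk the array: count * 0x20 bytes plus one short string per live entry, a few
 * small reads instead of a scan over the whole 0A000000-0CFFFFFF range.
 * Returns how many entries had a readable name. */
static size_t walk_objects(const ProcImage *img, uint32_t array_va, size_t count)
{
    size_t live = 0;
    for (size_t i = 0; i < count && live < MAX_OBJS; i++) {
        ClientObject obj;
        const uint8_t *raw = at(img, array_va + (uint32_t)(i * sizeof obj), sizeof obj);
        if (!raw) break;
        memcpy(&obj, raw, sizeof obj);  /* assumes host and target are both little-endian x86 */
        if (read_name(img, obj.name_ptr, g_names[live]) != 0) continue;
        g_ids[live++] = obj.id;
    }
    return live;
}

/* Constructed image: two named entries, one empty slot, one stale pointer that
 * points outside the mapped region (the kind of garbage a raw scan trips over). */
static void build_image(ProcImage *img)
{
    const char *heap_names[2] = { "GuardCaptain", "Merchant" };
    const uint32_t heap_va[2] = { IMAGE_BASE + 0x800u, IMAGE_BASE + 0x900u };
    ClientObject objs[MAX_OBJS] = {
        { .id = 1001, .name_ptr = heap_va[0], .x = 120, .y = 340 },
        { .id = 1002, .name_ptr = 0 },
        { .id = 1003, .name_ptr = heap_va[1], .x = 9, .y = 9 },
        { .id = 1004, .name_ptr = 0x0CFFFFF0u, .x = 1, .y = 2 },
    };
    memset(img, 0, sizeof *img);
    img->base = IMAGE_BASE;
    for (int i = 0; i < 2; i++)
        memcpy(img->bytes + (heap_va[i] - IMAGE_BASE), heap_names[i], strlen(heap_names[i]) + 1);
    memcpy(img->bytes + (ARRAY_VA - IMAGE_BASE), objs, sizeof objs);
}

static size_t demo_live_names(void) { static ProcImage img; build_image(&img); return walk_objects(&img, ARRAY_VA, MAX_OBJS); }
static const char *demo_name(size_t i) { return g_names[i]; }
static uint32_t demo_id(size_t i) { return g_ids[i]; }

int main(void)
{
    size_t n = demo_live_names();
    for (size_t i = 0; i < n; i++) printf("%u: %s\n", (unsigned)demo_id(i), demo_name(i));
    return 0;
}
```

The static assert is there because a host compiler is free to insert padding of its own; if the typed struct ever drifts from the stride observed in the target, every field after the drift reads garbage, which looks exactly like the "dynamic data" the original poster saw on the stack.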
#5
Thanks for your suggestions. Helped a lot; I have actually found the static pointers (if they are such?) and am able to perform an exact query in less than 100 ms.. it's a hard road to travel, yet I've gone from no solution to a stupid solution (a solution nonetheless) to what I believe is the right solution.
The game is Conquer.. and the hacks I describe actually already exist in other 'botting' software... I just wanna make my own... gotta start somewhere, right?