[Tutorial] Automate finding Pointers & Offsets

In the last Tutorial, we learned, how to unpack the Client, and remove the hacking-protection.
This enables us to use Debuggers, to analyze the Client.

Some stuff might become realy annoying, if we have to do the same things over and over again,
whenever the client changes. This tutorial will show you, how you can automate such operations,
if you've managed to find out stuff once.

Our goal in this tutorial will be, to filter usefull stuff from the client, without even having to run it

Step 1: Find out Stuff

Quote:

we've analyzed the DE client, and found the MainBaseAdress, and the offset to the CharStruct. in the current DE client, they look like this: Code: DWORD mainBaseAdress: 0x0070D968 DWORD charStructOffset: 0x00000ADC

Step 2: Realize how the Client handles them

Quote:

All Character informations are stored in one and the same struct in 4Story. if the Client want's to access the struct, he needs to figure out the Adress too. in asm that might looks like this: Code: mov eax, [mainBaseAdress] // eax now stores the adress, the mainBaseAdress points to mov eax, [eax + charStructOffset] // eax stores the adress of the Character Struct the CPU parses adresses from the right, to the left. this means our mainBaseAdress (00 70 D9 68) have to be stored as (68 D9 70 00) somewhere in the client.

Step 3: Search the Client for the desired adress

Quote:

I will use OllyDbg, since i did it in the last tutorial too. 1. Get into the main Modules code (check the last tutorial if you don't know how to) 2. Press CTRL + B to start a Binary Search, and search for the reversed mainBaseAdress  Spoiler [Only registered and activated users can see links. Click Here To Register...] 3. Press CTRL + L, untill you've found a nice piece of code, containing your adress Quote: to be able to filter the information from the client, it shouldn't be just 2 lines of code. the best thing would be to scan for a full function. even better would be a function containing more than just one information, we wanna filter. the TClient got one small function containing both of the named informations.  Spoiler [Only registered and activated users can see links. Click Here To Register...] This is a screenshot of 4Story EG. But it's allmost the same in the DE Client (Check the comparison screenshot in Step5).

Step 4: Grab the Code

Quote:

the easiest way to get the code out of olly, is to mark it and press CTRL + C now it's stored in the clipboard, and can be pasted into your favorite editor. the code looks like this in my case:  Spoiler Code: 004E7E60 /$ 55 PUSH EBP 004E7E61 |. 8BEC MOV EBP,ESP 004E7E63 |. 6A FF PUSH -1 004E7E65 |. 68 10E46800 PUSH TClient.0068E410 ; SE handler installation 004E7E6A |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] 004E7E70 |. 50 PUSH EAX 004E7E71 |. 64:8925 00000000 MOV DWORD PTR FS:[0],ESP 004E7E78 |. 51 PUSH ECX 004E7E79 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 004E7E7C |. 53 PUSH EBX 004E7E7D |. 56 PUSH ESI 004E7E7E |. 8B35 68D97000 MOV ESI,DWORD PTR DS:[70D968] 004E7E84 |. 0FB786 60948700 MOVZX EAX,WORD PTR DS:[ESI+879460] 004E7E8B |. 8901 MOV DWORD PTR DS:[ECX],EAX 004E7E8D |. 8B8E DC0A0000 MOV ECX,DWORD PTR DS:[ESI+ADC] 004E7E93 |. 8B11 MOV EDX,DWORD PTR DS:[ECX] 004E7E95 |. 57 PUSH EDI 004E7E96 |. 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP 004E7E99 |. C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0 004E7EA0 |. FF92 00020000 CALL DWORD PTR DS:[EDX+200] 004E7EA6 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] 004E7EA9 |. D955 08 FST DWORD PTR SS:[EBP+8] 004E7EAC |. D918 FSTP DWORD PTR DS:[EAX] 004E7EAE |. 8B8E DC0A0000 MOV ECX,DWORD PTR DS:[ESI+ADC] 004E7EB4 |. 8B11 MOV EDX,DWORD PTR DS:[ECX] 004E7EB6 |. FF92 08020000 CALL DWORD PTR DS:[EDX+208] 004E7EBC |. D955 08 FST DWORD PTR SS:[EBP+8] 004E7EBF |. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] 004E7EC2 |. D918 FSTP DWORD PTR DS:[EAX] 004E7EC4 |. B0 01 MOV AL,1 004E7EC6 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] 004E7EC9 |. 64:890D 00000000 MOV DWORD PTR FS:[0],ECX 004E7ED0 |. 5F POP EDI 004E7ED1 |. 5E POP ESI 004E7ED2 |. 5B POP EBX 004E7ED3 |. 8BE5 MOV ESP,EBP 004E7ED5 |. 5D POP EBP 004E7ED6 \. C3 RETN

Step 5: Eliminate useless and variable Stuff

Quote:

now it's time to decide which method we wanna use to filter the code later. i will use AutoIt to build the final tool. the most efficient way, to handle such a lot of characters in autoit, are the regex functions. if we compare the function to the same one in other clients, we notice, that the main code stays the same. the only thing that might differ, are the values in the code.  Spoiler [Only registered and activated users can see links. Click Here To Register...] sry it should be named 4Story EG (not BE) :s regex offers realy easy to use placeholders. since we're scanning HEX-code only, we can simply replace all numbers by: Code: .{[length of number]} beside that, we only need the binary code. the asm code, adresses and special stuff can simply be removed. the cleaned up table looks like this:  Spoiler Code: 55 8BEC 6AFF 68.{8} 64A100000000 50 64892500000000 51 8B4D.{2} 53 56 8B35(.{8}) 0FB786.{8} 8901 8B8E(.{8}) 8B11 57 8965.{2} C745.{2}00000000 FF92.{8} 8B45.{2} D955.{2} D918 8B8E.{8} 8B11 FF92.{8} D955.{2} 8B45.{2} D918 B0.{2} 8B4D.{2} 64890D00000000 5F 5E 5B 8BE5 5D C3 as you can see, i've added brackets, to the values we wanna filter later. This tells regex, to only save those values, and ignore the rest. the last step now is, to remove the newlines to get one single string, we can use as pattern later in our tool =)  Spoiler Code: "558BEC6AFF68.{8}64A1000000005064892500000000518B4D.{2}53568B35(.{8})0FB786.{8}89018B8E(.{8})8B11578965.{2}C745.{2}00000000FF92.{8}8B45.{2}D955.{2}D9188B8E.{8}8B11FF92.{8}D955.{2}8B45.{2}D918B0.{2}8B4D.{2}64890D000000005F5E5B8BE55DC3"

Step 6: Write the Tool

Quote:

As allready mentioned before, i'll use AutoIt to build the final tool. since most people in this section seem to be kinda familar with autoit, the code shouldn't need any further explanation: (i've added lots of comments, which should be self explaining)  Spoiler Code: #NoTrayIcon ;// open and read the client in binary mode $file = FileOpen('TClient.exe', 16) $content = FileRead($file, FileGetSize('TClient.exe')) ;// filter the wanted stuff from the code $filter = StringRegExp($content, "558BEC6AFF68.{8}64A1000000005064892500000000518B4D.{2}53568B35(.{8})0FB786.{8}89018B8E(.{8})8B11578965.{2}C745.{2}00000000FF92.{8}8B45.{2}D955.{2}D9188B8E.{8}8B11FF92.{8}D955.{2}8B45.{2}D918B0.{2}8B4D.{2}64890D000000005F5E5B8BE55DC3", 1) FileClose($file) ;// if the regex filter worked, display the results in a simple gui If IsArray($filter) Then GUICreate('Offset Finder', 175, 55, Default, Default, 0x10C80000) GUICtrlCreateLabel('MainBaseAdress:', 10, 7, 85, 20) GUICtrlCreateInput('0x'&reverseHex($filter[0]), 95, 5, 70, 20, 0x801) GUICtrlCreateLabel('CharStructOffset:', 10, 32, 85, 20) GUICtrlCreateInput('0x'&reverseHex($filter[1]), 95, 30, 70, 20, 0x801) While GUIGetMsg()<>-3 WEnd Else MsgBox(16, 'Error', 'oooops looks like something went wrong :s') EndIf Func reverseHex($string) Local $return ;// if the string got a odd length, add a zero in front of it If Mod(StringLen($string),2)<>0 Then $string = '0'&$string ;// reverse the hex patterns For $i=1 To StringLen($string) Step 2 $return = StringMid($string, $i, 2)&$return Next ;// remove the left-hand zeros While StringLeft($return, 1)='0' $return = StringTrimLeft($return, 1) WEnd Return $return EndFunc

Step 7: Proof of concept

Quote:

just as a proof of concept, i'll attach the script and coimpiled versions for x64, x86 and add a screenshot, showing the script used on 4Story DE/EG, to proof, that it works not only with the current DE client.  Spoiler [Only registered and activated users can see links. Click Here To Register...]

Bonus:

Quote:

knowing the path to the charStruct can speed up finding other offsets (the first time) extrmely, it's pretty easy to build a tool, which scans the charStruct for specific values. here's a simple example for an extremely easy tool:  Spoiler Code: #NoTrayIcon Dim $kernel32 = DllOpen('kernel32.dll') Dim $limit = 0x2000, $state GUICreate('CharStructSearcher', 235, 230, Default, Default, 0x10C80000, 8) GUICtrlCreateGroup('mainBasePointer', 5, 5, 110, 40) $mainBaseControl = GUICtrlCreateInput('0x6F11D0', 10, 20, 100, 20) GUICtrlCreateGroup('charStructOffset', 120, 5, 110, 40) $charStructControl = GUICtrlCreateInput('0xAAC', 125, 20, 100, 20) GUICtrlCreateGroup('Search Value', 5, 45, 110, 40) $searchValueControl = GUICtrlCreateInput('', 10, 60, 100, 20) GUICtrlCreateGroup('Search Type', 120, 45, 110, 40) $searchTypeControl = GUICtrlCreateCombo('', 125, 60, 100, 20, 3) GUICtrlSetData(-1, "byte|word|dword|float|char", "dword") $sizeControl = GUICtrlCreateCombo('', 125, 90, 100, 20) $ok = GUICtrlCreateButton('Start', 10, 90, 100, 20) $log = GUICtrlCreateEdit('', 10, 120, 215, 100, 0x200844) Dim $set For $i=1 To 255 $set&=$i&'|' Next GUICtrlSetData($sizeControl, $set, 1) While 1 $typeCheck = GUICtrlRead($searchTypeControl) $state = GUICtrlGetState($sizeControl) $msg = GUIGetMsg() If $msg=-3 Then ExitLoop If $msg=$ok Then Search() If ($typeCheck ='char' Or $typeCheck = 'byte') And $state <> 80 Then GUICtrlSetState($sizeControl, 64) ElseIf $typeCheck <> 'char' And $typeCheck <> 'byte' And $state <> 144 Then GUICtrlSetState($sizeControl, 128) EndIf WEnd DllClose($kernel32) Func Search() Local $scan, $type = GUICtrlRead($searchTypeControl), $value = GUICtrlRead($searchValueControl), $i, $editString, $matches = 0 If $value='' Then ConsoleWrite('error'&@CRLF) Return 0 EndIf Local $processHwnd = OpenProcess (ProcessExists('TClient.exe')) Local $charStruct = ReadProcessMemory($processHwnd, ReadProcessMemory($processHwnd, GUICtrlRead($mainBaseControl)) + GUICtrlRead($charStructControl)) $editString &= '--- start searching for ' & $value&' ---'&@CRLF If $charStruct<>0 Then For $i=0 To $limit If $state = 80 Then $scan = ReadProcessMemory($processHwnd, $charStruct + $i, $type&'['&GUICtrlRead($sizeControl)&']') Else $scan = ReadProcessMemory($processHwnd, $charStruct + $i, $type) EndIf If $type = 'float' Or $type = 'double' Then $scan = Int($scan) $value = Int($value) EndIf If $scan = $value Then $editString &= ' '&CleanUp(Hex($i))&' ('&CleanUp(Hex($charStruct + $i)&')'&@CRLF) $matches += 1 EndIf Next $editString &= '--- '&$matches&' matches found! ---'&@CRLF&@CRLF GUICtrlSetData($log, $editString&GUICtrlRead($log)) Else MsgBox(16, 'Error', "Looks like you've set a wrong Pointer or Offset"&@CRLF&"or you've got no access to the Client!") EndIf CloseHandle($processHwnd) EndFunc Func OpenProcess($pid) Local $mid = DllCall($kernel32, 'int', 'OpenProcess', 'int', 0x1F0FFF, 'int', 1, 'int', $pid) Return $mid[0] EndFunc Func ReadProcessMemory($processHwnd, $adress, $type = 'dword') Local $struct = DllStructCreate($type) DllCall($kernel32, 'int', 'ReadProcessMemory', 'int', $processHwnd, 'int', $adress, 'ptr', DllStructGetPtr($struct), 'int', DllStructGetSize($struct), 'int', '') Return DllStructGetData($struct, 1) EndFunc Func CloseHandle($hwnd) DllCall($kernel32, 'int', 'CloseHandle', 'int', $hwnd) EndFunc Func CleanUp($string) While StringLeft($string,1)='0' $string = StringTrimLeft($string,1) WEnd Return '0x'&$string EndFunc screenshot:  Spoiler [Only registered and activated users can see links. Click Here To Register...]

Hey lolkop , can you explain the tutorial in german?

ich denke das english ist nicht zu fachbezogen gewählt, und sollte eigentlich leicht verständlich sein.

aso, du kannst deutsch aber machst das tut in englisch? aber trotzdem würdest du vielen helfen wenn du das in deutsch machst

Quote:

Originally Posted by ☼WhatIsThat☼ aso, du kannst deutsch aber machst das tut in englisch? aber trotzdem würdest du vielen helfen wenn du das in deutsch machst

Wer das Englisch nicht versteht, hat gelitten.
Hört sich einfach an, aber Bedarf hab ich jetzt nicht.

Quote:

Originally Posted by ☼WhatIsThat☼ aso, du kannst deutsch aber machst das tut in englisch? aber trotzdem würdest du vielen helfen wenn du das in deutsch machst

Sobald ich wieder Zeit habe, werde ich es machen.

Quote:

Originally Posted by Lasch24 Wer das Englisch nicht versteht, hat gelitten. Hört sich einfach an, aber Bedarf hab ich jetzt nicht.

Du musst aber auch bedenken, dass wir eine Community sind. Hier hilft jeder jeden. Außerdem gehe ich davon aus, dass ungefähr 50% des 4Story Bereichs noch etwas jüngere sind, die diese Sprache noch nicht Beherschen bzw. noch lernen werden.

Update:
i've added some kind of extended offsetfinder as attachment, with some more offsets, which could help newbies to understand, how to add more stuff to search for =)

[Only registered and activated users can see links. Click Here To Register...]