Pattern finding problem: ESI, EAX, etc.

04/04/2013 09:11 cortexio#1
Hello,

I'm currently looking for patterns in GW2. I already have one pattern that works perfectly, but that one gave me the bytes I needed.

Gw2.exe+4DEC7B - D9 1D 4C226E01 - fstp dword ptr [Gw2.exe+12E224C]

But now all I can find for my next addresses and pointers are things like this:

Gw2.exe+83C691 - C7 46 0C 01000000 - mov [esi+0C],00000001

Now, the problem is that with esi or any other stack, I can't seem to read the address that's stored inside it. I'm trying to find where it stored the address into esi, but I'm kinda new to assembly (it's a push I'm looking for, right?), and I can't seem to find it.

Please help me out here :) I'll happily share my bot; it's just annoying when I have to shift the addresses when a new patch comes out.

EDIT: Quick overview of how I try to make my patterns:
1. Find the address and pointers I need for a certain value in the game.
2. Search for what writes to address->pointers->value.
3. Go to the address where it writes to address->pointers->value.
4. Copy that address and open it in OllyDbg.
5. Use sig maker to get the pattern (making sure I only have one result).
6. Use C# to read the address using the pattern and how many bytes it has to skip.
7. Check if the address = the address I found in step 1.
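The seven-step procedure above, written out as an added example in C (this is not cortexio's C# code). It scans a byte buffer for an IDA/Cheat Engine style pattern with `??` wildcards, refuses a pattern that matches more than once (step 5), skips to the instruction's immediate (step 6) and converts the absolute operand into a module-relative address that can be compared with the one found in step 1 (step 7). The buffer is constructed from the two instructions quoted in the post plus filler; the image base `0x00400000` and the RVA at which the buffer was supposedly read (`0x4DEC78`) are assumptions chosen so that the result lines up with `Gw2.exe+4DEC7B` and `Gw2.exe+12E224C`. In a real bot the buffer comes from ReadProcessMemory over the module's code section.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <ctype.h>
#include <stdio.h>

/* One pattern byte: mask 0xFF = must equal value, mask 0 = wildcard ("??"). */
typedef struct { uint8_t value; uint8_t mask; } pat_byte_t;

/* Parse "D9 1D ?? ?? ?? ?? C3" into pat_byte_t; returns count or -1 if malformed. */
static int parse_pattern(const char *s, pat_byte_t *out, int max)
{
    int n = 0;
    while (*s) {
        while (*s == ' ') s++;
        if (!*s) break;
        if (n >= max) return -1;
        if (s[0] == '?') {                      /* "?" or "??" */
            out[n].value = 0; out[n].mask = 0;
            s += (s[1] == '?') ? 2 : 1;
        } else {
            if (!isxdigit((unsigned char)s[0]) || !isxdigit((unsigned char)s[1])) return -1;
            char hex[3] = { s[0], s[1], 0 };
            out[n].value = (uint8_t)strtoul(hex, NULL, 16);
            out[n].mask = 0xFF;
            s += 2;
        }
        n++;
    }
    return n;
}

/* Offset of the first match or -1; *count receives the total number of matches so
   the caller can reject a pattern that is not unique (step 5 of the post). */
static long pattern_scan(const uint8_t *buf, size_t len, const char *pattern, size_t *count)
{
    pat_byte_t pat[64];
    int plen = parse_pattern(pattern, pat, 64);
    long first = -1;
    *count = 0;
    if (plen <= 0 || (size_t)plen > len) return -1;
    for (size_t i = 0; i + (size_t)plen <= len; i++) {
        int ok = 1;
        for (int j = 0; j < plen; j++)
            if ((buf[i + j] & pat[j].mask) != pat[j].value) { ok = 0; break; }
        if (ok) { if (first < 0) first = (long)i; (*count)++; }
    }
    return first;
}

static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumptions for the example: classic 32-bit image base and the RVA of sample_code[0]. */
#define IMAGE_BASE     0x00400000u
#define SCAN_START_RVA 0x004DEC78u

/* Constructed sample buffer: the two instructions from the post surrounded by filler. */
static const uint8_t sample_code[] = {
    0x8B, 0x45, 0x08,                         /* mov eax,[ebp+8]            (constructed filler) */
    0xD9, 0x1D, 0x4C, 0x22, 0x6E, 0x01,       /* fstp dword ptr [016E224C]  (from the post)      */
    0xC3,                                     /* ret                        (constructed filler) */
    0x90, 0x90,                               /* nop, nop                   (constructed filler) */
    0xC7, 0x46, 0x0C, 0x01, 0x00, 0x00, 0x00, /* mov dword ptr [esi+0C],1   (from the post)      */
    0x5E, 0xC3,                               /* pop esi ; ret              (constructed filler) */
};

/* Module-relative address of the matched instruction (what sig maker points you at). */
static long match_rva(const uint8_t *buf, size_t len, const char *pattern)
{
    size_t n;
    long off = pattern_scan(buf, len, pattern, &n);
    if (off < 0 || n != 1) return -1;          /* not found or ambiguous: refuse to guess */
    return (long)(SCAN_START_RVA + (uint32_t)off);
}

/* Step 6: skip imm_skip bytes into the instruction, read its absolute 32-bit operand,
   and return it relative to the image base so it survives a different load address. */
static long rva_from_pattern(const uint8_t *buf, size_t len, const char *pattern,
                             size_t imm_skip, uint32_t image_base)
{
    size_t n;
    long off = pattern_scan(buf, len, pattern, &n);
    if (off < 0 || n != 1 || (size_t)off + imm_skip + 4 > len) return -1;
    return (long)(read_u32le(buf + (size_t)off + imm_skip) - image_base);
}

int main(void)
{
    const char *sig = "D9 1D ?? ?? ?? ?? C3";   /* wildcards over the absolute operand */
    size_t n;
    printf("fstp found at Gw2.exe+%lX, writes Gw2.exe+%lX\n",
           match_rva(sample_code, sizeof sample_code, sig),
           rva_from_pattern(sample_code, sizeof sample_code, sig, 2, IMAGE_BASE));
    pattern_scan(sample_code, sizeof sample_code, "90", &n);
    printf("pattern \"90\" has %zu matches: not usable\n", n);
    return 0;
}
```

Note what happens with the second instruction: `C7 46 0C 01 00 00 00` is found just as easily, but it carries no address to extract; the value that ends up in esi is not in the code section at all, which is the problem the thread goes on to discuss.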
04/04/2013 12:45 Dr. Coxxy#2
You can't do this.

esi is a variable register; you can't get its variable content by searching in the code section.

You may do a hook at this position and then read esi at runtime, or reverse what the content of esi will be at this moment.

esi will most likely be filled with a mov (move) or lea (load effective address) instruction.
Feel free to dump some asm output here.
04/04/2013 13:52 Shadow992#3
Quote:
Originally Posted by Dr. Coxxy
You can't do this.

esi is a variable register; you can't get its variable content by searching in the code section.

You may do a hook at this position and then read esi at runtime, or reverse what the content of esi will be at this moment.

esi will most likely be filled with a mov (move) or lea (load effective address) instruction.
Feel free to dump some asm output here.
You can hook or just use code caves.
In my opinion code caves are easier to use for that problem, but tastes differ.
If you are able to understand German or have a good translator, you can have a look at:
[link visible only to registered users]

There I explained how to use code caves to, e.g., get the value of a register at a specific point in the code.
04/04/2013 14:46 Dr. Coxxy#4
AutoIt... -.-

A code cave technically IS a hook (at least the technique used to actually execute the code cave).
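What posts #2 to #4 describe, as an added example in C (this is not code from the thread or from the linked tutorial): it builds the bytes of a minimal code cave for the `mov [esi+0C],00000001` at Gw2.exe+83C691 and of the 5-byte JMP that is written over that instruction to transfer control into the cave, which is exactly why a code cave is a hook. The cave saves ESI to a fixed dword, re-executes the overwritten instruction and jumps back, so the bot can read ESI from that dword after the game has run through the site once. The image base `0x00400000`, the cave address `0x00D00000` and the save slot are assumptions; in the real process the cave page comes from VirtualAllocEx, the hook site is made writable with VirtualProtectEx, both buffers are written with WriteProcessMemory (cave first, then the hook site), and the bot reads the slot with ReadProcessMemory. The overwritten bytes must be whole instructions (here the single 7-byte mov) and must not contain relative jumps or calls, because they execute again at a different address inside the cave.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Addresses are assumptions for the example; the real ones come from OllyDbg / VirtualAllocEx. */
#define IMAGE_BASE 0x00400000u
#define TARGET_VA  (IMAGE_BASE + 0x83C691u)  /* Gw2.exe+83C691: mov [esi+0C],00000001 (from the post) */
#define CAVE_VA    0x00D00000u               /* assumed: executable page allocated inside the game  */
#define SAVE_VA    (CAVE_VA + 0x100u)        /* assumed: dword in that page that will receive ESI   */

/* Bytes overwritten at TARGET_VA: one whole 7-byte instruction, so the 5-byte JMP plus
   two NOPs ends on an instruction boundary and contains no relative operand. */
static const uint8_t stolen[] = { 0xC7, 0x46, 0x0C, 0x01, 0x00, 0x00, 0x00 };

static void put_u32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* An E9 JMP is relative to the END of its 5 bytes; unsigned wrap-around yields the
   correct two's-complement rel32 for backward jumps. */
static uint32_t rel32(uint32_t jmp_va, uint32_t dest_va) { return dest_va - (jmp_va + 5); }

/* Destination of an E9 rel32 located at va (used to verify what was built). */
static uint32_t jmp_dest(const uint8_t *p, uint32_t va) { return va + 5 + read_u32le(p + 1); }

/* Patch for the hook site: JMP cave, then NOP padding up to the stolen length. */
static size_t build_hook_site(uint8_t *out, uint32_t target_va, uint32_t cave_va, size_t stolen_len)
{
    if (stolen_len < 5) return 0;                 /* need >= 5 bytes of whole instructions */
    out[0] = 0xE9;
    put_u32le(out + 1, rel32(target_va, cave_va));
    memset(out + 5, 0x90, stolen_len - 5);
    return stolen_len;
}

/* The cave itself:
     89 35 <save_va>   mov [save_va], esi     ; capture ESI; touches no register or flag
     <stolen bytes>                           ; re-execute the overwritten instruction
     E9 <rel32>        jmp target_va+len      ; resume right after the hook site     */
static size_t build_cave(uint8_t *out, uint32_t cave_va, uint32_t target_va, uint32_t save_va,
                         const uint8_t *stolen_bytes, size_t stolen_len)
{
    size_t n = 0;
    out[n++] = 0x89; out[n++] = 0x35;             /* mov moffs32, esi: ModRM mod=00 reg=esi rm=disp32 */
    put_u32le(out + n, save_va); n += 4;
    memcpy(out + n, stolen_bytes, stolen_len); n += stolen_len;
    out[n] = 0xE9;
    put_u32le(out + n + 1, rel32(cave_va + (uint32_t)n, target_va + (uint32_t)stolen_len));
    n += 5;
    return n;
}

static void hexdump(const char *label, const uint8_t *p, size_t n)
{
    printf("%-11s", label);
    for (size_t i = 0; i < n; i++) printf("%02X ", p[i]);
    printf("\n");
}

int main(void)
{
    uint8_t site[sizeof stolen], cave[64];
    size_t site_len = build_hook_site(site, TARGET_VA, CAVE_VA, sizeof stolen);
    size_t cave_len = build_cave(cave, CAVE_VA, TARGET_VA, SAVE_VA, stolen, sizeof stolen);
    hexdump("cave:", cave, cave_len);        /* write to CAVE_VA first   */
    hexdump("hook site:", site, site_len);   /* then overwrite TARGET_VA */
    printf("bot reads ESI from %08X once the game has executed Gw2.exe+83C691\n", SAVE_VA);
    return 0;
}
```

Two things to keep in mind when using this: the slot holds zero until the game has executed the hooked instruction at least once, and it is overwritten on every pass, so at a site that runs for many objects the bot sees whichever ESI was most recent, not necessarily the object it cares about.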
04/04/2013 15:06 Shadow992#5
Quote:
Originally Posted by Dr. Coxxy
AutoIt... -.-

A code cave technically IS a hook (at least the technique used to actually execute the code cave).
It is not AutoIt; I explained it for all languages.
04/04/2013 19:56 cortexio#6
Thanks guys! This helped me a lot ^^