Reversing / Debugging Q

12/25/2005 00:47 abitofboth#1
So I got this address range in the 00ee0000 -> 00eeffff area ... it's inventory bits / an array of bytes (not bits): 1 = inventory slot filled, and 0 = not filled.

That's good and all, but being dynamic and all means that the base address changes a bit from time to time.

So I am looking for a pointer to that specific area of memory.
However I cannot find one? The nearest pointer I find is like fff away from the destination!

My question is this; I'm obviously going about this wrong, finding a pointer to this address space so I can always look it up, no matter which hardware configuration++ the game operates on... but what, and how should I be going about it!!

I could place a memory bp in Olly, but don't see what that should give me in terms of finding a static pointer to my shit!

Ideas? Please ;)
12/25/2005 12:22 mr.rattlz#2
Quote:
Originally posted by abitofboth @ Dec 25 2005, 00:47
However I cannot find one? The nearest pointer I find is like fff away from the destination!

Like fff, or is it exactly fff :P?
I guess it's not exactly, otherwise you would have had the idea to calculate the other one already ;)

Quote:
Originally posted by abitofboth @ Dec 25 2005, 00:47
I could place a memory bp in Olly, but don't see what that should give me in terms of finding a static pointer to my shit!
You would set that breakpoint on what exactly O_o?
You don't mean a memory bp on the whole area, do you :P?


Anyway, do you know the code which reads/writes to that memory and where it is?
I would try to screw around with that a bit...
12/26/2005 08:52 abitofboth#3
It's like fff, not exactly, because yes, otherwise I'd have nailed it already ;) ... I've also been looking into the construct staticpointer->dynamicpointer->target, which I've had success with before in other cases.

And nah, not the whole area, but I can do a search, find the first byte, place a memory breakpoint, and the first time that is being accessed Olly will break... which will yield exactly the result you're suggesting in your closing statement: finding the code that messes with that memory... I'm still not too sure what I should make of that? I'll give it another shot though. Thx.
12/26/2005 13:23 Ultima#4
Quote:
Originally posted by abitofboth @ Dec 26 2005, 08:52
It's like fff, not exactly, because yes, otherwise I'd have nailed it already ;) ... I've also been looking into the construct staticpointer->dynamicpointer->target, which I've had success with before in other cases.

And nah, not the whole area, but I can do a search, find the first byte, place a memory breakpoint, and the first time that is being accessed Olly will break... which will yield exactly the result you're suggesting in your closing statement: finding the code that messes with that memory... I'm still not too sure what I should make of that? I'll give it another shot though. Thx.
You need a place in the code that accesses the dynamic memory address.

If it is inventory, you could use the open-inventory button or so.

To find that code you place a breakpoint on the inventory bits, and when it's accessed it breaks.

Then you know a place where you can get the dynamic address, and then you replace that code with your own that writes the dynamic address to a fixed memory space,

so you can always get the dynamic address.

Or was that what you meant by "staticpointer->dynamicpointer->target"??

If so, why does that not work?
12/27/2005 01:26 abitofboth#5
Ultima -> Yes, that's the next line of defence... however I haven't messed with code/DLL injection before, so I have to wrap my head around that first (I could even write the address to a file or something uber simple)..

What I mean by "staticpointer->dynamicpointer->target" is simply that one fixed memory location (a static pointer) will point to a variable memory location (dynamic pointer) which holds another pointer to the target...
For some god-forsaken reason I can't seem to find any references to this area.. !!!weird!!!
(and to top it off the HideDebug plugin has stopped working on my box... suspecting ZoneAlarm, even though it's shut down..)
12/27/2005 11:44 Ultima#6
Quote:
Originally posted by abitofboth @ Dec 27 2005, 01:26
Ultima -> Yes, that's the next line of defence... however I haven't messed with code/DLL injection before, so I have to wrap my head around that first (I could even write the address to a file or something uber simple)..

What I mean by "staticpointer->dynamicpointer->target" is simply that one fixed memory location (a static pointer) will point to a variable memory location (dynamic pointer) which holds another pointer to the target...
For some god-forsaken reason I can't seem to find any references to this area.. !!!weird!!!
(and to top it off the HideDebug plugin has stopped working on my box... suspecting ZoneAlarm, even though it's shut down..)
Code injection is very easy.

You can do it with TSearch to try it.

I wish I could find the video tutorial...

I'll search and post if I find it.
01/04/2006 12:22 hal#7
It's probably a struct, and the program accesses the data using an offset + delta.

struct character            /* offset */
{
    int id;                 /* +0    */
    char *name;             /* +4    */
    .....
    struct inventoryslots;  /* +fff  */
};

Try to find the nearest reference (smaller) of your dynamic data in static pointers and try to see if the delta is always the same each time you run the app.

I hope this helps.
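The staticpointer->dynamicpointer->target construct abitofboth and Ultima discuss, and hal's check that the delta from the nearest static reference stays the same from run to run, can both be scripted rather than eyeballed in a debugger. The following is an added example, not code from this thread or from OllyDbg, TSearch or any other tool named here: it scans two constructed 32-bit memory snapshots for chains of the form [static]+delta (one level) or [[static]+o1]+o2 (two levels) that end at the inventory array, and keeps only the chains that resolve in both runs. Every address, region layout and byte pattern in it is made up for illustration (a heap that moves between runs, a decoy pointer that happens to land near the target only once); against a real process you would fill the Snapshot from a memory dump instead.

```python
# Added example (not from the thread): pointer-chain scan over constructed snapshots.
import struct
from typing import Dict, Iterator, List, Optional, Tuple

U32 = struct.Struct("<I")                   # little-endian dword, 32-bit Win32 process
Chain = Tuple[int, Tuple[int, ...]]         # (static address, (offset_1, ..., offset_n))


class Snapshot:
    """Stand-in for a process image: {region base address: raw bytes}. Constructed data."""

    def __init__(self, regions: Dict[int, bytes]) -> None:
        self.regions = regions

    def read_u32(self, addr: int) -> Optional[int]:
        for base, data in self.regions.items():
            off = addr - base
            if 0 <= off <= len(data) - 4:
                return U32.unpack_from(data, off)[0]
        return None                         # unmapped: the chain is dead in this run

    def read_bytes(self, addr: int, n: int) -> Optional[bytes]:
        for base, data in self.regions.items():
            off = addr - base
            if 0 <= off and off + n <= len(data):
                return data[off:off + n]
        return None

    def dwords(self, base: int) -> Iterator[Tuple[int, int]]:
        """(address, value) for every aligned dword in one region."""
        data = self.regions[base]
        for off in range(0, len(data) - 3, 4):
            yield base + off, U32.unpack_from(data, off)[0]


def find_chains(snap: Snapshot, static_base: int, target: int,
                max_delta: int = 0x1000, depth: int = 2) -> List[Chain]:
    """Walk backwards from target: a dword whose value lies at most max_delta below the
    current goal is a candidate pointer (goal == [ptr] + delta).  A hit in the static
    region finishes a chain; a hit on the heap becomes the next goal (next level)."""
    found: List[Chain] = []

    def search(goal: int, offsets: Tuple[int, ...], level: int) -> None:
        for base in snap.regions:
            for addr, val in snap.dwords(base):
                delta = goal - val
                if not 0 <= delta <= max_delta:
                    continue
                if base == static_base:
                    found.append((addr, (delta,) + offsets))
                elif level < depth:
                    search(addr, (delta,) + offsets, level + 1)

    search(target, (), 1)
    return found


def resolve(snap: Snapshot, chain: Chain) -> Optional[int]:
    """Follow [..[[static]+o1]+o2..]+on and return the final address, or None if it breaks."""
    addr, offsets = chain
    for off in offsets:
        val = snap.read_u32(addr)
        if val is None:
            return None
        addr = val + off
    return addr


def stable_chains(runs: List[Tuple[Snapshot, int]], static_base: int) -> List[Chain]:
    """hal's test: keep only chains whose static address and deltas work in every run."""
    common = None
    for snap, target in runs:
        chains = set(find_chains(snap, static_base, target))
        common = chains if common is None else common & chains
    return sorted(common or [])


def build_run(char_base: int, mgr_base: int, decoy: int, slots: bytes) -> Tuple[Snapshot, int]:
    """Constructed layout: .data holds a pointer to the character struct and one to a
    'manager' whose +8 also points at the character; the inventory slot bytes live
    inline at character+0xFF0 (the 'like fff away' delta).  Returns (snapshot, target)."""
    static = (U32.pack(0) + U32.pack(0x00401000) + U32.pack(char_base)
              + U32.pack(mgr_base) + U32.pack(decoy) + bytes(0x2C))
    manager = U32.pack(1) + U32.pack(0) + U32.pack(char_base) + U32.pack(0)
    character = U32.pack(7) + U32.pack(char_base + 0x4000) + bytes(0xFF0 - 8) + slots
    snap = Snapshot({0x00400000: static, mgr_base: manager, char_base: character})
    return snap, char_base + 0xFF0


STATIC_BASE = 0x00400000
# Two runs with the heap in different places; the decoy pointer only happens to sit
# 0xF0 below the inventory in the first run, so it must not survive the intersection.
RUN_A = build_run(0x00EE1000, 0x00EE0100, 0x00EE1F00, b"\x01\x01\x00\x01" + bytes(12))
RUN_B = build_run(0x00F31000, 0x00F30400, 0x01234000, b"\x01\x00\x00\x00" + bytes(12))


def inventory_slots(snap: Snapshot, chain: Chain, n: int = 16) -> Optional[bytes]:
    """Resolve a chain and read the n slot bytes (1 = filled, 0 = empty) it points at."""
    addr = resolve(snap, chain)
    return None if addr is None else snap.read_bytes(addr, n)


if __name__ == "__main__":
    for chain in stable_chains([RUN_A, RUN_B], STATIC_BASE):
        base, offs = chain
        print(f"[{base:08X}] " + " ".join(f"+{o:X}" for o in offs),
              "->", inventory_slots(RUN_B, chain)[:4].hex())
```

Two chains survive both runs: the direct one, [00400008]+FF0, and the two-level one, [[0040000C]+8]+FF0; the decoy at 00400010 is only 0xF0 away in the first run and drops out. The scan is deliberately naive (every dword in every region is treated as a possible pointer, and the delta bound is the only filter), which is why the cross-run intersection matters: a single snapshot produces plenty of coincidental hits, exactly the "nearest pointer is like fff away" situation from the first post.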
01/04/2006 16:06 Lowfyr#8
Quote:
Originally posted by Ultima @ Dec 27 2005, 11:44
Code injection is very easy.

You can do it with TSearch to try it.

I wish I could find the video tutorial...

I'll search and post if I find it.
[link]?
01/04/2006 17:25 Ultima#9
Quote:
Originally posted by Lowfyr @ Jan 4 2006, 16:06
Quote:
Originally posted by Ultima @ Dec 27 2005, 11:44
Code injection is very easy.

You can do it with TSearch to try it.

I wish I could find the video tutorial...

I'll search and post if I find it.
[link]?
Thanks, I was still wondering whether I should ask you for it^^
01/18/2006 15:52 abitofboth#10
Thanks ..
(but I have a strict don't-download-and-execute policy when it comes to online communities ;))

hal -> Indeed, good suggestion... I'll find the nearest reference and see if the offset is constant... good idea :)
01/18/2006 16:18 Ultima#11
Quote:
Originally posted by abitofboth @ Jan 18 2006, 15:52
Thanks ..
(but I have a strict don't-download-and-execute policy when it comes to online communities ;))

hal -> Indeed, good suggestion... I'll find the nearest reference and see if the offset is constant... good idea :)
^^ It's safe, it's an external link, but you can also search for it.
Just Google and you'll find that link; if you can risk it you should watch the movie, it's worth it.

[link]
01/19/2006 08:32 abitofboth#12
In fact, I have an ownable VMware for just those kinda defcon-2 kinda apps (like keygens and such ;)).. I'll give it a run then, thx.

If we're talking about tool-based memory injection, have you guys messed with memoryhackingtool? Haven't messed with the inject function yet, but that tool fucking rocks... (can't believe it's still free, lspiro should get rich on that one someday!)