[Solved] Can't get a stable pointer to this memory address.


B14CKS1D3

I'm trying to find a stable pointer path to a memory address, but I can't: the address changes at random. (I want to use that address from my DLL.)
These instructions use the address every tick (the value I want is the one in rcx: 130D1B90).
I tried a pointer scan but got nothing stable: the pointer paths it finds work some of the time and fail the rest of the time.
Assembly (Cheat Engine disassembly view, followed by the register dump at the marked instruction):
140FF45AC - 48 85 C9  - test rcx,rcx            ; rcx = object pointer for this tick (per the IDA listing below it was just loaded from [rbx+8])
140FF45AF - 74 19 - je Game.exe+14945CA         ; null object -> skip the virtual call
140FF45B1 - 48 8B 01  - mov rax,[rcx] <<        ; rax = first qword of the object = its vtable
140FF45B4 - FF 50 08  - call qword ptr [rax+08] ; indirect call through vtable slot 1 (rcx is the 'this' argument)
140FF45B7 - 84 C0  - test al,al                 ; branch on the bool result of that call

RAX=00000001413C54A8
RBX=0000000019835340
RCX=00000000130D1B90
RDX=0000000000000018
RSI=0000000000000000
RDI=0000000000000003
RSP=000000000029F5C0
RBP=0000000141EE08B0
RIP=0000000140FF45B4
R8=000000000000003B
R9=0000000141A2DB60
R10=0000000000000000
R11=000000000029F5E0
R12=0000000000000000
R13=0000000000000000
R14=0000000000000000
R15=0000000000000000
Can anyone help me figure this out?
 

bYt3_w4LK3r

Try to find the instruction that loads that value into RCX, then look at where *that* instruction reads it from; repeat until you reach a base you can rely on (a static address or an object you already know how to find)...

Do these tutorials:
 

B14CKS1D3

Is it this one (I'm still learning assembly...)?
140FF45B1 - 48 8B 01 - mov rax,[rcx] <<
Assembly of the function containing the instruction above, taken from IDA:
(140FF45B1 in the Cheat Engine view corresponds to 16925B1 in the IDA listing; the two tools show the module at different base addresses.)
Assembly (IDA listing, with the decompiler's pseudocode interleaved as comments):
.text:000000000169252C ; ---------------------------------------------------------------------------
.text:000000000169252C ; sub_169252C(obj) -- Win64 (rcx = obj; rbx/rbp/rsi are saved in the caller's
.text:000000000169252C ; home slots, rdi is pushed; rsp is 16-aligned at every call below).
.text:000000000169252C ;
.text:000000000169252C ; What the code does: obj+50h holds a table of list heads, obj+58h (word) holds
.text:000000000169252C ; the number of table slots. For every non-null head, the list is walked through
.text:000000000169252C ; node+10h. For each node the object at node+8 (if non-null) gets vtable slot 1
.text:000000000169252C ; called (the "Here" site at 16925B1); when that call returns true, the dword at
.text:000000000169252C ; node+0 is appended to Dst (max 32h = 50 entries). Finally sub_148A614(obj, &id)
.text:000000000169252C ; is called once per collected id. eax on return is whatever the last call left
.text:000000000169252C ; there (IDA: "return v2").
.text:000000000169252C ;
.text:000000000169252C ; Register roles: rbp = obj; rax = cursor into the head table; rbx = current
.text:000000000169252C ; node; rcx/edi = table index; esi = ids collected so far; rdx = byte offset of
.text:000000000169252C ; the current slot (and the 2nd argument of the virtual call).
.text:000000000169252C ;
.text:000000000169252C ; NOTE(review): the value this thread asks about is rcx at 16925A8, i.e. [node+8].
.text:000000000169252C ; It is read out of a heap list node reached by a walk, so no fixed address or
.text:000000000169252C ; pointer-scan result for it will be stable. The path this listing shows is
.text:000000000169252C ; obj -> [obj+50h] -> [slot*8] -> (node+10h for next) -> [node+8]; finding obj
.text:000000000169252C ; (the rcx this function is called with) is the real problem. Field meanings are
.text:000000000169252C ; inferred from the access pattern only -- confirm against the game.
.text:000000000169252C ; ---------------------------------------------------------------------------
.text:000000000169252C sub_169252C     proc near               ; CODE XREF: sub_9D68C0+1Cp
.text:000000000169252C                                         ; sub_9E146Cj
.text:000000000169252C                                         ; DATA XREF: ...
.text:000000000169252C
.text:000000000169252C Dst             = dword ptr -0D8h       ; 50-dword (0C8h byte) array of collected ids, at rsp+20h
.text:000000000169252C var_8           = byte ptr -8           ; top of the frame; used to recompute rsp in the epilogue
.text:000000000169252C arg_0           = dword ptr  8          ; own home slot, reused as the by-reference id for sub_148A614
.text:000000000169252C arg_8           = qword ptr  10h        ; home slot: saved rbx
.text:000000000169252C arg_10          = qword ptr  18h        ; home slot: saved rbp
.text:000000000169252C arg_18          = qword ptr  20h        ; home slot: saved rsi
.text:000000000169252C
.text:000000000169252C                 mov     [rsp+arg_8], rbx ; spill callee-saved rbx/rbp/rsi into the caller's home slots
.text:0000000001692531                 mov     [rsp+arg_10], rbp
.text:0000000001692536                 mov     [rsp+arg_18], rsi
.text:000000000169253B                 push    rdi             ; 4th callee-saved reg; also brings rsp back to 16-byte alignment
.text:000000000169253C                 sub     rsp, 0F0h       ; locals (Dst at rsp+20h) plus 20h bytes of shadow space for the calls below
.text:0000000001692543 ; 19:   v1 = a1;
.text:0000000001692543                 mov     rbp, rcx        ; rbp = obj (the pointer this function was called with)
.text:0000000001692546 ; 20:   LODWORD(v2) = (unsigned __int64)memset(Dst, 0, 0xC8ui64);
.text:0000000001692546                 lea     rcx, [rsp+0F8h+Dst] ; Dst  (rcx = &Dst[0])
.text:000000000169254B                 xor     edx, edx        ; Val = 0
.text:000000000169254D                 mov     r8d, 0C8h       ; Size = 0C8h = 200 bytes = 50 dwords
.text:0000000001692553                 call    memset          ; clear the id array
.text:0000000001692558 ; 21:   v3 = *(_WORD *)(v1 + 88);
.text:0000000001692558                 movzx   r8d, word ptr [rbp+58h] ; r8d = number of head-table slots (word at obj+58h); upper bits of r8 are zero
.text:000000000169255D ; 22:   v4 = 0;
.text:000000000169255D                 xor     esi, esi        ; esi = ids collected so far
.text:000000000169255F ; 23:   v5 = 0i64;
.text:000000000169255F                 xor     ebx, ebx        ; rbx = current node (none yet)
.text:0000000001692561 ; 24:   v6 = 0i64;
.text:0000000001692561                 xor     ecx, ecx        ; rcx = head-table index
.text:0000000001692563 ; 25:   v7 = *(_WORD *)(v1 + 88);
.text:0000000001692563                 movsxd  rdx, r8d        ; rdx = slot count (also ends up as the 2nd arg of the first virtual call)
.text:0000000001692566 ; 26:   if ( (signed int)v3 > 0 )
.text:0000000001692566                 test    r8d, r8d
.text:0000000001692569                 jle     short loc_1692583 ; no slots -> skip the scan
.text:000000000169256B ; 28:     v2 = *(_QWORD *)(v1 + 80);
.text:000000000169256B                 mov     rax, [rbp+50h]  ; rax = head table (array of node pointers at obj+50h)
.text:000000000169256F ; 31:       v5 = *(_QWORD *)v2;
.text:000000000169256F
.text:000000000169256F loc_169256F:                            ; CODE XREF: sub_169252C+55j
.text:000000000169256F                 mov     rbx, [rax]      ; rbx = head of the list in this slot
.text:0000000001692572 ; 32:       if ( *(_QWORD *)v2 )
.text:0000000001692572                 test    rbx, rbx
.text:0000000001692575 ; 33:         break;
.text:0000000001692575                 jnz     short loc_1692583 ; stop at the first non-null head
.text:0000000001692577 ; 34:       ++v6;
.text:0000000001692577                 inc     rcx
.text:000000000169257A ; 35:       v2 += 8i64;
.text:000000000169257A                 add     rax, 8          ; next slot
.text:000000000169257E ; 29:     do
.text:000000000169257E                 cmp     rcx, rdx
.text:0000000001692581                 jl      short loc_169256F ; while index < count (signed)
.text:0000000001692583 ; 39:   v8 = 0;
.text:0000000001692583 ; The scan above only leaves a non-null head in rbx; the scan below repeats it
.text:0000000001692583 ; from the start while also tracking the slot index in edi.
.text:0000000001692583
.text:0000000001692583 loc_1692583:                            ; CODE XREF: sub_169252C+3Dj
.text:0000000001692583                                         ; sub_169252C+49j
.text:0000000001692583                 xor     edi, edi        ; edi = index of the slot being walked
.text:0000000001692585 ; 40:   v9 = 0i64;
.text:0000000001692585                 xor     ecx, ecx
.text:0000000001692587 ; 41:   if ( (signed int)v3 > 0 )
.text:0000000001692587                 test    r8d, r8d
.text:000000000169258A                 jle     short loc_16925FC ; no slots -> done (rbx is 0 here)
.text:000000000169258C ; 43:     v2 = *(_QWORD *)(v1 + 80);
.text:000000000169258C                 mov     rax, [rbp+50h]  ; rax = head table again
.text:0000000001692590 ; 46:       v5 = *(_QWORD *)v2;
.text:0000000001692590
.text:0000000001692590 loc_1692590:                            ; CODE XREF: sub_169252C+78j
.text:0000000001692590                 mov     rbx, [rax]      ; rbx = head of slot edi
.text:0000000001692593 ; 47:       if ( *(_QWORD *)v2 )
.text:0000000001692593                 test    rbx, rbx
.text:0000000001692596 ; 48:         goto LABEL_10;
.text:0000000001692596                 jnz     short loc_16925A8 ; non-null head -> walk that list
.text:0000000001692598 ; 49:       ++v9;
.text:0000000001692598                 inc     rcx
.text:000000000169259B ; 50:       ++v8;
.text:000000000169259B                 inc     edi
.text:000000000169259D ; 51:       v2 += 8i64;
.text:000000000169259D                 add     rax, 8          ; next slot
.text:00000000016925A1 ; 44:     do
.text:00000000016925A1                 cmp     rcx, r8         ; 64-bit compare is safe: r8 was zero-extended by the movzx above
.text:00000000016925A4                 jl      short loc_1692590
.text:00000000016925A6                 jmp     short loc_16925FC ; every slot was empty -> done
.text:00000000016925A8 ; ---------------------------------------------------------------------------
.text:00000000016925A8 ; 60:       v10 = *(_QWORD *)(v5 + 8);
.text:00000000016925A8 ; Per-node body. Entered with rbx = node, edi = slot index.
.text:00000000016925A8
.text:00000000016925A8 loc_16925A8:                            ; CODE XREF: sub_169252C+6Aj
.text:00000000016925A8                                         ; sub_169252C+ADj ...
.text:00000000016925A8                 mov     rcx, [rbx+8]    ; rcx = object pointer stored in the node (node+8) -- the value asked about in this thread
.text:00000000016925AC ; 61:       if ( v10 )
.text:00000000016925AC                 test    rcx, rcx
.text:00000000016925AF                 jz      short loc_16925CA ; node has no object -> skip it
.text:00000000016925B1 ; 63:         LODWORD(v2) = (*(int (__fastcall **)(__int64, signed __int64))(*(_QWORD *)v10 + 8i64))(v10, v7);
.text:00000000016925B1                 mov     rax, [rcx]      ; <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Here: rax = the object's vtable (first qword of the object)
.text:00000000016925B4                 call    qword ptr [rax+8] ; virtual call, vtable slot 1 (rcx = object; rdx = slot count on the first node, slot index afterwards -- may be unused by the callee)
.text:00000000016925B7 ; 64:         if ( (_BYTE)v2 )
.text:00000000016925B7                 test    al, al
.text:00000000016925B9                 jz      short loc_16925CA ; callee returned false -> do not record this node
.text:00000000016925BB ; 66:           if ( v4 < 0x32 )
.text:00000000016925BB                 cmp     esi, 32h
.text:00000000016925BE                 jnb     short loc_16925CA ; Dst already holds 50 ids -> drop the rest (unsigned compare)
.text:00000000016925C0 ; 68:             LODWORD(v2) = *(_DWORD *)v5;
.text:00000000016925C0                 mov     eax, [rbx]      ; eax = dword id stored at node+0
.text:00000000016925C2 ; 69:             v11 = v4++;
.text:00000000016925C2                 mov     ecx, esi        ; ecx = slot in Dst for this id
.text:00000000016925C4 ; 70:             Dst[v11] = *(_DWORD *)v5;
.text:00000000016925C4                 inc     esi
.text:00000000016925C6                 mov     [rsp+rcx*4+0F8h+Dst], eax ; Dst[ecx] = id
.text:00000000016925CA ; 74:       v5 = *(_QWORD *)(v5 + 16);
.text:00000000016925CA
.text:00000000016925CA loc_16925CA:                            ; CODE XREF: sub_169252C+83j
.text:00000000016925CA                                         ; sub_169252C+8Dj ...
.text:00000000016925CA                 mov     rbx, [rbx+10h]  ; rbx = next node (node+10h)
.text:00000000016925CE ; 82:       if ( v12 >= *(_WORD *)(v1 + 88) )
.text:00000000016925CE                 movzx   r8d, word ptr [rbp+58h] ; slot count re-read from obj after the virtual call
.text:00000000016925D3 ; 75:       v7 = v8;
.text:00000000016925D3                 movsxd  rdx, edi        ; rdx = current slot index (2nd arg of the next virtual call)
.text:00000000016925D6 ; 57:     do
.text:00000000016925D6                 test    rbx, rbx
.text:00000000016925D9                 jnz     short loc_16925A8 ; more nodes on this list -> keep walking
.text:00000000016925DB ; 78:     v7 = 8i64 * v8;
.text:00000000016925DB                 shl     rdx, 3          ; rdx = byte offset of the current slot in the head table
.text:00000000016925DF ; 79:     v12 = v8 + 1;
.text:00000000016925DF                 lea     ecx, [rdi+1]    ; ecx = index of the next slot to examine
.text:00000000016925E2 ; 83:         break;
.text:00000000016925E2
.text:00000000016925E2 loc_16925E2:                            ; CODE XREF: sub_169252C+CEj
.text:00000000016925E2                 cmp     ecx, r8d
.text:00000000016925E5                 jge     short loc_16925FC ; no slots left -> finish (rbx is 0 here)
.text:00000000016925E7 ; 84:       v2 = *(_QWORD *)(v1 + 80);
.text:00000000016925E7                 mov     rax, [rbp+50h]  ; rax = head table
.text:00000000016925EB ; 85:       v7 += 8i64;
.text:00000000016925EB                 add     rdx, 8          ; advance to slot ecx
.text:00000000016925EF ; 86:       ++v8;
.text:00000000016925EF                 inc     edi             ; edi = index of the slot about to be read
.text:00000000016925F1 ; 87:       v5 = *(_QWORD *)(v7 + v2);
.text:00000000016925F1                 mov     rbx, [rdx+rax]  ; rbx = head of slot edi
.text:00000000016925F5 ; 88:       ++v12;
.text:00000000016925F5                 inc     ecx             ; keep ecx = edi + 1
.text:00000000016925F7 ; 80:     do
.text:00000000016925F7                 test    rbx, rbx
.text:00000000016925FA                 jz      short loc_16925E2 ; empty slot -> keep scanning
.text:00000000016925FC ; 55:   while ( v5 )
.text:00000000016925FC
.text:00000000016925FC loc_16925FC:                            ; CODE XREF: sub_169252C+5Ej
.text:00000000016925FC                                         ; sub_169252C+7Aj ...
.text:00000000016925FC                 test    rbx, rbx
.text:00000000016925FF                 jnz     short loc_16925A8 ; found a non-null head -> walk it
.text:0000000001692601 ; 92:   if ( v4 )
.text:0000000001692601                 test    esi, esi
.text:0000000001692603                 jz      short loc_169262E ; nothing collected -> return
.text:0000000001692605 ; 94:     v13 = (__int64)Dst;
.text:0000000001692605                 lea     rbx, [rsp+0F8h+Dst] ; rbx = &Dst[0]
.text:000000000169260A ; 95:     v14 = v4;
.text:000000000169260A                 mov     edi, esi        ; rdi = ids remaining (zero-extended by the 32-bit write)
.text:000000000169260C ; 99:       LODWORD(v2) = sub_148A614(v1, &v17);
.text:000000000169260C
.text:000000000169260C loc_169260C:                            ; CODE XREF: sub_169252C+100j
.text:000000000169260C                 mov     eax, [rbx]      ; eax = next collected id
.text:000000000169260E                 lea     rdx, [rsp+0F8h+arg_0] ; rdx = &arg_0 (the id is passed by address)
.text:0000000001692616                 mov     rcx, rbp        ; rcx = obj
.text:0000000001692619 ; 98:       v17 = *(_DWORD *)v13;
.text:0000000001692619                 mov     [rsp+0F8h+arg_0], eax ; store the id where rdx points
.text:0000000001692620                 call    sub_148A614     ; sub_148A614(obj, &id)
.text:0000000001692625 ; 100:       v13 += 4i64;
.text:0000000001692625                 lea     rbx, [rbx+4]    ; next id
.text:0000000001692629 ; 101:       --v14;
.text:0000000001692629                 dec     rdi
.text:000000000169262C ; 96:     do
.text:000000000169262C                 jnz     short loc_169260C ; until every collected id has been passed on
.text:000000000169262E ; 105:   return v2;
.text:000000000169262E
.text:000000000169262E loc_169262E:                            ; CODE XREF: sub_169252C+D7j
.text:000000000169262E                 lea     r11, [rsp+0F8h+var_8] ; r11 = rsp+0F0h, the frame base right after the push
.text:0000000001692636                 mov     rbx, [r11+18h]  ; restore rbx/rbp/rsi from the home slots written in the prologue
.text:000000000169263A                 mov     rbp, [r11+20h]
.text:000000000169263E                 mov     rsi, [r11+28h]
.text:0000000001692642                 mov     rsp, r11        ; tear down the 0F0h frame
.text:0000000001692645                 pop     rdi
.text:0000000001692646                 retn                    ; eax = result of whichever call ran last (IDA's "return v2")
.text:0000000001692646 sub_169252C     endp
 