Solved: find pointer of returned value from getFunction()


Trigun

Full Member
Dec 27, 2019
11
112
0
Game Name
Shop Titans
Anticheat
No
How long you been coding/hacking?
15 yrs coding / few months hacking
Coding Language
ahk
Hello,
I have a game with mono.dll and I need to understand how I can get the pointer of the user class. The problem is this:
I have my user class that is always called from
Game.getUser()
Game is a static class so I can find it, but getUser is this:
C#:
public static hs User => SimManager?.CurrentContext?.ag();
(from ILSpy)
and the value never gets stored.
I can "easily" find it with a breakpoint in Cheat Engine at the end of the function and read the EAX value, but that is something I have to do manually each session; I can't automate it.
Since I need the value for a few IF/ELSE branches in my AHK script, I can't put the pointer in manually every time, or it is pointless :)
How can I find the pointer? In the picture there is an example of how I manually find the value.

My main problem is that I don't want to edit the game, just read values, so I can't call the function (when I tried to call it from Cheat Engine the game crashed), and AutoHotkey isn't really friendly with memory.
 

[screenshot attached]

BDKPlayer

No hack no life
Dank Tier VIP
Dank Tier Donator
Oct 31, 2013
380
13,688
36
and the value never gets stored
Since the value gets returned by a static function, I'm pretty sure there is a static variable for it. That is pretty much the best case, as finding static pointers to static/global variables is as easy as it gets. If that is so, you can use the address you found, for example 0x20af50550, and just subtract the base address. You should be good to go?


If that doesn't work, just scan for hex 4 bytes 0x20af50550 and see if there is a green (static) address. If there are a couple of non-green ones, it doesn't hurt to search for them too and see if you end up at a static one.

If that doesn't work, you know the value you are trying to find a static pointer chain to. So what you can do is:

1. Start the game and find the value using your method.
2. Add that address using "Add address" in CE.
3. "Find out what accesses" this address.
4. Search for the value the access came from, for example [rcx+90]: search for HEX 8 bytes, and keep doing this until you find a static, aka green, address in CE.


This seems to be an issue that could be solved by actually doing the guides, which this website is kinda focused on. Doing the guides is so much better than solving tiny issues you have without understanding the bigger picture.

Btw. it's always helpful if you tell us the game you are working on. It's not like it's important to keep that a secret anyway, but it may help us give better answers.
 

Trigun

The game is Shop Titans (a Steam/mobile game), but it can be another game too; I found this problem in more than one game. Like I said, it is a Unity game so I don't have static addresses in green (or at least I can't find one without going down 10+ pointers :p), but still I found the static class of the Riposte.Game class with a pattern scan. I tried the guides, but Unity is always paired with DLL injection and changing functions; doing that stuff with AHK isn't easy, so I'm just limiting myself to reading values.

I tried all the basic guides, but the few with Unity use C# or C++, and since I need mouse clicks I used AHK (and I don't know C++ or C#; I know Java/JavaScript/other languages and a little bit of C from school).

If I scan for the user value I get like 500 results, but from the code in ILSpy, every time someone needs "user" the function always calls Game.getUser(), so the only instance of the user is here.
 

BDKPlayer

I mean you could always just look at the ASM:

From the screenshot above:

x86 ASM:
mov eax, [ebp + 0x8]
mov eax, [eax + 0x14]

--> eax has the value you want

So it seems like the value you are looking for is inside the class that is pushed as the first argument, at offset 0x14 (I didn't bother to look at the calling convention, I'm just trying to get the point across). Just go one function back in the call stack and see how that argument is being passed. Maybe that is a static location. If not, just go back until you find some global.

So maybe it looks something like this:
C++:
class CurrentContext
{
    char unknown[0x14];   // whatever fields come before the one we care about
    int32_t* user;        // at offset 0x14: the pointer read by "mov eax, [eax + 0x14]"
};
If that isn't static you may need to find "SimManager" from there.
 

Trigun

EBP is the stack, so I don't think there is a relation between the class and the stack... From what I know about ASM, the stack is used when you launch a routine/function and you store all the vars to get them back when you leave the routine. I don't know the rules for going from a higher language to a lower one, but I think this is what the program does.
Btw I'll check the CurrentContext class again, but if I remember well (I'm not at the computer right now) that isn't stored.
 

Trigun

CurrentContext isn't stored either... the only one with the stored value is the last class, (k7).ag()
where ag() is something like
return XY in k7 class
C#:
// Riposte.Game
public static hs User => SimManager?.CurrentContext?.ag();
C#:
// Riposte.SimulationManager
public k7 CurrentContext
{
    get
    {
        if (_currentSimulationId != null && _simulations.TryGetValue(_currentSimulationId, out SimulationManagerContext value))
        {
            return value.sim.j();
        }
        return null;
    }
}
C#:
// k7
public hs ag()
{
    //Discarded unreachable code: IL_0012
    short num = 1;
    if (num != 0)
    {
    }
    num = 13903;
    short num2 = num;
    num = 13903;
    switch (num2 == num)
    {
    default:
        num = 0;
        if (num != 0)
        {
        }
        return o;
    }
}
The hs class is autogenerated and isn't readable... but k7 has a var (hs) named "o",
so I think it is just the getO() class.
 

BDKPlayer

EBP is the stack, so I don't think there is a relation between the class and the stack... From what I know about ASM, the stack is used when you launch a routine/function and you store all the vars to get them back when you leave the routine. I don't know the rules for going from a higher language to a lower one, but I think this is what the program does.
Btw I'll check the CurrentContext class again, but if I remember well (I'm not at the computer right now) that isn't stored.
Yes, the value is on the stack. Depending on the architecture (in your case x86) and calling convention, the stack is also used to pass parameters to a function (the alternative being the use of registers). x86 calling conventions - Wikipedia.

I can see from your ASM that a stack frame is created and the function's prologue saves ESP in EBP to have easy access to local vars and parameters (push ebp; mov ebp, esp). EBP+X in such cases is often used to access parameters pushed on the stack (before the call instruction that calls the current function) and EBP-X to access local variables.

Combined with what I posted previously, this leads me to think that a pointer to the class you are looking for is pushed on the stack right before the function call (literally the last instruction before the call), as it is the first parameter to the function (because parameters are, again depending on the calling convention, probably passed in reverse order).
 

Trigun

getUser is called from everywhere; this is one of the ticks I got with the breakpoint
ebp,[ebp]
As you can see, the value 0x6831ada8 isn't present before the getUser call either.
The only time EBP changes is when the stack is pushed or popped (I never see CE use pop, but the result is the same when it does mov eax,[ebp]).
EBP at the start of getUser is 0x005ff430, but when the result is out it is at 0x005ff3f8 (14*4 bytes stored in the stack?), but I still can't see a way to retrieve the data. The 0a0c3ef0 (after the first call) is the SimManager class (inside the Game class).

[four screenshots attached]

Trigun

I know the SimManager; how can I reach the CurrentContext? (subclass of SimManager)
[screenshot attached]

If I can reach that object I think I can reach the last value I need, but it is still the same problem: it is a getSomething that isn't stored.
The sim (k6) is the object that launches the last part (ag()).
 

BDKPlayer

If you post the address of the ASM line where EAX holds the value you want, I can have a quick look. Remember that I need the address without ASLR, or both the base address and the EAX address.
 

Trigun

Thanks, I finally found the route :-D What was blocking me was the dictionary; a friend explained to me how it should work and after that I found the way :) From the context to the user: 0x20, 0xc, 0x1c, 0xc, 0x8, 0x14 :)
And thanks to this I probably solved a lot more problems with all arrays :-D
Of course I need to solve the map manually.