Source Code FindDMAAddy - C++ Multilevel Pointer Function

[Rake]

HOW TO POINTER C++?!?!
( need a C# version? )​

This is a commonly asked question!
How do I find the end address of a multi level pointer using C++?
How to use a pointer in C++?
How to calculate pointers with offsets?

Perfer video tutorials? This code is covered in this video:

Background
A pointer itself points to only one address. But when you have a list of offsets you can walk that pointer chain to find the end address.

When you find a pointer in Cheat Engine, what you're finding is a path from one address to another using pointers and relative offsets. This is how computers locate and act on data stored in memory. It's not magic! The logic behind this is based on 2 important features of modern object oriented programming:

• Applications are made memory efficient by dynamically allocating memory objects only when needed and assigning pointers to point at them only when needed.
• Classes can contain member variables that are pointers, specifically pointers to other objects in memory.

The baseAddress or first pointer in the pointer chain is generally one that exists in static memory, meaning it's always located at the same address or can be accessed using a relative offset from the base address of a module.

Imagine this code:

class PlayerClass
{
public:
int health;
int armor;
char* name;
}

PlayerClass* localPlayer;
localPlayer = new PlayerClass();

Class:
Health is offset 0x0, armor is offset 0x4 and name is offset 0x8, because int is a 4 byte variable in this example(32bit x86)

First line:
PlayerClass is the name of the class, the "*" tells the compiler that this is a pointer to an object of type PlayerClass and it's identifier is "localPlayer". In this example it is not initialized. Meaning, no memory has been allocated for it.

Second line:
When the player starts a game, the localPlayer object is allocated a spot in memory on the heap and the pointer is assigned the address of the object.

The address of the localPlayer object wouldn't be consistent and you would need to find a pointer to it. If you used Cheat Engine's "Find What Accesses this Address" or the pointer scanner you would find a pointer with the BaseAddress of the localPlayer pointer and offset 0x8.

It simply uses the same logic that the computer does to find the address of the variable. In the source code of this application if you wanted to get the value of name variable you would use the "->" (the structure dereference operator) like this: "localPlayer->name".

When the compiler compiles this code into assembly the logic that the code follows is this:

1. Dereference the localPlayer pointer to get the dynamic address of the object
2. Add offset 0x8 to get to the name pointer
3. Dereference the name pointer to get the dynamic address of the name value

We can manually do it for every pointer by doing something similar to:

ReadProcessMemory(handle, (LPVOID)pointeraddress, &newpointeraddress, sizeof(newpointeraddress), NULL);
ReadProcessMemory(handle, (LPVOID)(newpointeraddress+ offset[0]), &newpointeraddress, sizeof(newpointeraddress), NULL);
ReadProcessMemory(handle, (LPVOID)(newpointeraddress + offset[1]), &newpointeraddress, sizeof(newpointeraddress), NULL);
ReadProcessMemory(handle, (LPVOID)(newpointeraddress + offset[2]), &newpointeraddress, sizeof(newpointeraddress), NULL);

But you don't want to waste your time doing that for every pointer, instead you make a function that does it for you:

We want to emulate that exact logic in our function and make it able to handle the de-referencing of multiple offsets.

Here's a function that does that for x86 and x64, it's a hybrid of code from Fleep, Rake & IXSO

External:

uintptr_t FindDMAAddy(HANDLE hProc, uintptr_t ptr, std::vector<unsigned int> offsets)
{
    uintptr_t addr = ptr;
    for (unsigned int i = 0; i < offsets.size(); ++i)
    {
        ReadProcessMemory(hProc, (BYTE*)addr, &addr, sizeof(addr), 0);
        addr += offsets[i];
    }
    return addr;
}

To get the Current Weapon Ammo address you would do it like this:

uintptr_t ammoAddr = FindDMAAddy(hProcess, dynamicPtrBaseAddr, { 0x374, 0x14, 0x0 });

Internal:

uintptr_t FindDMAAddy(uintptr_t ptr, std::vector<unsigned int> offsets)
{
    uintptr_t addr = ptr;
    for (unsigned int i = 0; i < offsets.size() ; ++i)
    {
        addr = *(uintptr_t*)addr;
        addr += offsets[i];
    }
    return addr;
}

Need to learn how to find multilevel pointers?
START HERE Beginners Guide to Learning Game Hacking - Guided Hacking

Still confused about what a Multilevel pointer actually is?
WTF are Multi Level Pointers Tutorial - Guided Hacking

 

[Mark123]

Thanks !!!1

 

[ATrashyProgrammer]

Make A youtube video on this plz

 

[Rake]

Make A youtube video on this plz

Everyone struggles with understanding pointers, you just have to keep at it and eventually it will click in your mind and you will understand it.

The absolute most important thing is you need to LEARN C++ first. Use our code, get it to work and then step through it with the Visual Studio debugger until you understand it. If you run into trouble, ask a question

 

[ATrashyProgrammer]

Everyone struggles with understanding pointers, you just have to keep at it and eventually it will click in your mind and you will understand it.

The absolute most important thing is you need to LEARN C++ first

I'm Pretty decent at C++ I take courses at Udemy so I don't think that's a problem. It might be that this is just the first time I'm trying to create a game hack

 

[Rake]

Well pointers are just variables that contain addresses, they are an integral part of c++. If you understand c++ well, understanding pointers is not a problem.

 

[Mark123]

Tnks sir Rake for sharing ^^

 

[Rake]

Someone was just needing an internal version of this so here you go, does not include any error checking, just for PoC

uintptr_t FindDMAAddy(uintptr_t ptr, uintptr_t offsets[], unsigned int numOffsets)
{
    uintptr_t addr = ptr;
    for (unsigned int i = 0; i < numOffsets; ++i)
    {
        addr = *(uintptr_t*)addr;
        addr += offsets[i];
    }
    return addr;
}

 

[coltonon]

Someone was just needing an internal version of this so here you go, does not include any error checking, just for PoC

uintptr_t FindDMAAddy(uintptr_t ptr, uintptr_t offsets[], unsigned int numOffsets)
{
    uintptr_t addr = ptr;
    for (unsigned int i = 0; i < numOffsets; ++i)
    {
        addr = *(uintptr_t*)addr;
        addr += offsets[i];
    }
    return addr;
}

Howdy, my first post over here, coming from UC.

If you've already got the classes mapped out, just declare an instance and deref normally. This is also great because you don't directly work with offsets anymore.

Externally you want to stay as close to that as you can.

template <class C>
C read(DWORD_PTR(Address)) {
    C c;
    ReadProcessMemory(hProcess, reinterpret_cast<LPCVOID>(Address), &c, sizeof(c), nullptr);
    return c;
}

//internal
Offsets::ClientGameContext* pStaticGameContext = (Offsets::ClientGameContext*)OFFSET_GAMECONTEXT;
//access player manager
pStaticGameContext->GameContext->PlayerManager

//external
Offsets::ClientGameContext pStaticGameContext = mem.read<Offsets::ClientGameContext>(OFFSET_GAMECONTEXT);
Offsets::GameContext pGameContext = mem.read<Offsets::GameContext>(pStaticGameContext.GameContext);
//accessing player manager
Offsets::PlayerManager pPlayerManager = mem.read<Offsets::PlayerManager>(pGameContext.PlayerManager);

The philosophy is to keep internals and externals as similar as possible when it comes to reading/writing. Only difference is you have to call RPM every time you need to dereference, otherwise you can use the same reclass output after changing every pointer to something like a DWORD_PTR.

 

[hage_fale]

Is it possible to Make that it automatic detects how many stages(level) the Pointner have? Its just a theoretically question.

 

[mambda]

Is it possible to Make that it automatic detects how many stages(level) the Pointner have? Its just a theoretically question.

use an stl container that would have a size property

 

[Rake]

Is it possible to Make that it automatic detects how many stages(level) the Pointner have? Its just a theoretically question.

It does do that.

 

[wilfryhd23]

GOOd CLASS, you explain wells.

 

[JonathanREmery]

This was very interesting thanks for the tutorial.

 

[TorCracker]

Good tutorial, this is very interesant for beginner thanx bro

 

[sayewivifi]

1. Dereference the localPlayer pointer to get the dynamic address of the object
2. Add offset 0x8 to get to the name pointer
3. Dereference the name pointer to get the dynamic address of the name value

———

When you deterrence name pointer to get address of name value, can you explain this part?

Isn’t name pointer pointing to the name property’s address?

If you deference the name pointer that’s pointing to the name property, aren’ttly accessing the name ? Why is it getting dynamic address of the name value instead?

I don’t get it, pls correct me, thank you

 

[Rake]

When you deterrence name pointer to get address of name value, can you explain this part?
Isn’t name pointer pointing to the name property’s address?
If you deference the name pointer that’s pointing to the name property, aren’ttly accessing the name ? Why is it getting dynamic address of the name value instead?

When we say dereference during reverse engineering, we are talking addresses. In C++ if the pointer has type char array, dereferencing it gives you that address represented by a null terminated char array.

Don't be confused by this, a pointer is just an address that contains another address. Any "typing" of the address is only understood as a construct for the compiler.

 

[Edizzz]

Ty <3

 

[myspring]

_wcsicmp compares strings and returns comparing result as an integer. But what is the meaning of this "!_wcsicmp(procEntry.szExeFile, procName)" if it's not a boolean?
Does the "!_wcsicmp" mean "if equals to"?


Relevant snippet of code:

if (!_wcsicmp(procEntry.szExeFile, procName)) //приводит строки в ловеркейс и сравнивает их
                {
                    procId = procEntry.th32ProcessID;
                    break;
                }

 

[myspring]

_wcsicmp compares strings and returns comparing result as an integer. But what is the meaning of this "!_wcsicmp(procEntry.szExeFile, procName)" if it's not a boolean?
Does the "!_wcsicmp" mean "if equals to"?


Relevant snippet of code:

if (!_wcsicmp(procEntry.szExeFile, procName)) 
                {
                    procId = procEntry.th32ProcessID;
                    break;
                }

What i found is that: if (c) is the same as if (c != 0). And if (!c) is the same as if (c == 0).
That's make clear why it works.