Solved Game Hacking Code Book Help


xploiitz

So I'm reading through this book and it's written pretty nicely.

Source is provided and many parts of Cheat engine / Olly / concepts are explained quite well.

I'm stuck on Chapter 1 Memory pointers.

The instructions are

"this one requires
that you win 50 times in 10 seconds. Upon each win, the memory addresses
for the x- and y-coordinates will change, meaning you will be able to freeze
the value only if you have found a proper pointer path. Start this exercise the
same way as the previous one, but once you’ve found the addresses, use the
Pointer scan feature to locate pointer paths to them. Then, place the ball on
top of the black square, freeze the value in place, and press tab to begin the
test. Just as before, the game will let you know once you’ve won. (Hint: Try setting
the maximum level to 5 and the maximum offset value to 512. Also, play
with the options to allow stack addresses, terminate the scan when a static is
found, and improve the pointer scan with heap data. See which combination
of options gives the best results.)"

I'm able to find the X/Y coordinates of the ball every single time without any issues. I've even found pointers that point to the proper X/Y every time the game starts. But once you run the tests it starts failing and changing. Freezing the pointer will crash the game and thus I can't win.

I can't seem to find a proper pointer path no matter what I try.

I've been at this particular lab for a ridiculously long time and I think I'm just missing a small concept.

If you follow the git link above you can clone the repo and see the source / run the exe yourself (in the bin folder).

(If you get errors about loading fonts or map, move arial.ttf and game.map into the same directory as the binary and try again.)


I'm just trying to understand what I'm missing here :/

Can anyone help out?


**edit

forgot to provide links

The Book:
https://www.nostarch.com/gamehacking

Git Repo:
https://github.com/GameHackingBook/GameHackingCode

The specific Chapter I'm having issues with:
https://github.com/GameHackingBook/GameHackingCode/tree/master/Chapter1_MemoryPointers


makane

Here's my approach (more traditional). Might not be the most efficient, but I understand this way better because I see each individual offset and see how the pieces fit together. I'm still very inexperienced, but I have it working



Open the lab and the first thing I see is that the x/y positions are probably stored as a 4 byte int value. (the ball moves 1 space at a time when you move it)



I'm going to try to find the base pointer that holds the x value of the ball.
I don't know its value, so I'll search for an uninitialized value.
Then, I'll move the ball to the right and search for increased value and move the ball to the left for decreased value.



I get down to 33 results and look through the list. Hmm... a value of 14 stands out. You probably can edit the value and see the ball move around.



I add the result to my list, right click the address and click "Find out what writes to this address". This is logical because an address holds/changes the ball's x position.
One address pops up and I click on "more information".
Looking at the instruction that CE marked, mov [eax], ecx, the address that contains the x position must be in eax. EAX = 00EF2E48.
So, we are finding the pointer that contains x ~~~
uint32_t* pointer1 = x

Now, we must find what addresses access that address since this is still an allocated pointer. Type in CE the address. For me, 3 addresses show up. I go through each one and click on "Find out what accesses this address". This makes sense since an address shouldn't usually change, unlike a ball's position. I got one that had an instruction accessing the address. The rest didn't have any instructions appearing.
In this case we are finding the pointer that contains the pointer to x.
uint32_t** pointer2 = pointer1;



Keep on doing this and filtering out the results and you will see the base pointer. CE will mark this address with a green highlighting.



Now you should have the base address. Add an address manually and mark it as a pointer. Add the required offsets.
The base pointer should look something like this:
uint32_t***** base = 0x128ecc0;

When you add the required offsets, you are accessing x by doing this calculation
uint32_t x = *(*(*(*(*base + 80) + 40) + 20) + 0); // one read per level: base, +80, +40, +20, +0



y should be offset by 4 in memory from x (usually member variables are located very close to each other in memory).
For example, the implementation could have looked like this for the ball:
struct Ball
{
uint32_t x; // 0 offset
uint32_t y; // 4 offset
};



I freeze the variables and press tab to run the lab. It works out since I'm freezing the variable using the base pointer. If I were not using the base pointer, a new ball will be allocated each time an iteration runs and your pointer will be invalid.
Something like this should occur.

delete base->pointer1->pointer2->pointer3;
delete base->pointer1->pointer2;
delete base->pointer1;
allocate base->pointer1;
allocate the rest...


if you want to get a better sense of how this works behind the scene, I highly recommend looking at the source when you are done to see what is actually happening.
Location class represents the ball's x and y. It does almost the same as what I described with allocating/deleting. It becomes a multilevel pointer because it allocates itself 3 times and sets the pointer to point at these individual allocated objects.

I'm still learning, so this was a learning experience for me as well :)

Feel free to ask me for more clarification/criticize me for making a mistake.
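As an added illustration, not makane's code and not from the book's repository, here is a small C++ model of the chain described in this post: a static global (the green address) points through three heap objects to the ball, a "win" reallocates the whole chain, and a pointer path is re-resolved from the static base each time. The struct layouts, the padding that produces the offsets, and the allocate-new-then-free-old order are all constructed for the demo; the lab's real layout and offsets are whatever Cheat Engine shows you. It demonstrates why the raw address from the first scan stops pointing at x after a reallocation while the base + offsets path still does, and why a resolver should refuse to dereference a null hop instead of crashing.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed stand-in for the lab's ball object: x at offset 0, y at offset 4.
struct Ball { uint32_t x; uint32_t y; };

// Three intermediate heap objects between the static base and the ball. The
// padding puts each "next" pointer at a non-zero offset, which is what shows
// up as the offset column in Cheat Engine. Sizes are constructed for the demo.
struct Level3 { uint8_t pad[0x18]; Ball*   ball; };
struct Level2 { uint8_t pad[0x28]; Level3* next; };
struct Level1 { uint8_t pad[0x50]; Level2* next; };

// The static base: a global whose own address never moves while the process
// runs (the kind of address CE highlights green). Only what it points to changes.
static Level1* g_base = nullptr;

static void free_chain(Level1* root) {
    if (!root) return;
    delete root->next->next->ball;
    delete root->next->next;
    delete root->next;
    delete root;
}

// Simulates a "win" in the lab: every object in the chain is allocated afresh,
// so every intermediate address and the ball itself move. The new chain is
// built before the old one is released so the new objects cannot land on the
// old addresses (keeps the demonstration deterministic across allocators).
static Ball* rebuild_chain(uint32_t x, uint32_t y) {
    Level1* fresh = new Level1{};
    fresh->next = new Level2{};
    fresh->next->next = new Level3{};
    fresh->next->next->ball = new Ball{x, y};
    free_chain(g_base);
    g_base = fresh;
    return fresh->next->next->ball;
}

// Resolve a pointer path the way CE's pointer-type address entry does: read a
// pointer-sized value at the current address, add the next offset, repeat.
// Returns 0 if any hop reads as null rather than dereferencing it; that is the
// moment a naive freeze crashes the game mid-reallocation.
static uintptr_t resolve_path(uintptr_t static_base, const std::vector<size_t>& offsets) {
    uintptr_t addr = static_base;
    for (size_t offset : offsets) {
        uintptr_t next = 0;
        std::memcpy(&next, reinterpret_cast<const void*>(addr), sizeof next);
        if (next == 0) return 0;
        addr = next + offset;
    }
    return addr;
}

// Byte offsets for the path to x, taken from the struct layouts above with
// offsetof rather than hard-coded, so they stay right on 32- and 64-bit builds.
static const std::vector<size_t> kPathToX = {
    offsetof(Level1, next), offsetof(Level2, next), offsetof(Level3, ball), offsetof(Ball, x)};

struct Outcome {
    bool raw_address_survives;   // does the address from the first scan still hit x?
    bool path_survives;          // does re-resolving the path still hit x?
    uint32_t x_after_freeze;     // value of x after writing through the path
};

static Outcome demo() {
    rebuild_chain(14, 9);
    const uintptr_t base = reinterpret_cast<uintptr_t>(&g_base);
    const uintptr_t cached = resolve_path(base, kPathToX);   // what a first scan would cache

    Ball* after_win = rebuild_chain(3, 3);                     // the lab reallocates on a win
    const uintptr_t fresh = resolve_path(base, kPathToX);
    const uintptr_t want = reinterpret_cast<uintptr_t>(&after_win->x);

    Outcome o{cached == want, fresh == want, 0};
    *reinterpret_cast<uint32_t*>(fresh) = 14;   // "freeze": rewrite x through the path
    o.x_after_freeze = after_win->x;
    free_chain(g_base);
    g_base = nullptr;
    return o;
}

int main() {
    Outcome o = demo();
    std::printf("cached raw address still valid: %s\n", o.raw_address_survives ? "yes" : "no");
    std::printf("re-resolved path still valid:   %s\n", o.path_survives ? "yes" : "no");
    std::printf("x after freezing via path:      %u\n", o.x_after_freeze);
    return 0;
}
```

The important design point is in resolve_path: it starts from the address of g_base (the static), not from g_base's current value, so a chain that has been torn down and rebuilt is followed correctly on the next read. Caching the final address, which is what a pointer path ending in a single offset effectively does, is exactly the case that breaks after each win.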
 

Icew0lf

do you have a link to said book please?
 

xploiitz

Thanks a bunch. Your explanations were super helpful. I was able to get through it on my first attempt after following your steps.

The original instructions call for using the Pointer scanner.

After using your method, I went back and tried the Pointer scanner again, this time, I went back and really read and tried to understand the different settings you can turn on and off in the Pointer Scanner settings.

I was able to do this in one step in the Pointer Scanner with proper settings.


Here's an image that shows the settings

https://imgur.com/a/1TZK8

The yellow box is what I had turned on the first time in addition to the red.

When I had "Stop traversing a path when a static has been found" turned on, I ended up getting one address with one offset that pointed to one of the coordinates.
Freezing it would crash the game.

It was frustrating because scanning for static was checked, meaning my results were static addresses. But then the game would crash.

Got pretty pissed.


I still don't understand why having that option turned on didn't work.

Here are the instructions from the book regarding that option
"Stop traversing a path when a static has been found Terminates the
scan when it finds a pointer path with a static start address. This should
be enabled to reduce false positives and speed up the scan."

Finally, turning on the red options in the image sped up the process.
"Improve pointerscan with gathered heap data Allows Cheat Engine
to use the heap allocation record to determine offset limits, effectively
speeding up the scan by weeding out many false positives. If you run
into a game using a custom memory allocator (which is becoming
increasingly common), this option can actually do the exact opposite
of what it’s meant to do. You can leave this setting enabled in initial
scans, but it should be the first to go when you’re unable to find reliable
paths."

But how would I ever know to turn this on or off? Is this aspect of finding pointers just a grueling brute force process every single time?
 

makane

I actually haven't really used pointer scanning as it seems complicated(?) I'll try to find the coords again with pointer scanning this time around. I'll get back to you if I'm able to get it.
 