Solved Path of Exile dynamically allocated pointers?


gerion
Dec 29, 2016
Hi everyone, it's my first post in here, but I've been a fan for some time now, as I've become addicted to knowing more and more about the stuff I want to do. On a daily basis I'm a JS dev, but the world that we (you) are delving into here is so much deeper and more complex that there's no comparison :)

Ok, let's cut to the chase. I'm trying to get some basic data from a game called Path of Exile, and while it's easy to find the values and the pointers to those values in CE, the problem is that the pointers are also dynamically allocated. They are different every time the game starts. After banging my head against a wall for some time with that, I started doing this (sorry for links instead of pictures; somehow the website kept telling me the file is invalid, both jpg and png):

1. At this point I've got the HP value for the currently opened game, together with the pointer to it.


2. I'm checking what writes to this address through the pointer, which gives me a mov assembly instruction: mov [edi+000008DC], ecx


What I assumed from this is that edi might be the base address of the player object, and edi + 8DC should be the pointer to the character's hit points. ECX is the value of the HP after the change (I equipped/removed a ring with +HP to toggle the change).

3. I made a C++ program that put a hardware breakpoint at 013BB169, read the EDI base address, then removed the hardware breakpoint and moved to a regular ReadMemory loop on EDI + 8DC to check the current HP. And even though it turned out to be harder than that, I was so happy at this point :-D

The problem occurred when I changed characters and actually went out on the map to play. It turned out that the same instruction (from point 2) is also used to transfer the value of energy shield (in this game it's like additional HP; on top of regular HP you have a shield) and mana. So my assumption at this point was that it's some kind of middle-man function that accepts arguments with the value and the type of value, like changeStats(hp, 123). What I thought at this point was that I need to go up in the function to find a place where I can check for these arguments and act based on them:

1. I made CE select the function that contains my instruction:


2. CE then points to this location in memory:


The location it's pointing to is pathofexile.exe + 1AAD70, which is 013BAD70 (checked in CE).
Following the IDA tutorials from GH, I loaded the game into IDA and used Jump -> Jump to address to find that function and decompile it. The problem is that this address is not found by IDA unless I attach the currently running game to the program. I feel like my brain is missing some crucial knowledge about why it's not being found, because it feels like I'm missing something simple. Is it because it's a function that is only dynamically allocated after the game starts?

Anyway, I keep going! So, after decompiling the function, I'm here:


And I guess at this point my question is: am I doing things right, and now it's only about spending tons of hours in that decompiled code actually naming variables until the 'oh, I've got it!' moment comes, or is there something utterly wrong in my process and I'll waste my time going in that direction?

Thanks in advance for all the help guys!

Rake
Administrator
Jan 21, 2014
gerion, welcome to GuidedHacking! I added the img tags for you, so now they show all pretty like.

You may just need to find a longer chain of pointers, meaning one with more offsets. If you're having trouble tracing back that far, you can try the pointer scanner. I'm 99% sure you can do this with just pointers, no crazy stuff.

It is possible for the code to be loaded dynamically, but the game must know where it's located in order to work. The CPU only understands addresses + relative offsets, so there must be a pointer chain you can follow to get there, ya know. For instance, in a Quake engine game called OpenArena, the game engine is a virtual machine / interpreter, and the modules that hold the bytecode are dynamically loaded at runtime. I could trace back a pointer that existed in the client module, but the address of the module was always changing. Sounds easy enough, but the offsets changed every time I loaded the game; it turns out the offsets into the bytecode were dynamically calculated from the base address of the .exe and not the base address of the module. This added another layer of pain to my reversing process, because the game engine and the virtual machines running inside the game engine were using different offsets for the same damn thing. But then I found a table of structs called the VMTable that contains a pointer to each module, the size of the module, etc... In the end I had a multilevel pointer that looked like this:

Static Address -> Pointer to VMTable -> Pointer to Client Module + [dynamically calculated offset] -> Pointer to local Player

In the end I just needed a dank ass pointer, but tracing back in the assembly was really painful. I ended up writing down the addresses of the modules and subtracting them to find the difference, then I calculated the size of the modules, then I found a memory allocation routine that was allocating memory chunks that were the same size as the modules, CHAAAAAAA CHINNNNNG, and the rest is history.

Pointer Scanning Like a Boss
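As an added example (not code from this thread, and not CE's, IDA's or the game's own code), here is the mechanical part of what both posts above describe in C++: walking a multi-level pointer chain of the form "static address -> pointer -> pointer + offset -> ... -> value", with every dereference checked so an unmapped or null pointer aborts instead of producing a garbage address, and converting a runtime address into the module-relative offset CE displays (pathofexile.exe + 1AAD70) so the same location can be looked up in IDA at whatever image base IDA loaded the file at. The memory reader is a callback, so the code runs against a constructed fake address space here and could be pointed at ReadProcessMemory for a real process. Everything in the fake layout is assumed: the static pointer at module base + 0x2000, the table offset 0x10, the IDA image base 0x00400000, and the table/player addresses; the module base 0x01210000 is the only figure derived from the thread (013BAD70 minus 1AAD70), and 0x8DC is the offset seen in the mov instruction.

```cpp
// Added example, not code from the thread. 32-bit target (the thread's
// addresses are 32-bit), so pointers are 4 bytes wide.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <map>
#include <optional>
#include <vector>

// Reads `len` bytes at `addr`; returns false if the address is unreadable.
// In a real tool this would wrap ReadProcessMemory; here it wraps FakeMemory.
using MemReader = std::function<bool(uint32_t addr, void* out, size_t len)>;

// Walks: read [base] -> p0; read [p0 + off0] -> p1; ...; returns p(n-1) + off(n-1).
// The returned address is NOT dereferenced; the caller reads the value there.
// Any unreadable or null pointer aborts with nullopt rather than a bogus address.
std::optional<uint32_t> ResolvePointerChain(const MemReader& read, uint32_t base,
                                            const std::vector<uint32_t>& offsets) {
    uint32_t addr = base;
    for (uint32_t off : offsets) {
        uint32_t ptr = 0;
        if (!read(addr, &ptr, sizeof ptr) || ptr == 0) return std::nullopt;
        addr = ptr + off;
    }
    return addr;
}

// Runtime address -> offset from the module base (CE's "module.exe+X").
uint32_t ToModuleOffset(uint32_t runtime_addr, uint32_t runtime_base) {
    return runtime_addr - runtime_base;
}

// Same location as IDA shows it, given the image base IDA loaded the file at.
uint32_t ToIdaAddress(uint32_t runtime_addr, uint32_t runtime_base, uint32_t ida_base) {
    return ida_base + ToModuleOffset(runtime_addr, runtime_base);
}

// ---- Constructed fake address space (hypothetical layout) ----
// static ptr at base+0x2000 -> table; table+0x10 -> player; player+0x8DC = HP.
struct FakeMemory {
    std::map<uint32_t, uint32_t> words;  // 4-byte words keyed by address
    bool Read(uint32_t addr, void* out, size_t len) const {
        if (len != 4) return false;
        auto it = words.find(addr);
        if (it == words.end()) return false;  // unmapped -> read fails
        std::memcpy(out, &it->second, 4);
        return true;
    }
    MemReader AsReader() const {
        return [this](uint32_t a, void* o, size_t l) { return Read(a, o, l); };
    }
};

const uint32_t kModuleBase = 0x01210000;  // 013BAD70 - 1AAD70, from the thread

FakeMemory BuildFakeProcess() {
    FakeMemory m;
    m.words[kModuleBase + 0x2000] = 0x0A000000;  // static pointer -> table
    m.words[0x0A000000 + 0x10]    = 0x0B000000;  // table+0x10 -> player object
    m.words[0x0B000000 + 0x8DC]   = 123;         // player+0x8DC = current HP
    return m;
}

// Resolves base+0x2000 -> +0x10 -> +0x8DC and reads the HP value found there.
std::optional<uint32_t> ReadPlayerHp(const FakeMemory& m) {
    MemReader r = m.AsReader();
    auto hp_addr = ResolvePointerChain(r, kModuleBase + 0x2000, {0x10, 0x8DC});
    if (!hp_addr) return std::nullopt;
    uint32_t hp = 0;
    if (!r(*hp_addr, &hp, sizeof hp)) return std::nullopt;
    return hp;
}

// Failure mode: against an empty address space the chain must be rejected.
bool UnmappedChainIsRejected() {
    FakeMemory empty;
    return !ResolvePointerChain(empty.AsReader(), kModuleBase + 0x2000, {0x10, 0x8DC}).has_value();
}

int main() {
    auto hp = ReadPlayerHp(BuildFakeProcess());
    std::printf("HP = %u\n", hp ? *hp : 0u);
    std::printf("pathofexile.exe+%X -> IDA 0x%08X\n",
                ToModuleOffset(0x013BAD70, kModuleBase),
                ToIdaAddress(0x013BAD70, kModuleBase, 0x00400000));
    return 0;
}
```

The null check in the chain walk is deliberate: during loading screens or a character change the intermediate objects may not exist yet, and reading through a zero pointer plus an offset silently returns whatever sits in the low pages of the address space.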

sitapea1337
Aug 31, 2016
There has to be a pointer somewhere. Even that EDI needs to be generated in some part of the code, and that would be your pointer.

Breakpoints are a bit dangerous, because they can be detected by a 3rd party.

You sure your base pointer is correct? There can be a lot more offsets than 1 or 2; the most I've seen is 12, I think, but it was a long time ago and I probably could've solved it with fewer pointers.

gerion
Dec 29, 2016
@Rake thank you for the warm welcome and for the hints. I'll work on it and keep going, hopefully not bothering you all too much on the way :)

@SitaPea - are you sure you meant that hardware breakpoints are dangerous? I've read quite a few times that software ones are, because they put an INT3 in the code and that's a modification, so it's detectable, but hardware breakpoints are set at the processor level, so apart from the fact that a debugger is attached to the app for a fraction of a second, there's no way of tracking it?

Thanks in advance for all the answers guys!