Solved Understanding sig scans


GainOSaurusFIex

Game Name: ARK: Survival Evolved
Anticheat: N/A
How long you been coding/hacking?: 2 Years
Coding Language: C#
I will try to describe my issue to the best of my ability; I'll start with the problem.
So I got to the point where I have a very good working hack, but I use all offsets hardcoded, even UWorld (this is a pointer in the Unreal Engine that holds all the entities). Now every time my game updates I have to boot up IDA, load up the PDB and search for the following sig "48 8B 05 ? ? ? ? 48 8B 88 ? ? ? ? 48 85 C9 74 0E", which is OK because it only takes 5 min while I can watch YT, but if there is a way to automate things, why not? We are here to learn anyway, so I came across sig pattern scans and saw how the basics worked and a lot of usage in C++ but not that much in C#.
I found a sig pattern scan, "the fastest sig scan in C#", from @vmcall (thanks for this awesome work btw). He is a well-respected member in the hacking community, so I thought why not give his work a go, and it is really fast. (For anyone interested: SigScanSharp.cs)
Now when I use this sig scan in IDA, I click on search for a sequence of bytes and enter my pattern, and then I come to this address, which is what I want
1596651849496.png

I double click on ?GWorld@@3VUWorldProxy@@A.World and I got my offset.
1596651871843.png

Now here is where the problem begins, I tried to replicate this in c# and spent hours trying different combinations of + 3 +7 converting to uint and RPM with different addresses but I didn't get the result I wanted.
What I want is this offset with a sigscan
1596652005897.png

or the base module + uworld if the offset is not possible
1596652064685.png

Here are the things that I tried
SigScanning:
SigScanSharp Sigscan = new SigScanSharp(ourProcessez[0].Handle);
Sigscan.SelectModule(ourProcessez[0].MainModule);
long lTime;
UWorldOffset = Sigscan.FindPattern("48 8B 05 ? ? ? ? 48 8B 88 ? ? ? ? 48 85 C9 74 0E", out lTime);
ulong globaloffset = Memory.UWorldOffset;
uint Foundrelativeoffset = (uint)globaloffset + 3; // I thought this was the one I am looking for
ulong Totaladdress = (ulong)(globaloffset + Foundrelativeoffset + 7);
This is the result of printing out all the offsets (converted to long)
output:
Working offsets
Uworld:
72720168
Base Module:
140694967287808
base + uworld
1986902566464
Sigscan Test offsets
globaloffset:
140695009648144
relativeoffset:
470965779
finaladdress:
140695480613930
finaladdress + base:
281390447901738
If anyone could tell me what I am doing wrong any help would be appreciated.
Thanks in Advance
 


wolf22j

You need to actually read the displacement from memory to get the offset. You're just getting a pointer to the displacement but not actually reading it.

C#:
ulong Foundrelativeoffset = globaloffset + 3; // you have a pointer to the displacement here, now you need to read it. Make sure you keep it as ulong since it's an address
long displacement = (long)Memory.ReadInt32(Foundrelativeoffset); // pseudo code, use whatever memory library you are using to read memory with to get the 4 byte displacement
ulong Totaladdress = (ulong)((long)globaloffset + displacement + 7); // cast back to ulong so the assignment compiles
Don't add the base to totaladdr, subtract the base instead. 140700720144168 - 140700647424000 = 72720168 (0x4559F28)
 

GainOSaurusFIex

So I tried what you said and it didn't work :(
Uworld:
ulong globaloffset = Memory.UWorldOffset;
ulong Foundrelativeoffset = globaloffset + 3;
long displacement = (long)Memory.Read_Int32(Foundrelativeoffset);
var totaladd = (long)globaloffset + displacement + 7;

with the following Read_int32 method
        internal static int Read_Int32(ulong lpBaseAddress)
        {
            bufferZ = ByteBuffer_4;

            this_MemoryApi.ReadProcessMemory(ProcessHan, (IntPtr)lpBaseAddress, bufferZ, 4, out Bytez_Read);

            return BitConverter.ToInt32(bufferZ, 0);
        }
and with the following output
Output:
Console.WriteLine("Working offsets");
Console.WriteLine("Uworld: \n" + Offsets.uWorld);
Console.WriteLine("Base Module: \n" + InternalSettings.Base);
Console.WriteLine("base + uworld \n" + InternalSettings.uWorldBs);
Console.WriteLine("Sigscan Test offsets");
Console.WriteLine("globaloffset: \n" + (long)Memory.UWorldOffset);
Console.WriteLine("relativeoffset: \n" + (long)displacement);
Console.WriteLine("totaladdr: \n" + (long)totaladd);
Console.WriteLine("totaladdr + base: \n" + ((long)totaladd + InternalSettings.Base));

leads to ->

Working offsets
Uworld:
72720168
Base Module:
140700647424000
base + uworld
1790965504192
Sigscan Test offsets
globaloffset:
140700689784336
relativeoffset:
30359825
totaladdr:
140700720144168
totaladdr + base:
281401367568168
Thanks for the reply though :)
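
The displacement arithmetic discussed in this thread, run over a constructed byte slice instead of a live process (an added example, not code from the thread or from SigScanSharp). The class and method names are hypothetical; the module base, match address and displacement are the values printed in the second post.

```csharp
using System;
static class RipRelativeDemo
{
    // Parses "48 8B 05 ? ? ..." into bytes; null marks a wildcard position.
    static byte?[] ParsePattern(string sig)
    {
        string[] parts = sig.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        return Array.ConvertAll(parts, p => p == "?" ? (byte?)null : Convert.ToByte(p, 16));
    }
    // Returns the index of the first match in data, or -1 if there is none.
    static int FindPattern(byte[] data, byte?[] pat)
    {
        for (int i = 0; i + pat.Length <= data.Length; i++)
        {
            int j = 0;
            while (j < pat.Length && (pat[j] == null || pat[j] == data[i + j])) j++;
            if (j == pat.Length) return i;
        }
        return -1;
    }
    // "48 8B 05 disp32" (mov rax, [rip+disp32]) is 7 bytes long. RIP holds the
    // address of the next instruction, so target = match + 7 + signed disp32.
    static ulong ResolveRipRelative(byte[] data, int matchIndex, ulong matchVa)
    {
        int disp = BitConverter.ToInt32(data, matchIndex + 3); // read the 4 bytes, do not use their address
        return (ulong)((long)matchVa + disp + 7);
    }
    static void Main()
    {
        // Values taken from the output in the second post.
        const ulong moduleBase = 140700647424000;
        const ulong matchVa = 140700689784336; // "globaloffset"
        const int disp32 = 30359825;           // "relativeoffset"
        // Constructed 35-byte slice of the module; the instruction starts at index 16.
        byte[] slice = new byte[35];
        byte[] insn = { 0x48, 0x8B, 0x05, 0, 0, 0, 0, 0x48, 0x8B, 0x88, 0, 0, 0, 0,
                        0x48, 0x85, 0xC9, 0x74, 0x0E };
        Array.Copy(insn, 0, slice, 16, insn.Length);
        Array.Copy(BitConverter.GetBytes(disp32), 0, slice, 16 + 3, 4);
        ulong sliceVa = matchVa - 16; // virtual address the slice would have been read from
        int idx = FindPattern(slice, ParsePattern("48 8B 05 ? ? ? ? 48 8B 88 ? ? ? ? 48 85 C9 74 0E"));
        if (idx < 0) { Console.WriteLine("pattern not found"); return; }
        ulong target = ResolveRipRelative(slice, idx, sliceVa + (ulong)idx);
        ulong rva = target - moduleBase; // subtract the base, never add it
        Console.WriteLine("target VA : " + target);
        Console.WriteLine("target RVA: " + rva + " (0x" + rva.ToString("X") + ")");
    }
}
```

With these inputs the resolved address minus the module base is 72720168 (0x4559F28), the same subtraction shown in the answer.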
 