C++ , Cheat Engine / OllyDBG finding base “static” address from multi-level pointers

前端 未结 1 1178
闹比i
闹比i 2021-02-09 20:28

I\'m back again, frustrated and desperately searching for help :D.

I am trying to create a cheat for a simple program, it\'s basically going to be a .dll file which will

1条回答
  •  暖寄归人
    2021-02-09 21:17

    I think you are misunderstanding the goal of Cheat Engine.

    CE allows you to modify values that are stored in a durable way in memory. For example, on the heap, or in the program's static data.

    For example, C++ objects are allocated in a deterministic way, and hence, they never move. This is why they can be referenced by a pointer that remains constant all over the object's lifetime. This object is sometime owned by another. If you find a pointer to the owner object, you found what is called a base pointer.

    For example :

    class Object
    {
        bool dummy;
        int someField;
        Object* child;
    };
    

    Now imagine you have a nested tree of 3 Object. Meaning that you have a root Object (n°1), whose child is another Object (n°2), whose child is another Object (n°3). Imagine you do something like this :

    int main(int argc, char** argv)
    {
        Object root; // n°1
        root.child = new Object(); // n°2
        root.child->child = new Object(); // n°3
    
        return 0;
    }
    

    You're interested in messing with n°3's someField value. You know that the address of someField, relative to an Object, is of +sizeof(bool) = 1. So (void*)&(object n°3) + 1 is a pointer to the someField you want.

    Now, how do you find a pointer to object n°3 ? Knowing that the relative address of child is +sizeof(bool)+sizeof(int) = 5. We know that a pointer to object n°3 is (void*)&(object n°2) + 5.

    Same goes for the address of object n°2, I'll leave that as an exercise.

    But what about object n°1 ? It's not allocated on the heap. It's on the stack. Crap. So we must find another way to find the address where object n°1 is stored.

    Local variables are stored on the stack. In assembly, they are identified by their offset relative to the register EBP (or ESP if the function does not change the stack). EBP is the top of the stack, while ESP is the bottom of the stack.

    In this example :

    function foo()
    {
        int a;
        double b;
    }
    

    When foo is called, the stack will be increased just enough to hold a and b, that is, sizeof(int) + sizeof(double), or 12 bytes. a will be stored at EBP - sizeof(int) = EBP - 4 (same as ESP + 8) and b will be stored at EBP - sizeof(int) - sizeof(double) = EBP - 12 (same as ESP). Attention! The compiler can change this order, so the declaration order of your variables isn't necessarily the same in memory. Optimizations can also change this completely. But let's keep this simple okay ?

    So back to our main example. What local variables do we have ? root only. Therefore root will be located at EBP - 9 directly. But this, ONLY when main is the function on top of the call stack. Without a debugger, you can't do it.

    Let's assume that our EBP is 0028FF28 when main is called (taken from a freshly compiled C program).

    root is then at (0x0028FF28 - 9) = 0x0028FF1F; the pointer to root.child is at (0x0028FF1F + 5) = (0x0028FF24); Therefore, root.child is located at *0x0028FF24.

    The pointer to root.child->child is at (*0x0028FF24 + 5) = (let's say 10000) Then root.child->child is at *10000.

    Finally, root.child->child.someField is at *10000 + 3.

    To sum up: you just need to find the static address of root to find the rest. root is NOT on the heap or any kind of durable memory, but it is on main's stack, which lasts during almost all the program, so it's almost as if it were permanent. CE helps you find a static address by scanning the entire process memory space

    With all this in mind, you should be able to calculate hp's relative address on the stack and find a static pointer to it (main is very, very, very likely to have a static frame address every time you launch the program). If you need help, use a debugger ! I recommend Immunity Debugger.

    0 讨论(0)
提交回复
热议问题