CE. Assembly, Pointers, and a dead end

  1. #1
Beliroz (Private)


    I was hoping for some advice, as I'm relatively new to reverse engineering. I've written a few successful bots, but this (simple?) problem I ran into has me stumped:

    I used CE to find a value, I'm sure I have the correct value, now I need its pointer, nothing I haven't done before, I check to see who writes and accesses the address and all signs point to the same direction:

    Code:
    mov eax,[esi+0C]
    ESI has "some hex value" stored, and CE is telling me this is the value of the pointer needed to find this address.

    Great! Now I scan the memory for "some hex value" (making sure to do a new scan, 4 bytes, hex is checked) to find addresses that contain this value (which usually gives me a few candidates for the pointer I'm looking for) only to find ... NOTHING! This has never happened to me yet, it's a complete dead end and I have no idea how to proceed. Here is some more assembly:

    Code:
    push esi
    mov esi,ecx
    cmp byte ptr [esi+06],00
    jne prog.exe+640010 (this jne doesn't jump)
    mov eax,[esi+0C]
    Did I forget something? How can this happen? Any advice is greatly appreciated, thanks in advance!

  2. #2
    DarkLinux (Former Staff)
    Well the value you're looking for will be at the address esi + 0x0C. Or just set a bp just after that line and read eax. That address could be on the heap for all we know. Why not just hook that function and get the address like that every time?
    Last edited by DarkLinux; 09-18-2013 at 04:31 PM.

  3. #3
    Beliroz (Private)
    Originally Posted by DarkLinux View Post
    Well the value your looking for will be at the address esi + 0x0C
    Yep, this is my known value. It's how I found the assembly above by using the "Find out what accesses/writes this address" function in CE.

    My understanding is that since the address at ESI is a heap address, I need to find out what 4-byte pointer (address) on the stack contains the same value (address) that ESI contains. Basically, where the hell did ESI get its value? I've been doing this by a 4-byte search for the hex of 0xWhateverValueESIholds. Unfortunately, this search is coming back with no results, and this is where I'm stuck. The disassembly shows nothing about where ESI got its value either. Am I misunderstanding something?

  4. #4
    DarkLinux (Former Staff)
    Post the asm code block and I'll take a look. What is the address for anyways? And what game?

  5. #5
    Beliroz (Private)
    Originally Posted by DarkLinux View Post
    Post the asm code block and I'll take a look.
    I don't think looking at the asm for the function will help but here it is anyway:

    Code:
    push esi
    mov esi,ecx
    cmp byte ptr [esi+06],00
    jne prog.exe+64D31E
    mov eax,[esi+0C] <---------- this is the line that accesses my value
    pop esi
    ret
    I believe what I need is a way to figure out is who writes the value to ESI. How would I go about doing this in CE?

    This asm is for the function that updates item count in the player's inventory for ffxiv.

  6. #6
    DarkLinux (Former Staff)
    Power up IDA and see who calls this function and then look at ecx. Or follow it back / look at esp.
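A constructed C reconstruction (added here, not code from the thread) of the layout the disassembly implies, showing why a 4-byte scan for ESI's value can come back empty even though the value is right: the function is a thiscall getter (ecx is the object pointer, copied to esi), and a caller that computes that pointer as base + index*stride never stores it anywhere scannable; only the array base is. The struct fields, the Inventory container and the array of four items are assumptions for illustration; the only facts taken from the thread are the byte at +0x06 and the 4-byte value at +0x0C.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout: a byte at +0x06 that is compared with 0, and a
 * 4-byte value at +0x0C that the function returns in eax. */
typedef struct {
    uint8_t  pad0[6];
    uint8_t  flag;    /* cmp byte ptr [esi+06],00 */
    uint8_t  pad1[5];
    uint32_t count;   /* mov eax,[esi+0C]         */
} Item;               /* sizeof == 16 */

/* The leaf function from the thread: 'this' arrives in ecx (thiscall).
 * The taken-branch target is not shown in the thread, so it is
 * modelled here as "return 0" (assumption). */
uint32_t item_count(const Item *it) {
    if (it->flag != 0) return 0;   /* the jne that is not taken */
    return it->count;
}

/* Constructed container: the program keeps ONE base pointer to an
 * array of Items; individual element pointers are computed, not stored. */
typedef struct {
    Item    *items;
    uint32_t n;
} Inventory;

static Item      g_items[4];               /* constructed sample data */
static Inventory g_inv = { g_items, 4 };

/* The caller: ecx = base + slot * sizeof(Item), then call item_count. */
uint32_t count_for_slot(const Inventory *inv, uint32_t slot) {
    return item_count(&inv->items[slot]);
}

/* The CE "4 bytes, hex" scan, generalised to pointer-sized words so it
 * runs on a 64-bit host as well: count words in [mem, mem+len) == value. */
size_t scan_for_value(const void *mem, size_t len, uintptr_t value) {
    size_t hits = 0;
    const uint8_t *p = mem;
    for (size_t off = 0; off + sizeof value <= len; off += sizeof value) {
        uintptr_t w;
        memcpy(&w, p + off, sizeof w);
        if (w == value) hits++;
    }
    return hits;
}

/* Scan the container for the pointer a given slot would put in esi. */
size_t hits_for_slot_pointer(uint32_t slot) {
    return scan_for_value(&g_inv, sizeof g_inv, (uintptr_t)&g_inv.items[slot]);
}
```

Scanning for slot 0's pointer finds the stored base (one hit), while slot 2's pointer, which exists only transiently in ecx/esi, yields zero hits; the stable pointer to chase is the array base plus a fixed offset.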
