Multilevel Pointer - getting to base address menu

  1. #1
    siriuz, Active Member
    Reputation
    78
    Join Date
    Jun 2009
    Posts
    69
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Multilevel Pointer - getting to base address

    Hi,

    I tried to find the base pointer of a dynamic address, but it seems to be dug very very deep ... and I mean really very deep! By manually searching for it using Cheat Engine, I gave up at level 20 - see screenshot - xD

    So is there another, easier method to get to such a deep thing?

    (screenshot attachment: Multilevel Pointer - getting to base address)
  2. #2
    Jadd 🐸, Premium Seller
    Reputation
    1511
    Join Date
    May 2008
    Posts
    2,432
    Thanks G/R
    81/333
    Trade Feedback
    1 (100%)
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Place a read breakpoint and you'll see the offset from the class base it resides in. From here you can see where the class itself is referenced. Depending on how the process uses the class, it's possible to repeat this until you find a static address.

  3. #3
    siriuz
    How exactly would I do this in CE?

  4. #4
    Jadd
    Originally Posted by siriuz:
    How exactly would I do this in CE?
    Right click the address -> Find out what accesses this address.

    You should look into using IDA though. It will simplify all of this.

  5. #5
    siriuz
    Originally Posted by Jadd:
    Right click the address -> Find out what accesses this address.
    This is exactly what I was doing ... I was going from pointer to pointer with this ... but after the 20th iteration I gave up ... so I thought there is a better and quicker method? IDA?

  6. #6
    ccKep, Member
    Reputation
    11
    Join Date
    Jan 2010
    Posts
    33
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by siriuz:
    I gave up at level 20 - see screenshot - xD
    Don't know what you're trying to read there, but: You're going in circles...

    https://i.imgur.com/mVTEtB0.png

  7. #7
    siriuz
    lol you're right ... maan this sucks ... what I'm trying is to catch when a BG queue invite pops up, but I guess my ASM knowledge is too weak for something like this :-/

  8. #8
    ccKep
    Originally Posted by siriuz:
    lol you're right ... maan this sucks ... what I'm trying is to catch when a BG queue invite pops up, but I guess my ASM knowledge is too weak for something like this :-/
    Take a look at API GetBattlefieldStatus and API GetMaxBattlefieldID

  9. #9
    siriuz
    Originally Posted by ccKep:
    I want to do it with mem reading only, but this maybe pushes me in the right direction ... thx

  10. #10
    ccKep
    Originally Posted by siriuz:
    I want to do it with mem reading only, but this maybe pushes me in the right direction ... thx
    Reverse those functions, they tell you what to monitor.

    GetMaxBattlefieldID tells you where to read the maximum amount of battlegrounds from, GetBattleFieldStatus tells you where to read the status from.

    Edit: There's a linked list with its head at WoW.exe + 0xACCAE8 (next pointer at offset 0x4, status offset at 0x34)

    Smashed together a small Lua script for CheatEngine (first time I used CE's lua engine): CheatEngine -> Memory Viewer -> Tools -> Lua Engine

    Code:
    function hasBGInvite()
        -- list head lives at WoW.exe+ACCAE8; the "[...]" form resolves it to the first node
        local cur = getNameFromAddress("[WoW.exe+ACCAE8]")

        while true do
            -- the list ends at NULL or at an odd "pointer" (the client's end marker);
            -- CE Lua has no bitwise operators, so test the low bit with modulo
            -- (the original compared the string cur against 0, which never matches)
            local addr = getAddress(cur)
            if addr == 0 or addr % 2 == 1 then
                break
            end

            -- status field at +0x34; 2 is "Confirm", i.e. an invite is pending
            local status = readInteger(cur .. "+34")
            if status == 2 then
                return true
            end

            -- next pointer at +0x4
            cur = getNameFromAddress("[" .. cur .. "+4]")
        end

        return false
    end

    if hasBGInvite() then
        print("Invite")
    else
        print("No Invite")
    end
    Last edited by ccKep; 02-07-2013 at 12:01 AM.

  11. #11
    siriuz
    wow, that's way trickier than I expected ...
    ... and you found these offsets by reversing GetBattleFieldStatus(), right? So have you done this with IDA, or can you recommend me another tool?
    I want to dig into this and find out how you get this number.

  12. #12
    ccKep
    Originally Posted by siriuz:
    wow, that's way trickier than I expected ...
    At least that's how the PvPFrame checks for invites:
    PVPFrame.lua in function PVP_UpdateStatus.

    Originally Posted by siriuz:
    ... and you found these offsets by reversing GetBattleFieldStatus(), right? So have you done this with IDA, or can you recommend me another tool?
    I want to dig into this and find out how you get this number.
    Yes, IDA (+OllyDbg)

    You can take a look at [Guide] Finding not so simple stuff. to get a start.

    GetBattlefieldStatus() pseudo-C output from Hex-Rays (IDA Plugin): Link
    Interesting parts for your specific problem:
    - Line 21 gets the head of the linked list, dword_ECCAE8. My IDB is not rebased, so you have to subtract 0x400000 from that: 0xECCAE8 - 0x400000 = 0xACCAE8, the offset you see in the script up there.
    - Lines 25-39 walk the linked list to find the specified ID (GetBattlefieldStatus gets called with 1 argument: The ID of the BG to be queued)
    - Line 36 is said check à la if (cur->ID == wantedID) break;
    - Line 38 moves to the next element in the linked list à la cur = cur->next;
    - Lines 40-57 are a simple switch that checks the status and pushes a string onto the Lua stack according to the status:

    Code:
    switch(cur->status)
    {
        // ...
        case 2:
            // Confirm = Invite Ready
            break;
        // ...
    }
    - Rest at the bottom is to get the map name etc.... that's some more complex stuff and shouldn't concern you if you just want to know if you have an invite pending.
    Last edited by ccKep; 02-07-2013 at 06:22 PM.
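
As an added example (not the thread's own code, and not reading a live process), the same list walk over a constructed 32-bit memory image in Python, using the layout ccKep gives above (next pointer at +0x4, status at +0x34, status 2 = invite ready, list terminated by NULL or an odd pointer) and adding the cycle guard that the "going in circles" screenshot in post #6 shows a pointer chase needs. The head-slot and node addresses in the sample image are made up.

```python
import struct

NEXT_OFF = 0x4        # next-pointer offset given in ccKep's post
STATUS_OFF = 0x34     # status offset given in ccKep's post
STATUS_CONFIRM = 2    # "Confirm = Invite Ready" in the Hex-Rays switch

class Memory32:
    """Constructed 32-bit little-endian image; unmapped reads fail like a real read would."""
    def __init__(self):
        self.words = {}
    def write_u32(self, addr, value):
        self.words[addr] = struct.pack("<I", value)
    def read_u32(self, addr):
        if addr not in self.words:
            raise ValueError("unmapped read at 0x%08X" % addr)
        return struct.unpack("<I", self.words[addr])[0]

def walk_bg_list(mem, head_slot, max_nodes=64):
    """Yield (node, status) until NULL or an odd sentinel; refuse to go in circles."""
    seen = set()
    cur = mem.read_u32(head_slot)
    while cur != 0 and (cur & 1) == 0:
        if cur in seen:
            raise RuntimeError("cycle at 0x%08X" % cur)
        if len(seen) >= max_nodes:
            raise RuntimeError("more than %d nodes, giving up" % max_nodes)
        seen.add(cur)
        yield cur, mem.read_u32(cur + STATUS_OFF)
        cur = mem.read_u32(cur + NEXT_OFF)

def has_bg_invite(mem, head_slot):
    return any(s == STATUS_CONFIRM for _, s in walk_bg_list(mem, head_slot))

def check_invite(mem, head_slot):
    """Non-raising wrapper: (invite_pending, error_text_or_None)."""
    try:
        return has_bg_invite(mem, head_slot), None
    except (RuntimeError, ValueError) as exc:
        return False, str(exc)

def build_sample(statuses, loop=False):
    """Constructed image: head slot -> node0 -> ... -> odd sentinel (or back to node0)."""
    mem = Memory32()
    head_slot = 0x00ACCAE8   # stand-in for WoW.exe+ACCAE8; the image base is made up
    nodes = [0x0E100000 + i * 0x100 for i in range(len(statuses))]
    sentinel = 0x0E1FFFF1    # odd value, i.e. the terminator the CE script tests for
    mem.write_u32(head_slot, nodes[0] if nodes else sentinel)
    for i, (node, status) in enumerate(zip(nodes, statuses)):
        tail = nodes[0] if loop else sentinel
        mem.write_u32(node + NEXT_OFF, nodes[i + 1] if i + 1 < len(nodes) else tail)
        mem.write_u32(node + STATUS_OFF, status)
    return mem, head_slot
```

With `loop=True` the last node points back at the first, which is the situation the CE script above would spin on forever; the guard turns it into a reported error instead.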

  13. #13
    siriuz
    Ahh, with this C code all becomes clear ... thx for your detailed explanation
    (will give you more +rep when I can)

    Now I'm going to give IDA a go and try to get to the same C-Output as you
    Last edited by siriuz; 02-07-2013 at 06:39 PM.
