Can't find base addres with CE

DJK · 2010-11-29, 12:55 AM

Hzy, well I really I tried this for hours now and it's just not working, I'm using a small game just for testing purposes (and fast scanning) and this is what I do:

Game: vvvvvv
1. Boot up game, level
2. Boot up CE, attach to vvvvvv.exe
3. Search the "deaths" value (its a 4byte non static value, literally on screen)
4. Find the value "0D39F1CC" (this changes on every restart of game)
5. Right click and use "what writes to this address"
6. Double click the one resulted code line

------------------------
Screenshot up to this point
FULL SIZE (had to shrink to fit 800x800) --> www.mediansoft.net/cevvvvvv.jpg

------------------------

7. Toggle hex and search new scan on "0D39F0A0"
8. I find 5 results but none of them are static addresses.

------------------------
Screenshot up to this point
FULL SIZE (had to shrink to fit 800x800) --> www.mediansoft.net/cevvvvvv2.jpg

------------------------

At this point im lost... the tutorial from CE itself gave me just one nice green static at this point while here I get 5 black ones.. this gives me the impression I went wrong somewhere in step 7...

I can provide you with any more information you need but if anyone can nudge me in the right way, thanks a lot causse well I start to believe the tutorial was made to find the result easily while in actual practise this isn't so easy.... (unless I'm very wrong in step7)

Thanks a lot!
DJK

Dwar · 2010-11-29, 02:05 AM

Nope, you are in a right way. Just continue searching BA from found values
And read guide "Find BA with CE and OllyDbg", 'coz you can do all job with debugger

beBoss · 2010-11-29, 06:40 PM

DJK
Watch this tutorial:
http://www.youtube.com/watch?v=p6psMboRTUY

If you look carefully you will see how things are done (in min 3 - same situation like yours).
Just watch it carefully !!!

MrSmith · 2010-11-29, 07:01 PM

Which game are you trying to find the basepointer of ?

DJK · 2010-11-29, 10:57 PM

Hey,

I did watch it carefully trust me

and it looks so simple there. But it just doesn't work for me... So I always get 5 black values. I tried looking what accessses those 5 pointers one by one...

3 of them change when I change "the room im in" but not when I "die", of course when I die the room changes to last checkpoint so they change as well but I figure it can't be them because my pointer updates to the new "total of deaths", then the room changes and the the opcodes start emerging.. so I figured as the death counter "moved" already before the room changes those opcodes can't be "it".

1 does absolutely nothing, not when I die, not when I change rooms so I figure that's not "it"

1 changes as soon as I alt tab back in the game. Right away. So well at first I thought.. "this can't be it".. then I figured who knows, maybe it looks how many deaths you have at alt tabbing in for who knows what reason... of all the choices I had I went with this one as it seemed the most plausable...

I looked for the new hex and arrived at another 3 black values. And here I am stuck again.. the usual method to add this second pointer doesn't work anymore either because i'm following the "wrong path", or because I don't know the offset...

This is the opcode for the second pointer:
0112b9e4 - 8b 14 86 - mov edx,[esi+eax*4]

Do I need to calculate that esi+eax*4 ...? as in literal mathematics: esi + (eax*4) or well I don't know

If anyone has the game and is a cheating god and has some free time (I might even pay for it to learn...) please:

1. Go in the game (vvvvvv)
2. Unlock all content (its in options, otherwise u can't access time trails yet, unless you finish level one in campaign).
3. It's the "deaths" value literally on screen and very easy to find with a standard 4 byte search...

Thanks a lot again everyone who replied !

MrSmith · 2010-11-30, 02:20 AM

[esi+eax*4] indicates an array of bytes, in simple terms a list of items in memory. To calculate the offset it would be eax * 4 (hex). For example say if eax = 4 then the offset would be 10 (hex). Which game are you speaking of by the way ?

Dwar · 2010-11-30, 04:21 AM

I thought that the "vvvvvv" is just process name example... but this is a game name 8)
web site: thelettervsixtim.es/
And I like description: "VVVVVV is an old-school ultra-sadistic challenge-based puzzle platformer. "

DJK
Maybe, this game like a Battle of the Immortals where you can't ever find static address for speed

-- 2010-11-30, 04:21 --

DJK
Ok, I took 20 min from my lunch. You forgot to notice that this is a flash game. So you should use another cheating approach, but not finding BA for death with CE.
Decompile this game, and check ac3 scripts. You can activate all game mods, nodeathmod etc. Or if you still trying to find death count, check this routine:

Code:

public function deathsequence(param1:mapclass, param2:entityclass, param3:musicclass) : void
        {
            ;
            with (false)
            {
                var _loc_7:* = null * (null ^ null[null === null[true]]);
                var _loc_8:String = null;
                if (_loc_8 || param2)
                {
                    if (this.supercrewmate)
                    {
                        if (_loc_8)
                        {
                        }
                    }
                    if (this.scmhurt)
                    {
                        this.i = param2.getscm();
                    }
                    else
                    {
                        this.i = param2.getplayer();
                    }
                    param2.entities[this.i].colour = 1;
                    param2.entities[this.i].invis = false;
                }
                if (this.nodeathmode)
                {
                    param3.fadeout();
                    this.gameoverdelay = 60;
                }
                var _loc_4:String = this;
                if (_loc_8 || param2)
                {
                }
                var _loc_5:* = this.deathcounts + 1;
                if (_loc_8 || param3)
                {
                    _loc_4.deathcounts = _loc_5;
                }
                if (_loc_8)
                {
                    param3.playef(2, 10);
                    param2.entities[this.i].invis = true;
                    if (param1.finalmode)
                    {
                        var _loc_4:* = param1.roomdeathsfinal;
                        var _loc_5:* = this.roomx - 41 + 20 * (this.roomy - 48);
                        var _loc_6:* = param1.roomdeathsfinal[this.roomx - 41 + 20 * (this.roomy - 48)] + 1;
                        if (!_loc_7)
                        {
                            _loc_4[_loc_5] = _loc_6;
                        }
                        this.currentroomdeaths = param1.roomdeathsfinal[this.roomx - 41 + 20 * (this.roomy - 48)];
                    }
                    var _loc_4:* = param1.roomdeaths;
                    ;
                    var _loc_5:* = (null - (null >> (null & (null | param1.roomdeaths * this)))).roomx - 100 + 20 * (this.roomy - 100);
                    var _loc_6:* = null[(null - (null >> (null & (null | param1.roomdeaths * this)))).roomx - 100 + 20 * (this.roomy - 100)] + 1;
                    if (_loc_8 || param1)
                    {
                        _loc_4[_loc_5] = _loc_6;
                    }
                }
                this.currentroomdeaths = param1.roomdeaths[this.roomx - 100 + 20 * (this.roomy - 100)];
                if (_loc_8 || this)
                {
                    if (this.deathseq == 25)
                    {
                        param2.entities[this.i].invis = true;
                    }
                    if (this.deathseq == 20)
                    {
                        param2.entities[this.i].invis = true;
                    }
                }
                if (this.deathseq == 16)
                {
                    param2.entities[this.i].invis = true;
                }
                if (_loc_8)
                {
                    if (this.deathseq == 14)
                    {
                        param2.entities[this.i].invis = true;
                    }
                    if (this.deathseq == 12)
                    {
                        param2.entities[this.i].invis = true;
                    }
                }
                if (this.deathseq < 10)
                {
                    if (_loc_8 || this)
                    {
                        param2.entities[this.i].invis = true;
                    }
                }
                if (!this.nodeathmode)
                {
                    if (this.deathseq <= 1)
                    {
                        param2.entities[this.i].invis = false;
                    }
                }
                else
                {
                    var _loc_4:String = this;
                    if (_loc_8)
                    {
                    }
                    var _loc_5:* = this.gameoverdelay - 1;
                    if (_loc_7)
                    {
                        ;
                        param2 = _loc_7;
                        with (null << null == null)
                        {
                        }
                        if (!this)
                        {
                            _loc_4.gameoverdelay = _loc_5;
                        }
                    }
                    return;
        }// end function

iam_clint · 2010-12-12, 11:53 PM

Also you can use javascript in your address bar to directly edit variables in a flash game. example
javascript: var c = document.getElementById("game").SetVariable("Var Here", "New Value Here");

Thread: Can't find base addres with CE

Thread Tools

Display

Can't find base addres with CE

Re: Can't find base addres with CE

Re: Can't find base addres with CE

Re: Can't find base addres with CE

Posting Permissions