C ++，作弊引擎/OllyDBG查找基础“静态".来自多级指针的地址 [英] C++ , Cheat Engine / OllyDBG finding base "static" address from multi-level pointers

问题描述

我又回来了，沮丧并且拼命寻找帮助:D.

I'm back again, frustrated and desperately searching for help :D.

我正在尝试为一个简单的程序创建一个作弊程序，它基本上是一个.dll文件，当使用基地址将其注入到主程序中时，它将更改主程序中整数的值.问题是，我无法使用作弊引擎找到它，主要是因为有多个带有NEGATIVE的级别指针?抵消.例如:

I am trying to create a cheat for a simple program, it's basically going to be a .dll file which will change an integer's value from the main program when it's injected to it using its base address. The thing is, I can't find it using cheat engine mainly because there are multiple level pointers with NEGATIVE? offsets. for example:

//Starting pointer address
0x0033FCF0 -> 200

//Finding second level pointer using "Find out what's accessing this address" in Cheat Engine
**(mov eax,[ebp+08])** // **EAX=0x00000007** , **EPB=0x0033FCE8 => mov 00000007,[0033FCE8+08]**

2nd Level Pointer:
**(0033FCE8+18) -> 200**

因此，我继续使用查找..."来查找下一个指针，但是在将T-SEARCH与第二级指针地址一起使用时，我得到了7-8个新的静态地址.

So I proceed to find the next pointer using "Find out what's .... " but while using T-SEARCH with the second-level pointers address and i get like 7 - 8 new static addresses.

问题是，我不能说出哪个是正确的，因为作弊引擎拒绝让我使用负数添加指针?偏移量.

The thing is, I cannot tell which one is correct because cheat engine REFUSES to let me add a pointer using a NEGATIVE? offset.

示例:

Base Pointer:
**mov eax,[epb-18] !!!** // Notice the **MINUS**

最重要的是，作弊引擎拒绝接受带有负偏移量的指针！

And on top of everything Cheat Engine refuses to accept a pointer with a negative offset!

那么，还有另一种方法可以从多个级别的指针中查找基址吗? 欢迎使用OlyDBG/Idapro解决方案.谢谢大家！

So , is there another way of finding the base address from multiple level pointers? OlyDBG / Idapro solutions are welcome. Thanks alot guys!

这是我要破解的简单程序的源代码:

Here's the source code of the simple program I'm trying to hack:

#include <iostream>
#include <conio.h>
#include <windows.h>
#include <stdlib.h>

int main(){
    int hp = 100;
    while(1){
        std::cout << hp << std::endl;
        Sleep(3000);
        hp += 10;
        system("cls");
    }
    return 0;
}

我要尝试的是使用此.dll编辑hp整数

What i am trying to do is edit the hp integer with this .dll

#include <windows.h>
#define BASE    0xBASE_POINTERS_ADDRESS_WHICH_I_NEED_TO_FIND
#define OFFSET  0xTHE_OFFSET
#define VALUE   90
void MainFunction()
{
      while(1)
      {
            if (GetAsyncKeyState(VK_MENU)&0x8000 && GetAsyncKeyState('C')&0x8000) 
            MessageBox(0,L"Alt + C was pressed!",L"MessageBox! ",0);
            *(int*)((*(int*)BASE) + OFFSET) = VALUE;

            Sleep(100); //Let the program rest, otherwise it hogs cpu resources.
      }
}

BOOL WINAPI DllMain(HINSTANCE MyInstance,DWORD reason_for_call,LPVOID PointerToVoid)
{
         if (reason_for_call == DLL_PROCESS_ATTACH) CreateThread(0,0,(LPTHREAD_START_ROUTINE)&MainFunction,0,0,0);
         return true;
}

通过这种方式，我试图入侵hp！ 〜哦，等等，我已经说过了，哦，好吧；)

谢谢你们，上帝保佑你们！

Thank you guys, god bless you all!

推荐答案

我认为您误解了作弊引擎的目标.

I think you are misunderstanding the goal of Cheat Engine.

CE允许您修改以持久方式存储在内存中的值.例如，在堆上或在程序的静态数据中.

CE allows you to modify values that are stored in a durable way in memory. For example, on the heap, or in the program's static data.

例如，C ++对象是以确定性的方式分配的，因此它们永远不会移动.这就是为什么可以使用在对象的整个生命周期内保持不变的指针引用它们的原因.该对象有时由另一个对象拥有.如果找到指向所有者对象的指针，则会找到称为基本指针的东西.

For example, C++ objects are allocated in a deterministic way, and hence, they never move. This is why they can be referenced by a pointer that remains constant all over the object's lifetime. This object is sometime owned by another. If you find a pointer to the owner object, you found what is called a base pointer.

例如:

class Object
{
    bool dummy;
    int someField;
    Object* child;
};

现在，假设您有3个Object的嵌套树.这意味着您有一个根Object(n°1)，其根child是另一个Object(n°2)，其child是另一个Object(n°3).假设您做这样的事情:

Now imagine you have a nested tree of 3 Object. Meaning that you have a root Object (n°1), whose child is another Object (n°2), whose child is another Object (n°3). Imagine you do something like this :

int main(int argc, char** argv)
{
    Object root; // n°1
    root.child = new Object(); // n°2
    root.child->child = new Object(); // n°3

    return 0;
}

您有兴趣弄乱n°3的someField值.您知道相对于Object的someField地址是+sizeof(bool) = 1. 所以(void*)&(object n°3) + 1是您想要的someField的指针.

You're interested in messing with n°3's someField value. You know that the address of someField, relative to an Object, is of +sizeof(bool) = 1. So (void*)&(object n°3) + 1 is a pointer to the someField you want.

现在，如何找到指向对象n°3的指针? 知道child的相对地址是+sizeof(bool)+sizeof(int) = 5.我们知道，指向对象n°3的指针是(void*)&(object n°2) +5.

Now, how do you find a pointer to object n°3 ? Knowing that the relative address of child is +sizeof(bool)+sizeof(int) = 5. We know that a pointer to object n°3 is (void*)&(object n°2) + 5.

对象n°2的地址相同，我将其保留为练习.

Same goes for the address of object n°2, I'll leave that as an exercise.

但是对象n°1呢?它没有分配在堆上.它在堆栈上.废话因此，我们必须找到另一种方法来找到对象n°1的存储地址.

But what about object n°1 ? It's not allocated on the heap. It's on the stack. Crap. So we must find another way to find the address where object n°1 is stored.

局部变量存储在堆栈中.在汇编中，它们通过相对于寄存器EBP的偏移量来标识(如果函数不更改堆栈，则为ESP). EBP是堆栈的顶部，而ESP是堆栈的底部.

Local variables are stored on the stack. In assembly, they are identified by their offset relative to the register EBP (or ESP if the function does not change the stack). EBP is the top of the stack, while ESP is the bottom of the stack.

在此示例中:

function foo()
{
    int a;
    double b;
}

调用foo时，堆栈将增加到足以容纳a和b的大小，即sizeof(int)+ sizeof(double)或12个字节. a将存储在EBP - sizeof(int) = EBP - 4(与ESP + 8相同)，b将存储在EBP - sizeof(int) - sizeof(double) = EBP - 12(与ESP相同). 注意！.编译器可以更改此顺序，因此变量的声明顺序在内存中不一定相同.优化也可以完全改变这一点.但是让我们保持这个简单的好吗?

When foo is called, the stack will be increased just enough to hold a and b, that is, sizeof(int) + sizeof(double), or 12 bytes. a will be stored at EBP - sizeof(int) = EBP - 4 (same as ESP + 8) and b will be stored at EBP - sizeof(int) - sizeof(double) = EBP - 12 (same as ESP). Attention! The compiler can change this order, so the declaration order of your variables isn't necessarily the same in memory. Optimizations can also change this completely. But let's keep this simple okay ?

所以回到我们的主要例子.我们有哪些局部变量?仅root.因此，根目录将直接位于EBP - 9.但是，仅当main是调用堆栈顶部的函数时，才这样.没有调试器，您将无法做到.

So back to our main example. What local variables do we have ? root only. Therefore root will be located at EBP - 9 directly. But this, ONLY when main is the function on top of the call stack. Without a debugger, you can't do it.

让我们假设当调用main时，我们的EBP是0028FF28(取自刚编译的C程序).

Let's assume that our EBP is 0028FF28 when main is called (taken from a freshly compiled C program).

根位于(0x0028FF28-9)= 0x0028FF1F; 指向root.child的指针位于(0x0028FF1F + 5)=(0x0028FF24); 因此，root.child位于* 0x0028FF24.

root is then at (0x0028FF28 - 9) = 0x0028FF1F; the pointer to root.child is at (0x0028FF1F + 5) = (0x0028FF24); Therefore, root.child is located at *0x0028FF24.

指向root.child->child的指针位于(* 0x0028FF24 + 5)=(假设10000) 然后root.child->child为* 10000.

The pointer to root.child->child is at (*0x0028FF24 + 5) = (let's say 10000) Then root.child->child is at *10000.

最后，root.child->child.someField为* 10000 + 3.

Finally, root.child->child.someField is at *10000 + 3.

总结:您只需要找到root的静态地址即可找到其余的地址. root不在堆或任何类型的持久性内存上，而是在main的堆栈上，它在几乎所有程序中都持续存在，因此几乎就像是永久的一样. CE通过扫描整个过程内存空间来帮助您找到静态地址

To sum up: you just need to find the static address of root to find the rest. root is NOT on the heap or any kind of durable memory, but it is on main's stack, which lasts during almost all the program, so it's almost as if it were permanent. CE helps you find a static address by scanning the entire process memory space

牢记所有这些，您应该能够在堆栈上计算hp的相对地址并找到指向它的静态指针(main非常非常非常有可能每次您都具有一个静态帧地址启动程序).如果需要帮助，请使用调试器！我推荐使用Immunity Debugger.

With all this in mind, you should be able to calculate hp's relative address on the stack and find a static pointer to it (main is very, very, very likely to have a static frame address every time you launch the program). If you need help, use a debugger ! I recommend Immunity Debugger.

这篇关于C ++，作弊引擎/OllyDBG查找基础“静态".来自多级指针的地址的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！