How would I setup my scripts to auto update memory addresses

[Exempt]

How would I setup my scripts to auto update memory addresses?

[Administrator]

I'm not sure what you're asking. Are you talking about something like the update script for RoM that will automatically scan for the new addresses after a patch? Or do you just mean to update the pointers while the game is running?

[Exempt]

OH sorry, I mean like the update script you use.

[Administrator]

First, find the current static addresses. Next, use a debugger such as OllyDbg to find a constant (right click in CPU window, Search for->Constant). Search for the address.

You should be brought to something like this:

Code: Select all

005D7F6F   8B0D C0939600    MOV ECX,DWORD PTR DS:[9693C0]

This is the code that moves the address (0x9693C0 in this example) into a register. 8B0D is, simply put, the MOV to ECX register command. What you're after here is creating a pattern from the surrounding bytes (that will usually not change unless they change that function in the game client).

The nearby ASM is as follows:

Code: Select all

005D7F67   0F84 07040000    JE Client.005D8374
005D7F6D   8B07                  MOV EAX,DWORD PTR DS:[EDI]
005D7F6F   8B0D C0939600    MOV ECX,DWORD PTR DS:[9693C0]
005D7F75   56                     PUSH ESI
005D7F76   50                     PUSH EAX

So you could use a pattern like:
0F 84 ?? ?? ?? ?? 8B 07 8B 0D ?? ?? ?? ?? 56 50

You use findPatternInProcess() to find the pattern in the executable. Once found, it's simple math. You will find the start of the pattern (0x5D7F67 in my example), so you just need to add a few bytes to get it to the location of the start of the actual address we need (0x5D7F71). There is a 10 byte difference, so just add 10 to the found location, and you now know the location of the address we want to read. Now, just memoryReadInt() it.

The actual patterns I used in the update script are slightly different than the above example, but you should be able to figure it out.

Code: Select all

local charUpdatePattern = string.char(0x8B, 0x07, 0x8B, 0x0D, 0xFF, 0xFF, 0xFF, 0xFF, 0x56, 0x50, 0xE8);
local charUpdateMask = "xxxx????xxx";
local charUpdateOffset = 4;

function findOffsets()
	local staticcharbase, staticmacrobase;

	-- Find the character's static base
	local found = findPatternInProcess(getProc(), getCharUpdatePattern(), getCharUpdateMask(), 0x550000, 0xA0000);
	if( found == 0 ) then
		error("Unable to find static char base pointer in module.", 0);
	end

	addresses.staticpattern_char = found;
	addresses.staticbase_char = memoryReadInt(getProc(), found + getCharUpdateOffset());

	if( addresses.staticbase_char == nil ) then
		error("Found char pattern, but unable to read memory.\n");
	end


	-- Find the macro static base
	local found = findPatternInProcess(getProc(), getMacroUpdatePattern(), getMacroUpdateMask(), 0x6F0000, 0xA0000);
	if( found == 0 ) then
		error("Unable to find static macro base pointer in module.", 0);
	end

	addresses.staticpattern_macro = found;
	addresses.staticbase_macro = memoryReadInt(getProc(), found + getMacroUpdateOffset());

	if( addresses.staticbase_macro == nil ) then
		error("Found macro pattern, but unable to read memory.\n");
	end



	printf("addresses.staticbase_char: 0x%X\n", addresses.staticbase_char);
	printf("addresses.staticbase_macro: 0x%X\n", addresses.staticbase_macro);
end

[Exempt]

Do I need to start adding the pattern from the JPE SHORT fff... all the way to the address i need or do i keep going down a few?

Code: Select all

03B85066   7A 69            JPE SHORT fff.03B850D1
03B85068   0300             ADD EAX,DWORD PTR DS:[EAX]
03B8506A   0000             ADD BYTE PTR DS:[EAX],AL
03B8506C   6203             BOUND EAX,QWORD PTR DS:[EBX]
03B8506E   0000             ADD BYTE PTR DS:[EAX],AL
03B85070   005D 55          ADD BYTE PTR SS:[EBP+55],BL
03B85073   47               INC EDI
03B85074   0000             ADD BYTE PTR DS:[EAX],AL
03B85076   0000             ADD BYTE PTR DS:[EAX],AL
03B85078   3F               AAS                                      ////////////////This is the address I need.///////////////////////
03B85079   0000             ADD BYTE PTR DS:[EAX],AL
03B8507B   0029             ADD BYTE PTR DS:[ECX],CH
03B8507D   5C               POP ESP
03B8507E   8F               ???                                      ; Unknown command
03B8507F   3F               AAS
03B85080   0000             ADD BYTE PTR DS:[EAX],AL
03B85082   0000             ADD BYTE PTR DS:[EAX],AL
03B85084   0000             ADD BYTE PTR DS:[EAX],AL
03B85086   0000             ADD BYTE PTR DS:[EAX],AL
03B85088   0000             ADD BYTE PTR DS:[EAX],AL
03B8508A   0000             ADD BYTE PTR DS:[EAX],AL

[Administrator]

Do I need to start adding the pattern from the JPE SHORT xenimus

You start wherever you want.

03B85078 3F AAS ////////////////This is the address I need.///////////////////////

I don't think so. There's no address in an AAS command. You're looking for a constant first.

[Exempt]

Edit: 03785078 is the address I need to read from in my script. Also this address has no pointers or anything like that, it's the address that never changes unless an updates to the game.

Edit: I'm having some trouble finding the correct address for this. The address I need it to find is 03785078.

Code: Select all

printf("fff\n");
setStartKey(key.VK_DELETE);
setStopKey(key.VK_END);
 
 
function main()

	myProc = openProcess( findProcess("fff") );
	
	local HPPattern = string.char(0x3F, 0x00, 0x00, 0x00, 0x29, 0x5C, 0x8F, 0x3F);
	local HPMask = "xxxxxxxx";
	local HPAddress = findPatternInProcess(myProc, HPPattern, HPMask, 0x300000, 0x10000);
	if( HPAddress == 0 ) then
		printf("Failed to find the pattern in the process.\n");
	end
	
	printf("HP Adress: %d\n", HPAddress);
	HP = memoryReadByte(myProc, HPAddress);
	printf("HP Value: %d\n", HP);

	

		
    running = false;
    while(running) do
		--curX = memoryReadInt(myProc, 0x02C85944); --My current X position
        --curY = memoryReadInt(myProc, 0x0157D78C); --My current Y position
	
    end
end
startMacro(main);

[3cmSailorfuku]

Do I need to start adding the pattern from the JPE SHORT xenimus... all the way to the address i need or do i keep going down a few?

Start the game a few times and make snapshots of the same stack area to find out which opcodes are dynamic and which not.
It's probably the easiest way to do this if you are unsure.

And yes, it doesn't matter where you start. You could take a point that is 200 lines/offsets away, aslong as the distance doesn't change of the adress you want.

[Exempt]

Hm, I must be doing this wrong then. When i start OllyDBG this is what I see.

Code: Select all

77AE000D   C3               RETN
77AE000E   90               NOP
77AE000F   90               NOP
77AE0010   8B4C24 04        MOV ECX,DWORD PTR SS:[ESP+4]
77AE0014   F641 04 06       TEST BYTE PTR DS:[ECX+4],6
77AE0018   74 05            JE SHORT ntdll.77AE001F
77AE001A   E8 411D0100      CALL ntdll.ZwTestAlert

I go to Search -> Constant then I type in the address I need in the Hex Box which is 03785078.
After that it does nothing at all, it shows the exact same addressesas above.

I typed to Search for the memory Adress with Go To -> Expression -> Type in 03785078.
I get this...

Code: Select all

03B85078   3F               AAS
03B85079   0000             ADD BYTE PTR DS:[EAX],AL
03B8507B   0029             ADD BYTE PTR DS:[ECX],CH
03B8507D   5C               POP ESP
03B8507E   8F               ???                                      ; Unknown command
03B8507F   3F               AAS
03B85080   0000             ADD BYTE PTR DS:[EAX],AL
03B85082   0000             ADD BYTE PTR DS:[EAX],AL

I used 3F 00 00 00 29 5C 8F 3F in my pattern.

Code: Select all

local HPPattern = string.char(0x3F, 0x00, 0x00, 0x00, 0x29, 0x5C, 0x8F, 0x3F);

My full code is in the post above.

[Administrator]

You're not trying to find that address directly. You're trying to find code that references that address. If you need to search for a byte array, you need to do it in reverse order. That is, if your address is 0x12345678, you search 78 56 34 12.

It looks like you are using the address directly, too. You probably should have a base pointer (entry to struct) plus some offset instead. You'd need to search for the pointer to the struct; not the actual address.

[Exempt]

Hm, It's not an array I'm looking for it's a 1 byte value for my HP in game (0-63).

[Administrator]

Again, you are misunderstanding what I'm saying. If you are searching for 0x03785078 (the address you gave me), the byte order is going to be reversed in the binary, so you search for 78 50 78 03, not 03 78 50 78.

[Exempt]

Alright, thats easy enough. Where do I search for that at exactly? When I tried searching for that value with the Search For -> Constant it would only search for 78. I'm still doing something wrong here.

I went to Search For -> Binary String and came to this...

Code: Select all

77B6F546   EB 07            JMP SHORT ntdll.77B6F54F
77B6F548   33C0             XOR EAX,EAX
77B6F54A   40               INC EAX
77B6F54B   C3               RETN
77B6F54C   8B65 E8          MOV ESP,DWORD PTR SS:[EBP-18]
77B6F54F   C745 FC FEFFFFFF MOV DWORD PTR SS:[EBP-4],-2
77B6F556   6A 00            PUSH 0
77B6F558   E8 1B2DFBFF      CALL ntdll.RtlExitUserThread
77B6F55D   CC               INT3
77B6F55E   90               NOP
77B6F55F   90               NOP

What exactly do I put in the search box when i search for a constant?

[Administrator]

I think I just noticed your problem. You use a 64 bit OS, don't you? Since the game is (probably) 32 bit, it's run through a compatibility layer. This means that when you open it with Olly, you're automatically dumped into ntdll, not the game itself. I often make this mistake myself. Open the executables module window (if it's not open already, press ALT+E). Double click on the game client. Make sure you check the Path section in this window to make sure you get the right one (For example, I see C:\...\Client.exe for Runes of Magic).

Now, you go back to the CPU window, right click, search for, constant. You type the full address, as is (not reverse byte order) without the 0x. Since your address is 0x03785078, search for the constant 03785078.

[Exempt]

Ah, good I'm not completely stupid after all. I am using a 64 bit OS. I will give this a try, thanks a bunch.

Edit: Thats seemed to work for me but I'm still not getting the right addresses.

This is what i get after i search for a constant.

Code: Select all

004198F6   . E8 5583FEFF    CALL fff.00401C50
004198FB   . B9 98D88506    MOV ECX,Xenimus.0685D898
00419900   . E8 8B7FFEFF    CALL fff.00401890
00419905   . A1 B0D88506    MOV EAX,DWORD PTR DS:[685D8B0] --This is where search constant stops.
0041990A   . 8B0D B4D88506  MOV ECX,DWORD PTR DS:[685D8B4]
00419910   . 8B15 B8D88506  MOV EDX,DWORD PTR DS:[685D8B8]
00419916   . A3 BCC91903    MOV DWORD PTR DS:[319C9BC],EAX
0041991B   . 2B05 2490F403  SUB EAX,DWORD PTR DS:[3F49024]
00419921   . 890D 8C32E502  MOV DWORD PTR DS:[2E5328C],ECX
00419927   . 890424         MOV DWORD PTR SS:[ESP],EAX

I use this as my pattern.

Code: Select all

0xA1, 0xFF, 0xFF, 0xFF, 0xFF, 0x8B, 0x0D, 0xFF, 0xFF, 0xFF, 0xFF,
		0x8B, 0x15, 0xFF, 0xFF, 0xFF, 0xFF, 0xA3

I end up with this as my address

Code: Select all

mouseX Address: 0x419905
mouseY Address: 0x419909
mouseX Value: -95
mouseY Value: 6
Stopping execution.

My code is

Code: Select all

printf("fff\n");
setStartKey(key.VK_DELETE);
setStopKey(key.VK_END);
 
 
function main()

	myProc = openProcess( findProcess("fff") );
	
	local mouseXPat = string.char(0xA1, 0xFF, 0xFF, 0xFF, 0xFF, 0x8B, 0x0D, 0xFF, 0xFF, 0xFF, 0xFF,
		0x8B, 0x15, 0xFF, 0xFF, 0xFF, 0xFF, 0xA3);
	local mouseXMask = "x????xx????xx????";
	local mouseXAdd = findPatternInProcess(myProc, mouseXPat, mouseXMask, 0x400000, 0x40000);
	local mouseYAdd = mouseXAdd + 0x4;
	if( mouseXAdd == 0 ) then
		printf("Failed to find the pattern in the process.\n");
	end
	mouseX = memoryReadByte(myProc, mouseXAdd);
	mouseY = memoryReadByte(myProc, mouseYAdd);
	printf("mouseX Address: 0x%X\n", mouseXAdd);
	printf("mouseY Address: 0x%X\n", mouseYAdd);
	printf("mouseX Value: %d\n", mouseX);
	printf("mouseY Value: %d\n", mouseY);
	
    running = false;
    while(running) do
		--curX = memoryReadInt(myProc, 0x02C85944); --My current X position
        --curY = memoryReadInt(myProc, 0x0157D78C); --My current Y position
	
    end
end
startMacro(main);

[Administrator]

local mouseXAdd = findPatternInProcess(myProc, mouseXPat, mouseXMask, 0x400000, 0x40000) +1;

Since your pattern starts with the MOV command (0xA1), you need to add 1 byte to the result so that you're reading the address; not the 0xA1 + 3 bytes of the address.

You should also verify that 0x685D8B0 is pointing to the right address (if it's not already the address you need) since it's a DWORD pointer.

[Exempt]

hm, 0685D8B0 is the green address in cheat engine. I assume it's the right address.

Edit: I double checked and tried adding the +1 it till does not return the address containing my mouse X coord.

Edit: It's only return the constant address to me not the address of the mouse X.

[Administrator]

If that's the correct address, then ignore what I previously said. You're heading in the right direction. Add a print statement to print out the value of mouseXAdd first. Take things from there.

[Exempt]

It's only return the constant address to me not the address of the mouse X.

Code: Select all

Started.
mouseX Address: 0x419905 --This is the address it returns
mouseY Address: 0x419909 --This address is mouseX +0x4
mouseX Value: -2049396575 --This is mouseX's value
mouseY Value: -1274180858 --This is mouseY's value
Stopping execution.

[Administrator]

You're using memoryReadByte(), not memoryReadInt() in the code you posted before. Have you changed this? You should definitely be reading 4 bytes from 0x419906.