Cheat Engine OllyDbg: Finding Base Static Address from Multi-Level Pointers

Imagine having the power to unlock hidden values within a game’s memory, manipulate them to your advantage, and delve into the intricate world of memory hacking. In the realm of game hacking, tools like Cheat Engine and OllyDbg stand as pillars of strength for finding base static addresses from multi-level pointers. These tools are essential for enthusiasts seeking to explore the depths of memory manipulation and enhance their gaming experience with a touch of creativity and expertise.

Strategies for Finding Base Static Addresses

Finding base static addresses from multi-level pointers can be a challenging task, especially when dealing with negative offsets and complex memory structures. Let’s break down the process and explore some strategies to achieve your goal.

1. Cheat Engine (CE) Approach:

   • Scan the Entire Process Memory Space: CE helps you find static addresses by scanning the entire process memory space. Start by searching for the value you want to change using Cheat Engine.
   • Identify the Root Address: To find the base address, focus on the root of your data structure. In your case, you’re interested in modifying the “hp” integer. Since “main” likely has a static frame address on the stack, it’s a good place to start.
   • Calculate Relative Address: Calculate the relative address of “hp” on the stack. This relative address will serve as the starting point for finding the rest of the pointers.
   • Pointer Scans: Use CE’s pointer scan feature to find base addresses with offsets. You’ll likely encounter multiple candidates, so pay attention to the ones that make sense in the context of your program.

2. OllyDBG and IDA Pro:

   • Debugger Assistance: Debuggers like OllyDBG and IDA Pro can be powerful tools for reverse engineering. Attach OllyDBG to your target program and analyze its memory layout.
   • Static Addresses: Look for static addresses that remain consistent across different runs of the program. These addresses are likely to be base pointers.
   • Stack Frames: Since “main” is a common entry point, examine its stack frame. The stack frame typically contains local variables, including “hp.” You can find the base address by analyzing the stack frame.
   • Disassembly and Memory Dump: Use disassembly views and memory dumps to trace memory accesses and identify pointers. Look for patterns that lead you to the desired base address.

3. Your .dll Injection Code:

   • You’ve defined BASE, OFFSET, and VALUE in your .dll. Let’s break it down:
     • BASE: This should be the base address you’re trying to find.
     • OFFSET: The offset from the base address to the “hp” integer.
     • VALUE: The value you want to set for “hp.”
   • Modify the Base Address: Replace 0xBASE_POINTERS_ADDRESS_WHICH_I_NEED_TO_FIND with the actual base address you discover using the methods above.
   • Injecting the .dll: Your MainFunction modifies the “hp” value. Make sure your .dll is injected correctly into the target process.
   • Debugging and Testing: Use debugging tools to verify that your .dll is working as expected. Monitor the changes to “hp” and ensure they align with your intentions.

---

Understanding Pointer Dereferencing

When dealing with multi-level pointers in memory manipulation, dereferencing is essential to access the data stored at specific memory addresses. Let’s explore how to achieve this:

1. Pointer Dereferencing Basics:

   • The dereference operator (*) allows us to access the value stored at the memory location pointed to by a pointer. For instance:

     int* ptr = (int*) malloc(sizeof(int));
     *ptr = 10;
     printf("%d", *ptr); // Outputs: 10
     

     In this example, malloc allocates memory for an integer and returns the address of the first byte. By dereferencing ptr, we can store and retrieve values from that memory location.

2. Multi-Level Pointers:

   • Multi-level pointers occur when pointers point to other pointers. For instance, consider a scenario where you have static pointers pointing to dynamic addresses in a game.
   • These pointers may go up to multiple levels, making it cumbersome to manually dereference each level.
   • Instead of repeatedly doing ********pointer, you can use a function to simplify the process.

3. Function for Dereferencing Multi-Level Pointers:

   • Here’s an example function that dereferences multi-level pointers with offsets:

     int* getLowestPointer(int** highestPointer, int levels, int offsets[]) {
         for (int i = 0; i < levels; i++) {
             highestPointer = (int**) (*highestPointer + offsets[i] / sizeof(int));
             // Undo pointer arithmetic by dividing by sizeof(int)
         }
         return (int*) highestPointer;
     }
     

   • This function takes the highest-level pointer, the number of levels, and an array of offsets.
   • It iterates through the levels, adjusting the pointer based on the offsets.
   • The result is cast back to int* before returning.

4. Considerations:

   • While casting int* to int** might be considered “bad practice,” it’s necessary in this context.
   • Using typedefs can improve code readability.
   • If offsets aren’t multiples of sizeof(int), consider using char* and char** pointers to handle them more flexibly.

Remember that manipulating memory in this way requires a good understanding of memory models and assembly. Proceed with caution and ensure you’re not violating any ethical guidelines or copyright restrictions.

Game Hacking Tools: Cheat Engine and OllyDbg

When dealing with multi-level pointers and static addresses in game hacking, tools like Cheat Engine and OllyDbg can be incredibly useful. Let’s break down the process:

1. Cheat Engine:

   • Cheat Engine is a powerful memory scanner and debugger that allows you to find and manipulate values in running processes.
   • To trace multi-level pointers using Cheat Engine, follow these steps:
     1. Search for the Value: First, use Cheat Engine to search for the value you want to modify (e.g., health points, ammunition, etc.) within the game.
     2. Identify the Base Address: Once you’ve found the address, right-click on it and perform a pointer scan. This will give you multiple base addresses with associated offsets.
     3. Negative Offsets: You mentioned encountering negative offsets. Unfortunately, Cheat Engine doesn’t directly support negative offsets when adding pointers. However, there’s a workaround:
        • Instead of adding a pointer with a negative offset directly, consider using an intermediate pointer. For example, if you have a base address 0x0033FCF0 and an offset -18, create an intermediate pointer with a positive offset (e.g., 0x0033FCE8+18). Then, use this intermediate pointer to reach the desired address.
     4. Verify Correct Address: Test each base address with its associated offsets to find the correct one. You can do this by modifying the value and observing its effect in the game.
     5. Inject Your .dll: Once you’ve identified the correct base address, create your .dll file. In your .dll, modify the desired value using the base address and offset. For example:

        #include 
        #define BASE    0xBASE_POINTERS_ADDRESS_WHICH_I_NEED_TO_FIND
        #define OFFSET  0xTHE_OFFSET
        #define VALUE   90
        
        void MainFunction() {
            while (1) {
                if (GetAsyncKeyState(VK_MENU) & 0x8000 && GetAsyncKeyState('C') & 0x8000)
                    MessageBox(0, L"Alt + C was pressed!", L"MessageBox!", 0);
                *(int*)((*(int*)BASE) + OFFSET) = VALUE;
                Sleep(100); // Let the program rest to avoid hogging CPU resources
            }
        }
        
        BOOL WINAPI DllMain(HINSTANCE MyInstance, DWORD reason_for_call, LPVOID PointerToVoid) {
            if (reason_for_call == DLL_PROCESS_ATTACH)
                CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&MainFunction, 0, 0, 0);
            return true;
        }
        

     6. Inject Your .dll: Inject your .dll into the game process using a tool like Cheat Engine or another injector.

2. OllyDbg:

   • OllyDbg is a popular x86 debugger for Windows.
   • While OllyDbg is primarily used for reverse engineering and analyzing executables, it can also help you understand how the game’s code works.
   • To trace multi-level pointers using OllyDbg, follow these steps:
     1. Attach to the Process: Open the game executable in OllyDbg and attach it to the running process.
     2. Set Breakpoints: Identify the relevant code section (where the value you want to modify is accessed) and set breakpoints.
     3. Analyze Registers: When the breakpoint is hit, analyze the registers (such as EAX, EBP, etc.) to find memory addresses.
     4. Follow Pointers: Use the registers to follow pointers step by step until you reach the desired static address.
     5. Modify Values: Once you’ve found the address, modify the value directly in memory.
     6. Test and Verify: Test the modification in the game to ensure it works as expected.

Strategies for Resolving Complex Memory Structures

Pointer analysis is a crucial aspect of memory analysis, especially when dealing with multi-level pointers. Let’s delve into some strategies for resolving these complex memory structures:

1. Andersen Analysis:

   • This approach focuses on flow-insensitive pointer analysis.
   • It computes what memory locations pointer expressions may refer to at any time during program execution.
   • While it’s less precise than flow-sensitive analysis, it’s commonly used for whole program analyses due to its scalability.
   • Useful for identifying available expressions (e.g., avoiding redundant computations) and constant propagation.
   • Example: If *p aliases a or b, the second computation of a + b is not redundant.

2. Steensgard Analysis:

   • Another flow-insensitive technique.
   • Determines memory locations that pointer expressions may refer to.
   • Often used for whole program analyses.
   • Helps optimize code by identifying redundant computations.
   • Example: If *p and x do not alias each other, then y is constant (x = 3; *p = 4; y = x).

3. Intraprocedural vs. Interprocedural:

   • Intraprocedural analysis focuses on a single function or procedure.
   • Interprocedural analysis considers interactions across function boundaries.
   • Both have their trade-offs in terms of precision and computational cost.

4. Flow-Sensitive vs. Flow-Insensitive:

   • Flow-sensitive analysis computes memory locations for each program point.
   • Flow-insensitive analysis computes memory locations at any time during execution.
   • Flow-sensitive analysis can be expensive but has been scaled successfully for large codebases.

5. Context-Sensitive vs. Context-Insensitive:

   • Context-sensitive analysis considers call contexts (e.g., different call sites).
   • Context-insensitive analysis treats all call contexts uniformly.
   • Context-sensitive analysis provides more precise results but can be computationally intensive.

6. Heap Modeling:

   • Consider how pointers interact with dynamically allocated memory (heap).
   • Different heap models impact the precision of pointer analysis.

Key Practices for Memory Manipulation in Game Hacking

When it comes to memory manipulation in game hacking, there are several essential practices to keep in mind. These techniques allow you to interact with a game’s memory, uncover hidden values, and potentially modify them. Here are some key points:

1. Cheat Engine: This powerful, all-in-one game hacking tool provides an extensive feature set. It allows you to scan and modify memory, making it a go-to choice for many game hackers. You can find varying versions for Mac, Linux, and Android.

2. Squalr: Developed in C#, Squalr is another performant game hacking tool that rivals and complements Cheat Engine. It’s worth exploring alongside Cheat Engine.

3. CrySearch: Similar to Cheat Engine, CrySearch is a memory scanner but offers different features and a cleaner user interface. It’s a valuable tool for identifying memory locations.

4. PINCE: This front-end/reverse engineering tool focuses on games and is essentially a work-in-progress Cheat Engine for Linux and MacOS.

5. Binary Ninja: A commercial reverse engineering platform, hex editor, and interactive graph-based disassembler. It’s useful for analyzing game binaries.

6. Ghidra: An open-source software reverse engineering framework maintained by the NSA. It includes disassembly, assembly, decompilation, graphing, and scripting capabilities. Ghidra is a powerful tool for analyzing compiled code.

7. x64dbg: An x86 (32-bit)/x64 (64-bit) debugger for Windows, serving as a spiritual successor to OllyDbg. It’s essential for examining game executables.

Remember that game hacking often involves understanding program structure, execution flow, and memory layouts. Techniques like NOPing, hooking, and dissecting common game memory structures are crucial for successful memory manipulation.

In conclusion, the journey of finding base static addresses from multi-level pointers using tools like Cheat Engine and OllyDbg is not just a technical endeavor but a testament to the art of game hacking. By leveraging the power of these tools, one can navigate through complex memory structures, unravel hidden values, and reshape the gaming experience to suit their preferences. Remember, the key lies in understanding memory models, mastering pointer analysis techniques, and treading carefully within ethical boundaries.

So, embrace the challenge, hone your skills, and embark on a thrilling adventure in the world of game hacking, armed with the knowledge to decipher the secrets that lie beneath the surface.