Basic pointers ~ Tariq
Hi, today we're going to learn basics about pointers.
Let's get started!
---------------------------------------------------------------------------------
To find a pointer:
Say you got an address, doesn't matter what, but let's say it's for health. Right click it and select "find out what writes to this pointer". Get a hit.
You'll have some code, maybe more pieces... they could be something like this:
dec [eax+65]
mov [ecx+65],300
inc [eax+65]
So, clearly, there is something with the 65. It is the offset. Now, if you double click one of those lines, a window will pop up. It will tell you the values of eax, ecx and all the others. Find the one that you need (for the first it would be eax, the second ecx and the third eax again). Now start a new scan, 4 bytes, and tick the box HEX. Scan for the value that we just looked up.
Worst case scenario: you get thousands of addresses.
Best: you get one.
If you get one address it's simple... If you got more it gets a bit harder. Anyway, look for green addresses in the search list. They are static (meaning that they don't change). If there are no greens, then just continue with a black one.
Click the button "add manually". Check the box "pointer" and enter the address we just found. In offset, enter 65. Done.
Now, if you didn't have a green address, repeat for the pointer from the beginning. But make sure you find out what writes to the pointer, not the value pointed to.
--------
There is another way... Let's say you found this:
mov [eax+65],300
And you can't seem to find a pointer. Click "show assembler". The top-most line is the code we found. Scroll up a bit, and you might find a line writing to eax.. for example, you might see this:
mov eax,0026F286
mov [eax+65],300
Now you need to know what [] is for. When something is between [], it means it is treated as a pointer.
So:
mov eax,300 //moves 300 into eax
mov [eax],300 //moves 300 into the address stored in eax
Back to the example. eax now holds 0026F286. It might be an address (and it is in this case).
Now, "mov [eax],300" will write to the address stored in eax, which we just saw. So, our pointer has to be 0026F286 with offset 65.
--------------------
It is also possible to treat addresses as pointers, instead of registers. So
mov [0026F286],300
is the same as
mov eax,0026F286
mov [eax],300
The problem with this way is that you can't use an offset.. unless "mov [0026F286]+65,300" is allowed.
~ Tariq
Credits to Glest
Last edited by Tariq on Sun Aug 24, 2008 1:40 pm; edited 1 time in total
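An added example (my own C, not code from Tariq's post) of what the pointer-plus-offset entry described above actually does: a static pointer in the process (the "green" address) is dereferenced with [], the offset is added after the dereference, and the path keeps resolving after the object is reallocated, which a raw address does not. It generalizes the post's one-level [eax+65] case to a list of offsets; the object layout and values are constructed, and the post's offset 65 is assumed to be hexadecimal (0x65), as Cheat Engine's dialog takes it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout: health sits 0x65 bytes into the player object,
 * mirroring the post's "[eax+65]" (offset assumed hex, as CE shows it). */
#define HEALTH_OFFSET 0x65
#define PLAYER_SIZE   0x80

/* The "green" (static) address: a global pointer the program updates whenever
 * a new player object is allocated. The pointer's own address never changes. */
static uint8_t *g_player = NULL;

/* Allocate a fresh player object and point g_player at it; return the new
 * object's address so callers can see that the object moved. */
static uint8_t *spawn_player(void) {
    g_player = calloc(PLAYER_SIZE, 1);
    return g_player;
}

/* Equivalent of "mov eax,[g_player]; mov [eax+65],value": write through
 * the pointer rather than to a fixed address. */
static void write_health(uint32_t value) {
    memcpy(g_player + HEALTH_OFFSET, &value, sizeof value);
}

/* Resolve a pointer path the way the "pointer" entry does:
 * p = [[[base] + off0] + off1] + ... ; then read 4 bytes at p. */
static uint32_t read_via_pointer(const void *base, const size_t *offsets, size_t n) {
    const uint8_t *p = base;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *target;
        memcpy(&target, p, sizeof target);   /* [p]: dereference one level */
        p = target + offsets[i];             /* then add this level's offset */
    }
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

int main(void) {
    size_t path[] = { HEALTH_OFFSET };
    uint8_t *first = spawn_player();
    write_health(300);
    printf("object at %p, health via path = %u\n", (void *)first, read_via_pointer(&g_player, path, 1));
    uint8_t *second = spawn_player();   /* reallocated: the old raw address is stale */
    write_health(120);
    printf("object moved to %p, health via path = %u\n", (void *)second, read_via_pointer(&g_player, path, 1));
    free(first);
    free(second);
    return 0;
}
```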
Re: Basic pointers ~ Tariq
yeah I know, now I need to do that with all :p