Reputation: 2703
How to find pointer w/ offset [ecx+eax*4] (address offset?)
I've seen this topic: How to find a point with offset eax+ebx*4
eax will be the pointer value to look for
ebx*4 will be the offset (ebx is the offset in an array with elements of 4 bytes long)
so:
ebx=0 : offset=0
ebx=1 : offset=4
ebx=2 : offset=8
ebx=3 : offset=c
ebx=4 : offset=10
But I'm still don't understand how can I determine ebx?
Here is my situation: I'm trying to get current ammo pointer for Red Faction: Guerrilla (gfwl version)
I see that the address of this ammo is changed when I load another save file. So I use "Find out what writes to this address" for the ammo pointer (which no longer working after load another save file)
Then I load another save file to see what it writes to the pointer: The result is the pointer with offset [ecx+eax*4]
![[ecx+eax*4]](https://i.sstatic.net/M5VE1.png)
So I make a pointer like this
ecx=00C1B988 (address 00C1B988 holds the value: ECX=00C1B994)
EAX*4= I don't know how to work with this, so I just put: E71*4
But it still doesn't work when I load another save file. I stuck at E71*4, what should I replace for E71? I even tried to search the value E71 (or 3697), but it seems like I'm going nowhere.
Upvotes: 1
Views: 3306
Answers (1)
Reputation: 3923
Usually when you see ecx+eax*4 it's indexing into an array. ECX points to the array, EAX is the element # and 4 is size of the element. Often times when you see 4 or 8 it's because it's an array of pointers and that's the size of the pointer on x86.
What you're seeing is not some encryption/obfuscation/anticheat. It is just how object oriented programming/C++ gets compiled into assembly.
That pointer chain you're creating isn't going to work for you, the solution will be to get the address of the weapon/player object so you can offset into it to get address of the ammo. To do this you need to:
- find another pointer manually
- find another pointer using pointer scanner
- pattern scanning + hooking and pulling the address out of the register
If perhaps this is some obfuscation, you can easily get the value of EAX by hooking the instruction and grabbing it's value.
Upvotes: 2
Related Questions
- Following pointer and offset arithmetic
- x86 E8 and FF calls, how to find the E8 shifting address 'on the fly'? basic x86 ASM calls
- Adding 20 Byes Offset To Pointer Address
- Finding pointer with 'find out what writes to this address' strange offset
- Finding offset for code segment in x86 assembly program
- How to change the value on an ADD EAX with C++ knowing the offset
- How to find the base structure address with negative offsets
- C address offsets
- C++ , Cheat Engine / OllyDBG finding base "static" address from multi-level pointers
- Retrieving Memory Offset Address Using Assembly