I previously asked a question here, but I was unregistered and could not edit my post (not sure if you can) or add any information about the problem. This time I will try to be more thorough so that I can get an answer ...
I am trying to find a static pointer and a list of offsets so that I can easily find information in the game every time I restart it. I was successful with every piece of information, but ...
I am currently using CheatEngine to help me debug and find the right pointer paths.
The address of the value I want (which changes each time the game starts) is currently: 849576A. For reference, this is the first inventory slot of my first character. I know that each slot is offset by 20h and each character by 550h. Thus, the first two inventory slots are 849576A + 550h. Again, these addresses change every restart, but offsets do not.
Using CE, I look at what accesses this address ... it returns the following operation codes:
These two come back before doing anything in the game:
004b7ef9 - 0f bf 08 - movsx ecx,word ptr [eax]
004b542b - 0f bf 04 0a - movsx eax,word ptr [edx+ecx]
Then when moving items in my inventory, I get the following:
74be5008 - 72 2a - jb memcpy+84
004bfc3a - 0f bf 4c 02 60 - movsx ecx,word ptr [edx+eax+60]
004bf43f - 8d 7d 9c - lea edi,[ebp-64]
I'm not sure which one to use, so I just picked one and set a breakpoint on it. I chose 004b542b; here is the full code section:
004B53F0 | 55 | PUSH EBP
004B53F1 | 8BEC | MOV EBP, ESP
004B53F3 | 83EC 0C | SUB ESP, C
004B53F6 | 894D F4 | MOV DWORD PTR [EBP-C], ECX
004B53F9 | C745 FC 00000000 | MOV DWORD PTR [EBP-4], 0
004B5400 | 837D 08 00 | CMP DWORD PTR [EBP+8], 0
004B5404 | 7F 04 | JG 004B540A
004B5406 | 33C0 | XOR EAX, EAX
004B5408 | EB 43 | JMP 004B544D
004B540A | C745 F8 0F000000 | MOV DWORD PTR [EBP-8], F
004B5411 | EB 09 | JMP 004B541C
004B5413 | 8B45 F8 | MOV EAX, DWORD PTR [EBP-8]
004B5416 | 83C0 01 | ADD EAX, 1
004B5419 | 8945 F8 | MOV DWORD PTR [EBP-8], EAX
004B541C | 837D F8 19 | CMP DWORD PTR [EBP-8], 19
004B5420 | 7D 28 | JGE 004B544A
004B5422 | 8B4D F8 | MOV ECX, DWORD PTR [EBP-8]
004B5425 | C1E1 05 | SHL ECX, 5
004B5428 | 8B55 F4 | MOV EDX, DWORD PTR [EBP-C]
004B542B | 0FBF040A | MOVSX EAX, WORD PTR [EDX+ECX]
004B542F | 3B45 08 | CMP EAX, DWORD PTR [EBP+8]
004B5432 | 75 14 | JNZ 004B5448
004B5434 | 8B4D F8 | MOV ECX, DWORD PTR [EBP-8]
004B5437 | C1E1 05 | SHL ECX, 5
004B543A | 8B55 F4 | MOV EDX, DWORD PTR [EBP-C]
004B543D | 0FBF440A 02 | MOVSX EAX, WORD PTR [EDX+ECX+2]
004B5442 | 0345 FC | ADD EAX, DWORD PTR [EBP-4]
004B5445 | 8945 FC | MOV DWORD PTR [EBP-4], EAX
004B5448 | EB C9 | JMP 004B5413
004B544A | 8B45 FC | MOV EAX, DWORD PTR [EBP-4]
004B544D | 8BE5 | MOV ESP, EBP
004B544F | 5D | POP EBP
004B5450 | C2 0400 | RETN 4
I decided to set a breakpoint so that I could see the register values before and after the line that supposedly refers to my value (004B542B | 0FBF040A | MOVSX EAX, WORD PTR [EDX+ECX]).
BEFORE:
EAX: 00000000 EBX: 00000000 ECX: 000001E0 EDX: 0849558C ESI: 000000D0 EDI: 013A38A8 EBP: 00189CE0 ESP: 00189CD4 EIP: 004B542B
AFTER:
EAX: 00000DAD EBX: 00000000 ECX: 000001E0 EDX: 0849558C ESI: 000000D0 EDI: 013A38A8 EBP: 00189CE0 ESP: 00189CD4 EIP: 004B542F
For me, this means that EDX (0849558C) should be the value I'm looking for, and then I apply the offset 1E0. But when searching memory for the hexadecimal value corresponding to EDX, I get no results, which means there are no pointers to this address.
I used the same methods that I am trying to use here to successfully collect each static address and then apply the offsets. For example, here is the static address + offsets to find my health: 01263FC8 +284 +C +30 +90
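To make the two pieces of this question concrete, here is an added example (not from the original post, and not CheatEngine code) that replays both the pointer-path notation and the disassembled routine against a simulated memory image. It assumes a tiny FakeMemory class standing in for ReadProcessMemory; the static base 01263FC8 and the offsets +284 +C +30 +90 come from the post, but every intermediate pointer value, the health value, and the slot contents are made up for the example. The routine at 004B53F0 is read off the listing as: if the argument is <= 0 return 0, else for slot index i from 0xF up to (but not including) 0x19, compare the signed WORD at [this + i*32] with the argument and, on a match, add the signed WORD two bytes later to a running total.

```python
import struct

# Constants taken from the post (the author's observed layout and the listing):
SLOT_STRIDE = 0x20        # each inventory slot is 20h bytes apart (matches SHL ECX, 5)
CHAR_STRIDE = 0x550       # each character block is 550h bytes apart
FIRST_SLOT = 0xF          # MOV DWORD PTR [EBP-8], F
END_SLOT = 0x19           # CMP DWORD PTR [EBP-8], 19 / JGE exit -> loop while i < 0x19


class FakeMemory:
    """Sparse little-endian memory image; stands in for ReadProcessMemory (constructed)."""

    def __init__(self):
        self._bytes = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self._bytes[addr + i] = b

    def read(self, addr, size):
        return bytes(self._bytes.get(addr + i, 0) for i in range(size))

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def read_i16(self, addr):
        # MOVSX reg, WORD PTR [...] is a sign-extending 16-bit load
        return struct.unpack("<h", self.read(addr, 2))[0]

    def write_u32(self, addr, value):
        self.write(addr, struct.pack("<I", value))

    def write_i16(self, addr, value):
        self.write(addr, struct.pack("<h", value))


def resolve_pointer_chain(mem, static_base, offsets):
    """CheatEngine pointer path 'base +o1 +o2 ... +on':
    addr = [base]; addr = [addr + o1]; ...; the last offset is added, not dereferenced."""
    addr = mem.read_u32(static_base)
    for off in offsets[:-1]:
        addr = mem.read_u32(addr + off)
    return addr + offsets[-1]


def slot_address(first_slot_of_first_char, character, slot):
    """Address of a slot using the post's strides (character and slot are 0-based)."""
    return first_slot_of_first_char + character * CHAR_STRIDE + slot * SLOT_STRIDE


def sum_matching_slots(mem, this_ptr, wanted_id):
    """What the routine at 004B53F0..004B5450 computes, as read from the listing."""
    if wanted_id <= 0:                  # CMP [EBP+8], 0 / JG ... else XOR EAX, EAX
        return 0
    total = 0                           # [EBP-4]
    for i in range(FIRST_SLOT, END_SLOT):
        entry = this_ptr + (i << 5)     # [EBP-C] + (i SHL 5)
        if mem.read_i16(entry) == wanted_id:
            total += mem.read_i16(entry + 2)
    return total


def build_demo_memory():
    """Constructed image: a 4-hop chain ending at a fake health value, plus one
    character block at the EDX value seen at the breakpoint with made-up slots."""
    mem = FakeMemory()
    mem.write_u32(0x01263FC8, 0x00A00000)            # [01263FC8]
    mem.write_u32(0x00A00000 + 0x284, 0x00B00000)    # +284
    mem.write_u32(0x00B00000 + 0xC, 0x00C00000)      # +C
    mem.write_u32(0x00C00000 + 0x30, 0x00D00000)     # +30
    mem.write_u32(0x00D00000 + 0x90, 100)            # +90 -> pretend health = 100
    this_ptr = 0x0849558C
    # slot index -> (item id, count); slot 0xE is outside the loop's range on purpose
    slots = {0xE: (0xDAD, 50), 0xF: (0xDAD, 3), 0x10: (0x100, 5), 0x11: (0xDAD, 4)}
    for slot, (item_id, count) in slots.items():
        mem.write_i16(this_ptr + slot * SLOT_STRIDE, item_id)
        mem.write_i16(this_ptr + slot * SLOT_STRIDE + 2, count)
    return mem, this_ptr


if __name__ == "__main__":
    mem, this_ptr = build_demo_memory()
    health_addr = resolve_pointer_chain(mem, 0x01263FC8, [0x284, 0xC, 0x30, 0x90])
    print(f"health at {health_addr:08X} = {mem.read_u32(health_addr)}")
    first = this_ptr + FIRST_SLOT * SLOT_STRIDE     # EDX + 1E0 at the breakpoint
    print(f"slot 0xF at {first:08X} holds id {mem.read_i16(first):X}")
    print("total of id 0xDAD over slots 0xF..0x18:", sum_matching_slots(mem, this_ptr, 0xDAD))
```

Two things the replay makes visible: the final offset in a CE pointer path is added without a dereference, so the last hop is the address of the value itself; and the loop only looks at slots 0xF through 0x18, so a routine like this would never touch the first character's earlier slots, which is one reason a breakpoint on it can show a base (EDX) that is not the one a pointer scan for the slot address would find.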