Using OllyDBG To Get Addresses In CSS

On Sunday, 15 August 2010

I like this forum, so I want to give something back to others. I wrote this tutorial to explain something useful, since it looks like many people are starting to play CSS. I see all the mods post addresses, but they never show how they get them. That is what this tutorial is for.

As an example I will use C_PlayerResource. Step 1 is to open the SDK and search for C_PlayerResource in the client project. You will probably get 34 results. Let's open C_PlayerResource.h.

In that file we get two things: the class itself and the external pointer CSS uses to access it globally. To be able to use it, we need the address of that pointer.

extern C_PlayerResource *g_PR;
Now open C_PlayerResource.cpp and look for g_PR. One thing that should catch your eye is this function:

IGameResources * GameResources( void ) { return g_PR; }
If we look back at the class definition, we see IGameResources is one of the two classes C_PlayerResource inherits from, so it is possible to get the C_PlayerResource from an IGameResources pointer. But how do we get that pointer? We will need to find the address of the GameResources function.

So now let's search for calls to GameResources in the SDK. One place it is called is void CSpectatorMenu::OnThink():

void CSpectatorMenu::OnThink()
{
    BaseClass::OnThink();

    IGameResources *gr = GameResources();
    if ( !gr )
        return;
In that function there are two strings, both "player", and in the next function the first string is "%d:%02d\n". Now open OllyDbg, start CSS and attach Olly to it. Since we know the class is defined in the client project, we load the client module from CSS's module list.

Next, right-click, "Search for", "All referenced text strings". Let it load, and when it has finished, right-click in the result box and select "Search for text". Type %d:%02d\n in the box, without the quotes. You should get one result, and above that result you should see "player", with another "player" above that, so you know you are in the right place.

Double-click the result and it should bring you to the part of the code in client.dll where that string is used. The function above it is the one we want: scroll up and you will see a function containing the two "player" strings.

If we look back at the original function in the SDK, we see GameResources is one of the first functions called, and we also know that if its result is null the function returns. So let's look at the top of the function we are in inside the debugger.

240853B0 53 PUSH EBX
240853B1 56 PUSH ESI
240853B2 57 PUSH EDI
240853B3 8BF1 MOV ESI,ECX
240853B5 E8 868B1900 CALL client.2421DF40 ; first call but nothing stored
240853BA E8 B10B0700 CALL client.240F5F70 ; second call
240853BF 8BF8 MOV EDI,EAX ; store result of call
240853C1 85FF TEST EDI,EDI ; check result
240853C3 0F84 BE000000 JE client.24085487 ; this leads to the return from the function
Hmm, the second call looks right, so let's check it out:

240F5F70 A1 E8433024 MOV EAX,DWORD PTR DS:[243043E8]
240F5F75 85C0 TEST EAX,EAX
240F5F77 74 06 JE SHORT client.240F5F7F
240F5F79 05 80040000 ADD EAX,480
240F5F7E C3 RET
240F5F7F 33C0 XOR EAX,EAX
240F5F81 C3 RET
This function looks right, because all it does is return the pointer (adjusted by 0x480) if that pointer is non-null. So our search is a success! But if you are lazy like me, you do not want to define the function, you just want the pointer. Looking at the function, the pointer "C_PlayerResource *g_PR" lives at 0x243043E8.

But what if this changes? Let's make sure we always have this address, and we do this with the help of Dominik's code that searches for a signature. But how do we select a signature that will only find this piece of code in client.dll? Well, if you are really paranoid you can use the whole function, because it is small, so your signature would look like this:

\xA1\xE8\x43\x30\x24\x85\xC0\x74\x06\x05\x80\x04\x00\x00\xC3\x33\xC0\xC3
"x????xxxxxxxxxxxxx"
With the code above we can do this:

DWORD d = (DWORD)(findpattern( ... )+0x01);
That gives us the address of the operand, i.e. where the address of the pointer is stored. The signature can be made shorter, and I will leave that for you to find.
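To show what the signature scan above actually does, here is an added example (not Dominik's code and not from the original post) of a masked pattern search written in C. The findpattern name and signature are my own assumption of what such a helper looks like; the byte images it scans are constructed for the example and are not real dumps of client.dll. It shows why wildcarding the four operand bytes matters: the same signature resolves the g_PR address both in an image using the value from the post and in one where that operand has been changed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Masked byte-pattern search (assumed helper, modelled on the idea in the
 * post): mask 'x' = byte must match, '?' = wildcard. Returns a pointer to
 * the first match inside [base, base+len), or NULL if there is none. */
const uint8_t *findpattern(const uint8_t *base, size_t len,
                           const uint8_t *pat, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || len < plen)
        return NULL;
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j = 0;
        while (j < plen && (mask[j] == '?' || base[i + j] == pat[j]))
            j++;
        if (j == plen)
            return base + i;
    }
    return NULL;
}

/* x86 immediates are little-endian, so decode the operand accordingly. */
uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The 18-byte signature and mask from the post. The four bytes after A1
 * (the operand of MOV EAX,[addr]) are wildcarded, so the scan still hits
 * if that address changes between builds. */
static const uint8_t SIG[] = {
    0xA1, 0xE8, 0x43, 0x30, 0x24, 0x85, 0xC0, 0x74, 0x06,
    0x05, 0x80, 0x04, 0x00, 0x00, 0xC3, 0x33, 0xC0, 0xC3
};
static const char MASK[] = "x????xxxxxxxxxxxxx";

/* Resolve the address of g_PR: locate the function, then read the 4-byte
 * operand at match+1 (the +0x01 in the post). Returns 0 on no match. */
uint32_t resolve_gpr_address(const uint8_t *image, size_t len)
{
    const uint8_t *hit = findpattern(image, len, SIG, MASK);
    if (hit == NULL)
        return 0;
    return read_le32(hit + 1);
}

/* Constructed sample image: a little filler, then the GameResources()
 * bytes exactly as listed in the post, then more filler. */
static const uint8_t IMAGE_A[] = {
    0x55, 0x8B, 0xEC, 0x5D, 0xC3, 0xCC,   /* push ebp; mov ebp,esp; pop ebp; ret; int3 */
    0xA1, 0xE8, 0x43, 0x30, 0x24, 0x85, 0xC0, 0x74, 0x06,
    0x05, 0x80, 0x04, 0x00, 0x00, 0xC3, 0x33, 0xC0, 0xC3,
    0xCC, 0xCC
};
/* Constructed variant: same function, but the operand now holds a
 * hypothetical address 0x12345678 instead of 0x243043E8. */
static const uint8_t IMAGE_B[] = {
    0xCC, 0xCC, 0xCC,
    0xA1, 0x78, 0x56, 0x34, 0x12, 0x85, 0xC0, 0x74, 0x06,
    0x05, 0x80, 0x04, 0x00, 0x00, 0xC3, 0x33, 0xC0, 0xC3
};

int main(void)
{
    printf("IMAGE_A: g_PR at 0x%08X\n", resolve_gpr_address(IMAGE_A, sizeof IMAGE_A));
    printf("IMAGE_B: g_PR at 0x%08X\n", resolve_gpr_address(IMAGE_B, sizeof IMAGE_B));
    return 0;
}
```

The value returned by resolve_gpr_address is the address of the g_PR variable, not the object itself; the C_PlayerResource instance is what that location points to, and the ADD EAX,480 in the listing is the adjustment GameResources() applies to reach the IGameResources sub-object.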

So now you have an auto-updating C_PlayerResource pointer. What can you use it for? I use it for an alive list.

I hope you liked this; I just wanted to give something back to a good community. Thank you for reading, and I would like to see responses.

Credits by KidBuu
