How to find pointer w/ offset [ecx+eax*4] (address offset?)
I've seen this topic: How to find a point with offset eax+ebx*4
eax will be the pointer value to look for
ebx*4 will be the offset (ebx is the offset in an array with elements of 4 bytes long)
so:
ebx=0 : offset=0
ebx=1 : offset=4
ebx=2 : offset=8
ebx=3 : offset=c
ebx=4 : offset=10
But I'm still don't understand how can I determine ebx?
Here is my situation: I'm trying to get current ammo pointer for Red Faction: Guerrilla (gfwl version)
I see that the address of this ammo is changed when I load another save file. So I use "Find out what writes to this address" for the ammo pointer (which no longer working after load another save file)
Then I load another save file to see what it writes to the pointer: The result is the pointer with offset [ecx+eax*4]
![[ecx+eax*4]](https://i.sstatic.net/M5VE1.png)
So I make a pointer like this
ecx=00C1B988 (address 00C1B988 holds the value: ECX=00C1B994)
EAX*4= I don't know how to work with this, so I just put: E71*4
But it still doesn't work when I load another save file. I stuck at E71*4, what should I replace for E71? I even tried to search the value E71 (or 3697), but it seems like I'm going nowhere.
Usually when you see ecx+eax*4 it's indexing into an array. ECX points to the array, EAX is the element # and 4 is size of the element. Often times when you see 4 or 8 it's because it's an array of pointers and that's the size of the pointer on x86.
What you're seeing is not some encryption/obfuscation/anticheat. It is just how object oriented programming/C++ gets compiled into assembly.
That pointer chain you're creating isn't going to work for you, the solution will be to get the address of the weapon/player object so you can offset into it to get address of the ammo. To do this you need to:
- find another pointer manually
- find another pointer using pointer scanner
- pattern scanning + hooking and pulling the address out of the register
If perhaps this is some obfuscation, you can easily get the value of EAX by hooking the instruction and grabbing it's value.
- C++ ReadProcessMemory, base addresses
- How to find static assembly instruction address from CE (C++)
- Read score from EAs FIFA 19
- Cheat engine address to Intptr?
- WriteProcessMemory with Multi Level Pointer
- Memory Access Control in Windows Memory Management
- Where is the difference between those two Assembly code snippet's?
- Pymem doesn't read the right values while CE does
- Pymem Could not read memory at: , length: 4 - GetLastError: 299
- What are the differences between Cheat engine and other applications like IDA, Ghidra, and x64dbg?
- ReadProcessMemory returning errors
- Following pointer and offset arithmetic
- Trouble with ReadWriteMemory module in python to read 64bit process memory
- Why is id different through id() and through the cheat engine?
- How can I change the value of an memory-address in Python?
- How to find pointer w/ offset [ecx+eax*4] (address offset?)
- Unable to read value from memory using offsets
- Unity3D Speed Hack Detection
- Calculating Hex In Cheat Engine Lua?
- ReadWriteMemory reading memory as an int instead of a float
- Trying to dereference pointers programmatically to get the dynamic address c#
- Changing memory address values and hex data
- How to attach a debugger of cheat engine to an application that compiled by VS2015 successfully?
- Why should I use (void*) in second parameter of WriteProcessMemory() func?
- How Cheat Engine know what kind of value is in the memory
- Windows Virtual Address Space
- Where does int 32 value come from in Memory viewer, Cheat Engine
- cheat engine debug breakpoint on IDA function addresses
- Disable button once clicked Cheatengine Lua
- C++ read memory addresses within process range only