How To Find Offsets, Entity Addresses & Pointers

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
this is gonna be a pretty boring remake of a five-year-old video we've recently got some complaints that this video is not very good so I'm gonna attempt to remake it for you without losing my mind this video is gonna teach you the most basic parts of using cheat engine the first thing you always do in every game is you want to find the health address you're gonna track back from the health address to the local player object and get its address and then you're gonna find a pointer to the health and the local player object and then maybe we're gonna find some weapon ammo as well and just explain you the very basics so first thing in a salt cube you can't when you first start the game you're in a demo map you're not actually playing the game so you cannot use that and expect the addresses and offsets in the demo map to work in the real game so to start a real game you would go to single-player and create a Bop match okay once you've entered one of these BOTS matches you can continue this tutorial so you want to be in a map where it's easy to get a grenade like this one and what we're gonna do is we're going to search for our health which is probably a four byte integer so we're gonna start with that so these are all the addresses that represent addresses which contain the value 100 as a four byte integer so we are going to reduce our health by hurting ourselves with the grenade we now have 45 SL so we're gonna filter these results and now we have our address we double click it and we add it to our cheat table so this is the address of our health variable okay now we want to see does this thing work so let's set it to 9999 and let's grab another grenade and we are going to burn ourselves again and see what our help turns into okay it's 9 9 3 8 again so this is our actual health address if we did that and our health was shot down to like less than a hundred then that would mean we had found a visual health value that's the one that's used for the graphical in graphical user interface the GUI ok but in this case 9 9 3 8 this is our real health address so anytime you want to find a pointer - I'm sorry any time you want to find an empty object the health variable is probably in it so this is just defined in C as a class it's a player a local player a client in this case the structure is called an an entity so the class represents our local player is an entity object so we have the health address which is probably inside of the entity object now how does the CPU and the assembly code access the Health address well it knows some there's some function with an instruction that changes your health and it's done by getting the address of the entity object and then indexing into the health variable by using the help offset your compiler when you write your code and at the compile button the compiler figures that all out for you now when you're reversing this with using cheat engine it's it's actually very simple we're gonna right click the help address and we have two choices find that will access this is address and finds out what writes to this address one of these has overlapping results and one only has singular results I believe if you do find out what accesses it'll give you a list of all instructions which read and write to the health address if you just do writes it only shows you the ones that write to it so and how does this work this is actually just a read or a write break point which is just built into the way that the debugger works on on Windows so let's right click on this and do finds out what access is sometimes you have to do both sometimes you're not gonna find your result in just one and you need to do the other one but let's just do find out what access is to start this is gonna attach the windows debugger to the process and set that breakpoint and what we get here is a list of instructions which access that health address and we can see the count it's currently this is just part of the main game loop okay now we can get a more it's probably being updated and accessed throughout you know every single frame of the game now to get a more specific instruction what acts directly which executes directly when we're getting hit by something we can throw another grenade so we can stop this now and I'll stop the breakpoint so these two instructions access our thing only when we hurt ourselves and these get executed every tick now you'll see three of these are very similar you have a register + f8 in hex so f8 represents our offset now when you see this it will not be like that in every game like right here you see EB x + 4 so you can't just look at this and go ok the offsets for you you need to you need to form a hypothesis you need to test your hypothesis and you need to experiment and use trial and error and that's how you're gonna solve all your problems in game hacking this is a really key skill here we have a lot of people in the forum who they get to this part of the tutorial and then they come asking us for help you have to have the initiative the intuition and the ability to deduce what's happening giving the information you're provided you have to take the context of what you're looking at and apply everything you know about solving problems and about how coding and a computer works and you have to use these things to make yourself successful I can't do it for you so our offset is FA I know that but if you're just doing this you may not know it but you have three instructions that are all accessing it via f8 let's try doing find out what writes and let's see if we get any different instructions I don't think we will though let's try yeah we already got this one right here so nothing new there that's fine so so these two are reads and these this is a right and then this is a read okay because we're moving the address of the health variable into a X moving it into EAX and in this one we're subtracting the health of ETI from the health address so if you let's just do this bottom one here if we look at f8 we see that it's ESI + f8 now ESI is going to be the address of the entity object we don't know that but that is typically the case in most games and as you get more experience you'll come to understand this and you'll know what you're looking at again you have to look at what you're looking at take your at face value and if later you have a problem you then need to revisit your hypothesis and continue to create more experiments to test it until you get in full understanding of exactly how the game is built so let's look at ESI let's grab that address and let's add an address manually and paste that in and we're going to call this entity object address so what is an object an object is an instance of a class if you're coding and program you create a class which just defines what an object of that class will contain what its structure will be and what functions can act on it so when you find a class in memory its it's called an object now we've added that address of our entity object here and then we get this weird value well this value it's just reading the value which is that offset 0 of that object which is not important to us right now so the next thing you might do is let's take a look at this the structure of this object so let's grab that address let's go to memory view so we go to tools dissect data structures and we're going to paste in the address you click structures to find your structure and we're just going to call this entity and just use all the default settings so what this does is it gives you a list of all the variables that are that star at that Jess so you can think of all this information here is part of the class of the object that we're looking at which is the entity so at offset zero we we have a pointer then we have two floats three floats and some integers now these variable types are guessed Chi engine has an auto guess ability which tries to use the context of the variables to decide what they might be it will not always be correct so you can only use it as a guide you can find a lot of good information by looking at this so I see one two three floats in a row so that probably represents our coordinates if we jump we see the 4.5 turns into a six point Sutton and a seven point something so that's our Z coordinate if we move around the other two floats move so we could add that to our table this is our our vector of coordinates XY and Z and we can keep looking down here and the offset is listed on the left so if we go all the way down to the bottom here where F 8 is we can see that here's our health 9 7 6 1 I can see what looks like my amo here this is probably a mo for the different guns that we have I see a 16 and that's at offset 150 and that's the ammo in our current magazine and if we reload we are animal that we're holding the reserve is now 35 so that's our ammo and reserve 35 at offset 128 so something we can do just to show you how this all works is let's take our entity object address and let's add we want to add a address for our ammo so let's just call this assault rifle ammo mag address and we can paste in our the address of our entity object and then we can add the offset I think it was 140 I forget what it was so we had a 20 that's all set 150 not 140 so if we do like that we have our entity object address plus the offset which equals the address of the ammo and our magazine then you change that to 999 if we want and we can see that it works next step we want to find a pointer to our entity object the reason why is because everything is created dynamically in video games to be efficient a static address is one that is always relative to a module and that module is always loaded into the same place so let's take a look at that so we want to find a pointer to our entity object what's a pointer it's just an address which contains another address effectively its points to another address so we're going to do a new scan and we're going to use hacks because the address we're gonna paste it in is using hex notation and we're gonna do a scan now everything on the left-hand side here these are all variables which contain the address or entity object so effectively these are all pointers these green addresses are static addresses let's add the first three to the table and let's just double-click them you're gonna see that these have a relative address and a module name so AC client exe is a module that gets loaded into memory when the process is created it gets mapped into memory by the Windows OS loader each address each module in memory is loaded at a specific address at runtime if you take that specific address and you add this relative offset you get the address of a pointer which points to our entity object so what is the address of AC client XC I'm gonna show you a quick way we can look at that just for like a quickie just a little explanation so we go to a memory viewer dissect PE headers and these are the different modules that are loaded in memory we want AC client to EXCI if you click info it will load the information so it's address is currently this address here now this is very common because this is the default image base for all executables now many executables now use different parts of the windows security system like address space layout randomization which will randomize this address but in this case that is disabled on a salt cube and this is given as its default image base there are multiple headers for the PE header at the MZ header which is just a leftover from DOS and then the PE header so in the PE header which is the portable executable file format it has a header which contains a table of all the things that are gonna be loaded ok and if we scroll down here has a bunch of interesting information the entry point of the code the base of the data and the preferred image base so the preferred image base is where this module would like to load if that spa is free now it's not always free in case this was a DLL if this address is not free it will load anywhere that the operating system has space in the virtual memory but this is just a quick way if you're wondering how you find that that's where it is once you follow the rest of the beginners start your guide game hacking you will learn all about that ok back to our pointer so our green addresses these are all addresses which are relative they're use relative offsets to a module base address which gets loaded into a static address if we double-click these next two and look at these we just have an address so this is just a dynamic address it's not offset from any module so this is something that's probably on the heap or maybe it's out it's allocated by the keyword new and C or something like that so what this is saying right here is these three green addresses are gonna be the same the variables going to be in the same address each time you restart the game but these are all dynamic and they do not necessarily have to contain the same variable when you restart the game so your goal in finding a pointer is to trace backwards until you get a static address in this case we already have three so this is a multi-level pointer but it's it's only a one level pointer it said it's a pointer that points to our entity object one level no offsets just a relative address so let's delete these two that we just added those were dynamic and let's just look at these so we have AC client plus 1 0 9 B 7 4 and we have AC client +1 0 F 4 F 4 and then we have AC client plus 1 1 e 2 0 C so which one is the right one we don't know so in order to test this you went whenever you're researching and reversing and hacking a game you're gonna spending months on it so again I'm gonna find more form a hypothesis I'm gonna add these to our cheap table and I'm gonna say these always point to the correct address and I'm gonna save this cheap table and I'm gonna use it for the next if they stop working then I'm gonna re-evaluate my hypothesis coots no longer been proven to be true for the sake of this video and not making a three-hour long introduction I know this last one is not the one we want these two both of these addresses point to our local player object so you can use either of them now I would recommend that you use the second one which is 1 0 F 4 F 4 the reason I say this is because the reason I say to use this offset is because at offset F 8 you can find the entity list and if you look at the source code for the game you can find the local entity object pointer and the NT list pointer are defined right after each other one after the next so that leads me to believe that this is the most logical pointer so I'm gonna delete this other one and we're gonna call this a local entity pointer and when I say a logical pointer you can all pointer does is just point to another address you could have an address would just ran the memory in it which happens to represent the same address of your local entity object so this pointer is not logically defined by the game logic but it's still a valid pointer in memory that's where you need to be careful you may find things like that that don't follow the game logic and that will get you into trouble as you continue to learn all stuff so your goal when dealing with pointers is to find the one that uses the logical path of the game how do you find that logical path well you do find out what rights and what accesses and then you get the proper offsets the assembly code that the compiler created is accessing them via a specific path and a specific series of offsets then you know that that's the logic that the game uses you will learn in a later video how to use the pointer scanner and that brute forces them and you'll run into the same problem where you get thousands of like false positives but you want to use the one that's most logical so now we have the local entity pointer we're gonna actually define a pointer and cheat engine in the G&G table so grab this copy that add address manually and select pointer so this address down here is the base chess of the pointer this is where the pointer chain begins this is the first address and it's a static address in this case it's relative to AC client at Exe that's the module name and this is the relative offset so when you add these two numbers together you get an address which is a pointer when you dereference that pointer it points to this address so this address is not these two numbers together added together it's not the sum it's these two numbers added together and then dereference following this pointer to get to this address and you can see this address is the one we found for entity object address so we're dereferencing our pointer once it's the referenced we're gonna add our offset which is f8 and now if we click OK we can see it holds 9 7 6 1 which is our health so we can call this the health pointer we can change this to 666 and it works so this is our health pointer and this is our local entity pointer let's look at this one more time because people always get confused here is a module address which is at a static address we add our relative offset and now we are at an address which is a pointer we dereference that pointer and it gives us this address we take that address and you can see it right here and then we add f8 to it so this address plus FA equals this address you can see the syntax here the dash and then the carrot is a dereference and a plus and equal is just in addition in an equal so this is the sum so don't get those two confused and I know this might seem super confusing even though this is very simple for me it might be very complicated for you you are gonna learn this all over the next six months as you get experience so just take one step at a time and just focus on learning if you don't understand this 100% do the next couple videos if you get three or four videos in and you're still lacking like a solid understanding go back and start again and what you want to do is in the meantime you want to be practicing these things on a salt cube so just to test this let's close the salt cube and let's reopen it so we're gonna keep the address list and code list and we are currently in the demo map which it does work but we don't want to use it in this case so let's go to single deathmatch okay and then let's see so these three addresses these were all dynamic so all of these no longer work right the entity object is created dynamically and the game keeps track of that dynamic address using the pointer now this local entity pointer is still points to the correct address because this is a static address because we can see the module okay so that's it you've just learned the absolute basics of finding and to the objects alpha addresses pointers and you've learned about dynamic memory static pointers and that kind of thing this is the basis of everything you're gonna be doing in game 1/2 you don't understand it give it some time do some practice read some threads watch some other tutorials and it will come to you some people take 6 months to learn how a pointer works sometimes that's just how long it takes because it's kind of an abstract concept for someone who's just getting into this I wish you all the best of luck the most important thing you need to do is to practice you need to work hard and you need to be patient and you really need to just pay attention what people say in tutorials and guides and you need to take them very seriously because I can't make you learn these things I can't implant my experience and my knowledge into your brain you have to earn that for yourself there's absolutely nothing I can do to force you to learn correctly so it is up to you your journey is just beginning Godspeed
Info
Channel: Guided Hacking
Views: 312,287
Rating: undefined out of 5
Keywords: base address, entity address, how to find offsets, how to find local player, how to find pointers, how to find base address, dynamic memory allocation, entity base address, cheat engine, cheat engine tutorial, pointer tutorial, pointer scan, cheat engine (software), reverse engineering, game hacking, how to find offsets for any game, how to hack any game, cheat engine pointer, cheat engine pointers, how to find entity addresses, how to use cheat engine, hack any game
Id: YaFlh2pIKAg
Channel Id: undefined
Length: 22min 46sec (1366 seconds)
Published: Fri Jan 17 2020
Related Videos
Cheat Engine How to Pointer Scan with Pointermaps 🚨
Guided Hacking
185K
Learn Reverse Engineering (for hacking games)
cazz
860K
HOW ANTI-CHEAT BYPASSES WORK
cazz
322K
YOUR FIRST INTERNAL - BHOP HACK
cazz
94K
Making a mod menu is easy! (Here's how to make one with Python and Cheat Engine)
Kian Brose
742K
MAKE AIMBOT IN 10 MINUTES
cazz
710K
Why You NEED a DRIVER (for hacking games)
cazz
408K
Cheat Engine: Multi-level Pointers (tutorial 8) - Game Hacking Series
Intigriti
9.8K
How to Find the Entity list for ANY Source Engine Game!
swedz c#
13K
How to Hack Any Game C++ External Trainer Assault Cube 1/2
Guided Hacking
253K
How to Bypass Anti-Cheat for MODERN Game Hacking!
Guided Hacking
53K
Cheat Engine: Pointers (tutorial 6, part 1) - Game Hacking Series
Intigriti
15K
C++ Game Hacking Tutorial Ep.1 | Reading/Writing Memory
Hex Murder
611K
HOW TO FIND STATIC ADDRESSES WITH CHEAT ENGINE
Exploit Academy
101K
Learn Game Hacking - Introduction
loab
8.7K
How To Use Cheat Engine - Tutorial With Examples
Swashed
542K
LEGITBOT / LEGIT AIMBOT TUTORIAL CSGO
cazz
78K
How to find the Entity list using luck
swedz c#
3.6K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.