Pointer Scanner
Right now this feature is still in experimental stage, so most of the feature design might change in the near future. Please bear with us while we iterate on it.
- Open up the Pointer Scanner window by right clicking on empty space inside the address table and selecting "Open pointer scanner".
- If you already have an address you want to scan for in the address table, just right click on it and choose "Pointer scan for this address", then skip to step 3.
- In Actions choose Scan which will pop up the scan settings dialog.
- Fill in the Address field if not already filled and change the File Path (which points to current working directory by default) if you want a different path or filename.
- We recommend leaving the optional parameters at their defaults (0/empty) unless you know what you're doing or have a specific need for them.
- Scan Range and Depth have good defaults, but you can increase them if you don't find a consistent pointer chain.
- Be warned, though, that increasing those two, especially Depth, will result in longer scan times and bigger .scandata files.
- Click Scan and wait for the dialog to disappear which will signal that the scan is done.
- You can now open the resulting .scandata file inside the Pointer Scanner window by clicking on File->Open.
- You can also sort this list of pointer chains, if you wish, by pressing the Sort button.
Congratulations, you now have a .scandata file of pointer chains that ultimately point to your value address, one chain per line.
You can now input one of these in the Add Address Manually dialog in the main window, by pressing the button with the same name. Make sure to check Pointer, then fill in the new fields that appear.
E.g. for "kmines[4]+2C8->248->18->60":
- Base Address: kmines[4]+2C8
- Offset 1: 0x248 (offset fields grow upwards: the bottom field is the first offset; press Add Offset if you need more)
- Offset 2: 0x18
- Offset 3: 0x60
I've got a .scandata file but most of the pointer chains inside do not work after restarting the game!?
Usually one scan is not enough to find the pointer chains that are stable and persist after every restart. The way to find consistent pointer chains is to restart the game after doing a scan and find your value once again with the normal scanning methods. After that, generate a second .scandata file following the steps above.
- Go back to Pointer Scanner window and access Actions->Filter.
- Put the two files in the respective fields.
- Press Filter. This will clear out any remaining text inside the Pointer Scanner and then display only the pointer chains that appear in both scans. Optionally, you can also Sort the results and then save them as a .scandata file using File->Save As...
Logically, if a pointer chain appears in multiple scans, it is far more likely to be permanent, i.e. to persist through multiple restarts of the game.
You will probably still have quite a few entries, depending on the size of the .scandata files and the game. The only way to figure out which of these are good is either to keep scanning after every restart and filtering again, or to add these chains to the address table in chunks and play the game for a while, checking which ones become invalid over time.
You can't escape trial and error in the reverse engineering world, so strap on your script kiddie hacker gloves and get to work.
You have to start over using different scan settings, like higher range or bigger depth.
If the target process is running through WINE, you might have issues such as reduced scanning performance or even trouble finding valid values as WINE messes with memory too much.