TUTORIAL: STRING POINTERS (USEFUL) by 360aim

360aim Dec 14, 2014


    This is going to be a tutorial on how to find the pointer to a string in an xex, elf or whatever file you are working with. In our example we will be using the Xbox 360 xex of Advanced Warfare TU5. This works the same for the single player xex, which is "default.xex"; however we will be using "default_mp.xex".
    The point of this is to get the pointer from a string to the bytes where its value is stored in the base file memory. This works for all CoDs, so go try it on an older CoD and see what you find.

    First you will need to download my pack, which includes everything you will need besides IDA :whistle: I am sure you can find that yourself.

    360aim string pointer pack
    https://mega.co.nz/#!ItESwIoB!azn2jqITWQ5LgnZ5HxqRtbQby2Eg4_I-odQNLzVmLFw
    virus scan
    https://www.metascan-online.com/en/scanresult/file/6a40379955cf42a68c5d4cd5332cdfdb
    //for admins :( all I could find is this; VirusTotal was down, I will edit when it is back up and add that, as I trust it more :/

    To start off, once you have "default_mp.xex" loaded into IDA, if you do not have a Strings tab, press "Shift + F12" to open one. Once in there you will see a lot of interesting strings; your eyes will light up :dead:.
    Your Strings window should look like this if opened correctly.
    http://gyazo.com/bac106359df84c15ef5395f066b965f0

    Once you have your Strings window open we need to find a string that we want the pointer to. For our example we will do a simple string such as "g_knockback". Now that we have chosen our string, press "Alt + T" while still in the Strings window in IDA. It will pop up a window that looks like this.
    http://gyazo.com/6af1c87bdc7b915cc34ff902b10faff7

    Once the window is open, type our string "g_knockback" into the substring box. It should look like this.
    http://gyazo.com/7a90d6340725269bc42eec173ce47481
    Once you have typed it in, press Enter and it should go right to our string. If it does not, press "Alt + T" and Enter again to search for the next string in the list that contains what you searched for. If you did it right it will look like this.
    http://gyazo.com/a1967b2e8866dc77f71f6a0ec81423f4
    Now that we have found our string in the Strings window, double click it or press Enter on it. It will jump to the IDA view and show you the string and its location. If you clicked the string correctly it will look somewhat like this.
    http://gyazo.com/49958eba866d806e405f34f16bba861d
    You have now found the location of our string, and the address that we will use to find the pointer the string uses to hold its bytes in memory. We will now be using the tools I have provided for you. The first tool you are going to want to open is Simple Dumper++. This is for the Xbox 360 version, as I have stated; PC and PS3 users, I am sure you have your own ways of dumping and your own programs. Once you open Simple Dumper++ it will look like this.
    http://gyazo.com/150c0430078af0eeecdd4b8c2cf57502
    Click Connect; it will use the default Xbox set in the SDK installed on your computer to connect automatically. Make sure you have Advanced Warfare loaded and you are in a game, just sitting there, for the best results. Once you are connected, click "Dump 360 base file". If done correctly, the memory address and length should change to the following and look like this.
    http://gyazo.com/b953525d2580e6073e7211f2ba8f4b78
    What it means by base file is that you are dumping the memory of the xex we are using, "default_mp.xex", that is loaded into RAM, into a single file.
    Click Dump; a window should pop up. Choose a location to store the file that we will be using to find our pointer. Make sure you remember where you store this file or you will have to dump it again; this is a must. Once the file is stored, we are going to open HxD.

    HxD download
    http://mh-nexus.de/en/programs.php
    //if you need a virus scan for this just tell me, I will download and scan it, admins

    When you open HxD you will see a screen that looks like this; if you do not, something went wrong.
    http://gyazo.com/2381c6b0438c5809da3b4ec118b6f11f
    Go to File > Open in HxD and open the file we just dumped with Simple Dumper++. Once the file is loaded it will look somewhat like this. Don't be confused, this is quite easy as we are using our pointers from IDA.
    http://gyazo.com/0b3e324e2d1cb890b4c0b6750d53e1c8

    Once that is loaded, go back to IDA where we left our string. Highlight the following part of the code in IDA and copy it to the clipboard: right click, or press "Ctrl + C".
    It should look like this if you did it correctly.
    http://gyazo.com/e9e8d4779466d9b2464c53a5e9afbd8b
    Now that we have copied our string's offset, which points us to the byte value stored in memory, go back to HxD, click anywhere in the hex view and press "Ctrl + F". A box should pop open like this.
    http://gyazo.com/72ca9ace1514c551aa6ee0bc0008af54
    Click "Datatype" and select "Hex values", then make sure "All" is selected. Once you have that, click in "Search for" and press "Ctrl + V" to paste our offset into the box. It will look like this if done correctly.
    http://gyazo.com/8b2021f07107095899284ca881c499c4
    Now press Enter and it will take you to an address that may not make much sense to you, but I will explain it. When you press Enter you will be brought here; it looks like this.
    http://gyazo.com/70335886fe18f3ba8c68fd8d1029ed1b
    Now we are almost done finding our offset for "g_knockback", but I want you to understand how this works if you plan on finding other string offsets in this game or another Call of Duty. We have just searched the memory for the string's address from IDA. The pointer we searched for in HxD is where the string is stored as bytes to act as a function. The offset in the picture above is HxD showing that string being called as a reference and setting the byte that I will show you now.
    http://gyazo.com/8734a99eb65be1c3bff078b6acf7c3b2
    For Advanced Warfare, the struct by which the memory handles most strings is as follows:
    16 bytes across is the full function; if it goes longer it bleeds into something else. So for our offset, as I said it is 16 bytes, and in Advanced Warfare we only use the last four, so we go from our pointer to the last 4 bytes that are highlighted, which are:
    http://gyazo.com/4e2c51e078b3dfb72fb53dd4d9d1447f
    This is our offset. We go to the first byte, which in our case is "44"; we will highlight only that to get the offset we are going to use. This "44" is the first byte of the value of "g_knockback"; it is a 4-byte integer stored in memory. I could go into detail, but I am trying to teach you so that you understand how to do it yourself. So now we will highlight "44"; it will look like this.
    http://gyazo.com/ffec5702633b96cc1aa6b1589a95ca6e
    As you can see we only have 1 byte selected, which is the 13th byte in the row, as I said the function uses 16 bytes. Now that we have found our offset we are not done yet; we need to get the address. To do this, with "44" selected in HxD press "Ctrl + E". A box will pop up that looks like this.
    http://gyazo.com/6ecbb7818aab1de0aaee513cdf8e28a5
    Highlight the start offset and press "Ctrl + C" to copy it to your clipboard. We are not done: we have not yet added our base dump address to our offset. To do this I included a download of PeekPoker for us to use; open that. It will look somewhat like this, but the IP will be blank; you will need to type in your Xbox IP to connect to your console.
    http://gyazo.com/faa179c58c2a17ea4b4e52c9b82527b4

    OK, it will say you have connected if done properly; if not, you will sit there for about 30 secs before it says you have not.
    After that click on the Search/Dump tab; it will look like this.
    http://gyazo.com/cfa84fa093b15bdefee946e7c7d00361
    Now click on the Dump tab and you will be brought to where the hex calculator is, which we will use to add our base address to our offset to get the g_knockback address we need.
    Once on that tab it should look like this.
    http://gyazo.com/57c5ea0d4ca8d8fc73b69dfb94fff9a8
    Click "Value two" and press "Ctrl + V" to paste our address into the box. It will look like this.
    http://gyazo.com/2eb6a0363288c14aad877312bb0e0cd8
    For value one, copy this into it from here, or go to Simple Dumper and copy the base address:
    "0x82000000". Put that as value one, then hit the "+" plus sign in PeekPoker and it will add your values. It will look like this.
    http://gyazo.com/95b97ac17a0f7e837634437e7d895d2e
    The "answer" is our offset for "g_knockback"; that is our final address for the string pointer. To get the offset, click the answer box and press "Ctrl + A" to highlight it, then "Ctrl + C" to copy the address; to paste it somewhere press "Ctrl + V".
    I hope you enjoyed this tutorial, I spent a little bit of time on it to help you guys out. Tell me what you think :)
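    The whole HxD and PeekPoker part of the procedure above, done in a script instead of by hand, as an added example that is not part of 360aim's post or pack. It works on a constructed stand-in for a Simple Dumper++ dump (not real game data), and it assumes the 16-byte entry has the big-endian string pointer at its start and the 4-byte value in its last four bytes (the 13th byte onward, as in the post); only the 16-byte size, the last-four-bytes value and the 0x82000000 base come from the post.

```python
import struct

# Load address of default_mp.xex, as given in the post ("value one" in PeekPoker).
XEX_BASE = 0x82000000

# Assumed entry layout (the post only says: 16 bytes, value in the last 4):
# big-endian pointer to the name string at offset 0, value at bytes 12..15.
ENTRY_SIZE = 16
NAME_PTR_OFFSET = 0   # assumption, not stated in the post
VALUE_OFFSET = 12     # the "13th byte" the post highlights


def build_sample_dump():
    """Constructed stand-in for a base-file dump; not real Advanced Warfare memory."""
    dump = bytearray(0x300)
    name = b"g_knockback\x00"
    dump[0x100:0x100 + len(name)] = name                 # string IDA would show at 0x82000100
    entry = struct.pack(">I", XEX_BASE + 0x100)          # pointer to the string (PPC, big-endian)
    entry += b"\x00" * 8                                 # other fields, zeroed in this sample
    entry += struct.pack(">i", 1000)                     # sample 4-byte value, constructed
    dump[0x200:0x200 + ENTRY_SIZE] = entry
    return bytes(dump)


def find_string_address(dump, name):
    """What the IDA Strings window gives you: runtime address of a NUL-terminated string."""
    needle = name + b"\x00"
    pos = dump.find(needle)
    while pos != -1:
        if pos == 0 or dump[pos - 1] == 0:   # whole string, not the tail of a longer one
            return XEX_BASE + pos
        pos = dump.find(needle, pos + 1)
    return None


def find_value_address(dump, string_addr):
    """The HxD step: search the dump for the string's address as raw hex bytes (the
    pointer), step to the value at the end of that 16-byte entry, then add the base
    back, which is the PeekPoker "answer" in the post. Returns None if no pointer is found."""
    hit = dump.find(struct.pack(">I", string_addr))
    if hit == -1:
        return None
    entry_start = hit - NAME_PTR_OFFSET
    value_off = entry_start + VALUE_OFFSET
    value = struct.unpack(">i", dump[value_off:value_off + 4])[0]
    return {"entry_offset": entry_start, "value_address": XEX_BASE + value_off, "value": value}


if __name__ == "__main__":
    d = build_sample_dump()
    addr = find_string_address(d, b"g_knockback")
    print(hex(addr), find_value_address(d, addr))
```

    On the constructed dump this reports the string at 0x82000100 and the value address 0x8200020C; on a real dump you would replace build_sample_dump() with the bytes of the file Simple Dumper++ wrote.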

    //credits
    me
    spelling errors - me :D
    lots of spelling errors I'm sure - me
    whoever made PeekPoker
    and of course IDA
    let's not forget all the people from the PC scene where I got most of my research for this :)

    *notes*
    This is my first post for XPG, I hope you enjoy it. I was looking into something a little special for my first one; tell me what you think though. I've tried this on all CoDs, it works flawlessly :yes2: