Multiple Pointers [Black_Wolf]

Intro

Well guys, fresh from the PSP scene, this is Black_Wolf. I'm really looking forward to hacking with you guys, so I'm hoping to share a bit of my hacking knowledge with you all.


Currently I don't even own a USBGecko, but I'm in the process of saving up for one soon. I've been doing a fair bit of research about it, though.


Now, this guide does not go into detail on actually writing codes with this knowledge, as I'm still a little blurry on the details, but if someone would like to give me a quick hand with getting this knowledge INTO code form, it would be great to add to this guide.


Ok, so as I've said before, I'm straight from the PSP scene; back there I was an experienced hacker, and it was essential to have a deep understanding of the pointer system. Now, many of you should know about single pointers (if not, read the stickied guides in this section), but what I will be explaining is a deeper form of pointers.


What is a multi-pointer?

Most pointers are base (1st level) pointers, but occasionally you will come across a game (usually online) where the only pointer leading to your variable is itself not static, making the usual methods useless. All is not lost, however: with a little time and the right knowledge, you can overcome this issue.


So your generic pointer looks like this: [POINTER VALUE] + OFFSET = CODE ADDRESS. However, sometimes dma is used so heavily that it starts to look like this:


[[POINTER VALUE] + OFFSET] + OFFSET = CODE


Basically, what this means is that you have a base pointer, like usual, but instead of pointing to where your object is, it points to another area of dynamic pointers (you still have to apply an offset to find the right one). This can continue for any number of levels; the most I've come across is five levels of pointers. Frustrating.


Ok, so this is great and all, but HOW can we find this "Base Pointer" if all it points to is a MOVING POINTER? Well, the most common method is what I will be teaching you.


The Method

So we start out the normal way: simply find yourself a value you know is multiple dma levelled. This could be health, ammo, whatever. In this case we'll say it's ammo.


Ok, so you have your dynamic ammo address. What you want to do is SEARCH for this address as a value. No results? Subtract 4 from this address and search again. Let's say your ammo address is 0x8122C784 (remember, we are not using ba this time around, so we need to use the TRUE address). We get no results, so we search 0x8122C780.


We keep subtracting 4 till we get to, let's say, 0x8122C700. With this we get a couple of results. Great, this is a real start. Generally, if you have a FEW results, take the one with the lowest address, but to be safe it's best to write them all down. Remember, during this process do NOT let the ram reset itself by dying or anything, as you will have to start again.


So let's say the ADDRESS that contains the VALUE 0x8122C700 is 0x8114CB60. So far we have


[0x8114CB60]+0x84 = Ammo Code (get the offset by subtracting the pointer's value from the original code address: 0x8122C784 - 0x8122C700 = 0x84.)


Now this isn't good enough, as this pointer is most likely dynamic too (usually you can tell by the address, if it's too high).


Alright, so what now? WELL, we repeat the process, but instead of using the AMMO address, we use the first pointer's address (0x8114CB60). So go ahead and search for that as a value, and do the minus-4 method again. You eventually find a result by searching 0x8114CB40 (0x20 down from the original). The address holding it is 0x8021445C.


So now we have this.

[[0x8021445C]+0x20]+0x84 = Ammo Code


Usually it's best to test once you have a double pointer. So go ahead and die, and follow the pointer line in the ram viewer (if you need this explained, just let me know). If it DOESN'T lead to the ammo address, just find ammo again, subtract 0x84 from the address, search, subtract 0x20 from that address, and you're back where you were, ready to search another level of dma (just repeat the process).


HOWEVER, if it does lead to your ammo, you've successfully found your base pointer, yay. Make this into a code by putting the base pointer in PO, loading and adding 0x20, loading THAT address into PO, then loading and adding 0x84, and writing to your code (not too sure how to do this, looking into it; if it's not possible with wiird, you can always just use ASM).


Ok, so that's a LOT to remember. For those like me who like to know what they are doing in their hacking, keep reading. If you just want to follow a method without understanding it, skip this lol.



The Explanation

So why do we do this? Well, it's simple really: you know that pointers are simply addresses whose VALUE is another address, right? So by directly searching for the address, we can find the pointer that way. Why minus 4? Well, pointers always point to 32-bit (4-byte aligned) addresses, that's 0x0, 0x4, 0x8 and of course 0xC. Otherwise your pointer would be pointing into HALF a value, which, to my knowledge, isn't too common. So we do this until we find a base pointer, in other words the pointer that POINTS to another pointer (wow). Basically, by treating our dynamic pointer simply as another code, we can find the pointer to it.


So why can't we just use the normal method for finding pointers, i.e. dying and searching for the difference between our addresses? Well, the reason is, we have NO IDEA from our first address HOW much the pointers are moving by. So we'd just find a bunch of dynamic pointers that wouldn't work the next time we die anyway. If you REALLY want, and you are SURE how many levels of pointers you're looking at, you can use the original method for finding the base. But it's silly unless you know it's double dma or triple dma, so it's best just to use the -4 method when dealing with pointers.



Summary

So here's a brief summary of how to find your pointer line:


  1. Find your dynamic value (the actual thing you want to change)

  2. Search for its address as a value

  3. Subtract 4 from the value you search for, until you get some results showing

  4. Figure out (and write down) your first offset (CODE ADDRESS - POINTER 1's VALUE)

  5. Repeat steps 1-4 using the POINTER's address instead of your original code address

  6. Continue this until you find a stable base.
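To make the Method and the Summary above concrete, here is an added simulation of the whole search, written for this page and not part of Black_Wolf's original post. It models a small region of RAM as a dictionary of 4-byte-aligned words, plants the guide's own chain ([[0x8021445C]+0x20]+0x84 = ammo) into it, recovers the chain with the "search the address as a value, subtract 4 until you get hits" method, and then repeats the guide's "die and check the pointer line still works" test by rebuilding memory with the dynamic blocks moved. The memory contents, the decoy words, the ammo value and the `looks_static` heuristic are all assumptions made for the demo; the guide itself only says you can usually tell a dynamic pointer by its address being too high.

```python
# Added example, not from the original post. Addresses and offsets are the
# guide's; memory contents, decoys and the "static address" heuristic are
# constructed for the demo.

STATIC_BASE = 0x8021445C      # the stable base pointer the guide ends up with
MID_BLOCK   = 0x8114CB40      # dynamic block; its +0x20 word points at the object
OBJ_BLOCK   = 0x8122C700      # dynamic object; ammo lives at +0x84
AMMO_ADDR   = OBJ_BLOCK + 0x84
AMMO_VALUE  = 30              # constructed ammo count


def build_memory(mid_block: int, obj_block: int) -> dict:
    """Lay out  [[STATIC_BASE] + 0x20] + 0x84 = ammo  in a fresh memory image.

    Memory is modelled as {aligned address: 32-bit word}; unpopulated words read
    as 0. Passing different block addresses simulates the game reallocating its
    dynamic memory (e.g. after dying) while the base pointer stays put.
    """
    return {
        STATIC_BASE: mid_block,          # base pointer -> middle block
        mid_block + 0x20: obj_block,     # middle block + 0x20 -> object
        obj_block + 0x84: AMMO_VALUE,    # the value we actually care about
        0x80300000: 0x12345678,          # unrelated decoy word
        0x8130FF00: obj_block,           # second copy of the object pointer at a
                                         # higher address: exercises the guide's
                                         # "take the lowest address" rule
    }


def read32(mem: dict, addr: int) -> int:
    """Read one 32-bit word; pointers only ever land on 4-byte boundaries."""
    if addr & 3:
        raise ValueError(f"unaligned 32-bit read at {addr:#010x}")
    return mem.get(addr, 0)


def search_value(mem: dict, value: int) -> list:
    """Every address whose word equals value, lowest address first."""
    return sorted(a for a, v in mem.items() if v == value)


def find_pointer_to(mem: dict, target: int, max_steps: int = 0x400):
    """Search for target; on no hits subtract 4 and retry (the minus-4 method).

    Returns (offset, hits) where offset = target - value_that_was_found, or
    None if nothing within max_steps bytes below target is pointed to.
    """
    for offset in range(0, max_steps + 1, 4):
        hits = search_value(mem, target - offset)
        if hits:
            return offset, hits
    return None


def find_chain(mem: dict, code_addr: int, is_static, max_levels: int = 5):
    """Walk backwards from code_addr until a static pointer is reached.

    Returns (base_address, offsets) with offsets ordered base -> code, so the
    guide's example comes out as (0x8021445C, [0x20, 0x84]).
    """
    offsets = []
    current = code_addr
    for _ in range(max_levels):
        found = find_pointer_to(mem, current)
        if found is None:
            raise LookupError(f"nothing points near {current:#010x}")
        offset, hits = found
        pointer_addr = hits[0]           # guide's rule: lowest address wins
        offsets.append(offset)
        if is_static(pointer_addr):
            return pointer_addr, offsets[::-1]
        current = pointer_addr           # treat the pointer as the next "code"
    raise LookupError(f"chain deeper than {max_levels} levels")


def resolve_chain(mem: dict, base: int, offsets: list) -> int:
    """Follow the chain forward: addr = [addr] + offset for each level."""
    addr = base
    for offset in offsets:
        addr = read32(mem, addr) + offset
    return addr


def looks_static(addr: int) -> bool:
    # Assumed heuristic standing in for the guide's "you can tell by the
    # address if it's too high": treat anything below 0x81000000 as static.
    return addr < 0x81000000


def chain_survives_reset(base: int, offsets: list) -> bool:
    """The guide's 'die and re-check' test: after the dynamic blocks move, the
    same base and offsets must still land on a word holding the ammo value."""
    moved = build_memory(0x8115D000, 0x81240000)   # constructed post-reset layout
    return read32(moved, resolve_chain(moved, base, offsets)) == AMMO_VALUE


if __name__ == "__main__":
    mem = build_memory(MID_BLOCK, OBJ_BLOCK)
    base, offsets = find_chain(mem, AMMO_ADDR, looks_static)
    chain = "[" * len(offsets) + f"{base:#010x}" + "".join(f"]+{o:#x}" for o in offsets)
    print(f"{chain} = ammo at {resolve_chain(mem, base, offsets):#010x}")
    print("survives reset:", chain_survives_reset(base, offsets))
    print("single dynamic pointer survives reset:", chain_survives_reset(0x8114CB60, [0x84]))
```

Running it prints the recovered chain `[[0x8021445c]+0x20]+0x84` and shows why the guide insists on testing after a reset: the full chain from the static base still resolves to the ammo word after the blocks move, while the first-level pointer at 0x8114CB60 on its own does not, because that address is itself inside a block that moved.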


So, I hope that with this guide some of you will be able to better understand the pointer system, and while not many games use it now, in the future that may not be the case. Hope this helps. My home site is http://www.onehitgamer.com for anyone who wants to have a look.


-Black_Wolf

onehitgamer