pisto
16 Aug 2009, 17:49
this wormkit module is not for players, but it's a tool for programming other wormkit modules, especially for those that change the gameplay.
This module makes it easier to find the chain of pointers that lead to the specific memory structure that you want to modify, and fetches (if it doesn't fail) a static base.
I made this module because the only other pointer scan I know (Cheat Engine) is not usable. Better, I "optimized" this module for w:a.
Here is some technical info:
the pointer path (chain) must lie only in heap blocks (dynamically allocated memory, malloc/new). Only heap blocks allocated from the module WA.exe, positive offset and aligned pointers are accepted. Before scanning, the entire valid memory is scanned once, and a "web" of pointers is memorized: the scan will work on this web.
additionally, you can print a list of the heap blocks, with their size, their references from other heap blocks, the stacktrace of the thread that allocated them, and info about reallocations (original size, minimum size)
Scanning is quite fast, almost instantaneous with a maximum pointer chain length of 7, the default value.
You can send commands to this module through a console. All offsets, addresses, sizes etc. are in hex format. The commands are:
- web: manually creates a web (if you want to print out references).
- print: prints in output.txt (a new file in worms folder) a list of all the heap blocks, with length, reallocation info (original, minimum size), cross references (if a web has been made). A cross reference is printed out with the format @x(y:z): x is the offset to which the pointer points in the current heap block (the "son"), y is the address of the heap block with the pointer (the "dad"), z is the offset of the pointer in the "dad".
- print [address]: as above, but just for one block, and shows also the allocation stacktrace and its functions' arguments. Since it's impossible to determine how many arguments a function takes, you can always see 6 DWORD values: if you know, for instance, that a function takes 2 arguments, the last 2 of these 6 values are the arguments, in the same order as in the source code.
- start [address]: start a new scan for address. Automatically deletes old scan results and webs.
- checknow: checks that the pointer paths found are still valid.
- checknow [address]: same as above, but changes the target address first.
- printpath: shows the paths currently found, giving the base address and the relative offsets. You can manually add these numbers in Cheat Engine.
- save [filename]: save the current results to a file
- load [filename]: load results from a file (web will be deleted if the static base area saved in the file is different from the current)
- setmax [depth]: set the maximum length of the pointer chain (default: 7).
- setstatic [start] [end]: set the static base area. Default is from 0x6a3000 to 0x975400.
- heapcount: shows the number of heap blocks.
- cls: clear output.txt
http://www.webalice.it/micioptah/wkPointerScan.dll
Thanks to DC for the help with the console.
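As an added illustration, not pisto's module and not its code, here is a small Python model of the scan the post describes: a "web" of aligned pointers into heap blocks is built once, then the scan walks back from a target address to the static base area, reporting chains the way printpath does (base address plus relative offsets) and re-checking them the way checknow does. The memory snapshot, the heap block addresses and every value in it are constructed for the example; only the default static area 0x6a3000-0x975400 comes from the post.

```python
from collections import defaultdict

# Constructed 32-bit snapshot: {aligned address: DWORD value}. Not real WA.exe data.
STATIC_START, STATIC_END = 0x6A3000, 0x975400        # default static base area
HEAP_BLOCKS = {0x10000: 0x40, 0x20000: 0x20, 0x30000: 0x30}  # block start -> size

def build_memory():
    mem = {}
    mem[0x6A3010] = 0x10008   # static base -> block A at offset 8
    mem[0x10010] = 0x20004    # A+0x10 -> block B at offset 4
    mem[0x20004] = 0x30008    # B+0x04 -> block C at offset 8
    mem[0x6A3020] = 0x500000  # distractor: points outside every heap block
    mem[0x30000] = 0x10000    # back-pointer C -> A, creates a cycle
    return mem

def block_of(addr):
    """Return (start, size) of the heap block containing addr, or None."""
    for start, size in HEAP_BLOCKS.items():
        if start <= addr < start + size:
            return start, size
    return None

def build_web(mem):
    """Map each block start to the (pointer address, pointed-to address) references into it.
    Only aligned pointer locations that land inside a heap block are kept."""
    web = defaultdict(list)
    for addr, value in mem.items():
        if addr % 4 == 0 and block_of(value):
            web[block_of(value)[0]].append((addr, value))
    return web

def find_paths(mem, target, max_depth=7):
    """Walk the web backwards from target; return [(static base, [offsets])].
    A chain resolves Cheat-Engine style: addr = base; for off: addr = *addr + off."""
    web, results = build_web(mem), []
    def walk(cur, offsets, depth):
        blk = block_of(cur)
        if blk is None or depth == max_depth:
            return
        for ptr_addr, pointed in web[blk[0]]:
            if cur < pointed:            # negative offsets are rejected, as in the post
                continue
            chain = [cur - pointed] + offsets
            if STATIC_START <= ptr_addr < STATIC_END:
                results.append((ptr_addr, chain))
            elif block_of(ptr_addr):     # pointer lives in another heap block: go deeper
                walk(ptr_addr, chain, depth + 1)
    walk(target, [], 0)
    return results

def resolve(mem, base, offsets):
    """The checknow step: follow a reported chain, None if a pointer no longer resolves."""
    addr = base
    for off in offsets:
        if addr not in mem:
            return None
        addr = mem[addr] + off
    return addr
```

The cycle through block C is cut by the negative-offset rule and the depth limit, so the walk terminates; a chain that stops resolving after a reallocation shows up as None from resolve.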