How to find pointer w/ offset [ecx+eax*4] (address offset?)

Question

I've seen this topic: How to find a point with offset eax+ebx*4

eax will be the pointer value to look for
ebx*4 will be the offset (ebx is the offset in an array with elements of 4 bytes long)
so:
ebx=0 : offset=0
ebx=1 : offset=4
ebx=2 : offset=8
ebx=3 : offset=c
ebx=4 : offset=10

But I'm still don't understand how can I determine ebx?

Here is my situation: I'm trying to get current ammo pointer for Red Faction: Guerrilla (gfwl version)

I see that the address of this ammo is changed when I load another save file. So I use "Find out what writes to this address" for the ammo pointer (which no longer working after load another save file)

Then I load another save file to see what it writes to the pointer: The result is the pointer with offset [ecx+eax*4]

So I make a pointer like this

ecx=00C1B988 (address 00C1B988 holds the value: ECX=00C1B994)

EAX*4= I don't know how to work with this, so I just put: E71*4

But it still doesn't work when I load another save file. I stuck at E71*4, what should I replace for E71? I even tried to search the value E71 (or 3697), but it seems like I'm going nowhere.

Does EAX change each time you run the game? Usually when you see ecx+eax*4 it's indexing into an array. ECX points to the array, EAX is the element # and 4 is size of the element. Often times when you see 4 or 8 it's because it's an array of pointers and that's the size of the pointer — GuidedHacking, Aug 27 '18 at 03:05
@GuidedHacking: Thanks for reply :) I think the developer of the game try to make it impossible to use cheat engine, I've never success find the pointer. That EAX change with different save game and with different progress of the game (if I don't start another save game and don't continue doing missions, then the EAX stay). So I think the problem is not the EAX change but the developer of the game use a method to make it impossible to find pointer. But luckily, I found out there are mods for this game that I can cheat the game any way I like: https://gaming.stackexchange.com/a/336026/198960 — 123iamking, Aug 30 '18 at 08:55
It's not anticheat, it's just how object oriented programming works and how C++ gets compiled — GuidedHacking, Aug 30 '18 at 17:46

GuidedHacking · Accepted Answer · 2021-11-07T17:17:22.407

Usually when you see ecx+eax*4 it's indexing into an array. ECX points to the array, EAX is the element # and 4 is size of the element. Often times when you see 4 or 8 it's because it's an array of pointers and that's the size of the pointer on x86.

What you're seeing is not some encryption/obfuscation/anticheat. It is just how object oriented programming/C++ gets compiled into assembly.

That pointer chain you're creating isn't going to work for you, the solution will be to get the address of the weapon/player object so you can offset into it to get address of the ammo. To do this you need to:

find another pointer manually
find another pointer using pointer scanner
pattern scanning + hooking and pulling the address out of the register

If perhaps this is some obfuscation, you can easily get the value of EAX by hooking the instruction and grabbing it's value.

So helpful. In my case, the array was 'argv' and it was referencing the last element via, 'ecx+eax*4-4'. — Syed Hasan, Nov 07 '21 at 08:53

How to find pointer w/ offset [ecx+eax*4] (address offset?)

1 Answers1