No introductory explanations, let's just get straight to the point. xD (Try the tutorials that come with CE itself if you don't have any experience, to get an idea of the basics of CE.)


To start off, as always, just scan for the "value" you're looking for; you will then find a memory address that holds that "value".


In my case, I'm reversing MAME v0.201 with Metal Slug 3 (NGM-2560) [mslug3] (Universal NeoGeo BIOS 3.3) ROM loaded.


I raked up the "coins value", which is the value that counts the number of coins (credits) put into the game.


Right-click on that record in CE and "Find out what writes to this address" (I use this as a verb), which gives me a pointer.


0ED49650 holds 11EA1090 (base)

D20 (offset)


I found that the value that 0ED49650 holds is different every time the game is re-loaded, hence it's somewhat obvious that 11EA1090 is determined at runtime only. (In other words, 11EA1090 is useless.)


Thus,

[[0ED49650] + D20] = coins value




Then, using the "Find out what writes to this address" feature of CE again on 0ED49650, I get


0ED49610 + 40 = 0ED49650

0ED49610 (base)

40 (offset)


because it shows...

03D3B2CA - 66 0F1F 44 00 00  - nop [rax+rax+00]

03D3B2D0 - 48 8B 49 40  - mov rcx,[rcx+40]

03D3B2D4 - 48 89 73 40  - mov [rbx+40],rsi <<

03D3B2D8 - 48 85 C9  - test rcx,rcx

03D3B2DB - 74 0A - je mame64.exe+393B2E7


RBX=000000000ED49610


Therefore,

[[0ED49610 + 40] + D20] = coins value




Where did this program (process) get 0ED49610 (base) from, then?


0ED49610 is a mother of 0ED49650 and you know that it's a "mother" because (0ED49610 + 40 = 0ED49650).


Scan for 0ED49610 stored as a value.


With "Find out what writes to this address" I discovered...

that 0ED49610 is stored in three places:

1. 0ED494F0 + 80 = 0ED49570

2. 0ED49690 + 48 = 0ED496D8

3. 0ED4ED68 + D8 = 0ED4EE40


More value scans show:

0ED494F0 cannot be found anywhere in memory

0ED49690 is easily found in static memory (see below)

0ED4ED68 cannot be found anywhere in memory


In static memory,

mame64.exe+D97AE08 holds 0ED49690

mame64.exe+E39AAB0 holds 0ED49690


The reasoning behind that can be described as follows:

mame64.exe+D97AE08 = 0DD7AE08

mame64.exe+E39AAB0 = 0E79AAB0


[0DD7AE08] = 0ED49690

[0E79AAB0] = 0ED49690


[mame64.exe+D97AE08] = 0ED49690

[mame64.exe+E39AAB0] = 0ED49690


and 0ED49690 is a pointer so,

[[mame64.exe+D97AE08] + 48] = 0ED496D8

[[mame64.exe+E39AAB0] + 48] = 0ED496D8


0ED496D8, reached through either [mame64.exe+D97AE08] or [mame64.exe+E39AAB0], holds the 0ED49610 we're searching for.


My conclusion here is,

mame64.exe+D97AE08 = 0DD7AE08 (static address)

[0DD7AE08] = 0ED49690 (ptr)

0ED49690 + 48 = 0ED496D8, and [0ED496D8] = 0ED49610 (ptr)

0ED49610 + 40 = 0ED49650, and [0ED49650] = 11EA1090 (runtime base)

[11EA1090 + D20] = coins value


So I figured out that my "coins value" can be obtained using this ptr to a ptr to a ptr to a ptr.

[[[[mame64.exe+D97AE08] + 48] + 40] + D20] = coins value


(...Or a ptr to a ptr to a ptr. Or a ptr to a ptr to a ptr to a ptr to a ptr. That I'm not really sure; I can't even count that many numbers. xD)
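As an added example (not part of the original post), here is a small Python script that parses the bracket notation used above and walks the chain against a constructed memory snapshot built from the post's addresses. The image base of 0x400000 is implied by the post's own numbers (0DD7AE08 - D97AE08), the coin count of 3 and the NULL slot at 0ED49690+50 are made up, and nothing is read from a live process.

```python
import re

# Constructed snapshot of a few qwords, mirroring the addresses the post found.
# Image base 0x400000 follows from 0DD7AE08 - D97AE08; the coin count is made up.
MODULES = {"mame64.exe": 0x400000}
MEMORY = {
    0x0DD7AE08: 0x0ED49690,          # [mame64.exe+D97AE08] -> 0ED49690
    0x0E79AAB0: 0x0ED49690,          # [mame64.exe+E39AAB0] -> same object
    0x0ED49690 + 0x48: 0x0ED49610,   # 0ED496D8 holds 0ED49610
    0x0ED49690 + 0x50: 0x0,          # constructed NULL slot (not from the post)
    0x0ED49610 + 0x40: 0x11EA1090,   # 0ED49650 holds runtime base 11EA1090
    0x11EA1090 + 0xD20: 3,           # coins value (constructed: 3 credits)
}

CHAIN_RE = re.compile(r"^(\[+)([\w.]+)\+([0-9A-Fa-f]+)\]((?:\+[0-9A-Fa-f]+\])*)$")

def parse_chain(text):
    """Turn '[[[[mame64.exe+D97AE08] + 48] + 40] + D20]' into
    (module, base_offset, [offsets...]); raises ValueError on bad input."""
    m = CHAIN_RE.match(re.sub(r"\s+", "", text))
    if not m:
        raise ValueError("not a pointer chain: %r" % text)
    brackets, module, base_off, rest = m.groups()
    offsets = [int(x, 16) for x in re.findall(r"\+([0-9A-Fa-f]+)\]", rest)]
    # Every '[' is one dereference: one per offset plus the final read.
    if len(brackets) != len(offsets) + 1:
        raise ValueError("bracket depth does not match offset count")
    return module, int(base_off, 16), offsets

def read_qword(addr):
    """Read one pointer-sized value from the snapshot; None if unmapped."""
    return MEMORY.get(addr)

def resolve(text, modules=MODULES):
    """Walk the chain. Returns (final_address, value), or (None, None) if an
    intermediate pointer is unmapped or NULL (the `test rcx,rcx` case above)."""
    module, base_off, offsets = parse_chain(text)
    addr = modules[module] + base_off
    for off in offsets:
        ptr = read_qword(addr)
        if not ptr:              # unmapped or NULL: object not allocated yet
            return None, None
        addr = ptr + off
    return addr, read_qword(addr)

if __name__ == "__main__":
    print(resolve("[[[[mame64.exe+D97AE08] + 48] + 40] + D20]"))
```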



Coconut Rum

Sept. 27th, 2018


