Project 3: Cheat Engine Pointer Chains

Discover a stable pointer chain that resolves a dynamic value across restarts.

Quick Reference

Attribute	Value
Difficulty	Level 3
Time Estimate	1-2 weeks
Main Programming Language	Tool-driven (Cheat Engine)
Alternative Programming Languages	N/A
Coolness Level	Level 4
Business Potential	Level 1
Prerequisites	P02 scan workflow
Key Topics	Pointer chains, ASLR stability

---

1. Learning Objectives

By completing this project, you will:

1. Identify a stable root (module base) for pointer chains.
2. Validate pointer paths across multiple restarts.
3. Build a documented pointer map for HP.

---

2. All Theory Needed (Per-Concept Breakdown)

Pointer Chains and Dynamic Addresses

• Fundamentals Addresses in modern programs change across runs because of ASLR and dynamic heap allocation. Pointer chains provide a stable path by following offsets from a fixed base. In practice, you anchor the chain on a module base or a static pointer, then walk through multiple levels until you reach the target value. This transforms unstable addresses into reproducible references.

• Deep Dive into the concept When a program allocates an object on the heap, the absolute address depends on the allocator state, which changes each run. However, the pointer to that object is usually stored in a more stable structure, such as a global manager object or a static module. This creates the possibility of pointer chains: a series of dereferences and offsets that lead to the target. The root is typically a module base or a static pointer that remains at a consistent relative address. From there, each offset corresponds to a field inside a structure.

  Cheat Engine’s pointer scanning automates discovery of these chains by searching the process memory for pointers that lead to your target address. The difficulty is that pointer scans often produce many false positives. Memory is full of values that happen to look like pointers. Therefore, validation is crucial: you must restart the process and verify that the chain still resolves to the correct value. A chain that works once but fails on restart is not reliable.

  Depth is another trade-off. A chain with many hops is fragile; if any intermediate structure changes layout, the chain breaks. Shallow chains are more stable but harder to find. This is why pointer scanning settings matter: depth, max offsets, and module constraints should be tuned to balance stability and discovery rate. In a lab, you can reduce noise by using your deterministic sandbox and by ensuring your target value is in a stable object.

  Another practical issue is pointer size and alignment. On 64-bit systems, pointers are 8 bytes; on 32-bit, they are 4 bytes. Scans must match the correct pointer size, or you will get misleading results. Also, if your target is a float or a packed field, offsets might be subtle. Understanding the likely structure layout helps you reason about which pointer paths are plausible.

• How this fit on projects Pointer chains are the stability layer for scanning results. This concept powers Project 3 and informs Projects 7 and 8.

• Definitions & key terms
  • Pointer chain: A series of dereferences and offsets.
  • Module base: Stable load address of a binary module.
  • Offset: A byte distance from one field to another.
  • ASLR: Randomizes base addresses across runs.
• Mental model diagram ``` Stable Root -> Offset -> Pointer -> Offset -> Target

[Module Base] + 0x120 -> ptr ptr + 0x40 -> ptr ptr + 0x18 -> HP

- **How it works (step-by-step)**
  1. Find the target address via scanning.
  2. Run pointer scan to find candidate chains.
  3. Filter by module base and depth.
  4. Restart the process and validate the chain.

- **Minimal concrete example**

Base: game.exe + 0x120 Offsets: 0x40, 0x18 Result: HP resolves correctly after restart

- **Common misconceptions**
  - “Any pointer chain is good.” (You need stable, minimal chains.)
  - “Pointer scans are always correct.” (False positives are common.)

- **Check-your-understanding questions**
  1. Why do pointer chains survive restarts?
  2. What makes a chain fragile?
  3. How do you validate a chain?

- **Check-your-understanding answers**
  1. The root is anchored to a stable module base.
  2. Too many hops or changing structures.
  3. Restart and confirm it resolves correctly.

- **Real-world applications**
  - QA tooling that needs stable memory addresses.
  - Automation scripts for internal testing.

- **Where you’ll apply it**
  - This project’s §5.4 and §6.2.
  - Also used in: P07-linux-gdb-watchpoints.md, P08-linux-proc-ptrace-observer.md.

- **References**
  - Cheat Engine Wiki: Pointer Scans.
  - CSAPP - Ch. 9 (virtual memory).

- **Key insights**
  Stability comes from anchoring to a fixed root and minimizing hops.

- **Summary**
  Pointer chains are the bridge between dynamic addresses and reproducible analysis.

- **Homework/Exercises to practice the concept**
  1. Sketch a 3-hop chain and label each offset’s likely field.
  2. Compare two candidate chains and choose the more stable one.

- **Solutions to the homework/exercises**
  1. The root should be a module base; each hop should represent a structure.
  2. Prefer shorter chains anchored to stable modules.

---

## 3. Project Specification

### 3.1 What You Will Build

A stable pointer chain for HP and ammo in your sandbox, validated across at least three restarts. You will document the chain and explain why it is likely stable.

### 3.2 Functional Requirements

1. Identify module base and use it as root.
2. Use pointer scan to generate candidate chains.
3. Validate chain stability across restarts.
4. Document offsets and validation steps.

### 3.3 Non-Functional Requirements

- **Performance**: Pointer scan completes under 10 minutes.
- **Reliability**: Chain resolves correctly after 3 restarts.
- **Usability**: Documentation includes offsets and reasoning.

### 3.4 Example Usage / Output

Pointer Chain: Base = game.exe + 0x120 Offsets = 0x40 -> 0x18

### 3.5 Data Formats / Schemas / Protocols

- **Pointer chain record**: base module + list of offsets.

### 3.6 Edge Cases

- Chain works once but fails after restart.
- Multiple chains resolve to the value.

### 3.7 Real World Outcome

#### 3.7.1 How to Run (Copy/Paste)

1. Attach Cheat Engine.
2. Scan for HP address.
3. Run pointer scan and validate.

#### 3.7.2 Golden Path Demo (Deterministic)

After three restarts, the chain resolves to HP with the same offsets.

#### 3.7.3 Failure Demo

Chain fails on restart because root pointer was not module-based.

---

## 4. Solution Architecture

### 4.1 High-Level Design

[Module Base] -> [Pointer Scan] -> [Candidate Chains] -> [Validation]

### 4.2 Key Components

| Component | Responsibility | Key Decisions |
|-----------|----------------|---------------|
| Root Selection | Stable anchor | Module base |
| Validation | Restart testing | 3 runs |

### 4.3 Data Structures (No Full Code)

- **Chain record**: base + offsets + validation notes.

### 4.4 Algorithm Overview

**Key Algorithm: Chain Validation**
1. Resolve chain.
2. Verify value matches HP.
3. Restart and repeat.

**Complexity Analysis**
- Time: O(k) per chain validation.
- Space: O(k) offsets.

---

## 5. Implementation Guide

### 5.1 Development Environment Setup

- Use Windows VM with Cheat Engine.

### 5.2 Project Structure

project/ ├── pointer-chains.md └── screenshots/

### 5.3 The Core Question You're Answering

> "How can I reliably locate a value that moves every time the program runs?"

### 5.4 Concepts You Must Understand First

- ASLR and dynamic allocation
- Pointer dereference paths

### 5.5 Questions to Guide Your Design

1. What module is most stable to use as root?
2. What is the smallest depth that still resolves correctly?

### 5.6 Thinking Exercise

Draw a chain diagram with offsets and hypothesize what each pointer represents.

### 5.7 The Interview Questions They'll Ask

1. "Why are pointer chains necessary?"
2. "How do you validate a chain?"
3. "What is the impact of ASLR on addresses?"

### 5.8 Hints in Layers

**Hint 1:** Use module base as root.
**Hint 2:** Keep depth small.
**Hint 3:** Restart three times.
**Hint 4:** Validate with freeze tests.

### 5.9 Books That Will Help

| Topic | Book | Chapter |
|-------|------|---------|
| Virtual memory | CSAPP | Ch. 9 |

### 5.10 Implementation Phases

#### Phase 1: Scan (2-4 hours)
- Locate HP address.
- Start pointer scan.

**Checkpoint:** Candidate chains listed.

#### Phase 2: Filter (4-6 hours)
- Reduce chains by module root.

**Checkpoint:** 3-5 candidates.

#### Phase 3: Validate (4 hours)
- Restart and verify chain stability.

**Checkpoint:** Stable chain confirmed.

### 5.11 Key Implementation Decisions

| Decision | Options | Recommendation | Rationale |
|----------|---------|----------------|-----------|
| Root | Module base vs heap | Module base | Stable across runs |
| Depth | 2-5 | 2-3 | Less fragile |

---

## 6. Testing Strategy

### 6.1 Test Categories

| Category | Purpose | Examples |
|----------|---------|----------|
| Stability | Restart tests | 3 runs |
| Accuracy | Value match | Freeze check |

### 6.2 Critical Test Cases

1. Chain resolves to HP on three consecutive restarts.
2. Freeze via chain and verify behavior.

### 6.3 Test Data

Restart count: 3 Expected: HP resolves each time ```

---

7. Common Pitfalls & Debugging

7.1 Frequent Mistakes

Pitfall	Symptom	Solution
Too deep chain	Breaks often	Reduce depth
Wrong root	Fails after restart	Anchor to module

7.2 Debugging Strategies

• Compare chains across runs.
• Validate against authoritative value, not UI copy.

---

8. Extensions & Challenges

8.1 Beginner Extensions

• Find a stable chain for ammo.

8.2 Intermediate Extensions

• Compare chains for HP and ammo.

8.3 Advanced Extensions

• Build a pointer map for multiple objects.

---

9. Real-World Connections

9.1 Industry Applications

• Internal QA trainers.

9.2 Related Open Source Projects

• Use the sandbox from P01.

9.3 Interview Relevance

• Demonstrates understanding of ASLR and pointer stability.

---

10. Resources

10.1 Essential Reading

• Cheat Engine Wiki: Pointer Scanning
• CSAPP Ch. 9

10.2 Video Resources

• Pointer scan walkthroughs (tool demos).

10.3 Tools & Documentation

• Cheat Engine documentation.

10.4 Related Projects in This Series

• P02-cheat-engine-value-scanning.md
• P07-linux-gdb-watchpoints.md

---

11. Self-Assessment Checklist

11.1 Understanding

• I can explain why addresses move.
• I can describe a pointer chain.

11.2 Implementation

• Chain validated across restarts.
• Offsets documented.

11.3 Growth

• I can reproduce the chain without notes.

---

12. Submission / Completion Criteria

Minimum Viable Completion:

• Stable chain for HP documented.

Full Completion:

• Chains for HP and ammo.

Excellence (Going Above & Beyond):

• Pointer map for multiple objects.