Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Get start address and size of (.text) section

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Lua Scripting
View previous topic :: View next topic  
Author Message
RandName
Newbie cheater
Reputation: 0

Joined: 19 Jun 2015
Posts: 22
PostPosted: Mon Aug 10, 2015 11:50 am    Post subject: Get start address and size of (.text) section Reply with quote
Hi,

I want to create a copy of the .text section so I can cross-reference calls to the .text section to my copy.

How can I archive this with Lua or AA?

I know that there is a method by reading the PE Header but again, I don't know how to do this with Lua / AA.
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25284
Location: The netherlands
PostPosted: Mon Aug 10, 2015 11:57 am    Post subject: Reply with quote
Not .text only, but you can get the full size, both .text .data (and other sections) using getModuleSize("modulename")

If you want .text only you'll have to read the PE header.
For start, use getAddress("Modulename") to get the address of the MZ header
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
RandName
Newbie cheater
Reputation: 0

Joined: 19 Jun 2015
Posts: 22
PostPosted: Mon Aug 10, 2015 11:59 am    Post subject: Reply with quote
Dark Byte wrote:
Not .text only, but you can get the full size, both .text .data (and other sections) using getModuleSize("modulename")

If you want .text only you'll have to read the PE header.
For start, use getAddress("Modulename") to get the address of the MZ header


Code:
getAddress("Modulename")

This would give me the base address of the module if I am correct?
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25284
Location: The netherlands
PostPosted: Mon Aug 10, 2015 12:05 pm    Post subject: Reply with quote
yes
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
RandName
Newbie cheater
Reputation: 0

Joined: 19 Jun 2015
Posts: 22
PostPosted: Mon Aug 10, 2015 12:47 pm    Post subject: Reply with quote
I wrote following function which dissects the PE Header for you.
As argument you have to enter your desired module to be dissected.

Code:

function dissectPEHeader(module)
  local base = getAddress(module)
  local msdosSize = byteTableToDword(readBytes(base + 0x3C, 2, true))
  local headerBase = base + msdosSize
  local numOfSections = byteTableToDword(readBytes(headerBase + 6, 2, true))
  local optionalHeaderSize = byteTableToDword(readBytes(headerBase + 20, 2, true))
  local sectionArrayBase = headerBase + 24 + optionalHeaderSize

  local pe_header = {
    base = base;
    msdosSize = msdosSize;
    headerBase = headerBase;
    numOfSections = numOfSections;
    optionalHeaderSize = optionalHeaderSize;
    sectionArrayBase = sectionArrayBase;
  };

  for i = 0, numOfSections - 1 do
    local sectionBase = sectionArrayBase + i * 40
    local sectionName = readString(sectionBase, 8)
    pe_header[sectionName] = {
      name = sectionName;
      base = sectionBase;
      size = byteTableToDword(readBytes(sectionBase + 8, 4, true));
      address = byteTableToDword(readBytes(sectionBase + 12, 4, true));
      sizeOfRawData = byteTableToDword(readBytes(sectionBase + 16, 4, true));
      pointerToRawData = byteTableToDword(readBytes(sectionBase + 20, 4, true));
      pointerToRawRelocations = byteTableToDword(readBytes(sectionBase + 24, 4, true));
      pointerToLineNumbers = byteTableToDword(readBytes(sectionBase + 28, 4, true));
      numOfRelocations = byteTableToDword(readBytes(sectionBase + 32, 2, true));
      numOfLineNumbers = byteTableToDword(readBytes(sectionBase + 34, 2, true));
      characteristics = byteTableToDword(readBytes(sectionBase + 36, 4, true));
    };
  end

  return pe_header
end


The code may not be perfect but it does its job well.
The function returns a table with the dissected data.

For example:
Code:

header = dissectPEHeader("Skype.exe") -- Enter your module here!

moduleBase = header.base -- moduleBase now contains the base address of the module
numberOfSections = header.numOfSections -- Number of sections in your module

-- For getting information about specific sections, just do it like below
textSectionSize = header['.text'].size -- Virtual Size of the section
textSectionAddress = header['.text'].address -- Virtual Address

dataSectionSize = header['.data'].size -- Virtual Size of the section
dataSectionAddress = header['.data'].address -- Virtual Address

print(string.format("0x%x", moduleBase))
print(numberOfSections)
print("")
print(string.format("%x", textSectionSize))
print(string.format("0x%x", textSectionAddress))
print("")
print(string.format("%x", dataSectionSize))
print(string.format("0x%x", dataSectionAddress))


Output for Skype:
Code:

0x400000
10
 
1b37b6c
0x1000
 
36da0
0x1b3f000
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Lua Scripting All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites