Cheat Engine The Official Site of Cheat Engine
Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Fri May 26, 2017 8:50 am Post subject: Store static address in AA (64bit)
In 32-bit games, when there is a static address accessed in opcodes, we can use readmem to store it.
In 64-bit games, however, the bytes do not represent the location in memory, so how can I store a static address like this in an AA script?
Code:
8B 0D 0FCE8D00 - mov ecx,[7FF66EB48D9C]
panraven Grandmaster Cheater Reputation: 55
Joined: 01 Oct 2008 Posts: 942
Posted: Fri May 26, 2017 9:26 am Post subject:
The long address is the absolute address, while 0f ce 8d 00 (0x8dce0f) is the relative offset from the starting address (addr) of the next instruction. The absolute address should be addr + 8dce0f.
You may try the AA command
Code:
dstAddr:
reassemble(srcAddr)
, which will try to assemble the instruction from srcAddr at dstAddr while recalculating the correct relative offset if possible.
If that is not possible, e.g. the distance between srcAddr and dstAddr is > 2G,
but you know where the offset bytes are (the 0f ce 8d 00), e.g. from aobscan, it can be calculated manually like:
Code:
aobscan(sym, 8b 0d ?? ?? 00 00 --- some other bytes--)
//offset:sym+2 => ----------- ^-- begin of next instruction: sym+6
...
push rax
mov rcx, sym+6 // next instruction address
movsxd rax,[rcx-4] // get signed offset (sign-extended disp32), address is sym+6-4 = sym+2
add rcx,rax // obtain absolute address
pop rax
mov ecx,[rcx] // == mov ecx,[7FF66EB48D9C]; rcx is free here because the original instruction overwrites ecx
When allocating the code cave, the AA command alloc can take a 3rd parameter to suggest where the allocation should be near, so that reassemble can work, e.g. in the above aobscan case:
Code:
alloc(cave, $100, sym)
then manually calculating the offset is not needed.
_________________
- Retarded.
Last edited by panraven on Fri May 26, 2017 2:28 pm; edited 1 time in total
Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Fri May 26, 2017 9:35 am Post subject:
I'm not at home yet but in my case it would be:
Code:
aobscanmodule(moneyAOB, game.exe, 8B 0D ? ? ? ? 8B 0D ? ? ? ? C3)
....
alloc(money, 8)
registersymbol(money)
money:
reassemble(moneyAOB+2)
where it stores 7FF66EB48D9C in the money label? How does the reassemble command know how many bytes to take?
panraven Grandmaster Cheater Reputation: 55
Joined: 01 Oct 2008 Posts: 942
Posted: Fri May 26, 2017 10:33 am Post subject:
The addr of reassemble should be the starting address of the instruction, which should be exactly moneyAOB.
CE will know how, given that it is possible.
It can be imagined that CE, as a person, looks into the srcAddr and disassembles it, so it gets some text like mov ecx,[7FF66EB48D9C], instead of a byte-by-byte copy like readmem; then CE assembles the text at dstAddr (the code cave).
Each reassemble works on only one instruction.
The alloc can have an address hint as:
Code:
alloc(money, 256,moneyAOB) // should need more than 8 bytes, in case there is extra alloc
ADDED:
Oh, I missed the keyword "store" the static address; you may need the manual calculation version:
Code:
...
globalalloc(pStoreHere,16)
...
push rax
mov rcx, moneyAOB+6 // next instruction address
movsxd rax,[rcx-4] // get signed offset (sign-extended disp32), address is moneyAOB+6-4 = moneyAOB+2
add rcx,rax // obtain absolute address
mov rax,pStoreHere // storing the address
mov [rax],rcx
pop rax
mov ecx,[rcx] // == mov ecx,[7FF66EB48D9C]
or, if moneyAOB is a registered symbol, in another script by Lua (because it needs to read a 4-byte address, or the aobscanned code will not be executed, i.e. it is executed only in initialization):
Code:
{$lua}
autoAssemble("globalalloc(pStoreHere,16)") -- make sure pStoreHere is available
local addr = readInteger("moneyAOB+2") -- 4-byte offset (read unsigned)
if addr and addr>0x7fffffff then -- may be signed (negative displacement)
  addr = addr - 0x100000000 -- correction: sign-extend the 32-bit value
end
addr = addr and addr + ( GetAddress("moneyAOB") + 6) -- offset + (next instruction addr)
if addr then writeQword("pStoreHere",addr)end -- store absolute static address
-----
This may work in CE 6.7:
Code:
...
label(pStoreHere)
registersymbol(pStoreHere)
$(readInteger('moneyAOB+2',true)+GetAddress('moneyAOB+6')):
pStoreHere:
...
Note 1: the 'true' in readInteger('moneyAOB+2',true) makes it read the value as signed, so it should correctly add the offset to obtain the absolute address.
Note 2: the previous pStoreHere using globalalloc stores the target static address as the content at address pStoreHere, while in this version using a label, pStoreHere is the static address itself.
_________________
- Retarded.
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Sat May 27, 2017 7:05 am Post subject:
Code:
autoAssemble([[
aobscanmodule(money, game.exe, 8B 0D ? ? ? ? 8B 0D ? ? ? ? C3)
registersymbol(money)
]])
local address = getAddress("money")
unregisterSymbol("money")
-- offset bytes start at "+2" and instruction length is "+6";
-- read the disp32 as signed (CE 6.7) so a negative offset is not wrapped to a large unsigned value
address = readInteger(address + 2, true) + address + 6
registerSymbol("money", address, true)
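To make the calculation in panraven's explanation (next instruction address plus sign-extended disp32, and why reassemble needs the cave within 2 GiB) and Zanzer's Lua concrete, here is an added Python example that is not code from this thread or from Cheat Engine. It decodes the RIP-relative operand of the posted instruction, sign-extends the disp32 the way movsxd and readInteger(...,true) do, and re-encodes the instruction at a new address as reassemble would, refusing when the target is more than 2 GiB away. The instruction address 0x7FF66E26BF87 is an assumption chosen so that the posted bytes resolve to 7FF66EB48D9C; the second sample instruction with a negative displacement is constructed for the example.

```python
import struct

# Added example: x64 RIP-relative operand resolution and relocation.
# Not code from the thread; addresses below are assumed/constructed.

def decode_rip_relative(code: bytes, instr_addr: int):
    """Decode a mov/lea whose memory operand is [rip+disp32].

    Covers the shape the thread deals with: optional REX prefix, opcode
    8B (mov reg,[mem]), 89 (mov [mem],reg) or 8D (lea), then a ModRM byte
    with mod=00 and rm=101, which in 64-bit mode means RIP-relative.
    Returns (next_ip, disp32, target, length) or None if not matched.
    """
    i = 0
    if 0x40 <= code[i] <= 0x4F:          # REX prefix (REX.W = 64-bit register)
        i += 1
    if code[i] not in (0x8B, 0x89, 0x8D):
        return None
    modrm = code[i + 1]
    mod, rm = modrm >> 6, modrm & 7
    if mod != 0 or rm != 5:
        return None                       # not a RIP-relative operand
    disp_off = i + 2                      # disp32 follows ModRM ("+2" in the posts)
    length = disp_off + 4                 # instruction length ("+6" without REX)
    # disp32 is little-endian and signed; "<i" sign-extends it exactly like
    # movsxd in the AA version and readInteger(addr, true) in Lua
    disp = struct.unpack_from("<i", code, disp_off)[0]
    next_ip = instr_addr + length
    target = (next_ip + disp) & 0xFFFFFFFFFFFFFFFF
    return next_ip, disp, target, length


def relocate(code: bytes, src_addr: int, dst_addr: int):
    """Re-encode the instruction so that, placed at dst_addr, it still
    references the same absolute target (what reassemble() does).
    Returns the new bytes, or None when the target is out of disp32 range
    (more than 2 GiB away), which is why alloc() takes a 'near' hint."""
    dec = decode_rip_relative(code, src_addr)
    if dec is None:
        return None
    _next_ip, _disp, target, length = dec
    new_disp = target - (dst_addr + length)
    if not -0x80000000 <= new_disp <= 0x7FFFFFFF:
        return None
    disp_off = length - 4
    return code[:disp_off] + struct.pack("<i", new_disp) + code[length:]


# Constructed input: the bytes from the first post. The address is assumed
# so that they resolve to 7FF66EB48D9C as in the post.
OP_CODE = bytes.fromhex("8B 0D 0F CE 8D 00")
OP_ADDR = 0x7FF66E26BF87

# Constructed input with a negative displacement: mov rax,[rip-0x10]
NEG_CODE = bytes.fromhex("48 8B 05 F0 FF FF FF")
NEG_ADDR = 0x140001000


if __name__ == "__main__":
    nip, disp, tgt, ln = decode_rip_relative(OP_CODE, OP_ADDR)
    print(f"next ip {nip:X} + disp {disp:#x} = target {tgt:X} (len {ln})")
    nip, disp, tgt, ln = decode_rip_relative(NEG_CODE, NEG_ADDR)
    print(f"next ip {nip:X} + disp {disp:#x} = target {tgt:X} (len {ln})")
    near = relocate(OP_CODE, OP_ADDR, OP_ADDR - 0x1000)
    print("relocated near cave:", near.hex(" "))
    print("relocated far cave:", relocate(OP_CODE, OP_ADDR, 0x10000))
```

Reading the disp32 without sign extension would turn the second sample's -0x10 into 0xFFFFFFF0 and land 4 GiB too high, which is the case panraven's Lua correction and the `true` flag guard against.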