nero1232 Advanced Cheater
Posted: Sat Mar 11, 2017 1:59 pm Post subject: Saving addresses in my AOB script
Hi,
I have an AOB script that compares a certain offset from the base address to 3653; if it is 3653 then I want to save this address in my own array (thousands of addresses are referenced by this instruction, but I only need 8 of them, and these 8 all have that 3653 in common).
How can I do this in the script? I would want a space in memory to write these specific 8 addresses to when they are found, but I have no clue how to do this.
Also, how can I then get a pointer to that new array I have made in memory?
E.g. I would want globalalloc(myarray,32) to hold the 8 values one after the other and then have some kind of pointer to this array that I can access, so I can then write some C++ to access it or something like that.
Thanks
ParkourPenguin I post too much
Posted: Sat Mar 11, 2017 2:53 pm
See the code in this post; it's made for 10000 entries, but the same logic applies. (ignore the movaps instruction; it was what the jmp overwrote)
If the results need to be accessed outside of CE, I'd code the hook myself and forego CE. Another option would be to store a pointer to the results in some code cave in a module.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Zanzer I post too much
Posted: Sat Mar 11, 2017 2:57 pm
Code:
cmp [eax+10],#3653        // is the field at +10 equal to 3653? (# = decimal)
jne code                  // no: run the original code
push ebx                  // preserve the registers the loop uses
push ecx
xor ecx,ecx               // ecx = slot index 0..7
mov ebx,myarray           // ebx = start of the 8-dword table (globalalloc(myarray,32))
myloop:
cmp [ebx+ecx*4],eax       // already stored? the hook runs every time the instruction does
je done
cmp [ebx+ecx*4],0         // empty slot?
je saveit
inc ecx
cmp ecx,8                 // all 8 slots used
jge done
jmp myloop
saveit:
mov [ebx+ecx*4],eax       // store the base address in the free slot
done:
pop ecx
pop ebx
nero1232 Advanced Cheater
Posted: Sat Mar 11, 2017 3:21 pm
ParkourPenguin wrote: See the code in it's made for 10000 entries, but the same logic applies. (ignore the movaps instruction; it was what the jmp overwrote)
If the results need to be accessed outside of CE, I'd code the hook myself and forego CE. Another option would be to store a pointer to the results in some code cave in a module.
Thanks, that's great. I probably will end up coding the hook myself, but to start with I wanted to test that it was working. How do I get a pointer to the array? I get the "storing it in a code cave" part, but how do I get the pointer in the first place?
If I code the hook myself I know you can do the AOB scan and everything in C++, but in CE I am using "find addresses that this instruction accesses" and then filtering them, as there are thousands and I only need 8 of them (hence my original question). Can I replicate this in C++?
ParkourPenguin I post too much
Posted: Sat Mar 11, 2017 4:11 pm
nero1232 wrote: How do I get a pointer to the array, I get the storing it in a code cave part but how do I get the pointer in the first place?
Find the base address of the module and add to it the offset where you stored the address of the results. There are many tutorials that cover finding the base address of a module online; use Google for examples.
nero1232 wrote: in CE I am using the "find addresses that this instruction accesses" and then filtering them as there are thousands and I only need 8 of them (hence my original question), can I replicate this in c++?
Yes, that is possible, albeit more complicated than necessary. Why not just hook the instruction like you were originally trying to with the AoB injection?
nero1232 Advanced Cheater
Posted: Sat Mar 11, 2017 4:23 pm
ParkourPenguin wrote:
nero1232 wrote: How do I get a pointer to the array, I get the storing it in a code cave part but how do I get the pointer in the first place?
Find the base address of the module and add to it the offset where you stored the address of the results. There are many tutorials that cover finding the base address of a module online; use Google for examples.
nero1232 wrote: in CE I am using the "find addresses that this instruction accesses" and then filtering them as there are thousands and I only need 8 of them (hence my original question), can I replicate this in c++?
Yes, that is possible, albeit more complicated than necessary. Why not just hook the instruction like you were originally trying to with the AoB injection?
Right, I know how to get the module base address, but I still don't get how you get the address of the new memory I created. So say I do globalalloc(myarray, 32), then how do I know the address of 'myarray'?
Say the base address is 32A343E0, can I just do 32A343E0 + 'myarray', or do I actually need the location of myarray?
Sorry, yeah, I was being stupid with the last bit, I can just hook it the same! Just the above I'm still not sure about.
ParkourPenguin I post too much
Posted: Sat Mar 11, 2017 4:27 pm
nero1232 wrote: So say I do globalalloc(myarray, 32) then how do I know the address of 'myarray'?
myarray is the address.
Code:
alloc(stuff,32)
game.exe+1B5AC:
dd stuff
// game.exe+1B5AC is now a pointer to stuff
nero1232 Advanced Cheater
Posted: Sat Mar 11, 2017 6:22 pm
ParkourPenguin wrote:
nero1232 wrote: So say I do globalalloc(myarray, 32) then how do I know the address of 'myarray'?
myarray is the address.
Code:
alloc(stuff,32)
game.exe+1B5AC:
dd stuff
// game.exe+1B5AC is now a pointer to stuff
Sorry mate, I am new to assembly. Where are you getting the 1B5AC offset from? What if game.exe+1B5AC already has code there?
ParkourPenguin I post too much
Posted: Sat Mar 11, 2017 6:34 pm
I made that offset up. That was an example to illustrate my previous statement that a symbol can represent an address.
As I said previously, you should use a code cave in a module so that you aren't using something the game is already using.
nero1232 Advanced Cheater
Posted: Sun Mar 12, 2017 7:35 am
Zanzer wrote:
Code:
cmp [eax+10],#3653
jne code
xor ecx,ecx
mov ebx,myarray
myloop:
cmp [ebx+ecx*4],0
je saveit
inc ecx
cmp ecx,8
jge code
jmp myloop
saveit:
mov [ebx+ecx*4],eax
Hi Zanzer,
Just implementing this part now; you put EAX at the top, was this an example?
My comparison is actually:
cmp [rbx+00000018],(int)3653
jne code
I am getting a bit confused with the last bit:
mov [ebx+ecx*4],eax
I have no eax, so would mine be:
mov [ebx+ecx*4],ebx
I don't think that looks right?
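Added example (editor's code, not posted by anyone in this thread): a C model of the slot-filling hook discussed above, using the thread's values (compare field at +18 against 3653, keep 8 addresses) on constructed game objects. It goes beyond the posted snippet in two ways a practitioner would want checked before writing the auto-assembler: it skips addresses that are already stored, since the hooked instruction fires on the same objects every frame, and it sizes the table by pointer width, since 8 addresses on a 64-bit target need 64 bytes, not the 32 of globalalloc(myarray,32).

```c
#include <stdint.h>
#include <string.h>
#define MARKER    3653   /* value the hook compares against (from the thread) */
#define SLOTS     8      /* number of addresses to keep (from the thread) */
#define FIELD_OFF 0x18   /* cmp [rbx+00000018]: offset of the compared field */
/* Constructed stand-in for a game object; only the compared field matters. */
struct game_obj { uint8_t pad[FIELD_OFF]; int32_t tag; };

/* Saved-address table: SLOTS pointer-sized entries, 0 = empty. On a 64-bit
 * target that is 8*8 = 64 bytes, so a 32-byte allocation written with a
 * 4-byte stride would truncate the pointers; size and stride must match. */
typedef struct { uintptr_t slot[SLOTS]; } addr_table;

/* Hook body. Returns 1 if base was stored, 0 if skipped: tag differs,
 * address already present, or table full. */
int hook_save(addr_table *t, const struct game_obj *base)
{
    if (base->tag != MARKER) return 0;            /* cmp [base+18],#3653 ; jne code */
    uintptr_t addr = (uintptr_t)base;             /* the register holding the base */
    for (int i = 0; i < SLOTS; i++) {             /* xor ecx,ecx ; myloop: */
        if (t->slot[i] == addr) return 0;         /* already saved: hook fires every frame */
        if (t->slot[i] == 0) { t->slot[i] = addr; return 1; }  /* saveit: */
    }
    return 0;                                     /* cmp ecx,8 ; jge code */
}

int count_saved(const addr_table *t)              /* occupied slots */
{
    int n = 0;
    while (n < SLOTS && t->slot[n] != 0) n++;
    return n;
}

/* Runs the hook over n_objs constructed objects (the first n_tagged carry the
 * marker) for several frames, as the hooked instruction would; returns how many distinct addresses were saved. */
int simulate(int n_objs, int n_tagged, int frames)
{
    struct game_obj objs[16];
    addr_table t;
    memset(objs, 0, sizeof objs);
    memset(&t, 0, sizeof t);                      /* fresh allocation is zeroed */
    if (n_objs > 16) n_objs = 16;
    for (int i = 0; i < n_objs; i++)
        objs[i].tag = (i < n_tagged) ? MARKER : 100 + i;
    for (int f = 0; f < frames; f++)
        for (int i = 0; i < n_objs; i++)
            hook_save(&t, &objs[i]);
    return count_saved(&t);
}
```

Without the duplicate check the first matching object would occupy all 8 slots after 8 frames, which is the failure the thread's loop as posted would show.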