Cheat Engine

The0neThe0nly · Posted: Sat May 31, 2014 11:10 pm Post subject: Tracing a jump

I've come across some assembly code that is jumped to and I would like to figure out what address the jump is occurring from. Normally I would use Dissect Code or if it was a call I would use break and trace but I noticed that when I breakpoint the address being jumped to, the address stored in EAX is the address being jumped to. I'm assuming the code is something like

justa_dude · Posted: Sat May 31, 2014 11:36 pm Post subject:

Set a breakpoint, then use the stack trace in the debugger to see where the function was called from.

The0neThe0nly · Posted: Sat May 31, 2014 11:53 pm Post subject:

I've tried this, but the function I get is rather large and I can't find any jump. I tried scanning for any opcodes that had an eax in it but I didn't find anything that jumped to eax.

Polynomial · Posted: Sun Jun 01, 2014 6:38 am Post subject:

Do you know for sure that it's a jump? Could be a call. Check the stack to see if there's a return address somewhere near the top.

You could also load the binary into IDA and check the call site to see if it can find any xrefs, as often the indirect calls can be spotted by constant refs in .data which are then used in other code.

For example, I've seen this "trick" a few times:

Dark Byte · Posted: Sun Jun 01, 2014 8:19 am Post subject:

I'm on a mobile phone so can't post a full example but look into this feature if you're on a 32 bit os: