SomeoneElse123 Newbie cheater
Reputation: 0
Joined: 30 Dec 2018 Posts: 11
Posted: Sun Dec 30, 2018 3:43 am    Post subject: Changed opcode problem
Hello, I'm new here, but I have one question. I have a new version of a game and one useful opcode changed a little bit. This is the opcode:
jmp dword ptr [eax*4+RussianVanity.exe+112078]. Its presentation in hex values is FF 24 85 78 20 51 00.
You can see that this opcode is a pointer and I cannot search for it since the address was changed. eax in the register is 0, so the pointed-to address is 00512078. It points to another pointer, which points to an address of an array of bytes that follows after the 51 00 from the opcode. Can anyone help me? Thanks.
OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Sun Dec 30, 2018 4:09 am    Post subject:
It's very difficult to find it with so few bytes; it might be a disp jump in this version instead of an indirect one.
You can try, but ... let's hope you find it.
value type: array of byte
scan/memory options: non-writeable (writable)
Code:
FF 24 ** ** 5* 00
FF *4 ** ** 5* 00
FF 2* ** ** 5* 00
FF 24 ** ** ** 00
FF ** ** ** ** 00
E9 ** 0*
E9 ** *0
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: i am a sweetheart.
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25857 Location: The netherlands
Posted: Sun Dec 30, 2018 5:09 am    Post subject:
Also include the opcodes of the instructions before and after it in your AOB and wildcard out the parts that can change (FF 24 85 ** ** ** **).
Then, if you want to do an injection at that point, use reassemble to build the correct instruction.
e.g.:
Code:
aobscan(aobresult,11 22 ** 44 55 ff 24 85 ** ** ** ** 66 77 8* 99 aa)
newmem:
//do stuff
originalcode:
reassemble(aobresult+5)
jmp returnhere //not really needed as the original instruction is a jmp, but just as an example in case it isn't
aobresult+5: jmp newmem
returnhere:
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
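An added example (not code from this thread or from Cheat Engine) of the nibble-level wildcard matching the two posts above rely on. It scans a constructed buffer containing the thread's FF 24 85 78 20 51 00 instruction with OldCheatEngineUser's pattern before and after the missing 85 byte is added, and reads the disp32 that Dark Byte's reassemble step has to rebuild at the new address. The filler bytes around the instruction are made up.

```python
import struct

# Constructed sample: filler bytes around the instruction from the thread,
# FF 24 85 78 20 51 00 = jmp dword ptr [eax*4+0x00512078]
SAMPLE = bytes.fromhex("11 22 33 44 55 FF 24 85 78 20 51 00 66 77 88 99 AA")


def parse_aob(pattern: str):
    """Turn a Cheat Engine style AOB string into (value, mask) byte strings.

    Each token is two hex digits; '*' in either position wildcards that nibble,
    so '**' matches any byte, '5*' matches 0x50..0x5F and '*4' matches 0x?4.
    """
    values, masks = bytearray(), bytearray()
    for tok in pattern.split():
        if len(tok) != 2:
            raise ValueError(f"bad AOB token {tok!r}")
        value = mask = 0
        for shift, ch in ((4, tok[0]), (0, tok[1])):
            if ch != "*":
                value |= int(ch, 16) << shift
                mask |= 0xF << shift
        values.append(value)
        masks.append(mask)
    return bytes(values), bytes(masks)


def aob_scan(buf: bytes, pattern: str):
    """Return every offset in buf where the masked pattern matches."""
    values, masks = parse_aob(pattern)
    n = len(values)
    return [
        i for i in range(len(buf) - n + 1)
        if all((buf[i + j] & masks[j]) == values[j] for j in range(n))
    ]


def jump_table_base(buf: bytes, offset: int) -> int:
    """For a hit on FF 24 85 disp32 (jmp dword ptr [eax*4+disp32]),
    decode the little-endian disp32, i.e. the jump table address."""
    if buf[offset:offset + 3] != b"\xff\x24\x85":
        raise ValueError("no jmp dword ptr [eax*4+disp32] at this offset")
    return struct.unpack_from("<I", buf, offset + 3)[0]


if __name__ == "__main__":
    for pat in ("FF 24 ** ** 5* 00", "FF 24 85 ** ** 5* 00", "FF 24 85 ** ** ** **"):
        print(f"{pat:22} -> {aob_scan(SAMPLE, pat)}")   # [], [5], [5]
    hit = aob_scan(SAMPLE, "FF 24 85 ** ** ** **")[0]
    print(hex(jump_table_base(SAMPLE, hit)))             # 0x512078
```

Only the table address (the disp32) changes between game builds, so a pattern that wildcards those four bytes but keeps the surrounding opcodes is what survives a rebuild.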
OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Sun Dec 30, 2018 5:31 am    Post subject:
OldCheatEngineUser wrote:
    It's very difficult to find it with so few bytes; it might be a disp jump in this version instead of an indirect one.
    You can try, but ... let's hope you find it.
    value type: array of byte
    scan/memory options: non-writeable (writable)
    Code:
    FF 24 ** ** 5* 00
    FF *4 ** ** 5* 00
    FF 2* ** ** 5* 00
    FF 24 ** ** ** 00
    FF ** ** ** ** 00
    E9 ** 0*
    E9 ** *0

I forgot to add 85 after FF 24, sorry.
SomeoneElse123 Newbie cheater
Reputation: 0
Joined: 30 Dec 2018 Posts: 11
Posted: Sun Dec 30, 2018 6:29 am    Post subject:
Well, using some bytes from the opcodes next to it and some of the following one gave me only one result, so I probably found it. But I have another problem. Changing it didn't do the function I wanted (well, it didn't do anything).
In the old version, I changed the code to E9 F1 01 00 00 90 90 (the assembly is jmp RussianVanity.exe+11205D).
I found this address and edited the opcode, but nothing happened.
And basically this only disables traffic. If you have any other idea how to disable it, let me know. I'm asking because I have no idea what to search for. And yes, I have an option where I can disable it for a race, so I guess we have to start there. By the way, I tried to do a scan for an unknown initial value and then changed/unchanged, but I ended up with 500 results (they all changed when I disabled it and changed back when I enabled it). I'll appreciate any info that will help me find the switcher.