Cheat Engine The Official Site of Cheat Engine
JürgenHook (How do I cheat?)
Reputation: 0 | Joined: 25 Sep 2020 | Posts: 3
Posted: Fri Sep 25, 2020 10:13 am, Post subject: moving label address into register
hey!
I am trying to use aobscanmodule to get the call address of a function, so something like
"call 12345678"
The label has the correct address, but I am now trying to mov that label into a register.
The idea is that I read the 4 bytes to obtain the function address offset + the address of the label + 5, which should give me the address of the function.
AOB scanning the function itself doesn't work because the function is very small and, with wildcards, similar to many other functions.
panraven (Grandmaster Cheater)
Reputation: 62 | Joined: 01 Oct 2008 | Posts: 958
Posted: Fri Sep 25, 2020 11:23 am
With CE 7.1+,
a memory address can be type-cast with the following prefixes:
Code:
unsigned: (BYTE), (WORD), (DWORD), (QWORD)/(UINT64)
signed:   (CHAR), (SHORT), (LONG), (LONGLONG), (INT64)

(LONG) is relevant here to get the 4-byte signed offset, e.g.
Code:
aobscanmodule(aob, some.exe , e8 ?? ?? ?? ?? )

where aob is now the address of the instruction.
Then these AA lines can get the absolute call address of '12345678' into a symbol Target:
Code:
unregistersymbol(Target)
label(Target)
aob+5+(LONG)[aob+1]:
Target:
registersymbol(Target)
...
newmem:
...
mov rax,Target
call rax
...
@"aob scanning the function itself doesnt work cuz the function is very small and with wildcards similiar to many other functions"
Then it may need to include more bytes in the aob line; it may include bytes both BEFORE and AFTER, and the offsets have to be adjusted accordingly, e.g.
Code:
//// offset ruler -> 00 01 02 03 04 05 06 07 08 09 0a 0b 0c
aobscanmodule(aob, some.exe , xx xx xx xx xx xx xx e8 ?? ?? ?? ?? yy yy yy yy yy)/// include more bytes
//// the call instruction now starts at aob+07
unregistersymbol(Target)
label(Target)
aob+0c+(LONG)[aob+08]: /// note what has to be adjusted
Target:
registersymbol(Target)
ADDED:
The syntax check should always complain, as the aobscan symbol aob is not known during syntax checking (when pressing the [OK] button of the AA script window).
Press 'Yes' and test the script anyway. In case it does not activate due to an error, check the error message by RIGHT-CLICKING the memory entry; the error message should be in the 1st line of the RIGHT-CLICK menu.
_________________
- Retarded.
JürgenHook (How do I cheat?)
Reputation: 0 | Joined: 25 Sep 2020 | Posts: 3
Posted: Fri Sep 25, 2020 12:43 pm
hey, thanks for the answer
Regarding the part about AOB scanning the function directly: I have already taken up to 120 bytes, but it's still not enough. The main issue is that the function I am trying to get is "surrounded" (above and below) by functions that have the exact same opcodes and length, the only difference being offsets and some addresses that will be turned into wildcards.
Now of course I could just remove some of the wildcards and that would indeed make the AOB work, but only till the next update, and then I have to find the function again.
Code:
unregistersymbol(Target)
label(Target)
aob+5+(LONG)[aob+1]:
Target:
registersymbol(Target)

How exactly does this end up "inside" of Target?
MMM-304 (Expert Cheater)
Reputation: 0 | Joined: 17 Aug 2020 | Posts: 170 | Location: Milkey Way
Posted: Fri Sep 25, 2020 12:47 pm
First you need to inject before the call, so that no byte of the call instruction is used.
If INJECT is your aobscan:
Code:
label(mylabel)
//allocatedMemory:
push eax
push ebx
mov eax,[mylabel]      // the 4 rel32 bytes copied by readmem below
mov ebx,INJECT+X+Y     // NOTE: write the sum of X and Y, i.e. the address just past the 5-byte call
add eax,ebx            // target = end of the call instruction + rel32
//now eax has the address, do what you want
pop ebx
pop eax
mylabel:
readmem(INJECT+X,Y)
//X = BytesDistanceFromInjectionPointToCallInstruction+1
//Y = NumberOfBytesOfCallInstruction-1 // in your case it is 4
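Added example (my own Python, not panraven's or MMM-304's script and not Cheat Engine code) showing the arithmetic that both of the replies above rely on: the absolute target of an E8 rel32 near call is the address just past the 5-byte instruction plus the signed displacement, which is what aob+5+(LONG)[aob+1] computes; the second function does panraven's adjusted form for a pattern that starts some bytes before the E8, and the third does MMM-304's readmem/X/Y form. The module base, the offsets and every byte in the buffer are constructed assumptions, not values from any real program; the last function shows why the displacement has to be read signed (the (LONG) cast) rather than as a DWORD.

```python
import struct

# Constructed sample module image; not bytes from any real program.
# Layout (offsets within the buffer):
#   0x00..0x06  seven filler bytes  ("xx xx ..." in the wider pattern)
#   0x07..0x0b  E8 rel32 near call  (the "e8 ?? ?? ?? ??" part)
#   0x0c..0x10  five trailing bytes ("yy yy ..." in the wider pattern)
MODULE_BASE = 0x00400000   # constructed load address standing in for "some.exe"
CALL_OFFSET = 0x07         # where the E8 byte sits inside the buffer
TARGET_OFFSET = 0x10C      # constructed callee offset (the '12345678' of the post)


def encode_near_call(src_off, dst_off):
    """5-byte E8 encoding of a near call; rel32 is relative to the end of the call."""
    rel32 = dst_off - (src_off + 5)
    return b"\xe8" + struct.pack("<i", rel32)


def build_image(length, call_off, target_off):
    """Constructed image: NOP filler with a single E8 call placed at call_off."""
    img = bytearray(b"\x90" * length)
    img[call_off:call_off + 5] = encode_near_call(call_off, target_off)
    return bytes(img)


IMAGE = build_image(0x11, CALL_OFFSET, TARGET_OFFSET)


def resolve_near_call(image, base, call_off):
    """Absolute target of the E8 call at call_off, i.e. the AA expression
    aob+5+(LONG)[aob+1] with aob = base + call_off."""
    if image[call_off] != 0xE8:
        raise ValueError("no E8 near call at offset 0x%x" % call_off)
    # "<i" reads the displacement as a signed 32-bit value, which is what (LONG) does.
    (rel32,) = struct.unpack_from("<i", image, call_off + 1)
    return base + call_off + 5 + rel32


def resolve_from_pattern_hit(image, base, hit_off, call_index):
    """panraven's adjusted form for a pattern with leading bytes: with the E8 at
    index call_index inside the hit, the expression becomes
    aob+(call_index+5)+(LONG)[aob+call_index+1], aob = base + hit_off."""
    return resolve_near_call(image, base, hit_off + call_index)


def resolve_readmem_style(image, base, inject_off, x, y):
    """MMM-304's framing: X = distance from INJECT to the call + 1 (skips the E8),
    Y = 4 displacement bytes. readmem(INJECT+X, Y) copies the displacement and the
    value added back to it is INJECT+X+Y, the address just past the 5-byte call."""
    rel32 = int.from_bytes(image[inject_off + x:inject_off + x + y], "little", signed=True)
    return base + inject_off + x + y + rel32


def unsigned_mistake(image, base, call_off):
    """Same computation with a (DWORD)-style unsigned read: correct for forward
    calls, but a backward call lands 2**32 too high in a 64-bit process."""
    (rel32u,) = struct.unpack_from("<I", image, call_off + 1)
    return base + call_off + 5 + rel32u


if __name__ == "__main__":
    print("forward call  ->", hex(resolve_near_call(IMAGE, MODULE_BASE, CALL_OFFSET)))
    print("via wider hit ->", hex(resolve_from_pattern_hit(IMAGE, MODULE_BASE, 0, CALL_OFFSET)))
    print("readmem form  ->", hex(resolve_readmem_style(IMAGE, MODULE_BASE, 0, CALL_OFFSET + 1, 4)))
    back = build_image(0x30, 0x20, 0x04)     # constructed backward call: 0x20 -> 0x04
    print("backward, signed  ->", hex(resolve_near_call(back, MODULE_BASE, 0x20)))
    print("backward, unsigned->", hex(unsigned_mistake(back, MODULE_BASE, 0x20)))
```

The three resolvers give the same answer for the forward call in the constructed buffer, and the backward-call case at the end is the one that separates the signed (LONG) read from an unsigned one.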
panraven (Grandmaster Cheater)
Reputation: 62 | Joined: 01 Oct 2008 | Posts: 958
Posted: Fri Sep 25, 2020 1:05 pm
@'how exactly does this end up "inside" of Target?'
It is an AA feature, which may be common to other line assemblers as well, that if an undetermined label follows a determined address label, the former will be set the same as the latter.
i.e.
Code:
KNOWN_ADDRESS:
yet_to_assign_Label:

The yet_to_assign_Label is now the same as KNOWN_ADDRESS after these lines.
btw, the unregistersymbol and registersymbol commands are not necessary if the symbol is used only within the script (i.e. local symbol vs registered symbol = global symbol).
_________________
- Retarded.
JürgenHook (How do I cheat?)
Reputation: 0 | Joined: 25 Sep 2020 | Posts: 3
Posted: Fri Sep 25, 2020 1:07 pm
panraven wrote:
    @'how exactly does this end up "inside" of Target?'
    It is an AA feature, which may be common to other line assemblers as well, that if an undetermined label follows a determined address label, the former will be set the same as the latter.
    i.e.
    Code:
    KNOWN_ADDRESS:
    yet_to_assign_Label:

    The yet_to_assign_Label is now the same as KNOWN_ADDRESS after these lines.
    btw, the unregistersymbol and registersymbol commands are not necessary if the symbol is used only within the script (i.e. local symbol vs registered symbol = global symbol).

Just gave it a try, works like a charm, thank you.
Code:
aobscanmodule(gameobject_setactive_call, GameAssembly.dll,E8 ? ? ? ? 8D 45 FA)
gameobject_setactive_call+5+(LONG)[gameobject_setactive_call+1]:
gameobject_setactive: