The Official Site of Cheat Engine
How to store Address into Symbol for recall.

quarkle
Posted: Sat Apr 02, 2022 7:01 am    Post subject: How to store Address into Symbol for recall.

Hi guys, hopefully someone can help.

I am trying to grab a memory address (not its contents) and place it into a symbol so that I can later add that symbol to my address list + the offset to confirm everything is ok and further manipulate things.
When I add test+44 or [test] or [test]+44 to the address list, it points to a different part in memory.

The code below only executes at the start of the game, so each and every time I have to place a breakpoint to find what address is held in [rdx+44]; it is that address that I need, without having to use a breakpoint.
The game crashes quite often when I place a breakpoint, so I would like to avoid doing it if I can find a workaround.

Here's my botched code which nearly works.
I am sure it's just a simple mistake or 2 I am making?

After more investigating, it would appear I may need to use the lea op?

push rbx
lea rbx,[rdx+44]
mov [test],rbx
pop rbx

It's still not quite there though.


Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"ABC-Win64-Shipping.exe"+10B6B7E) //this is where I place the breakpoint to get the new rdx+44 address
label(returnhere)
label(originalcode)
label(exit)
registersymbol(test)
alloc(test,$8)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here


originalcode:

mov [rdx+44],(float)1200.0  // placing my float into rdx+44
movss xmm0,[rdx+44]         // moving the float into xmm0
mov [test],rdx              // trying to mov the rdx address into [test]

exit:
jmp returnhere

"ABC-Win64-Shipping.exe"+10B6B7E:
jmp newmem
returnhere:


[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
dealloc(test)
"ABC-Win64-Shipping.exe"+10B6B7E:
movss xmm0,[rdx+44]
//Alt: db F3 0F 10 42 44


Last edited by quarkle on Sat Apr 02, 2022 11:59 am; edited 1 time in total
TheyCallMeTim13
Posted: Sat Apr 02, 2022 11:55 am

"test" will point to the allocated memory where you store the base. So make the memory record a pointer with address "test" and one offset of "44", or make the address "[test]+44" with no offsets.
quarkle
Posted: Sat Apr 02, 2022 12:03 pm

TheyCallMeTim13 wrote:
"test" will point to the allocated memory where you store the base. So make the memory record a pointer with address "test" and one offset of "44", or make the address "[test]+44" with no offsets.

Ah, that would explain why the address is wrong.
Could you put me in the right direction to make the memory record a pointer with address?
I am still very new to scripting. I used every drop of energy hunting down the addresses, but I am lacking in the scripting department.

I am so close to achieving what I need now I can almost taste it.
cheers
TheyCallMeTim13
Posted: Sat Apr 02, 2022 12:04 pm

Use the "add address manually" button then check the "pointer" box, and set the address and offset.
quarkle
Posted: Sat Apr 02, 2022 12:53 pm

I've re-written the script, so hopefully now I am getting closer.


Code:
[ENABLE]

alloc(newmem,2048,"ABC-Win64-Shipping.exe"+10B6B7E)
label(returnhere)
label(originalcode)
label(exit)
alloc(test,$8) //not sure about this I think I am allocating mem for float?

newmem:

originalcode:
push rbx  //saving current state of rbx
mov [rdx+44],(float)1600.0 // placing my float value into rdx+44
movss xmm0,[rdx+44] // moving rdx+44 into xmm0
lea rbx,[rdx+44]   // placing the address of rdx+44 into rbx
mov [test],rbx  // placing that address into test

pop rbx // restore rbx
exit:
jmp returnhere

"ABC-Win64-Shipping.exe"+10B6B7E:
jmp newmem
returnhere:

[DISABLE]

dealloc(newmem)
dealloc(test)
"ABC-Win64-Shipping.exe"+10B6B7E:
movss xmm0,[rdx+44]
//Alt: db F3 0F 10 42 44



I've tried adding manually with a pointer but something is still wrong???
I can see my float which is correct, but the rdx+44 register is giving a wrong address, probably as you said something to do with allocated memory.

Without the script I place a breakpoint @ "ABC-Win64-Shipping.exe"+10B6B7E
From there I can see the new address in rdx+44.
If I manually add that to the address list everything is ok, but I was hoping to automate that whole process. Getting the address is more important than the value in it.

Thanks for your help Tim, it is appreciated.
I am not expecting you to do my work for me, but if there's anything you or anyone else can see in my script which is possibly screwing things up it would be appreciated.
TheyCallMeTim13
Posted: Sat Apr 02, 2022 1:09 pm

With LEA you're not just storing the base any more, you're storing the address. Make the offset zero, or just store the base like you had it.
quarkle
Posted: Sat Apr 02, 2022 1:40 pm

TheyCallMeTim13 wrote:
With LEA you're not just storing the base any more, you're storing the address. Make the offset zero, or just store the base like you had it.

Thanks Tim,
yeah I've tried several ways with and without the offset.

With the script running, I think rdx+44 is in a different location, probably the allocated memory?
It's doing its job storing the float because when I browse the memory I can see it.

I am finding it hard to get my head around how I can record the original rdx+44 address. The moment the script runs it changes, but without the script there is no way to get the address stored in rdx+44 without placing the breakpoint.

I would happily continue to use a breakpoint to extract the address, but as I said the game crashes quite often when I put one on.
I have about 20 more interesting addresses to investigate, which adds around 4 hours using breakpoints.

I really appreciate the help you have given me; for now I stand defeated until I can somehow record the rdx+44 before the script does its thing.

cheers.
TheyCallMeTim13
Posted: Sat Apr 02, 2022 2:31 pm

Try the script like you had it before.
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"ABC-Win64-Shipping.exe"+10B6B7E) //this is where I place the breakpoint to get the new rdx+44 address
label(returnhere)
label(originalcode)
label(exit)
alloc(test, 8, "ABC-Win64-Shipping.exe"+10B6B7E)
registersymbol(test)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here


originalcode:

mov [rdx+44],(float)1200.0  // placing my float into rdx+44
movss xmm0,[rdx+44]         // moving the float into xmm0
mov [test],rdx              // trying to mov the rdx address into [test]

exit:
jmp returnhere

"ABC-Win64-Shipping.exe"+10B6B7E:
jmp newmem
returnhere:


[DISABLE]
//code from here till the end of the code will be used to disable the cheat
"ABC-Win64-Shipping.exe"+10B6B7E:
movss xmm0,[rdx+44]
//Alt: db F3 0F 10 42 44
unregistersymbol(test)
dealloc(newmem)
dealloc(test)


Then make the memory record like before, and make sure to select type float.

TsTg
Posted: Sat Apr 02, 2022 4:25 pm

Please have a look at the attached pics.

If the addresses keep changing mid game, this indicates the code is executed multiple times and/or it's shared code used for other stuff in the game.

Attachment 2.jpg: this shows the float value, with an offset added to the pointer first (i.e. when used with mov rbx,rdx and ignoring the +44 part, which will be auto added in the table).

Attachment 3.jpg: this will just display the address you stored in [test].

Attachment 1.jpg: this shows the float value added to the address list, as a pointer but no offsets (i.e. when used with the lea rbx,[rdx+44] instruction).

Last edited by TsTg on Sat Apr 02, 2022 5:17 pm; edited 2 times in total
ParkourPenguin
Posted: Sat Apr 02, 2022 4:54 pm

In 2.jpg, you have 2 offsets: 0 and 44. Remove offset 0 so that you only have a single offset of 44.

Also, right click the instruction `movss xmm0,[rdx+44]` and select "Find out what addresses this instruction accesses". If anything other than the address you want appears, see step 9 of the CE tutorial.

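As an added illustration (not code from the thread or from Cheat Engine itself), the Python model below reproduces the address-list resolution rules that Tim and ParkourPenguin describe: it shows why "test+44" lands inside the allocated block, why "mov [test],rdx" pairs with a single offset of 44 while the lea form pairs with offset 0, why a second offset of 0 breaks the record, and why a shared instruction leaves the last object's base in the symbol. The memory layout, the two object addresses and the float values are constructed for the example; the pointer-resolution rules are Cheat Engine's as I understand them.

```python
import struct
# Constructed toy 64-bit memory: one bytearray mapped at a fake base address.
MEM_BASE = 0x7FF6_0000_0000
mem = bytearray(0x300)
def write_u64(addr, v): struct.pack_into("<Q", mem, addr - MEM_BASE, v)
def read_u64(addr): return struct.unpack_from("<Q", mem, addr - MEM_BASE)[0]
def write_f32(addr, v): struct.pack_into("<f", mem, addr - MEM_BASE, v)
def read_f32(addr): return struct.unpack_from("<f", mem, addr - MEM_BASE)[0]
# 'test' models the 8-byte block from alloc(test,8) + registersymbol(test).
TEST = MEM_BASE + 0x200
SYMBOLS = {"test": TEST}
# Two objects the shared instruction touches; each float field is at +44 (hex).
OBJ_A, OBJ_B = MEM_BASE + 0x100, MEM_BASE + 0x180
write_f32(OBJ_A + 0x44, 1200.0)
write_f32(OBJ_B + 0x44, 7.5)

def hook_mov_base(rdx):
    """mov [test],rdx : store only the object base."""
    write_u64(TEST, rdx)

def hook_lea(rdx):
    """lea rbx,[rdx+44] ; mov [test],rbx : store the field address itself."""
    write_u64(TEST, rdx + 0x44)

def resolve(expr):
    """Resolve the address-list strings from the thread: 'test+44', '[test]', '[test]+44'."""
    expr = expr.replace(" ", "")
    if expr.startswith("["):
        sym, rest = expr[1:].split("]", 1)
        addr = read_u64(SYMBOLS[sym])  # [test]: follow the pointer stored in the block
    else:
        sym, _, rest = expr.partition("+")
        addr = SYMBOLS[sym]            # test: the alloc block itself, not the game object
    return addr + int(rest.lstrip("+") or "0", 16)  # CE reads bare offsets as hex

def pointer_record(sym, offsets):
    """'Add address manually' with the pointer box: deref base, deref at each offset but the last, add the last."""
    addr = read_u64(SYMBOLS[sym])
    for off in offsets[:-1]:
        addr = read_u64(addr + off)
    return addr + offsets[-1]

def outcomes():
    hook_mov_base(OBJ_A)
    base = {e: resolve(e) for e in ("test+44", "[test]", "[test]+44")}
    base["pointer test, offset 44"] = pointer_record("test", [0x44])
    hook_lea(OBJ_A)
    lea = {e: resolve(e) for e in ("[test]", "[test]+44")}
    hook_mov_base(OBJ_A); hook_mov_base(OBJ_B)  # shared instruction: the last hit overwrites [test]
    return base, lea, read_f32(pointer_record("test", [0x44]))
```

With the base stored, "[test]+44" and the pointer record (offset 44) both reach the 1200.0 field, while "test+44" points into the alloc block; after the lea form, "[test]" is already the field and "[test]+44" adds the offset twice.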
TsTg
Posted: Sat Apr 02, 2022 5:10 pm

ParkourPenguin wrote:
In 2.jpg, you have 2 offsets: 0 and 44. Remove offset 0 so that you only have a single offset of 44.

I fixed it so it's clearer now, thanks.
quarkle
Posted: Sat Apr 02, 2022 5:23 pm

Really appreciate the help TsTg, the screen captures really have helped me finally understand things that probably seem obvious to regular users of Cheat Engine.

It didn't occur to me but it was a shared instruction.
As it turns out, it was accessing 2 addresses.
The second of which was the address that ended up in my table and looked wrong.

By stepping through the breakpoint I could also see that the first address was indeed appearing in the table for a short while, but as I began to step through it suddenly changed to the second address. Without a breakpoint it was happening so fast I didn't catch it.

With your help and Tim's I am finally back on track and will investigate a way to filter out the second address, leaving me with the first.
Even without that, at least now I can just right click "ABC-Win64-Shipping.exe"+10B6B7E and find out what this instruction accesses without any need to place a breakpoint, as it always reveals just 2 addresses which I can quickly add.

cheers