mr.moon Newbie cheater Reputation: 0
Joined: 27 Aug 2016 Posts: 12
Posted: Sun Mar 26, 2017 5:25 am Post subject: get aob of addresses
Is it possible to get a pattern of an address like this one?
https://i.imgur.com/cqTdF7z.png
Every time I restart the game and try to scan the old pattern I found, it has changed to another pattern. Is there a way to get a working pattern for it?
sbryzl Master Cheater Reputation: 6
Joined: 25 Jul 2016 Posts: 252
Posted: Sun Mar 26, 2017 3:41 pm
Do you mean an aob pattern?
If so then you can keep restarting and creating an auto assembler aob template each time, then compare the assembly instructions at the bottom of the logs to see which values are consistent. Then you can use wildcards to make a custom aob that only includes consistent values.
So say you have an array of bytes like
F3 0F 11 5D 58
and only F3 0F and 58 show up each time, and the 5 of the 4th value always shows but not the D. So your custom aob would look like
F3 0F ? 5? 58
A wildcard surrounded by spaces will wildcard a whole byte, while a wildcard next to a number will only wildcard that nibble.
mr.moon Newbie cheater Reputation: 0
Joined: 27 Aug 2016 Posts: 12
Posted: Mon Mar 27, 2017 11:10 am
sbryzl wrote:
Do you mean an aob pattern?
If so then you can keep restarting and creating an auto assembler aob template each time, then compare the assembly instructions at the bottom of the logs to see which values are consistent. Then you can use wildcards to make a custom aob that only includes consistent values.
So say you have an array of bytes like
F3 0F 11 5D 58
and only F3 0F and 58 show up each time, and the 5 of the 4th value always shows but not the D. So your custom aob would look like
F3 0F ? 5? 58
A wildcard surrounded by spaces will wildcard a whole byte, while a wildcard next to a number will only wildcard that nibble.
I understand this point, but when the opcode is like this
mov eax,[client.exe+16a2b90]
and I try to go to client.exe+16a2b90 to get its pattern,
the problem is that the full bytes of the client.exe+16a2b90 pattern change when I restart the game or start a new game.
sbryzl Master Cheater Reputation: 6
Joined: 25 Jul 2016 Posts: 252
Posted: Mon Mar 27, 2017 11:53 am
[client.exe+16a2b90] is a pointer to a pointer or to data or to a codebase depending on how it is used. You could post your auto generated table along with a description of what you want to do with the value stored there and you might be able to get a solution.
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Mon Mar 27, 2017 12:02 pm
mr.moon wrote:
the problem is that the full bytes of the client.exe+16a2b90 pattern change when I restart the game or start a new game.
That's why you use wildcards, so that the parts that change don't matter. You'll often need larger aob strings, however, so that there are enough unique bytes for CE to find only the 1 result you care about.
For instance, if you had the instruction
Code:
Tutorial-i386.exe+14D917 - B9 00006000 - mov ecx,Tutorial-i386.exe+200000 { [0054D8B0] }
and you found that the 00006000 bytes were changing (because it's an address of a location in memory which is loaded in different places each time the game runs, or more technically in this case an offset based on the location the module "Tutorial-i386.exe" is loaded at in memory), you'd want an aob string like (yes, that's 4 wildcard bytes, the same as B9 * * * *; any non-hex character is a wildcard, and each two characters or separator (space, comma, dash) will create a byte). Of course, that leaves you with nothing more than the aob string, since everything else is a wildcard and can be anything at all. That's not nearly unique enough to guarantee finding the result you want. So you'd need to look at more of the code and do the same thing, e.g.
Code:
Tutorial-i386.exe+14D917 - B9 00006000 - mov ecx,Tutorial-i386.exe+200000 { [0054D8B0] }
Tutorial-i386.exe+14D91C - BA 04006000 - mov edx,Tutorial-i386.exe+200004 { [00000000] }
Tutorial-i386.exe+14D921 - B8 30875900 - mov eax,Tutorial-i386.exe+198730 { [00400000] }
Tutorial-i386.exe+14D926 - E8 65FFFFFF - call Tutorial-i386.exe+14D890
Tutorial-i386.exe+14D92B - E8 70FFFFFF - call Tutorial-i386.exe+14D8A0
Tutorial-i386.exe+14D930 - B8 10875900 - mov eax,Tutorial-i386.exe+198710 { [0054E000] }
Tutorial-i386.exe+14D935 - E8 1657ECFF - call Tutorial-i386.exe+13050
you might use
Code:
b9 ?-* K?,Z? ba *?,*,?,* b8 z h k _ E8 &-(,)-# E8 !!-@@-#,$
Though just for the sake of readability, hopefully something more like
Code:
B9 * * * * BA * * * * B8 * * * * E8 * * * * E8 * * * *
or
Code:
B9 ?? ?? ?? ?? BA ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ??
Though you could have fun creating something like
Code:
B9 googling BA Horowitz B8 insultin E8 humuns__ E8 knowhows
(https://lotsofwords.com/-a-b-c-d-e-f _might_ help with that lol)
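To make the two pieces of advice in this thread concrete (sbryzl's "compare the bytes across restarts and wildcard what differs, down to the nibble" and FreeER's "any non-hex character is a wildcard, every two characters or separator makes a byte, and a short pattern is not unique"), here is an added Python example. It is my own code, not Cheat Engine's scanner and not anything posted by the participants; the tokenising rules are taken from FreeER's description, and the choice to reject a lone hex digit as ambiguous is mine. The byte buffers are constructed: RUN1 holds the bytes of the seven instructions in FreeER's listing behind some filler, and RUN2 is the same code with invented address immediates standing in for a module loaded elsewhere after a restart.

```python
import re
import string
from typing import List, Tuple

# Token separators, following the description in the thread: whitespace, comma, dash.
_SEP = re.compile(r"[\s,\-]+")


def parse_aob(pattern: str) -> List[Tuple[int, int]]:
    """Parse an AOB string into one (value, mask) pair per byte.

    Each token is cut into two-character chunks. Inside a chunk a hex digit fixes
    that nibble and any other character wildcards it, so '5?' matches 0x50..0x5F.
    A single leftover non-hex character ('?', '*', 'z') wildcards the whole byte.
    A lone hex digit is rejected as ambiguous (my own choice, not a Cheat Engine rule).
    """
    pairs: List[Tuple[int, int]] = []
    for token in _SEP.split(pattern.strip()):
        if not token:
            continue
        for chunk in (token[i:i + 2] for i in range(0, len(token), 2)):
            if len(chunk) == 1:
                if chunk in string.hexdigits:
                    raise ValueError(f"lone hex digit {chunk!r} is ambiguous")
                pairs.append((0x00, 0x00))  # whole-byte wildcard
                continue
            value = mask = 0
            for shift, ch in ((4, chunk[0]), (0, chunk[1])):
                if ch in string.hexdigits:
                    value |= int(ch, 16) << shift
                    mask |= 0xF << shift
            pairs.append((value, mask))
    return pairs


def scan_aob(buf: bytes, pattern: str) -> List[int]:
    """Return every offset in buf where the pattern matches (masked byte compare)."""
    pairs = parse_aob(pattern)
    return [
        off for off in range(len(buf) - len(pairs) + 1)
        if all((buf[off + i] & mask) == value for i, (value, mask) in enumerate(pairs))
    ]


def derive_aob(samples: List[bytes]) -> str:
    """Do sbryzl's comparison automatically: given the same code captured on several
    runs, keep every nibble that agrees across all captures and wildcard the rest."""
    if len({len(s) for s in samples}) != 1:
        raise ValueError("all captures must have the same length")
    tokens = []
    for column in zip(*samples):
        hi = "?" if len({b >> 4 for b in column}) > 1 else f"{column[0] >> 4:X}"
        lo = "?" if len({b & 0xF for b in column}) > 1 else f"{column[0] & 0xF:X}"
        tokens.append("?" if hi == lo == "?" else hi + lo)
    return " ".join(tokens)


# Constructed sample buffers (not dumps of a real process): the bytes of the seven
# instructions in FreeER's listing, preceded by filler that holds a decoy B9 so that a
# five-byte pattern is not unique. RUN2 pretends the module was loaded at a different
# address on restart, so the immediates that encode addresses differ (values invented).
RUN1 = bytes.fromhex(
    "90 90 B9 11 22 33 44 90 "
    "B9 00006000 BA 04006000 B8 30875900 E8 65FFFFFF E8 70FFFFFF B8 10875900 E8 1657ECFF"
)
RUN2 = bytes.fromhex(
    "90 90 B9 11 22 33 44 90 "
    "B9 00007000 BA 04007000 B8 30876A00 E8 65FFFFFF E8 70FFFFFF B8 10876A00 E8 1657ECFF"
)
CODE_START = 8  # offset of the first listed instruction in both buffers

# The three spellings of the same pattern from FreeER's post.
READABLE = "B9 * * * * BA * * * * B8 * * * * E8 * * * * E8 * * * * E8 * * * *"[:55]
OBFUSCATED = "b9 ?-* K?,Z? ba *?,*,?,* b8 z h k _ E8 &-(,)-# E8 !!-@@-#,$"
WORDY = "B9 googling BA Horowitz B8 insultin E8 humuns__ E8 knowhows"

# Constructed bytes for sbryzl's nibble example: two variants that should match
# 'F3 0F ? 5? 58' and one (6D in the fourth byte) that should not.
NIBBLE_SAMPLE = bytes.fromhex("F3 0F 11 5D 58  F3 0F 11 5A 58  F3 0F 11 6D 58")

if __name__ == "__main__":
    print("B9 * * * * alone:", scan_aob(RUN1, "B9 * * * *"))  # two hits: not unique
    print("readable pattern:", scan_aob(RUN1, READABLE), scan_aob(RUN2, READABLE))
    print("same pattern three ways:", parse_aob(READABLE) == parse_aob(OBFUSCATED) == parse_aob(WORDY))
    print("nibble wildcard:", scan_aob(NIBBLE_SAMPLE, "F3 0F ? 5? 58"))
    derived = derive_aob([RUN1[CODE_START:], RUN2[CODE_START:]])
    print("derived from two runs:", derived)
    print("derived pattern hits:", scan_aob(RUN1, derived), scan_aob(RUN2, derived))
```

Two things the thread states that the code makes visible: `scan_aob(RUN1, "B9 * * * *")` returns two offsets, so the short pattern is exactly the "not nearly unique enough" case, while the 25-byte pattern returns one offset in both runs; and `derive_aob` over only two captures keeps nibbles that merely happened to agree (the low `0` of each relocated immediate survives as `?0`), which is the reason to compare several restarts, or to wildcard a whole address operand by hand, before trusting a pattern. Checking that a scan returns exactly one hit is the cheap test that the pattern is specific enough. This masked nibble matching is the same idea as the `?` wildcards in YARA hex strings, which is why the technique is equally at home in signature writing.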
mr.moon Newbie cheater Reputation: 0
Joined: 27 Aug 2016 Posts: 12
Posted: Mon Mar 27, 2017 2:01 pm
Here is what I meant:
https://i.imgur.com/DLs29kc.png
sbryzl Master Cheater Reputation: 6
Joined: 25 Jul 2016 Posts: 252
Posted: Mon Mar 27, 2017 2:29 pm
There is not enough information here. I can see that your pointer is changing, and you are implying that the value it is pointing to is also changing, so I am not sure which of those is giving you the issue.
The first situation can be solved with wildcards, and the second situation is normal for variable data.