BufferOverflow (How do I cheat?, Reputation: 0, Joined: 18 Jan 2015, Posts: 6)
Posted: Tue May 23, 2017 10:48 am    Post subject: (C#/ASM) Save value from codecave
Hello,
Let's say I've made a detour to my codecave and I want to extract the value inside the rax register before returning. How would I do something like this? Do I need to save the address stored in rax somewhere and then read from that address in C#?
atom0s (Moderator, Reputation: 199, Joined: 25 Jan 2006, Posts: 8518, Location: 127.0.0.1)
Posted: Tue May 23, 2017 8:55 pm
Move the value into another location before your cave returns back to the original code. Anytime the code cave is called it will update that second location with the value. This is commonly done in tables that offer the ability to edit values live while still using a cave to obtain and set the value in the first place.
- Retired.
BufferOverflow (How do I cheat?, Reputation: 0, Joined: 18 Jan 2015, Posts: 6)
Posted: Wed May 24, 2017 4:45 am
atom0s wrote:
> Move the value into another location before your cave returns back to the original code. Anytime the code cave is called it will update that second location with the value. This is commonly done in tables that offer the ability to edit values live while still using a cave to obtain and set the value in the first place.

My assembly is quite awful. Is the table you are talking about a "lookup table"? I googled a bit but I couldn't really figure out how to make one of these tables and get the address to it.
atom0s (Moderator, Reputation: 199, Joined: 25 Jan 2006, Posts: 8518, Location: 127.0.0.1)
Posted: Wed May 24, 2017 1:24 pm
I was referring to cheat tables that had been posted on this site in the past. They do what you are referring to fairly often to display values and such in the table as well as trainers etc. Basically what you would be doing is allocating a second location of memory which you would have the known address to. Inside of your cave, move the value you want to view into that second memory location then you can display it since you know the address to read consistently.
Here is an example of using a second memory location to check for a flag in Minesweeper:
Code:
[ENABLE]
alloc(TimeFlag,4)
alloc(cave,256)
registersymbol(TimeFlag)
label(back)
// Our Time Cave
cave:
cmp [TimeFlag],1
jne back
inc [0100579C]
jmp back
// Create Cave And Jump For Main Time Inc
1002FF5:
jmp cave
nop
back:
// Disable Initial Time Tick
1003830:
nop
nop
nop
nop
nop
nop
[DISABLE]
// Restore Main Time Tick
1002FF5:
inc [0100579C]
// Restore Initial Time Tick
1003830:
inc [0100579C]
// Remove Our Defines (TimeFlag is the 4-byte flag allocated above)
dealloc(cave)
dealloc(TimeFlag)
unregistersymbol(TimeFlag)
You can then create a new address to your table with the address of: TimeFlag
This will allow you to toggle the cheat by editing this second memory location.
Here is another example, for Pinball on WinXP. This stores the score value into the second memory location, and it can be made visible on the table by adding a new pointer with the address pPointer.
Code:
[ENABLE]
alloc(cave,256)
alloc(pPointer,4)
label(back)
registersymbol(pPointer)
cave:
lea eax,[ecx+52]
add [eax],esi
mov [pPointer],eax
jmp back
1017579:
jmp cave
back:
[DISABLE]
1017579:
lea eax,[ecx+52]
add [eax],esi
dealloc(cave)
dealloc(pPointer)
unregistersymbol(pPointer)
- Retired.
BufferOverflow (How do I cheat?, Reputation: 0, Joined: 18 Jan 2015, Posts: 6)
Posted: Thu May 25, 2017 4:34 am
Thank you, that cleared things up a lot!
EDIT: Never mind, I solved it! Thank you for your help!
One last question I bumped into, if you don't mind.
If I want to mov rcx to a 64-bit address, do I have to mov the address into rax before?
If I do for example:
Code:
mov 23A1B670000, rcx
it will overflow and add "random" instructions to the addresses afterwards.
Would something like this work better? (I'm not able to access my desktop at the moment to test it):
Code:
mov rax, 23A1B670000
mov rax, rcx
Or would it just overwrite rax instead of moving the value to the address inside rax?
atom0s (Moderator, Reputation: 199, Joined: 25 Jan 2006, Posts: 8518, Location: 127.0.0.1)
Posted: Sun May 28, 2017 6:27 pm
Addresses should be embraced with [ ], otherwise it is going to try and use that as a value.
- Retired.
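The encoding behind the last two posts, as an added example (Python, not code from the thread or from Cheat Engine): it shows why a 32-bit address like the Minesweeper script's [0100579C] can be written as a bare bracketed operand, why a 64-bit address such as 23A1B670000 has to be loaded into a register and stored through it, and that the proposed `mov rax, rcx` is only a register copy that overwrites rax. Register numbers and opcodes are the standard x86-64 ones; the function names and the `store_rcx_at` helper are my own.

```python
import struct

# ModRM register numbers for the two registers the thread uses (standard x86-64).
REG = {"rax": 0, "rcx": 1}
REX_W = 0x48  # REX prefix with W=1: 64-bit operand size


def fits_disp32(addr):
    """A ModRM memory operand carries at most a sign-extended 32-bit displacement,
    so only user-mode addresses below 2 GiB can be written as a bare [addr]."""
    return 0 <= addr <= 0x7FFFFFFF


def mov_reg_imm64(reg, imm):
    """mov r64, imm64  ->  REX.W  B8+rd  imm64 (little-endian)"""
    return bytes([REX_W, 0xB8 + REG[reg]]) + struct.pack("<Q", imm)


def mov_mem_reg(base, src):
    """mov [base], src  ->  REX.W 89 /r with mod=00 (register-indirect, no displacement)"""
    modrm = (0b00 << 6) | (REG[src] << 3) | REG[base]
    return bytes([REX_W, 0x89, modrm])


def mov_reg_reg(dst, src):
    """mov dst, src  ->  REX.W 89 /r with mod=11: a register copy that overwrites dst"""
    modrm = (0b11 << 6) | (REG[src] << 3) | REG[dst]
    return bytes([REX_W, 0x89, modrm])


def mov_abs32_reg(addr, src):
    """mov [disp32], src  ->  REX.W 89 /r, mod=00 rm=100 plus SIB 0x25 (no base, no index)"""
    modrm = (0b00 << 6) | (REG[src] << 3) | 0b100
    return bytes([REX_W, 0x89, modrm, 0x25]) + struct.pack("<i", addr)


def store_rcx_at(addr):
    """Encode 'store rcx at absolute address addr'; returns (machine code, asm lines).

    There is no mov [imm64], r64 instruction: the only absolute-64 memory form
    (moffs64, opcode A3) is limited to rax, so a 64-bit address must first be
    loaded into a scratch register and the store done through that register."""
    if fits_disp32(addr):
        return mov_abs32_reg(addr, "rcx"), [f"mov [{addr:08X}], rcx"]
    code = mov_reg_imm64("rax", addr) + mov_mem_reg("rax", "rcx")
    return code, [f"mov rax, {addr:X}", "mov [rax], rcx"]


if __name__ == "__main__":
    for addr in (0x0100579C, 0x23A1B670000):  # the thread's 32-bit and 64-bit addresses
        code, asm = store_rcx_at(addr)
        print(code.hex(" "), "  ;", " / ".join(asm))
```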