Zec Newbie cheater Reputation: 0
Joined: 02 Jul 2016 Posts: 17
Posted: Tue Aug 22, 2017 2:31 pm Post subject: [SOLVED] Get pointer from x64 r13 register / game crashes
Hi game manipulators,
could you please help me with this small issue.
I often pick pointers by injecting a tiny AA construct like this:
Code:
[ENABLE]
aobscan...
alloc(newmem...
alloc(_PointerBaseExample,4)
registersymbol(_PointerBaseExample)
label(code)
label(return)
newmem:
mov [_PointerBaseExample],rax
code:
... original ...
jmp return
aobLocation:
jmp newmem
return:
registersymbol(aobLocation)
[DISABLE]
aobLocation:
db ...
unregistersymbol(_PointerBaseExample)
unregistersymbol(aobLocation)
dealloc(newmem)
Now for the first time I need to get the base address from r13.
This code...
Code:
[ENABLE]
aobscanmodule(aob_getPlZ,TheForest.RectT<int>::Height+17788D,F3 41 0F 11 5D 14)
alloc(newmem,$1024) // here an additional argument was needed (see next post)
alloc(_PlZ,8)
registersymbol(_PlZ)
label(code)
label(return)
registersymbol(aob_getPlZ)
newmem:
mov [_PlZ],r13
code:
movss [r13+14],xmm3
jmp return
aob_getPlZ:
jmp code // this made no sense, since the mov under newmem will not be executed (see next post)
nop
return:
[DISABLE]
aob_getPlZ:
movss [r13+14],xmm3
unregistersymbol(_PlZ)
dealloc(_PlZ,4)
unregistersymbol(aob_getPlZ)
dealloc(newmem)
... crashes the game.
When I take a look in the disassembler, the symbol is working and is in the right place.
(I am trying to get the players coordinate base from the gravity function.)
Thanks for reading and sharing your wisdom.
Last edited by Zec on Wed Aug 23, 2017 3:57 pm; edited 1 time in total
STN I post too much Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Posted: Wed Aug 23, 2017 5:56 am
alloc(newmem,$1024)
to
alloc(newmem,$1024,aob_getPlZ)

aob_getPlZ:
jmp code
nop
to
aob_getPlZ:
jmp newmem
nop

I don't see anything else immediately wrong with it
Zec Newbie cheater Reputation: 0
Joined: 02 Jul 2016 Posts: 17
Posted: Wed Aug 23, 2017 3:55 pm Post subject: Thank you!
That helped. So maybe the allocated memory was too far away from the original opcodes?
Thanks, learned the third argument for alloc().
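The distance problem the asker suspects comes from the 5-byte "jmp rel32" that the script writes at aob_getPlZ: its displacement is a signed 32-bit value, so the allocated block must lie within about 2 GiB of the hook site, which is what passing aob_getPlZ as the third argument to alloc() is for. The following C snippet is an added illustration (not from the thread or from Cheat Engine) that checks that reachability and builds the 6-byte patch (jmp plus one nop) covering the original movss [r13+14],xmm3; the addresses in main are constructed placeholders.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The instruction replaced at aob_getPlZ in the thread:
   movss [r13+14],xmm3 = F3 41 0F 11 5D 14 (6 bytes). */
#define HOOK_SITE_LEN 6
#define JMP_REL32_LEN 5

/* A 5-byte "jmp rel32" (E9 xx xx xx xx) stores a signed 32-bit displacement
   measured from the address of the following instruction. Returns true when
   `target` is reachable from a jmp placed at `site` and stores the displacement. */
bool jmp_rel32_fits(uint64_t site, uint64_t target, int32_t *rel_out)
{
    int64_t delta = (int64_t)target - (int64_t)(site + JMP_REL32_LEN);
    if (delta < INT32_MIN || delta > INT32_MAX)
        return false;
    if (rel_out)
        *rel_out = (int32_t)delta;
    return true;
}

/* Builds the bytes an [ENABLE] section writes at the hook site: jmp newmem,
   padded with NOPs so the patch covers the whole original instruction.
   Returns the patch length, or 0 when newmem is out of rel32 range. */
size_t build_hook_patch(uint64_t site, uint64_t newmem, uint8_t out[HOOK_SITE_LEN])
{
    int32_t rel;
    if (!jmp_rel32_fits(site, newmem, &rel))
        return 0;
    out[0] = 0xE9;
    memcpy(&out[1], &rel, sizeof rel);               /* little-endian on x86-64 */
    memset(&out[JMP_REL32_LEN], 0x90, HOOK_SITE_LEN - JMP_REL32_LEN);
    return HOOK_SITE_LEN;
}

int main(void)
{
    /* Constructed, hypothetical addresses: a hook site inside the game module,
       an allocation placed near it (alloc(...,aob_getPlZ)) and one 4 GiB away. */
    uint64_t site = 0x00007FF6A0001000ULL;
    uint8_t patch[HOOK_SITE_LEN];
    printf("near alloc: %zu patch bytes\n", build_hook_patch(site, site + 0x10000, patch));
    printf("far alloc:  %zu patch bytes\n", build_hook_patch(site, site + 0x100000000ULL, patch));
    return 0;
}
```

A far allocation yields no valid 5-byte patch at all, which is why the assembler needs the preferred-address hint to place newmem close to the hook.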