peter4d5 Cheater Reputation: 0
Joined: 21 Dec 2010 Posts: 37
|
Posted: Mon Oct 15, 2012 10:03 am Post subject: [Help] Relative and Absolute Address in CE |
|
|
I'm learning how to patch exe file by Cheatengine,but don't know to
change between relative address and absolute address eg.
000100D5 : 682C0D4100 - PUSH 000410D2C
;
;
0001012C : 45 - inc ebp ; 'E'
0001012C = 000410D2C ... omg..
this came from old example,but how can i change setting in CE to get true address? or anyway to know..please.
_________________
my name is peter4d5 |
|
SteveAndrew Master Cheater Reputation: 30
Joined: 02 Sep 2012 Posts: 323
|
Posted: Fri Oct 26, 2012 9:15 am Post subject: Re: [Help] Relative and Absolute Address in CE |
|
|
peter4d5 wrote: | I'm learning how to patch exe file by Cheatengine,but don't know to
change between relative address and absolute address eg.
000100D5 : 682C0D4100 - PUSH 000410D2C
;
;
0001012C : 45 - inc ebp ; 'E'
0001012C = 000410D2C ... omg..
this came from old example,but how can i change setting in CE to get true address? or anyway to know..please. |
Oh okay I think I see what you mean! When you load your executable's exe file directly into CE instead of attaching to it while its actually running, the base address starts at 0 instead of wherever the image base normally gets loaded too...
For example, lets say you have an executable called "MyExe.exe"...
Now that relative address: 1012C, is located at "MyExe.exe"+1012C when the exe is actually running and your attached with CE...
"MyExe.exe"+1012C
In the memory viewer you can goto that address and CE will understand it
What it does is take the image base of "MyExe.exe" and add 1012C to it which takes you to the actual address... (while its running)
The thing is, the image base *could* possibly be different each time you run the exe, this is why we use the relative addressing to begin with...
But if you wanted to figure out the image base from your address, you just subtract the relative address from the actual address...
Like so: 410D2C - 1012C == 400C00, so your image base for that particular run was at 400C00... (Now that seems a little wierd to me as usually it would be 400000 flat, but like I said image bases don't have to always be the same so I guess it could've been like that)
To go the other way you just do the opposite:
400C00 + 1012C == 410D2C
which is the same as what cheat engine does when you specify the exe name and add an offset ex.
"MyExe.exe"+1012C would be the same if the exe was named "MyExe.exe"
Just going to the address of "MyExe.exe" in memory viewer will show you the image base so you can see if your doing your math right!
Hope that's what you meant and it helped!
_________________
|
|