Zanko Cheater Reputation: 0
Joined: 28 May 2014 Posts: 40
Posted: Sun Jul 03, 2016 2:12 am Post subject: Cheat engine .text vs .data section
Hi, is it possible to know where the .data section starts exactly?
In the attached screenshot you can see that I navigated to the corresponding section of the byte array, once in the disassembler view and once in the memory region view.
http://prnt.sc/bo5ld5
1) I know for sure that those bytes represent the character structure, HP, MP etc. So what does the disassembled view tell us? What are those corresponding instructions? Does Cheat Engine just simply try to translate the opcodes even though those opcodes might not be executed?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Sun Jul 03, 2016 2:29 am
You could try parsing the PE header, which is likely at ffx.exe+200.
The disassembler view just interprets data as it sees it; it doesn't care if it's executable or not (data can contain JIT'ed or decoded code).
Also, not all code in .text is valid code. It also contains class tables and other data.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
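Dark Byte's suggestion of parsing the PE header, as an added example that is not part of the thread and not Cheat Engine's own code: a minimal PE section-table parser in Python. The image it parses is constructed inline, and the module base 0x00400000, the section names and their sizes are assumptions. It reads the PE header offset from e_lfanew at 0x3C rather than assuming a fixed offset, handles both PE32 and PE32+, and answers the question asked in the first post: given an address in the running process, which section (and therefore code or data) does it fall in.

```python
"""Added example (not from the thread): find where .text, .data and friends
start by parsing the PE header of a loaded module.

Works on the bytes at the module base as shown in the memory viewer (or on the
file: the headers are identical). The PE header offset is read from e_lfanew
at 0x3C rather than assumed. The image below is constructed, not a real game.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(image):
    """Return (preferred ImageBase, [section dicts]) from a PE image's headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                                         # PE32
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:                                       # PE32+
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for n in range(nsec):                                      # section table follows the optional header
        f = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * n)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "raw_size": f[3], "raw_off": f[4], "chars": f[9]})
    return image_base, sections


def section_for(sections, module_base, address):
    """Which section does a runtime address fall in? None for headers or gaps."""
    rva = address - module_base
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def kind(s):
    """Rough classification from the section characteristics flags."""
    if s["chars"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
        return "code"
    return "data (rw)" if s["chars"] & IMAGE_SCN_MEM_WRITE else "data (ro)"


def build_sample_pe32(image_base=0x00400000):
    """Construct a minimal PE32 header + section table (no code/data bodies); demonstration only."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                # e_lfanew: PE signature right after
    # (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)
    secs = [(b".text", 0x1000, 0x2800, 0x2A00, 0x0400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
            (b".rdata", 0x4000, 0x0800, 0x0800, 0x2E00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
            (b".data", 0x5000, 0x1200, 0x0600, 0x3600, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
    opt = bytearray(0xE0)                                      # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, ro, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, ro, ch in secs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    module_base = 0x00400000      # take the real base from the process; ASLR may move it
    _, secs = parse_sections(build_sample_pe32())
    for s in secs:
        print(f"{s['name']:<8} {module_base + s['va']:08X}-{module_base + s['va'] + s['vsize']:08X}  {kind(s)}")
    print("0x00405120 is in", section_for(secs, module_base, 0x00405120)["name"])
```

To use it on a real process, read the first few kilobytes at the module's actual base (the one the debugger reports, not the ImageBase from the header, since the module may be relocated) and pass them to parse_sections; runtime address = module base + VirtualAddress. The section flags only tell you what the linker intended: as the reply above says, .text still contains tables and other data, and a writable region can hold generated code, so treat the classification as a hint, not proof.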
Zanko Cheater Reputation: 0
Joined: 28 May 2014 Posts: 40
Posted: Sun Jul 03, 2016 3:03 am
Thank you for answering!
Out of curiosity, does that mean the assembly instructions are sometimes wrong? For example, what if the byte array is like this:
00 01 02 03 04 05 06 07 08 09
What if the first 3 bytes are the instruction 00 01 02,
the next two bytes are data 03 04,
and the rest is the instruction 05 06 07 08 09?
Since Cheat Engine interprets data as it sees it, does that mean it is possible that Cheat Engine thinks that
the first 3 bytes are the instruction 00 01 02,
the next 3 bytes are the instruction 03 04 05,
and the rest is the instruction 06 07 08 09?
What would happen in this case? The real instruction is "split" unintentionally. Is this possible?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Sun Jul 03, 2016 4:07 am
It is possible, e.g.:
Code:
    mov eax,ecx
    mov dx,[somedata]
    jmp short done
    somedata:
    db 03 04
    done:
    sub edx,eax
    call 12345678
The somedata bytes will be interpreted as an instruction by the disassembler.
It can cause some issues with the disassembler, as the "instruction" in the data may be interpreted as a 3-byte or larger instruction.
Just go to the address of done to get a proper disassembly after that code, or use the left/right keyboard keys to shift the address by only 1 byte.
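Dark Byte's snippet, as an added example that is not from the thread and not Cheat Engine's disassembler: a toy Python decoder that assembles the snippet's bytes (constructed; 32-bit, at an assumed base of 0x00401000, with the post's call target 12345678 taken as hex) and decodes them twice. The linear sweep, which is what scrolling the disassembler view does, swallows the two data bytes plus the first byte of sub edx,eax as one 3-byte add, exactly the "3-byte or larger instruction" effect described, and then stays out of sync until the buffer ends. Following control flow from a known-good start (the done label, or EIP while debugging) never decodes the data bytes at all. The decoder only knows the handful of opcodes the snippet uses; it is not a general x86 disassembler.

```python
"""Added example (not from the thread): a toy x86-32 decoder showing how a
disassembler desynchronises on data embedded in code.
It knows only the opcodes in the snippet above (mov/add/sub with ModRM, jmp short,
call rel32, ret imm16); anything else is shown as a raw byte. The code bytes,
the base 0x00401000 and the call target are constructed for the demonstration.
"""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
# opcode -> mnemonic; bit 1 of the opcode set means the reg field is the destination
MODRM_OPS = {0x01: "add", 0x03: "add", 0x29: "sub", 0x2B: "sub", 0x89: "mov", 0x8B: "mov"}


def _modrm_operand(code, i, regs):
    """Decode ModRM (+SIB/displacement) at code[i]; return (reg field, r/m text, next index)."""
    mod, reg, rm = code[i] >> 6, (code[i] >> 3) & 7, code[i] & 7
    i += 1
    if mod == 3:                                     # register-direct operand
        return reg, regs[rm], i
    parts = []
    if rm == 4:                                      # SIB byte follows
        scale, index, base = code[i] >> 6, (code[i] >> 3) & 7, code[i] & 7
        i += 1
        if mod == 0 and base == 5:                   # no base register, disp32 instead
            parts.append(f"0x{struct.unpack_from('<I', code, i)[0]:08x}")
            i += 4
        else:
            parts.append(REG32[base])
        if index != 4:                               # index 100b means no index
            parts.append(f"{REG32[index]}*{1 << scale}")
    elif mod == 0 and rm == 5:                       # absolute disp32 (the [somedata] case)
        parts.append(f"0x{struct.unpack_from('<I', code, i)[0]:08x}")
        i += 4
    else:
        parts.append(REG32[rm])
    if mod in (1, 2):                                # disp8 or disp32 follows
        fmt, size = ("<b", 1) if mod == 1 else ("<i", 4)
        parts.append(f"{struct.unpack_from(fmt, code, i)[0]:+#x}")
        i += size
    return reg, "[" + "+".join(parts) + "]", i


def decode_one(code, base, off):
    """Decode the instruction at code[off]; return (address, length, text)."""
    i, regs = off, REG32
    if code[i] == 0x66:                              # operand-size prefix: 16-bit registers
        regs, i = REG16, i + 1
    op = code[i]
    i += 1
    if op in MODRM_OPS:
        reg, rm_text, i = _modrm_operand(code, i, regs)
        dst, src = (regs[reg], rm_text) if op & 2 else (rm_text, regs[reg])
        text = f"{MODRM_OPS[op]} {dst},{src}"
    elif op == 0xEB:                                 # jmp short rel8, relative to next ip
        text = f"jmp short 0x{base + i + 1 + struct.unpack_from('<b', code, i)[0]:08x}"
        i += 1
    elif op == 0xE8:                                 # call rel32, relative to next ip
        target = (base + i + 4 + struct.unpack_from('<i', code, i)[0]) & 0xFFFFFFFF
        text, i = f"call 0x{target:08x}", i + 4
    elif op == 0xC2:                                 # ret imm16
        text, i = f"ret 0x{struct.unpack_from('<H', code, i)[0]:x}", i + 2
    else:                                            # unknown to this toy decoder: raw byte
        text, i = f"db 0x{op:02x}", off + 1
    return base + off, i - off, text


def linear_sweep(code, base, start=0):
    """Decode byte after byte, like scrolling the disassembler view through the bytes."""
    out, off = [], start
    while off < len(code):
        insn = decode_one(code, base, off)
        out.append(insn)
        off += insn[1]
    return out


def follow_flow(code, base, start=0):
    """Decode only reachable code: follow jmp short, stop at ret, never touch skipped bytes."""
    out, seen, work = [], set(), [start]
    while work:
        off = work.pop()
        if off in seen or not 0 <= off < len(code):
            continue
        seen.add(off)
        addr, length, text = decode_one(code, base, off)
        out.append((addr, length, text))
        if text.startswith("jmp short"):
            work.append(int(text.split()[-1], 16) - base)   # only the target is reachable
        elif not text.startswith("ret"):
            work.append(off + length)                        # fall through; call target is outside the buffer
    return sorted(out)


# Constructed bytes for the snippet above, assembled for 32-bit at an assumed base of 0x00401000
BASE, CALL_TARGET = 0x00401000, 0x12345678
SOMEDATA, DONE = BASE + 0x0B, BASE + 0x0D
CODE = (bytes([0x89, 0xC8])                                          # mov eax,ecx
        + bytes([0x66, 0x8B, 0x15]) + struct.pack("<I", SOMEDATA)    # mov dx,[somedata]
        + bytes([0xEB, DONE - (BASE + 0x0B)])                         # jmp short done
        + bytes([0x03, 0x04])                                         # somedata: db 03 04
        + bytes([0x29, 0xC2])                                         # done: sub edx,eax
        + b"\xE8" + struct.pack("<i", CALL_TARGET - (BASE + 0x14)))   # call 12345678

if __name__ == "__main__":
    for title, listing in (("linear sweep", linear_sweep(CODE, BASE)), ("following flow", follow_flow(CODE, BASE))):
        print("---", title)
        for addr, length, text in listing:
            print(f"{addr:08X}  {CODE[addr - BASE:addr - BASE + length].hex(' '):<22} {text}")
```

In the linear sweep, 03 04 29 decodes as add eax,[ecx+ebp*1], eating the first byte of sub edx,eax; C2 E8 64 then decodes as ret 0x64e8, eating the call opcode and the first byte of its displacement, and the remaining three bytes come out as junk. Flow-following decode from the entry, or starting a linear sweep at done (or at EIP), yields sub edx,eax followed by call 0x12345678. The same desync is why the reply recommends stepping the view with the left/right keys until the listing looks sane again.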
Zanko Cheater Reputation: 0
Joined: 28 May 2014 Posts: 40
Posted: Sun Jul 03, 2016 4:57 pm
Hi, this is very interesting! If I may ask, obviously it is very difficult to spot this kind of error given that there are millions of instructions. If I was debugging around the 52 millionth instruction, how can I be sure that the previous 52 million instructions were reliably interpreted?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Sun Jul 03, 2016 5:31 pm
You don't.
But you can get a valid instruction pointer from EIP when debugging, which will align you properly.
Also, if you get experienced in reading disassembly, you'll quickly recognize when the code is wrong.