Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
how to get base address of pointer from AOB signature ?

 
Cheat Engine Forum Index -> Cheat Engine Lua Scripting
Twistedfate
Expert Cheater
Reputation: 1

Joined: 11 Mar 2016
Posts: 231

Posted: Sat Apr 22, 2017 6:56 am    Post subject: how to get base address of pointer from AOB signature ?

The idea is in the picture.
My base address pointer is [game.exe+85B0CC]; it's stored inside this signature:
A1 4CB4C500.

The question is:
Is it possible to get the pointer base address from the signature in the picture... How can I calculate the module offset?
Code:
[game.exe+85B0CC]  →  4CB4C500     how to get 85B0CC from 4CB4C500

- and how to put it into my pointer? If that is possible.
- the pointer changes every time, so I need to read the original bytes after scanning on
Code:
A1 ?CB?C500



Attachment: pointer question.jpg

mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Sat Apr 22, 2017 8:31 am

If it is a 32-bit process this should do the trick, AA script:

Code:
[ENABLE]
aobscan(theAob,A1 ?C B? C5 00 E8 ?? ?? 5? 00 C3 6A 04)
label(pointerBase)
registersymbol(pointerBase)

[theAob+1]:
pointerBase:

[DISABLE]
unregistersymbol(pointerBase)



And use the pointerBase symbol as the base.

ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Sat Apr 22, 2017 8:48 am

The opcode A1 addresses a memory location using an offset relative to a segment base (in the majority of contemporary cases, 0). Therefore, if you know that address must be in the module game.exe, subtract the address game.exe was loaded at from that dword to get the offset.

Basic algebra:
Code:
seg + moffs32 = game.exe + module_offset

seg = 0

module_offset = moffs32 - game.exe


That specific example you posted isn't possible, because that would imply game.exe was loaded at a granularity of 4.


Using mgr.inz.Player's solution would be easier than calculating the module offset. It's how I (and perhaps most people) would get an address hardcoded into an instruction.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
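The subtraction in the "basic algebra" block above, worked through as an added Python example (this is not code from the thread or from Cheat Engine). The sample bytes are the A1 4CB4C500 signature from the question followed by constructed filler; the 0x400000 image base and 0x1000000 module size are assumed values. The block decodes the little-endian moffs32 operand, applies module_offset = moffs32 - module_base, and checks a claimed offset the way ParkourPenguin does: the base it implies must be a multiple of Windows' 64 KiB allocation granularity, which the 85B0CC offset from the question fails.

```python
import struct

# Constructed sample bytes (not the page's game binary): "mov eax, [moffs32]"
# is opcode A1 followed by a 4-byte absolute address stored little-endian,
# here followed by a few filler bytes shaped like the thread's signature.
SAMPLE_32 = bytes.fromhex("A14CB4C500E800005000C36A04")

# Windows maps image files at 64 KiB allocation granularity, so a real image
# base is always a multiple of 0x10000; a base such as 0x400380 is impossible.
ALLOCATION_GRANULARITY = 0x10000


def decode_moffs32(code: bytes, pos: int = 0) -> int:
    """Return the absolute address encoded by the A1 moffs32 instruction at code[pos]."""
    if code[pos] != 0xA1:
        raise ValueError("byte at pos is not the A1 opcode")
    # "<I" = little-endian unsigned 32-bit. The segment base is 0 in flat
    # mode, so this is the linear address the instruction reads from.
    return struct.unpack_from("<I", code, pos + 1)[0]


def module_offset(absolute: int, module_base: int, module_size: int) -> int:
    """module_offset = moffs32 - module_base, only meaningful if the address is inside the module."""
    if not module_base <= absolute < module_base + module_size:
        raise ValueError(
            f"0x{absolute:X} is outside [0x{module_base:X}, 0x{module_base + module_size:X})"
        )
    return absolute - module_base


def implied_base_is_plausible(absolute: int, claimed_offset: int) -> bool:
    """Sanity check for a claimed offset: the base it implies must be allocation-granularity aligned."""
    implied_base = absolute - claimed_offset
    return implied_base >= 0 and implied_base % ALLOCATION_GRANULARITY == 0


if __name__ == "__main__":
    addr = decode_moffs32(SAMPLE_32)
    print(f"moffs32 = 0x{addr:08X}")  # 0x00C5B44C
    # With an assumed base of 0x400000 the offset is 0x85B44C ...
    print(f"offset  = 0x{module_offset(addr, 0x400000, 0x1000000):X}")
    # ... whereas the 0x85B0CC offset from the question implies a base of
    # 0x400380, which is not 64 KiB aligned, so it cannot be game.exe.
    print(implied_base_is_plausible(addr, 0x85B0CC))  # False
```

The same rebasing arithmetic is what any disassembler or signature tool does when it turns a hard-coded absolute address back into a module-relative one, and the alignment check is a cheap way to catch a wrong base before trusting the result.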
Twistedfate
Expert Cheater
Reputation: 1

Joined: 11 Mar 2016
Posts: 231

Posted: Sat Apr 22, 2017 9:55 am

mgr.inz.Player

Thanks in advance, but it's 64-bit >> I get the error "not all code injectable".
And do you have any script containing a full example of your trick?
panraven
Grandmaster Cheater
Reputation: 54

Joined: 01 Oct 2008
Posts: 941

Posted: Sat Apr 22, 2017 10:09 am

Given mgr.inz.Player's code, OP wants the offset value as pointerBase - module_base, i.e.
Code:

[theAob+1]-moduleAddr:   // *
offsetValue:

However, the * will not be evaluated if moduleAddr is a label or symbolic address, but it does work if moduleAddr is a hexadecimal number.
The module address can be evaluated/known beforehand by Lua, e.g.
Code:

{$lua}
local xbase = readInteger(process)and GetAddress(process)
return xbase and string.format("define(moduleAddr,%X)",xbase)
{$asm}

[ENABLE]
aobscanmodule(theAob,$process,a1 ?? ?? ?? ?? 8b ?? ?? 57)
// another aob pattern for my own test, but not matter here

label(pointerBase)
registersymbol(pointerBase)
label(offsetValue)
registersymbol(offsetValue)


[theAob+1]:
pointerBase:    // eg.   41a3a4 in my test

[theAob+1]-moduleAddr:
offsetValue:    // give   1a3a4 in my test

[DISABLE]
unregistersymbol(pointerBase)
unregistersymbol(offsetValue)




For the 64-bit case, it may need to read the RIP address offset as a 4-byte (signed/unsigned?) integer; pure AA symbolic address operations may not be enough at the moment.
Here a custom lookup function is made to read a Lua expression as a symbolic address:
Code:

{$lua}
if _myLookup then
  unregisterSymbolLookupCallback(_myLookup)
end

_myLookup = registerSymbolLookupCallback(function(s)
  local LUA_expr = s:match"^%s*%(%?%s*([^?]-)%s*%?%)%s*$"
  if LUA_expr then
    local ok,try = pcall(load,'return '..LUA_expr,'_',nil,_G)
    if ok then ok, try = pcall(try) end
    if ok then
      local t = type(try)
      if t=='number' then
        return try
      elseif t == 'string' then
        return readInteger(try)and GetAddress(try)
      end
    end
  end
end, slFailure)
{$asm}



{$lua}
local xbase = readInteger(process)and GetAddress(process)
return xbase and string.format("define(moduleAddr,%X)",xbase)
{$asm}


[ENABLE]
aobscanmodule(theAob,$process,48 8d 15 ?? ?? ?? ?? e8)
// at cheatengine-x86_64.exe+3b6d

label(pointerBase)
registersymbol(pointerBase)
label(offsetValue)
registersymbol(offsetValue)

(?readInteger(GetAddress'theAob'+3)+GetAddress'theAob'+7?):
pointerBase:

(?readInteger(GetAddress'theAob'+3)+GetAddress'theAob'+7-tonumber('moduleAddr',16)?):
offsetValue:

[DISABLE]
unregistersymbol(pointerBase)
unregistersymbol(offsetValue)

The Lua expression looks awful, but if you understand the concept, it is fairly easy to express the wanted address.

_________________
- Retarded.
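The 64-bit case from the post above, as an added Python example (not the thread's or Cheat Engine's code; CE's readInteger/GetAddress are replaced by plain byte parsing so it runs offline). The pattern 48 8d 15 ?? ?? ?? ?? is `lea rdx, [rip+disp32]`; the image base, the two displacement values and the match location module+0x3B6D are constructed (the last one reuses the comment in the script above). It answers the "(signed/unsigned?)" question: disp32 in a RIP-relative instruction is a signed offset from the address of the next instruction, and reading a backward displacement as unsigned puts the target about 4 GiB past the module.

```python
import struct

# Constructed values (not the page's binary): assume the aob matched at
# module_base + 0x3B6D with a made-up 64-bit image base.
MODULE_BASE = 0x7FF612340000
MATCH_ADDR = MODULE_BASE + 0x3B6D
LEA_LEN = 7  # REX.W + opcode + ModRM + disp32; RIP points past these 7 bytes

# Two constructed encodings of "lea rdx, [rip+disp32]" followed by an E8 (call)
# byte: one reaching forward, one reaching backward (negative disp32).
LEA_FORWARD = bytes([0x48, 0x8D, 0x15]) + struct.pack("<i", 0x1000) + b"\xE8"
LEA_BACKWARD = bytes([0x48, 0x8D, 0x15]) + struct.pack("<i", -0x2B74) + b"\xE8"


def lea_rip_target(code: bytes, instr_addr: int, signed: bool = True) -> int:
    """Effective address of 'lea r64, [rip+disp32]' located at instr_addr.

    RIP-relative addressing is relative to the next instruction, so the
    target is instr_addr + 7 + disp32, where disp32 is a signed 32-bit value.
    signed=False reproduces the mistake of treating the displacement as unsigned.
    """
    # 48 = REX.W, 8D = lea, ModRM with mod=00 and rm=101 selects [rip+disp32]
    if code[0] != 0x48 or code[1] != 0x8D or (code[2] & 0xC7) != 0x05:
        raise ValueError("not a REX.W lea with a RIP-relative operand")
    disp = struct.unpack_from("<i" if signed else "<I", code, 3)[0]
    return (instr_addr + LEA_LEN + disp) & 0xFFFFFFFFFFFFFFFF


def module_offset(target: int, module_base: int) -> int:
    """Same subtraction as the offsetValue label in the AA script above."""
    return target - module_base


if __name__ == "__main__":
    for name, code in (("forward", LEA_FORWARD), ("backward", LEA_BACKWARD)):
        t = lea_rip_target(code, MATCH_ADDR)
        print(f"{name}: target = module+0x{module_offset(t, MODULE_BASE):X}")
    # Reading the backward displacement as unsigned lands ~4 GiB past the module.
    wrong = lea_rip_target(LEA_BACKWARD, MATCH_ADDR, signed=False)
    print(f"unsigned mistake: module+0x{module_offset(wrong, MODULE_BASE):X}")
```

The forward case gives module+0x4B74 and the backward case module+0x1000; only the signed read produces the second value, which is the practical reason a 4-byte displacement must be sign-extended before it is added to the next-instruction address.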
Twistedfate
Expert Cheater
Reputation: 1

Joined: 11 Mar 2016
Posts: 231

Posted: Sat Apr 22, 2017 12:56 pm

mgr.inz.Player, ParkourPenguin, mr panraven:
thank you all, I got it ^^
xxhehe
Expert Cheater
Reputation: 0

Joined: 11 Mar 2015
Posts: 136

Posted: Wed Oct 03, 2018 6:39 am

panraven wrote:
[...]



CE6.8.1 X64
x64 process

file-->Assign to current cheat table



Attachment: 20181003203357.png

All times are GMT - 6 Hours