Cheat Engine

Hatschi · Posted: Sat Oct 31, 2015 2:27 pm Post subject: Calculating MOV/CMP in 64bit

Hey,

I'm curious how CE knows what bytes to write to resolve this [newmem+100]. Please take a look at the following pictures:

So here we have [newmem+100]. The 64bit address cannot be written directly because a 64bit address is 8 byte long, but we have only 4. So the address is written as EF 00 00 00.

Now I try to imagine the logic why its EF 00 00 00. The [newmem+100] is at address 7FF76B74000A + 0x3 = 7FF76B74000D

7FF76B740100 (which is the newmem+100) - 7FF76B74000D = F3

F3 is not EF. So how do I get to EF? Well I can subtract 0x4 so

7FF76B740100 - 7FF76B74000D - 0x4 = EF

Great but lets check out how it works on CMP DWORD PTR for example:

Its again EF 00 00 00 but this time at address 7FF76B74000A + 0x2 = 7FF76B74000C

If I take the logic above I would get to:

7FF76B740100 - 7FF76B74000C - 0x4 = F0

Now instead of 0x4 I would have to subtract 0x5. However is the calculation really that different? How does CE calculates the address in 64bit ? How does CE knows it has to write EF 00 00 00 at point X to get to point Z.

I hope it clears what Im asking for.

mgr.inz.Player · Posted: Sat Oct 31, 2015 2:53 pm Post subject:

It is RIP relative addressing.

Hatschi · Posted: Sat Oct 31, 2015 2:58 pm Post subject:

So:
[target address] - [instruction length] = Remaining length in bytes

mgr.inz.Player · Posted: Sat Oct 31, 2015 3:04 pm Post subject:

[address of instruction] + [instruction size] + [RIP offset] = [target address]

Or

[address of next instruction] + [RIP offset] = [target address]

Zanzer · Posted: Sat Oct 31, 2015 3:11 pm Post subject:

variable_address - instruction_address - instruction_length = byte_offset
7FF76B740100 - 7FF76B74000A - 7 = EF