Cheat Engine The Official Site of Cheat Engine
Dark Byte, Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25831 Location: The Netherlands
Posted: Tue Jun 21, 2016 4:55 am Post subject:
hmm.
Disable kernelmode query memory regions.
Find the address, and go to memoryview->view->memory regions.
Go to the address it is at, expand the window so the extra field shows everything, and take a screenshot of that.
Perhaps it gives a clue why aobscan won't find it without
(Also, when you scan for an array using CE's GUI, make sure you scan all memory. By default it skips non-writable and copy-on-write memory.)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
NoMoreBSoD, Advanced Cheater
Reputation: 3
Joined: 03 Sep 2013 Posts: 85
Posted: Tue Jun 21, 2016 5:08 am Post subject:
Dark Byte wrote:
    hmm.
    Disable kernelmode query memory regions.
    Find the address, and go to memoryview->view->memory regions.
    Go to the address it is at, expand the window so the extra field shows everything, and take a screenshot of that.
    Perhaps it gives a clue why aobscan won't find it without
    (Also, when you scan for an array using CE's GUI, make sure you scan all memory. By default it skips non-writable and copy-on-write memory.)
There you go:
Yes, when I scanned for an array of bytes I greyed out the "writable" checkbox. Or did you mean the options in Settings -> Scan Settings -> "Scan the following memory region types" -> MEM_PRIVATE | MEM_IMAGE | MEM_MAPPED?
EDIT: After writing my question, I realize that the problem might be that MEM_IMAGE should be checked, not just MEM_PRIVATE. I'm going to do that while using Windows memory query routines.
Dark Byte, Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25831 Location: The Netherlands
Posted: Tue Jun 21, 2016 5:21 am Post subject:
Yeah, MEM_IMAGE should be on. (It's on by default; I should have noticed that in your screenshots.)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
NoMoreBSoD, Advanced Cheater
Reputation: 3
Joined: 03 Sep 2013 Posts: 85
Posted: Tue Jun 21, 2016 5:29 am Post subject:
So disabling kernelmode query memory regions and changing the scan settings to all 3 types also works! And now my vanilla code works without crashing the game.
Dark Byte wrote:
    Yeah, MEM_IMAGE should be on. (It's on by default.)
I must have disabled it by mistake at the same time as MEM_MAPPED after using CE on an emulated DS game. Why doesn't it affect the kernel mode scan?
DarkIceCore, did you have the same scan settings?
mgr.inz.Player, I post too much
Reputation: 222
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Tue Jun 21, 2016 6:07 am Post subject:
Dark Byte wrote:
    I should have noticed that in your screenshots.
Me too.
NoMoreBSoD wrote:
    Here is what I have:
Build 14251 is known to have bugs: it incorrectly recognizes the MEM_RESERVE state in some memory regions.
10240 and 10586 are fine.
14251 and a few around it (don't remember the exact numbers) are bugged.
14279 and above are also fine.
14342 is fine.
ParkourPenguin, I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4717
Posted: Tue Jun 21, 2016 8:30 am Post subject:
NoMoreBSoD wrote:
    A 16-byte jump isn't shown as such in the memory viewer and looks like random garbage. "FF 25 00 00 00 00" is the 6-byte code that initiates an 8-byte jump and must be followed by an 8-byte address. This makes 14 bytes, and my injection point needs to be at least that long without breaking any existing instruction.
    I NOP the extra bytes (after 14) from those instructions when creating my jump.
    "db FF 25 00 00 00 00" means jump to, and "dq newmem" means get the address of newmem.
That's correct, more or less. The "db FF 25 00 00 00 00" is the machine code of a valid instruction, and it will be shown as such in the disassembler. The dq newmem is data; it's not meant to be executed. However, CE doesn't know that for certain, so it still disassembles it as if it were executable.
If you take apart the bytes of that jmp instruction, it literally translates to "jump to the value at the address of the next instruction." The FF 25 means you're jumping to a value at a memory location relative to the next instruction, and the 0s are the displacement from said instruction. Since the address of the value you want to jump to is already right after this jmp, the displacement is 0.
You are correct about the NOPs. In the example, the last byte overridden by the 14-byte jump is 4C, the beginning of mov r14,rdx. There are two other bytes in that same instruction, so you need 2 NOP instructions to overwrite those bytes. This is so the label return represents the next instruction, lea r13,[rdi+rcx*4]. Otherwise, the instruction jmp return would try to jump into the middle of an instruction, probably crashing the game as a result.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
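The decoding ParkourPenguin walks through above can be checked mechanically. The script below is an added example, not code from the thread or from Cheat Engine itself: it encodes and decodes the 14-byte FF 25 00 00 00 00 + dq stub exactly as the CPU resolves it (displacement relative to the next instruction), computes how many whole instructions an injection point must consume and how many NOPs fill the surplus, and scans a code buffer for such stubs, which is the check a defender runs over a loaded module's .text section to spot an unexpected inline hook at a function entry. The addresses, instruction lengths and sample buffer are constructed for the demonstration.

```python
import struct

# x64 "jmp qword ptr [rip+0]": opcode FF /4, ModRM 0x25 selects RIP-relative
# addressing, and the 4-byte displacement 0 means "the qword right after me".
JMP_RIP0 = bytes.fromhex("FF2500000000")
STUB_LEN = len(JMP_RIP0) + 8  # 6-byte instruction + 8-byte absolute address = 14
NOP = b"\x90"


def build_abs_jmp(target: int) -> bytes:
    """Encode the 14-byte stub written by 'db FF 25 00 00 00 00' + 'dq target'."""
    return JMP_RIP0 + struct.pack("<Q", target)


def decode_rip_rel_jmp(code: bytes, base: int, offset: int = 0):
    """Decode a FF 25 disp32 jump found at code[offset:], with code loaded at base.

    Returns (slot_address, target): slot_address is where the CPU reads the
    8-byte target from, resolved relative to the *next* instruction, exactly as
    the hardware does. target is None when the slot lies outside the buffer.
    Returns None when no FF 25 instruction starts at offset.
    """
    if code[offset:offset + 2] != b"\xFF\x25":
        return None
    disp = struct.unpack_from("<i", code, offset + 2)[0]
    next_ip = base + offset + 6
    slot = next_ip + disp
    slot_off = slot - base
    target = None
    if 0 <= slot_off and slot_off + 8 <= len(code):
        target = struct.unpack_from("<Q", code, slot_off)[0]
    return slot, target


def find_abs_jmp_stubs(code: bytes, base: int):
    """Report every FF 25 00 00 00 00 + dq stub in a code buffer as (addr, target).

    An unexpected stub of this shape at a function entry is the classic shape
    of an inline hook, so a hook scanner runs this over a module's .text.
    """
    hits = []
    pos = code.find(JMP_RIP0)
    while pos != -1:
        slot, target = decode_rip_rel_jmp(code, base, pos)
        if target is not None:
            hits.append((base + pos, target))
        pos = code.find(JMP_RIP0, pos + 1)
    return hits


def patch_span(instr_lengths, stub_len: int = STUB_LEN):
    """Return (bytes_to_overwrite, nop_count) for an injection point.

    Whole instructions are consumed until at least stub_len bytes are covered;
    the surplus is NOP-filled so that 'return' lands on an instruction boundary
    instead of in the middle of a partially overwritten instruction.
    """
    covered = 0
    for length in instr_lengths:
        covered += length
        if covered >= stub_len:
            return covered, covered - stub_len
    raise ValueError("not enough instructions at the injection point to hold the stub")


if __name__ == "__main__":
    # Constructed values: a pretend module base and a pretend 'newmem' address.
    base = 0x140001000
    newmem = 0x7FF612345678
    stub = build_abs_jmp(newmem)
    print(stub.hex(" "))                       # ff 25 00 00 00 00 78 56 34 12 f6 7f 00 00
    print(decode_rip_rel_jmp(stub, base))      # slot = base + 6, target = newmem
    # The thread's case: the stub ends 1 byte into a 3-byte mov r14,rdx, so
    # 16 bytes are overwritten and 2 NOPs are appended (lengths are constructed).
    print(patch_span([5, 8, 3]))               # (16, 2)
    # A constructed "hooked prologue": 4 NOPs, the stub, then a ret.
    hooked = NOP * 4 + stub + b"\xC3"
    print([(hex(a), hex(t)) for a, t in find_abs_jmp_stubs(hooked, base)])
```

The decoder deliberately honours a non-zero displacement too, so it also resolves import-table jumps (jmp [rip+disp32] into the IAT) rather than only the disp=0 inline-hook form; the scanner keeps only stubs whose 8-byte slot is inside the buffer, which is the inline-hook shape the thread discusses.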
DarkIceCore, Expert Cheater
Reputation: 0
Joined: 10 Jun 2012 Posts: 102 Location: Moscow
Posted: Tue Jun 21, 2016 9:05 am Post subject:
NoMoreBSoD wrote:
    DarkIceCore, did you have the same scan settings?
I'm not using kernel mode at all,
and I always scan all memory regions, no matter what I'm looking for.
(MEM_all)
But with the VEH debugger I'm using Int3 instructions, not hardware.