Cheat Engine The Official Site of Cheat Engine
Menoetius Cheater Reputation: 0
Joined: 01 Jul 2018 Posts: 29
Posted: Sat Aug 11, 2018 5:34 pm Post subject: Mov
I'm a bit confused about why some mov commands work and others do not with an initialized space in memory. I'm attempting to mov a value from the esp-stack into a space in memory and I don't know if that's the wrong thing to attempt.
Code:
globalalloc(_cmp0,$4)
//...
mov edx,[ESP+0C]   // works
mov _cmp0,[ESP+0C] // doesn't work
mov _cmp0,esp      // doesn't work
mov _cmp0,[esp]    // doesn't work
mov [_cmp0],esp    // WORKS
I might be missing something basic, but can someone explain to me why they work or do not work, and what I can attempt to make it function? I need the equivalent of "mov var,[ESP+##]" to view the variable in other scripts and was hoping to get some assistance. Thank you kindly for reading.
_________________
Big Gun
#1
Shoot the Hell Outta You
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Sat Aug 11, 2018 5:52 pm Post subject: Re: Mov
Pay more attention to the "[]" brackets; they denote reading a value or its address.
With "mov edx,[ESP+0C]" you're moving the value at the address "ESP+C" into EDX.
With "mov _cmp0,[ESP+0C]" you're trying to set the address of the symbol "_cmp0" to the value at the address "ESP+C"; you can't do it that way, the symbol's address is set when it is allocated.
With "mov _cmp0,esp" you're basically doing the same as before, except with the address in ESP instead of the value at that address.
With "mov [_cmp0],esp" you're setting the value of "_cmp0" to the address in ESP.
Try something like this.
Code:
push eax
mov eax,[ESP+C]
mov [_cmp0],eax
pop eax
http://www.felixcloutier.com/x86/MOV.html
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4300
Posted: Sat Aug 11, 2018 5:54 pm
"mov" instructions move some source value into a destination. The source value can be stored in an address, in a register, or as an immediate, while the destination can only be an address or a register:
Code:
// mov destination,source
mov [addr],eax // address, register
mov [addr],5   // address, immediate
mov eax,[addr] // register, address
mov ecx,ebx    // register, register
mov edx,7      // register, immediate
For various reasons, you can't directly move the value at one address to another address. Also, it doesn't make sense to move any value into an immediate:
Code:
// these will fail
mov [addr1],[addr2] // can't directly move the value at one address to another address
mov 123,eax         // doesn't make sense; 123 doesn't specify a memory location
The latter reason is why your examples fail. _cmp0 is an integer that represents some location in memory. In order to clearly state it's a location in memory, you have to wrap it in square brackets:
Code:
_cmp0   - an integer value
[_cmp0] - a memory location
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Menoetius Cheater Reputation: 0
Joined: 01 Jul 2018 Posts: 29
Posted: Sun Aug 12, 2018 3:46 am
The way I'm discerning values is by viewing a certain offset in the stack. If I use something like "pop eax", will that load it into the esp stack and shift all values down by 4, requiring me to change the offset by 4 upon loading it into the value from the esp-stack?
Code:
push eax        // eax --> [esp+00], old [esp+00] --> [esp+04], etc.
mov eax,[ESP+C] // [ESP+0C] could now be [ESP+10]??
mov [var],eax   // eax possibly holds the old [ESP+10] instead of [ESP+0C]
pop eax         // eax <-- [esp+00], [esp+00] <-- [esp+04], etc.
I do not know if it works akin to fld, where the stack is fixed-size and it may accidentally shove off and lose pertinent values and/or change where the value is in the stack.
Thank you kindly so much for assisting me.
_________________
Big Gun
#1
Shoot the Hell Outta You
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Sun Aug 12, 2018 7:14 am
Yes, the PUSH pushes the value onto the stack, so you would need to adjust the offset from ESP; sorry, I didn't think about that. But you seem to have it figured out. You can also set a breakpoint and follow it to see exactly how this affects the stack, but you seem to already understand.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4300
Posted: Sun Aug 12, 2018 8:13 am
ESP will decrease by 4 in x86 (8 in x64) for every value pushed onto it. Adjust addresses accordingly.
The thread stack doesn't work like the FPU stack. The thread stack is stored in memory and will always "grow" downward. If there's an overflow, Windows will generate an exception.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
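Added example, not code from the thread, from Cheat Engine or from any of the posters: a small Python model of the operand rules ParkourPenguin lays out in his first reply and of the ESP shift discussed in the last three posts. It classifies each operand as register, memory or immediate, rejects an immediate destination and a memory-to-memory mov the way the assembler does, then replays the five lines from the opening post plus the suggested push/mov/mov/pop sequence twice, once with [ESP+C] and once with [ESP+10]. Everything in it is constructed: the stack pointer 0x0019FF00, the address 0x02000000 standing in for wherever globalalloc(_cmp0,$4) lands, the stack contents and the value in EAX. Memory is a dict of dwords, so overlapping or unaligned accesses are not represented, and only mov, push and pop exist.

```python
"""Toy model of the x86 mov/push/pop operand rules discussed in this thread (added example,
not Cheat Engine code). Flat 32-bit model; memory is a dict of dwords; numbers are hex, '#' decimal."""
import re

MASK32 = 0xFFFFFFFF
REGS32 = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")


class AsmError(ValueError):
    """Operand combination that x86 (and the auto-assembler) rejects."""


class Cpu:
    def __init__(self, symbols=None, esp=0x0019FF00):
        self.regs = {r: 0 for r in REGS32}
        self.regs["esp"] = esp                      # constructed stack pointer
        self.mem = {}                               # address -> dword
        self.symbols = {k.lower(): v for k, v in (symbols or {}).items()}  # name -> address (globalalloc)

    def _value(self, token):  # bare token: register contents, a symbol's address, or a number
        if token in self.regs:
            return self.regs[token]
        if token in self.symbols:
            return self.symbols[token]              # a bare symbol is just its address
        return int(token[1:], 10) if token.startswith("#") else int(token, 16)

    def _address(self, expr):
        total = 0                                   # expression inside [...]: terms joined by + or -
        for sign, term in re.findall(r"([+-]?)\s*([^+\-\s]+)", expr):
            v = self._value(term)
            total += -v if sign == "-" else v
        return total & MASK32

    def classify(self, operand):
        """Return ('reg', name), ('mem', address) or ('imm', value)."""
        op = operand.strip().lower()
        if op in self.regs:
            return "reg", op
        if op.startswith("[") and op.endswith("]"):
            return "mem", self._address(op[1:-1])
        return "imm", self._value(op) & MASK32

    def _read(self, kind, where):
        return self.regs[where] if kind == "reg" else self.mem.get(where, 0) if kind == "mem" else where

    def _write(self, kind, where, value, instr):
        if kind == "imm":
            raise AsmError(f"{instr}: destination {where:#x} is an immediate; wrap it in [] to address memory")
        (self.regs if kind == "reg" else self.mem)[where] = value & MASK32

    def mov(self, dst, src):
        instr = f"mov {dst},{src}"
        (dk, dw), (sk, sw) = self.classify(dst), self.classify(src)
        if dk == "mem" and sk == "mem":
            raise AsmError(f"{instr}: x86 has no memory-to-memory mov; go through a register")
        self._write(dk, dw, self._read(sk, sw), instr)

    def push(self, src):
        value = self._read(*self.classify(src))
        self.regs["esp"] = (self.regs["esp"] - 4) & MASK32   # stack grows down, 4 bytes per dword
        self.mem[self.regs["esp"]] = value

    def pop(self, dst):
        value = self.mem.get(self.regs["esp"], 0)
        self.regs["esp"] = (self.regs["esp"] + 4) & MASK32
        self._write(*self.classify(dst), value, f"pop {dst}")

    def execute(self, line):  # run one 'mov dst,src', 'push x' or 'pop x' line
        op, _, rest = line.strip().partition(" ")
        if op.lower() not in ("mov", "push", "pop"):
            raise AsmError(f"{line}: only mov/push/pop are modelled")
        return getattr(self, op.lower())(*[a for a in rest.split(",") if a.strip()])


def run_thread_examples():  # replay the thread's lines; return what each one did
    cpu = Cpu(symbols={"_cmp0": 0x02000000})    # pretend globalalloc(_cmp0,$4) landed here
    base = cpu.regs["esp"]
    for i, v in enumerate((0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x55555555)):
        cpu.mem[base + 4 * i] = v                   # constructed contents of [ESP+00]..[ESP+10]
    cpu.regs["eax"] = 0xAAAAAAAA
    outcome = {}
    for line in ("mov edx,[ESP+0C]", "mov _cmp0,[ESP+0C]", "mov _cmp0,esp",
                 "mov _cmp0,[esp]", "mov [_cmp0],esp", "mov [_cmp0],[ESP+0C]"):
        try:
            cpu.execute(line)
            outcome[line] = "ok"
        except AsmError as e:
            outcome[line] = "rejected: " + str(e)
    # The suggested push/mov/mov/pop sequence: unadjusted offset first, then offset + 4
    for offset in ("C", "10"):
        for line in ("push eax", f"mov eax,[ESP+{offset}]", "mov [_cmp0],eax", "pop eax"):
            cpu.execute(line)
        outcome[f"[_cmp0] after push + [ESP+{offset}]"] = cpu.mem[0x02000000]
    outcome["esp and eax restored"] = cpu.regs["esp"] == base and cpu.regs["eax"] == 0xAAAAAAAA
    return outcome


if __name__ == "__main__":
    print(*(f"{k}: {hex(v) if type(v) is int else v}" for k, v in run_thread_examples().items()), sep="\n")
```

Running it prints one outcome per line: the three bare `_cmp0` destinations and the memory-to-memory form are rejected, the two bracketed forms go through, the `[_cmp0] after push` entries show that the dword which sat at `[ESP+0C]` before the push only lands in `_cmp0` once the offset is bumped to `10`, and the last entry confirms that the pop put ESP and EAX back where they were.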