Author: tux (How do I cheat?, Reputation: 0, Joined: 10 Oct 2019, Posts: 2)
Posted: Thu Oct 10, 2019 12:39 pm
Post subject: Restore the working process state of the disassembled code
Hi all. First of all, sorry for my bad English.
My goal is to reverse engineer the logic of some function. First, I found the function I needed. Then I did a lot of work to investigate the logic of the function. I created many comments in the disassembled code. I dissected several data structures and defined them. Finally I saved a cheat table for the target binary in order to continue my work later. After a while I loaded the saved cheat table and I received a valid state of my "addresslist", and everything was fine with my defined data structures, but I lost all the work I did with the disassembled code. Of course I understand that each time I run the executable, the process memory regions have different allocation addresses, but the relative offset of the function in the .text segment should be constant.
Can someone explain to me how I can achieve my goal? I need some ability to save the current state of my job to be able to restore it in the future, because it is difficult to achieve the goal in "one session". Maybe there is some kind of documentation link?
Thank you in advance.
Author: OldCheatEngineUser (Whateven rank, Reputation: 20, Joined: 01 Feb 2016, Posts: 1587)
Posted: Thu Oct 10, 2019 1:20 pm
Post subject: Re: Restore the working process state of the disassembled code
tux wrote:
    Of course I understand that each time I run the executable, the process memory regions have different allocation addresses, but the relative offset of the function in the .text segment should be constant.
    Can someone explain to me how I can achieve my goal?
RVAs don't change, but the image base address can change (aka hinstance), and what causes that is image relocation.
A nice trick is to remove the relocation flag from the Characteristics of the NT header by XORing it by 1 or subtracting 1 from it (in case you want to do it manually using a hex editor; it's a 2-byte value), and there is no need to remove the relocation section (.reloc). There is a good tool called "CFF Explorer" and it's free.
Another fact (using CE): you can always jump to the desired code even if the image is relocatable. Go to the disassembly window, hit CTRL-G and type "your-module-name.exe+XXXXX", where XXXXX is the offset from the image base.
Also, you didn't mention if it's a clean binary or byte-code. If it's byte-code then these little things won't help (and the only option is to decompile those byte-code instructions and modify the code).
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: i am a sweetheart.
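As an added example (not code from this thread or from Cheat Engine) illustrating the two points in the reply above: the NT-header fields that decide whether the image base moves between runs, and rewriting a runtime address into the "module+offset" form that survives relocation. The PE bytes are a constructed header stub and the module name is a placeholder.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001            # FileHeader.Characteristics: no .reloc, base is fixed
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # OptionalHeader.DllCharacteristics: image opts in to ASLR

def pe_relocation_info(data: bytes) -> dict:
    """Read the header fields that decide whether the loader may move the image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                         # IMAGE_FILE_HEADER follows the signature
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                             # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                          # PE32+: 8-byte ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                        # PE32: 4-byte ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    return {
        "image_base": image_base,
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }

def module_offset(va: int, runtime_base: int, module: str = "module-name.exe") -> str:
    """Rewrite a runtime address as the CTRL-G form 'module+offset'; the offset is the RVA."""
    if va < runtime_base:
        raise ValueError("address is below the module base")
    return f"{module}+{va - runtime_base:X}"

def build_sample_pe(characteristics: int, dll_chars: int, image_base: int) -> bytes:
    """Constructed PE32+ header stub (no sections) so the parser can be exercised offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew: NT headers start right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Run `pe_relocation_info` on a real executable's bytes to see whether its base can move; an image with DYNAMIC_BASE set is the case where only the "module+offset" form stays valid across runs.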
Author: tux (How do I cheat?, Reputation: 0, Joined: 10 Oct 2019, Posts: 2)
Posted: Thu Oct 10, 2019 1:50 pm
Thank you very much for the help.
I have another question. When I find some instruction and open it in the Memory Viewer window, I do not see the module name where this instruction comes from. Do I have the ability to find out which module contains this instruction?
Update:
I think this is due to JIT compilation.
Of course, Memory Viewer -> View -> Show Module addresses is activated.
Author: OldCheatEngineUser (Whateven rank, Reputation: 20, Joined: 01 Feb 2016, Posts: 1587)
Posted: Fri Oct 11, 2019 1:42 am
JIT compilation is for byte-code. You can find a decompiler or, if you wish, use CE's AA (auto assembler) to find the code using a script.
Code:
[enable]
// aobscanmodule(name, module, bytes) restricts the scan to one module;
// the plain aobscan(name, bytes) form takes no module argument
aobscanmodule(somename,module-name.exe,00 11 22 33 44 55 66 77 88 99)
registersymbol(somename)
// somename is any symbol you wanna give
// module-name.exe is the module (process executable) name
// 00 11 22 ... are the bytes of the instructions; replace them with the real ones
[disable]
unregistersymbol(somename)
Then enable it, go to the disassembly view, hit CTRL-G and type "somename". I think it's also possible to find a pointer to your desired function (you can try).