escameno Newbie cheater Reputation: 0
Joined: 01 Oct 2019 Posts: 10
Posted: Wed Aug 26, 2020 7:24 pm Post subject: [C++] Making a standalone exe to resolve memory address
Hi, everyone.
I'm trying to make a standalone executable in order to attach to the target process, do an AOB scan and access the resulting address.
For example: let's say the AOB scan returns the address of the following instruction in memory:
Code:
    movzx eax, word ptr [eax + OFFSET]
Now, in order to resolve the address accessed by this instruction, I need to retrieve EAX value. I can only do that by attaching a debugger, setting a breakpoint to the instruction address and reading EAX, right?
Is there a better way to do this?
Currently, I have a program which attaches to the process, reads its memory (using ReadProcessMemory), and does the AOB scan, returning the instruction address.
I'm just curious to know if creating a custom debugger is the best way of doing it. If it is, is there any resource where I can learn how to create one (via Windows API or even VEH)?
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8516 Location: 127.0.0.1
Posted: Wed Aug 26, 2020 7:46 pm
You do not need to use any means of debugging to do this. You can just inject a code-cave to jump to another location in memory, store EAX's value in a location you create and jump back.
You can also see if EAX is set in a static manner somewhere else like:
mov eax, [theapp.exe+1234ABC]
or similar style things and read the pointer that way.
_________________
- Retired.
escameno Newbie cheater Reputation: 0
Joined: 01 Oct 2019 Posts: 10
Posted: Thu Aug 27, 2020 8:11 pm
atom0s wrote:
    You do not need to use any means of debugging to do this. You can just inject a code-cave to jump to another location in memory, store EAX's value in a location you create and jump back.
    You can also see if EAX is set in a static manner somewhere else like:
    mov eax, [theapp.exe+1234ABC]
    or similar style things and read the pointer that way.
Well, I don't think EAX is being loaded statically. I can do a little more research into this, but I liked the code cave solution. I had never heard this term before, and now after some tries I'm struggling a bit.
I can't find a suitable address, both in terms of space and proximity, to jump to.
I have some problems:
- I tried using the JMP relative instruction, but I think the addresses I got are a bit too far.
- I tried using the JMP far, but I don't quite understand its syntax, and I think I got it wrong because the game keeps on crashing when the modified code is executed.
- I thought about using the base of the module, which has a lot of zeroed-out memory, as the codecave. I managed to write to this memory location without trouble, but is it a good address?
- I read about VirtualAllocEx. Maybe using it with the CALL instruction is the way to go?
escameno Newbie cheater Reputation: 0
Joined: 01 Oct 2019 Posts: 10
Posted: Sat Aug 29, 2020 3:21 pm
Just to update, I finally got my codecave to work using jumps. I think there were some errors in my address calculations.
I didn't try with VirtualAllocEx just yet, but I think it's not difficult to make it work. Is it?
But thanks atom0s for pointing me in the right direction!
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8516 Location: 127.0.0.1
Posted: Sun Aug 30, 2020 6:00 pm
VirtualAllocEx is only needed if you are doing things externally and need to allocate some memory in the remote process for your code cave.
_________________
- Retired.