Cheat Engine Forum - The Official Site of Cheat Engine


[C++] Making a standalone exe to resolve memory address

escameno
Newbie cheater
Reputation: 0

Joined: 01 Oct 2019
Posts: 10

Posted: Wed Aug 26, 2020 7:24 pm    Post subject: [C++] Making a standalone exe to resolve memory address

Hi, everyone.

I'm trying to make a standalone executable in order to attach to the target process, do an AOB scan and access the resulting address.

For example: let's say the AOB scan returns the address of the following instruction in memory:

Code:
movzx eax, word ptr [eax + OFFSET]


Now, in order to resolve the address accessed by this instruction, I need to retrieve EAX value. I can only do that by attaching a debugger, setting a breakpoint to the instruction address and reading EAX, right?

Is there a better way to do this?

Currently, I have a program which attaches to the process, reads its memory (using ReadProcessMemory), and does the AOB scan, returning the instruction address.

I'm just curious to know if creating a custom debugger is the best way of doing it. If it is, is there any resource where I can learn how to create one (via Windows API or even VEH)?
atom0s
Moderator
Reputation: 160

Joined: 25 Jan 2006
Posts: 8160
Location: 127.0.0.1

Posted: Wed Aug 26, 2020 7:46 pm

You do not need to use any means of debugging to do this. You can just inject a code-cave to jump to another location in memory, store EAX's value in a location you create and jump back.

You can also see if EAX is set in a static manner somewhere else like:
mov eax, [theapp.exe+1234ABC]

or similar style things and read the pointer that way.

_________________
- Retired.
escameno
Newbie cheater
Reputation: 0

Joined: 01 Oct 2019
Posts: 10

Posted: Thu Aug 27, 2020 8:11 pm

atom0s wrote:
You do not need to use any means of debugging to do this. You can just inject a code-cave to jump to another location in memory, store EAX's value in a location you create and jump back.

You can also see if EAX is set in a static manner somewhere else like:
mov eax, [theapp.exe+1234ABC]

or similar style things and read the pointer that way.


Well, I don't think EAX is being loaded statically. I can do a little more research into this, but I liked the code cave solution. I had never heard this term before, and now after some tries I'm struggling a bit.

I can't find a suitable address, both in terms of space and proximity, to jump to.

I have some problems:
- I tried using the JMP relative instruction, but I think the addresses I got are a bit too far.
- I tried using the JMP far, but I don't quite understand its syntax, and I think I got it wrong because the game keeps on crashing when the modified code is executed.
- I thought about using the base of the module, which has a lot of zeroed-out memory, as the code cave. I managed to write to this memory location without trouble, but is it a good address?
- I read about VirtualAllocEx. Maybe using it with the CALL instruction is the way to go?
escameno
Newbie cheater
Reputation: 0

Joined: 01 Oct 2019
Posts: 10

Posted: Sat Aug 29, 2020 3:21 pm

Just to update, I finally got my code cave to work using jumps. I think there were some errors in my address calculations.

I didn't try with VirtualAllocEx just yet, but I think it's not difficult to make it work. Is it?

But thanks atom0s for pointing me in the right direction!
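Added example (not code from the thread or from Cheat Engine) covering the two mechanics discussed above: the wildcard AOB scan from the first post, and the relative-jump address calculation that caused the "too far" and crash problems in the later posts. The buffer and addresses are constructed; the instruction encoding assumed is the standard one (0F B7 80 disp32 for movzx eax, word ptr [eax+disp32], E9 rel32 for a near jmp).

```cpp
#include <cstdint>
#include <string>
#include <vector>

// One pattern byte: a concrete value or a "??" wildcard.
struct PatByte { uint8_t value; bool wildcard; };

// Parse a Cheat Engine style AOB string such as "0F B7 80 ?? ?? ?? ??".
std::vector<PatByte> parse_aob(const std::string& s) {
    std::vector<PatByte> out;
    for (size_t i = 0; i < s.size();) {
        if (s[i] == ' ') { ++i; continue; }
        std::string tok = s.substr(i, 2);
        i += 2;
        if (tok == "??") out.push_back({0, true});
        else out.push_back({(uint8_t)std::stoul(tok, nullptr, 16), false});
    }
    return out;
}

// Offset of the first match of pat inside buf, or -1 if there is none.
long aob_scan(const std::vector<uint8_t>& buf, const std::vector<PatByte>& pat) {
    if (pat.empty() || pat.size() > buf.size()) return -1;
    for (size_t i = 0; i + pat.size() <= buf.size(); ++i) {
        size_t j = 0;
        while (j < pat.size() && (pat[j].wildcard || buf[i + j] == pat[j].value)) ++j;
        if (j == pat.size()) return (long)i;
    }
    return -1;
}

// Little-endian disp32 (the OFFSET) after the 3 opcode/ModRM bytes of the movzx match.
uint32_t disp32_at(const std::vector<uint8_t>& buf, size_t off) {
    uint32_t d = 0;
    for (int i = 0; i < 4; ++i) d |= (uint32_t)buf[off + 3 + i] << (8 * i);
    return d;
}

// rel32 for a 5-byte "E9" jmp is target - (jmp_addr + 5); false if beyond +/-2 GiB reach.
bool jmp_rel32(uint64_t jmp_addr, uint64_t target, int32_t& disp) {
    int64_t d = (int64_t)target - (int64_t)(jmp_addr + 5);
    if (d < INT32_MIN || d > INT32_MAX) return false;
    disp = (int32_t)d;
    return true;
}

// Encode the jmp as bytes (E9 + little-endian rel32); an empty vector means unreachable.
std::vector<uint8_t> encode_jmp(uint64_t jmp_addr, uint64_t target) {
    int32_t disp;
    if (!jmp_rel32(jmp_addr, target, disp)) return {};
    std::vector<uint8_t> b = {0xE9};
    for (int i = 0; i < 4; ++i) b.push_back((uint8_t)((uint32_t)disp >> (8 * i)));
    return b;
}
// Constructed sample: nop, nop, mov eax,ecx, movzx eax,word ptr [eax+0x210], ret.
const std::vector<uint8_t> kSample = {0x90, 0x90, 0x8B, 0xC1, 0x0F, 0xB7, 0x80, 0x10, 0x02, 0x00, 0x00, 0xC3};
```

The reach check is the part a relative JMP needs before writing it: when it fails, a 5-byte near jump cannot be used and a cave closer to the patched instruction (or a different transfer form) is required.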
atom0s
Moderator
Reputation: 160

Joined: 25 Jan 2006
Posts: 8160
Location: 127.0.0.1

Posted: Sun Aug 30, 2020 6:00 pm

VirtualAllocEx is only needed if you are doing things externally and need to allocate some memory in the remote process for your code cave.
_________________
- Retired.