sir-gunny Advanced Cheater Reputation: 0
Joined: 15 Mar 2012 Posts: 80
Posted: Thu Dec 02, 2021 10:35 am Post subject: How can I get the address of a call at Auto Assembler?
Hi.
Is there an easier way to do something like this?
Code:
[ENABLE]
aobscan(memTestMemory,E8 ?? ?? ?? ?? 83 C4 10 85 C0 75 ?? 39 1B C6 43 ?? ?? 39 36 8B 46 ?? 83 EC ?? 50)
registerSymbol(memTestMemory)
LuaCall(registerSymbol("memTestMemory2",string.format("0x%08X",getAddressSafe("[memTestMemory+1]+5")+getAddressSafe("memTestMemory")-0x100000000)))
//[memTestMemory+1]: How can I get the called address in ASM? The ASM code at the called address is not unique.
memTestMemory2: //04B9F268:
db c3
[DISABLE]
memTestMemory2: //04B9F268:
db 55
unregisterSymbol(memTestMemory2)
unregisterSymbol(memTestMemory)
The original ASM:
Code:
0A530BF4 - E8 6FE666FA - call 04B9F268
0A530BF9 - 83 C4 10 - add esp,10 { 16 }
0A530BFC - 85 C0 - test eax,eax
0A530BFE - 75 21 - jne 0A530C21
0A530C00 - 39 1B - cmp [ebx],ebx
0A530C02 - C6 43 28 00 - mov byte ptr [ebx+28],00 { 0 }
0A530C06 - 39 36 - cmp [esi],esi
0A530C08 - 8B 46 0C - mov eax,[esi+0C]
0A530C0B - 83 EC 08 - sub esp,08 { 8 }
0A530C0E - 50 - push eax
EDIT: Nopping the call is not an option; the function is called multiple times from somewhere else.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4300
Posted: Thu Dec 02, 2021 1:16 pm Post subject:
Code:
[ENABLE]
{$lua}
if syntaxcheck then return 'define(memTestMemory,0)' end
local results = AOBScan('E8 ?? ?? ?? ?? 83 C4 10 85 C0 75 ?? 39 1B C6 43 ?? ?? 39 36 8B 46 ?? 83 EC ?? 50', '+X-C-W')
assert(results, 'No results found')
local caller = getAddress(results[0])
results.destroy()
-- NOTE: the operand to the CALL (E8) instruction is a signed 32-bit displacement from EIP (next instruction)
local moffs = (readInteger(caller + 1) + caller + 5) & 0xFFFFFFFF
-- sanity check: the call target must start with 55 (push ebp), the byte the [DISABLE] section restores
assert(readBytes(moffs, 1) == 0x55, 'Unexpected first byte at call target')
return ('define(memTestMemory,%08X)'):format(moffs)
{$asm}
registerSymbol(memTestMemory)
memTestMemory:
db c3
[DISABLE]
memTestMemory:
db 55
unregisterSymbol(memTestMemory)
Csimbi I post too much Reputation: 94
Joined: 14 Jul 2007 Posts: 3110
Posted: Thu Dec 02, 2021 2:05 pm Post subject:
Why do you need the address itself?
Is that because you'd like to call it from a different location?
sir-gunny Advanced Cheater Reputation: 0
Joined: 15 Mar 2012 Posts: 80
Posted: Fri Dec 03, 2021 4:19 am Post subject:
@ParkourPenguin:
Thanks, I'll test it when I'm at home.
@Csimbi:
No, the function is called by many other functions. I would like the function to never be executed. I think I have two options: nop all calls, if I can find them all, or force a return at the first line of the called code. The second seems easier to me.
panraven Grandmaster Cheater Reputation: 55
Joined: 01 Oct 2008 Posts: 942
Posted: Fri Dec 03, 2021 4:34 am Post subject:
CE 7.1+ has pointer typecasts, which can compute the call target address from the caller's IP-relative offset (the 4 bytes after E8). (LONG) is for a signed 4-byte integer.
Code:
[ENABLE]
unregisterSymbol(memTestMemory)
aobscan(memTestMemory,E8 ?? ?? ?? ?? 83 ...)
registerSymbol(memTestMemory)
/// -- ip offset -- -- ip base --
(LONG)[memTestMemory+1]+memTestMemory+5:
db c3
[DISABLE]
(LONG)[memTestMemory+1]+memTestMemory+5:
db 55
It will give a syntax check error, as the scan is not done during checking, but it should work on actual execution.
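The decoding that both ParkourPenguin's Lua block and panraven's (LONG) typecast perform, written out as an added Python example (not code from the thread or from Cheat Engine): a wildcard AOB scan over a constructed byte buffer containing the bytes from the disassembly above, followed by resolving the E8 rel32 CALL to its target. The base address 0x0A530BF0 and the four leading NOPs are assumptions made to build the sample.

```python
import struct
from typing import List, Optional


def parse_aob(pattern: str) -> List[Optional[int]]:
    """Parse a Cheat Engine style AOB string; '??' becomes None (wildcard)."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def aob_scan(mem: bytes, pattern: str) -> Optional[int]:
    """Offset of the first match of the pattern inside mem, or None (like aobscan)."""
    pat = parse_aob(pattern)
    for i in range(len(mem) - len(pat) + 1):
        if all(p is None or mem[i + j] == p for j, p in enumerate(pat)):
            return i
    return None


def call_target(mem: bytes, base: int, off: int) -> int:
    """Destination of the 5-byte E8 rel32 CALL at mem[off], with mem loaded at base.

    rel32 is a signed displacement relative to the next instruction (EIP + 5) and
    the sum wraps at 32 bits; this is what the (LONG) typecast and the
    '& 0xFFFFFFFF' in the Lua version take care of."""
    if mem[off] != 0xE8:
        raise ValueError("not a rel32 CALL at offset 0x%X" % off)
    (disp,) = struct.unpack_from("<i", mem, off + 1)  # little-endian signed int32
    return (base + off + 5 + disp) & 0xFFFFFFFF


# Constructed sample: the bytes from the thread's disassembly (0A530BF4..0A530C0E),
# preceded by four NOPs so the scan has to locate the call instead of assuming offset 0.
SAMPLE_BASE = 0x0A530BF0  # assumed load address of the sample buffer
SAMPLE_MEM = bytes.fromhex(
    "90909090"
    "E86FE666FA" "83C410" "85C0" "7521" "391B" "C6432800" "3936" "8B460C" "83EC08" "50"
)
PATTERN = "E8 ?? ?? ?? ?? 83 C4 10 85 C0 75 ?? 39 1B C6 43 ?? ?? 39 36 8B 46 ?? 83 EC ?? 50"


def resolve_sample() -> int:
    """Scan the sample buffer for the pattern and return the resolved call target."""
    off = aob_scan(SAMPLE_MEM, PATTERN)
    if off is None:
        raise RuntimeError("No results found")
    return call_target(SAMPLE_MEM, SAMPLE_BASE, off)


if __name__ == "__main__":
    print("call target: %08X" % resolve_sample())  # 04B9F268, as in the thread
```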
sir-gunny Advanced Cheater Reputation: 0
Joined: 15 Mar 2012 Posts: 80
Posted: Fri Dec 03, 2021 12:33 pm Post subject:
@ParkourPenguin:
It works fine. I just had to include writable memory in the scan. THX
@panraven:
I still use CE 6.8.3 (never change a winning team). But this is a good argument for the latest CE.
Csimbi I post too much Reputation: 94
Joined: 14 Jul 2007 Posts: 3110
Posted: Sat Dec 04, 2021 12:00 pm Post subject:
sir-gunny wrote:
@Csimbi:
No, the function is called by many other functions. I would like the function to never be executed. I think I have two options: nop all calls, if I can find them all, or force a return at the first line of the called code. The second seems easier to me.
Indeed.
That is the most reliable choice, too.
sir-gunny wrote:
@panraven:
I still use CE 6.8.3 (never change a winning team). But this is a good argument for the latest CE.
Actually, use 7.2 instead of 7.3.
7.3 has many issues.
7.4 was supposed to come in November - it never did.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25296 Location: The netherlands
Posted: Sat Dec 04, 2021 1:03 pm Post subject:
Csimbi wrote:
7.4 was supposed to come in November - it never did.
I don't recall ever saying November.
I did tell someone December, but not November.
Csimbi I post too much Reputation: 94
Joined: 14 Jul 2007 Posts: 3110
Posted: Sat Dec 04, 2021 6:25 pm Post subject:
Dark Byte wrote:
I don't recall ever saying November.
I did tell someone December, but not November.
I stand corrected!
I must have misinterpreted something.
Maybe that was for the 7.3.x public release.
Anyway, I am sorry about that!