Cheat Engine Forum - The Official Site of Cheat Engine
Cheat Engine Forum Index -> General Gamehacking

Stopping an Address from being written to
Goto page 1, 2  Next
bismult (Cheater)
Posted: Sun Jan 14, 2024 7:35 pm    Post subject: Stopping an Address from being written to

How would you stop an instruction from writing to one address out of many listed under the "Find out what addresses this instruction accesses" menu?

For further clarity: This instruction (movdqu [rcx],xmm0) is constantly writing to hundreds of addresses, so I want it to stop writing to one out of those hundreds.
Dark Byte (Site Admin)
Posted: Sun Jan 14, 2024 7:57 pm

check if rcx is the specific address (cmp rcx,[addressthatholdstheaddresstoskip] ) and if so skip the write (je after)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
bismult (Cheater)
Posted: Sun Jan 14, 2024 8:41 pm

Dark Byte wrote:
check if rcx is the specific address (cmp rcx,[addressthatholdstheaddresstoskip] ) and if so skip the write (je after)


Doesn't seem to be working for me. Is the original code still being executed despite the je?

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,7FF8D1645C49)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
cmp rcx,[7FF8D4014700]
je returnhere

originalcode:
mov [rcx+r9*2],ax

exit:
jmp returnhere

7FF8D1645C49:
jmp newmem
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
7FF8D1645C49:
mov [rcx+r9*2],ax
//Alt: db 66 42 89 04 49
ParkourPenguin (I post too much)
Posted: Mon Jan 15, 2024 1:51 am

Edit: removing the square brackets won't work- I forgot there is no `cmp r/m64,imm64` instruction
If 7FF8D4014700 is the actual address you're checking and not a pointer to the address to check, remove the square brackets.
Such a script probably won't work the next time you launch the game- memory is randomly allocated.

And I'd use `je exit` instead of `je returnhere`, but either works.

_________________
I don't know where I'm going, but I'll figure it out when I get there.


Last edited by ParkourPenguin on Mon Jan 15, 2024 12:46 pm; edited 1 time in total
Dark Byte (Site Admin)
Posted: Mon Jan 15, 2024 2:11 am

cmp reg,imm64 doesn't exist; he has to alloc some memory first

so
Code:

alloc(addresstoskip,8)
addresstoskip:
dq 7FF8D4014700
...

cmp rcx,[addresstoskip]
je exit

also je has a limited range. Best to use je exit

bismult (Cheater)
Posted: Mon Jan 15, 2024 7:15 pm

Dark Byte wrote:
cmp reg,imm64 doesn't exist he has to alloc some memory first
[...]

This worked perfectly!
icebox616 (How do I cheat?)
Posted: Sun Sep 29, 2024 11:36 am

Sorry to bump this
I'm having the same issue.
I have this code: mov [eax+08],ecx at libIGMath.dll+231A3
that keeps writing to 008C7764. I also can't nop it out because the same code writes to many other addresses.


This is the code I came up with while following this and many other threads and tutorials and trying to piece this together, but without success. It just keeps on writing, but through my newly allocated address.
It's been driving me nuts for the past few days. Any help would be immensely appreciated.

Code:

[ENABLE]
alloc(newmem,2048,libIGMath.dll+231A3)
alloc(addresstoskip,8)
registersymbol(newmem)
registersymbol(addresstoskip)

addresstoskip:
  dq 008C7764

newmem: //this is allocated memory, you have read,write,execute access
cmp [eax+08],addresstoskip
je exit
mov [eax+08],ecx //OG code, disabling stops writing to ALL addresses making the game go haywire
ret 0004  //OG code, without it game crashes
jmp return  // without it game crashes


libIGMath.dll+231A3:
  jmp newmem
  nop
return:


[DISABLE]
libIGMath.dll+231A3:
mov [eax+08],ecx
ret 0004
dealloc(newmem)
dealloc(addresstoskip)
unregistersymbol(newmem)
unregistersymbol(addresstoskip)



Also tried variations such as
[eax+08],[addresstoskip]
[eax+08] addresstoskip and even
[eax+08], 008C7764
eax+08,[addresstoskip]

out of desperation.

I also just want to exclude 008C7764 from being written into like OP.

I can confirm:
EAX=008C775C
so EAX+08 (008C775C + 08 = 008C7764)
So at least that checks out


Last edited by icebox616 on Sun Sep 29, 2024 1:16 pm; edited 1 time in total
ParkourPenguin (I post too much)
Posted: Sun Sep 29, 2024 1:09 pm

`eax+08` is an address. `[eax+08]` is the value at that address.
Likewise, `addresstoskip` is the address of some memory CE allocated (i.e. not 008C7764). `[addresstoskip]` is the value at that address- in this case, that value is the address of something else (i.e. 008C7764).

`je exit` - there is no exit label in that script

`ret 0004` - this instruction is a little weird to have in an injection point, but you can make it work

You don't need the third parameter to alloc in 32-bit processes

If you don't want to do an aobscan, use the "Full Injection" template instead. Also don't remove the comment at the bottom of that template- that information is important

Given that's 32-bit code, you can compare `eax` against a 32-bit value directly
Code:
define(address,libIGMath.dll+231A3)
define(bytes,89 48 08 C2 04 00)

[ENABLE]
assert(address,bytes)
alloc(newmem,2048)
label(exit)

newmem:
  cmp eax,008C775C
  je exit
  mov [eax+08],ecx
exit:
  ret 0004

address:
  jmp newmem
  nop

[DISABLE]
address:
  db bytes

dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: libIGMath.dll+231A3
...
}
If you want a memory record to change the address from the address list:
Code:
define(address,libIGMath.dll+231A3)
define(bytes,89 48 08 C2 04 00)

[ENABLE]
assert(address,bytes)
alloc(newmem,2048)
alloc(addresstoskip,4)
label(exit)

addresstoskip:
  dd 008C775C

newmem:
  cmp [addresstoskip],eax
  je exit
  mov [eax+08],ecx
exit:
  ret 0004

address:
  jmp newmem
  nop

registersymbol(addresstoskip)

[DISABLE]
address:
  db bytes

unregistersymbol(addresstoskip)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: libIGMath.dll+231A3
...
}
Add address manually, address = addresstoskip, click + drag the new memrec onto the script memrec, right click script memrec -> Group config -> Hide children when deactivated
icebox616 (How do I cheat?)
Posted: Sun Sep 29, 2024 3:47 pm

ParkourPenguin wrote:
`eax+08` is an address. `[eax+08]` is the value at that address.
[...]
Given that's 32-bit code, you can compare `eax` against a 32-bit value directly
[...]


Thank you! Worked wonderfully.
I have a somewhat different question about which I'm struggling to find information.
It also connects somewhat to this scenario.

Still taking the address from before, "008C7764":
instead of isolating it so it stays set to my value,
I would like to take whatever value is normally being written to it (17.398754, 156.0927124, etc.) and apply a custom offset to it.

For example 30.
So that 30 will always be added to the received value.
So instead of resulting in 17.398754 or 156.0927124 it will result in 47.398754, 186.0927124, etc.

I figured I need to do this before the value reaches the address, or otherwise I'm going to have the same old problem where the value flickers.
But I still need to take into account that the code is writing to many other addresses as well. I want the increase to only be written for "008C7764".
ParkourPenguin (I post too much)
Posted: Sun Sep 29, 2024 7:40 pm

That might be a little dangerous- e.g. if a value is written to every frame even if it doesn't change.

In the instruction `mov [eax+08],ecx`, is the value being moved a float?
If so, this is fine:
Code:
alloc(addval,4)
...

addval:
  dd (float)30

newmem:
  cmp eax,008C775C
  jne exit

  // backup xmm0
  sub esp,10
  movups [esp],xmm0
 
  movd xmm0,ecx
  addss xmm0,[addval]
  movd ecx,xmm0

  // restore xmm0
  movups xmm0,[esp]
  add esp,10

exit:
  mov [eax+08],ecx
  ret 0004

icebox616 (How do I cheat?)
Posted: Sun Sep 29, 2024 9:47 pm

ParkourPenguin wrote:
In the instruction `mov [eax+08],ecx`, is the value being moved a float?


So from my understanding you're asking about "ecx"(?)
In the tab of the `mov [eax+08],ecx` instruction it says ECX=4215D9D0.
But weirdly enough when I go to that address it shows only `??`
The target address 008C7764 is definitely a float though.

Here's all the values of the instruction:
Code:

libIGMath.dll+231A3:
0322319D - 89 50 04  - mov [eax+04],edx
032231A0 - 8B 49 08  - mov ecx,[ecx+08]
032231A3 - 89 48 08  - mov [eax+08],ecx <<
032231A6 - C2 0400 - ret 0004
032231A9 - CC - int 3

EAX=008C775C
EBX=007BFB1C
ECX=4215D9D0
EDX=448194C6
ESI=008C775C
EDI=008C7750
ESP=0019F57C
EBP=00000000
EIP=032231A6


I tried the code:
Code:
define(address,libIGMath.dll+231A3)
define(bytes,89 48 08 C2 04 00)

[ENABLE]
assert(address,bytes)
alloc(addval,4)
alloc(newmem,2048)
label(exit)

addval:
  dd (float)30

newmem:
  cmp eax,008C775C
  jne exit

  // backup xmm0
  sub esp,10
  movups [esp],xmm0

  movd xmm0,ecx
  addss xmm0,[addval]
  movd ecx,xmm0

  // restore xmm0
  movups xmm0,[esp]
  add esp,10

exit:
  mov [eax+08],ecx
  ret 0004

address:
  jmp newmem
  nop

[DISABLE]
address:
  db bytes

dealloc(newmem)
dealloc(addval)


And while it seems to be doing something, the value within the 008C7764 address is flickering fast in between very different, much bigger numbers than what it should be at 37.4628+30.
There are no other instructions writing at this address.
ParkourPenguin (I post too much)
Posted: Sun Sep 29, 2024 11:23 pm

icebox616 wrote:
In the tab of the `mov [eax+08],ecx` instruction it says ECX=4215D9D0.
Yes, that's a float. 0x4215D9D0 when interpreted as a float is 37.46270752.

icebox616 wrote:
...the value within the 008C7764 address is flickering fast inbetween very different much bigger numbers than what it should be at 37.4628+30
How big are you talking about? If it's less than a few million, that's what I thought might happen.
That code might run even if the value doesn't change. In that case, the game should read the value, not modify it at all, then write it back; however, if your code injection always adds 30 to the value, then the value will change even when it wasn't supposed to.
Say that happens 60 times per second. In one second:
Code:
37.46270752 + 30 = 67.46270752
67.46270752 + 30 = 97.46270752
...
1807.462708 + 30 = 1837.462708

Maybe skip adding 30 if the value is left unmodified (i.e. [eax+08] == ecx).

Instead of adding a constant value every time it's written to (even if it doesn't change), you could multiply the difference by some amount

icebox616 (How do I cheat?)
Posted: Mon Sep 30, 2024 8:01 am

ParkourPenguin wrote:
[...]
Maybe skip adding 30 if the value is left unmodified (i.e. [eax+08] == ecx).

Instead of adding a constant value every time it's written to (even if it doesn't change), you could multiply the difference by some amount


Just tried with the added condition route, experimented with several variations, this is the closest I got but still not quite there:

Code:
define(address,libIGMath.dll+231A3)
define(bytes,89 48 08 C2 04 00)

[ENABLE]
assert(address,bytes)
alloc(addval,4)
alloc(newmem,2048)
label(exit)
label(trueexit)

addval:
  dd (float)30

newmem:

  cmp eax,008C775C//if true
  jne exit// go to exit and write to 008C7764 normally

  cmp [eax+08],ecx
  jne trueexit

  // backup xmm0
  sub esp,10
  movups [esp],xmm0

  //we get our updated ecx
  movd xmm0,ecx
  addss xmm0,[addval]
  movd ecx,xmm0

  // restore xmm0
  movups xmm0,[esp]
  add esp,10

exit://this never happens again after 1 time(?)
  mov [eax+08],ecx
  ret 0004

trueexit:
  ret 0004

address:
  jmp newmem
  nop

[DISABLE]
address:
  db bytes

dealloc(newmem)
dealloc(addval)


What happens with this iteration is that the 008C7764 gets correctly increased and set by 30 but then it never gets updated again.
It does however if I disable and re-enable the script. (But again only once)

My assumptions as to why this could be happening:
• either ecx stops being updated (shouldn't be the case)
• `exit` never happens again (how would that even be possible because of `cmp eax,008C775C` up above)
• `trueexit` always happens (unlikely? again just because of `cmp eax,008C775C`in the first place)

Another funny thing: if I activate/deactivate the script while looking at "find out what writes to this address" (008C7764), the game crashes.
Only when I make the switch though. If I have the script enabled and look there is nothing writing to the address. So makes me think even more that has something to do with `exit` just not happening after 1 time.
ParkourPenguin (I post too much)
Posted: Mon Sep 30, 2024 10:24 am

`jne trueexit` - `jne` means "jump if not equal"- i.e. jump if [eax+08] is not equal to ecx. That code adds 30 to the value if they are equal: that's the opposite of what I suggested. Since you're also skipping the write if they're different, the game won't be able to set any new value even if it wanted to.
You could try `je exit` instead (it doesn't matter whether or not the write is executed if they're already the same), but something is weird. If that code you just posted only adds 30 to the value once, then that means [eax+08] was equal to ecx only once too. Changing it also changed the value being written to it- some kind of recurrence relation perhaps.

What are the semantics of that value? Is it money? Health? Position / velocity? How does the game change it if you change it manually in the address list? What are you trying to do to it?

You could go to newmem (follow the jmp at libIGMath.dll+231A3) and set a breakpoint on the instruction after `cmp eax,008C775C` / `jne exit` to see what's going on.

icebox616 (How do I cheat?)
Posted: Tue Oct 01, 2024 9:01 am

ParkourPenguin wrote:
[...]
You could try `je exit` instead (it doesn't matter whether or not the write is executed if they're already the same), but something is weird. If that code you just posted only adds 30 to the value once, then that means [eax+08] was equal to ecx only once too. Changing it also changed the value being written to it- some kind of recurrence relation perhaps.

What are the semantics of that value? Is it money? Health? Position / velocity? How does the game change it if you change it manually in the address list? What are you trying to do to it?
[...]


Indeed, it seems the address might be using itself to calculate its new value.
That would make sense, given it's the camera's focus point.
What I'm trying to do is simply apply an offset to the focus of the camera. So, for example, instead of the character always appearing centered, I want the camera to focus on a point that is higher.

`je` didn't work, and after many different tests this is where I'm at:
first of all, I tried doing the injection a little higher up, so as to get rid of `ret 0004` and also include the line above, as I thought that would give me more leeway in what I can do.

Code:

define(address,"libIGMath.dll"+231A0)
define(bytes,8B 49 08 89 48 08)

[ENABLE]
assert(address,bytes)
alloc(addval,4)
alloc(offsetmem,2048)
alloc(targetaddress,4)
alloc(buffedaddress,4)
label(write)
registersymbol(buffedaddress)

addval:
  dd (float)30

targetaddress:
  dd 008C7764

offsetmem:
  cmp eax,008C775C//we cool to modify/write?
  je write//yes
  //no, business as usual then
  mov ecx,[ecx+08]
  mov [eax+08],ecx
  jmp return

write:
  mov ecx,[ecx+08]
//cmp [eax+08],ecx//doesn't help. jne instead just freezes the targetaddress at whatever value it was, not updating anymore. Meaning if I go up some stairs the camera will stay stuck looking downwards.
//je return
//if I increase ecx HERE targetaddress goes haywire up no matter what.
//Probably because it's increasing every frame `cmp eax,008C775C` is true.
//which happens more than once.

  //increase ecx
// backup xmm0
//sub esp,10
//movups [esp],xmm0
  //we get our increased ecx
//movd xmm0,ecx
//addss xmm0,[addval]
//movd ecx,xmm0
  // restore xmm0
//movups xmm0,[esp]
//add esp,10
//IMPORTANT NOTE: if I increase ecx HERE my custom buffedaddress which is set from ecx DIRECTLY (see below) ALSO goes haywire. (but with an offset)

  mov [eax+08],ecx//targetaddress (008C7764) gets set.
  //mov [eax+08],(float)30// this works in freezing the targetaddress without game going haywire

//INCREASE ecx. tried increasing ecx afterwards to see if it has any impact.
//it doesn't. Game functions as usual.

  // backup xmm0
  sub esp,10
  movups [esp],xmm0
  //we get our increased ecx
  movd xmm0,ecx
  addss xmm0,[addval]
  movd ecx,xmm0
  // restore xmm0
  movups xmm0,[esp]
  add esp,10

//tried assigning the increased ecx to my own buffedaddress. It works.
//I now have a new address that is always and constantly +30 above targetaddress.
  mov [buffedaddress],ecx
  jmp return

address:
  jmp offsetmem
  nop
return:

[DISABLE]
address:
  db bytes
  // mov ecx,[ecx+08]
  // mov [eax+08],ecx

// symbol/allocation names here match the [ENABLE] section
unregistersymbol(buffedaddress)
dealloc(offsetmem)
dealloc(addval)
dealloc(targetaddress)
dealloc(buffedaddress)

{
// ORIGINAL CODE - INJECTION POINT: 032B31A0

032B318C: CC           - int 3
032B318D: CC           - int 3
032B318E: CC           - int 3
032B318F: CC           - int 3
032B3190: 8B C1        - mov eax,ecx
032B3192: 8B 4C 24 04  - mov ecx,[esp+04]
032B3196: 8B 11        - mov edx,[ecx]
032B3198: 89 10        - mov [eax],edx
032B319A: 8B 51 04     - mov edx,[ecx+04]
032B319D: 89 50 04     - mov [eax+04],edx
// ---------- INJECTING HERE ----------
032B31A0: 8B 49 08     - mov ecx,[ecx+08]
// ---------- DONE INJECTING  ----------
032B31A3: 89 48 08     - mov [eax+08],ecx
032B31A6: C2 04 00     - ret 0004
032B31A9: CC           - int 3
032B31AA: CC           - int 3
032B31AB: CC           - int 3
032B31AC: CC           - int 3
032B31AD: CC           - int 3
032B31AE: CC           - int 3
032B31AF: CC           - int 3
032B31B0: 8B 54 24 08  - mov edx,[esp+08]
}




So at this point I figured what if instead of trying to change 008C7764 I just look at what code is accessing it and redirect it towards my new buffedaddress? Wouldn't that be easier at this point?

So in "find out what accesses this address" I have:
Code:

mov ecx,[ecx+08]//reading
mov [eax+08],ecx//writing
fld dword ptr [ecx+08]//reading
fsub dword ptr [eax+08]//reading


So of course the 2 "new" lines reading are also writing to countless others each. Presumably making the various calculations they need to based off the value of my target address of interest (008C7764)

in
fld dword ptr [ecx+08]
ECX=008C775C

while in
fsub dword ptr [eax+08]
EAX=008C775C

so as before eax+08 would check out to 008C7764

I tried replacing fsub dword ptr [eax+08] with fsub dword ptr [buffedaddress]. As you can see above I did register buffedaddress as a symbol in the previous code. Which I keep enabled so that my buffed address keeps getting updated.
but it won't let me compile.

How would I go about this?
Do you think doing it this way would actually be easier? I don't care that I have to do 2 more injections. to modify the other 2 accessing codes.

Edit: just realized `mov ecx,[ecx+08]` is the line above the one writing to the 008C7764. So it makes sense the increase goes haywire if we increase 008C7764. Because it basically references itself. So like you said a recurrence relation, if that's what you meant by it.

I have no idea how to go about this.
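The two problems worked through in this thread, filtering one destination address out of the hundreds a single instruction writes (the first half) and adding a constant offset to a value the game reads back to compute its next value (the second half), as one added model. This is example code written for this page, not code from the thread or from Cheat Engine. It models the pair `mov ecx,[ecx+08]` / `mov [eax+08],ecx` at libIGMath.dll+231A0/+231A3 writing into two objects, the reinterpretation of ECX=4215D9D0 as a float, and the hook variants that were tried: skip the write, `addss` on every write, add only when `[eax+08] != ecx`, and the separate +30 copy kept at `buffedaddress`. The object address 008C775C and the float constants come from the thread; the per-frame smoothing loop, its factor `k`, and the `OTHER`, `SRC` and `SHADOW` addresses are assumptions made for the model.

```python
import struct

# From the thread: EAX at the write is 008C775C, so [EAX+08] is 008C7764.
OBJ = 0x008C775C
FOCUS_Z = OBJ + 8
# Constructed stand-ins (assumptions): a second object the same instruction
# writes, the vector the game copies from, and CE's allocated "buffedaddress".
OTHER = 0x007BFB1C
SRC = 0x0019F500
SHADOW = 0x10000000
ADDVAL = 30.0


def to_f32(bits):
    """Interpret a 32-bit register value as an IEEE-754 single (CE's float view)."""
    return struct.unpack("<f", struct.pack("<I", bits))[0]


def to_bits(x):
    """Round a Python float to single precision and return its 32-bit pattern."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def addss(reg_bits, x):
    """movd xmm0,ecx / addss xmm0,[addval] / movd ecx,xmm0, with float32 rounding."""
    return to_bits(to_f32(reg_bits) + x)


def copy_z(mem, eax, src, hook):
    """mov ecx,[ecx+08] ; mov [eax+08],ecx (libIGMath.dll+231A0 / +231A3).
    `hook` plays the injected code: it receives the value in ecx and returns
    what to store, or None to skip the store entirely."""
    ecx = mem[src + 8]
    ecx = hook(mem, eax, ecx)
    if ecx is not None:
        mem[eax + 8] = ecx


def hook_none(mem, eax, ecx):
    return ecx


def hook_skip(mem, eax, ecx):
    """First half of the thread: cmp eax,008C775C / je exit skips only that write."""
    return None if eax == OBJ else ecx


def hook_always_add(mem, eax, ecx):
    """First offset attempt: +30 on every write to the focus object."""
    return addss(ecx, ADDVAL) if eax == OBJ else ecx


def hook_add_if_changed(mem, eax, ecx):
    """cmp [eax+08],ecx / je exit: add only when the game is storing a new value."""
    if eax == OBJ and mem[eax + 8] != ecx:
        return addss(ecx, ADDVAL)
    return ecx


def hook_shadow(mem, eax, ecx):
    """Last script in the thread: store the game's value unchanged and keep
    value+30 at a separate address the game never reads back."""
    if eax == OBJ:
        mem[SHADOW] = addss(ecx, ADDVAL)
    return ecx


def run(hook, frames=240, desired=17.398754, k=0.25):
    """Assumed game loop: the next focus is smoothed from the CURRENT stored
    focus (the recurrence suspected in the thread), then copied in. The same
    instruction also copies into OTHER, which must stay untouched."""
    mem = {FOCUS_Z: 0x4215D9D0, OTHER + 8: to_bits(0.0), SRC + 8: 0, SHADOW: 0}
    for _ in range(frames):
        cur = to_f32(mem[FOCUS_Z])
        mem[SRC + 8] = to_bits(cur + k * (desired - cur))   # reads the value back
        copy_z(mem, OBJ, SRC, hook)
        mem[SRC + 8] = to_bits(156.0927124)                  # unrelated object
        copy_z(mem, OTHER, SRC, hook)
    return {"focus": to_f32(mem[FOCUS_Z]),
            "shadow": to_f32(mem[SHADOW]),
            "other": to_f32(mem[OTHER + 8])}


if __name__ == "__main__":
    print("ECX=4215D9D0 as float:", to_f32(0x4215D9D0))
    for h in (hook_none, hook_skip, hook_always_add, hook_add_if_changed, hook_shadow):
        print(f"{h.__name__:20s} {run(h)}")
```

In this model the `addss` sequence itself is fine; the trouble is that the +30 is stored into the very location the game smooths from on the next frame, so the stored value settles at `desired + 30/k` instead of `desired + 30`, and "add only if changed" does not help because a value that is being smoothed changes every frame. Keeping the offset copy at a separate address (or redirecting the readers such as `fsub dword ptr [eax+08]` to it) breaks that feedback, which is why that variant stays a stable +30 above the real focus while the other objects written by the same instruction are untouched.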
Page 1 of 2 (Goto page 1, 2  Next)
All times are GMT - 6 Hours