| View previous topic :: View next topic |
| Author |
Message |
dnsi0
I post too much
![]() Reputation: 0
Joined: 04 Jan 2007
Posts: 2674
|
 Posted: Sun Sep 21, 2008 1:46 pm Post subject: Getting Eax At a location??? |
 |
|
I have tryed using a codecave to do this but it gives a different value.
I just need a method to do this doesn't matter if its with ce or coding.
What Ive tryed.
At the place insert a jump to a codecave.
then use mov [wherethebytesarelocated],eax
all the instructions that were erased by the jump
jmp back to the code.
What i got outa this was very different that what the pointer scan gave. |
|
| Back to top |
|
 |
HalfPrime
Grandmaster Cheater
![]() Reputation: 0
Joined: 12 Mar 2008
Posts: 532
Location: Right there...On your monitor
|
| Posted: Sun Sep 21, 2008 3:18 pm Post subject: |
|
|
open up memory viewin in CE, select line and hit F5(toggle breakpoint) get that peice of code executed and look on the right of the memory viewer. it will have all the registers, etc.
_________________
|
|
| Back to top |
|
|
Slugsnack
Grandmaster Cheater Supreme
![]() Reputation: 71
Joined: 24 Jan 2007
Posts: 1857
|
| Posted: Mon Sep 22, 2008 3:36 am Post subject: |
|
|
You somehow fucked up on your codecave then because the only instructions to codecave are JMP(s) (depending on how many bytes you feel like overwriting for near or far).
What do you mean [wherethebytesarelocated] ? The contents of those square brackets should be a pointer to a 4 byte buffer that you have.
There was a similar question asked further down the page already :
http://forum.cheatengine.org/viewtopic.php?t=287482 |
|
| Back to top |
|
|
pkedpker
Master Cheater
![]() Reputation: 1
Joined: 11 Oct 2006
Posts: 412
|
| Posted: Tue Sep 23, 2008 12:58 am Post subject: |
|
|
do a memcpy or WPM (writeprocessmemory).
change
addressToCodeCave = (DWORD)codeCave;
ADDRESS BEOFRE Where codecave is now
DWORD OriAddress = 0xADDRESS_ORIGINAL;
| Code: |
void __declspec( naked ) codeCave(void) {
__asm {
PUSHAD
PUSHFD
PUSH EAX//here is your EAX...
call DeTour //call a detour function to get values
POPFD //fix registers
POPAD //fix registers
call OriAddress //go back to the original function
}
}
int WINAPI DeTour(int EAXX) { //the detour
printf("MY EAX IS = %d\n", EAXX);
}
|
it will work 100%..
if it doesn't then you gotta use VirtualProtect() .
_________________
|
|
| Back to top |
|
|
Symbol
I'm a spammer
![]() Reputation: 0
Joined: 18 Apr 2007
Posts: 5094
Location: Israel.
|
| Posted: Tue Sep 23, 2008 6:10 am Post subject: |
|
|
| You should return to the original address, not call it. |
|
| Back to top |
|
|
rapion124
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Mar 2007
Posts: 1095
|
| Posted: Tue Sep 23, 2008 12:34 pm Post subject: |
|
|
| Code: |
void __declspec(naked) GetEaxDetour(void)
{
__asm
{
mov [1337C0DE], eax //Replace with allocated memory
retn
}
}
OriginalAddress: call dword ptr [&GetEaxDetour]
//This only works if there's only 1 call. The previous value will be //overwritten in the next call.
|
|
|
| Back to top |
|
|
&Vage
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Jul 2008
Posts: 1053
|
| Posted: Tue Sep 23, 2008 2:24 pm Post subject: |
|
|
lolwat db ?
| Code: |
push eax
mov eax, address
mov [lolwat], eax
pop eax |
|
|
| Back to top |
|
|
dnsi0
I post too much
![]() Reputation: 0
Joined: 04 Jan 2007
Posts: 2674
|
| Posted: Tue Sep 23, 2008 4:48 pm Post subject: |
|
|
| rapion124 wrote: | | Code: |
void __declspec(naked) GetEaxDetour(void)
{
__asm
{
mov [1337C0DE], eax //Replace with allocated memory
retn
}
}
OriginalAddress: call dword ptr [&GetEaxDetour]
//This only works if there's only 1 call. The previous value will be //overwritten in the next call.
|
|
I though u need to push eax or it fcks up the entire code... |
|
| Back to top |
|
|
sponge
I'm a spammer
 Reputation: 1
Joined: 07 Nov 2006
Posts: 6009
|
| Posted: Tue Sep 23, 2008 4:54 pm Post subject: |
|
|
| dnsi0 wrote: | | rapion124 wrote: | | Code: |
void __declspec(naked) GetEaxDetour(void)
{
__asm
{
mov [1337C0DE], eax //Replace with allocated memory
retn
}
}
OriginalAddress: call dword ptr [&GetEaxDetour]
//This only works if there's only 1 call. The previous value will be //overwritten in the next call.
|
|
I though u need to push eax or it fcks up the entire code... |
He's not even modifying eax. 
_________________
|
|
| Back to top |
|
|
Noz3001
I'm a spammer
 Reputation: 26
Joined: 29 May 2006
Posts: 6220
Location: /dev/null
|
| Posted: Tue Sep 23, 2008 5:16 pm Post subject: |
|
|
| pkedpker wrote: | do a memcpy or WPM (writeprocessmemory).
change
addressToCodeCave = (DWORD)codeCave;
ADDRESS BEOFRE Where codecave is now
DWORD OriAddress = 0xADDRESS_ORIGINAL;
| Code: |
void __declspec( naked ) codeCave(void) {
__asm {
PUSHAD
PUSHFD
PUSH EAX//here is your EAX...
call DeTour //call a detour function to get values
POPFD //fix registers
POPAD //fix registers
call OriAddress //go back to the original function
}
}
int WINAPI DeTour(int EAXX) { //the detour
printf("MY EAX IS = %d\n", EAXX);
}
|
it will work 100%..
if it doesn't then you gotta use VirtualProtect() . |
If you think about it, using call would probably make it end up in a mega loop. |
|
| Back to top |
|
|
pkedpker
Master Cheater
![]() Reputation: 1
Joined: 11 Oct 2006
Posts: 412
|
| Posted: Tue Sep 23, 2008 5:24 pm Post subject: |
|
|
| noz3001 wrote: | | pkedpker wrote: | do a memcpy or WPM (writeprocessmemory).
change
addressToCodeCave = (DWORD)codeCave;
ADDRESS BEOFRE Where codecave is now
DWORD OriAddress = 0xADDRESS_ORIGINAL;
| Code: |
void __declspec( naked ) codeCave(void) {
__asm {
PUSHAD
PUSHFD
PUSH EAX//here is your EAX...
call DeTour //call a detour function to get values
POPFD //fix registers
POPAD //fix registers
call OriAddress //go back to the original function
}
}
int WINAPI DeTour(int EAXX) { //the detour
printf("MY EAX IS = %d\n", EAXX);
}
|
it will work 100%..
if it doesn't then you gotta use VirtualProtect() . |
If you think about it, using call would probably make it end up in a mega loop. |
No a codecave is a simple interception of data it could be used to create packet hacks to have access to recv packet buffer and such.. there is no loops.
Well yah I guess a BETTER way would be using a JMP instead of a CALL..
But I never had problems so I don't know..
as long as DeTour() doesn't have any while(1)'s or for( ;; ) 's it should be okay..
_________________
|
|
| Back to top |
|
|
sponge
I'm a spammer
Reputation: 1
Joined: 07 Nov 2006
Posts: 6009
|
| Posted: Tue Sep 23, 2008 5:34 pm Post subject: |
|
|
noz is right. calling the original function would go to your hook which would call the original function etc etc. popfd does not fix registers. it restores the EFLAGS DWORD. Only pushf is needed. pushfd pushes flags that aren't affected in usermode. also to get eax you dont need to call another function just put it in a local/global variable.
| _void_ wrote: | lolwat db ?
| Code: |
push eax
mov eax, address
mov [lolwat], eax
pop eax |
|
basically you're putting a imm32 representing an address into lolwat. useless much? and lolwat is a byte. eax wont fit.
_________________
Last edited by sponge on Tue Sep 23, 2008 7:24 pm; edited 1 time in total |
|
| Back to top |
|
|
rapion124
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Mar 2007
Posts: 1095
|
| Posted: Tue Sep 23, 2008 7:04 pm Post subject: |
|
|
| You do not need to preserve registers! You may use 'call' because you are not accessing the stack, so it won't fuck up the stack. My code works perfectly fine. All it does it move eax into [address]. I used 'call' because it's simpler than a call as the return address is on the stack so I don't need to do a jmp at the end. In the case of most hooks, using a jmp is the best, but because we only want to read a value, this is fine. |
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
