	
IchigoBankai (Grandmaster Cheater)
Reputation: 0 | Joined: 03 Mar 2007 | Posts: 533
Posted: Wed Oct 22, 2008 8:23 pm    Post subject: ASM Question

Say I have an address, and I want to put the value FF in edx. Problem is, well, I'll show it (not a real address, an example):

Code:
    0044916D: mov edx,[ebx+0c]

If I were to put that in a script it would look like this:

Code:
    [enable]
    0044916D:
    mov edx,[ebx+0c] ,ff
    [disable]

or

Code:
    [enable]
    0044916D:
    mov edx,ff ,[ebx+0c]
    [disable]

But Cheat Engine won't let me. How can I fix it so the value FF gets put into edx?
	
	
Dark Byte (Site Admin)
Reputation: 470 | Joined: 09 May 2003 | Posts: 25807 | Location: The Netherlands
Posted: Wed Oct 22, 2008 8:30 pm

If mov edx,ff wasn't bigger than mov edx,[ebx+0c] you could just replace it like that. Problem is, it is...
To get by that:
go to that address and use template->code injection

now at the newmem part write:
mov edx,ff

and comment out the mov edx,[ebx+0c] line in the originalcode part (put // in front of it)

that can be injected.

(and if you want it in a cheat table add an [enable] [disable] to it, and optionally a dealloc(code) in the disable part)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
	
	
Labyrnth (Moderator)
Reputation: 10 | Joined: 28 Nov 2006 | Posts: 6301
Posted: Wed Oct 22, 2008 8:59 pm

What DB is saying.

Code:
    [ENABLE]
    alloc(newmem,2048) //2kb should be enough
    label(returnhere)
    label(originalcode)
    label(exit)

    44916D:
    jmp newmem
    nop
    returnhere:

    newmem: //this is allocated memory, you have read,write,execute access
    //place your code here
    mov edx,ff

    originalcode:
    //mov edx,[ebx+0c]

    exit:
    jmp returnhere

    [DISABLE]
    44916D:
    mov edx,[ebx+0c]
    dealloc(newmem)
	
	
Dark Byte (Site Admin)
Reputation: 470 | Joined: 09 May 2003 | Posts: 25807 | Location: The Netherlands
Posted: Thu Oct 23, 2008 7:43 am

Kinda, but to prevent confusion I didn't give an example, because that would show up differently than on his system.
e.g.:

Code:
    originalcode:
    //mov edx,[ebx+0c]

will have some additional instructions after it, which he should not comment out.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
	
	
Labyrnth (Moderator)
Reputation: 10 | Joined: 28 Nov 2006 | Posts: 6301
Posted: Thu Oct 23, 2008 10:50 am

I see what you mean; it does have more with it in most cases.
	
	
Psy (Grandmaster Cheater Supreme)
Reputation: 1 | Joined: 27 Mar 2008 | Posts: 1366
Posted: Thu Oct 23, 2008 12:25 pm

If the line directly above what he posted contains another move into [ebx+0c], then he could overwrite at that point and NOP out any remainder, avoiding a code cave that way... Maybe... maybe not.
	
	
Recifense (I post too much)
Reputation: 166 | Joined: 17 Mar 2008 | Posts: 3688 | Location: Pernambuco - Brazil
Posted: Fri Oct 24, 2008 5:29 am

In this example I can see a problem. IchigoBankai should take care with instruction size:
The following instruction is 3 bytes long:

Code:
    mov edx,[ebx+0c]    // 8b 53 0c

and the other is 5 bytes long:

Code:
    mov edx,ff          // ba ff 00 00 00

So the application will eventually crash.

Cheers.
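An added example (not code from the thread, and not Cheat Engine's own) that makes the size arithmetic from this post and from Dark Byte's reply concrete: it walks instruction boundaries to see which whole instructions a 5-byte write at 0044916D displaces, how many NOPs are left over, encodes the jmp displacement, and lists what the originalcode block has to carry. The opcode bytes for the two mov instructions are the ones quoted above; the three instructions that follow mov edx,[ebx+0c], and the newmem address, are constructed for the example.

```python
import struct
from typing import List, Tuple

Insn = Tuple[str, bytes]  # (mnemonic as written in a CE script, encoded bytes)

# Instruction stream starting at 0044916D. The first entry's bytes come from
# the thread (8b 53 0c); the next three are CONSTRUCTED filler standing in for
# the "additional instructions after it" that Dark Byte mentions.
ORIGINAL: List[Insn] = [
    ("mov edx,[ebx+0c]", bytes.fromhex("8b530c")),
    ("push esi",         bytes.fromhex("56")),      # constructed
    ("mov esi,[ebx+10]", bytes.fromhex("8b7310")),  # constructed
    ("test edx,edx",     bytes.fromhex("85d2")),    # constructed
]
MOV_EDX_FF = bytes.fromhex("baff000000")  # 5 bytes, as quoted in the thread
JMP_LEN = 5                               # e9 rel32


def plan_patch(stream: List[Insn], patch_len: int) -> Tuple[List[Insn], int]:
    """Consume whole instructions from the patch start until patch_len bytes
    are covered. Returns (displaced instructions, NOPs needed after the patch).
    Overwriting only part of an instruction leaves a half-opcode for the CPU
    to resume into, which is the crash Recifense describes."""
    displaced, covered = [], 0
    for insn in stream:
        if covered >= patch_len:
            break
        displaced.append(insn)
        covered += len(insn[1])
    if covered < patch_len:
        raise ValueError("patch runs past the known instruction stream")
    return displaced, covered - patch_len


def encode_jmp(from_addr: int, to_addr: int) -> bytes:
    """e9 rel32: the displacement is measured from the end of the jmp itself."""
    return b"\xe9" + struct.pack("<i", to_addr - (from_addr + JMP_LEN))


def originalcode_block(stream: List[Insn], replaced: str) -> List[str]:
    """Lines for the 'originalcode:' label of a jmp hook: only the instruction
    being replaced is commented out; every other displaced instruction is kept
    so the bytes the jmp overwrote still execute inside the cave."""
    displaced, _ = plan_patch(stream, JMP_LEN)
    return [("//" + m) if m == replaced else m for m, _ in displaced]


if __name__ == "__main__":
    displaced, pad = plan_patch(ORIGINAL, len(MOV_EDX_FF))
    print("direct 5-byte write also clobbers:", [m for m, _ in displaced][1:], "nops:", pad)
    print("jmp bytes:", encode_jmp(0x0044916D, 0x10000000).hex())  # newmem address constructed
    print("\n".join(originalcode_block(ORIGINAL, "mov edx,[ebx+0c]")))
```

The same plan_patch call answers both questions in the thread: a direct mov edx,ff write spills into the next two instructions, and the jmp newmem hook displaces the same bytes, so those instructions belong in the cave rather than behind a // comment.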
	