fffffaaaaa How do I cheat?
Reputation: 0
Joined: 20 Nov 2012 Posts: 7
Posted: Thu Mar 17, 2016 12:12 am Post subject: How are the non-local addresses handled in a dll?
I have been looking at the following piece of a function and compared it with the bytes in the dll. The early bytes are pretty much the same between the dll and memory, but the last instruction, which pushes a non-local address, is given as "6A FF 68 77 C5 32 10" in the dll: same opcode but a different address. All the non-local function calls are different in the dll too.
Could anyone help to explain how such non-local addresses are stored in a dll, and how they get converted when loaded into memory? Much appreciated!!!
Game.GAME::ControllerCombat::KillMe   - 55             - push ebp
Game.GAME::ControllerCombat::KillMe+1 - 8B EC          - mov ebp,esp
Game.GAME::ControllerCombat::KillMe+3 - 64 A1 00000000 - mov eax,fs:[00000000]
Game.GAME::ControllerCombat::KillMe+9 - 6A FF          - push -01
Game.GAME::ControllerCombat::KillMe+B - 68 77C5BC00    - push Game.GAME::WeaponArmor_Offhand::GetLeftHandType+10777
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25812 Location: The netherlands
Posted: Thu Mar 17, 2016 2:24 am Post subject:
are you sure this is dll memory and not jit'ed code (c#) ?
anyhow, assuming dll, then it's done using the relocation table.
that is a table with addresses that need to be changed when the dll is loaded at an address it wasn't programmed for.
so when windows loads the dll, it parses that list and applies the difference of the new address and the expected address to that address's value
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
fffffaaaaa How do I cheat?
Reputation: 0
Joined: 20 Nov 2012 Posts: 7
Posted: Thu Mar 17, 2016 6:42 pm Post subject:
Thanks, the one I looked at is not a c# one, it doesn't have the c# header.
I found the relocation table at the end of the dll, but there are so many offset words, how can I pinpoint which one is used when a particular call is made? E.g. for the push in my dll, "6A FF 68 77 C5 32 10", is it possible to find the offset from 32 10?
Dark Byte wrote:
are you sure this is dll memory and not jit'ed code (c#) ?
anyhow, assuming dll, then it's done using the relocation table.
that is a table with addresses that need to be changed when the dll is loaded at an address it wasn't programmed for.
so when windows loads the dll, it parses that list and applies the difference of the new address and the expected address to that address's value
hhhuut Grandmaster Cheater
Reputation: 6
Joined: 08 Feb 2015 Posts: 607
Posted: Fri Mar 18, 2016 3:01 am Post subject:
In the memory viewer, go to view -> show symbols and make sure it's not checked.
Instead of "Game.GAME::WeaponArmor_Offhand::GetLeftHandType+10777" you should get a static "Something.dll+Offset".
Use that to calculate the address.
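The relocation mechanism Dark Byte describes, the follow-up question of how to pinpoint which .reloc entry belongs to one particular push, and hhhuut's "Something.dll+Offset" form, worked through as an added example. This is not code from the thread and not Cheat Engine code. It constructs a minimal PE32 image inline (a stand-in, not the game DLL) whose .text section holds the prologue bytes quoted above, parses the base relocation directory, finds the entry covering the push immediate, and applies the loader's delta. Assumptions: a preferred ImageBase of 0x10000000 and an actual load address of 0x008A0000; the thread only shows 0x1032C577 on disk and 0x00BCC577 in memory, and those two bases are one pair that produces exactly that change.

```python
import struct

# Names and values from the PE format specification.
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # full 32-bit address: add the base delta

# Assumed bases (not stated in the thread): the MSVC default DLL ImageBase and
# the load address that turns on-disk 77 C5 32 10 into in-memory 77 C5 BC 00.
PREFERRED_BASE = 0x10000000
ACTUAL_BASE = 0x008A0000


def build_sample_dll():
    """Constructed minimal PE32 image: one .text section with the prologue
    quoted in the thread and one .reloc section with a single HIGHLOW fixup."""
    text_rva, text_raw = 0x1000, 0x200
    reloc_rva, reloc_raw = 0x2000, 0x400
    # 55 8B EC 64 A1 00000000 6A FF 68 77C53210: the 4-byte push immediate
    # starts at offset 0xC of .text, i.e. RVA 0x100C.
    text = bytes.fromhex("558BEC64A1000000006AFF6877C53210").ljust(0x200, b"\xCC")
    # One relocation block: page RVA 0x1000, SizeOfBlock 12, one HIGHLOW entry
    # (type 3 << 12 | offset 0xC) plus an ABSOLUTE entry to pad to 4 bytes.
    reloc = struct.pack("<IIHH", text_rva, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 0xC, 0)
    reloc = reloc.ljust(0x200, b"\x00")

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, PREFERRED_BASE)              # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # alignments
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, reloc_rva, 12)

    def section(name, vsize, rva, rawsize, raw):
        return struct.pack("<8sIIIIIIHHI", name, vsize, rva, rawsize, raw, 0, 0, 0, 0, 0)

    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    headers += section(b".text", 0x200, text_rva, 0x200, text_raw)
    headers += section(b".reloc", 0x200, reloc_rva, 0x200, reloc_raw)
    return bytes(headers.ljust(text_raw, b"\0")) + text + reloc


def _pe_headers(image):
    """Return (ImageBase, reloc directory RVA, its size, section table)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    base = struct.unpack_from("<I", image, opt + 28)[0]
    dir_rva, dir_size = struct.unpack_from("<II", image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    sections = [struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i) for i in range(nsec)]
    return base, dir_rva, dir_size, sections


def rva_to_offset(sections, rva):
    for _name, vsize, va, rawsize, raw in sections:
        if va <= rva < va + max(vsize, rawsize):
            return raw + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not in any section")


def parse_relocations(image):
    """Walk every relocation block; each covers one 4 KiB page and holds
    16-bit entries (4-bit type, 12-bit offset into the page). This is why
    the table at the end of the file is a long list of small words."""
    _base, dir_rva, dir_size, sections = _pe_headers(image)
    off, end, out = rva_to_offset(sections, dir_rva), rva_to_offset(sections, dir_rva) + dir_size, []
    while off < end:
        page, size = struct.unpack_from("<II", image, off)
        if size < 8:
            break
        for i in range((size - 8) // 2):
            entry = struct.unpack_from("<H", image, off + 8 + 2 * i)[0]
            typ, rel = entry >> 12, entry & 0xFFF
            if typ != IMAGE_REL_BASED_ABSOLUTE:
                out.append((page, rel, typ))
        off += size
    return out


def find_fixup(image, site_rva):
    """Pinpoint the entry for one fixup site. The key is the RVA of the 4-byte
    immediate (instruction RVA + 1 for opcode 68), not the value stored there."""
    for page, rel, typ in parse_relocations(image):
        if page + rel == site_rva:
            return page, rel, typ
    return None


def relocate(image, new_base):
    """Apply HIGHLOW fixups the way the loader does: add (new_base - ImageBase)
    mod 2**32 to the 32-bit value at each site. Works on the file layout."""
    base, _, _, sections = _pe_headers(image)
    delta = (new_base - base) & 0xFFFFFFFF
    out = bytearray(image)
    for page, rel, typ in parse_relocations(image):
        if typ == IMAGE_REL_BASED_HIGHLOW:
            off = rva_to_offset(sections, page + rel)
            val = struct.unpack_from("<I", out, off)[0]
            struct.pack_into("<I", out, off, (val + delta) & 0xFFFFFFFF)
    return bytes(out)


def read_u32(image, rva):
    _, _, _, sections = _pe_headers(image)
    return struct.unpack_from("<I", image, rva_to_offset(sections, rva))[0]


def module_relative(value, image_base):
    """Absolute on-disk value -> the 'Something.dll+Offset' form CE shows with symbols off."""
    return value - image_base


if __name__ == "__main__":
    dll = build_sample_dll()
    print("fixup entry:", find_fixup(dll, 0x100C))
    print("on disk:", hex(read_u32(dll, 0x100C)), "loaded:", hex(read_u32(relocate(dll, ACTUAL_BASE), 0x100C)))
    print("module+offset:", hex(module_relative(read_u32(dll, 0x100C), PREFERRED_BASE)))
```

Two things fall out of this that answer the "32 10" question directly: the relocation entry is looked up by where the operand lives (page RVA 0x1000, offset 0xC in this constructed image), so you need the RVA of the push's immediate field, not the bytes 32 10; and subtracting the preferred base from 0x1032C577 gives 0x32C577, which is the target's module-relative offset and the static "Something.dll+0x32C577" you would use to recompute the address for any load base. If the DLL is loaded at its preferred base, the delta is zero and the loader changes nothing.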
fffffaaaaa How do I cheat?
Reputation: 0
Joined: 20 Nov 2012 Posts: 7
Posted: Fri Mar 18, 2016 12:25 pm Post subject:
Thanks! I'll dig into it.