Cheat Engine Forum: The Official Site of Cheat Engine
Cheat Engine Forum Index -> General Gamehacking

copy the base address of a structure

Author Message
Artykalamata
Cheater
Reputation: 0

Joined: 21 Mar 2016
Posts: 32
Location: Germany

PostPosted: Mon Aug 15, 2016 7:18 pm    Post subject: copy the base address of a structure

So I want to get the base address of my player structure. The problem is, I can't find a piece of code that's only accessing one address. For example they write crit, crit dmg and speed.

I wrote this little script to filter out all wrong addresses, but it seems like I did something wrong because it's not activating at all.

Code:
[ENABLE]
aobscanmodule(getPlayer,portal_knights_x64.exe,F3 0F 11 77 08 E8)
alloc(newmem,$1000,"portal_knights_x64.exe"+47BB5D)

globalalloc(_player,4)

label(code)
label(return)
label(copy)

newmem:

copy:
  cmp [rdi+00],C0B4FE61 //rdi+00 is only C0B4FE61 when the address is the correct one
  jne code
  mov [_player],rdi
  jmp code

code:
  movss [rdi+08],xmm6
  jmp return

getPlayer:
  jmp copy
return:
registersymbol(getPlayer)

[DISABLE]
getPlayer:
  db F3 0F 11 77 08

unregistersymbol(getPlayer)
dealloc(_player)
dealloc(newmem)
h3x1c
Master Cheater
Reputation: 17

Joined: 27 Apr 2013
Posts: 306

PostPosted: Mon Aug 15, 2016 9:14 pm

Try this:

Code:
[ENABLE]
aobscanmodule(getPlayer,portal_knights_x64.exe,F3 0F 11 77 08 E8)
alloc(newmem,$1000,"portal_knights_x64.exe"+47BB5D)

globalalloc(_player,4,"portal_knights_x64.exe"+47BB5D)

label(code)
label(return)
label(copy)

newmem:

copy:
  cmp [rdi],C0B4FE61 //rdi+00 is only C0B4FE61 when the address is the correct one
  jne code
  mov [_player],rdi
  jmp code

code:
  movss [rdi+08],xmm6
  jmp return

getPlayer:
  jmp copy
return:
registersymbol(getPlayer)

[DISABLE]
getPlayer:
  db F3 0F 11 77 08

unregistersymbol(_player)
unregistersymbol(getPlayer)
dealloc(_player)
dealloc(newmem)


[RDI+00] is [RDI], so I just consolidated that. The primary thing I did with your script was add the same location to allocate memory near for your globalalloc. I've been having issues with scripts not enabling lately if I don't add that in with globalalloc. Lastly, globalalloc registers a symbol, so I added unregistersymbol(_player) to the disable section of the script.

Artykalamata
Cheater
Reputation: 0

Joined: 21 Mar 2016
Posts: 32
Location: Germany

PostPosted: Tue Aug 16, 2016 4:27 am

h3x1c wrote:
Try this:

[RDI+00] is [RDI], so I just consolidated that. The primary thing I did with your script was add the same location to allocate memory near for your globalalloc. I've been having issues with scripts not enabling lately if I don't add that in with globalalloc. Lastly, globalalloc registers a symbol, so I added unregistersymbol(_player) to the disable section of the script.


Thanks, that worked, but now I've got another problem.
When I activate my script, 7FF66D7D0028 gets written in my _player. (This address increases by 10 every time I activate my script.)
But I have no idea where that address comes from. When I look up which addresses get changed by this code it gives me this list:

edit: can't post pictures

It shows that only addresses between 1CEEE0894A8 and 1CEEE08AAE8 are getting changed.
PinPoint
Expert Cheater
Reputation: 10

Joined: 07 Apr 2016
Posts: 223
Location: Scotland

PostPosted: Tue Aug 16, 2016 4:52 am

Did you add _player as a pointer with offset 8 to your table?

7FF66D7D0028 might be the value of the RIP register, where it is in the disassembler. If you were to look for it in the disassembler when the script is active it should take you to your code.

edit...
Was thinking, h3x1c: since they are 64-bit instructions, they can only access memory that's so far either side of the instruction you are injecting on (can't remember, might be 1GB either side)... so you would use something like this to get around it:

Code:
  push rax
  mov rax,_player   // load the absolute address of _player into a register
  mov [rax],rdi     // then store rdi through it, avoiding a RIP-relative reach limit
  pop rax
  jmp code


Then you could leave it as globalalloc(_player,4), I'm sure.


..an afterthought for someone to answer :), should 64-bit instructions that are being copied have 8 bytes allocated, as in... globalalloc(_player,8)?


Last edited by PinPoint on Tue Aug 16, 2016 5:12 am; edited 3 times in total
Artykalamata
Cheater
Reputation: 0

Joined: 21 Mar 2016
Posts: 32
Location: Germany

PostPosted: Tue Aug 16, 2016 5:05 am

PinPoint wrote:
Did you add _player as a pointer with offset 8 to your table?

Yes

PinPoint wrote:
7FF66D7D0028 might be the value of the RIP register, where it is in the disassembler. If you were to look for it in the disassembler when the script is active it should take you to your code.

You are right. It's taking me to my code. But what did I do wrong in my script?
PinPoint
Expert Cheater
Reputation: 10

Joined: 07 Apr 2016
Posts: 223
Location: Scotland

PostPosted: Tue Aug 16, 2016 5:20 am

Are you looking up which addresses this instruction accesses?
movss [rdi+08],xmm6

If so, that isn't the instruction writing to [_player].

In your code it is this one: mov [_player],rdi

The address of _player is/was/can be 7FF66D7D0028 as it is the allocated memory for _player. When you use the instruction mov [_player],rdi, the value of that address (_player==7FF66D7D0028) becomes whatever rdi is (C0B4FE61).

It sounds like it's working fine, since you haven't mentioned anything about the values and you're only concerned about where that address came from.
Artykalamata
Cheater
Reputation: 0

Joined: 21 Mar 2016
Posts: 32
Location: Germany

PostPosted: Tue Aug 16, 2016 5:41 am

Thank you, I get it now.

Code:

copy:
  cmp [rdi],C0B4FE61  //something is wrong here
  jne code
  mov [_player],rdi  //so thats unreachable code
  jmp code


Can I only compare: cmp "byte hex","byte hex"
or can I compare: cmp "array of bytes hex","array of bytes hex"?
PinPoint
Expert Cheater
Reputation: 10

Joined: 07 Apr 2016
Posts: 223
Location: Scotland

PostPosted: Tue Aug 16, 2016 5:45 am

Using the example above:

the hex value is C0B4FE61
the aob is 61 FE B4 C0, which is just the hex value reversed into bytes.
the int value is 3233087073, which you could use in the cmp like "#3233087073"

Let's say it was 8 bytes since it's a 64-bit register; it would be like this:
hex value: 00000000C0B4FE61
aob: 61 FE B4 C0 00 00 00 00

So if you want to use an aob as your compare, convert it to hex.
There might be another way, but I have never needed to use it, so I'm also unsure if there is.

edit.. should've added this before.
As I understand it... say you were comparing to [eax] and the aob from [eax] was something like 00 01 02 03 04 05 06 07 08 09, you would do something like:

Quote:
cmp [eax],03020100
jne original
cmp [eax+4],07060504
jne original
cmp word ptr [eax+8],0908 //word ptr since its only 2 bytes worth now
jne original
//changed code here


Last edited by PinPoint on Tue Aug 16, 2016 5:41 pm; edited 1 time in total
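PinPoint's hex/aob conversion and the dword/word/byte compare sequence above, written out as a small Python helper. This is an added example, not code from the thread; it assumes the signature contains no wildcards and emits Cheat Engine auto-assembler syntax as used in the posts.

```python
# Added example (not from the thread): convert an array-of-bytes signature into
# the little-endian immediates a Cheat Engine auto-assembler `cmp` expects, using
# the chunking PinPoint describes: dword compares, then a word, then a byte.

def parse_aob(aob: str) -> bytes:
    """'61 FE B4 C0' -> b'\\x61\\xfe\\xb4\\xc0' (no wildcard support here)."""
    return bytes(int(tok, 16) for tok in aob.split())

def aob_to_immediate(chunk: bytes) -> int:
    """Bytes as they sit in memory (little-endian) -> the integer a cmp immediate names."""
    return int.from_bytes(chunk, "little")

def immediate_to_aob(value: int, width: int) -> str:
    """Reverse direction: 0xC0B4FE61 with width 8 -> '61 FE B4 C0 00 00 00 00'."""
    return " ".join(f"{b:02X}" for b in value.to_bytes(width, "little"))

# chunk size in bytes -> (operand-size prefix for CE syntax, hex digits to print)
_SIZES = {4: ("", 8), 2: ("word ptr ", 4), 1: ("byte ptr ", 2)}

def aob_compare_lines(aob: str, reg: str = "rdi", fail_label: str = "code") -> list:
    """Emit `cmp`/`jne` pairs that match the whole signature at [reg].

    Full 4-byte chunks are compared as dwords, a 2-byte tail as a word and a
    1-byte tail as a byte, so a signature of any length is covered.
    """
    data = parse_aob(aob)
    lines, offset = [], 0
    while offset < len(data):
        remaining = len(data) - offset
        size = 4 if remaining >= 4 else (2 if remaining >= 2 else 1)
        prefix, digits = _SIZES[size]
        imm = aob_to_immediate(data[offset:offset + size])
        where = f"[{reg}]" if offset == 0 else f"[{reg}+{offset:X}]"
        lines.append(f"cmp {prefix}{where},{imm:0{digits}X}")
        lines.append(f"jne {fail_label}")
        offset += size
    return lines

if __name__ == "__main__":
    print(aob_to_immediate(parse_aob("61 FE B4 C0")))  # 3233087073 == 0xC0B4FE61
    print("\n".join(aob_compare_lines("00 01 02 03 04 05 06 07 08 09",
                                      reg="eax", fail_label="original")))
```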
Artykalamata
Cheater
Reputation: 0

Joined: 21 Mar 2016
Posts: 32
Location: Germany

PostPosted: Tue Aug 16, 2016 4:48 pm

I'm so retarded!

I added _player to my Address list instead of [_player].
So h3x1c's correction works fine.

Thank you for your effort PinPoint, I learned something. :)
h3x1c
Master Cheater
Reputation: 17

Joined: 27 Apr 2013
Posts: 306

PostPosted: Tue Aug 16, 2016 5:00 pm

Artykalamata wrote:
I'm so retarded!

I added _player to my Address list instead of [_player].
So h3x1c's correction works fine.

Thank you for your effort PinPoint, I learned something. :)


There is one change I think should be made that PinPoint noted (good spot, man) which I should have caught before.

Code:
globalalloc(_player,8,"portal_knights_x64.exe"+47BB5D)


Use 8 if you're seeing 64-bit registers! 4 might well work just fine because of where CE allocates memory for the variable or because of values only using up to 32 bits, but to make sure you're on the safe side, allocate 8 bytes when dealing with 64-bit registers or values. :D

PinPoint
Expert Cheater
Reputation: 10

Joined: 07 Apr 2016
Posts: 223
Location: Scotland

PostPosted: Tue Aug 16, 2016 5:03 pm

Artykalamata wrote:
I'm so retarded!

I added _player to my Address list instead of [_player].
So h3x1c's correction works fine.

Thank you for your effort PinPoint, I learned something. :)


No probs. That was my first thought and suggestion, mind you...
I personally would check the pointer box instead of using [].
Artykalamata
Cheater
Reputation: 0

Joined: 21 Mar 2016
Posts: 32
Location: Germany

PostPosted: Tue Aug 16, 2016 5:04 pm

h3x1c wrote:

Use 8 if you're seeing 64-bit registers! 4 might well work just fine because of where CE allocates memory for the variable or because of values only using up to 32 bits, but to make sure you're on the safe side, allocate 8 bytes when dealing with 64-bit registers or values.


Yes, I already changed that. :)

PinPoint wrote:

No probs. That was my first thought and suggestion, mind you...
I personally would check the pointer box instead of using [].


"as a pointer" <- Yep, now I understand what you mean.