Cheat Engine - The Official Site of Cheat Engine

Paprikaskrumpli (Cheater; Reputation: 0; Joined: 19 Dec 2020; Posts: 29)
Posted: Mon Dec 28, 2020 8:40 am    Post subject: How to find asm code? (Pointer/Offset?)

I have this assembly code:
319A35523A0 - 89 43 24 - mov [rbx+24],eax
What I'd like to do is overwrite it with something else in C++ with WriteProcessMemory. How can I find this memory address?
Is this always located at an offset from some module like:
something.exe/dll + 0x12345
Or should a pointer path exist?
(I'll try to jump to my asm code, execute it, then jump back, just to make everything clear.)
For now, I've been finding it manually by searching for the byte array. Is there a way to determine which module it is located in?

ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4703)
Posted: Mon Dec 28, 2020 12:42 pm

In general, you scan through executable memory for that byte pattern. See CE's source for more information.
Some code (e.g. JIT-compiled code) will be dynamically allocated at runtime, and as such, won't be located in an exe/dll. If that code is part of an exe/dll, it almost certainly won't change locations between process instances, so you can use its offset from the start of the module to find it.
If it's not part of a module, you might find a pointer to it. That depends on how that memory was allocated.
CE will tell you if it's part of a module in the memory viewer. It should replace the address (i.e. "319A35523A0") with "something.exe+1234". I think there's an option in the view menu to toggle this.
If you want to be absolutely certain, look at the memory region information. (IIRC Memory Viewer -> View -> Memory Regions)
_________________
I don't know where I'm going, but I'll figure it out when I get there.
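The "something.exe+1234" display the reply refers to is a plain lookup: find the module whose mapped image contains the address and subtract its base. The following is an added example in C (not code from the thread, and not Cheat Engine's own code) that does that lookup in both directions: raw address to module+offset, and a "module+offset" string back to an absolute address in a fresh process instance, which is what a tool needs after the game restarts. The module table SAMPLE_MODS is a constructed sample with assumed names and base addresses so the block runs anywhere; on Windows the load_modules() function under #ifdef _WIN32 fills a real table from a live process with EnumProcessModulesEx and GetModuleInformation (link with psapi).

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not code from the thread or from Cheat Engine).
 * Resolves a raw address to "module+offset" the way CE's memory viewer
 * displays it, and resolves such a string back to an absolute address in
 * a fresh process instance. SAMPLE_MODS is a constructed module table with
 * assumed base addresses; on Windows, load_modules() below fills a real one. */

typedef struct {
    char     name[64];   /* base name as GetModuleBaseName reports it */
    uint64_t base;       /* image base in the target process */
    uint64_t size;       /* SizeOfImage */
} module_t;

static const module_t SAMPLE_MODS[] = {
    { "game.exe",      0x7FF6A0000000ULL, 0x2A000ULL },
    { "something.dll", 0x7FFC10000000ULL, 0x05000ULL },
};
#define SAMPLE_MOD_COUNT (sizeof SAMPLE_MODS / sizeof SAMPLE_MODS[0])

/* Index of the module whose image contains addr, or -1 if the address is in
 * memory that belongs to no module (heap, JIT output, VirtualAlloc'd code).
 * The offset from that module's base is stored in *offset when non-NULL. */
int find_module(const module_t *mods, size_t n, uint64_t addr, uint64_t *offset)
{
    for (size_t i = 0; i < n; i++) {
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size) {
            if (offset) *offset = addr - mods[i].base;
            return (int)i;
        }
    }
    return -1;
}

/* Writes "name+HEXOFFSET" (CE style) and returns 1, or writes the bare hex
 * address and returns 0 when no module contains it. */
int format_address(const module_t *mods, size_t n, uint64_t addr, char *out, size_t outlen)
{
    uint64_t off = 0;
    int i = find_module(mods, n, addr, &off);
    if (i < 0) {
        snprintf(out, outlen, "%llX", (unsigned long long)addr);
        return 0;
    }
    snprintf(out, outlen, "%s+%llX", mods[i].name, (unsigned long long)off);
    return 1;
}

static int name_eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Parses "something.dll+EE0" (hex offset, "0x" prefix accepted, module name
 * case-insensitive like Windows) and returns the absolute address for the
 * current instance, or 0 if the module is not loaded, the syntax is bad, or
 * the offset lies past the end of the image. */
uint64_t resolve_address(const module_t *mods, size_t n, const char *spec)
{
    const char *plus = strchr(spec, '+');
    if (!plus || plus == spec) return 0;
    size_t namelen = (size_t)(plus - spec);
    char *end = NULL;
    uint64_t off = strtoull(plus + 1, &end, 16);
    if (end == plus + 1 || *end != '\0') return 0;
    for (size_t i = 0; i < n; i++) {
        if (strlen(mods[i].name) == namelen && name_eq_nocase(mods[i].name, spec, namelen)) {
            if (off >= mods[i].size) return 0;
            return mods[i].base + off;
        }
    }
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
/* Fills mods[] from a live process (handle needs PROCESS_QUERY_INFORMATION |
 * PROCESS_VM_READ). Link with psapi.lib / -lpsapi. Returns the count filled. */
size_t load_modules(HANDLE proc, module_t *mods, size_t max)
{
    HMODULE handles[1024];
    DWORD needed = 0;
    if (!EnumProcessModulesEx(proc, handles, sizeof handles, &needed, LIST_MODULES_ALL))
        return 0;
    size_t have = needed / sizeof(HMODULE), out = 0;
    for (size_t i = 0; i < have && out < max; i++) {
        MODULEINFO mi;
        if (!GetModuleInformation(proc, handles[i], &mi, sizeof mi)) continue;
        if (!GetModuleBaseNameA(proc, handles[i], mods[out].name, sizeof mods[out].name)) continue;
        mods[out].base = (uint64_t)(uintptr_t)mi.lpBaseOfDll;
        mods[out].size = mi.SizeOfImage;
        out++;
    }
    return out;
}
#endif

int main(void)
{
    char buf[96];
    /* 0x7FF6A0012345 lies inside the sample game.exe; the thread's address does not. */
    format_address(SAMPLE_MODS, SAMPLE_MOD_COUNT, 0x7FF6A0012345ULL, buf, sizeof buf);
    printf("%s\n", buf);                                    /* game.exe+12345 */
    format_address(SAMPLE_MODS, SAMPLE_MOD_COUNT, 0x319A35523A0ULL, buf, sizeof buf);
    printf("%s  (no module: dynamically allocated code)\n", buf);
    printf("something.dll+EE0 -> %llX\n",
           (unsigned long long)resolve_address(SAMPLE_MODS, SAMPLE_MOD_COUNT, "something.dll+EE0"));
    return 0;
}
```

The reason the module+offset form survives a restart even under ASLR is that the loader relocates the whole image as a unit, so only the base changes; the same is not true for code the process allocates itself at runtime, which is exactly the case where find_module() returns -1 and a byte-pattern scan is needed instead.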

Paprikaskrumpli (Cheater; Reputation: 0; Joined: 19 Dec 2020; Posts: 29)
Posted: Tue Dec 29, 2020 4:50 am

ParkourPenguin wrote: | In general, you scan through executable memory for that byte pattern. See CE's source for more information.
Some code (e.g. JIT-compiled code) will be dynamically allocated at runtime, and as such, won't be located in an exe/dll. If that code is part of an exe/dll, it almost certainly won't change locations between process instances, so you can use its offset from the start of the module to find it.
If it's not part of a module, you might find a pointer to it. That depends on how that memory was allocated.
CE will tell you if it's part of a module in the memory viewer. It should replace the address (i.e. "319A35523A0") with "something.exe+1234". I think there's an option in the view menu to toggle this.
If you want to be absolutely certain, look at the memory region information. (IIRC Memory Viewer -> View -> Memory Regions) |
My aim is to find a variable, but pointer scans didn't work. I managed to do a code injection and copy the variable to an empty memory location at something.dll + ee0, so I reach this location after every restart.
As you can see in the picture, I have a reliable byte pattern to find the asm instruction where I'd like to place my jump (to my injected code).
My problem is that this instruction changes location after every restart, and is not located in an exe/dll (like something.exe/dll + 0x12345) - I think.
ParkourPenguin wrote: | (IIRC Memory Viewer -> View -> Memory Regions) |
This setting is turned on, and sometimes shows offsets like you mentioned, but not here.
How do people usually find stuff like this? Are there pointers to instructions? Or some clever trick to find the address the instruction is located at?
I want to do all this with a program, of course. Like when you follow pointer paths previously found with the pointer scanner.
Or should I just scan the whole memory for this byte pattern? Seems a little time consuming. CE does it fast of course (a second at most), but my program is probably going to take a minute or so.
One more thing, this might be important: I have to "ignore" or "square in" the "Writable", "Executable", "CopyOnWrite" checkboxes in the scanner (see below), or else I can't find the given instructions (see below).
[Attached image: 116.29 KB, viewed 2881 times]

ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4703)
Posted: Tue Dec 29, 2020 12:05 pm

Paprikaskrumpli wrote: | How do people usually find stuff like this? | Again, by scanning through the process's memory for a byte pattern. You look through each executable region of memory and stop when you find a byte pattern that matches.
Paprikaskrumpli wrote: | Are there pointers to instructions? Or some clever trick to find the address of the instruction is located on? | Again, maybe. That depends on how the memory was allocated and where that code came from. It's going to be harder for you to reverse engineer a memory allocator / JIT compiler than it would be to make a memory scanner.
If that code is being compiled from some intermediary bytecode, it's usually better to change the intermediary bytecode to suit your needs. e.g. for old flash games, I'd download an swf, modify it, then redirect network requests to the local modified copy. There are usually decompilers for these intermediary bytecode objects (e.g. flash = JPEXS, .NET = .NET Reflector, I'm sure there's stuff for Java, etc.)
Paprikaskrumpli wrote: | One more thing, this might be important: I have to "ignore" or "square in" the "Writable", "Executable", "CopyOnWrite" checkboxes in the scanner (see below), or else I can't find the given instructions (see below). | Executable memory is rarely also writable. By default CE only scans through writable memory to cut down on false positives.
(The AA aobscan scans through everything- you can cut down on time significantly by only scanning through executable memory)
_________________
I don't know where I'm going, but I'll figure it out when I get there.

Paprikaskrumpli (Cheater; Reputation: 0; Joined: 19 Dec 2020; Posts: 29)
Posted: Tue Dec 29, 2020 4:17 pm

Thank you for the answers!
ParkourPenguin wrote: | Paprikaskrumpli wrote: | How do people usually find stuff like this? | Again, by scanning through the process's memory for a byte pattern. You look through each executable region of memory and stop when you find a byte pattern that matches. |
I found some pointers to a memory region where the asm code above is located. My first approach was to start from the beginning and read all the bytes, one by one, with ReadProcessMemory, and compare them to an array of bytes (the pattern I'm looking for).
This took too long, so I started to read 4096 bytes at once, and compare the array to that. Worked like a champ! Can find the code immediately.
BUT... The game crashes after a while (I didn't modify any addresses yet, just did the process mentioned above). It usually takes about a minute, or some action that refreshes a lot of things (like loading new areas, jumping through portals, etc.).
Any idea why that could be? It is possible, but I doubt that the game uses some kind of anticheat. If I do this in CE (scanning for this byte array) the game doesn't crash. I'm curious whether CE does array scanning the way I did.
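ParkourPenguin's advice (walk each executable region, stop at the first byte-pattern match) and the 4096-byte read loop described in the last post are two halves of the same scanner, so here is one added example in C that covers both. It is not code from the thread and not CE's source. The core parses an AOB pattern with ?? wildcards, searches a buffer, and reads a region chunk by chunk while carrying the last len-1 bytes of each chunk forward; without that carry, a match whose bytes sit on both sides of a chunk boundary is never seen, which is the one defect of a plain "read 4096, compare, move on" loop. Reads go through a callback, so the block runs against FAKE_MEM, a constructed 10000-byte stand-in for the target's memory at an assumed address, with the thread's "89 43 24" planted across the first 4096-byte boundary; the Windows driver under #ifdef _WIN32 walks VirtualQueryEx regions, keeps only committed executable non-guard ones, and reads them through ReadProcessMemory (the handle needs PROCESS_VM_READ | PROCESS_QUERY_INFORMATION). The page says nothing about why the game crashed, and this example does not claim to explain that.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the thread or CE's source): an AOB scanner that walks
 * only executable regions and reads them in chunks with boundary carry-over.
 * Reads go through a callback so the core runs against FAKE_MEM, a constructed
 * stand-in for target memory at an assumed address; the Windows driver at the
 * bottom plugs in ReadProcessMemory instead. */

#define MAX_PATTERN 64

typedef struct {
    uint8_t bytes[MAX_PATTERN];
    uint8_t mask[MAX_PATTERN];   /* 1 = byte must match, 0 = wildcard */
    size_t  len;
} pattern_t;

/* Parses "89 43 24" or "48 8B ?? 24" style text. Returns 0 on bad input. */
int parse_pattern(const char *text, pattern_t *p)
{
    const char *s = text;
    p->len = 0;
    while (*s) {
        while (*s == ' ') s++;
        if (!*s) break;
        if (p->len >= MAX_PATTERN) return 0;
        if (s[0] == '?') {                       /* "?" or "??" */
            p->bytes[p->len] = 0; p->mask[p->len] = 0;
            s += (s[1] == '?') ? 2 : 1;
        } else if (isxdigit((unsigned char)s[0]) && isxdigit((unsigned char)s[1])) {
            char hex[3] = { s[0], s[1], 0 };
            p->bytes[p->len] = (uint8_t)strtoul(hex, NULL, 16);
            p->mask[p->len] = 1;
            s += 2;
        } else {
            return 0;
        }
        if (*s && *s != ' ') return 0;           /* token must end at a space */
        p->len++;
    }
    return p->len > 0;
}

/* First offset in buf[0..n) where the masked pattern matches, or (size_t)-1. */
size_t find_pattern(const uint8_t *buf, size_t n, const pattern_t *p)
{
    for (size_t i = 0; n >= p->len && i + p->len <= n; i++) {
        size_t j = 0;
        while (j < p->len && (!p->mask[j] || buf[i + j] == p->bytes[j])) j++;
        if (j == p->len) return i;
    }
    return (size_t)-1;
}

/* Reads n bytes of target memory at addr into out; returns 0 on failure. */
typedef int (*read_fn)(void *ctx, uint64_t addr, void *out, size_t n);

/* Scans [base, base+size) in chunks of `chunk` bytes; returns the address of the
 * first match, or 0. With keep_overlap=1 the last len-1 bytes of each chunk stay
 * in front of the next read; keep_overlap=0 reproduces the naive "read 4096,
 * compare, move on" loop, which cannot see a match that spans two chunks. */
uint64_t scan_region(read_fn rd, void *ctx, uint64_t base, uint64_t size,
                     const pattern_t *p, size_t chunk, int keep_overlap)
{
    uint8_t *buf = malloc(chunk + MAX_PATTERN);
    if (!buf || p->len == 0) { free(buf); return 0; }
    size_t carry = 0;          /* bytes retained from the previous chunk */
    uint64_t pos = 0, hit = 0;
    while (pos < size) {
        size_t want = (size - pos < chunk) ? (size_t)(size - pos) : chunk;
        if (!rd(ctx, base + pos, buf + carry, want)) break;   /* unreadable: give up on this region */
        size_t have = carry + want;
        size_t off = find_pattern(buf, have, p);
        if (off != (size_t)-1) { hit = base + pos - carry + off; break; }
        pos += want;
        carry = (keep_overlap && p->len > 1) ? p->len - 1 : 0;
        if (carry > have) carry = have;
        memmove(buf, buf + have - carry, carry);
    }
    free(buf);
    return hit;
}

/* Constructed target memory: nop filler with the thread's "89 43 24"
 * (mov [rbx+24],eax) placed at offset 4095, straddling the first 4096-byte chunk. */
#define FAKE_BASE 0x319A35520000ULL
#define FAKE_SIZE 10000
static uint8_t FAKE_MEM[FAKE_SIZE];

void build_fake_memory(void)
{
    memset(FAKE_MEM, 0x90, FAKE_SIZE);
    FAKE_MEM[4095] = 0x89; FAKE_MEM[4096] = 0x43; FAKE_MEM[4097] = 0x24;
}

int fake_read(void *ctx, uint64_t addr, void *out, size_t n)
{
    (void)ctx;
    if (addr < FAKE_BASE || addr + n > FAKE_BASE + FAKE_SIZE) return 0;
    memcpy(out, FAKE_MEM + (addr - FAKE_BASE), n);
    return 1;
}

#ifdef _WIN32
#include <windows.h>
static int rpm_read(void *ctx, uint64_t addr, void *out, size_t n)
{
    SIZE_T got = 0;
    return ReadProcessMemory((HANDLE)ctx, (LPCVOID)(uintptr_t)addr, out, n, &got) && got == n;
}

/* Walks every region with VirtualQueryEx and scans only committed, executable,
 * non-guard ones (the regions CE's "Executable" checkbox selects). 0 = not found. */
uint64_t scan_executable_memory(HANDLE proc, const pattern_t *p)
{
    MEMORY_BASIC_INFORMATION mbi;
    const DWORD exec = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
    uint8_t *addr = NULL;
    while (VirtualQueryEx(proc, addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.State == MEM_COMMIT && (mbi.Protect & exec) && !(mbi.Protect & PAGE_GUARD)) {
            uint64_t hit = scan_region(rpm_read, proc, (uint64_t)(uintptr_t)mbi.BaseAddress,
                                       mbi.RegionSize, p, 4096, 1);
            if (hit) return hit;
        }
        addr = (uint8_t *)mbi.BaseAddress + mbi.RegionSize;
    }
    return 0;
}
#endif

int main(void)
{
    pattern_t p;
    build_fake_memory();
    parse_pattern("89 43 24", &p);
    printf("with overlap   : %llX\n", (unsigned long long)scan_region(fake_read, NULL, FAKE_BASE, FAKE_SIZE, &p, 4096, 1));
    printf("without overlap: %llX\n", (unsigned long long)scan_region(fake_read, NULL, FAKE_BASE, FAKE_SIZE, &p, 4096, 0));
    return 0;
}
```

Reading whole regions in large chunks rather than byte by byte is what makes this fast; restricting the walk to executable regions is what keeps it from spending most of its time in heaps and stacks that cannot contain the instruction.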