Cheat Engine Forum Index -> General Gamehacking
How to interpret instruction's bytes to get addresses?

wayden
Posted: Fri Jul 14, 2023 7:48 am    Post subject: How to interpret instruction's bytes to get addresses?

Hi,
I was wondering if it's possible to retrieve the addresses accessed at a specific instruction from its bytes, and how to do that?

Here is the assembly code in the memory viewer:

Code:

48 B8 B0B23965AF010000 - mov rax,000001AF6539B2B0
48 8B 00              - mov rax,[rax]
48 8B C8              - mov rcx,rax
33 D2                 - xor edx,edx
83 38 00              - cmp dword ptr [rax],00
48 8D 64 24 00        - lea rsp,[rsp+00]
90                    - nop
49 BB 105CB6DFAF010000 - mov r11,UI_PlayerHud:ToggleExtraPowerMode
41 FF D3              - call r11
The interesting line is this one:

Code:

48 B8 B0B23965AF010000 - mov rax,000001AF6539B2B0


I am 80% sure that at this address, 000001AF6539B2B0, there is a pointer to a class called UI_PlayerHud, and that's why it's put in rcx before calling UI_PlayerHud:ToggleExtraPowerMode, probably as a this pointer.

So I have 3 problems:

- I don't want to inject anything here, nor do I want to set a breakpoint, see what's in rcx and then research what accesses the address, etc., because those instructions are never executed.

- I would prefer to get the address from those bytes, 48 B8 B0B23965AF010000, directly if possible, so that even after restarting I could go to the address of that instruction, get the new bytes, and retrieve the pointer.

- I don't know how to interpret bytes. I guess this 48 B8 indicates a mov, but this B0B23965AF010000 doesn't look like this 000001AF6539B2B0.


Writing that, I realise I could probably just copy the 10 bytes from this specific address into a "variable" and inject those bytes into one of my scripts to get a pointer to UI_PlayerHud.
And now I'm realising this B0B23965AF010000 does look like this 000001AF6539B2B0: same bytes, but in reversed order.

Alright, this post is kind of useless then, but if there is a more optimized solution I would be glad to know yours.
ParkourPenguin
Posted: Fri Jul 14, 2023 11:17 am

wayden wrote:
- I don't know how to interpret bytes. I guess this 48 B8 indicates a mov, but this B0B23965AF010000 doesn't look like this 000001AF6539B2B0.
Little endian: the bytes are in reverse order (least significant bytes first).
Code:
000001AF6539B2B0         - 8-byte (pointer)
00 00 01 AF 65 39 B2 B0  - bytes (big endian)
B0 B2 39 65 AF 01 00 00  - bytes (little endian)
B0B23965AF010000         - bytes (little endian, compressed)


Use an aobscan to get an address near there, and readPointer to get the value.
Lua code:
Code:
local result = AOBScan('48 B8 ?? ?? ?? ?? ?? ?? 00 00 48 8B 00 48 8B C8 33 D2', '+X') -- make sure this is unique ('+X': only scan executable memory)
assert(result, 'no results found')
if result.Count > 1 then
  result.destroy()
  error'Multiple results found'
end

local addr = getAddress(result[0]) -- address of the 'mov rax,imm64' instruction
result.destroy()

local ptr = readPointer(addr + 2) -- skip the two opcode bytes (48 B8) and read the 8-byte immediate
registerSymbol('playerHUD', ptr, true)

print(('%08X'):format(readPointer(ptr))) -- should be UI_PlayerHud

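As an added illustration (not code from the thread, and not Cheat Engine's own code), here is the same workflow in plain Python over a constructed byte buffer: a wildcard pattern scan like AOBScan, followed by the little-endian decode of the mov rax,imm64 immediate that readPointer(addr + 2) performs. Only the instruction bytes come from the thread; the padded buffer, the function names and the "exactly one hit" rule are my own assumptions.

```python
import struct

# Constructed sample buffer: the instruction bytes from the thread's
# disassembly, with int3 padding on both sides so the scan has something
# to search. This is a toy buffer, not memory read from any process.
CODE = bytes.fromhex(
    "cccccccc"               # padding before the sequence
    "48b8b0b23965af010000"   # mov rax, 000001AF6539B2B0
    "488b00"                 # mov rax,[rax]
    "488bc8"                 # mov rcx,rax
    "33d2"                   # xor edx,edx
    "833800"                 # cmp dword ptr [rax],00
    "cccccccc"               # padding after the sequence
)

PATTERN = "48 B8 ?? ?? ?? ?? ?? ?? 00 00 48 8B 00 48 8B C8 33 D2"


def parse_pattern(pattern):
    """Turn a Cheat Engine style AOB pattern into a list of byte values,
    with None standing for each '??' wildcard."""
    out = []
    for tok in pattern.split():
        out.append(None if tok in ("??", "?") else int(tok, 16))
    return out


def aob_scan(buf, pattern):
    """Return every offset in buf where the pattern matches; a wildcard
    matches any byte. This mirrors what AOBScan does over process memory."""
    pat = parse_pattern(pattern)
    hits = []
    for i in range(len(buf) - len(pat) + 1):
        if all(p is None or buf[i + k] == p for k, p in enumerate(pat)):
            hits.append(i)
    return hits


def decode_mov_rax_imm64(buf, off):
    """Decode 'REX.W B8 imm64' (mov rax, imm64) at buf[off] and return the
    64-bit immediate. x86 stores it little endian, so the bytes
    B0 B2 39 65 AF 01 00 00 read back as 0x000001AF6539B2B0."""
    if buf[off] != 0x48 or buf[off + 1] != 0xB8:
        raise ValueError("no 'mov rax, imm64' encoding at offset %d" % off)
    (imm,) = struct.unpack_from("<Q", buf, off + 2)
    return imm


def find_player_hud_pointer(buf):
    """The thread's workflow: scan for the byte sequence, then take the
    immediate of the mov rax at the hit. Returns None unless the pattern
    is unique, the same rule as the Lua's 'Multiple results found' error."""
    hits = aob_scan(buf, PATTERN)
    if len(hits) != 1:
        return None
    return decode_mov_rax_imm64(buf, hits[0])


if __name__ == "__main__":
    ptr = find_player_hud_pointer(CODE)
    print("bytes as stored (little endian):", CODE[6:14].hex(" ").upper())
    print("same value written big endian  :", ptr.to_bytes(8, "big").hex(" ").upper())
    print("pointer                        : %016X" % ptr)
```

Inside Cheat Engine the Lua above does the scan and the decode for you; what this version makes visible is that `readPointer(addr + 2)` is nothing more than an 8-byte little-endian read starting right after the two opcode bytes, and that the uniqueness check matters because a second hit would silently hand you a different immediate.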
wayden
Posted: Fri Jul 14, 2023 11:24 am

It worked, and I didn't have to reverse the bytes.

I did it in assembly.

If anyone is interested, here is my code:
Code:

  mov rax,[GameHandler:ToggleGodMode+9b]   // load 8 bytes directly from the instruction's address: 48 B8 plus the first 6 bytes of the immediate
  shr rax,10                                // shift right by 0x10 = 16 bits to drop the 2 opcode bytes 48 B8 (only recovers the full value because the immediate's top 2 bytes are 00 00)
  mov rax,[rax]                             // load the address rax points to into rax
  mov qword [UIPlayerHud], rax              // store rax into my pointer


Thanks for your answer. I'm not really familiar with Lua, but I guess it's better for a game which doesn't have symbols; I'll try that method if I encounter such a game.

What's the point of this line? Just printing it to verify?
Quote:
print(('%08X'):format(readPointer(ptr)))


Last edited by wayden on Fri Jul 14, 2023 6:35 pm; edited 2 times in total
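The assembly above works because of an assumption worth seeing in the open. As an added example (my own Python, not code from the thread), this reproduces what `mov rax,[addr]` followed by `shr rax,10` computes and compares it with the full decode of the immediate: loading 8 bytes starting at the opcode picks up 48 B8 plus only the first six immediate bytes, so the shift gives the right pointer exactly when the top two immediate bytes are 00 00. The instruction bytes are the thread's; the encoder helper and the non-zero test value are constructed.

```python
# Instruction bytes from the first post: mov rax, 000001AF6539B2B0
MOV_RAX_IMM64 = bytes.fromhex("48b8b0b23965af010000")


def decode_imm64(ins, off=0):
    """Reference decode: the 8-byte immediate after the opcode bytes 48 B8,
    read little endian (this is what readPointer(addr + 2) returns)."""
    return int.from_bytes(ins[off + 2:off + 10], "little")


def shr_trick(ins, off=0):
    """Mirror of 'mov rax,[addr]; shr rax,10' in the auto-assembler:
    load the 8 bytes at the opcode as a little-endian qword (48 B8 plus the
    first six immediate bytes), then shift right by 0x10 = 16 bits to drop
    the opcode bytes. The two highest immediate bytes are never loaded, so
    the result is only complete when they are 00 00."""
    qword = int.from_bytes(ins[off:off + 8], "little")
    return qword >> 16


def encode_mov_rax_imm64(value):
    """Constructed helper: assemble 'mov rax, value' (REX.W B8 imm64)."""
    return b"\x48\xb8" + value.to_bytes(8, "little")


def trick_matches(value):
    """True when the shift trick reproduces the full 64-bit immediate."""
    ins = encode_mov_rax_imm64(value)
    return shr_trick(ins) == decode_imm64(ins)


if __name__ == "__main__":
    print("full decode: %016X" % decode_imm64(MOV_RAX_IMM64))
    print("shr trick  : %016X" % shr_trick(MOV_RAX_IMM64))
    # User-mode x64 addresses on Windows lie below 0x00007FFFFFFFFFFF, so
    # their top 16 bits are zero and the trick holds; a constructed value
    # with non-zero top bytes shows where it silently truncates.
    for v in (0x000001AF6539B2B0, 0xFFFF800012345678):
        print("%016X -> %s" % (v, "ok" if trick_matches(v) else "truncated"))
```

In practice this means the two-instruction version is fine for a user-mode pointer such as the UI_PlayerHud instance, but if the same trick is ever pointed at an immediate whose top 16 bits are set, the stored pointer will be wrong with no error; reading the 8 immediate bytes at +2, as the Lua version does, has no such limit.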
LeFiXER
Posted: Fri Jul 14, 2023 12:05 pm

wayden wrote:
It worked, and I didn't have to reverse the bytes.

I did it in assembly.

If anyone is interested, here is my code:
Code:

  mov rax,[GameHandler:ToggleGodMode+9b]
  shr rax,10
  mov rax,[rax]
  mov qword [UIPlayerHud], rax


Thanks for your answer. I'm not really familiar with Lua, but I guess it's better for a game which doesn't have symbols; I'll try that method if I encounter such a game.

What's the point of this line? Just printing it to verify?
Quote:
print(('%08X'):format(readPointer(ptr)))


Precisely, things need verification :)
All times are GMT - 6 Hours