Page 1 of 1

[SOLVED] Sneaky Hidden Pointer?

Posted: Sat Jul 15, 2017 10:52 pm
by 3oddbits
This coding has the real address static while the AoB changes with every load of the game. :!:
Also, AutoAssemble fails to build this code. A nop attempt under Advanced Options throws a warning about 'doesn't contain what it should'
Is it really a sneaky hidden pointer put where it should not be?

All the info I have read on Assembly doesn't mention this as 'proper code'.
What is the proper way to pull the value from 'game.exe+5DBAC8' into that line of code?
If I want to change 'sub' to 'add', or even better, have the result 'no change', how?

On every attempt I have made, the failure(s) have suggested that 'game.exe+5DBAC8' needs to go away for AutoAssemble to work.

Problem Line of Code :

Code: Select all

game.exe+F456E - 29 04 FD C8 BA 6B 01     - sub [edi*8+game.exe+5DBAC8],eax
Address referred to ???

Code: Select all

game.exe+5DBAC7 - 00 00                 - add [eax],al
game.exe+5DBAC9 - 00 F0                 - add al,dh
Thank you for your time.

Re: [HELP] Sneaky Hidden Pointer?

Posted: Sun Jul 16, 2017 1:27 am
by Squall8
Use wildcards in your aob for the bytes that change. Example below.

Youre going to need to make your signature more unique as well. Use readmem in your script to get a read off of the bytes that change. You can set it up like this:

Code: Select all

aobscan/module(aobname,29 04 FD * * * * xx xx xx xx xx xx....)


  jmp return  //Your code goes here. //Simply putting a "jmp return" here will stop the instruction from executing.

  readmem(aobname,7) //Parameter:  --(address/symbol,number of bytes to read)
  jmp return

  jmp newmem



That is the most simplest way to write it out. There is a bit more for the parameters for readmem, I suggest reading up on it.

Re: [HELP] Sneaky Hidden Pointer?

Posted: Mon Jul 17, 2017 1:44 am
by 3oddbits

Thanks! :D
It worked. Two lines of mutating AoB no longer cause 'can't find it' problems.
Used nop instead to match bit count for the line. Tested with three reboots.