problem finding offset for this multilevel pointers

Memory scanning, code injection, debugger internals and other gamemodding related discussion
bachou
Expert Cheater
Posts: 155
Joined: Wed Mar 08, 2017 3:18 pm
Reputation: 1

problem finding offset for this multilevel pointers

Post by bachou »

I'm just trying to create a 2-byte pointer for EXP, but this looks very different from the tutorial. I don't know what the offset is; could anyone tell me what to do?

First result:

Code: Select all

1A2372D201D - 45 8B 2C 04   - mov r13d,[r12+rax]


1A2372D201D:
1A2372D2013 - 49 83 E4 FC - and r12,-04
1A2372D2017 - 0F84 F76C1F04 - je 1A23B4C8D14
1A2372D201D - 45 8B 2C 04   - mov r13d,[r12+rax] <<
1A2372D2021 - 49 8B 87 10030000  - mov rax,[r15+00000310]
1A2372D2028 - 41 BC 04000000 - mov r12d,00000004

RAX=000000212B791CFC
RBX=00000000081C3900
RCX=00000000081C3900
RDX=0000000000000000
RSI=000001A085F4E6F0
RDI=000001A085F4E660
RSP=000001A2320FFDA0
RBP=00000000081C3900
RIP=000001A2372D2021
R8=000001A23630C690
R9=000001A23339C880
R10=000001A0BED70000
R11=000001A0BED70000
R12=0000018046970000
R13=0000000000000000
R14=000001A1B20C0000
R15=000001A23339C0B0


First seen:19:33:40
Last seen:19:33:40
Second result:

Code: Select all

1A2372D21F2 - 45 89 2C 04   - mov [r12+rax],r13d


1A2372D21F2:
1A2372D21E8 - 49 83 E4 FC - and r12,-04
1A2372D21EC - 0F84 646B1F04 - je 1A23B4C8D56
1A2372D21F2 - 45 89 2C 04   - mov [r12+rax],r13d <<
1A2372D21F6 - 49 8B 87 F8000000  - mov rax,[r15+000000F8]
1A2372D21FD - 49 89 87 10030000  - mov [r15+00000310],rax

RAX=000000212B791CFC
RBX=00000000081C3918
RCX=00000000081C3918
RDX=0000000000000000
RSI=000001A085F4E6F0
RDI=000001A085F4E660
RSP=000001A2320FFDA0
RBP=00000000081C3918
RIP=000001A2372D21F6
R8=000001A23630C690
R9=000001A23339C880
R10=000001A0BED70000
R11=0000018046970000
R12=0000018046970000
R13=00000000000000C8
R14=000001A1B20C0000
R15=000001A23339C0B0


First seen:19:33:40
Last seen:19:33:40

sbryzl
Expert Cheater
Posts: 143
Joined: Sat Mar 04, 2017 4:47 am
Reputation: 90

Re: problem finding offset for this multilevel pointers

Post by sbryzl »

Looks like the offset is 212B791CFC. 18046970000 is likely a base address.

bachou
Expert Cheater
Posts: 155
Joined: Wed Mar 08, 2017 3:18 pm
Reputation: 1

Re: problem finding offset for this multilevel pointers

Post by bachou »

Isn't that too long for an offset? Do I still proceed like in the tutorial, or is there something different here?

sbryzl
Expert Cheater
Posts: 143
Joined: Sat Mar 04, 2017 4:47 am
Reputation: 90

Re: problem finding offset for this multilevel pointers

Post by sbryzl »

It's an unusual offset, but whatever works. I would suspect there is another base address and offset which is closer to that memory space. It looks like an emulator, so that base address could be for everything. There could be other base addresses for each memory space.

GreenHouse
Expert Cheater
Posts: 857
Joined: Fri Oct 12, 2018 10:25 pm
Reputation: 889

Re: problem finding offset for this multilevel pointers

Post by GreenHouse »

I rarely find these, but if you want to mov the address into an alloc, you could take the first example you showed and do:

Code: Select all

mov r13d,[r12+rax]       // original instruction, still loads the value
add rax,r12              // rax = r12+rax, the address that was just read
mov [yourAlloc],rax      // save that address in your allocated memory
mov rax,[r15+00000310]   // original next instruction; it reloads rax, so the clobber above needs no restore
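As an added worked example (not code from the thread or from Cheat Engine): the script below reads the register lines from bachou's two dumps, computes the address that `[r12+rax]` actually touched, checks sbryzl's reading of R12 as base and RAX as offset, resolves that as a Cheat Engine-style pointer path, and then steps GreenHouse's four-instruction stub to show that the alloc ends up holding the same address and rax is reloaded by the original `mov rax,[r15+00000310]`. Two things fall straight out of the dumps: both instructions hit the same address (RAX and R12 are identical in both), the first reading a dword of 0 and the second writing 0xC8 (200), and the access is 32-bit (`r13d`), so the game touches 4 bytes at that spot even if only 2 are wanted. The static address holding R12's value, the alloc address, the contents of `[r15+310]`, the `FakeMemory` class and the tiny instruction stepper are all constructed for the example.

```python
# Added example, not code from the thread: reads the two Cheat Engine dumps
# bachou posted, works out the address the instruction touched, checks
# sbryzl's base/offset reading, and traces GreenHouse's injected stub.
import re

MASK64 = (1 << 64) - 1

# Register lines copied from the two dumps in the thread (first = the read at
# 1A2372D201D, second = the write at 1A2372D21F2). The parser accepts the full
# block; only RAX, R12, R13 and R15 matter here.
READ_DUMP = """RAX=000000212B791CFC
R12=0000018046970000
R13=0000000000000000
R15=000001A23339C0B0
RIP=000001A2372D2021"""

WRITE_DUMP = """RAX=000000212B791CFC
R12=0000018046970000
R13=00000000000000C8
R15=000001A23339C0B0
RIP=000001A2372D21F6"""


def parse_regs(dump):
    """Turn Cheat Engine's 'REG=hex' lines into {name: int}."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^\s*([A-Z][A-Z0-9]*)=([0-9A-Fa-f]+)\s*$", dump, re.M)}


def effective_address(regs, base="R12", index="RAX", disp=0):
    """Address of an x64 [base+index+disp] operand such as [r12+rax]."""
    return (regs[base] + regs[index] + disp) & MASK64


def split_base_offset(regs):
    """sbryzl's reading of the dump: R12 is the base pointer, RAX the offset."""
    return regs["R12"], regs["RAX"]


def accessed_value_32(regs):
    """RIP in the dump already points at the next instruction, so the registers
    are post-execution: r13d holds the dword that was read (first dump) or that
    was written (second dump). mov r13d zero-extends, so the low 32 bits suffice."""
    return regs["R13"] & 0xFFFFFFFF


class FakeMemory:
    """Byte-addressed scratch memory standing in for the game process (constructed)."""
    def __init__(self):
        self._bytes = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self._bytes[addr + i] = b

    def read(self, addr, size):
        return bytes(self._bytes.get(addr + i, 0) for i in range(size))

    def read_u16(self, addr): return int.from_bytes(self.read(addr, 2), "little")
    def read_u32(self, addr): return int.from_bytes(self.read(addr, 4), "little")
    def read_u64(self, addr): return int.from_bytes(self.read(addr, 8), "little")


def resolve_pointer_path(mem, static_addr, offsets):
    """Cheat Engine-style pointer: read [static], then [addr+off] for every
    offset but the last; adding the last offset gives the final address."""
    addr = mem.read_u64(static_addr)
    for off in offsets[:-1]:
        addr = mem.read_u64(addr + off)
    return addr + offsets[-1]


def trace_alloc_stub(regs, mem, alloc_addr):
    """Step GreenHouse's four-instruction stub over a register/memory snapshot
    (a hand-written stepper for exactly these instructions, not CE's)."""
    r = dict(regs)
    r["R13"] = mem.read_u32(r["R12"] + r["RAX"])            # mov r13d,[r12+rax]  (original)
    r["RAX"] = (r["RAX"] + r["R12"]) & MASK64               # add rax,r12         (rax clobbered)
    mem.write(alloc_addr, r["RAX"].to_bytes(8, "little"))   # mov [yourAlloc],rax
    r["RAX"] = mem.read_u64(r["R15"] + 0x310)               # mov rax,[r15+310]   (original; reloads rax)
    return r


def demo():
    regs = parse_regs(READ_DUMP)
    target = effective_address(regs)
    mem = FakeMemory()
    # Hypothetical static address that a pointer scan would find holding R12's
    # value, a hypothetical alloc, and made-up contents for [r15+310].
    STATIC, ALLOC = 0x7FF6_1234_5000, 0x1A2_3700_0000
    mem.write(STATIC, regs["R12"].to_bytes(8, "little"))
    mem.write(regs["R15"] + 0x310, (0x1111_2222).to_bytes(8, "little"))
    mem.write(target, (0xC8).to_bytes(4, "little"))  # the dword the second dump wrote
    via_static = resolve_pointer_path(mem, STATIC, [regs["RAX"]])
    after = trace_alloc_stub(regs, mem, ALLOC)
    via_alloc = resolve_pointer_path(mem, ALLOC, [0])   # one-level pointer through the alloc
    return {"target": target, "via_static": via_static, "via_alloc": via_alloc,
            "exp_u16": mem.read_u16(via_alloc), "r13": after["R13"], "rax": after["RAX"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>10} = {v:#x}")
```

Running it shows the accessed address is 0x18046970000 + 0x212B791CFC = 0x1A172101CFC, and that the same address comes out whether you go through a static address that holds R12's value plus the large offset, or through the alloc GreenHouse's stub fills in with a single zero offset. The arithmetic does not care how large the offset is; what matters for a pointer to keep working is whether the base in R12 stays stable across runs, which is the question sbryzl raises about the emulator's memory spaces.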
