I have 3 characters. They all have a set amount of movement points per turn. I scan for what accesses it. I select an instruction that writes 1 to 1 when movement points are added or removed. Show in disassembler. Scan for what addresses this instruction accesses, and there are 3, as you'd expect, for my 3 characters.
Now I want to use the fact that this instruction is used on these 3 addresses to my advantage. I want to be able to write code that saves the base address of all 3 characters from this instruction into memory so that I can register them as variables, call them in the table and nest offsets underneath them.
Here is an example code to show you what I'm trying and failing to do:
In this case, whenever the instruction fires, the RAX register contains the base address of the currently controlled character. When I end the turn and the instruction fires, I want CE to save the remaining addresses into [ptr+8] and [ptr+10].
Code:
[ENABLE]
aobscan(baseptr,48 8B C8 48 8B 45 E8 89 88 48 01 00 00)
alloc(newmem,$100,baseptr)
label(code)
label(return)
label(ptr)

newmem:
  push rbx
  mov rbx,ptr          // rbx is loaded but never used; push/pop rbx only preserve it
  mov [ptr],rax        // rax = base address of the character being updated
code:
  mov [rax+00000148],ecx   // original instruction
  pop rbx
  jmp return

ptr:
  dq 0                 // [ptr]    - the only slot this script writes
  dq 0                 // [ptr+8]
  dq 0                 // [ptr+10]

baseptr+07:            // 48 8B C8 (3 bytes) + 48 8B 45 E8 (4 bytes) = 7
  jmp newmem
  nop                  // jmp is 5 bytes, original instruction is 6
return:
registersymbol(baseptr)
registersymbol(ptr)

[DISABLE]
baseptr+07:
  db 89 88 48 01 00 00
unregistersymbol(baseptr)
unregistersymbol(ptr)
dealloc(newmem)
Currently this script only updates [ptr] (the first dq 0) whenever the instruction fires.
Any ideas on how to modify this script so that instead of overwriting the first dq 0, it overflows to the next dq? So that essentially I'd only need to call [ptr+08] from the table.
I managed to somehow pull this off once before but I just can't remember, and it's late, and I'm getting frustrated at my stupidity and it's time to ask for help.
Also if anyone has other suggestions on more efficient ways to save base addresses as variables via injection/aob feel free to share your dirty little secrets ;D
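Editor's added example, not the poster's script: one way to get the behaviour asked for above (each distinct RAX lands in its own slot instead of always overwriting [ptr]) is to compare RAX against the three slots on every hit and only write it into the first slot that is still zero. It assumes the same AOB, the same +07 injection offset and the same original instruction (mov [rax+00000148],ecx) as the posted script; the slot layout is [ptr], [ptr+8], [ptr+10] (CE treats offsets as hex, so +10 is the third qword). The flags are saved and restored because the compares clobber them and the original code after the hook may still depend on them.

```asm
[ENABLE]
aobscan(baseptr,48 8B C8 48 8B 45 E8 89 88 48 01 00 00)   // same AOB as the post (assumption)
alloc(newmem,$100,baseptr)
label(code)
label(return)
label(ptr)
label(slot1)
label(slot2)
registersymbol(baseptr)
registersymbol(ptr)

newmem:
  pushf                       // cmp below changes flags; keep the game's flags intact
  // Already recorded? Then do nothing (keeps the three slots distinct).
  cmp [ptr],rax
  je code
  cmp [ptr+8],rax
  je code
  cmp [ptr+10],rax
  je code
  // New address: put it in the first slot that is still zero.
  cmp qword ptr [ptr],0
  jne slot1
  mov [ptr],rax
  jmp code
slot1:
  cmp qword ptr [ptr+8],0
  jne slot2
  mov [ptr+8],rax
  jmp code
slot2:
  cmp qword ptr [ptr+10],0
  jne code                    // all three slots full: ignore any further address
  mov [ptr+10],rax
code:
  popf
  mov [rax+00000148],ecx      // original instruction (from the post)
  jmp return

ptr:
  dq 0                        // [ptr]    character 1
  dq 0                        // [ptr+8]  character 2
  dq 0                        // [ptr+10] character 3

baseptr+07:
  jmp newmem
  nop
return:

[DISABLE]
baseptr+07:
  db 89 88 48 01 00 00
unregistersymbol(baseptr)
unregistersymbol(ptr)
dealloc(newmem)
```

In the table, add three pointer entries with base address ptr, ptr+8 and ptr+10 and an offset of 0 (or the field offset, e.g. 148 for the value this instruction writes) and nest further offsets under them. The slots are only zeroed when the script is (re)enabled, so after a reload or when a character is destroyed and recreated the old addresses stay until you toggle the script; and if the same instruction ever runs for more than three objects (enemies, summons), the first three to move win and anything else is dropped, so in that case add a check on some field that distinguishes your own characters before storing RAX.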