
Can you please check my pointer script why it's crashing

Posted: Sun Nov 07, 2021 1:22 pm
by Blackrosemmt
Can you guys please check why my pointer script is crashing? I added invalid to filter out invalid pointers.

Code:

[ENABLE]

alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(invalid)
globalalloc(_health,4)

newmem:

push eax
mov eax,["game.exe"+00C23CA0]    // main pointer
test eax,eax
je invalid

mov eax,[eax+0]                  // first offset 0
test eax,eax
je invalid

mov eax,[eax+40]                 // second offset 40
test eax,eax
je invalid

mov eax,[eax+4]                  // third offset 4
test eax,eax
je invalid

mov eax,[eax+FC]                 // fourth offset FC
test eax,eax
je invalid

mov eax,[eax+3C]                 // fifth offset 3C
test eax,eax
je invalid

lea eax,[eax+44]                 // final offset 44 (computes the address, no read)
test eax,eax
je invalid

mov [_health],eax                // store the final address for the pointer record
pop eax

jmp returnhere


invalid:
pop eax
jmp returnhere


originalcode:

mov ecx,[esi+44]
mov [esi+000000C4],ecx

exit:
jmp returnhere

"game.exe"+2CA201:
jmp newmem
nop 4
returnhere:

Re: Can you please check my pointer script why it's crashing

Posted: Sun Nov 07, 2021 3:42 pm
by GreenHouse
A test won't filter out invalid pointers. There's no way of doing that in ASM.
So, in that script you move [eax] into eax; let's say that it's a 1, and you test it. That will already return as true, so you'll go on and try to access inside it, but it's not a pointer, so it will crash.

Re: Can you please check my pointer script why it's crashing

Posted: Sun Nov 07, 2021 5:03 pm
by Blackrosemmt
Moving [eax] into eax will test that the register/pointer is not null/invalid, so if it's null it will jump to invalid; otherwise it will continue to the next function.

Re: Can you please check my pointer script why it's crashing

Posted: Sun Nov 07, 2021 5:11 pm
by aSwedishMagyar
If you already know the base, why not just make a pointer record with it? There's also no reason to do it the way you have with assembly since you can accomplish the same thing using lua with the ability to check if the pointer is valid at each stage as well.

Also, you completely ignored what GreenHouse said. test will only satisfy the jump-if-equal when the argument is 0; if it is non-zero it will not work.

Re: Can you please check my pointer script why it's crashing

Posted: Sun Nov 07, 2021 8:36 pm
by GreenHouse
Blackrosemmt wrote:
Sun Nov 07, 2021 5:03 pm
moving [eax] inside eax will test the register / pointer is not null/invalid so if null then will jump to invalid address otherwise it will continue to next function
A mov doesn't test the register. Trying to access something that doesn't exist will always crash the game. If you do mov eax,[eax] and inside [eax] there's a 0x1, the next test won't say that it's invalid, because it's not a 0. So on the next mov, it'll try to access something inside 0x1, which is not a pointer, so there's nothing to check and it will crash.

Re: Can you please check my pointer script why it's crashing

Posted: Sun Nov 07, 2021 9:11 pm
by Blackrosemmt
Actually, I was using the same instructions as I saw on another website to check if the pointer is valid; here is the link:

[Link]

The main thing I want to do is reach the value by making a pointer from the script, because I couldn't make a compare through these offsets below. If you have any other method, can you please suggest it?

["game.exe"+00C23CA0]
0
40
4
FC
3C
44

Re: Can you please check my pointer script why it's crashing

Posted: Sun Nov 07, 2021 9:19 pm
by LeFiXER
Find the top-most level in the pointer chain where the pointer is passed to a register, then pull it using AOB injection:

Code:

[ENABLE]
aobscan(aobPointer, [aob])
alloc(newmem,$1000,aobPointer)
alloc(myPointer,8) // Use 4 if it's 32-bit

label(code)
label(return)

newmem:
  mov [myPointer],eax // or whichever register the pointer is held in

code:
  // original instructions
  jmp return

aobPointer:
  jmp newmem
  nop 3

return:
  registersymbol(aobPointer)
  registersymbol(myPointer)

[DISABLE]

aobPointer:
  db // original bytes (will be the same as the aob)

unregistersymbol(aobPointer)
unregistersymbol(myPointer)
dealloc(newmem)
dealloc(myPointer)

Re: Can you please check my pointer script why it's crashing

Posted: Mon Nov 29, 2021 1:21 pm
by ShyTwig16
While test ?,? can kind of work to test pointers, all you really tend to do is test for zero. And with a lot of games this will work, but as it's been pointed out it's not actually testing the pointer. To test the pointer you need to use [Link].

Code:

push 4 // The size of the memory block, in bytes. If this parameter is zero, the return value is zero.
	// So 32 bit process is 4 bytes, and 64 bit process is 8 bytes.
push ecx // A pointer to the first byte of the memory block.
call isbadreadptr
cmp eax,0 // EAX is the return
	// If the calling process has read access to all bytes in the specified memory range, the return value is zero.
	// If the calling process does not have read access to all bytes in the specified memory range, the return value is nonzero.
jne badpointer_lbl

Re: Can you please check my pointer script why it's crashing

Posted: Tue Nov 30, 2021 1:29 pm
by Eric
or:

Code:

[ENABLE]

alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(invalid)
globalalloc(_health,4)

newmem:

push eax
{$try}                           // any access violation below lands in {$except}
mov eax,["game.exe"+00C23CA0]    // main pointer
test eax,eax
je invalid

mov eax,[eax+0]                  // first offset 0
test eax,eax
je invalid

mov eax,[eax+40]                 // second offset 40
test eax,eax
je invalid

mov eax,[eax+4]                  // third offset 4
test eax,eax
je invalid

mov eax,[eax+FC]                 // fourth offset FC
test eax,eax
je invalid

mov eax,[eax+3C]                 // fifth offset 3C
test eax,eax
je invalid

lea eax,[eax+44]                 // final offset 44 (computes the address, no read)
test eax,eax
je invalid

mov [_health],eax                // store the final address for the pointer record
pop eax

jmp returnhere

{$except}                        // exception handler: restore eax and carry on
invalid:
pop eax
jmp returnhere


originalcode:

mov ecx,[esi+44]
mov [esi+000000C4],ecx

exit:
jmp returnhere

"game.exe"+2CA201:
jmp newmem
nop 4
returnhere:
Also, are you sure that the value of ecx isn't used further down the code? originalcode is never executed.
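Added example, not from any of the posts above: a small C program for a 64-bit Linux/POSIX host (a normal user program, not a CE script) that walks the exact offset chain from the opening post over constructed memory and contrasts the three guards this thread discusses. The nonzero test is what the script's test eax,eax / je invalid does; the readability check stands in for ShyTwig16's IsBadReadPtr and is emulated here with write() into a pipe, since IsBadReadPtr is Windows-only (and Microsoft marks it obsolete: it races with other threads unmapping memory, so it is a best-effort check, not a guarantee); the fault-catching walk stands in for Eric's {$try}/{$except}, emulated with a SIGSEGV handler and siglongjmp. The six objects, the value 100 stored at the health address, and every function name are constructed for the demo and assume nothing about the real game.

```c
/* Added example: the chain [[[[[[base]+0]+40]+4]+FC]+3C]+44 from the post,
 * walked over constructed memory with three different guards. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The five dereferenced offsets from the post; the final +0x44 is a lea, not a read. */
static const size_t kOffsets[] = { 0x0, 0x40, 0x4, 0xFC, 0x3C };
static const size_t kFinalOffset = 0x44;
enum walk_status { WALK_OK, WALK_INVALID, WALK_FAULTED };

/* check(ptr, off, n): may we read n bytes at ptr+off? */
typedef int (*check_fn)(uintptr_t ptr, size_t off, size_t n);

/* What `test eax,eax / je invalid` actually checks: only that the value is nonzero.
 * A garbage value such as 1 passes this check. */
static int null_only(uintptr_t ptr, size_t off, size_t n) { (void)off; (void)n; return ptr != 0; }

/* POSIX stand-in for IsBadReadPtr: ask the kernel to copy the bytes into a pipe.
 * write() fails with EFAULT if any byte of the range is not readable. Slow, but
 * good enough to show the difference. */
static int readable(uintptr_t ptr, size_t off, size_t n) {
    int fds[2];
    if (pipe(fds) != 0) return 0;
    ssize_t w = write(fds[1], (const void *)(ptr + off), n);
    close(fds[0]); close(fds[1]);                 /* discard the copied bytes */
    return w == (ssize_t)n;
}

static uintptr_t load_ptr(uintptr_t addr) {      /* unaligned read; faults on a bad address */
    uintptr_t v; memcpy(&v, (const void *)addr, sizeof v); return v;
}

/* The script's logic: read the static base, then for every offset run the guard
 * and dereference. On success *out is the address the script stores in _health. */
static enum walk_status walk_chain(const uintptr_t *base_slot, check_fn check, uintptr_t *out) {
    uintptr_t val = *base_slot;                   /* mov eax,["game.exe"+00C23CA0] */
    for (size_t i = 0; i < sizeof kOffsets / sizeof kOffsets[0]; i++) {
        if (!check(val, kOffsets[i], sizeof val)) return WALK_INVALID;   /* je invalid */
        val = load_ptr(val + kOffsets[i]);        /* mov eax,[eax+off] */
    }
    if (val == 0) return WALK_INVALID;
    *out = val + kFinalOffset;                    /* lea eax,[eax+44] */
    return WALK_OK;
}

/* Analogue of CE's {$try}/{$except}: catch the access violation instead of
 * predicting it. siglongjmp out of a handler for a synchronous fault is the
 * usual idiom, though not strictly portable. The walk inside uses null checks
 * only, exactly like the original script. */
static sigjmp_buf g_fault_env;
static void on_sigsegv(int sig) { (void)sig; siglongjmp(g_fault_env, 1); }

static enum walk_status walk_chain_catching_faults(const uintptr_t *base_slot, uintptr_t *out) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigsegv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    enum walk_status st;
    if (sigsetjmp(g_fault_env, 1) == 0)
        st = walk_chain(base_slot, null_only, out);
    else
        st = WALK_FAULTED;                        /* the {$except} path */
    sigaction(SIGSEGV, &old, NULL);
    return st;
}

/* Constructed memory: six 0x140-byte objects linked along the chain. With poison
 * set, the slot at +0x4 holds the value 1 instead of a pointer (GreenHouse's case). */
#define OBJ_SIZE 0x140
static unsigned char g_objs[6][OBJ_SIZE];
static uintptr_t g_base_slot;                     /* plays the role of game.exe+00C23CA0 */

static void put_ptr(unsigned char *obj, size_t off, uintptr_t v) { memcpy(obj + off, &v, sizeof v); }

static const uintptr_t *build_chain(int poison) {
    memset(g_objs, 0, sizeof g_objs);
    g_base_slot = (uintptr_t)g_objs[0];
    put_ptr(g_objs[0], 0x0,  (uintptr_t)g_objs[1]);
    put_ptr(g_objs[1], 0x40, (uintptr_t)g_objs[2]);
    put_ptr(g_objs[2], 0x4,  poison ? (uintptr_t)1 : (uintptr_t)g_objs[3]);
    put_ptr(g_objs[3], 0xFC, (uintptr_t)g_objs[4]);
    put_ptr(g_objs[4], 0x3C, (uintptr_t)g_objs[5]);
    int32_t health = 100;                         /* constructed health value */
    memcpy(g_objs[5] + 0x44, &health, sizeof health);
    return &g_base_slot;
}

static uintptr_t expected_health_addr(void) { return (uintptr_t)g_objs[5] + 0x44; }
static int32_t health_at(uintptr_t addr) { int32_t h; memcpy(&h, (const void *)addr, sizeof h); return h; }

int main(void) {
    uintptr_t addr = 0;
    const uintptr_t *base = build_chain(1);
    printf("null_only accepts 1: %d, readable accepts 1: %d\n", null_only(1, 0x40, 8), readable(1, 0x40, 8));
    printf("IsBadReadPtr-style walk on poisoned chain: %d (1 = invalid)\n", walk_chain(base, readable, &addr));
    printf("try/except-style walk on poisoned chain: %d (2 = faulted)\n", walk_chain_catching_faults(base, &addr));
    /* walk_chain(base, null_only, &addr) with no handler would crash here, as in the post. */
    base = build_chain(0);
    if (walk_chain(base, readable, &addr) == WALK_OK) printf("health = %d\n", health_at(addr));
    return 0;
}
```

Run it and the poisoned chain is rejected by the readability check before the bad read and caught by the handler after it, while the nonzero test lets the value 1 through; that is the crash the thread is about. The pipe trick and the signal handler are host-side stand-ins, not something to paste into a CE script; in the target process the equivalents are IsBadReadPtr (or VirtualQuery) and {$try}/{$except}.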

Re: Can you please check my pointer script why it's crashing

Posted: Thu Sep 14, 2023 4:36 am
by guy960915
mov [_health],eax
pop eax
jmp returnhere <-- Change this to jmp originalcode

invalid:
pop eax
jmp returnhere <--- Remove this

originalcode:
mov ecx,[esi+44]
mov [esi+000000C4],ecx

//================================================
Best is this:

Change all "je invalid" to "je originalcode"
Remove "label(invalid)", no longer needed

mov [_health],eax
<-- remove "jmp returnhere"
originalcode:
pop eax <-- move pop eax here
mov ecx,[esi+44]
mov [esi+000000C4],ecx