Using only address bytes from mov aob

gibberishh
Table Makers
Posts: 331
Joined: Fri Jul 02, 2021 5:48 pm
Reputation: 226

Post by gibberishh »

I want to use the hardcoded address from a mov instruction so that I can build my own instructions around it.

Program's code:

Code:

A1 D43BFC01     mov eax,[Testgame.exe+BC3BD4] // [Testgame.exe+BC3BD4] changes with every update

I want to extract only D43BFC01 from this and inject that into my code.

My intended code:

Code:

mov [Testgame.exe+BC3BD4],#50000

I tried using things like readmem and reassemble, but they don't work. I'm not sure, but I think they expect to have complete instructions stored within them.
What I tried (heavily edited for readability, there's other code around it and all of it works properly as long as I use the hardcoded address):

Code:

aobscanmodule(findAdr,$process,A1 ?? ?? ?? ?? 53 56 57 8B)
alloc(foundAdr,4)

foundAdr:
  readmem(findAdr+1,4)
...
...
newmem:
  db C7 05     // I got these bytes from memory view of actual working code
  readmem(foundAdr,4)
  db 50 C3 00 00

Any help will be greatly appreciated. I would prefer asm code, but feel free to point me to lua code if that is the only way. Thanks in advance.

ShyTwig16
Expert Cheater
Posts: 335
Joined: Thu Apr 06, 2017 7:14 pm
Reputation: 19

Re: Using only address bytes from mov aob

Post by ShyTwig16 »

gibberishh wrote:
Fri Jan 21, 2022 5:58 am
I want to use the hardcoded address from a mov instruction so that I can build my own instructions around it.

Program's code:

Code:

A1 D43BFC01     mov eax,[Testgame.exe+BC3BD4] // [Testgame.exe+BC3BD4] changes with every update

I want to extract only D43BFC01 from this and inject that into my code.

My intended code:

Code:

mov [Testgame.exe+BC3BD4],#50000

I tried using things like readmem and reassemble, but they don't work. I'm not sure, but I think they expect to have complete instructions stored within them.
What I tried (heavily edited for readability, there's other code around it and all of it works properly as long as I use the hardcoded address):

Code:

aobscanmodule(findAdr,$process,A1 ?? ?? ?? ?? 53 56 57 8B)
alloc(foundAdr,4)

foundAdr:
  readmem(findAdr+1,4)
...
...
newmem:
  db C7 05     // I got these bytes from memory view of actual working code
  readmem(foundAdr,4)
  db 50 C3 00 00

Any help will be greatly appreciated. I would prefer asm code, but feel free to point me to lua code if that is the only way. Thanks in advance.

It has to do with how the instruction bytes are stored vs. how a value is stored. If you look at the bytes and the address's offset you will notice the bytes are backwards. The first byte for the address is 0xD4 and the last two digits for the offset are 0xD4, and the next byte is 0x3B and the second from the last digits are 0x3B. If you look at the address for "Testgame.exe+BC3BD4" it'll be 0x01FC3BD4. So you need to reverse the byte order. Or you can use Lua and readInteger, but for that you would also need to use Lua for the aob scan or separate things out so the first part can run and complete before using the "findAdr" symbol, plus you would need to register that symbol so you could use it in the second script where you use Lua to read the integer value. And know that either of these options will only work in a 32 bit process; in a 64 bit process it's a little more complicated.

gibberishh
Table Makers
Posts: 331
Joined: Fri Jul 02, 2021 5:48 pm
Reputation: 226

Re: Using only address bytes from mov aob

Post by gibberishh »

ShyTwig16 wrote:
Fri Jan 21, 2022 6:19 am
It has to do with how the instruction bytes are stored vs. how a value is stored. If you look at the bytes and the addresses offset you will notice the bytes are backwards.
Thanks... but I'm actually trying to use the backwards (or reversed) bytes. To avoid any issues with the reversal, I'm using db instead of mov to spit out the bytes (instead of opcode) in the allocated memory region. The opcode was for reference only. If you look at the code I tried using:

Code:

        // scanned aob =        A1    D4 3B FC 01    53 56 57 8B
newmem: // expected output = C7 05    D4 3B FC 01    50 C3 00 00
  db C7 05
  readmem(foundAdr,4)
  db 50 C3 00 00

UPDATE: Got it working! :D Instead of using foundAdr, I'm using readmem(findAdr+1,4) in my code block. foundAdr isn't required at all!

Working code:

Code:

aobscanmodule(findAdr,$process,A1 ?? ?? ?? ?? 53 56 57 8B)
// alloc(foundAdr,4)       // Not required because I'm using the bytes within ENABLE
// foundAdr:               // Not required because I'm using the bytes within ENABLE
//  readmem(findAdr+1,4)   // Not required because I'm using the bytes within ENABLE
...
...
newmem:
  db C7 05
  readmem(findAdr+1,4)
  db 50 C3 00 00
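The byte-order point ShyTwig16 makes and the splice gibberishh ends up with (copy the four displacement bytes after the A1 opcode unchanged into C7 05 disp32 imm32) can be checked outside Cheat Engine. The Python below is an added stand-alone illustration, not code from the thread and not Cheat Engine auto-assembler or Lua: the SCANNED bytes are constructed from the post's AOB pattern, TESTGAME_BASE is a constructed module base chosen so that base+BC3BD4 equals 0x01FC3BD4, and build_store_imm32_x64 goes beyond the thread (which only covers 32-bit) to show why the same splice is not valid in a 64-bit process, where C7 05 is RIP-relative.

```python
"""Decode the disp32 of `mov eax,[addr]` (A1 xx xx xx xx) and splice it into
`mov dword ptr [addr],imm32` (C7 05 xx xx xx xx yy yy yy yy), the byte-level
operation the thread's auto-assembler script performs with readmem(findAdr+1,4).
Added illustration; not Cheat Engine code."""
import struct

# Constructed sample: the bytes the post's pattern A1 ?? ?? ?? ?? 53 56 57 8B matches.
# A1 D4 3B FC 01 = mov eax,[01FC3BD4]; 53 push ebx; 56 push esi; 57 push edi; 8B mov ...
SCANNED = bytes.fromhex("A1 D4 3B FC 01 53 56 57 8B")
# Constructed module base (assumption), chosen so base + 0xBC3BD4 == 0x01FC3BD4.
TESTGAME_BASE = 0x01400000


def extract_disp32(scanned: bytes) -> bytes:
    """Return the 4 address bytes that follow the A1 opcode, still in memory order.
    This is exactly what readmem(findAdr+1,4) copies in the auto-assembler script."""
    if len(scanned) < 5 or scanned[0] != 0xA1:
        raise ValueError("expected A1 (mov eax,[moffs32]) at the scan result")
    return scanned[1:5]


def decode_address(disp: bytes) -> int:
    """Interpret the 4 bytes as the little-endian integer they encode:
    D4 3B FC 01 -> 0x01FC3BD4, the 'backwards' bytes ShyTwig16 describes."""
    return struct.unpack("<I", disp)[0]


def module_offset(address: int, base: int) -> int:
    """Absolute address back to the module-relative offset shown in the disassembly."""
    return address - base


def build_store_imm32(disp: bytes, value: int) -> bytes:
    """C7 05 disp32 imm32 == mov dword ptr [disp32],imm32 in 32-bit mode.
    The displacement is passed through untouched; only the immediate is encoded."""
    if len(disp) != 4:
        raise ValueError("disp32 must be exactly 4 bytes")
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("imm32 out of range")
    return b"\xC7\x05" + disp + struct.pack("<I", value)


def build_store_imm32_x64(target: int, instr_addr: int, value: int) -> bytes:
    """64-bit variant (beyond the thread): in 64-bit mode C7 05 means
    mov dword ptr [rip+disp32],imm32, so the field is the distance from the
    end of this 10-byte instruction to the target, not the absolute address.
    Copying the scanned bytes through, as in 32-bit mode, would store to the wrong place."""
    rel = target - (instr_addr + 10)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target not reachable with a RIP-relative disp32")
    return b"\xC7\x05" + struct.pack("<i", rel) + struct.pack("<I", value)


if __name__ == "__main__":
    disp = extract_disp32(SCANNED)
    addr = decode_address(disp)
    print(f"disp32 bytes : {disp.hex(' ').upper()}")
    print(f"address      : {addr:#010x}  (Testgame.exe+{module_offset(addr, TESTGAME_BASE):X})")
    print(f"new bytes    : {build_store_imm32(disp, 50000).hex(' ').upper()}")
```

Running it prints disp32 bytes D4 3B FC 01, address 0x01fc3bd4 (Testgame.exe+BC3BD4) and the spliced instruction C7 05 D4 3B FC 01 50 C3 00 00, matching the expected output gibberishh wrote in the comment above the db lines; 50000 decimal is 0xC350, which is why the immediate appears as 50 C3 00 00.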
