Using only address bytes from mov aob

Posted: Fri Jan 21, 2022 5:58 am
by gibberishh
I want to use the hardcoded address from a mov instruction so that I can build my own instructions around it.

Program's code:

A1 D43BFC01     mov eax,[Testgame.exe+BC3BD4] // [Testgame.exe+BC3BD4] changes with every update
I want to extract only D43BFC01 from this and inject that into my code.

My intended code:

mov [Testgame.exe+BC3BD4],#50000
I tried using things like readmem and reassemble, but they don't work. I'm not sure, but I think they expect to have complete instructions stored within them.
What I tried (heavily edited for readability, there's other code around it and all of it works properly as long as I use the hardcoded address):

aobscanmodule(findAdr,$process,A1 ?? ?? ?? ?? 53 56 57 8B)
alloc(foundAdr,4)

foundAdr:
  readmem(findAdr+1,4)
...
...
newmem:
  db C7 05     // I got these bytes from memory view of actual working code
  readmem(foundAdr,4)
  db 50 C3 00 00
Any help will be greatly appreciated. I would prefer asm code, but feel free to point me to lua code if that is the only way. Thanks in advance.

Re: Using only address bytes from mov aob

Posted: Fri Jan 21, 2022 6:19 am
by ShyTwig16
It has to do with how the instruction bytes are stored vs. how a value is stored. If you look at the bytes and the address's offset you will notice the bytes are backwards. The first byte for the address is 0xD4 and the last two digits for the offset are 0xD4, and the next byte is 0x3B and the second from the last digits are 0x3B. If you look at the address for "Testgame.exe+BC3BD4" it'll be 0x01FC3BD4. So you need to reverse the byte order.

Or you can use Lua and readInteger, but for that you would also need to use Lua for the aob scan, or separate things out so the first part can run and complete before using the "findAdr" symbol, plus you would need to register that symbol so you could use it in the second script where you use Lua to read the integer value. And know that either of these options will only work in a 32 bit process; in a 64 bit process it's a little more complicated.

Re: Using only address bytes from mov aob

Posted: Fri Jan 21, 2022 7:50 am
by gibberishh
ShyTwig16 wrote:
Fri Jan 21, 2022 6:19 am
It has to do with how the instruction bytes are stored vs. how a value is stored. If you look at the bytes and the addresses offset you will notice the bytes are backwards.
Thanks... but I'm actually trying to use the backwards (or reversed) bytes. To avoid any issues with the reversal, I'm using db instead of mov to spit out the bytes (instead of opcode) in the allocated memory region. The opcode was for reference only. If you look at the code I tried using:

        // scanned aob =        A1    D4 3B FC 01    53 56 57 8B
newmem: // expected output = C7 05    D4 3B FC 01    50 C3 00 00
  db C7 05
  readmem(foundAdr,4)
  db 50 C3 00 00
UPDATE: Got it working! :D Instead of using foundAdr, I'm using readmem(findAdr+1,4) in my code block. foundAdr isn't required at all!

Working code:

aobscanmodule(findAdr,$process,A1 ?? ?? ?? ?? 53 56 57 8B)
// alloc(foundAdr,4)       // Not required because I'm using the bytes within ENABLE
// foundAdr:               // Not required because I'm using the bytes within ENABLE
//  readmem(findAdr+1,4)   // Not required because I'm using the bytes within ENABLE
...
...
newmem:
  db C7 05              // mov dword ptr [disp32],imm32
  readmem(findAdr+1,4)  // the 4 address bytes following opcode A1, copied as-is (already little-endian)
  db 50 C3 00 00        // imm32 = 50000 (0xC350), little-endian
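The byte-order point from ShyTwig16's reply and the working-script result above, worked through as an added example. This is not code from the thread or from Cheat Engine; it is a stand-alone Python model of the bytes involved, and it also covers the 64-bit case the reply only mentions: x64 code usually reaches a global through a RIP-relative displacement, so the four displacement bytes cannot be copied verbatim into newmem and must be recomputed for the new instruction's address. The sample bytes are the ones quoted in the thread; the 64-bit addresses (image base 0x140000000, instruction at 0x140001000, newmem at 0x140F00000) are assumptions for illustration.

```python
import struct

# Constructed sample (from the thread): bytes the AOB scan finds in a 32-bit process.
#   A1 D4 3B FC 01   mov eax,[01FC3BD4]     (Testgame.exe+BC3BD4)
#   53 56 57 8B ..   push ebx / push esi / push edi / mov ...
SCANNED_32 = bytes.fromhex("A1 D4 3B FC 01 53 56 57 8B")


def disp32_from_mov_eax_moffs(code: bytes) -> int:
    """Address encoded in 'A1 disp32' (mov eax,[moffs32]) in a 32-bit process.

    The four bytes after A1 are little-endian, so D4 3B FC 01 is the value
    0x01FC3BD4.  Reading them as an integer (Cheat Engine's readInteger) gives
    that value; readmem(findAdr+1,4) copies the same four bytes unchanged.
    """
    if len(code) < 5 or code[0] != 0xA1:
        raise ValueError("expected opcode A1 (mov eax,[moffs32])")
    return struct.unpack_from("<I", code, 1)[0]


def encode_mov_mem32_imm32(addr: int, imm: int) -> bytes:
    """'mov dword ptr [addr],imm' as C7 05 disp32 imm32 (32-bit process, absolute disp32)."""
    if not 0 <= addr <= 0xFFFFFFFF or not 0 <= imm <= 0xFFFFFFFF:
        raise ValueError("addr and imm must fit in 32 bits")
    return b"\xC7\x05" + struct.pack("<I", addr) + struct.pack("<I", imm)


def build_store_32(code: bytes, imm: int) -> bytes:
    """What the working script emits: db C7 05 / readmem(findAdr+1,4) / db <imm32 LE>."""
    return encode_mov_mem32_imm32(disp32_from_mov_eax_moffs(code), imm)


# --- 64-bit process: the same idea needs address arithmetic -----------------
# x64 code normally reads a global as 'mov eax,[rip+rel32]' = 8B 05 rel32 (6 bytes)
# and writes it as 'mov dword ptr [rip+rel32],imm32' = C7 05 rel32 imm32 (10 bytes).
# rel32 is relative to the END of its own instruction, so copying the four bytes
# verbatim into newmem points somewhere else; the displacement must be recomputed.

def target_from_rip_relative(instr_addr: int, code: bytes) -> int:
    """Absolute target of 'mov eax,[rip+rel32]' located at instr_addr."""
    if len(code) < 6 or code[:2] != b"\x8B\x05":
        raise ValueError("expected 8B 05 (mov eax,[rip+rel32])")
    rel = struct.unpack_from("<i", code, 2)[0]
    return (instr_addr + 6 + rel) & 0xFFFFFFFFFFFFFFFF


def rip_rel32_reachable(new_instr_addr: int, target: int) -> bool:
    """True if a 10-byte C7 05 rel32 imm32 placed at new_instr_addr can address target."""
    rel = target - (new_instr_addr + 10)
    return -0x80000000 <= rel <= 0x7FFFFFFF


def encode_mov_mem_imm32_rip(new_instr_addr: int, target: int, imm: int) -> bytes:
    """'mov dword ptr [target],imm32' as C7 05 rel32 imm32, to be placed at new_instr_addr."""
    if not rip_rel32_reachable(new_instr_addr, target):
        raise ValueError("target is more than 2 GiB from new_instr_addr; rel32 cannot reach it")
    rel = target - (new_instr_addr + 10)
    return b"\xC7\x05" + struct.pack("<i", rel) + struct.pack("<I", imm & 0xFFFFFFFF)


def build_store_64(scan_addr: int, code: bytes, new_instr_addr: int, imm: int) -> bytes:
    """64-bit counterpart of build_store_32: resolve the target, then re-encode for newmem."""
    return encode_mov_mem_imm32_rip(new_instr_addr, target_from_rip_relative(scan_addr, code), imm)


# Constructed 64-bit sample (assumed addresses): the read instruction sits at 0x140001000
# and reads Testgame.exe+BC3BD4 with an assumed image base of 0x140000000.
SCAN_ADDR_64 = 0x140001000
TARGET_64 = 0x140BC3BD4
SCANNED_64 = b"\x8B\x05" + struct.pack("<i", TARGET_64 - (SCAN_ADDR_64 + 6))


if __name__ == "__main__":
    print(build_store_32(SCANNED_32, 50000).hex())     # c705d43bfc0150c30000
    newmem = 0x140F00000                               # assumed alloc() address near the module
    print(build_store_64(SCAN_ADDR_64, SCANNED_64, newmem, 50000).hex())
```

The 32-bit path reproduces the working script exactly: the address bytes are never reversed, only the opcode bytes around them change. The 64-bit path shows why a plain readmem of the displacement is wrong there, and why the allocation for newmem has to land within 2 GiB of the target (in Cheat Engine that is what the optional third argument of alloc is for).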