Pointers through scripts

[Classicus]

edit: ShyTwig16 has provided a working solution a few posts down. Thanks again ShyTwig16!

Hi,

I tried my best to see if this was answered somewhere, but couldn't find it in regards to my specific situation. Sometimes I use scripts for finding pointers. Below is an example of one that commonly works:

Code: Select all

newmem:
mov [p_minute],rax

code:
  movss xmm0,[rax+30]
  jmp return

In above example, I can add address p_minute with pointer offset 30. However, I have come across a code that I can't figure out. Below is what I have:

Code: Select all

newmem:
mov [p_clevel],rax

code:
  movss xmm0,[rax+r8*4+00000424]
  jmp return

Because its not a simple rax, and instead "rax+r8*4+00000424", I haven't been able to get this to work. I have address p_clevel added with pointer offset 424 but it doesn't point to the right address. I've tried a few things and trying to move different registers into p_clevel or using different offsets, but I can't figure this one out. Does anyone know how to do this one? Let me know if I need to explain it better. Thanks in advance!

[GreenHouse]

This should work already. And in case you want to make a group with multiple addresses, just remove the 424 from the first mov.

Code: Select all

newmem:
  push rdi
  mov rdi,[rax+r8*4+00000424]
  mov [p_clevel],rdi
  pop rdi

code:
  movss xmm0,[rax+r8*4+00000424]
  jmp return

[Classicus]

Thanks Greenhouse, although at first I thought it was working since the value of the address seemed proper. But then realized the address is not correct so no luck doing it that way. I also tried removing the 424, but no luck with that either.

[TimFun13]

Try LEA (load effective address) instead of MOV.

Code: Select all

newmem:
  push rdi
  lea rdi,[rax+r8*4+00000424]
  mov [p_clevel],rdi
  pop rdi

code:
  movss xmm0,[rax+r8*4+00000424]
  jmp return

[Classicus]

Thanks ShyTwig16! Using LEA worked! I'm going to edit my main post to mention a working solution has been provided by you.

[GreenHouse]

Try LEA (load effective address) instead of MOV.

Why does LEA work instead of MOV? I've always used MOV to do that.

[Classicus]

Try LEA (load effective address) instead of MOV.

Why does LEA work instead of MOV? I've always used MOV to do that.

I'm curious about this too. I suspect the "r8" has something to do with it. If it were something like [rax+rbx*4+00000424], then I think mov would work. But I'm not entirely sure.

[TimFun13]

Try LEA (load effective address) instead of MOV.

Why does LEA work instead of MOV? I've always used MOV to do that.

MOV moves the value at that address to the operand, where as LEA sets the operand to the address.
mov rax,rbx+rcx*4+18
While this isn't proper ASM, it would in theory work the same as this.
lea rax,[rbx+rcx*4+18]

[GreenHouse]

MOV moves the value at that address to the operand, where as LEA sets the operand to the address.
mov rax,rbx+rcx*4+18
While this isn't proper ASM, it would in theory work the same as this.
lea rax,[rbx+rcx*4+18]

Ok I see why now. I've always done the mov to an alloc directly. Just "mov [alloc],rax", but as you're moving the [rbx+rcx*4+18] to another register, you need to move the address itself, to the register to then mov it to the alloc. I didn't think about that.

[jmark81976]

Try LEA (load effective address) instead of MOV.

Code: Select all

newmem:
  push rdi
  lea rdi,[rax+r8*4+00000424]
  mov [p_clevel],rdi
  pop rdi

code:
  movss xmm0,[rax+r8*4+00000424]
  jmp return

How about this?

Code: Select all

alloc(newmem,$1000)
globalalloc(hp,8)

hp:
dq (float)0

label(code)
label(return)

newmem:
mov [hp],rax

code:
movss [rax+14],xmm5
jmp return
Top

Is this the same process or is it different? I've try your example but it wouldn't work.