bachou
Expert Cheater
Posts: 160 Joined: Wed Mar 08, 2017 3:18 pm
Reputation: 1
by bachou » Thu Feb 18, 2021 12:42 pm
I'm just trying to create a 2-byte pointer for EXP, but this looks very different from the tutorial. I don't know what the offset is; could anyone tell me what to do?
First result:
Code:
1A2372D201D - 45 8B 2C 04 - mov r13d,[r12+rax]
1A2372D201D:
1A2372D2013 - 49 83 E4 FC - and r12,-04
1A2372D2017 - 0F84 F76C1F04 - je 1A23B4C8D14
1A2372D201D - 45 8B 2C 04 - mov r13d,[r12+rax] <<
1A2372D2021 - 49 8B 87 10030000 - mov rax,[r15+00000310]
1A2372D2028 - 41 BC 04000000 - mov r12d,00000004
RAX=000000212B791CFC
RBX=00000000081C3900
RCX=00000000081C3900
RDX=0000000000000000
RSI=000001A085F4E6F0
RDI=000001A085F4E660
RSP=000001A2320FFDA0
RBP=00000000081C3900
RIP=000001A2372D2021
R8=000001A23630C690
R9=000001A23339C880
R10=000001A0BED70000
R11=000001A0BED70000
R12=0000018046970000
R13=0000000000000000
R14=000001A1B20C0000
R15=000001A23339C0B0
First seen:19:33:40
Last seen:19:33:40
Second result:
Code:
1A2372D21F2 - 45 89 2C 04 - mov [r12+rax],r13d
1A2372D21F2:
1A2372D21E8 - 49 83 E4 FC - and r12,-04
1A2372D21EC - 0F84 646B1F04 - je 1A23B4C8D56
1A2372D21F2 - 45 89 2C 04 - mov [r12+rax],r13d <<
1A2372D21F6 - 49 8B 87 F8000000 - mov rax,[r15+000000F8]
1A2372D21FD - 49 89 87 10030000 - mov [r15+00000310],rax
RAX=000000212B791CFC
RBX=00000000081C3918
RCX=00000000081C3918
RDX=0000000000000000
RSI=000001A085F4E6F0
RDI=000001A085F4E660
RSP=000001A2320FFDA0
RBP=00000000081C3918
RIP=000001A2372D21F6
R8=000001A23630C690
R9=000001A23339C880
R10=000001A0BED70000
R11=0000018046970000
R12=0000018046970000
R13=00000000000000C8
R14=000001A1B20C0000
R15=000001A23339C0B0
First seen:19:33:40
Last seen:19:33:40
sbryzl
Expert Cheater
Posts: 148 Joined: Sat Mar 04, 2017 4:47 am
Reputation: 98
by sbryzl » Thu Feb 18, 2021 2:23 pm
Looks like the offset is 212B791CFC. 18046970000 is likely a base address.
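As an added example, not code posted in the thread: a small parser for the "Find what accesses" hits pasted above. It adds the two register values from the dump to get the address [r12+rax] actually points at, labels r12 as the base and rax as the offset as sbryzl describes, and reads the access width off the register operand (r13d is a 32-bit register, so the access is 4 bytes). The hit text embedded below is copied from the dumps above; handling of bare-hex displacements such as [r15+00000310] assumes Cheat Engine's disassembler formatting as shown in the thread.

```python
import re

# Constructed from the two "Find what accesses" hits quoted in the thread:
# the instruction line that hit, then the registers at that moment.
FIRST_HIT = """1A2372D201D - 45 8B 2C 04 - mov r13d,[r12+rax]
RAX=000000212B791CFC
R12=0000018046970000
R13=0000000000000000"""

SECOND_HIT = """1A2372D21F2 - 45 89 2C 04 - mov [r12+rax],r13d
RAX=000000212B791CFC
R12=0000018046970000
R13=00000000000000C8"""


def reg_width(name):
    """Access width in bytes implied by an x86-64 register name (r13d -> 4)."""
    n = name.lower()
    if n[0] == "r" and n[1:].isdigit():          # r8 .. r15
        return 8
    if n[0] == "r":                              # rax, rsp, r13d, r8w, r9b
        return {"d": 4, "w": 2, "b": 1}.get(n[-1], 8)
    if n[0] == "e":                              # eax .. edi
        return 4
    return 1 if n[-1] in "lh" else 2             # al/ah/sil vs ax/si


def analyze(hit):
    """Resolve the memory operand of a hit to an absolute address plus its
    base/index/displacement breakdown, using register values from the dump."""
    lines = hit.strip().splitlines()
    instr = lines[0].split(" - ", 2)[2].strip()          # "mov r13d,[r12+rax]"
    regs = {k.lower(): int(v, 16) for k, v in (l.split("=") for l in lines[1:])}
    ops = instr.split(None, 1)[1].split(",")
    mem = next(o for o in ops if o.startswith("["))
    other = next(o for o in ops if not o.startswith("["))
    result = {"base": None, "index": None, "disp": 0, "address": 0,
              "width": reg_width(other)}
    # Each term is a register (optionally scaled) or a bare-hex displacement.
    for sign, tok, scale in re.findall(r"([+-]?)([A-Za-z0-9]+)(?:\*([1248]))?", mem[1:-1]):
        tok = tok.lower()
        if tok in regs:
            val = regs[tok] * int(scale or 1)
            result["base" if result["base"] is None and not scale else "index"] = tok
        else:
            val = int(tok, 16)                           # CE prints disp as bare hex
            result["disp"] = -val if sign == "-" else val
        result["address"] += -val if sign == "-" else val
    return result
```

Run on both hits, the read at 1A2372D201D and the write at 1A2372D21F2 resolve to the same address, so both instructions touch the same variable.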
bachou
Expert Cheater
Posts: 160 Joined: Wed Mar 08, 2017 3:18 pm
Reputation: 1
by bachou » Thu Feb 18, 2021 2:50 pm
Isn't that too long for an offset? Do I still proceed like in the tutorial, or is there something different here?
sbryzl
Expert Cheater
Posts: 148 Joined: Sat Mar 04, 2017 4:47 am
Reputation: 98
by sbryzl » Thu Feb 18, 2021 3:41 pm
It's an unusual offset, but whatever works. I would suspect there is another base address and offset which is closer to that memory space. It looks like an emulator, so that base address could be for everything. There could be other base addresses for each memory space.
GreenHouse
Expert Cheater
Posts: 852 Joined: Fri Oct 12, 2018 10:25 pm
Reputation: 896
by GreenHouse » Thu Feb 18, 2021 3:51 pm
I rarely find these, but if you want to mov the address into an alloc, you could take the first example you showed and do:
Code:
mov r13d,[r12+rax]
add rax,r12
mov [yourAlloc],rax
mov rax,[r15+00000310]