[HELP] Different Register Values

[soft17]

Hey,

can please someone help me and tell me, why if i click "Find out what access this adress" there is R14 value as you see on image, but if dissasemble memory and set breakpoint there, R14 value not match and is different?

i want get that value ending "320" from the left window (its Unity Character object class address) :/
but i get constantly changing R14 from the right window

Code: Select all

mov [unitycharacter], r14

[yaodm2020]

My suggestion is that you set the breakpoint at the beginning of this call and see if it triggers. If it is not triggered, put the breakpoint on the opcode in front of mov rbx,[r14], and see if it can be triggered. If it is triggered, use F8 to see which register is assigned to r14.

[Marc]

It is likely that this Code is used to access multiple adresses. So you‘d have to a) find out how to filter for your address or b) make a conditional brake & trace to see where the writing code has been called from

[soft17]

It is likely that this Code is used to access multiple adresses. So you‘d have to a) find out how to filter for your address or b) make a conditional brake & trace to see where the writing code has been called from

its multiple accesses becouse its Game.Character class where is stored all things about character (health, stamina, items, buffs, etc...) i want use this class as starting point to pointer adress and then from there set offsets to values i want.

but i dont know how to filter that specific address (27067749320) i found this address first time with activated mono features, dissect mono, search for that class, select instances of this class and found the right one (with amount gold i have i check one by one), then in memory viewer i select tools - dissect data/structures and put address there and i get structure this class with pointers, but after restart this base address changed, so i want do aobscan and find it again, but cannot copy address from register if there is many other addresses and i dont know which one is right one :/

[yaodm2020]

Use conditional breakpoint, rbx == 0x858 and r14 == 0xE******

[yaodm2020]

Look up for the calling, See which register is assigned to this call.

[yaodm2020]

Then use the register compare method

[Marc]

There are several possibilities:

• Rightclick on the code, use "find out what this code accesses", then compare the memory regions of these addresses either in dissect data or with "find commonalities"
• as suggested, make a conditional break & trace to see from there the code has been executed
• take the correct address of your value, add it to the table and press F5 on it to see which codes access this address. Most likely you'll find several codes which are constantly reading your address. Check out if there is a code which only accesses your address. Make a code injection to steal the address and you'll always have the right address

[soft17]

thanks for help guys, i tryed, but its impossible to Use conditional breakpoint, becouse there is no register match only that one address i want

i found another place for inject but i have problem with code:

Code: Select all

[ENABLE]

aobscanmodule(character,GameAssembly.dll,85 C0 0F 85 1E 01 00 00 C7) // should be unique
alloc(newmem,$1000,character)

label(code)
label(return)
label(characterread)
registersymbol(characterread)

newmem:

code:
  //test eax,eax
  //jne GameAssembly.dll+3ED8C9
  readmem(character,8)
  jmp return

characterread:
  readmem(character,8)

character:
  jmp newmem
  nop 3
return:
registersymbol(character)

[DISABLE]

character:
  readmem(characterread,8)
  //db 85 C0 0F 85 1E 01 00 00

unregistersymbol(*)
dealloc(*)

i want to replace commented lines and store original code with readmem() its 8 bytes but as you see on image, the "jne" gives me a different jump inside inject as original one

original:

Code: Select all

85 C0 -> test eax,eax
0F 85 1E 01 00 00 -> jne GameAssembly.dll+3ED8C9

injected:

Code: Select all

85 C0 -> test eax,eax
0F 85 1E 01 00 00 -> jne 7FFE77D20126

does someone know how to fix it? i want read original code becouse if it changed i want restore the right one and not give there static "db 85 C0 0F 85 1E 01 00 00"

[soft17]

i search with google about it and its something need reassembly() but i dont know how to use that command right, my attempts ends with crashes :/

[Messy6666]

reassemble() won't help you there
because the jne will just jump to an offset from it's current address ( - or + ).
that's also why using it in the newmem with readmem() will crash when eax is not zero.

What you could do is find another injection point or make the test yourself
like:

Code: Select all

newmem:

code:
  //test eax,eax
  //jne GameAssembly.dll+3ED8C9
//  readmem(character,8)
  test eax, eax
  jne @f
  jmp return
@@:
  jmp return + < offset where orginal jne pointed to >
or
  jmp < address where orginal jne pointed to >

the restoring of the original code in your characterread can remain unchanged

[Messy6666]

to make life easier i would go for a "better" injection point
but ofcourse i don't know the game

a) - is EAX containing a return value like true/false or does it contains a pointer
-- if it should contain a pointer, better use a injection point at where the JNE is pointing to
b) - is there a call before the testing of EAX?
-- if so look at that function

[soft17]

thank you for help,

that reassemble works, i replaced in "code:" from :

Code: Select all

readmem(character,8)

to

Code: Select all

reassemble(character) restore me original (0-2 byte )->  test eax,eax
reassemble (character+2) restore me original (3-8 byte) -> jne GameAssembly.dll+3ED8C9

but into future you recommend me find better injection point? maybe mov is best and skip call-s and jmp-s ?

[Messy6666]

oh interesting... always good to learn things! I still think it won't always works... depending where the "newmem" is allocated (because the offset could be to high) but that's just theoretical.

injection points.. well not better... what's better, it will ofc depends on the game/code.
I meant just an easier one. Calls and uncondiitional jumps are normally no problem