Problem scan or something

FlipCarloz · Post by **FlipCarloz** » Fri Jun 22, 2018 6:36 pm

I do not know if I'm right or wrong but I can not find the value opcode?

Am I missing something?

but I can change the value.

now, I already tried with pointer but every time I change the map the address changes

there is. one more thing. Why does the scan put me in VCRUNTIME140 and not in game memory?

the game is Fictorum Observer

Code:

VCRUNTIME140.memcpy+110 - 4C 8B 02 - mov r8,[rdx]

VCRUNTIME140.memcpy+113 - 0FB7 4A 08 - movzx ecx,word ptr [rdx+08]

VCRUNTIME140.memcpy+117 - 44 0FB6 4A 0A - movzx r9d,byte ptr [rdx+0A]

VCRUNTIME140.memcpy+11C - 4C 89 00 - mov [rax],r8

VCRUNTIME140.memcpy+11F - 66 89 48 08 - mov [rax+08],cx

VCRUNTIME140.memcpy+123 - 44 88 48 0A - mov [rax+0A],r9l

VCRUNTIME140.memcpy+127 - 49 8B CB - mov rcx,r11

VCRUNTIME140.memcpy+12A - C3 - ret

VCRUNTIME140.memcpy+12B - 8B 0A - mov ecx,[rdx]

VCRUNTIME140.memcpy+12D - 89 08 - mov [rax],ecx <--- THIS

VCRUNTIME140.memcpy+12F - C3 - ret

VCRUNTIME140.memcpy+130 - 8B 0A - mov ecx,[rdx]

VCRUNTIME140.memcpy+132 - 44 0FB6 42 04 - movzx r8d,byte ptr [rdx+04]

VCRUNTIME140.memcpy+137 - 89 08 - mov [rax],ecx

VCRUNTIME140.memcpy+139 - 44 88 40 04 - mov [rax+04],r8l

VCRUNTIME140.memcpy+13D - C3 - ret

VCRUNTIME140.memcpy+13E - 66 90 - nop

VCRUNTIME140.memcpy+140 - 8B 0A - mov ecx,[rdx]

VCRUNTIME140.memcpy+142 - 44 0FB7 42 04 - movzx r8d,word ptr [rdx+04]

VCRUNTIME140.memcpy+147 - 89 08 - mov [rax],ecx

VCRUNTIME140.memcpy+149 - 66 44 89 40 04 - mov [rax+04],r8w

VCRUNTIME140.memcpy+14E - C3 - ret

[URL='https://ibb.co/kLAs9o']image[/URL]

FreeER · Post by **FreeER** » Fri Jun 22, 2018 7:00 pm

[quote]Why does the scan put me in VCRUNTIME140 and not in game memory?[/quote]

Because the game developer used the memcpy function which comes from the c standard library / runtime and you're running on windows with the (Microsoft) Visual C Runtime version 14.0 (iirc maybe it's 1.40) aka msvc 14.0

This is a pretty generic function that's likely used for many other things all the time, you're almost certainly better off finding out what code is calling it for the value you want (conditional breakpoints can be helpful with that) and hook that code instead.

FlipCarloz · Post by **FlipCarloz** » Fri Jun 22, 2018 7:11 pm

Thanks for the reply. I was wondering why I was using a windows dll and not from outside.

And with regard to conditional breakpoints it seems like the game crashes. Any solution ?

FreeER · Post by **FreeER** » Fri Jun 22, 2018 7:38 pm

maybe hook the code and do the check in assembly, with a nop that is skipped when you don't care, then set a bpt on the nop? Since the normal conditions use lua and that can be slower /shrug

FlipCarloz · Post by **FlipCarloz** » Fri Jun 22, 2018 8:04 pm

hm i see. Thank you.

koderkrazy · Post by **koderkrazy** » Sat Jun 23, 2018 10:09 am

[QUOTE="FlipCarloz, post: 49959, member: 18627"]

I already tried with pointer but every time I change the map the address changes [/QUOTE]

Since this is memcpy function, you might wanna investigate pointer in rdx here, since it is the source of data.

May be it is constant across the maps...

[QUOTE]VCRUNTIME140.memcpy+12B - 8B 0A - mov ecx,[[COLOR=rgb(235, 107, 86)][B][U]rdx[/U][/B][/COLOR]] [COLOR=rgb(184, 49, 47)]<--- value coming from here[/COLOR]

VCRUNTIME140.memcpy+12D - 89 08 - mov [rax],ecx <--- THIS

VCRUNTIME140.memcpy+12F - C3 - ret[/QUOTE]

FlipCarloz · Post by **FlipCarloz** » Sat Jun 23, 2018 10:15 am

[QUOTE="koderkrazy, post: 50006, member: 18664"]Since this is memcpy function, you might wanna investigate pointer in rdx here, since it is the source of data.

May be it is constant across the maps...[/QUOTE]

hey. Thanks for the reply. I got a trainer. It works fine with pointeiros

FearLess Cheat Engine