Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Aob Injection's jump code is longer than it should be

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Discussions
View previous topic :: View next topic  
Author Message
Derxedon
How do I cheat?
Reputation: 0

Joined: 20 Dec 2017
Posts: 3

PostPosted: Wed Dec 20, 2017 3:26 am    Post subject: Aob Injection's jump code is longer than it should be Reply with quote

Hi!

Original code:
24F2D6CB538: 41 2B C3 - sub eax,r11d <--injection point
24F2D6CB53B: 4C 89 4D C8 - mov [rbp-38],r9

My problem is ,that when I do an AOB injection and turn the script on,the bytes of the jump to new memory location looks like this :
24F2D6CB538: FF25 00000000 0000220300000000 - jmp 03220000

Now I've seen quite a lot of videos about CE and I am pretty sure it shouldn't be that long,if anything,in this example the bytes for the newmem's address should be 00 00 22 03 if I am not mistaken.What's more ,CE only puts enough nops for the correct address(I guess,looks like this
instakill:
jmp newmem
nop
nop
) and as such some code after this instruction is just gone after I enable/disable the script.I chose the option follow on the jump,to see my code in newmem and the return address is in an equally f'd up form =/.

Is there some option that I should change or what's up with that =S.
The program I am doing this on is a browser based online game if it makes any difference,but I experience the same problem with single player games too.
Not sure if related,but I also noticed,that if I change a line of instruction in memory view after copying the original code, and then change it back by pasting in the original code,the bytes representing that code change compared to the original ,even though it's the very same code =S
Other than that,the flashing dbk64 loaded message is displayed every time I launch CE even though I only used it once,and my CE is on my D hard drive,not on C where windows is if that makes any difference.Oh and I already tried uninstalling than reinstalling CE,didn't help =( .

My rig:
Windows 7 Professional N, Service Pack 1
CPU: i7-4790k
MEM: 8gb
GPU:Nvidia Gforce GTX 970

Thank you for your help in advance,

Derxedon.

Here is my script just in case:
[ENABLE]

aobscan(instakill,41 2B C3 4C 89 4D C8)
alloc(newmem,$100)

label(cheat)
label(return)

newmem:

cheat:
cmp [rsi+r14-50],00
je envagyok
mov eax,0
mov [rbp-38],r9
jmp return

envagyok:
mov [rbp-38],r9
jmp return

instakill:
jmp newmem
nop
nop
return:
registersymbol(instakill)

[DISABLE]

instakill:
db 41 2B C3 4C 89 4D C8

unregistersymbol(instakill)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 24F2D6CB538

24F2D6CB510: 41 F7 EB - imul r11d
24F2D6CB513: 41 C1 EB 1F - shr r11d,1F
24F2D6CB517: C1 FA 0C - sar edx,0C
24F2D6CB51A: 44 8D B7 D0 00 00 00 - lea r14d,[rdi+000000D0]
24F2D6CB521: 42 8D 04 1A - lea eax,[rdx+r11]
24F2D6CB525: 4C 8B D9 - mov r11,rcx
24F2D6CB528: 44 2B D8 - sub r11d,eax
24F2D6CB52B: 45 3B F0 - cmp r14d,r8d
24F2D6CB52E: 0F 83 47 05 00 00 - jae 24F2D6CBA7B
24F2D6CB534: 42 8B 04 36 - mov eax,[rsi+r14]
// ---------- INJECTING HERE ----------
24F2D6CB538: 41 2B C3 - sub eax,r11d
24F2D6CB53B: 4C 89 4D C8 - mov [rbp-38],r9
// ---------- DONE INJECTING ----------
24F2D6CB53F: 4C 89 65 C0 - mov [rbp-40],r12
24F2D6CB543: 4C 89 75 A8 - mov [rbp-58],r14
24F2D6CB547: 4C 89 5D D0 - mov [rbp-30],r11
24F2D6CB54B: 48 8B F3 - mov rsi,rbx
24F2D6CB54E: 48 8B D0 - mov rdx,rax
24F2D6CB551: 48 8B 45 E0 - mov rax,[rbp-20]
24F2D6CB555: 33 C9 - xor ecx,ecx
24F2D6CB557: E8 44 06 00 00 - call 24F2D6CBBA0
24F2D6CB55C: 48 8B 5D E8 - mov rbx,[rbp-18]
24F2D6CB560: 8B 43 08 - mov eax,[rbx+08]
}


Last edited by Derxedon on Wed Dec 20, 2017 11:07 am; edited 1 time in total
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Wed Dec 20, 2017 9:38 am    Post subject: Reply with quote

There is no jmp instruction that takes a rel64 displacement. The instruction being displayed by CE is a pseudoinstruction that is equivalent to this code:
Code:
instakill:
  jmp [jmptarget]   // jmp [r/m32]; uses RIP-relative addressing (i.e. rip+0)
jmptarget:
  dq newmem
  nop
  nop
return:

While this is slightly longer and slower than using "mov r64,imm64; jmp r64", it doesn't overwrite a register.

There is a jmp instruction that takes a rel32 (the type of instruction you probably expected), but that would require the destination to be within a 32-bit signed displacement of the jmp instruction. That is always true in a 32-bit program, but that doesn't have to be true in a 64 bit program since the address space is much larger.

You can pass a third parameter to alloc to specify that CE should allocate memory near an address. Let CE generate the AoB template for you and it'll take care of it.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
Derxedon
How do I cheat?
Reputation: 0

Joined: 20 Dec 2017
Posts: 3

PostPosted: Wed Dec 20, 2017 10:43 am    Post subject: Reply with quote

Firstly, thank you for your answere,in case there's a misunderstanding,this:
24F2D6CB538: 41 2B C3 - sub eax,r11d
turnes to this:
24F2D6CB538: FF25 00000000 0000220300000000 - jmp 03220000
in memory view after I enable my script.
Now even if newmem would be on some 64bit address,which in my case it's not,03 22 00 00 is 4 bytes long,why would the byte code for it be 12 bytes ,00000000 0000220300000000 ? 4 bytes of 00 before and after the actual address?Zero extend to 8 bytes would still fly,that's 64 bit,but 12 bytes ?o.O
Also I did use CE's AOB template ,and as I stated in my 1st post,it only adds 2 nops after jmp newmem,which would be 100% good if in practice the bytes generated for jmp newmem were accurate .Alas they are not,hence when I activate this script or any script,aob or code injection,this stupid 12 byte long address overwrites a lot of code after the injection point,and it' just gone.
I did try the 3rd parameter and it didn't help =/.
Back to top
View user's profile Send private message
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

PostPosted: Wed Dec 20, 2017 3:55 pm    Post subject: Reply with quote

Code:
FF25 00000000 0000220300000000 - jmp 03220000
is a 4 byte relative jump using an absolute 8 byte memory address, aka FF25 = jmp opcode, 00000000 = 4 byte jmp offset (0), 0000220300000000 = 8 byte address (03220000) or in code something like
Code:
jmp [rip+0] // jmp using the 8 bytes after this instruction
db 0000220300000000 // 8 byte address

Very similar code is used for a call FF15 02000000 EB08 F0A9E98BFB7F0000 // (call strlen in x64 tutorial step 2),
2 byte call opcode, 4 byte offset from end of call, 2 byte opcode for jmp +8 (to avoid crash on return), 8 byte address. aka
Code:
call [rip+2]
jmp +8 // rip+0
db F0A9E98BFB7F0000 // rip+2, 8 byte address, to strlen


If you're willing to use a register then you can use
Code:
mov eax, 03220000
jmp eax
which may be a mere 7 bytes, though if it is a 64 bit address you'll need rax and it's still 12 bytes.

This is probably the simplest way to cover the majority of cases when dealing with x64 jumps/calls, even if it's not the best in every case. https://stackoverflow.com/a/26971091 lists a few opcodes for different jumps in x64, feel free to pick an appropriate one and change the script to use it (though I'm sure they're documented somewhere in here as well https://software.intel.com/en-us/articles/intel-sdm).

Also, often changing the alloc from alloc(newmem,$1000) to eg. alloc(newmem,$1000, "Tutorial-x86_64.exe"+2B227) or even alloc(newmem,$1000, SYMBOL_USED_BY_AOBSCAN) can solve the problem by having alloc return memory within a 32 bit offset of the given address.

The real issue is when CE doesn't properly handle that long jmp code, still treating it as if it'll be a 5 byte jump and therefore leaving partially overwritten instructions, not including all the overwritten instructions in the new code section and not rewriting them on disable. Or when someone removes the 3rd argument from the alloc because they don't know why it's there, causing the same Very Happy
Back to top
View user's profile Send private message
Derxedon
How do I cheat?
Reputation: 0

Joined: 20 Dec 2017
Posts: 3

PostPosted: Wed Dec 20, 2017 11:03 pm    Post subject: Reply with quote

Thanks for your answere.
So basicly,I should expect the script's jump to be 12 bytes and adjust my script accordingly,there is no option I have(n't) set,I am just stuck with it,even though I've never seen this behaviour in any tutorial vids.I mean that's what I was doing lacking any better options,it just sucks having to incorporate 4 lines of code into scripts,especially if there's an address in it that is calculated at every session,basicly changes every time -_- .

Edit: As a last resort I tried out installing a previous version, CE 6.6 ,and it works there, no BS 12 byte addressing when it's redundant >_<
Now I noticed,that if I use my script that I wrote on CE6.7 ,the addres is still messed up,but if I rewrite it in 6.6 using AOB injection template it works,so maybe the root of the problem is in the AOB injection template in these two versions. Is there a way to look at them and compare them?The cause of this could be in there.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Discussions All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites