mben Newbie cheater Reputation: 0
Joined: 20 Jan 2018 Posts: 14
Posted: Mon Feb 05, 2018 4:17 pm Post subject: no offset when search base pointer
Why, when I search for the offset of the pointer, does it return instructions without an offset?
I am searching for some base address from Rise of the Tomb Raider, and when I try to search for the pointer, instructions like
mov ebx,[r9] come up. What offset do I use? This thing keeps me away from my goal. Any idea?
Thanks in advance.
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Mon Feb 05, 2018 4:27 pm
From tutorial step 6 wrote: "If the assembler instruction has a calculation (e.g: [esi+12]) at the end then type the value in that's at the end. else leave it 0."
Just like in math, [x] is the same as [x+0].
mben Newbie cheater Reputation: 0
Joined: 20 Jan 2018 Posts: 14
Posted: Mon Feb 05, 2018 4:56 pm
FreeER wrote: "From tutorial step 6 wrote: 'If the assembler instruction has a calculation (e.g: [esi+12]) at the end then type the value in that's at the end. else leave it 0.' Just like in math, [x] is the same as [x+0]."
Thanks for the reply, but if I do that, it keeps me searching in circles.
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Mon Feb 05, 2018 5:05 pm
Perhaps look in the code above it and see if r9 is set with something like lea r9,[r8+14].
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Mon Feb 05, 2018 5:09 pm
mben wrote: "Thanks for the reply, but if I do that, it keeps me searching in circles."
Don't mix up the VALUE of a pointer with the ADDRESS of a pointer.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
mben Newbie cheater Reputation: 0
Joined: 20 Jan 2018 Posts: 14
Posted: Mon Feb 05, 2018 5:23 pm
Dark Byte wrote: "mben wrote: 'Thanks for the reply, but if I do that, it keeps me searching in circles.' Don't mix up the VALUE of a pointer with the ADDRESS of a pointer."
Thanks for the answer @Dark Byte. I mean, for example, the address with the value is AFDCC5.
If I look at what accesses this address, the instruction returned is something like mov r8,[r8], where r8 has this value AFDCC5. What do I have to do in this case? Thanks in advance for helping a noob like me.
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Mon Feb 05, 2018 5:30 pm
In that case the original value of r8 is whatever address you are checking.
E.g. if you have the address 0xDEADBEEF and you find that instruction, then the original value of r8 had to be 0xDEADBEEF, or it could not have read from the address 0xDEADBEEF and therefore would not have shown up in the list (exceptions for instructions that affect multiple addresses, like SSE packed float/double moves, but I'm not sure of any off the top of my head that'd actually use the same register like this). If there's an offset, e.g. mov r8,[r8+F], then it's the address minus the offset, e.g. 0xDEADBEEF - 0xF = 0xDEADBEE0.
If you're really feeling lazy you can open the disassembler for that instruction, set a breakpoint and see the value before the instruction is executed, but if it's an instruction that affects multiple addresses that's likely to break for something else, so you'd need to set a conditional breakpoint, at which point you could just do the calculation (by opening a calculator or using the Lua engine window if nothing else).
Edit: also, the "More information" window might show it properly in the "the address is probably..." part, not actually sure though.
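The arithmetic in the replies above, as an added Python example (not from the thread or from Cheat Engine itself): it parses an operand the way Cheat Engine's disassembler prints it, recovers the base register's value from the accessed address, and walks a constructed pointer chain to show the difference between the address of a pointer and its value. The memory contents and the 0x00AFDCC0 pointer address are constructed for the example.

```python
import re

# Constructed memory image: address -> 8-byte value stored there.
# 0x00AFDCC0 is the ADDRESS of a pointer; 0xDEADBEE0 is that pointer's VALUE.
MEMORY = {
    0x00AFDCC0: 0xDEADBEE0,  # static pointer: what a pointer scan should report
    0xDEADBEEF: 0x64,        # the value that mov r8,[r8+F] reads
}

# Operands as Cheat Engine's disassembler prints them: [r9], [r8+F], [rsi-10],
# [rbx+rcx*4+18]; displacements are hex with no 0x prefix.
OPERAND_RE = re.compile(
    r"\[(?P<base>[a-z0-9]+)"
    r"(?:\+(?P<index>[a-z0-9]+)\*(?P<scale>[1248]))?"
    r"(?:(?P<sign>[+-])(?P<disp>[0-9a-f]+))?\]"
)

def parse_memory_operand(instruction):
    """Return (base, index, scale, displacement) of the bracketed operand."""
    m = OPERAND_RE.search(instruction.replace(" ", "").lower())
    if not m:
        raise ValueError("no memory operand in: " + instruction)
    disp = int(m["disp"], 16) if m["disp"] else 0   # [x] is [x+0]
    if m["sign"] == "-":
        disp = -disp
    scale = int(m["scale"]) if m["scale"] else 0
    return m["base"], m["index"], scale, disp

def offset_to_type(instruction):
    """The number for the offset box: the displacement, or 0 when there is none."""
    return parse_memory_operand(instruction)[3]

def base_register_value(accessed_address, instruction, index_value=0):
    """Recover what the base register held when the instruction hit accessed_address.
    index_value is the index register's value, only needed for [base+index*scale+disp]."""
    _, index, scale, disp = parse_memory_operand(instruction)
    return accessed_address - disp - (index_value * scale if index else 0)

def resolve_pointer(memory, pointer_address, offsets):
    """Walk a chain CE-style: read the VALUE at pointer_address, add an offset and
    read again for every offset but the last, which is only added."""
    current = memory[pointer_address]
    for off in offsets[:-1]:
        current = memory[current + off]
    return current + offsets[-1]

if __name__ == "__main__":
    r8 = base_register_value(0xDEADBEEF, "mov r8,[r8+F]")
    print(hex(r8), hex(offset_to_type("mov ebx,[r9]")))
    target = resolve_pointer(MEMORY, 0x00AFDCC0, [offset_to_type("mov r8,[r8+F]")])
    print(hex(target), MEMORY[target])
```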
mben Newbie cheater Reputation: 0
Joined: 20 Jan 2018 Posts: 14
Posted: Mon Feb 05, 2018 5:34 pm
FreeER wrote: "In that case the original value of r8 is whatever address you are checking.
E.g. if you have the address 0xDEADBEEF and you find that instruction, then the original value of r8 had to be 0xDEADBEEF, or it could not have read from the address 0xDEADBEEF and therefore would not have shown up in the list (exceptions for instructions that affect multiple addresses, like SSE packed float/double moves, but I'm not sure of any off the top of my head that'd actually use the same register like this). If there's an offset, e.g. mov r8,[r8+F], then it's the address minus the offset, e.g. 0xDEADBEEF - 0xF = 0xDEADBEE0.
If you're really feeling lazy you can open the disassembler for that instruction, set a breakpoint and see the value before the instruction is executed, but if it's an instruction that affects multiple addresses that's likely to break for something else, so you'd need to set a conditional breakpoint, at which point you could just do the calculation (by opening a calculator or using the Lua engine window if nothing else)."
Thanks for your help. I don't feel lazy, maybe something gets lost sometimes :$ I will try looking deeper into the assembly code. Thanks a lot for helping me.