MantisBT - Cheat Engine
View Issue Details
ID: 0000422
Project: Cheat Engine
Category: (No Category)
View Status: public
Date Submitted: 2015-12-18 04:15
Last Update: 2015-12-21 10:47
Reporter: pausebreak7
Assigned To: Dark Byte
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: no change required
Platform / OS / OS Version: not specified
Summary: 0000422: x64 auto assembler offset too big error
Description: x64 openprocess autoassembler copy memory

line 22 offset too big error message

call qword ptr [KERNELBASE.NlsUpdateLocale+AB0] { ->ntdll.ZwOpenProcess } <-error
Steps To Reproduce:
alloc(create,1024)
registersymbol(create)
create:
//open process
sub rsp,68
xor r9d,r9d
movsxd rax,r8d
mov [rsp+30],00000030
mov [rsp+28],r9
mov [rsp+20],rax
mov [rsp+38],r9
test edx,edx
jne KERNELBASE.TlsGetValue+1D10
mov [rsp+48],r9d
mov [rsp+40],r9
mov [rsp+50],r9
mov [rsp+58],r9
mov edx,ecx
lea r9,[rsp+20]
lea r8,[rsp+30]
lea rcx,[rsp+00000088]
call qword ptr [KERNELBASE.NlsUpdateLocale+AB0] { ->ntdll.ZwOpenProcess }
test eax,eax
js KERNELBASE.GetSecurityDescriptorSacl+105
mov rax,[rsp+00000088]
add rsp,68
ret
Tags: No tags attached.
Attached Files: offset too big error.png (70,073 bytes) 2015-12-18 04:15
http://cheatengine.org/mantis/file_download.php?file_id=165&type=bug

Notes
(0000921) Dark Byte, 2015-12-20 19:54 (Last edited: 2015-12-20 19:57)
That is normal.
A memory distance from RIP to an address (data or code) can only be 2GB.

You can solve this by either allocating create near the location of kernelbase, using a register with the address built up, or using a local jump table.

e.g.:
alloc(create,1024,KERNELBASE)

or
mov rax,KERNELBASE.NlsUpdateLocale+AB0 //mov rax,imm64 is one of the very few instructions that support a direct 64 bit value
mov rax,[rax]
call rax

or

alloc(addresswithdestination,8) //make sure it's allocated near create, so if you do specify a preferred base for create, use the same address

addresswithdestination:
dq ntdll.ZwOpenProcess
...
call [addresswithdestination]

Also, check that "jne KERNELBASE.TlsGetValue+1D10": the assembler might not give a message, but there is a decent chance it's going to overflow and point to the wrong location.

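The note above describes why `call qword ptr [KERNELBASE...]` fails from a distant allocation and how the `mov rax,imm64` form avoids it. The following is an added C example, not Cheat Engine's own assembler code: it computes the rel32 displacement the way an x64 assembler must (from the address of the next instruction), reports the "offset too big" case instead of truncating, falls back to the `mov rax,imm64 / mov rax,[rax] / call rax` sequence for the indirect call, and refuses an unreachable `jne` rather than silently overflowing it. The function names and the little-endian host assumption are mine; the opcode bytes are the standard x64 encodings.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* rip_rel32 (hypothetical helper, not Cheat Engine code): the displacement an
 * x64 assembler emits is measured from the address of the NEXT instruction and
 * must fit a signed 32-bit field, i.e. lie within +/-2GB of RIP.
 * Returns 1 and stores the displacement when it fits, 0 when it does not
 * (the "offset too big" case from the report). */
int rip_rel32(uint64_t next_rip, uint64_t target, int32_t *disp) {
    int64_t d = (int64_t)(target - next_rip);   /* two's-complement distance */
    if (d < INT32_MIN || d > INT32_MAX) return 0;
    if (disp) *disp = (int32_t)d;
    return 1;
}

/* encode_call_indirect: "call qword ptr [target]" for code placed at `at`.
 *   reachable:   FF 15 disp32                     (6 bytes, RIP-relative)
 *   unreachable: 48 B8 imm64 / 48 8B 00 / FF D0   (mov rax,imm64; mov rax,[rax]; call rax)
 * `out` must hold 15 bytes; returns the number of bytes written.
 * Little-endian host assumed for the memcpy of the immediates. */
size_t encode_call_indirect(uint64_t at, uint64_t target, uint8_t *out) {
    int32_t disp;
    if (rip_rel32(at + 6, target, &disp)) {
        out[0] = 0xFF; out[1] = 0x15;
        memcpy(out + 2, &disp, 4);
        return 6;
    }
    out[0] = 0x48; out[1] = 0xB8;                    /* mov rax, imm64 */
    memcpy(out + 2, &target, 8);
    out[10] = 0x48; out[11] = 0x8B; out[12] = 0x00;  /* mov rax, [rax] */
    out[13] = 0xFF; out[14] = 0xD0;                  /* call rax */
    return 15;
}

/* encode_jne: "jne target" (0F 85 rel32, 6 bytes). A conditional branch has no
 * register-indirect form, so an out-of-range target cannot be patched around
 * here: return 0 instead of emitting a truncated displacement that lands on
 * the wrong address. The caller must allocate closer or branch via a local
 * trampoline within +/-2GB. */
size_t encode_jne(uint64_t at, uint64_t target, uint8_t *out) {
    int32_t disp;
    if (!rip_rel32(at + 6, target, &disp)) return 0;
    out[0] = 0x0F; out[1] = 0x85;
    memcpy(out + 2, &disp, 4);
    return 6;
}
```
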
(0000922) pausebreak7, 2015-12-21 06:21
thank you! db

Issue History
2015-12-18 04:15 | pausebreak7 | New Issue
2015-12-18 04:15 | pausebreak7 | File Added: offset too big error.png
2015-12-20 19:54 | Dark Byte | Note Added: 0000921
2015-12-20 19:55 | Dark Byte | Note Edited: 0000921
2015-12-20 19:56 | Dark Byte | Note Edited: 0000921
2015-12-20 19:57 | Dark Byte | Note Edited: 0000921
2015-12-21 06:21 | pausebreak7 | Note Added: 0000922
2015-12-21 10:47 | Dark Byte | Status: new => resolved
2015-12-21 10:47 | Dark Byte | Resolution: open => no change required
2015-12-21 10:47 | Dark Byte | Assigned To: => Dark Byte
2016-06-05 15:18 | Jptnuc | Issue cloned: 0000477