2017-08-18 22:42 CEST

View Issue Details

ID: 0000422
Project: Cheat Engine
Category: (No Category)
View Status: public
Last Update: 2015-12-21 10:47
Reporter: pausebreak7
Assigned To: Dark Byte
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: no change required
Summary: 0000422: x64 auto assembler offset too big error
Description:
x64 openprocess autoassembler copy memory

line 22 offset too big error message

call qword ptr [KERNELBASE.NlsUpdateLocale+AB0] { ->ntdll.ZwOpenProcess } <-error
Steps To Reproduce:
alloc(create,1024)
registersymbol(create)
create:
//open process
sub rsp,68
xor r9d,r9d
movsxd rax,r8d
mov [rsp+30],00000030
mov [rsp+28],r9
mov [rsp+20],rax
mov [rsp+38],r9
test edx,edx
jne KERNELBASE.TlsGetValue+1D10
mov [rsp+48],r9d
mov [rsp+40],r9
mov [rsp+50],r9
mov [rsp+58],r9
mov edx,ecx
lea r9,[rsp+20]
lea r8,[rsp+30]
lea rcx,[rsp+00000088]
call qword ptr [KERNELBASE.NlsUpdateLocale+AB0] { ->ntdll.ZwOpenProcess }
test eax,eax
js KERNELBASE.GetSecurityDescriptorSacl+105
mov rax,[rsp+00000088]
add rsp,68
ret
Tags: No tags attached.
Attached Files

Notes

~0000921

Dark Byte (developer)

Last edited: 2015-12-20 19:57

That is normal.
A memory distance from RIP to an address (data or code) can only be 2GB.

You can solve this by either allocating create near the location of kernelbase, using a register with the address built up, or a local jump table.

e.g:
alloc(create,1024,KERNELBASE)

or
mov rax,KERNELBASE.NlsUpdateLocale+AB0 //mov rax,imm64 is one of the very few instructions that support a direct 64 bit value
mov rax,[rax]
call rax

or

alloc(addresswithdestination,8) //make sure it's allocated near create, so if you do specify a preferred base for create, use the same address

addresswithdestination:
dq ntdll.ZwOpenProcess
...
call [addresswithdestination]

Also, check that "jne KERNELBASE.TlsGetValue+1D10": the assembler might not give a message, but there is a decent chance it's going to overflow and point to the wrong location.

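The 2GB limit and the mov rax,imm64 fallback from the note above, as an added C example (not Cheat Engine's own code): fits_rel32 is the range check an assembler has to make before emitting a RIP-relative or rel32 displacement, and encode_indirect_call emits the 6-byte call [rip+disp32] form when the pointer slot is in range and otherwise the 15-byte mov rax,imm64 / mov rax,[rax] / call rax sequence. The function names and the addresses used in the test are constructed; a little-endian (x64) host is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* "call qword ptr [rip+disp32]" encodes as FF 15 disp32 (6 bytes); a rel32
 * jcc such as the jne in the report is 0F 8x rel32, also 6 bytes. In both
 * cases the displacement is measured from the END of the instruction. */
#define RIP_CALL_LEN 6

/* True when the distance from the end of the instruction at insn_addr to
 * target fits x64's signed 32-bit displacement. This is the check an
 * assembler must make before emitting rel32: when it fails, the auto
 * assembler reports "offset too big"; a silently truncated displacement
 * would instead land somewhere other than the intended target. */
bool fits_rel32(uint64_t insn_addr, size_t insn_len, uint64_t target)
{
    int64_t disp = (int64_t)(target - (insn_addr + insn_len));
    return disp >= INT32_MIN && disp <= INT32_MAX;
}

/* Emit an indirect call through the 8-byte pointer at slot (in the report,
 * the kernelbase entry that holds ntdll.ZwOpenProcess). Near slots get the
 * RIP-relative form; far slots get the mov rax,imm64 fallback from the note.
 * out must hold at least 15 bytes; returns the number of bytes written.
 * Assumes a little-endian host, since memcpy writes the immediates as-is. */
size_t encode_indirect_call(uint64_t insn_addr, uint64_t slot, uint8_t *out)
{
    if (fits_rel32(insn_addr, RIP_CALL_LEN, slot)) {
        int32_t disp = (int32_t)(slot - (insn_addr + RIP_CALL_LEN));
        out[0] = 0xFF; out[1] = 0x15;                 /* call qword ptr [rip+disp32] */
        memcpy(out + 2, &disp, sizeof disp);
        return 6;
    }
    out[0] = 0x48; out[1] = 0xB8;                     /* mov rax, imm64 */
    memcpy(out + 2, &slot, sizeof slot);
    out[10] = 0x48; out[11] = 0x8B; out[12] = 0x00;   /* mov rax, [rax] */
    out[13] = 0xFF; out[14] = 0xD0;                   /* call rax */
    return 15;
}
```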
~0000922

pausebreak7 (reporter)

Thank you! db

Issue History

Date Modified    | Username    | Field        | Change
2015-12-18 04:15 | pausebreak7 | New Issue    |
2015-12-18 04:15 | pausebreak7 | File Added   | offset too big error.png
2015-12-20 19:54 | Dark Byte   | Note Added   | 0000921
2015-12-20 19:55 | Dark Byte   | Note Edited  | 0000921
2015-12-20 19:56 | Dark Byte   | Note Edited  | 0000921
2015-12-20 19:57 | Dark Byte   | Note Edited  | 0000921
2015-12-21 06:21 | pausebreak7 | Note Added   | 0000922
2015-12-21 10:47 | Dark Byte   | Status       | new => resolved
2015-12-21 10:47 | Dark Byte   | Resolution   | open => no change required
2015-12-21 10:47 | Dark Byte   | Assigned To  | => Dark Byte
2016-06-05 15:18 | Jptnuc      | Issue cloned | 0000477