Cheat Engine Forum (The Official Site of Cheat Engine)
ParkourPenguin
I post too much
Reputation: 152
Joined: 06 Jul 2014
Posts: 4691

Posted: Mon Jun 20, 2016 9:50 pm

In a 32-bit process, you can use the near jump (5 bytes) no problem regardless of where the memory is allocated because every address is within 2GB of every other address in a 4GB address space.

In a 64-bit process, however, the virtual address space is much greater than 4GB, so you won't always be able to use the near jump. That's what the third parameter to alloc is for: the computer will try to allocate that memory within 2GB of that address.

In order to jump to a memory location further than 2GB away, you'll need to store the address you want to go to in some r/m64 and use that instead. The 14 byte jump in this case refers to storing the address you want to jump to just after the jmp instruction. This subsequently overrides any instructions in the way and forms all the "garbage" disassembly you see. 6 byte jmp + 8 bytes for the address = 14 bytes overridden.

Thus, when doing a code injection using a 14-byte jump, the only noticeable difference to you is that you'll need to override nearly 3x more instructions. Using the OP as an example, here's how you'd explicitly use a 14-byte jmp:
Code:
[ENABLE]
aobscanmodule(aob_highlight,witcher3.exe,48 8B 39 8B 41 08 45 33 E4 48 8D 0C 80 4C 8B F2) // should be unique
alloc(newmem,$1000,"witcher3.exe"+9AF4EE)
alloc(pointer_highlight,8)

label(return)

registersymbol(pointer_highlight)
registersymbol(aob_highlight)

newmem:
  mov [pointer_highlight],rcx   // save rcx for the pointer symbol
  // original code (16 bytes) follows
  mov rdi,[rcx]
  mov eax,[rcx+08]
  xor r12d,r12d
  lea rcx,[rax+rax*4]
  mov r14,rdx
  jmp return

aob_highlight:
  db FF 25 00 00 00 00   // jmp qword ptr [rip+0]: target is the qword right after this instruction
  dq newmem              // 8-byte absolute address of newmem
  nop                    // 6 + 8 = 14 bytes replace 16 bytes of original code; pad the rest
  nop
return:

[DISABLE]
aob_highlight:
  db 48 8B 39 8B 41 08 45 33 E4 48 8D 0C 80 4C 8B F2   // restore the original 16 bytes

dealloc(newmem)
dealloc(pointer_highlight)
unregistersymbol(pointer_highlight)
unregistersymbol(aob_highlight)

CE automatically does this when it goes to assemble the instruction "jmp newmem" if newmem is further than 2GB away. However, something obviously isn't working perfectly right now, so do this in order to avoid any ambiguity.

For more technical information, refer to the Intel Software Developer's Manual Volume 2A section 2.2.1.6 "RIP-relative addressing", as well as the documentation on the JMP instruction within said manual (or any other valid x64 reference of your choice).
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Post reviews: Approve 1
++METHOS, Review: Approve, Posted: Tue Jun 21, 2016 4:56 am
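The choice between the 5-byte near jmp and the 14-byte absolute jmp that the post describes, written out as an added example in C. This is not code from the post or from Cheat Engine; it shows the rule CE applies when it assembles "jmp newmem": use E9 rel32 when the target is within a signed 32-bit displacement of the end of the jmp, otherwise FF 25 00 00 00 00 (jmp qword ptr [rip+0]) followed by the 8-byte target, and NOP-pad to the length of the instructions being overwritten (16 in the post). The hook-site and newmem addresses are constructed for the example; the "witcher3.exe" base is hypothetical.

```c
/* Added example, not from the forum post or Cheat Engine: emit and decode the
 * near (5-byte) and absolute (14-byte) jmp forms discussed above. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NEAR_JMP_LEN 5   /* E9 rel32 */
#define FAR_JMP_LEN  14  /* FF 25 00 00 00 00 (jmp qword ptr [rip+0]) + dq target */

/* rel32 is relative to the end of the 5-byte instruction and must fit in a
 * signed 32-bit displacement, i.e. the target must be within +/-2GB of it. */
static int near_jmp_reaches(uint64_t from, uint64_t to)
{
    int64_t disp = (int64_t)(to - (from + NEAR_JMP_LEN));
    return disp >= INT32_MIN && disp <= INT32_MAX;
}

/* Write a jmp from `from` to `to` into `out`, NOP-padding to patch_len (the
 * total length of the instructions being overwritten). Returns patch_len on
 * success, 0 if patch_len cannot hold the chosen encoding. */
static size_t emit_jmp(uint8_t *out, size_t out_cap, uint64_t from, uint64_t to, size_t patch_len)
{
    size_t n;
    if (patch_len > out_cap) return 0;
    if (near_jmp_reaches(from, to)) {
        if (patch_len < NEAR_JMP_LEN) return 0;
        int32_t rel = (int32_t)(to - (from + NEAR_JMP_LEN));
        out[0] = 0xE9;
        memcpy(out + 1, &rel, 4);            /* little-endian rel32 */
        n = NEAR_JMP_LEN;
    } else {
        if (patch_len < FAR_JMP_LEN) return 0;
        static const uint8_t op[6] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
        memcpy(out, op, 6);                  /* jmp qword ptr [rip+0] */
        memcpy(out + 6, &to, 8);             /* the qword immediately after it */
        n = FAR_JMP_LEN;
    }
    memset(out + n, 0x90, patch_len - n);    /* nop the tail of the last overwritten instruction */
    return patch_len;
}

/* Decode the target of a jmp written by emit_jmp, given the address `at` where
 * the bytes live, so a patch can be checked before it is applied. Only the
 * inline-slot form of FF 25 (disp32 == 0) is handled; returns 0 otherwise. */
static uint64_t decode_jmp_target(const uint8_t *p, uint64_t at)
{
    if (p[0] == 0xE9) {
        int32_t rel; memcpy(&rel, p + 1, 4);
        return at + NEAR_JMP_LEN + (int64_t)rel;
    }
    if (p[0] == 0xFF && p[1] == 0x25) {
        int32_t disp; memcpy(&disp, p + 2, 4);
        if (disp != 0) return 0;             /* RIP-relative slot elsewhere: not this example's form */
        uint64_t tgt; memcpy(&tgt, p + 6, 8);
        return tgt;
    }
    return 0;
}

/* Self-check on constructed addresses: a hypothetical "witcher3.exe"+9AF4EE
 * hook site, one newmem within 2GB and one far away. Returns failed checks. */
static int check_encodings(void)
{
    const uint64_t from    = 0x7FF6A09AF4EEULL;  /* constructed hook site */
    const uint64_t to_near = 0x7FF6A0A00000ULL;  /* constructed, within 2GB */
    const uint64_t to_far  = 0x1A0000000ULL;     /* constructed, far away */
    uint8_t buf[16];
    int fails = 0;

    if (emit_jmp(buf, sizeof buf, from, to_near, 16) != 16) fails++;
    if (buf[0] != 0xE9 || buf[5] != 0x90) fails++;
    if (decode_jmp_target(buf, from) != to_near) fails++;

    if (emit_jmp(buf, sizeof buf, from, to_far, 16) != 16) fails++;
    if (buf[0] != 0xFF || buf[1] != 0x25 || buf[14] != 0x90 || buf[15] != 0x90) fails++;
    if (decode_jmp_target(buf, from) != to_far) fails++;

    if (emit_jmp(buf, sizeof buf, from, to_far, 5) != 0) fails++;  /* 5 bytes cannot hold the far form */
    return fails;
}

int main(void)
{
    uint8_t buf[16];
    size_t n = emit_jmp(buf, sizeof buf, 0x7FF6A09AF4EEULL, 0x1A0000000ULL, 16);
    for (size_t i = 0; i < n; i++) printf("%02X ", buf[i]);   /* the 14-byte form plus two NOPs */
    printf("\nfailed checks: %d\n", check_encodings());
    return 0;
}
```

The displacement check is taken from the end of the 5-byte instruction, not from its first byte, which is the off-by-five that bites when a target sits right at the 2GB boundary; the decoder is there so the 16 bytes can be read back and compared against the intended newmem before anything is written into the process.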