Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Mon Sep 17, 2007 3:42 pm Post subject: A few questions

Been wondering some of these for a long time.
1) Why are values in Flash applets stored in memory at 8 times the value you would expect? i.e. if a certain variable, let's say time, was 2 seconds, the value stored in memory would be 16. Why is it multiplied by 8? I assume it's the way Flash "executes" the ActionScript, but I'd like to know for sure if possible.
2) What is the memory type "double" in Cheat Engine? I understand that if an address is of type "1 byte" then it can hold 2^8 = 256 different values, but what does "double" mean? A dword/2 words/32 bits can hold 4294967296 different values; I haven't tested whether "double" can take all those yet.
3) I was reading up on some basic reversing recently and came across the term "memory segment" in connection with memory pointers. Is that the same as the "base address" you find in CE when finding pointers?
4) Again, whilst I was reading about reversing, I started extending my knowledge a little on registers. I had previously understood the general concept: move stuff into registers for operating on, for faster access times, etc. But then I came across 32, 16 and 8 bit registers and got a little confused at this point. So let's take for example a 32 bit register, EAX. Would I be correct in saying that within that there are 16 bits which are allocated another name? Otherwise it would be nice if someone could explain how the 16 bit register relates to the 32 bit one. Then, reading on some more, I read about 8 bit registers. I "think" I kind of understand this. Would I be right in saying that the 16 bit register contains a "higher" and "lower" part (AH and AL)? Therefore changing what is stored in either would change what is stored in AX and therefore EAX?
I expect I've got something very, very wrong along the way, but what I've learnt has been all information I had to search for. I'm really looking for someone here who can help me out so I can start moving on by getting to grips with the basics well. Yes, I've already looked on Google. I'm mostly looking for clarification on these points, but any extra info would be awesome.
appalsap (Moderator)
Reputation: 0
Joined: 27 Apr 2006 Posts: 6753 Location: Pakistan
Posted: Mon Sep 17, 2007 3:48 pm

2) "double" is an 8 byte floating point type
4) yes
atom0s (Moderator)
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Mon Sep 17, 2007 5:10 pm

1.) This is only in Flash 9 from what I recall. (Maybe 8, not sure.) My guess is to prevent hacking and such, or something to do with x64 systems. Dunno.
2.) As appal said, 8 byte float value.
3.) Not sure what it was that you read that refers to it, but pointers are addresses that point to another block of memory. Usually used while a game uses code shifting or DMA. You usually need to find the base address of the memory block the pointer is found in to make a cheat.
Base + Offset = Address
Address - Base = Offset
And so on.
4.) I have a few ASM tutorials that someone posted a while back on another site that I kept somewhere; when I find 'em I'll upload them for ya.
Edit: Ok, found them, here ya go:
http://home.comcast.net/~wiccaan/downloads/asm/asmd1.txt
http://home.comcast.net/~wiccaan/downloads/asm/asmd2.txt
http://home.comcast.net/~wiccaan/downloads/asm/asmd3.txt
Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Tue Sep 18, 2007 8:59 am

appalsap wrote:
> 2) "double" is an 8 byte floating point type

Thanks. And how many bytes/bits would a float itself be?
What would the other half of EAX (not AX) be called then? Or does it not have a name?

Wiccaan wrote:
> 1.) This is only in Flash 9 from what I recall. (Maybe 8, not sure.) My guess is to prevent hacking / and such or something to do with x64 systems. Dunno.

Don't think it's to prevent hacking; it'd be really ineffective. Instead, values could be encrypted, or there are lots of ways to make them look randomized when they are not.

Quote:
> 2.) As appal said, 8 byte float value.

Okay, so a possible example could be:
1180591620717.41130342 ?

Quote:
> 3.) Not sure what it was that you read to refer to, but, pointers are addresses that point to another block of memory. Usually used while a game uses code shifting or DMA. You usually need to find the base address of the memory block the pointer is found out to make a cheat.
> Base + Offset = Address
> Address - Base = Offset
> And so on.

Is it not more "base + offset = static address of the value"? This is exactly what I read:

Code:
> A segment is a piece in memory where instructions (CS), data (DS), the stack (SS) or just an extra segment (ES) are stored. Every segment is divided in 'offsets'. In 32-bits applications (Windows 95/98/ME/2000), these offsets are numbered from 00000000 to FFFFFFFF. 65536 pieces of memory thus 65536 memory addresses per segment. The standard notation for segments and offsets is:
> SEGMENT : OFFSET = Together, they point to a specific place (address) in memory.
> See it like this:
> A segment is a page in a book : An offset is a specific line at that page.

It seemed to be similar to my perception of a memory pointer, so I made a connection.
Thanks, those will be very useful I'm sure; I'll read over them when I'm free. They look interesting at a first glance anyway.
kittonkicker (I post too much)
Reputation: 1
Joined: 19 Apr 2006 Posts: 2171
Posted: Tue Sep 18, 2007 10:43 am

Slugsnack wrote:
> Thanks. And how many bytes/bits would float itself be ?

A Float is also 8 bytes.

Slugsnack wrote:
> Okay so a possible example could be:
> 1180591620717.41130342 ?

I'm not sure if a float can be that big, but an example would be 4192.34 (precision is up to the user; I'm not sure what the limitation is).

Slugsnack wrote:
> Is it not more base + offset = static address of the value ? This is exactly what I read:

Base = Static address in the code which never changes.
Offset = The amount to offset the value of the base by.
Example:
Base = 007c1245 = 3e2b232f (base of the dynamic memory the pointer points to).
Offset = 3fc.
Base + Offset = 3e2b272b.
Please note these are only examples and relate to nothing.
_________________
All gone
appalsap (Moderator)
Reputation: 0
Joined: 27 Apr 2006 Posts: 6753 Location: Pakistan
Posted: Tue Sep 18, 2007 11:36 am

kittonkicker wrote:
> Slugsnack wrote:
> > Thanks. And how many bytes/bits would float itself be ?
> A Float is also 8 bytes

No, it is 4 bytes; that is why double is called double: it is "double" the size of float!
atom0s (Moderator)
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Tue Sep 18, 2007 11:43 am

kittenkicker wrote:
> Base = Static address in the code which never changes.

The base can change in some cases, like code shifting. Since the base is the start address of a module (a DLL in most cases, which stands for Dynamic Link Library), the address does not always remain the same when it is loaded. But it's easy to get the address if you require it.
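The base/offset arithmetic kittonkicker and atom0s describe above, as an added example (this is not code from the thread or from Cheat Engine). It models the situation with a constructed layout: a global pointer that sits at a fixed place inside the module, pointing at a heap block whose address changes every time it is allocated, with the wanted field at +0x3fc (kittonkicker's offset). `PlayerBlock`, `g_player` and the helper names are assumptions made for the example. The block is allocated twice at different addresses to show that the pointer path (static address, then offset) keeps working even though the raw address does not; the global's own address is only fixed relative to the module base, which is why atom0s notes the base itself can move between loads.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed layout for the example: a heap block holding the player's data,
 * with the field of interest 0x3fc bytes from the start of the block (the same
 * offset kittonkicker used in his example). */
typedef struct {
    uint8_t other_fields[0x3fc];
    uint32_t health;            /* lives at +0x3fc */
} PlayerBlock;

/* The "static" pointer: a global lives at a fixed address inside the module for
 * as long as the module stays loaded, but its contents (the block address) are
 * only known once the game has allocated the block at runtime. */
static PlayerBlock *g_player = NULL;

/* Address = Base + Offset */
uintptr_t resolve_address(uintptr_t base, uintptr_t offset)
{
    return base + offset;
}

/* Offset = Address - Base */
uintptr_t recover_offset(uintptr_t address, uintptr_t base)
{
    return address - base;
}

/* Follow one pointer level: read the block address stored at the static
 * pointer, add the offset, then read the 4-byte value found there. */
uint32_t read_through_pointer(PlayerBlock *const *static_ptr, uintptr_t offset)
{
    uintptr_t base = (uintptr_t)(*static_ptr);
    uint32_t *field = (uint32_t *)resolve_address(base, offset);
    return *field;
}

/* Allocate the block twice so it can land at two different addresses; the
 * static pointer plus offset keeps working because the path, not the raw
 * address, is what stays fixed. Returns 1 when both reads came back right. */
int pointer_path_survives_reallocation(void)
{
    uintptr_t offset = offsetof(PlayerBlock, health);
    int ok = 1;
    for (int run = 0; run < 2; run++) {
        g_player = calloc(1, sizeof *g_player);
        if (!g_player) return 0;
        g_player->health = 100u + (uint32_t)run;
        ok = ok && (read_through_pointer(&g_player, offset) == 100u + (uint32_t)run);
        free(g_player);
        g_player = NULL;
    }
    return ok;
}

int main(void)
{
    /* kittonkicker's numbers: the static address holds 3e2b232f, offset is 3fc */
    uintptr_t base = 0x3e2b232f, offset = 0x3fc;
    printf("Base + Offset  = %08lx\n", (unsigned long)resolve_address(base, offset));
    printf("Address - Base = %lx\n", (unsigned long)recover_offset(0x3e2b272b, base));
    printf("offsetof(health) = %lx\n", (unsigned long)offsetof(PlayerBlock, health));
    printf("pointer path survives reallocation: %d\n", pointer_path_survives_reallocation());
    return 0;
}
```

Run it and the first line prints 3e2b272b, the value kittonkicker arrived at by hand; a multi-level pointer is just `read_through_pointer` applied again to the result, with the next offset.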
Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Tue Sep 18, 2007 12:19 pm

kittonkicker wrote:
> Slugsnack wrote:
> > Thanks. And how many bytes/bits would float itself be ?
> A Float is also 8 bytes.
> Slugsnack wrote:
> > Okay so a possible example could be:
> > 1180591620717.41130342 ?
> I'm not sure if a float can be that big, but an example would be 4192.34 (precision is up to the user, I'm not sure what the limitation is).

If a float was 8 bytes then I would assume it could hold 2^8*8 (8 bits in a byte and 8 bytes), which is 18446744073709551616. Actually, I was also wondering how the decimal point is represented in binary.

Quote:
> Slugsnack wrote:
> > Is it not more base + offset = static address of the value ? This is exactly what I read:
> Base = Static address in the code which never changes.
> Offset = The amount to offset the value of the base by.
> Example:
> Base = 007c1245 = 3e2b232f (base of the dynamic memory the pointer points to).
> Offset = 3fc.
> Base + Offset = 3e2b272b.
> Please note these are only examples and relate to nothing.

Thanks. I think I'm okay finding pointers, multiple level pointers too, but mainly wanted to clarify whether this base was the same as a memory segment. I saw it being used in a similar context.

appalsap wrote:
> kittonkicker wrote:
> > Slugsnack wrote:
> > > Thanks. And how many bytes/bits would float itself be ?
> > A Float is also 8 bytes
> no, it is 4 bytes; that is why double is called double, it is "double" the size of float!

Ahh, that would explain a lot. I was curious why 2 of the same memory types would be included :p On that subject, I never quite understood why it is generally better to scan under 4 byte if you don't know the memory type to start off with (at least that's what the CE tutorial says).

Wiccaan wrote:
> kittenkicker wrote:
> > Base = Static address in the code which never changes.
> The base can change in some cases like code shifting. Since the base is the start address of a module (dll in most cases) which stands for Dynamic Link Library, the address does not always remain the same when it is loaded. But it's easy to get the address if you require it.

Is code shifting the same as dynamic memory allocation?
Thanks for all your answers guys, you're really helpful.
appalsap (Moderator)
Reputation: 0
Joined: 27 Apr 2006 Posts: 6753 Location: Pakistan
Posted: Tue Sep 18, 2007 12:35 pm

Slugsnack wrote:
> I never quite understood why it is generally better to scan under 4 byte if you don't know the memory type to start off with (at least that's what the CE tutorial says).

Because that's the size of an integer and the size of a pointer (32-bit).
Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Tue Sep 18, 2007 12:49 pm

Wouldn't an integer over 4294967296 exceed 4 bytes? By the way, thanks for the quick replies. I'm learning a lot today. Repped ya.
appalsap (Moderator)
Reputation: 0
Joined: 27 Apr 2006 Posts: 6753 Location: Pakistan
Posted: Tue Sep 18, 2007 12:56 pm

Yes, that is what the "long long" type is for.
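The type sizes that came up above (appalsap: float is 4 bytes, double is 8, a 4-byte scan matches an int and a 32-bit pointer, and "long long" for values past 4294967296) and Slugsnack's question about how the decimal point is represented in binary, as one added example that is not part of the thread. The point it shows is that a float is not a 32-bit integer with a decimal point somewhere: its 32 bits are split into a sign bit, an 8-bit exponent and a 23-bit fraction (IEEE 754 single precision), and the value is rebuilt as (1 + fraction/2^23) * 2^(exponent - 127). It also shows why 8 bytes of double do not give 2^64 exact integers, since only 53 of those bits hold digits. `FloatParts`, `pow2` and the helper names are this example's own; the expected sizes assume a common 32- or 64-bit C compiler (int 4, long long 8, float 4, double 8).

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Sizes of the C types that line up with Cheat Engine's scan types. int and
 * long long keep these sizes on 64-bit Windows and Linux as well; the pointer
 * is the one that grows from 4 to 8 bytes in a 64-bit process. */
size_t size_of_float(void)     { return sizeof(float); }
size_t size_of_double(void)    { return sizeof(double); }
size_t size_of_int(void)       { return sizeof(int); }
size_t size_of_long_long(void) { return sizeof(long long); }

/* The three fields of an IEEE 754 single-precision (4-byte) float. */
typedef struct {
    unsigned sign;       /* bit 31: 1 means negative */
    unsigned exponent;   /* bits 30..23, stored with a bias of 127 */
    uint32_t fraction;   /* bits 22..0: the binary digits after the point */
} FloatParts;

/* Split a float into its fields by reading its raw bytes (no numeric conversion). */
FloatParts float_parts(float f)
{
    uint32_t bits;
    memcpy(&bits, &f, sizeof bits);
    FloatParts p;
    p.sign = bits >> 31;
    p.exponent = (bits >> 23) & 0xFFu;
    p.fraction = bits & 0x7FFFFFu;
    return p;
}

/* 2^e computed by repeated doubling/halving, so no libm is needed. */
static double pow2(int e)
{
    double r = 1.0;
    for (; e > 0; e--) r *= 2.0;
    for (; e < 0; e++) r /= 2.0;
    return r;
}

/* Put the fields back together for a normal number:
 * value = (-1)^sign * (1 + fraction / 2^23) * 2^(exponent - 127).
 * Zero, denormals, infinity and NaN use exponent 0 or 255 and are not handled. */
double float_value_from_parts(FloatParts p)
{
    double mantissa = 1.0 + (double)p.fraction / pow2(23);
    double value = mantissa * pow2((int)p.exponent - 127);
    return p.sign ? -value : value;
}

/* |rebuilt value - exact decimal|: non-zero for most decimals, because only
 * fractions made of powers of two (like 0.5, 0.25) fit exactly in binary. */
double float_roundtrip_error(float f, double exact)
{
    double d = float_value_from_parts(float_parts(f)) - exact;
    return d < 0 ? -d : d;
}

/* A double has 64 bits but only 53 of them carry digits: 2^53 + 1 cannot be
 * stored and rounds back to 2^53. Returns 1 when that loss is observed. */
int double_loses_integer_above_2pow53(void)
{
    double limit = pow2(53);
    volatile double next = limit + 1.0;   /* volatile keeps the sum in double precision */
    return next == limit;
}

int main(void)
{
    FloatParts p = float_parts(4192.34f);   /* kittonkicker's example value */
    printf("float=%zu double=%zu int=%zu long long=%zu bytes\n",
           size_of_float(), size_of_double(), size_of_int(), size_of_long_long());
    printf("4192.34f -> sign=%u exponent=%u (2^%d) fraction=0x%06x\n",
           p.sign, p.exponent, (int)p.exponent - 127, (unsigned)p.fraction);
    printf("rebuilt: %.6f, error vs 4192.34: %g\n",
           float_value_from_parts(p), float_roundtrip_error(4192.34f, 4192.34));
    printf("2^53 + 1 == 2^53 in a double: %d\n", double_loses_integer_above_2pow53());
    return 0;
}
```

For 4192.34 the exponent field comes out as 139, i.e. 2^12 = 4096 with a mantissa of about 1.0235, and the rebuilt value differs from 4192.34 by a fraction of a thousandth: that residual is the float's precision limit that kittonkicker was unsure about.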
atom0s (Moderator)
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Tue Sep 18, 2007 1:41 pm

Slugsnack wrote:
> Is code shifting is the same as dynamic memory allocation ?

Looking at the Wikipedia and Dictionary.com definitions of the acronym DMA, they say:

Quote:
> In computer science, dynamic memory allocation is the allocation of memory storage for use in a computer program during the runtime of that program.

Code shifting is a form of DMA. I say this because you use a module, as I said above, for the base address to find the pointers and memory locations inside the process. When the program is started, a DLL is given a memory block to hold its info. At runtime the section of memory given to the DLL can change. Sometimes it will remain the same until the system is restarted, or another form of alteration to the system has been done.
Pure DMA is something that games use to prevent hacking, which is memory that's constantly changing location. So you have a pointer at 1 location which might change a few seconds later. Just like in the CEF tutorial program, how the pointer changes on Step 8 I think it was.
I, myself, don't consider code shifting full DMA; instead I think of it as a sub-category inside the many types of DMA that can be done.
Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Tue Sep 18, 2007 1:42 pm

Haven't noticed one called "long long". Guess I'll keep an eye out next time.
Just a few of the unanswered questions, in case you missed them or anyone else would like to answer them:

Quote:
> Why are values in Flash applets stored 8 times their value in memory than you would expect ? ie. if a certain variable, let's say time was 2 seconds. The value stored in memory would be 16. Why is it multiplied by 8 ? I assume it's the way Flash "executes" the ActionScript but I'd like to know for sure if possible.

Quote:
> What would the other half of EAX (not AX) called then ? Or does it not have a name ? (In fact, what is even the point in the 32 bit register being split up into so many little bits ?)

Quote:
> Actually I was also wondering how the decimal point is represented in binary (in a floating point value).

Quote:
> Code shifting is a form of DMA. I say this because you use a module, as I said above, for the base address to find the pointers and memory locations inside the process. When the program is started, a DLL is given a memory block to hold its info. At runtime the section of memory given to the DLL can change. Sometimes it will remain the same until the system is restarted, or another form of alteration to the system has been done.

What's the purpose of code shifting?

Quote:
> Pure DMA is something that games use to prevent hacking which is memory thats constantly changing location. So you have a pointer at 1 location which might change a few seconds later. Just like in the CEF tutorial program how the pointer changes on Step 8 I think it was.

Correct me if I'm wrong, but the tutorial step 8 is merely using a multiple level pointer (4 levels if I remember correctly). Also, I thought DMA was to save on memory rather than to stop hackers. The impression I used to have was that instead of allocating set sizes in memory, the size is dependent on the size of the function or whatever, so that the memory is kind of "defragmented".

Quote:
> I, myself, don't consider code shifting full DMA, but, instead I think of it as a sub-category inside the many types of DMA that can be done.

Thanks, I've been trying to search for what code shifting actually means recently. Wikipedia let me down T_T
http://en.wikipedia.org/wiki/Code_shifting
Last edited by Slugsnack on Tue Sep 18, 2007 1:48 pm; edited 1 time in total
atom0s (Moderator)
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1

Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Tue Sep 18, 2007 1:55 pm

I learnt these 9 32-bit (4 byte) registers:
EAX: Extended Accumulator Register
EBX: Extended Base Register
ECX: Extended Counter Register
EDX: Extended Data Register
ESI: Extended Source Index
EDI: Extended Destination Index
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
EIP: Extended Instruction Pointer
Then these 16 bit (2 byte) ones:
AX
BX
CX
DX
SI
DI
BP
SP
IP
Then the first 4 are split into their high and low parts (bytes).
My understanding of it is that for the first four registers, the whole thing is called, for example, EAX. Then half of that (how do we know which half btw?) is called AX; then AX is split into two halves, AL and AH. I'm confused as to why they are given different names at all. They seem to be sometimes treated as separate registers. Also, if EAX is split into two halves, of which one is AX, then what is the other half called?
Thanks for the link, was just what I was looking for.
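The register aliasing Slugsnack asks about in question 4 and again in the post above, as an added example that is not from the thread or from any tutorial linked in it. AX is the low 16 bits of EAX (the upper 16 bits of EAX have no register name of their own on x86), AL is the low byte of AX and AH its high byte; writing any of the smaller names changes exactly those bits of EAX and nothing else. The helpers below model that with plain bit arithmetic, and the `RegEAX` union shows the same thing as overlapping storage, which matches the real layout because x86 is little-endian (byte 0 of the 32-bit word is AL). All names in the block are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Read the named parts of a 32-bit register value. */
uint16_t ax_of(uint32_t eax) { return (uint16_t)(eax & 0xFFFFu); }        /* bits 15..0 */
uint8_t  al_of(uint32_t eax) { return (uint8_t)(eax & 0xFFu); }           /* bits 7..0 */
uint8_t  ah_of(uint32_t eax) { return (uint8_t)((eax >> 8) & 0xFFu); }    /* bits 15..8 */

/* "mov al, v": only bits 7..0 change; AH and the upper half of EAX stay put. */
uint32_t set_al(uint32_t eax, uint8_t v)  { return (eax & 0xFFFFFF00u) | v; }
/* "mov ah, v": only bits 15..8 change. */
uint32_t set_ah(uint32_t eax, uint8_t v)  { return (eax & 0xFFFF00FFu) | ((uint32_t)v << 8); }
/* "mov ax, v": bits 15..0 change; in 32-bit code the upper 16 bits are untouched. */
uint32_t set_ax(uint32_t eax, uint16_t v) { return (eax & 0xFFFF0000u) | v; }

/* The same picture as overlapping storage. On a little-endian machine (x86 is),
 * byte 0 of the 32-bit word is AL and byte 1 is AH, so the union reproduces the
 * register's sub-names directly: writing r.byte.al changes r.ax and r.eax. */
typedef union {
    uint32_t eax;
    uint16_t ax;                        /* overlays the low 16 bits */
    struct { uint8_t al, ah; } byte;    /* AL at offset 0, AH at offset 1 */
} RegEAX;

/* Returns 1 when the union view agrees with the arithmetic view for this value,
 * i.e. the host has the little-endian byte order x86 uses. */
int union_view_matches(uint32_t value)
{
    RegEAX r;
    r.eax = value;
    return r.ax == ax_of(value) && r.byte.al == al_of(value) && r.byte.ah == ah_of(value);
}

int main(void)
{
    uint32_t eax = 0x12345678u;
    printf("EAX=%08x AX=%04x AH=%02x AL=%02x\n", (unsigned)eax,
           (unsigned)ax_of(eax), (unsigned)ah_of(eax), (unsigned)al_of(eax));
    eax = set_al(eax, 0xAB);   /* mov al, 0xAB */
    printf("after mov al: EAX=%08x AX=%04x\n", (unsigned)eax, (unsigned)ax_of(eax));
    eax = set_ah(eax, 0xCD);   /* mov ah, 0xCD */
    printf("after mov ah: EAX=%08x AX=%04x\n", (unsigned)eax, (unsigned)ax_of(eax));
    printf("union view matches arithmetic view: %d\n", union_view_matches(eax));
    return 0;
}
```

Starting from EAX = 12345678, `mov al, AB` leaves 123456AB and `mov ah, CD` then gives 1234CDAB: the 1234 half never moves, which is why a game storing a small counter in AL can be read or changed through AL, AX or EAX alike. The 16-bit names SI, DI, BP, SP and IP have no byte halves, which is why only the first four of the nine registers listed above split further.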