| View previous topic :: View next topic |
| Author |
Message |
Tatsu808
Newbie cheater
![]() Reputation: 0
Joined: 15 Nov 2014
Posts: 20
|
|
| Back to top |
|
 |
Zanzer
I post too much
![]() Reputation: 126
Joined: 09 Jun 2013
Posts: 3278
|
 Posted: Fri Jan 29, 2016 11:50 pm Post subject: |
 |
|
The bytes are based on the offset of where the current instruction is in relation to the jump target.
It's FEEE500E bytes away.
If you try to use those bytes in some other location, it will jump to an entirely different address.
CE has the reassemble(addr) method, which will correct the offset in any injection script you use.
|
|
| Back to top |
|
|
Tatsu808
Newbie cheater
![]() Reputation: 0
Joined: 15 Nov 2014
Posts: 20
|
| Posted: Sat Jan 30, 2016 12:11 am Post subject: |
|
|
| So what if the jump target was at memory address 4383890000 for example? if the current instruction was at 7FF66C3BAFED, the jump target would be 7FB2E8B2AFED bytes away from it. Would that jmp not be possible since jmps are only 5 bytes long? Just wondering because I created an alloc method in C# and it seems to allocate the memory to an address very far from the instruction I'm interested in which is at 7FB2E8B2AFED. I may have to fix this method...
|
|
| Back to top |
|
|
atom0s
Moderator
 Reputation: 202
Joined: 25 Jan 2006
Posts: 8546
Location: 127.0.0.1
|
| Posted: Sat Jan 30, 2016 12:19 am Post subject: |
|
|
Jumps are not directly to an address, they are calculated.
jmp 7FF66B2A0000
While that says to jump to address 0x7FF66B2A0000, you'll see that the bytes do not match that.
E9 0E 50 EE FE
E9 is the opcode for JMP. While the other bit is the offset to jump to.
0xFEEE500E
This is calculated based on the current position and the position to jump to.
Jumps are calculated like this:
result = ((jumpTo - jumpFrom) - 5)
_________________
- Retired. |
|
| Back to top |
|
|
Zanzer
I post too much
![]() Reputation: 126
Joined: 09 Jun 2013
Posts: 3278
|
| Posted: Sat Jan 30, 2016 12:34 am Post subject: |
 |
|
You can set an address to the value of that destination address.
Then create an instruction which jumps to the value of that address.
CE sometimes will do this:
Bytes: FF 25 00 00 00 00
This translates to a jump which uses the next 8 bytes after the jump instruction as the address to which you want to jump.
So in your example, you would replace all of the following bytes:
FF 25 00 00 00 00 00 00 89 83 43 00 00 00
|
|
| Back to top |
|
|
hhhuut
Grandmaster Cheater
 Reputation: 6
Joined: 08 Feb 2015
Posts: 607
|
| Posted: Sat Jan 30, 2016 9:41 am Post subject: |
|
|
| Additionally, VirtualAlloc (and also the alloc of CE) has a parameter with which you can define near which position the new allocated space will be, so that you can be sure it's within 32bit address range and therefore near jumps will be sufficient ...
|
|
| Back to top |
|
|
Tatsu808
Newbie cheater
![]() Reputation: 0
Joined: 15 Nov 2014
Posts: 20
|
| Posted: Sat Jan 30, 2016 10:41 pm Post subject: |
|
|
Thanks for the help all, I was able to solve what I was trying to accomplish via C#.
| Quote: | Additionally, VirtualAlloc (and also the alloc of CE) has a parameter with which you can define near which position the new allocated space will be, so that you can be sure it's within 32bit address range and therefore near jumps will be sufficient ...
|
I went back and took a look at the parameter which defines the start address of the new allocated space, however, for some reason the closest address it could find to the target instruction was always over the 32 bit range.
| Quote: | You can set an address to the value of that destination address.
Then create an instruction which jumps to the value of that address.
CE sometimes will do this:
Bytes: FF 25 00 00 00 00
This translates to a jump which uses the next 8 bytes after the jump instruction as the address to which you want to jump.
So in your example, you would replace all of the following bytes:
FF 25 00 00 00 00 00 00 89 83 43 00 00 00 |
I used this solution to solve my "far jump problem" to be able to jmp from my target address to the destination address via the "FF 25 jmp". In the pictures below my destination address was allocated at "866D250000" and my target address at "7FF69977AFED". At the target address, I wrote 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x6D, 0x86, 0x00, 0x00, 0x00 bytes to it, and did the appropriate noping for the 14 byte jmp to my destination address.
Good stuff!
| Description: |
|
| Filesize: |
116.62 KB |
| Viewed: |
20530 Time(s) |
|
|
|
| Back to top |
|
|
Dark Byte
Site Admin
 Reputation: 465
Joined: 09 May 2003
Posts: 25548
Location: The netherlands
|
| Posted: Sun Jan 31, 2016 3:36 am Post subject: |
|
|
| Tatsu808 wrote: | Thanks for the help all, I was able to solve what I was trying to accomplish via C#.
| Quote: | Additionally, VirtualAlloc (and also the alloc of CE) has a parameter with which you can define near which position the new allocated space will be, so that you can be sure it's within 32bit address range and therefore near jumps will be sufficient ...
|
I went back and took a look at the parameter which defines the start address of the new allocated space, however, for some reason the closest address it could find to the target instruction was always over the 32 bit range.
|
The address provided must point to a currently non allocated block of memory and must be dividable by 65536
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Tatsu808
Newbie cheater
![]() Reputation: 0
Joined: 15 Nov 2014
Posts: 20
|
| Posted: Mon Feb 01, 2016 12:58 am Post subject: |
|
|
| Quote: | The address provided must point to a currently non allocated block of memory and must be dividable by 65536
|
Thanks for the reply. Yes, I made sure that the started address I specified for the VirtualAllocEx method was a non-allocated mem block and was divisible by 65536. I did this by finding a specified "starting address" close to my target address that was divisible by 65536 and then added 65536 or subtracted 65536 until an address was successfully allocated. For some reason the address that was allocated was over the 32 bit range, not sure why.
I'm sort of confused by this FF 25 jmp I attempted. The jmp to the destination address basically contains the same instructions as the original, but the game crashes... I'm not sure why. Could it be the "Call Fallout4.Scaleform::GFx::System::Init+1B1A8F1" giving problems? The address I place the JMP is at 7FF64240003F and when I jmp out of my code cave, I JMP to 7FF64240003F + 0x0F. I don't see any mistakes atm....
| Description: |
|
| Filesize: |
106.21 KB |
| Viewed: |
19734 Time(s) |
|
|
|
| Back to top |
|
|
panraven
Grandmaster Cheater
![]() Reputation: 59
Joined: 01 Oct 2008
Posts: 957
|
| Posted: Mon Feb 01, 2016 1:34 am Post subject: |
|
|
The original relative call +1b1a8f1 is not properly convert in the cave?
I guess the call need to make indirect manually, or something like ce reassemble function.
_________________
- Retarded. |
|
| Back to top |
|
|
Tatsu808
Newbie cheater
![]() Reputation: 0
Joined: 15 Nov 2014
Posts: 20
|
| Posted: Tue Feb 02, 2016 10:59 am Post subject: |
|
|
| As a work around, I placed the JMP high enough so that I wouldn't need to re-write the CALL in the code cave and was able to still edit the instruction I was interested in.
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
