Noobrzor Advanced Cheater
Reputation: 0
Joined: 19 May 2014 Posts: 74
Posted: Mon May 02, 2016 4:05 pm Post subject: How did this instruction access the address?
Greetings
I know address is accessed by [eax]. But how did this one get accessed? o.O
Neither rcx nor r8 is in brackets, meaning only registers are accessed, no? Not a memory address?
On the right I, just in case, tried "Find out what addresses this instruction accesses" and, no surprise, the list is empty. And the instruction is definitely in work plenty - game slowed down heavily after attaching the debugger.
How did CE detect it in such...one way?
Best Regards
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4719
Posted: Mon May 02, 2016 4:19 pm Post subject:
It's the repe movsb instruction under that. I'm not sure why CE is detecting the previous instruction accessing it; that might be a bug.
Look at this reference for more information.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Noobrzor Advanced Cheater
Reputation: 0
Joined: 19 May 2014 Posts: 74
Posted: Mon May 02, 2016 4:30 pm Post subject:
Well, 'Find out what addresses this instruction accesses' on repe movsb created an even bigger lag than the previous one, and still no addresses shown in the debugger.
How so?
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon May 02, 2016 4:56 pm Post subject:
You can also try a different debugger and breakpoint method.
Noobrzor Advanced Cheater
Reputation: 0
Joined: 19 May 2014 Posts: 74
Posted: Tue May 03, 2016 6:42 am Post subject:
Well, I tried to use a Windows debugger (previously I was using VEH) but...
using the Windows debugger, at the moment when the above-noted instruction gets invoked, the game crashes.
So there goes that.
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Tue May 03, 2016 7:11 am Post subject:
I don't know if you removed items from your original post, but just guessing...
Some addresses are only accessed during certain times, such as during startup, when the target loads everything. An area of code may get executed constantly, causing your target to lag when you attach CE, but that doesn't necessarily mean that the address that you're targeting is being accessed during that time.
If you want to find a way to access the address via the target's own code, you can try hooking an instruction that is directly accessing one of the other values/offsets in the same data structure as the targeted address.
Noobrzor Advanced Cheater
Reputation: 0
Joined: 19 May 2014 Posts: 74
Posted: Tue May 03, 2016 10:26 am Post subject:
++METHOS wrote: "I don't know if you removed items from your original post, but just guessing...
Some addresses are only accessed during certain times, such as during startup, when the target loads everything. An area of code may get executed constantly, causing your target to lag when you attach CE, but that doesn't necessarily mean that the address that you're targeting is being accessed during that time.
If you want to find a way to access the address via the target's own code, you can try hooking an instruction that is directly accessing one of the other values/offsets in the same data structure as the targeted address."
Yes, I am aware of that. When I attach the veh debugger two instructions show up and are typical accesses, executed many times in the span of seconds. Then I do X, which makes the repe movsb show up. When I do the thing with windows debugger it crashes at the point when I do X.
I need to find the stack of this code that is being accessed in order to make it conditionally nop'ed. As in it's executed many times, but sometimes I want it to be noped.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4719
Posted: Tue May 03, 2016 10:48 am Post subject:
Quote: "...the stack of this code that is being accessed..."
This makes no sense. Do you mean you want to find out what addresses that repe movsb instruction accesses? If so, you'll have to do that yourself since you stated CE is bugging out a bit.
Set a breakpoint before the repe movsb, look at what the esi/edi registers will be to find out what addresses are being read from / written to, and look at what ecx will be to see how many addresses it's doing this for. Use Lua if you want to automate the process.
If you want that repe movsb instruction to not write to your address, you can't replace that instruction with NOPs without affecting other stuff too.
The easiest way I can think of would be to copy the value of that address before it executes and restore it after. You may need a reference to your address (i.e. a pointer or a registered symbol) if it starts at different addresses but still encompasses the address you're concerned with.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
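Added example, not part of the thread and not Cheat Engine code: `movsb` takes its operands implicitly (source in rsi, destination in rdi, count in rcx), which is why the disassembly shows no bracketed address, and on `movs` the F3 prefix that disassemblers print as `repe` behaves as a plain `rep`. The C sketch below turns a register snapshot taken at a breakpoint before the instruction into the byte ranges read and written, including the direction-flag case; the 64-bit register names, function names and register values are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Inclusive byte range [lo, hi]; empty when the count register is 0. */
typedef struct { uint64_t lo, hi; bool empty; } range_t;

/* Bytes walked by a pointer register over `count` one-byte steps.
 * DF=0 increments the pointer, DF=1 decrements it.
 * Assumption: the copy does not wrap around the address space. */
static range_t walked(uint64_t start, uint64_t count, bool df)
{
    range_t r = { 0, 0, true };
    if (count == 0)
        return r;                      /* rcx == 0: nothing is touched */
    r.empty = false;
    r.lo = df ? start - (count - 1) : start;
    r.hi = df ? start : start + (count - 1);
    return r;
}

range_t movsb_reads(uint64_t rsi, uint64_t rcx, bool df)  { return walked(rsi, rcx, df); }
range_t movsb_writes(uint64_t rdi, uint64_t rcx, bool df) { return walked(rdi, rcx, df); }

bool in_range(range_t r, uint64_t addr)
{
    return !r.empty && addr >= r.lo && addr <= r.hi;
}

/* If `watched` is overwritten, report which source byte supplies its value. */
bool source_of(uint64_t rsi, uint64_t rdi, uint64_t rcx, bool df,
               uint64_t watched, uint64_t *src)
{
    if (!in_range(movsb_writes(rdi, rcx, df), watched))
        return false;
    *src = df ? rsi - (rdi - watched) : rsi + (watched - rdi);
    return true;
}

int main(void)
{
    /* Constructed register snapshot taken at the breakpoint (not from the thread). */
    uint64_t rsi = 0x7FF600001000, rdi = 0x7FF600200000, rcx = 0x40, src = 0;
    range_t w = movsb_writes(rdi, rcx, false);
    printf("writes %#llx..%#llx\n", (unsigned long long)w.lo, (unsigned long long)w.hi);
    if (source_of(rsi, rdi, rcx, false, 0x7FF600200010, &src))
        printf("watched byte comes from %#llx\n", (unsigned long long)src);
    return 0;
}
```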
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Tue May 03, 2016 12:17 pm Post subject:
Noobrzor wrote: "Yes, I am aware of that. When I attach the veh debugger two instructions show up and are typical accesses, executed many times in the span of seconds. Then I do X, which makes the repe movsb show up. When I do the thing with windows debugger it crashes at the point when I do X."
-In that case, your posts up to this point have been a bit misleading, including your topic title. Please try to be more specific with your posts so that the people that are trying to help you do not waste their time posting irrelevant replies.
Noobrzor wrote: "I need to find the stack of this code that is being accessed in order to make it conditionally nop'ed. As in it's executed many times, but sometimes I want it to be noped."
-You need to set up conditional jumps inside of your script so that unwanted addresses are filtered out and only your targeted address(es) are nop'ed. You can do that by following the advice outlined in your previous thread.