ada1016 - How do I cheat?
Reputation: 0
Joined: 17 May 2016 Posts: 7
Posted: Tue May 17, 2016 8:21 am Post subject: IDA + CE + android?
So I am not totally new to IDA, but relatively new to CE.
Already fascinated by what CE can do.
I saw similar posts asking why the pointer/address found is not the address in IDA, because of Windows 0x40000 (or something).
My puzzle is:
Can anyone share, on Android (or BlueStacks), how I map the address found in CE to the IDA opcode?
There are quite a few games that strip out the header file in the .so. My naive thought is that once I can map the CE code to IDA, I can break and trace from IDA even though the method names do not mean anything to a human.
Please educate me?
ada1016 - How do I cheat?
Reputation: 0
Joined: 17 May 2016 Posts: 7
Posted: Tue May 17, 2016 9:08 pm Post subject:
Please... I hope there is an Android guru who can share hacking scenarios around IDA + CE.
atom0s - Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Tue May 17, 2016 11:20 pm Post subject:
IDA bases things at a specific point. You can find what that base is by scrolling all the way up to the top of the main window and checking the default information printout like this:
So you know from this that IDA is using 0x10000000 as the base address for the image it loaded.
Then in Cheat Engine you'd take the address you found and subtract its base to get an offset you can use in IDA. With the offset you'd do:
(Imagebase From IDA) + Offset = Address within IDA
For example, I have this block of code in a game:
Code:
03D4AFE0 - 8B 44 24 0C - mov eax,[esp+0C]
03D4AFE4 - 56 - push esi
03D4AFE5 - 57 - push edi
03D4AFE6 - 66 8B 48 04 - mov cx,[eax+04]
03D4AFEA - 8D 70 04 - lea esi,[eax+04]
03D4AFED - 8B C1 - mov eax,ecx
03D4AFEF - 83 E0 3F - and eax,3F { 63 }
03D4AFF2 - 83 E8 02 - sub eax,02 { 2 }
03D4AFF5 - 0F84 D1000000 - je 03D4B0CC
03D4AFFB - 48 - dec eax
03D4AFFC - 74 2A - je 03D4B028
The base address where this code was loaded is:
03CB0000
So I would do:
03D4AFE0 - 03CB0000
So the offset is:
9AFE0
Inside of IDA I would then do:
10000000 + 9AFE0
Another thing you can do is use array of bytes to scan for the code in IDA. So with the above code, I could take the bytes of the opcodes such as:
8B 44 24 0C 56 57 66 8B 48 04 8D 70 04 8B C1 83 E0 3F 83 E8 02
Then in IDA in the main window (IDA View) hit ALT+B to open the byte scanning window. Paste in the code and search. It should find the same function within IDA. (Assuming that code is not generated at runtime or protected in some manner.)
One last thing you could do as well is rebase the image in IDA. Load up the file you are analyzing then while the IDA View window is active, choose:
Edit -> Segments -> Rebase Program...
Enter the base address where the image is loaded in Cheat Engine and let IDA reanalyze the file. This will let it mimic what you see in Cheat Engine.
_________________
- Retired.
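The address translation and the array-of-bytes search described in the post above, as an added Python example that is not part of the original thread. It uses the numbers from the post (module base 03CB0000, IDA image base 10000000, the listed opcode bytes, all copied into a constructed buffer) and, for the Android side of the question, parses a constructed /proc/<pid>/maps excerpt to recover a library's load base; the library name and mapping addresses in that excerpt are made up for illustration.

```python
"""Map Cheat Engine runtime addresses to IDA addresses and back.

Added example, not code from the forum post. Assumes the module base is
known: from Cheat Engine's module list on Windows/BlueStacks, or from
/proc/<pid>/maps on Android/Linux (parsed below from a constructed sample).
"""
import re

# Opcode bytes exactly as listed in the Cheat Engine dump in the thread,
# placed in a constructed buffer so the byte search below has a haystack.
CE_LISTING = bytes.fromhex(
    "8B44240C"      # mov eax,[esp+0C]
    "56" "57"       # push esi / push edi
    "668B4804"      # mov cx,[eax+04]
    "8D7004"        # lea esi,[eax+04]
    "8BC1"          # mov eax,ecx
    "83E03F"        # and eax,3F
    "83E802"        # sub eax,02
    "0F84D1000000"  # je +0xD1
    "48"            # dec eax
    "742A"          # je +0x2A
)


def ce_to_ida(ce_addr, module_base, ida_imagebase):
    """Runtime address -> IDA address: (addr - module base) + IDA image base."""
    if ce_addr < module_base:
        raise ValueError("address lies below the module base; wrong module?")
    return ida_imagebase + (ce_addr - module_base)


def ida_to_ce(ida_addr, module_base, ida_imagebase):
    """IDA address -> runtime address (e.g. to set a breakpoint in CE)."""
    return module_base + (ida_addr - ida_imagebase)


def find_pattern(haystack, pattern):
    """Alt+B style byte search. `pattern` is space-separated hex; '??' is a
    wildcard byte. Returns every offset in `haystack` where it matches."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in pattern.split()]
    return [m.start() for m in re.finditer(b"".join(parts), haystack, re.DOTALL)]


# Constructed /proc/<pid>/maps excerpt (Android/Linux). Library path and
# addresses are invented. The load base of a library is the start of its
# first mapping whose file offset is 00000000, regardless of permissions.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c400000-7f3a1c9c3000 r-xp 00000000 103:0a 1234  /data/app/com.example.game-1/lib/arm64/libgame.so
7f3a1c9c3000-7f3a1c9d2000 r--p 005c2000 103:0a 1234  /data/app/com.example.game-1/lib/arm64/libgame.so
7f3a1c9d2000-7f3a1c9e4000 rw-p 005d1000 103:0a 1234  /data/app/com.example.game-1/lib/arm64/libgame.so
"""


def module_base_from_maps(maps_text, libname):
    """Return the load base of `libname` from /proc/<pid>/maps text."""
    for line in maps_text.splitlines():
        fields = line.split()
        if (len(fields) >= 6 and fields[5].endswith("/" + libname)
                and fields[2] == "00000000"):
            return int(fields[0].split("-")[0], 16)
    raise LookupError(libname + " is not mapped")


if __name__ == "__main__":
    # Numbers from the post: 03D4AFE0 - 03CB0000 = 9AFE0; 10000000 + 9AFE0
    ida = ce_to_ida(0x03D4AFE0, 0x03CB0000, 0x10000000)
    print("IDA address: %08X" % ida)
    print("back to CE:  %08X" % ida_to_ce(ida, 0x03CB0000, 0x10000000))
    print("AOB hits:", find_pattern(CE_LISTING, "8B 44 24 0C 56 57 66 8B 48 04"))
    print("libgame.so base: %X" % module_base_from_maps(SAMPLE_MAPS, "libgame.so"))
```

For a position-independent Android .so, IDA usually shows an image base of 0, so the module-relative offset is the IDA address itself; for a Windows PE you use the image base IDA prints at the top of the listing, as in the post. Wildcards in the pattern are useful when a displacement or immediate in the code differs between the live process and the file on disk.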
ada1016 - How do I cheat?
Reputation: 0
Joined: 17 May 2016 Posts: 7
Posted: Wed May 18, 2016 7:53 pm Post subject:
Wow!!!! I wasn't expecting such a great response in such educational detail!!
I can't wait to try it.
I can understand and imagine what to do, mostly. Only this:
"The base address where this code was loaded at is at:
03CB0000"
Can I know how you know its base is loaded at 03CB0000?
Sincerely
atom0s - Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1