View previous topic :: View next topic |
Author |
Message |
Hpoonis How do I cheat? Reputation: 0
Joined: 30 Jan 2018 Posts: 2 Location: Currently Slovakia
|
Posted: Tue Jan 30, 2018 4:44 am Post subject: CE 6.7 64-Bit Tutorial - STEP 6 |
|
|
Now then, I worked through this a few times and up to this point don't think I had much of a problem...or maybe I was asleep/in another dimension/dead but I get to this point:
I find my value and select "Find out what ACCESSES this address" which is different from the previous step 5 tutorial using "Find out what writes to this address".
The tutorial text states, "Change the value again, and a item will show in the list. Double click that item. "
However, I always get 4 items!
What am I missing here? Maybe I am tired and cannot think clearly. |
|
Back to top |
|
|
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
|
Posted: Tue Jan 30, 2018 9:49 am Post subject: |
|
|
You were told to find what writes to the address but you found what accesses the address, which also shows instructions that read from the address. The second one in the list 10002CADC - 89 02 - mov [rdx], eax is the one that writes to it (mov destination, source. with [] = "[memory value at address]", without = "value") |
|
Back to top |
|
|
Hpoonis How do I cheat? Reputation: 0
Joined: 30 Jan 2018 Posts: 2 Location: Currently Slovakia
|
Posted: Wed Jan 31, 2018 4:15 am Post subject: |
|
|
AH. Thanks. I was tired and should have known better.
However...
I cut/paste the text from the TUTORIAL itself.
"First find the address of the value. When you've found it use the function to find out what accesses this address."
You will notice that it does indeed state "what accesses" and not what writes.
Maybe the author should correct their mistake.
M |
|
Back to top |
|
|
Dark Byte Site Admin Reputation: 465
Joined: 09 May 2003 Posts: 25570 Location: The netherlands
|
Posted: Wed Jan 31, 2018 4:36 am Post subject: |
|
|
Nope, find what accesses is what you should use as a pointer may not be written.
But the tutorial is designed for 32-bit, and you've targeted the 64-bit one, so somethings are not 100% correct and thus a bit more challenging
In your case there's not just one, but multiple. To have an easy time, just pick the writer instruction, but if you wish to understand what happens instead of blindly following a track, pick the read instruction:
Note the "more info" screen text that states that "registers shown are AFTER the instruction has been executed"
that means that EAX(RAX) has been overwritten by the value in [RAX]
all you know is that mov eax,[rax] accessed 1294d10
which is enough. As that means that the value between [] ended up at 1294d10
so that means that RAX used to have the value 1294d10
since you can rewrite mov eax,[rax] into mov eax,[rax+0000000000000000] that means the pointer had the VALUE 1294d10 and the used offset is 0
that's all you need for that pointer step. So do a 8 byte hexadecimal scan for 1294d10 and use that result with offset 0 and then continue on till a base pointer _________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
Back to top |
|
|
|