Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
readmem inconsistent? behavior inside "code cave"

Cheat Engine Forum Index -> Cheat Engine Lua Scripting
peddroelm
Advanced Cheater
Reputation: 0

Joined: 03 Oct 2014
Posts: 84

Posted: Mon Dec 05, 2022 4:49 am    Post subject: readmem inconsistent? behavior inside "code cave"

Code:

...
newmem:
code:
bytes_save_CmpCtC:
 readmem(AOB_LOG_Cmp_SkillCritChance_SkillPrecisionRoll+5f,5)
  // E8 1b4DAB00  Call 7FFB574A0430
...




Code:
[DISABLE]
...
AOB_LOG_Cmp_SkillCritChance_SkillPrecisionRoll+5f:
readmem(bytes_save_CmpCtC,5)
...


Disabling works great: it brings back
Call 7FFB574A0430 instead of the injection JMP to newmem = code = bytes_save_CmpCtc

WHEN THE SCRIPT IS ACTIVE, inside the "code cave",
while the opcodes are the same: E8 1b4DAB00,
the instruction appears decoded AS ?!!?!? CALL 7FFB52E94D20 ??!?!? NOT TO any actual function

Which obviously crashes the app on the spot ..

How to fix it? (other than making an AOB signature symbol for
the start of the 7FFB574A0430 function and calling that symbol?)


Are the opcodes involved for some sort of 'short' / relative address call ? How can I generate the full actual function address of the function call overwritten by the jmp to codecave instruction to call from the code cave ?


EDIT: digging around gives a hint from ParkourPenguin :

"The E8 CALL opcode uses a rel32 displacement from RIP (address of next instruction).

Take the address of the call instruction and add 5 to it. This is the address of the next instruction and where it will be jumping from.
Subtract that value from the address you're jumping to.
Write the resulting signed little-endian 32-bit integer to the rel32 displacement in the call instruction.
"

Hmm: Address In call - AddressIPAfterCall :

7ffb574a0430 – 7ffb569EB715 = AB4D1B
My opcode is E8 (short call?) 1b 4D AB 00 IT Matches ..Explains the predicament, How do I fix it ?

Return label has jmp to 7ffb569EB715 (can I / do I have to / how do I use this ?)

?!?! long call return+ 0xAB4D1B ?!?
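The arithmetic quoted above (rel32 displacement measured from the address of the next instruction) is exactly why a verbatim readmem copy of an E8 CALL into a code cave decodes to a different target. The following Python is an added example, not code from the thread or from Cheat Engine: it decodes the target of a 5-byte E8 rel32 CALL, re-encodes the displacement for a new location, and refuses when the target is more than 2 GiB away. The call address 0x7FFB569EB710 follows from the thread's "next instruction" value 0x7FFB569EB715; the code-cave address 0x7FFB523E0000 is an assumption, chosen so that the verbatim copy decodes to the 7FFB52E94D20 the poster observed.

```python
import struct

CALL_REL32_OPCODE = 0xE8
INSN_LEN = 5            # opcode byte + 4-byte rel32
ADDR_MASK = (1 << 64) - 1


def call_target(insn_addr: int, insn: bytes) -> int:
    """Absolute target of the E8 rel32 CALL whose first byte sits at insn_addr.

    The CPU adds the signed 32-bit displacement to the address of the NEXT
    instruction (insn_addr + 5), so the same bytes mean a different target
    at every address they are copied to.
    """
    if len(insn) != INSN_LEN or insn[0] != CALL_REL32_OPCODE:
        raise ValueError("not a 5-byte E8 rel32 CALL")
    rel32 = struct.unpack("<i", insn[1:5])[0]      # signed, little-endian
    return (insn_addr + INSN_LEN + rel32) & ADDR_MASK


def fits_rel32(insn_addr: int, target: int) -> bool:
    """True when target is reachable with a 32-bit displacement from insn_addr."""
    rel = target - (insn_addr + INSN_LEN)
    return -0x80000000 <= rel <= 0x7FFFFFFF


def encode_call(insn_addr: int, target: int) -> bytes:
    """Build the E8 rel32 CALL that, placed at insn_addr, calls target."""
    if not fits_rel32(insn_addr, target):
        raise ValueError(f"target {target:#x} out of rel32 range from {insn_addr:#x}")
    rel = target - (insn_addr + INSN_LEN)
    return bytes([CALL_REL32_OPCODE]) + struct.pack("<i", rel)


def relocate_call(insn: bytes, old_addr: int, new_addr: int) -> bytes:
    """Re-encode a CALL copied from old_addr to new_addr so the target is unchanged.

    This is what an assembler does when it re-assembles the instruction at its
    new address; readmem does not, it copies the bytes as they are.
    """
    return encode_call(new_addr, call_target(old_addr, insn))


if __name__ == "__main__":
    # Values from the thread: bytes E8 1B 4D AB 00, next instruction at 0x7FFB569EB715.
    original_bytes = bytes.fromhex("e81b4dab00")
    original_addr = 0x7FFB569EB715 - INSN_LEN
    cave_addr = 0x7FFB523E0000          # assumed code-cave address (constructed)

    print(f"original target : {call_target(original_addr, original_bytes):#x}")
    # Same bytes copied verbatim into the cave: decodes to a bogus target.
    print(f"verbatim in cave: {call_target(cave_addr, original_bytes):#x}")
    fixed = relocate_call(original_bytes, original_addr, cave_addr)
    print(f"relocated bytes : {fixed.hex()} -> {call_target(cave_addr, fixed):#x}")
```

The relocated encoding only works while the cave stays within plus or minus 2 GiB of the callee, which is why fits_rel32 is checked first; a cave allocated far away needs an absolute-address form instead of a rel32 CALL.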
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Mon Dec 05, 2022 5:29 am

try using reassemble(address) instead of readbytes
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
peddroelm
Advanced Cheater
Reputation: 0

Joined: 03 Oct 2014
Posts: 84

Posted: Mon Dec 05, 2022 5:49 am

this (AOB_symbol call) worked

Code:
...
newmem:
bytes_save_CmpCtC:
 readmem(AOB_LOG_Cmp_SkillCritChance_SkillPrecisionRoll+5f,5) // CALL Function by quite Possibly changing address


code:

call AOB_BM_f_getCanSkillCrit // call 7FFB574A0430  via AOB_symbol
...
....
  jmp return

AOB_LOG_Cmp_SkillCritChance_SkillPrecisionRoll+5f:
  jmp code // NOT NEWMEM cuz we store bytes_save_CmpCtC there
return:
registersymbol(AOB_LOG_Cmp_SkillCritChance_SkillPrecisionRoll)

[DISABLE]

AOB_LOG_Cmp_SkillCritChance_SkillPrecisionRoll+5f:
readmem(bytes_save_CmpCtC,5)
....




Sample output of the Lua function called by the script
Code:
DEBUG log CtC [al:0][ax:0][eax:0][rax0]
DEBUG log CtC [AoESA:2bd56b1a330][DiceRoll:56][CtC:2][targetCharde815d20]
DEBUG log CtC [al:0][ax:0][eax:0][rax0]
DEBUG log CtC [AoESA:2bd56b1a330][DiceRoll:56][CtC:2][targetCharde815a80]



will try the reassemble(address) instruction

EDIT:

Yup, reassemble worked great

Code:

...
newmem:
bytes_save_CmpCtC:
 readmem(AOB_LOG_Cmp_SkillCritChance_SkillPrecisionRoll+5f,5) // CALL Function by quite Possibly changing address


code:
//call AOB_BM_f_getCanSkillCrit // call 7FFB574A0430  via AOB_symbol
reassemble(AOB_LOG_Cmp_SkillCritChance_SkillPrecisionRoll+5f)
...


script output
Code:
************************************************************************
DEBUG: LogActiveSkillExecutionStart [ActiveSkill:2bcdc800110] [NodeSkillTarget:2bd56a042c0] [SkillSimulation.Simulation:2bd56a3d480] 
 ** SKILL:[AS_Skill_Combat_Competence_LongShot_B] started execution by ENTITY:[CHAR_NAME_AS_M_ELF] **
Actions to be performed: [RangeAction] [OrientateTowardAction] [DamageAction]
Target List IS UPDATED LATER..
************************************************************************
 
DEBUG log CtC [al:0][ax:0][eax:0][rax0]
DEBUG log CtC [AoESA:2bd56a45dd0][DiceRoll:10][CtC:10][targetChar2bc51ff17e0]
DEBUG log CtC [al:0][ax:0][eax:0][rax0]
DEBUG log CtC [AoESA:2bd56a45dd0][DiceRoll:10][CtC:10][targetChar2bc51ff17e0]