Cheat Engine The Official Site of Cheat Engine
M-Z (Advanced Cheater, Reputation: 1, Joined: 08 Nov 2014, Posts: 77, Location: Poland)
Posted: Sat Jan 28, 2023 2:30 pm
Post subject: globalAlloc in Windows 10
After upgrading from Win7 to Win10, some entries in my CE table stopped working.
I have discovered what was causing the problem: the globalalloc function didn't exactly work. The alloc may have been done, but registering it as a global variable wasn't (or the other way around).
This is the code that was enabled first, so the globalallocs were indeed "turned on".
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
globalalloc(THREAD_AASM,384)
globalalloc(THREAD_AASM2,384)
globalalloc(THREAD_AASM3,384)
globalalloc(lastDateTriggered,4)
globalalloc(OneDayCheatTriggered,4)
globalalloc(ZeroingProvinceCheatTriggered,4)
globalalloc(doEnd,4)
globalalloc(mustend,4)
globalalloc(loanSize,4)
globalalloc(newBaseForNation,8)
globalalloc(provincePTR,8)
globalalloc(selectedArmyPTR,8)
lastDateTriggered:
dd 029C77F8
OneDayCheatTriggered:
dd 0
ZeroingProvinceCheatTriggered:
dd 0
LoanSize:
dd #1000
And this is the code which refuses to inject.
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem2,512,eu4.exe+CF3FC5)
label(returnhere)
label(originalcode)
label(exit)
//registerSymbol(newBaseForNation)
newmem2: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
mov [rdi+000004E8],rsi
mov [provincePTR],rsi
cmp rsi,0
je exit
push rax
push rbx
mov bx,[rsi+464]
movzx rbx,bx
shl rbx,3 // rbx = numOfNation*8
// mov eax,eu4.exe+1850F90 1.28.3 //eu4.exe+18C2A70 (1.28.2) (countryDatabase)
//mov rax,[eu4.exe+00000000023F0158] // 1.32.2
// mov rax,[eu4.exe+000000000241E958] // 1.33.3
mov rax,[eu4.exe+00000000023AB9B0] // 1.34.5.6
mov rax,[rax+118]
add rax,rbx // rax = [[BASE]+118]+numOfNation*8
mov rax,[rax]
mov [newBaseForNation],rax // newBaseForNation = [[[BASE]+118]+numOfNation*8]
pop rbx
pop rax
exit:
jmp returnhere
eu4.exe+CF3FC5:
// - 48 89 B7 E8040000 - 1.34.5.6
jmp newmem2
nop
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
/*eu4.exe+CB46E5:
// - 48 89 B7 98040000 - 1.33.3
mov [rdi+00000498],rsi*/
eu4.exe+CF3FC5:
// - 48 89 B7 E8040000 - 1.34.5.6
mov [rdi+000004E8],rsi
If I comment out the lines
mov [provincePTR],rsi
and
mov [newBaseForNation],rax
the AA script starts working again (i.e. it is being injected). The script has not been changed since my migration from Win7, so I assume CE must work differently on Win10. Is that the case, and how do I work around this issue?
ParkourPenguin (I post too much, Reputation: 138, Joined: 06 Jul 2014, Posts: 4275)
Posted: Sat Jan 28, 2023 3:27 pm
globalalloc works fine. The problem is there's no guarantee the allocated address is within 2 GiB of the instruction accessing it. See RIP-relative addressing.
Either put the alloc in the script initializing it and register the symbol yourself, or address the symbol indirectly.
Code:
mov rax,provincePTR
mov [rax],rsi
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
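The reply above is the whole issue in two sentences, so here is the mechanism spelled out in code. This is an added example, not code from the thread or from Cheat Engine: it encodes the same store the script does (`mov [symbol],rsi`) for a given code address and target address, using the 7-byte RIP-relative form when the signed 32-bit displacement reaches, and otherwise the 13-byte `mov rax,imm64 / mov [rax],rsi` form that the reply suggests. The eu4.exe base, the low "globalalloc" address and the nearby "alloc(...,eu4.exe+X)" address in `main` are assumptions constructed for the demonstration, not real values from the game.

```c
/*
 * Added example (not from the thread or Cheat Engine): why "mov [symbol],rsi"
 * cannot be assembled when the symbol's memory is more than ~2 GiB away from
 * the code, and what the "mov rax,symbol / mov [rax],rsi" workaround encodes to.
 * All addresses below are assumptions, not real eu4.exe values.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* x86-64 "mov [rip+disp32],rsi" = 48 89 35 <disp32>: 7 bytes. */
#define RIP_STORE_LEN 7
/* "mov rax,imm64 ; mov [rax],rsi" = 48 B8 <imm64> 48 89 30: 13 bytes. */
#define ABS_STORE_LEN 13

/* The RIP-relative displacement is measured from the END of the instruction
 * and must fit a signed 32-bit field, so the target has to lie within about
 * -2 GiB .. +2 GiB of the next instruction's address. */
bool rip_reachable(uint64_t insn_addr, uint64_t target, int32_t *disp_out)
{
    uint64_t next_ip = insn_addr + RIP_STORE_LEN;
    int64_t disp = (int64_t)(target - next_ip); /* modular subtract, reinterpret as signed */
    if (disp < INT32_MIN || disp > INT32_MAX)
        return false;
    if (disp_out)
        *disp_out = (int32_t)disp;
    return true;
}

/* Write the low nbytes of v little-endian, independent of host byte order. */
static void put_le(uint8_t *dst, uint64_t v, int nbytes)
{
    for (int i = 0; i < nbytes; i++)
        dst[i] = (uint8_t)(v >> (8 * i));
}

/* Encode "store rsi to absolute address target" for code living at insn_addr.
 * Uses the compact RIP-relative form when it reaches, otherwise the
 * 64-bit-immediate form through rax (which clobbers rax, as in the reply).
 * Returns the number of bytes written to out: 7 or 13. */
size_t encode_store_rsi(uint64_t insn_addr, uint64_t target, uint8_t out[ABS_STORE_LEN])
{
    int32_t disp;
    if (rip_reachable(insn_addr, target, &disp)) {
        out[0] = 0x48; out[1] = 0x89; out[2] = 0x35;   /* mov [rip+disp32],rsi */
        put_le(out + 3, (uint32_t)disp, 4);
        return RIP_STORE_LEN;
    }
    out[0] = 0x48; out[1] = 0xB8;                      /* mov rax,imm64 */
    put_le(out + 2, target, 8);
    out[10] = 0x48; out[11] = 0x89; out[12] = 0x30;    /* mov [rax],rsi */
    return ABS_STORE_LEN;
}

int main(void)
{
    /* Assumed: eu4.exe loaded at 0x7FF6C6480000, so the hook at eu4.exe+CF3FC5
     * sits at 0x7FF6C7173FC5. Constructed targets: a low block such as a
     * globalalloc might land on, and a block near the image such as
     * alloc(newmem2,512,eu4.exe+CF3FC5) asks for. */
    const uint64_t code = 0x7FF6C6480000ULL + 0xCF3FC5ULL;
    const uint64_t targets[] = { 0x13370000ULL, 0x7FF6C7500000ULL };
    for (size_t t = 0; t < 2; t++) {
        uint8_t buf[ABS_STORE_LEN];
        size_t n = encode_store_rsi(code, targets[t], buf);
        printf("target %016llx: %s, %zu bytes:", (unsigned long long)targets[t],
               n == RIP_STORE_LEN ? "RIP-relative" : "absolute via rax", n);
        for (size_t i = 0; i < n; i++)
            printf(" %02X", buf[i]);
        printf("\n");
    }
    return 0;
}
```

The practical check before trusting a `mov [symbol],reg` in an injected script is therefore the distance between the injected code and the symbol, not whether the symbol registered: a low 32-bit address and a 0x7FF6... image are tens of terabytes apart, so only the register-indirect form can reach it.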
M-Z
Posted: Sat Jan 28, 2023 4:49 pm
Thanks. It seems to help.
Does Windows 10 differ somewhat in that aspect from Win7, or was it just a coincidence that Win7 used "lower" addresses?
ParkourPenguin
Posted: Sat Jan 28, 2023 7:58 pm
It's a coincidence that Windows 7 happened to allocate the two memory regions close enough to each other. This could've easily been a problem in Windows 7 too.
Maybe they tweaked the memory allocator slightly; I don't know.
M-Z
Posted: Sun Jan 29, 2023 12:54 pm
I think they did. I now regularly see "big" 64-bit addresses (like 7FF6C6488000). In Win7 they were also 64-bit, but tended toward the lower "spectrum" of addresses (sometimes below 2^32).