Confusion with virtual addresses and offsets

 
Chris12
Posted: Tue Aug 27, 2013 2:25 pm

I have a function that pushes the address of a string like this:

...
push offset someString
...

someString is inside .rdata.
Now when I start the exe and look at the code with CE's disassembler it points to the correct string.

But when I try to follow the offset myself it doesn't work.
Here is what I've done:
I view the code in "offline" mode (without running the exe) by opening the file directly with CE.
I go to the code section where the push is located.

Here's a pic of the code:
http://i.imgur.com/h5fVHX6.png

But when I use go to address, "CA5210" doesn't work and neither does "400+CA5210".
I always get into an unallocated region (only ??? everywhere).

Next thing I tried is to open the image in IDA.
It immediately shows the correct string. But the offset it displays doesn't work either when working with file-addresses.

".text:0000100D 68 10 52 8A 00 push offset szdel"

Then I used CE's search to find the string in the file. It finds the string, but at a completely different address.

I also noticed the opcode to be different. Normal pushes use 0x6A. This one uses 0x68.
How do I get the file offset from this "push offset" ?
TsTg
Posted: Tue Aug 27, 2013 3:49 pm

Quote:
But when I use go to address, "CA5210" doesn't work and neither does "400+CA5210".
I always get into an unallocated region (only ??? everywhere).


This CA5210 is the file offset of your string itself. If you want to reach the virtual address (while the exe is running), you have to add the image base to this (by default: 0xCA5210 + 0x400000 = 0x10A5210).


Quote:
How do I get the file offset from this "push offset" ?


Same as above, check the image base; this one should be 0x40040D.
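An added example, not part of the thread: the operand of a `68` push is a 32-bit virtual address, and turning it into a file offset means subtracting the image base to get an RVA, finding the section that contains that RVA, and adding that section's PointerToRawData. The function names, the image base 0x400000 and the two-section layout below are constructed for illustration and are not taken from the executable discussed here.

```python
import struct

def parse_headers(data):
    """Return (image_base, sections) read from PE32 / PE32+ headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    fmt, off = ("<I", 28) if magic == 0x10B else ("<Q", 24)
    image_base, = struct.unpack_from(fmt, data, opt + off)
    sections = []
    for i in range(nsec):                                 # 40-byte section headers
        hdr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((hdr[0].rstrip(b"\0").decode(),) + hdr[1:])
    return image_base, sections

def va_to_file_offset(data, va):
    """Map a virtual address to (section name, file offset)."""
    image_base, sections = parse_headers(data)
    rva = va - image_base
    for name, vsize, vaddr, rsize, rptr in sections:
        # Only the first min(vsize, rsize) bytes of a section exist in the file.
        if vaddr <= rva < vaddr + min(vsize, rsize):
            return name, rptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is not backed by file data")

def build_sample():
    """Constructed PE32 headers (not from the thread's executable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    sec = lambda n, vs, va, rs, rp: struct.pack("<8sIIII16x", n, vs, va, rs, rp)
    return (dos + b"PE\0\0" + coff + bytes(opt)
            + sec(b".text", 0x1F00, 0x1000, 0x2000, 0x400)
            + sec(b".rdata", 0x800, 0x3000, 0x800, 0x2400))

if __name__ == "__main__":
    for va in (0x40100D, 0x403010):
        print(hex(va), va_to_file_offset(build_sample(), va))
```

A virtual address that falls in a section's zero-filled tail, or outside every section, has no file offset at all, which is why the function raises instead of guessing.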