Cheat Engine - The Official Site of Cheat Engine
shoesrunning (How do I cheat?)
Reputation: 1
Joined: 03 Mar 2016 | Posts: 5
Posted: Sat Oct 15, 2016 4:25 am
Post subject: Back trace from outside the original module's address space.
I'm trying to learn how to find the module address of a call by back tracing from an instruction that reads from the module's address space.
I wrote this program:
Code:
    #include <Windows.h>
    #include <iostream>

    // The string literal below lives in the module's data section; this is
    // the address "Find out what accesses this address" is pointed at.
    double SomeFunction(double arg)
    {
        std::cout << "This is in SomeFunction." << arg << std::endl;
        return arg;
    }

    void SomeOtherFunction()
    {
        std::cout << "This is in SomeOtherFunction." << std::endl;
    }

    int main()
    {
        // Loop forever so CE can be attached and the accesses observed.
        for(;;)
        {
            Sleep(2000);
            SomeFunction(1234);
            Sleep(2000);
            SomeOtherFunction();
        }
        return 0;
    }
I know that the string "This is in SomeFunction." is inside SomeFunction, so I want to use Cheat Engine to find the start of the SomeFunction call in assembly.
When I run the program and then attach CE to the process, I first find the address of the string in the module's memory.
(simple.exe+A4000 = 4A4000)
I then add this address to the address list and select "Find out what accesses this address".
I get two results:
7FF84388DF92 - 41 0FBE 0F - movsx ecx,byte ptr [r15] (executes 1 per)
7FF843860104 - 41 8A 06 - mov al,[r14] (executes 23 per since the str length is 24)
I've tried selecting the
7FF84388DF92 - 41 0FBE 0F - movsx ecx,byte ptr [r15]
call, which is outside my module's address space (in msvcrt.ftell+1D2), and selecting "Break and Trace Instructions" with the Stop Condition "R15==0x00000000004A4000" so that I only trace the calls related to my string, and I tried looking through the Stack View to see if I can find the "original function" call inside my module's (simple.exe) address space.
I see that the Stack View goes back to my module's (simple.exe) address space, but I'm not sure how to find the address of the call that references the string (simple.exe+A4000).
By using Memory Viewer->View->Referenced Strings and selecting "This is in SomeOtherFunction." I can find
simple.exe+150B - 48 8D 15 EE2A0A00 - lea rdx,[simple.exe+A4000]
and I can see the call starts from
simple.exe+1500 - 56 - push rsi
but I want to learn how to find this by back tracing from the results of "Find out what accesses this address", since there isn't a string to reference in all cases.
ulysse31 (Master Cheater)
Reputation: 2
Joined: 19 Mar 2015 | Posts: 324 | Location: Paris
Posted: Mon Oct 17, 2016 7:08 am
Once you selected:
7FF84388DF92 - 41 0FBE 0F - movsx ecx,byte ptr [r15]
shouldn't you manually backtrace it? I find it more reliable.
Look at the full stack (because if you check the return call stack, sometimes CE is wrong). When you see a value in the stack that is in an executable part of the memory, go there in the disassembly window and see if that's where your main module called msvcrt.
That's how I would do it.
Edit:
I was bored so I did it.
I had these instructions reading the string:
Code:
    movsx ecx,byte ptr [eax]
    mov eax,[ecx]
    movzx eax,byte ptr [eax]
I broke on all of them; also, a quick look at their address told me the last 2 instructions were from a loaded DLL while the first instruction was in the main module. This means we can rule the first instruction out (as our "cout <<" will execute from a DLL).
So then I broke on each of the DLL ones and looked at the return stack (wins time if CE does no mistake); the second instruction got me nothing, but the last:
movzx eax,byte ptr [eax]
got me to where the referenced string window would. It was the second return address from the stack.
But I use another compiler (you obv don't use MSVC) and I compiled it in 32 bit, unlike you.
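The manual backtrace ulysse31 describes, as an added example that is not code from either poster: a small Python script that scans a Stack View dump for values that land inside the executable section of a loaded module and reports them as module+offset, which is how a return address back into the main module is spotted among the data pointers, counters and stack addresses that also sit on the stack. The module list, section bounds and stack contents are constructed sample values (the hypothetical `simple.exe+1524` is not an address from the thread); in a real session they come from CE's module list and Stack View.

```python
"""Find candidate return addresses in a raw stack dump by module range.

Added example (not from the thread): automates the "look at the full stack,
find values in executable memory" step of a manual backtrace.  Every address,
module range and stack slot below is a constructed sample value.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int        # size of the whole mapped image
    text_off: int    # offset of the executable (.text) section from base
    text_size: int   # size of the executable section

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

    def is_executable(self, addr: int) -> bool:
        start = self.base + self.text_off
        return start <= addr < start + self.text_size

    def fmt(self, addr: int) -> str:
        return f"{self.name}+{addr - self.base:X}"


# Constructed module map, modelled on what CE's module list shows.  The main
# module's string at simple.exe+A4000 is inside the image but outside .text.
MODULES = [
    Module("simple.exe",   0x400000,       0xB0000,  0x1000, 0x80000),
    Module("msvcrt.dll",   0x7FF843850000, 0xA0000,  0x1000, 0x90000),
    Module("KERNEL32.DLL", 0x7FF844000000, 0x100000, 0x1000, 0xE0000),
]

# Constructed Stack View dump: "<slot address> <qword value>" per line.
STACK_DUMP = """\
000000000014FE20 00007FF84388DF92
000000000014FE28 00000000004A4000
000000000014FE30 0000000000000018
000000000014FE38 00007FF843860104
000000000014FE40 000000000014FF10
000000000014FE48 0000000000401524
000000000014FE50 0000000000000000
000000000014FE58 00007FF844011234
"""

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s*$")


def parse_stack(dump: str) -> List[Tuple[int, int]]:
    """Parse dump lines into (slot_address, value) pairs; skips malformed lines."""
    slots = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            slots.append((int(m.group(1), 16), int(m.group(2), 16)))
    return slots


def resolve(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the module whose image contains addr, or None."""
    for mod in modules:
        if mod.contains(addr):
            return mod
    return None


def find_return_candidates(dump: str, modules: List[Module]) -> List[Tuple[int, int, str]]:
    """Walk the stack top-down and keep values that point into executable code.

    Values in a module's data section (like the string pointer itself) or
    outside any module (stack addresses, counters, zero) are dropped.
    """
    out = []
    for slot, value in parse_stack(dump):
        mod = resolve(value, modules)
        if mod is None or not mod.is_executable(value):
            continue
        out.append((slot, value, mod.fmt(value)))
    return out


def first_in_module(candidates: List[Tuple[int, int, str]], name: str) -> Optional[str]:
    """Nearest frame whose return address lies in the named module."""
    for _, _, label in candidates:
        if label.startswith(name + "+"):
            return label
    return None


if __name__ == "__main__":
    cands = find_return_candidates(STACK_DUMP, MODULES)
    for slot, value, label in cands:
        print(f"{slot:016X}  {value:016X}  {label}")
    print("first return into main module:", first_in_module(cands, "simple.exe"))
```

The address reported for the main module is a return address, so the call instruction that entered the DLL sits just before it; disassembling a few bytes above that offset shows the call and, in the case from the thread, the `lea` that loads the string pointer before it.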