Cheat Engine

KevinD · Cheater Reputation: 0 Joined: 15 Apr 2020 Posts: 37

Good evening, I would like for example to recover the origin of RBP but I don't know how to do it (Instruction -1)
I tried to press STEP OUT, but it does not work. Because the code above or higher there is not the values of RBP. How to do it ?

ParkourPenguin · Posted: Wed Aug 31, 2022 1:19 am Post subject:

You can't go back in time. I think Intel might've had something like that a while ago, but even if they did, I'm sure it's been abandoned by now.

That looks like the start of a function. The return address should be [rsp]. Whatever called that function is the instruction before the one at the return address. Go to the return address and scroll up.

KevinD · Cheater Reputation: 0 Joined: 15 Apr 2020 Posts: 37

Yes but the problem is that even above I can't find RBP. isn't there a way to get the -1 instruction?

Dark Byte · Posted: Wed Aug 31, 2022 8:37 am Post subject:

The more important question is, why do you need to know RBP ?

is it because [RBP-XXX] or [RBP+xxx] accesses an address you're interested in?

If so, knowing the RBP origin won't help. It's a stack address. The best you can do is using a threadstack#-offset to get to this address, and it'll be highly volatile and only valid during this function

but to answer your question, push rbp doesn't change RBP, it just decreases RSP by 8 and stores it in the stack at thje new location of RSP . And before push RBP [RSP] contained the address of the instruction before the push RBP (so after push RBP, it's be at [RSP+8])

ParkourPenguin · Posted: Wed Aug 31, 2022 10:42 am Post subject:

RBP is probably being used as a general purpose register. There's no `enter` or `mov rbp,rsp` before it makes stack space for local variables.

To find the instruction that set RBP, you need to go to the caller and scroll up. The return address is on the stack as I said previously. You could also step over until `ret`, or set a break and trace to step over for a few hundred instructions.