Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


AOB Scan but inject at other place

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
CodeKiller
Advanced Cheater
Reputation: 0

Joined: 30 Jun 2009
Posts: 87

PostPosted: Tue Mar 28, 2023 3:13 am    Post subject: AOB Scan but inject at other place Reply with quote

Hello,

I don't know how I can search for that on the forum (aobscan give way too miuch result).

What I am trying to do is :
scan for bytes XX XX XX
then instead of injecting at the found address (which is not interesting in fact, it is just to have unique bytes) I would inject at a further place like 10 bytes after.

Is there a "simple" way to achieve that ?

Real case:
Code:
2AD2400AF7C - 48 8B F1              - mov rsi,rcx
2AD2400AF7F - 48 63 86 98000000     - movsxd  rax,dword ptr [rsi+00000098]
2AD2400AF86 - 48 63 8E 9C000000     - movsxd  rcx,dword ptr [rsi+0000009C]
2AD2400AF8D - 3B C1                 - cmp eax,ecx
2AD2400AF8F - 7E 22                 - jle 2AD2400AFB3
2AD2400AF91 - 48 63 86 9C000000     - movsxd  rax,dword ptr [rsi+0000009C] <--- to be replaced by the jmp injection
2AD2400AF98 - FF C0                 - inc eax
2AD2400AF9A - 89 86 9C000000        - mov [rsi+0000009C],eax


The code I want to replace is not the first line (from the aob scan to make it unique), I want to replace the one marked at the end.

If I say it with words, it sounds easy : get the address add 21 bytes replace by the injection.
But doing that in asm...

Instead I tried that (not working anyway even if the value was retrieved correctly) :
Code:
newmem:
push ecx
movsxd  rcx,dword ptr [rsi+00000098] <--- The value will be 0, but outside the jmp it works fine as it is the original line of code visible above, I just changed the rax to rcx...
mov  [rsi+0000009C], ecx
pop ecx

code:
  mov rsi,rcx
  movsxd  rax,dword ptr [rsi+00000098]
  jmp return


But when I am in the jmp the value retrieve in rcx is 0 and when it goes out, the same line of code retrieve the real value... It's a copy-paste... I don't understand why it does not work...
It's not a big deal as this version won't work anyway for what I want to achieve, but I ma still curious to know why the value is not retrieve.

Thanks.
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 147

Joined: 06 Jul 2014
Posts: 4523

PostPosted: Tue Mar 28, 2023 10:47 am    Post subject: Reply with quote

You can adjust the address you're injecting at by adding or subtracting from the symbolname.
Code:
aobscan(INJECT,...)
...
INJECT+A:
  jmp wherever
Use the AOBScan template and it will do all this for you...

CodeKiller wrote:
Code:
2AD2400AF7C - 48 8B F1              - mov rsi,rcx
2AD2400AF7F - 48 63 86 98000000     - movsxd  rax,dword ptr [rsi+00000098]
...

The first line, `mov rsi,rcx`, moves rcx into rsi. You don't execute that in your code injection. [rsi+98] accesses a completely different address.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites