AOB Scan but inject at other place

Forum: Cheat Engine -> General Gamehacking
CodeKiller
Advanced Cheater
Reputation: 0

Joined: 30 Jun 2009
Posts: 87

Posted: Tue Mar 28, 2023 3:13 am    Post subject: AOB Scan but inject at other place

Hello,

I don't know how I can search for that on the forum (aobscan gives way too many results).

What I am trying to do is:
scan for bytes XX XX XX,
then, instead of injecting at the found address (which is not interesting in fact, it is just there to have unique bytes), I would inject at a further place, like 10 bytes after.

Is there a "simple" way to achieve that?

Real case:
Code:
2AD2400AF7C - 48 8B F1              - mov rsi,rcx
2AD2400AF7F - 48 63 86 98000000     - movsxd  rax,dword ptr [rsi+00000098]
2AD2400AF86 - 48 63 8E 9C000000     - movsxd  rcx,dword ptr [rsi+0000009C]
2AD2400AF8D - 3B C1                 - cmp eax,ecx
2AD2400AF8F - 7E 22                 - jle 2AD2400AFB3
2AD2400AF91 - 48 63 86 9C000000     - movsxd  rax,dword ptr [rsi+0000009C] <--- to be replaced by the jmp injection
2AD2400AF98 - FF C0                 - inc eax
2AD2400AF9A - 89 86 9C000000        - mov [rsi+0000009C],eax


The code I want to replace is not the first line (from the aob scan to make it unique), I want to replace the one marked at the end.

If I say it with words, it sounds easy: get the address, add 21 bytes, replace with the injection.
But doing that in asm...

Instead I tried this (not working anyway, even if the value was retrieved correctly):
Code:
newmem:
push ecx
movsxd  rcx,dword ptr [rsi+00000098] <--- The value will be 0, but outside the jmp it works fine as it is the original line of code visible above, I just changed the rax to rcx...
mov  [rsi+0000009C], ecx
pop ecx

code:
  mov rsi,rcx
  movsxd  rax,dword ptr [rsi+00000098]
  jmp return


But when I am in the jmp, the value retrieved in rcx is 0, and when it goes out, the same line of code retrieves the real value... It's a copy-paste... I don't understand why it does not work...
It's not a big deal, as this version won't work anyway for what I want to achieve, but I am still curious to know why the value is not retrieved.

Thanks.
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4289

Posted: Tue Mar 28, 2023 10:47 am

You can adjust the address you're injecting at by adding or subtracting from the symbolname.
Code:
aobscan(INJECT,...)
...
INJECT+A:
  jmp wherever
Use the AOBScan template and it will do all this for you...

CodeKiller wrote:
Code:
2AD2400AF7C - 48 8B F1              - mov rsi,rcx
2AD2400AF7F - 48 63 86 98000000     - movsxd  rax,dword ptr [rsi+00000098]
...

The first line, `mov rsi,rcx`, moves rcx into rsi. You don't execute that in your code injection. [rsi+98] accesses a completely different address.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
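As an added illustration (not code from this thread, and not Cheat Engine's own implementation), the following Python models what `aobscan(INJECT, ...)` followed by `INJECT+15:` does for the real case above. It scans a constructed byte buffer built from the quoted disassembly for a wildcard pattern, insists that the pattern is unique, adds the 21-byte (0x15) offset, and checks that the bytes at that address really are the 7-byte `movsxd rax,dword ptr [rsi+9C]` before anything would overwrite them. It also shows how much nop padding a 5-byte `jmp` leaves in a 7-byte instruction, and a small check that reports whether a site already holds an `E9` jmp and where it points, which is the same arithmetic in reverse. The buffer, base address and pattern string are assumptions assembled from the bytes shown in the thread.

```python
from typing import List, Optional

# Constructed sample: the 36 bytes of the disassembly quoted in the thread, laid out
# contiguously. BASE is the address of the first quoted instruction (an assumption;
# a real scan would read this region from the process).
BASE = 0x2AD2400AF7C
CODE = bytes.fromhex(
    "488BF1"           # 2AD2400AF7C  mov rsi,rcx
    "48638698000000"   # 2AD2400AF7F  movsxd rax,dword ptr [rsi+98]
    "48638E9C000000"   # 2AD2400AF86  movsxd rcx,dword ptr [rsi+9C]
    "3BC1"             # 2AD2400AF8D  cmp eax,ecx
    "7E22"             # 2AD2400AF8F  jle 2AD2400AFB3
    "4863869C000000"   # 2AD2400AF91  movsxd rax,dword ptr [rsi+9C]  (site to replace)
    "FFC0"             # 2AD2400AF98  inc eax
    "89869C000000"     # 2AD2400AF9A  mov [rsi+9C],eax
)

# A CE-style pattern covering the first three instructions; the displacement bytes of
# the third one are wildcarded to show how '??' is handled (constructed pattern).
PATTERN = "48 8B F1 48 63 86 98 00 00 00 48 63 8E 9C ?? ?? ??"

# Offset from the pattern start to the instruction being replaced: 3+7+7+2+2 = 21 = 0x15.
INJECT_OFFSET = 0x15
EXPECTED_AT_SITE = bytes.fromhex("4863869C000000")
JMP_REL32_LEN = 5


def parse_aob(pattern: str) -> List[Optional[int]]:
    """Turn '48 8B ?? F1' into byte values; None marks a wildcard."""
    return [None if tok in ("??", "?", "*") else int(tok, 16) for tok in pattern.split()]


def aob_scan(buf: bytes, pattern: str) -> List[int]:
    """Return every offset in buf where the pattern matches, wildcards included."""
    pat = parse_aob(pattern)
    return [
        i for i in range(len(buf) - len(pat) + 1)
        if all(p is None or buf[i + j] == p for j, p in enumerate(pat))
    ]


def injection_site(buf: bytes, pattern: str, extra: int, expected: bytes) -> int:
    """Model 'aobscan(INJECT, pattern)' followed by 'INJECT+extra:'.

    The scan must hit exactly once (otherwise INJECT is ambiguous), and the bytes at
    INJECT+extra must be the instruction we intend to overwrite; a game update that
    shifts the code by a few bytes fails here instead of corrupting a random instruction.
    """
    hits = aob_scan(buf, pattern)
    if len(hits) != 1:
        raise ValueError(f"pattern is not unique: {len(hits)} hits")
    site = hits[0] + extra
    if buf[site:site + len(expected)] != expected:
        raise ValueError(f"bytes at INJECT+{extra:X} are not the expected instruction")
    return site


def nops_needed(instr_len: int) -> int:
    """A 5-byte jmp rel32 must replace whole instructions; the remainder is nop padding."""
    if instr_len < JMP_REL32_LEN:
        raise ValueError("instruction too short: the next instruction must be included too")
    return instr_len - JMP_REL32_LEN


def jmp_target(buf: bytes, site: int, base: int = BASE) -> Optional[int]:
    """If site holds an E9 jmp rel32 (the hook the auto assembler writes), return its
    absolute target, else None. Lets a script check whether a site is already patched."""
    if buf[site] != 0xE9:
        return None
    rel = int.from_bytes(buf[site + 1:site + 5], "little", signed=True)
    return base + site + JMP_REL32_LEN + rel


if __name__ == "__main__":
    site = injection_site(CODE, PATTERN, INJECT_OFFSET, EXPECTED_AT_SITE)
    pad = nops_needed(len(EXPECTED_AT_SITE))
    print(f"INJECT+{INJECT_OFFSET:X} = {BASE + site:X}, pad with {pad} nop(s)")
    print("already hooked:", jmp_target(CODE, site) is not None)
```

The uniqueness check is the part the AOBScan template relies on: if a shorter pattern such as `48 63` were used, the scan here returns three hits and the script refuses to pick one. The byte check at `INJECT+15` catches the case where the scanned bytes survive a game update but the instruction you actually meant to replace has moved.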