MantisBT - Cheat Engine
View Issue Details
ID: 0000422
Project: Cheat Engine
Category: (No Category)
View Status: public
Date Submitted: 2015-12-18 04:15
Last Update: 2015-12-21 10:47
Assigned To: Dark Byte
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: no change required
Platform:
OS:
OS Version:
Summary: 0000422: x64 auto assembler offset too big error
Description:
x64 OpenProcess auto assembler copy memory

Line 22: offset too big error message

call qword ptr [KERNELBASE.NlsUpdateLocale+AB0] { ->ntdll.ZwOpenProcess } <- error
Steps To Reproduce:
alloc(create,1024)
//open process
sub rsp,68
xor r9d,r9d
movsxd rax,r8d
mov [rsp+30],00000030
mov [rsp+28],r9
mov [rsp+20],rax
mov [rsp+38],r9
test edx,edx
jne KERNELBASE.TlsGetValue+1D10
mov [rsp+48],r9d
mov [rsp+40],r9
mov [rsp+50],r9
mov [rsp+58],r9
mov edx,ecx
lea r9,[rsp+20]
lea r8,[rsp+30]
lea rcx,[rsp+00000088]
call qword ptr [KERNELBASE.NlsUpdateLocale+AB0] { ->ntdll.ZwOpenProcess } //this call fails with "offset too big"
test eax,eax
js KERNELBASE.GetSecurityDescriptorSacl+105
mov rax,[rsp+00000088]
add rsp,68
Tags: No tags attached.
Attached Files: offset too big error.png (70,073 bytes) 2015-12-18 04:15

Dark Byte
2015-12-20 19:54
(Last edited: 2015-12-20 19:57)
That is normal.
A memory distance from RIP to an address (data or code) can only be 2GB.

You can solve this by either allocating create near the location of kernelbase, using a register with the address built up, or using a local jump table.


mov rax,KERNELBASE.NlsUpdateLocale+AB0 //mov rax,imm64 is one of the very few instructions that support a direct 64 bit value
mov rax,[rax]
call rax


alloc(addresswithdestination,8) //make sure it's allocated near create, so if you do specify a preferred base for create, use the same address

addresswithdestination:
dq ntdll.ZwOpenProcess

call [addresswithdestination] //placed in the code block, not after the dq

Also, check "jne KERNELBASE.TlsGetValue+1D10": the assembler might not give a message, but there is a decent chance it's going to overflow and point to the wrong location.
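
The 2GB reach limit and the two workarounds in the note above (mov rax,imm64 followed by an indirect call, and a qword slot allocated next to the code), worked through as an added Python example that is not part of this issue and not Cheat Engine's own code. It encodes the three call forms as raw x64 bytes, reports the "offset too big" case instead of emitting it, and shows where a silently truncated displacement like the jne case would land. Every address in it (the create allocation, the kernelbase pointer slot, the ntdll function) is a constructed placeholder.

```python
"""Added example (not Cheat Engine's own code): why 'offset too big' happens
and how the workarounds from the note avoid it. All addresses below are
constructed for illustration."""
import struct

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
MASK64 = (1 << 64) - 1


def rel32(next_rip, target):
    """Displacement from the end of the instruction (RIP) to target, or None
    when it does not fit the signed 32-bit field x64 uses for RIP-relative
    addressing. This is exactly the +/-2GB reach the note describes."""
    disp = target - next_rip
    return disp if INT32_MIN <= disp <= INT32_MAX else None


def wrapped_target(next_rip, target):
    """Where control would go if an assembler silently truncated an
    out-of-range displacement to 32 bits (the jne risk from the note)."""
    disp = (target - next_rip) & 0xFFFFFFFF
    signed = struct.unpack("<i", struct.pack("<I", disp))[0]
    return (next_rip + signed) & MASK64


def call_rip_relative(instr_addr, slot_addr):
    """call qword ptr [rip+disp32] (FF 15 disp32, 6 bytes). Returns None
    when the pointer slot is too far away, like the failing call in the
    reporter's script."""
    disp = rel32(instr_addr + 6, slot_addr)
    if disp is None:
        return None
    return b"\xff\x15" + struct.pack("<i", disp)


def call_via_register(slot_addr):
    """mov rax,imm64 ; mov rax,[rax] ; call rax. mov r64,imm64 carries a
    full 64-bit immediate, so the distance from RIP no longer matters."""
    return (b"\x48\xb8" + struct.pack("<Q", slot_addr)  # mov rax, imm64
            + b"\x48\x8b\x00"                           # mov rax, [rax]
            + b"\xff\xd0")                              # call rax


def call_via_local_table(instr_addr, table_addr, final_target):
    """The 'alloc near create + dq target + call [slot]' pattern: the qword
    lives next to the code, so the RIP-relative hop is short and the
    64-bit address sits in data. Returns (table_bytes, call_bytes)."""
    table = struct.pack("<Q", final_target)              # dq final_target
    call = call_rip_relative(instr_addr, table_addr)
    return table, call


if __name__ == "__main__":
    CREATE = 0x0E2B0000        # constructed: where 'create' was allocated
    SLOT = 0x7FFE8C3A0AB0      # constructed: kernelbase's pointer slot
    NTDLL_FN = 0x7FFEC1B5D2A0  # constructed: address of ntdll.ZwOpenProcess
    print("rip-relative call:", call_rip_relative(CREATE, SLOT))
    print("via register:", call_via_register(SLOT).hex())
    table, call = call_via_local_table(CREATE, CREATE + 0x400, NTDLL_FN)
    print("local table:", table.hex(), call.hex())
    print("jne wraps to:", hex(wrapped_target(CREATE + 0x10, 0x7FFE8C3A1D10)))
```

Running it shows the direct call returning None (the assembler's "offset too big"), a 15-byte register-based sequence that works at any distance, a 6-byte call to a slot 0x3FA bytes away, and a truncated jne displacement landing at 0x8C3A1D10 instead of the intended kernelbase address.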

pausebreak7
2015-12-21 06:21
Thank you! db

Issue History
2015-12-18 04:15 | pausebreak7 | New Issue
2015-12-18 04:15 | pausebreak7 | File Added: offset too big error.png
2015-12-20 19:54 | Dark Byte | Note Added: 0000921
2015-12-20 19:55 | Dark Byte | Note Edited: 0000921 | bug_revision_view_page.php?bugnote_id=921#r142
2015-12-20 19:56 | Dark Byte | Note Edited: 0000921 | bug_revision_view_page.php?bugnote_id=921#r143
2015-12-20 19:57 | Dark Byte | Note Edited: 0000921 | bug_revision_view_page.php?bugnote_id=921#r144
2015-12-21 06:21 | pausebreak7 | Note Added: 0000922
2015-12-21 10:47 | Dark Byte | Status: new => resolved
2015-12-21 10:47 | Dark Byte | Resolution: open => no change required
2015-12-21 10:47 | Dark Byte | Assigned To: => Dark Byte
2016-06-05 15:18 | Jptnuc | Issue cloned: 0000477