1

I have been doing pointer scans on a game when new versions come out as the structure changes to update memory structure offsets. I decided to attempt to use signature scanning to attempt to make my offsets more durable to changes.

When pointer scanning in the current game version 0x1034EF8 is the offset I am trying to get. I attached a debugger and funtions that read from this address and came up with a pattern that is unique. When I do the pattern scan this pattern is found and returned as expected.

Where I am stuck at is turning this assembly instruction memory address 461EE300 into this offset 0x1034EF8. Cheat engine is able to do such a thing so it must be possible, the following was copy and pasted from cheat engine and it is showing me game_x64.exe + 1034EF8 for the 461EE300 address.

How can I go about turning 461EE300 into game_x64.exe + 1034EF8 and extracting 1034EF8?

//90 - nop
//48 83 43 50 F8 - add qword ptr[rbx + 50],-08
//48 8B 0D 461EE300 - mov rcx,[game_x64.exe + 1034EF8]
//4C 8B 05 471EE300 - mov r8,[game_x64.exe + 1034F00]
//49 3B C8 - cmp rcx, r8
public static readonly Pattern MyPattern = new Pattern(new byte[]
{
0x90,
0x48, 0x83, 0x43, 0x50, 0xF8,
0x48, 0x8B, 0x0D, 0x00, 0x00, 0x00, 0x00,
0x4C, 0x8B, 0x05, 0x00, 0x00, 0x00, 0x00,
0x49, 0x3B, 0xC8
}, "xxxxxxxxx????xxx????xxx");
Improve this question
2
  • Please note [game_x64.exe + 1034F00] reffers to module base of the executable + 0x1034F00. Basically you can subtract this base from anything to get a relative offset. Commented Feb 9, 2017 at 6:33
  • Thank you so is 461EE300 equal to the base of the executible + 0x1034F00? I'm a little lost with this, although learning quickly :-) Commented Feb 9, 2017 at 13:55

3 Answers 3

Reset to default
2

lets have a look how Cheat Engine calculates its offsets:

4C 8B 05 471EE300 translates to mov r8,QWORD PTR [rip+0xe31e47]

As you can see, the value depends on rip (the instruction pointer). You can see the actual bytes of the offset in the instructions bytes. Since Cheat Engine knows where this instruction actually is in memory, they use the image base as the relative offset instead.

So they might convert it in a way like this:

(instruction_address - image_base + offset) + image_base = instruction_address + offset

so is 461EE300 equal to the base of the executible + 0x1034F00?

Yes

Improve this answer
1
  • That looks to be exactly what I was trying to figure out, I will check this tonight and mark it as answer if ends up working which it looks like it will... or if not I'm probably screwing something else up lol. Thank you very much! Commented Feb 9, 2017 at 14:41
1

It's way simpler than you'd think. 461EE300 is the relative offset to your variable. The relative offset needs to be added to the rip-register. And you already have the value of the rip-register. It's the address of the pattern you found.

So simply add the address of your pattern with 461EE300 and you have your variable.

Improve this answer
0

After some more digging and using a few new ideas from Nodwald, thank you here is the solution.

//Match the pattern finding its location relative to the module start address
var matches = MemoryTool.FindPatterns(MemoryTool.GetProcessId(), MemoryTool.Pattern);
Process proc = Process.GetProcessesByName("ProcessName")[0];
IntPtr startOffset = proc.MainModule.BaseAddress;
var processStart = startOffset.ToInt64(); ;
//use the match plus the offset to the memory location to read the address I was trying to translate
var memoryValueOffset = matches[0] + 9;
//Read the value of the memory address
var memoryValue = _poeInterface.Memory.ReadInt(processStart + memoryValueOffset);
//Find the offset memory address of the next assembly function
var nextInstructionOffset = matches[0] + 13;
//find the full address value of that address in memory
var nextAddressFull = nextInstructionOffset + processStart;
//add the next address full value to the relative offset address value from earlier
var nextAddressPlusOffset = nextAddressFull + memoryValue;
//Win... this is our offset in memory
var fullMemoryOffset = nextAddressPlusOffset;
//This is the origional offset we were looking for - 0x1034EF8
var relativeOffset = fullMemoryOffset - processStart;
Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.