Solved A question about Registers.

Hexui Undetected CSGO Cheats Sinkicheat PUBG Cheat

iDrknight

Newbie
Silenced
Jun 24, 2017
2
11
0
Hello. First, sorry for my bad english.
I started learn c++ a little while ago, and a doubt has arisen today. Is It possible to get the address of a register (EAX, EBX, ECX etc) from an address with c++?

For example, I have this code:

https://i.imgur.com/evFLoIL.png

and I need to get the address of EBX, using only the address (0x0E0E73B7)
Thank you for your attention.
 

Traxin

Escobar Tier VIP
Dank Tier Donator
Aug 3, 2015
1,041
25,378
154
Most straightforward way of doing this is, that i can think of, is hooking the instruction, detouring it to a small code cave that basically just drops the memory of that register into a little memory region of your choosing.
Here's an ugly ass snippet of shitcode that basically does just this, i was using it to get the d3d device pointer at runtime.

C++:
void * d3dHook::GetFunctionThisPtr(void * pFunc)
{
	//this is where we'll save the pointer, create code cave
	void * pLoc = VirtualAlloc(nullptr, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	ZeroMemory(pLoc, 0x100);

	//this is where code will go
	uintptr_t pFuncLoc = (uintptr_t)pLoc + sizeof(uintptr_t);

	//build cave
	BYTE buff[] = { 0x89, 0x0D };
	pMem.WriteBytes(pFuncLoc, buff, 2);
	pMem.WriteValue<uintptr_t>(pFuncLoc + 2, RC<uintptr_t>(pLoc));  // mov [thisPtr], ecx

	BYTE buff1[] = { 0x6A, 0x18, 0xB8, 0x0A, 0x61, 0xF7, 0x62, 0xE9 };
	pMem.WriteBytes(pFuncLoc + 2 + sizeof(uintptr_t), buff1, 8);

	//calculate jmp back
	uintptr_t jmpBack = (uintptr_t)pFunc - (pFuncLoc + 2 + sizeof(uintptr_t) + 8) + 3;
	pMem.WriteValue<uintptr_t>(pFuncLoc + 2 + sizeof(uintptr_t) + 8, jmpBack);

	//hook
	pMem.Hook(pFunc, (void*)pFuncLoc, JMP, 7);

	//wait til space is filled
	while (*(uintptr_t*)pLoc == 0);

	//read it
	uintptr_t thisPtr = *(uintptr_t*)pLoc;
	
	//clean up
	BYTE ogBytes[] = { 0x6A, 0x18, 					// push 18
		0xB8, 0x0A, 0x61, 0xF7, 0x62 };				// mov eax, d3d8.dll+7610A

	pMem.WriteBytes((uintptr_t)pFunc, ogBytes, 7); //unhook

	VirtualFree(pLoc, 0x100, MEM_RELEASE);

	return RC<void*>(thisPtr);
}

Basically, allocate space.
Leave enough space for the data in the register, write the code.
Code writes to the space we left,
Waits until it's populated and then cleans everything back up before returning the data held within the register.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,074
78,998
2,371
The CPU doesn't just pull EBX outta it's ass, it's gotta come from somewhere right? Fastest way out is hooking as Traxin indicated but this always seems like using a crutch in lieu of real reversing :(
 

iDrknight

Newbie
Silenced
Jun 24, 2017
2
11
0
Most straightforward way of doing this is, that i can think of, is hooking the instruction, detouring it to a small code cave that basically just drops the memory of that register into a little memory region of your choosing.
Here's an ugly ass snippet of shitcode that basically does just this, i was using it to get the d3d device pointer at runtime.

C++:
void * d3dHook::GetFunctionThisPtr(void * pFunc)
{
	//this is where we'll save the pointer, create code cave
	void * pLoc = VirtualAlloc(nullptr, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	ZeroMemory(pLoc, 0x100);

	//this is where code will go
	uintptr_t pFuncLoc = (uintptr_t)pLoc + sizeof(uintptr_t);

	//build cave
	BYTE buff[] = { 0x89, 0x0D };
	pMem.WriteBytes(pFuncLoc, buff, 2);
	pMem.WriteValue<uintptr_t>(pFuncLoc + 2, RC<uintptr_t>(pLoc));  // mov [thisPtr], ecx

	BYTE buff1[] = { 0x6A, 0x18, 0xB8, 0x0A, 0x61, 0xF7, 0x62, 0xE9 };
	pMem.WriteBytes(pFuncLoc + 2 + sizeof(uintptr_t), buff1, 8);

	//calculate jmp back
	uintptr_t jmpBack = (uintptr_t)pFunc - (pFuncLoc + 2 + sizeof(uintptr_t) + 8) + 3;
	pMem.WriteValue<uintptr_t>(pFuncLoc + 2 + sizeof(uintptr_t) + 8, jmpBack);

	//hook
	pMem.Hook(pFunc, (void*)pFuncLoc, JMP, 7);

	//wait til space is filled
	while (*(uintptr_t*)pLoc == 0);

	//read it
	uintptr_t thisPtr = *(uintptr_t*)pLoc;
	
	//clean up
	BYTE ogBytes[] = { 0x6A, 0x18, 					// push 18
		0xB8, 0x0A, 0x61, 0xF7, 0x62 };				// mov eax, d3d8.dll+7610A

	pMem.WriteBytes((uintptr_t)pFunc, ogBytes, 7); //unhook

	VirtualFree(pLoc, 0x100, MEM_RELEASE);

	return RC<void*>(thisPtr);
}

Basically, allocate space.
Leave enough space for the data in the register, write the code.
Code writes to the space we left,
Waits until it's populated and then cleans everything back up before returning the data held within the register.
I get it. I'll try tonight when I'm home. thanks for answering;


Nevermind I think I got it
This I already know, I wanna do this with c++

Rake;49986 said:
The CPU doesn't just pull EBX outta it's ass, it's gotta come from somewhere right? Fastest way out is hooking as Traxin indicated but this always seems like using a crutch in lieu of real reversing :(
I thought so too, I'll try :)
thx
 
Attention! Before you post:

Read the How to Ask Questions Guide
99% of questions are answered in the Beginner's Guide, do it before asking a question.

No Hack Requests. Post in the correct section.  Search the forum first. Read the rules.

How to make a good post:

  • Fill out the form correctly
  • Tell us the game name & coding language
  • Post everything we need to know to help you
  • Ask specific questions, be descriptive
  • Post errors, line numbers & screenshots
  • Post code snippets using code tags
  • If it's a large project, zip it up and attach it

If you do not comply, your post may be deleted.  We want to help, please make a good post and we will do our best to help you.

Community Mods