Manually resolving relative addresses is a common problem for noobs, especially when doing detours & pattern scanning hooks, so I wanted to make an official thread about it.
Assembly instructions are called operations; opcodes = operation codes. Operands are the arguments to these operations. They are often relative offsets rather than absolute addresses, because a relative offset typically takes less space than an absolute address, so this is done for efficiency.
Let's look at the E8 operation, a call to an address via an operand that is a relative offset from EIP (the current instruction address):
Cheat Engine makes your life easy by resolving it for you and showing you the offset relative to the module base address. Notice that BB1ED has no relation to 83220000.
Disabling this feature:
Normal output gives you the absolute address still:
Look up the instruction on a site like felixcloutier.com/x86/:
The operand is a WORD, not a DWORD, so you only look at the lower 16 bits (the 'w' in 'cw' = word). Notice the 4 zeroes, which represent the high 16 bits.
The next instruction = 4B8F6A
Relative offset in big endian = 8322
Relative offset in little endian = 2283
4B8F6A(next instruction) + 2283 (relative offset in little endian) = 4BB1ED (target of call)
4BB1ED = ModBaseAddr + BB1ED
Make sense now?
So just manually resolve it yourself based on EIP (the current address of execution).
Want to do some of this calculation yourself? Source Code - How to resolve E8 call address
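The calculation above in code (next instruction + sign-extended rel32), as an added C example that is not the source linked in the post. The instruction address 0x4B8F65 (five bytes before the next instruction 0x4B8F6A), the module base 0x400000 (4BB1ED - BB1ED) and the backwards-call bytes are constructed assumptions; it also handles E9 (JMP rel32) and negative offsets, which the post does not show.

```c
#include <stdint.h>
#include <stdio.h>

/* Read the 4 operand bytes as a little-endian value and sign-extend it:
 * a rel32 can point backwards, in which case the high bytes are 0xFF, not 0. */
int32_t read_rel32(const uint8_t *p) {
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)u;
}

/* 1 if the byte at code[0] is E8 (CALL rel32) or E9 (JMP rel32), else 0. */
int is_rel32_branch(const uint8_t *code) {
    return code[0] == 0xE8 || code[0] == 0xE9;
}

/* Resolve the absolute target of an E8/E9 instruction whose bytes start at
 * `code` and which is loaded at virtual address `insn_addr` (32-bit process).
 * target = address of next instruction + rel32; the instruction is 5 bytes. */
uint32_t resolve_rel32(const uint8_t *code, uint32_t insn_addr) {
    uint32_t next_insn = insn_addr + 5;             /* opcode + 4-byte operand */
    return next_insn + (uint32_t)read_rel32(code + 1);
}

/* Turn an absolute address back into the "ModBaseAddr + offset" form. */
uint32_t module_offset(uint32_t addr, uint32_t mod_base) {
    return addr - mod_base;
}

int main(void) {
    /* Constructed sample: the bytes from the post, E8 83 22 00 00,
     * assumed to sit at 0x4B8F65 so the next instruction is 0x4B8F6A. */
    const uint8_t call_bytes[5] = { 0xE8, 0x83, 0x22, 0x00, 0x00 };
    if (is_rel32_branch(call_bytes)) {
        uint32_t target = resolve_rel32(call_bytes, 0x4B8F65);
        printf("call target = %X (ModBaseAddr + %X)\n",
               target, module_offset(target, 0x400000));   /* 4BB1ED, BB1ED */
    }
    /* Constructed backwards call: rel32 = -0x10 encoded as F0 FF FF FF. */
    const uint8_t back_bytes[5] = { 0xE8, 0xF0, 0xFF, 0xFF, 0xFF };
    printf("backwards call target = %X\n", resolve_rel32(back_bytes, 0x4B8F65));
    return 0;
}
```

The same formula applies to 64-bit code with RIP in place of EIP; only the address width changes, the operand is still a sign-extended rel32.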