Tutorial Manually Resolve Relative Addresses as Operands

Rake
Administrator
Manually resolving relative addresses is a common problem for noobs, especially when doing detours & pattern scanning hooks, so I wanted to make an official thread about it.

Assembly instructions are called operations; opcode = operation code. Operands are the arguments to these operations. Operands are often relative offsets rather than absolute addresses, because a relative offset typically consumes less space than an absolute address, so this is done for efficiency.

Let's look at the E8 CALL instruction, which calls an address via an operand that is a relative offset from EIP (the current instruction address):

Cheat Engine makes your life easy by resolving it for you and showing you the offset relative to the module base address. Notice that BB1ED has no obvious relation to the bytes 83220000 in the instruction.
[screenshot]


Disabling this feature:
[screenshot]


Normal output gives you the absolute address still:
[screenshot]


Look up the instruction on a site like felixcloutier.com/x86/:
[screenshot]


The operand is a WORD, not a DWORD, so you only look at the lower 16 bits (the 'w' in 'cw' = word). Notice how there are 4 zeroes, which represent the high 16 bits.

The next instruction = 4B8F6A

Relative offset in big endian = 8322

Relative offset in little endian = 2283

4B8F6A(next instruction) + 2283 (relative offset in little endian) = 4BB1ED (target of call)

4BB1ED = ModBaseAddr + BB1ED

Make sense now?

So just manually resolve it yourself based on EIP (the current address of execution): take the address of the next instruction and add the relative offset.
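The calculation above, as an added worked example (my code, not the thread author's or the linked source): it reads the 4 displacement bytes after E8 as a little-endian signed value, adds them to the address of the next instruction, and turns the result back into a module-relative offset. The 0x400000 module base and the 0x4B8F65 instruction address are assumptions; the latter follows from the post's "next instruction = 4B8F6A" and the instruction being 5 bytes long (opcode + 4 displacement bytes, which is why the screenshot shows four zero bytes after 83 22). Reading all four bytes gives the same answer as the post's 16-bit reading when the upper bytes are zero, and additionally resolves backward (negative) displacements correctly. The same mechanism is used by E9 (JMP rel32), so the code handles both, and `encode_rel32` shows the inverse calculation an assembler performs when it emits such an instruction.

```python
import struct

# Constructed sample buffer imagined to be mapped inside a module at IMAGE_BASE.
# The bytes at CALL_ADDR reproduce the instruction from the post:
#   E8 83 22 00 00   call <rel32 = 0x00002283>
# IMAGE_BASE and CALL_ADDR are assumptions, not values from the thread.
IMAGE_BASE = 0x400000
CALL_ADDR = 0x4B8F65            # so the next instruction is 0x4B8F6A, as in the post
_padding = b"\x90" * 0x10       # NOP filler before and after, purely constructed
CODE = _padding + bytes.fromhex("E883220000") + _padding
CODE_BASE = CALL_ADDR - len(_padding)   # address CODE[0] would have in memory

# Both opcodes take a 4-byte displacement relative to the *next* instruction.
REL32_OPCODES = {0xE8: "call", 0xE9: "jmp"}
INSTR_LEN = 5                   # 1 opcode byte + 4 displacement bytes


def resolve_rel32(instr_addr, instr_bytes):
    """Return (mnemonic, absolute target) for an E8/E9 instruction at instr_addr."""
    opcode = instr_bytes[0]
    if opcode not in REL32_OPCODES:
        raise ValueError(f"not a rel32 call/jmp opcode: {opcode:#x}")
    if len(instr_bytes) < INSTR_LEN:
        raise ValueError("need the opcode plus 4 displacement bytes")
    # '<i' = little-endian signed 32-bit: 83 22 00 00 -> 0x2283, FB FF FF FF -> -5.
    # This is the "little endian" reading the post describes, done on all 4 bytes.
    disp = struct.unpack_from("<i", instr_bytes, 1)[0]
    next_ip = instr_addr + INSTR_LEN          # EIP after this instruction executes
    target = (next_ip + disp) & 0xFFFFFFFF    # wrap like a 32-bit register would
    return REL32_OPCODES[opcode], target


def read_instruction(addr, buf=CODE, buf_base=CODE_BASE):
    """Fetch the 5 bytes at addr from the constructed buffer (stand-in for a memory read)."""
    off = addr - buf_base
    if not 0 <= off <= len(buf) - INSTR_LEN:
        raise ValueError(f"address {addr:#x} outside the sample buffer")
    return buf[off:off + INSTR_LEN]


def module_offset(addr, module_base=IMAGE_BASE):
    """Absolute address -> offset from the module base (what Cheat Engine displays)."""
    return addr - module_base


def encode_rel32(opcode, instr_addr, target):
    """Inverse calculation: the 5 bytes an assembler emits for call/jmp target at instr_addr.
    The displacement is target - (instr_addr + 5); it must fit in a signed 32-bit value."""
    if opcode not in REL32_OPCODES:
        raise ValueError(f"not a rel32 call/jmp opcode: {opcode:#x}")
    disp = target - (instr_addr + INSTR_LEN)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target not reachable with a rel32 displacement")
    return bytes([opcode]) + struct.pack("<i", disp)


if __name__ == "__main__":
    mnemonic, target = resolve_rel32(CALL_ADDR, read_instruction(CALL_ADDR))
    print(f"{CALL_ADDR:#x}: {mnemonic} -> {target:#x} "
          f"(module base + {module_offset(target):#x})")
    # A backward call: displacement -5 makes the call target itself.
    print(resolve_rel32(0x1000, bytes.fromhex("E8FBFFFFFF")))
```

Running it reproduces the thread's numbers: next instruction 0x4B8F6A plus displacement 0x2283 gives 0x4BB1ED, which is module base + 0xBB1ED. The `& 0xFFFFFFFF` wrap and the signed unpack are the two details the word-sized shortcut skips, and they are what make a call that jumps backwards (displacement with the top bit set) resolve to the right address instead of an address past the end of the module.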

Want to do some of this calculation yourself? Source Code - How to resolve E8 call address