I've spent about 4-6 hours over the past day trying to wrap my head around this. I have been unable to find any tutorials or information on this topic.
I was hoping that maybe someone would be able to set me in the right direction. What I have so far: http://imageshack.us/photo/my-images/12/21902800.jpg/
Questions:
1) Lines 9-11. This is obviously the previous code, but what happens to it after I place my code in newmem? Is it overwritten?
2) Lines 16-19: what's going on here? (I have a basic understanding of assembler and I am currently working on learning x86 assembler.)
-----------------------------
Additional question:
1) Is Cheat Engine the best program for this? If not, what would you recommend?
Picture is also attached, just in case the ImageShack one is too hard to read. Any help would be appreciated.
I am far from a pro with CE's auto assembler, but here's a try.

    0656518f:

OK, so start with Q2. The above snippet is lines 16-20. The number 0656518f is the address of the original code in memory. When the auto assembler executes, the code at that address will be replaced with jmp newmem followed by nop.
Q1: now that the code at 0656518f has been changed, it will jmp to the code cave newmem and run what's there. In the code written so far the only names that are important are returnhere: and newmem:. You don't need the originalcode and exit labels; I think they may be messing you up. Newmem is completely free, unused memory, filled only with what you put in there. The point is you can make as much code in there as you want instead of working within the byte space provided by the original thread.
I use this AoB tool to make all the AoBs I post. Try the online version if you don't feel like downloading it.
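The mechanics described in that reply, as an added C example that is not from the thread, the screenshot, or Cheat Engine itself: process memory is simulated as a byte array, an AoB-style wildcard scan locates the original bytes, the code cave is built as the original instructions followed by a jmp back to returnhere, and the injection point is overwritten with jmp newmem plus nop padding. The image base, the six bytes of "original code" (mov [ebx+8],ecx / add eax,[ebx+10]) and the placement of newmem are constructed for the example; only the injection address 0656518f comes from the thread. It also carries the two checks a practitioner wants when doing this by hand: the overwritten span must cover whole instructions and be at least 5 bytes (the size of E9 rel32), and a rel32 jmp only reaches plus or minus 2 GiB, which matters when the cave is far from the target code in a 64-bit process.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the game's memory: nothing here is executed.
   IMAGE_BASE is the simulated address of image[0]; the hooked code sits
   at 0x0656518f (the address from the thread) and newmem is a free block
   further along. Both placements are assumptions for the example. */
#define IMAGE_BASE   0x06565180u
#define IMAGE_SIZE   128u
#define INJECT_OFF   0x0fu           /* 0x0656518f - IMAGE_BASE */
#define NEWMEM_OFF   0x40u           /* simulated code cave */
#define JMP_LEN      5u              /* E9 rel32 */
#define ORIGINAL_LEN 6u

static uint8_t image[IMAGE_SIZE];

/* Six bytes of sample 32-bit code (assumed, not the screenshot's bytes):
     89 4B 08   mov [ebx+8],ecx
     03 43 10   add eax,[ebx+10]
   Two whole instructions, so overwriting all 6 never splits one. */
static const uint8_t original[ORIGINAL_LEN] = {0x89, 0x4B, 0x08, 0x03, 0x43, 0x10};

void reset_image(void) {
    memset(image, 0xCC, IMAGE_SIZE);            /* int3 filler elsewhere */
    memcpy(image + INJECT_OFF, original, ORIGINAL_LEN);
}

/* AoB scan with a mask: mask[j]=1 means pat[j] must match, 0 means ?? wildcard.
   Returns the offset of the first match or -1. */
long aob_scan(const uint8_t *hay, size_t n, const uint8_t *pat,
              const uint8_t *mask, size_t m) {
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && (!mask[j] || hay[i + j] == pat[j])) j++;
        if (j == m) return (long)i;
    }
    return -1;
}

/* rel32 for a 5-byte jmp at `from` landing on `to`: target - next_ip.
   Fails if the distance does not fit in a signed 32-bit displacement. */
int encode_rel32(uint64_t from, uint64_t to, int32_t *out) {
    int64_t delta = (int64_t)to - (int64_t)(from + JMP_LEN);
    if (delta > INT32_MAX || delta < INT32_MIN) return -1;
    *out = (int32_t)delta;
    return 0;
}

static void write_jmp(uint8_t *at, int32_t rel) {
    uint32_t u = (uint32_t)rel;                 /* two's complement, little-endian */
    at[0] = 0xE9;
    for (int i = 0; i < 4; i++) at[1 + i] = (uint8_t)(u >> (8 * i));
}

/* What the auto assembler does for the script:
     newmem:  <original instructions> ; jmp returnhere
     inject:  jmp newmem ; nop padding
   `overwritten` must be the length of whole instructions at inject (>= 5). */
int install_hook(uint32_t inject, uint32_t newmem, size_t overwritten) {
    if (overwritten < JMP_LEN) return -1;
    uint8_t *site = image + (inject - IMAGE_BASE);
    uint8_t *cave = image + (newmem - IMAGE_BASE);
    int32_t rel;

    memcpy(cave, site, overwritten);            /* copy before patching */
    if (encode_rel32(newmem + overwritten, inject + overwritten, &rel)) return -1;
    write_jmp(cave + overwritten, rel);         /* jmp returnhere */

    if (encode_rel32(inject, newmem, &rel)) return -1;
    write_jmp(site, rel);                       /* jmp newmem */
    memset(site + JMP_LEN, 0x90, overwritten - JMP_LEN);   /* nop the leftover bytes */
    return 0;
}

/* Decode an E9 rel32 at `addr` and return the absolute target (0 if not a jmp). */
uint32_t jmp_target(uint32_t addr) {
    const uint8_t *p = image + (addr - IMAGE_BASE);
    if (p[0] != 0xE9) return 0;
    uint32_t rel = p[1] | (uint32_t)p[2] << 8 | (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
    return addr + JMP_LEN + rel;                /* unsigned wrap handles negative rel */
}

int main(void) {
    const uint8_t mask[ORIGINAL_LEN] = {1, 1, 1, 1, 1, 1};
    reset_image();
    long off = aob_scan(image, IMAGE_SIZE, original, mask, ORIGINAL_LEN);
    if (off < 0) { puts("AoB not found"); return 1; }
    uint32_t inject = IMAGE_BASE + (uint32_t)off;
    uint32_t newmem = IMAGE_BASE + NEWMEM_OFF;
    if (install_hook(inject, newmem, ORIGINAL_LEN)) { puts("hook failed"); return 1; }
    printf("%08x: jmp %08x (newmem)\n", (unsigned)inject, (unsigned)jmp_target(inject));
    printf("%08x: original bytes, then jmp %08x (returnhere)\n",
           (unsigned)newmem, (unsigned)jmp_target(newmem + ORIGINAL_LEN));
    return 0;
}
```

Build with any C99 compiler (cc hook.c -o hook) and run it; it prints the two resolved jumps. In a real CE script the same steps happen against live process memory, and CE's AoB/auto assembler works out the overwritten length for you, which is exactly why cutting an instruction in half by hand is the usual beginner mistake.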
Thanks Kolonel ^^ +karma
You wouldn't happen to know of any good x86 assembler manuals, teaching guides, etc.?
Unfortunately I don't really know any books, since I generally prefer to learn by just using the reference. So here is that: http://download.intel.com/design/intarch/manuals/24319101.pdf
and also this: http://download.intel.com/products/processor/manual/325462.pdf This document contains the following:
Volume 1: Describes the architecture and programming environment of processors supporting IA-32 and Intel 64 Architectures.
Volume 2: Includes the full Instruction Set Reference, A-Z, in one volume. Describes the format of the instruction and provides reference pages for instructions.
Volume 3: Includes the full System Programming Guide, Parts 1, 2, and 3, in one volume. Describes the operating-system support environment of Intel 64 and IA-32 Architectures, including: memory management, protection, task management, interrupt and exception handling, multi-processor support, thermal and power management features, debugging, performance monitoring, system management mode, VMX instructions, and Intel
You can also check out the attached book, "The Art of Assembly Language" (or just Google it). I've been studying malware analysis when I have the time and have acquired a few books on Assembly, C, C++...
Kolonel:
Thanks, I read through about 200 pages. It's a good reference source since it's made, unassumingly, by the creators of this version of assembly. Also, I used to know C really well but I haven't touched it in about 4 years, since I left the computer science major. Liked C a lot better than Java actually, lol.
Gates: OMG I love this book. The author makes it fun to read. Still on the Foreword though XD
------------------
I recommend anyone learning assembly check out this tutorial on the CE official forum: http://forum.cheatengine.org/viewtopic.php?t=95363 It's a good bird's-eye view of what to expect. A few errors, like INC and DEC are not increase and decrease, they're increment and decrement. Another thing I noticed was that with Intel-based assembler languages it reads from right to left, e.g.

    MOV [ebx+8],ecx

This states that ecx will be put in register ebx offset 8. I may write a guide when I'm done learning this.