![]() So don't be fooled by it if you are not looking at the start of the image. Keep in mind, the base address show in the hex editor is not always the absolute image base, but instead it steps up with the page allocation you are currently viewing. The base will be at the top of the hex editor: If you know the module name as well, such as user32.dll, you can open the Memory View window click on the hex editor at the bottom and press CTRL+G, input the name of the module in the box and click ok. That will show you the base address of the modules and executable. In Cheat Engine, open the memory editor then choose: "The base address where this code was loaded at is at:Ĭan I know how do you know its base is loaded at 03CB0000 ? !!Ĭan understand and image what to do mostly. ![]() Wow!!!! I wasn't expect such great response in such educational detail. This will let it mimic what you see in Cheat Engine. Load up the file you are analyzing then while the IDA View window is active, choose:Įnter the base address where the image is loaded in Cheat Engine and let IDA reanalyze the file. Drag your finger on the table to aim your billiard cue, then drag your finger on the power meter to the left of the table to set the power. ![]() ![]() One last thing you could do as well is rebase the image in IDA. (Assuming that code is not generated at runtime or protected in some manner.) It should find the same function within IDA. Then in IDA in the main window (IDA View) hit ALT+B to open the byte scanning window. ![]() So with the above code, I could take the bytes of the opcodes such as:ĨB 44 24 0C 56 57 66 8B 48 04 8D 70 04 8B C1 83 E0 3F 83 E8 02 The base address where this code was loaded at is at:Īnother thing you can do is use array of bytes to scan for the code in IDA. (Imagebase From IDA) + Offset = Address within IDAįor example, I have this block of code in a game:Ġ3D4AFE0 - 8B 44 24 0C - mov eax, Then in Cheat Engine you'd take the address you found and subtract its base to get an offset you can use in IDA. So you know that from this that IDA is using 0x10000000 as a base address for the image it loaded. You can find what that base is by scrolling all the way up to the top of the main window and checking the default information printout like this: ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |