
How to get the address of a code buffer on the x64 platform!



As the following picture shows, I can get the code buffer with asm on the x86 platform. Does anyone know how to do this on the x64 platform???

#include <windows.h>
#include <assert.h>

bool CheckCodeSnipeCrc32()
{
codeBegin:
    //OutputDebugString(L"test");
    //OutputDebugString(L"test0");
    //OutputDebugString(L"test1");
    int a = 0;
    a = a + 1;
    a = a - 1;
codeEnd:
    // curcrc32 is the CRC-32 computed at runtime over the bytes between
    // codeBegin and codeEnd. On x86 the two addresses are taken with inline
    // asm (the part shown only in the missing screenshot); obtaining them on
    // x64 is the open question of this thread.
    DWORD curcrc32;                // filled in by the inline-asm routine (not shown)
    DWORD oldCrc32 = 0xbcf07446;   // CRC-32 recorded from the known-good build
    assert(oldCrc32 == curcrc32);
    return oldCrc32 == curcrc32;
}

Edited by laiyierjiangsu

Share on other sites
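The thread never resolves how to obtain the start and end addresses of a code range on x64 MSVC (which has no inline assembler), so the example below, added here and not part of the original post or of the poster's code, leaves that part aside and shows the check itself: a standard CRC-32 over a half-open byte range, compared against a value recorded from a known-good build, exactly as the poster's assert does. The range it checks is a constructed byte array standing in for the protected routine's machine code (labelled as such in the code); pointing crc32_region() at a real [codeBegin, codeEnd) pair, however the toolchain provides it (a MASM .asm file that exports the two labels, or GCC/Clang's labels-as-values &&label extension that Khatharr alludes to), needs no change to the check. The function and variable names are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320), the same
 * algorithm zlib's crc32() implements; the table is built on first use. */
static uint32_t crc_table[256];
static bool crc_table_ready = false;

static void crc32_init(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    crc_table_ready = true;
}

/* CRC-32 of the half-open byte range [begin, end). */
uint32_t crc32_region(const void *begin, const void *end)
{
    if (!crc_table_ready)
        crc32_init();
    const uint8_t *p = (const uint8_t *)begin;
    const uint8_t *e = (const uint8_t *)end;
    uint32_t crc = 0xFFFFFFFFu;
    for (; p < e; p++)
        crc = crc_table[(crc ^ *p) & 0xFFu] ^ (crc >> 8);
    return crc ^ 0xFFFFFFFFu;
}

/* Integrity check in the spirit of the thread's CheckCodeSnipeCrc32():
 * compare the live CRC of a range against the value recorded from a
 * known-good build. Returns true when the bytes are unchanged. */
bool check_region_crc32(const void *begin, const void *end, uint32_t expected)
{
    return crc32_region(begin, end) == expected;
}

/* Constructed stand-in for the machine code of a protected routine (the
 * bytes are hand-assembled x86-64 for a = 0; a += 1; a -= 1). In a real
 * build this would be the [codeBegin, codeEnd) range; it is plain data
 * here so the example runs on any platform. */
uint8_t fake_code[] = {
    0x55, 0x48, 0x89, 0xE5,                   /* push rbp; mov rbp, rsp */
    0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, /* mov dword [rbp-4], 0   */
    0x83, 0x45, 0xFC, 0x01,                   /* add dword [rbp-4], 1   */
    0x83, 0x6D, 0xFC, 0x01,                   /* sub dword [rbp-4], 1   */
    0x5D, 0xC3                                /* pop rbp; ret           */
};

/* Records the reference CRC, then checks the same range before and after a
 * single opcode byte is overwritten. Returns true if the change is caught. */
bool demo_detects_patch(void)
{
    uint8_t *begin = fake_code;
    uint8_t *end = fake_code + sizeof fake_code;

    /* Step 1: the reference value comes from the unmodified build
     * (in the thread this is the hard-coded oldCrc32). */
    uint32_t reference = crc32_region(begin, end);
    bool before = check_region_crc32(begin, end, reference);

    /* Step 2: one opcode byte of the "add" instruction is overwritten. */
    uint8_t saved = fake_code[11];
    fake_code[11] = 0x90;
    bool after = check_region_crc32(begin, end, reference);
    fake_code[11] = saved; /* restore so the demo is repeatable */

    return before && !after;
}

int main(void)
{
    static const char vector[] = "123456789"; /* standard CRC-32 check value */
    printf("CRC-32(\"123456789\") = 0x%08X (expect 0xCBF43926)\n",
           crc32_region(vector, vector + 9));
    printf("patch detected: %s\n", demo_detects_patch() ? "yes" : "no");
    return 0;
}
```

The reference value must be computed from the final, linked binary (and recomputed after every rebuild), since any change to the instructions between the two labels changes the CRC; that is why the poster's 0xbcf07446 is specific to their build.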

There is no picture.

EDIT: It's edited in now, ignore my original post

Share on other sites
1 hour ago, Lactose said:

There is no picture.

Edit: Some code has now been edited in. This post can be ignored

Why? I pasted a screenshot of the code, but it didn't show. So I added the code here!

Share on other sites
Just now, laiyierjiangsu said:

Why? I pasted a screenshot of the code, but it didn't show. So I added the code here!

I mean my post could be ignored, since you edited it. Sorry for the confusion.

Share on other sites

VS doesn't support inline assembly in x64 builds.

For CRC checking a function body... Hmm...

Let me fiddle with it for a minute.

No, I can't come up with anything reliable. Even trying to grab the function pointer as a starting point I ended up staring at a jump table.

Edited by Khatharr

Share on other sites
21 minutes ago, Khatharr said:

Even trying to grab the function pointer as a starting point I ended up staring at a jump table.

Do you have edit-and-continue turned on and you're looking at the JMP thunk?

Share on other sites

Probably.
You'd also have to prevent inlining if it was done that way, and there's still the problem of finding the end address of the function.

The other thing that I was looking at was getting label addresses, but apparently that's not a thing (though gcc may offer it).

I guess one other option may be to just write your own sort of sub-loader. You could dump the module memory from a loaded/running version, then load that into an x-flagged page at runtime and jump in. You'd need to have some jumpout for CRC checking, though, and that would have to be a static address somehow, because otherwise it would change the CRC of the module. Though I suppose it wouldn't be too hard to compensate for that: keep the address as zero in the file, then when you load it set it to the target address and add that value to the checksum.

Still, though, if I were hacking that game I'd just overwrite the CRC function to indicate success.

Edited by Khatharr

Share on other sites
11 hours ago, Lactose said:

I mean my post could be ignored, since you edited it. Sorry for the confusion.

Thanks, Lactose! My English is poor.

Share on other sites
4 hours ago, Khatharr said:

Probably.
You'd also have to prevent inlining if it was done that way, and there's still the problem of finding the end address of the function.

The other thing that I was looking at was getting label addresses, but apparently that's not a thing (though gcc may offer it).

I guess one other option may be to just write your own sort of sub-loader. You could dump the module memory from a loaded/running version, then load that into an x-flagged page at runtime and jump in. You'd need to have some jumpout for CRC checking, though, and that would have to be a static address somehow, because otherwise it would change the CRC of the module. Though I suppose it wouldn't be too hard to compensate for that: keep the address as zero in the file, then when you load it set it to the target address and add that value to the checksum.

Still, though, if I were hacking that game I'd just overwrite the CRC function to indicate success.

Thanks, I just use this method to detect whether my core code is being debugged. If someone wants to hack it, it's achievable.

Share on other sites
58 minutes ago, laiyierjiangsu said:

I just use this method to detect whether my core code is being debugged. If someone wants to hack it, it's achievable.

If you're looking for informational reasons, or for code to take special paths, most operating systems have code that politely indicates if a debugger is attached. On Windows those are IsDebuggerPresent() to see if the program was launched by a debugger, and CheckRemoteDebuggerPresent().

The programs are always hackable, and it is possible to attach debuggers without those flags getting set, but they can serve as good tools if you want to use different behavior while being debugged.
