I'm trying to work out a multi-level pointer to a variable, but on the 3rd level my offset is 'rcx + r9*8'.

Full instruction:

```
140BD82D4 - 4A 8B 04 C9   - mov rax,[rcx+r9*8]
```

I normally use the offset to deduct it in calculator from the address of the current pointer I'm on, but in that case I really don't know what that offset means.

I will appreciate any hint in the right direction.

MTM
  • It's `rcx`, offset by `r9` times `8`. There's no ambiguity there. I don't understand what the problem is. – Silvio Mayolo Jan 18 '18 at 23:07
  • I think it's just my lack of basic knowledge on the subject. What is r9? – MTM Jan 18 '18 at 23:07
  • It's some temporary register, presumably. Depends on your architecture, I imagine. – Silvio Mayolo Jan 18 '18 at 23:08
  • Ok, I will try to ask from a different side - how would I then calculate the address of my next pointer as I can't just put r9*8 into my calculator to deduct it from my current address? – MTM Jan 18 '18 at 23:09
  • Figure out the value of `r9`, I guess? It's altogether unclear what you mean by "deduct from my current address" or what your end goal is, so that's about all the help I can provide. – Silvio Mayolo Jan 18 '18 at 23:10
  • I'm tracking an in-game value in Cheat Engine. The way I'm doing it is I'm checking what writes to its current address, and this way I get to a pointer of a pointer, but at this point my next pointer offset is the one I've mentioned. My previous one was 0C, so I took the address of the previous pointer, deducted 0C from it and found my way to the current one. – MTM Jan 18 '18 at 23:13

1 Answer


It looks like you're manually reversing a pointer for an x64 process.

```
rcx+r9*8
```

When you see this type of operand you can assume that RCX is the address of an array, r9 is the index into the array and 8 is the size of each element. You can also assume that it's an array of pointers considering pointer size on x64 is 8 bytes. If you're reversing a game, and the pointer is for the member variable of a player object then RCX may be the entity list, which in this case is an array of player object pointers.

Sadly you will not be able to get the value of r9 unless you place a hook there or trace backwards in the code and find where r9 gets its value. But because you probably just found the player array, the value of r9 probably doesn't matter anymore, because you found something even better: the entity list.

If this is the case, find a pointer for RCX (the entity list); then you can loop through all the player objects like a boss. It could also be the virtual function table or some other random array, though.

GuidedHacking
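As an added illustration of the answer above (example code written for this page, not from the asker, the answerer, or Cheat Engine): a small Python model of a fake 64-bit memory image that shows how `[rcx+r9*8]` is evaluated, why the usual "subtract the constant offset in the calculator" step turns into recovering an index once a level of the chain is an array, and how a multi-level pointer chain with an indexed level resolves. Every address, field offset and value below is constructed for the example; the constants `MEM_BASE`, `ENTITY_LIST_OFF`, `PLAYER_OFF`, `HEALTH_OFF` and the functions are assumptions of this example, not anything from the game or the original question.

```python
import struct

# Constructed layout for this example (not addresses from the question):
# a small fake 64-bit little-endian memory image starting at MEM_BASE.
MEM_BASE = 0x140000000
MEM_SIZE = 0x400
PTR_SIZE = 8             # pointer size on x64, hence the *8 scale in [rcx+r9*8]
ENTITY_LIST_OFF = 0x100  # array of player-object pointers (the "RCX" array)
PLAYER_OFF = 0x200       # first player object; each object is 0x40 bytes
HEALTH_OFF = 0x0C        # health field inside a player object


def _off(addr, size):
    """Translate an absolute address into an offset inside the image, bounds-checked."""
    off = addr - MEM_BASE
    if off < 0 or off + size > MEM_SIZE:
        raise ValueError(f"unmapped access at {addr:#x}")
    return off


def write_u64(mem, addr, value):
    struct.pack_into("<Q", mem, _off(addr, 8), value)


def write_u32(mem, addr, value):
    struct.pack_into("<I", mem, _off(addr, 4), value)


def read_u64(mem, addr):
    return struct.unpack_from("<Q", mem, _off(addr, 8))[0]


def read_u32(mem, addr):
    return struct.unpack_from("<I", mem, _off(addr, 4))[0]


def build_memory():
    """Lay out: static pointer -> entity list -> player objects (constructed data)."""
    mem = bytearray(MEM_SIZE)
    write_u64(mem, MEM_BASE, MEM_BASE + ENTITY_LIST_OFF)  # static pointer to the list
    for i in range(4):
        player = MEM_BASE + PLAYER_OFF + i * 0x40
        write_u64(mem, MEM_BASE + ENTITY_LIST_OFF + i * PTR_SIZE, player)
        write_u32(mem, player + HEALTH_OFF, 100 - 25 * i)  # health 100, 75, 50, 25
    return mem


def effective_address(base, index, scale=PTR_SIZE, disp=0):
    """x64 base + index*scale + disp, i.e. what [rcx+r9*8] evaluates to."""
    return base + index * scale + disp


def index_from_slot(base, slot_addr, scale=PTR_SIZE):
    """Inverse step: given the array base (rcx) and the slot address you arrived at,
    recover the index (r9). This is the 'subtract the offset' step from the question,
    except the offset is r9*scale rather than a constant."""
    delta = slot_addr - base
    if delta < 0 or delta % scale:
        raise ValueError("slot is not an element of this array")
    return delta // scale


def resolve(mem, base, steps):
    """Walk a multi-level pointer chain. Each step dereferences the current address
    and then applies either ('add', disp) for [ptr+disp] or ('index', i, scale)
    for [ptr+i*scale]. Returns the final address (not its contents)."""
    addr = base
    for step in steps:
        ptr = read_u64(mem, addr)
        if step[0] == "add":
            addr = ptr + step[1]
        elif step[0] == "index":
            addr = ptr + step[1] * step[2]
        else:
            raise ValueError(f"unknown step {step!r}")
    return addr


def read_player_health(mem, index):
    """static -> [entity_list + index*8] -> player + 0x0C -> health."""
    chain = [("index", index, PTR_SIZE), ("add", HEALTH_OFF)]
    return read_u32(mem, resolve(mem, MEM_BASE, chain))


if __name__ == "__main__":
    mem = build_memory()
    rcx = read_u64(mem, MEM_BASE)  # the array base the instruction uses
    for r9 in range(4):
        slot = effective_address(rcx, r9)
        print(f"r9={r9}: [rcx+r9*8] = {slot:#x} -> player {read_u64(mem, slot):#x}, "
              f"health {read_player_health(mem, r9)}")
```

The chain representation is the point of the example: a Cheat Engine-style chain of constant offsets is just `('add', disp)` steps, and the `[rcx+r9*8]` level becomes an `('index', r9, 8)` step. You still need a value for `r9` to walk the chain, which is why the answer says to find where `r9` is assigned or to treat the array base itself as the thing worth keeping.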