#1
Ok, first I want to say thanks to everyone for the very educational posts in here. DABhand et al.

Tools: Cheat Engine (x.x version - can't remember) TMK

Now, the question I have is this. I have a game that uses DMA. I found the memory address that writes the code I want to change and it's something like this (I'm doing this from memory as I don't have my notes with me):

00c22848 - xx xx xx mov [esi+054h], eax

(again I think this is similar to the actual code but not exact)

EAX in this case is 00000000. But I want it to be 00000001. So I create a code cave (using Cheat Engine) and create:

00491919 - mov [esi+054h],00000001
xxxxxxxx - nop
xxxxxxxx - ret
xxxxxxxx - nop

However, when I go back to 00c22848 and change the mov stmt to:

00c22848 - call 00491919

I get the following msg in Cheat Engine (paraphrasing here): The NEW code is 5 bytes long, but the REPLACED code is only 3 bytes long. Do you want to replace the unused bytes with NOP? (Again, paraphrased)

Obviously I can't do the replacement because it will overwrite the code that exists in the 4th and subsequent bytes, right? I think there's a jmp that comes right after the commands at 00c22848 that gets overwritten. How can I get to my code cave and back?? Is this an advanced subject or am I missing something? A lil help?
#2
You're replacing, say...

mov [esi+054h], eax

with a call to your caved code, right? mov [esi+54h], eax is indeed 3 bytes - you should have seen this in the disassembly, it's 89 46 54. You need to grab the next line(s) too, and also copy that to your cave code until you have 5 (or more) bytes to work in. Say the code is:

89 46 54    mov [esi+54], eax
33 c0       xor eax, eax
40          inc eax

You need 5 bytes to put in the call, so that will be in place of the 89 46 54 33 c0. It'll become e8 xx xx xx xx (call to your cave). Your code will then have...

mov [esi+54], 1 (your replacement)

then the other copied lines (33 c0 in this example) and then a ret... makes sense?
__________________
bleh DO NOT PM me with questions, leave that in the forums... ESPECIALLY if I don't know you...
#3
Yes, that's exactly right. I did see it in the assembly, but didn't note it until I received the message.

Your solution makes perfect sense, i.e., it makes me realize how much of a noob I am at code caving. I cannot believe I didn't think of this. Thanks!!
#4
Guess I don't have to give an answer now :P

But yeah, you always want to make sure that any destroyed opcodes are replaced in your code cave. It's always going to be 5 bytes for a call or jmp, so make sure you have everything covered.
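Posts #2 and #4 both come down to the same bookkeeping: a near call costs 5 bytes, so it has to displace whole instructions, and every displaced instruction except the one being replaced must be re-executed in the cave before the ret. The Python below is an added example (not from the thread and not Cheat Engine's code) that works that out for the thread's own addresses and bytes; the instruction list is constructed from post #2's example, the 7-byte encoding of mov dword [esi+54h],1 is my own, and the relative-branch check is an extra caveat the thread does not mention.

```python
import struct

CALL_LEN = 5  # a near call is E8 + rel32, so the patch always costs 5 bytes

# Constructed from the thread's example: (bytes, mnemonic) at the patch site,
# plus the two addresses posts #1 and #2 use.
PATCH_SITE = 0x00C22848
CAVE_ADDR = 0x00491919
ORIGINAL = [
    (bytes.fromhex("894654"), "mov [esi+54h], eax"),
    (bytes.fromhex("33c0"), "xor eax, eax"),
    (bytes.fromhex("40"), "inc eax"),
]
# mov dword [esi+54h], 1 encodes as C7 46 54 imm32: 7 bytes, fine in the cave.
REPLACEMENT = bytes.fromhex("c7465401000000")

def is_relative_branch(code):
    """jmp/call/jcc with a relative displacement: copying one into the cave
    unchanged would redirect it, so it must be re-encoded instead."""
    b0 = code[0]
    return (b0 in (0xE8, 0xE9, 0xEB) or 0x70 <= b0 <= 0x7F
            or (b0 == 0x0F and len(code) > 1 and 0x80 <= code[1] <= 0x8F))

def steal(instructions, need=CALL_LEN):
    """Take whole instructions until `need` bytes are covered (CE's 5-vs-3 warning)."""
    taken, size = [], 0
    for insn in instructions:
        if size >= need:
            break
        taken.append(insn)
        size += len(insn[0])
    if size < need:
        raise ValueError("not enough bytes at the site to hold a call")
    return taken, size

def encode_call(src, dst):
    """E8 rel32; the displacement is measured from the end of the call."""
    return b"\xe8" + struct.pack("<I", (dst - (src + CALL_LEN)) & 0xFFFFFFFF)

def build_patch(site, cave, instructions, replacement):
    """Return (bytes written at the site, bytes placed in the cave)."""
    stolen, size = steal(instructions)
    for code, text in stolen[1:]:
        if is_relative_branch(code):
            raise ValueError(f"relocating '{text}' needs re-encoding")
    # Call, then NOP out whatever is left of the last stolen instruction.
    site_bytes = encode_call(site, cave) + b"\x90" * (size - CALL_LEN)
    # Cave: replacement, the other stolen instructions unchanged, then ret back
    # to the first instruction not stolen. (The call pushed a return address,
    # so any esp-relative stolen code would be off by 4 inside the cave.)
    cave_bytes = replacement + b"".join(c for c, _ in stolen[1:]) + b"\xc3"
    return site_bytes, cave_bytes
```

For the thread's numbers this yields e8 cc f0 86 ff at 00c22848 (no NOPs needed, since mov + xor is exactly 5 bytes) and a cave of c7 46 54 01 00 00 00, 33 c0, c3.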
#5
Thanks again, guys!

Edit: Actually I was pretty stoked that I could pick it up again after not having done it for a year or so. Funny how some things come back to you, kind of like riding a bike I guess...