 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Csimbi
I post too much
 Reputation: 94
Joined: 14 Jul 2007
Posts: 3108
|
 Posted: Thu Aug 10, 2017 3:37 am Post subject: Compensating for SpeedHack |
 |
|
Hi there,
there are some apps/games that dial home periodically for sending or receiving status reports or just for a heartbeat.
When I enable speedhack, all timers will be adjusted, including the HTTP timeouts and the heartbeat timers - meaning that HTTP requests time out too fast and heartbeats will occur too fast, possibly resulting in a DoS attack.
I was wondering if there's a way to query the current speed setting (as a float or a double) from the auto-assembler and applying those to specific parts or the code.
You know, to slow down the frequency of the heartbeat and to give more time for the HTTP timeout.
Consider this pseudo AA script:
| Code: | hook:
xmm0 = call gettimer // get time since app was started
xmm1 = dPrevious // load last update's timestamp
xmm1 -= xmm0 // calculate time since last update
xmm2 = 10000 // load the constant heartbeat period
xmm3 = call GetCESpeedSetting // get CE's speedhack setting
xmm2 *= xmm3 // mod the heartbeat period with the speedhack setting
cmp xmm1, xmm2
...
jmp return
|
Has anyone done something like this?
Thanks!
|
|
| Back to top |
|
 |
ParkourPenguin
I post too much
 Reputation: 140
Joined: 06 Jul 2014
Posts: 4289
|
| Posted: Thu Aug 10, 2017 8:58 am Post subject: |
|
|
http://forum.cheatengine.org/viewtopic.php?p=5728390#5728390
Alternatively, have CE write the current speed setting to some registered symbol and read from it wherever.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
Dark Byte
Site Admin
 Reputation: 458
Joined: 09 May 2003
Posts: 25287
Location: The netherlands
|
| Posted: Thu Aug 10, 2017 10:12 am Post subject: |
|
|
find the routines you do not wish to speed up and replace them with the original call address (check the speedhack dll exports)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Csimbi
I post too much
Reputation: 94
Joined: 14 Jul 2007
Posts: 3108
|
| Posted: Thu Aug 10, 2017 11:45 am Post subject: |
|
|
Thanks - not sure how to apply that linked code to my case though...
Is there a function I need to find or value in CE?
How do I have CE write the speed setting to a registered address (that would be the best!).
| Dark Byte wrote: | | find the routines you do not wish to speed up and replace them with the original call address (check the speedhack dll exports) |
Thanks!
While that should be 100% reliable, but I have no clue as to how to do that from an AA script. 
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4289
|
| Posted: Thu Aug 10, 2017 12:46 pm Post subject: |
|
|
| Csimbi wrote: | Thanks - not sure how to apply that linked code to my case though...
Is there a function I need to find or value in CE? |
| Code: | {$lua}
function getSpeedhackDword()
return byteTableToDword(floatToByteTable(speedhack_getSpeed()))
end
{$asm}
loadlibrary(luaclient-i386.dll)
luacall(openLuaServer('CELUASERVER'))
CELUA_ServerName:
db 'CELUASERVER',0
globalalloc(newmem,2048)
globalalloc(funcName,256)
globalalloc(getSpeedhackDwordRef,4)
funcName:
db 'getSpeedhackDword',0
newmem:
mov eax,[getSpeedhackDwordRef]
test eax,eax
jnz short @f
push funcName
call CELUA_GetFunctionReferenceFromName
mov [getSpeedhackDwordRef],eax
@@:
push 1
push 0
push 0
push eax
call CELUA_ExecuteFunctionByReference
// eax now contains speedhack as a float. example:
push eax
fld [esp]
add esp,4
// speedhack now in st(0); do whatever with it |
| Csimbi wrote: | | How do I have CE write the speed setting to a registered address (that would be the best!). |
Lua script:
| Code: | autoAssemble('globalalloc(CESpeedHack,4)')
local t = createTimer()
t.Interval = 100
t.OnTimer = function(t)
writeFloat(getAddress('CESpeedHack'), speedhack_getSpeed())
end |
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
Csimbi
I post too much
Reputation: 94
Joined: 14 Jul 2007
Posts: 3108
|
| Posted: Wed Jan 22, 2020 12:21 pm Post subject: |
|
|
Hi guys,
an adaptation of that script ParkourPenguin posted above worked fabulously up until now.
The game has been replaced with an x64 build.
I did change the DLL name in the loadlibrary call to luaclient-x86_64.dll and I change 'important' registers to qwords.
When I run a trace on this, things are looking good until:
call CELUA_GetFunctionReferenceFromName
After that, RAX is zero and for that reason, obviously it crashes here:
call CELUA_ExecuteFunctionByReference
| Code: | //////////////////////////////////////////////////////////////////////////////
// The following code READS speedhack setting
//////////////////////////////////////////////////////////////////////////////
// See if we have the reference initialized already
mov rax,[pGetSpeedhackDwordRef]
test rax,rax
jnz short @f
// If not, get it.
push sFuncNameGetSpeedhack
call CELUA_GetFunctionReferenceFromName
mov [pGetSpeedhackDwordRef],rax
// We have the function reference, let's continue
@@:
push 1 // Pass Boolean to run in seperate thread.
push 0 // Pass Address of param list
push 0 // Pass Number of params
push rax // Pass function reference
call CELUA_ExecuteFunctionByReference
// EAX now contains speedhack as a float.
mov dword ptr [fCurrentSpeedHackSpeed],eax
//////////////////////////////////////////////////////////////////////////////
// End of speedhack setting READS
//////////////////////////////////////////////////////////////////////////////
|
Is this a problem with different calling conventions in x64?
Thank you!
Last edited by Csimbi on Wed Jan 22, 2020 1:18 pm; edited 1 time in total |
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 458
Joined: 09 May 2003
Posts: 25287
Location: The netherlands
|
| Posted: Wed Jan 22, 2020 12:33 pm Post subject: |
|
|
yes, 64-bit uses different calling mechanisms (param1 = rcx, 2=rdx, 3=r8, 4=r9)
if you do the lua template on a 64-bit target you will see this:
| Code: |
mov ecx,[addresswithluafunctionidstored]
test ecx,ecx
jne short hasrefid
mov rcx,addresswithluafunctionname
call CELUA_GetFunctionReferenceFromName //Basically calls createRef(functionname) and returns the value
mov [addresswithluafunctionidstored],eax
mov ecx,eax
hasrefid:
mov edx,numberofparameterstopass
mov r8,addresswithparameterlist //could be the stack. e.g lea r8,[rsp+8]
mov [r8],param1
mov [r8+8],param2
mov [r8+c],param3
//...
mov r9,0 //0=no async, 1=async. Use async if you do not wish to update the GUI. Faster
call CELUA_ExecuteFunctionByReference
When done RAX will contain the result of the lua function
And as per 64-bit calling convention, RCX, RDX, R8, R9, R10, R11 may have been altered. So save/restore them beforehand
|
so it looks like the original code used the same template but now just needs an update to 64 bit
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Csimbi
I post too much
Reputation: 94
Joined: 14 Jul 2007
Posts: 3108
|
| Posted: Wed Jan 22, 2020 1:17 pm Post subject: |
|
|
That fixed it, thanks!
One question: do I need to set R8 to zero when I have 0 parms (that is, edx==0)?
Here's the x64 code, for reference:
| Code: | //////////////////////////////////////////////////////////////////////////////
// The following code READS speedhack setting; x64 version
//////////////////////////////////////////////////////////////////////////////
// See if we have the reference initialized already
push rax
push rbx
push rcx
push rdx
push r8
push r9
push r10
push r11
mov ecx,[pGetSpeedhackDwordRef] // Get RefID
test ecx,ecx
jnz short @f
// If not, get it.
mov rcx,sFuncNameGetSpeedhack
call CELUA_GetFunctionReferenceFromName
mov [pGetSpeedhackDwordRef],eax // Store RefID
mov ecx,eax // Use the RefID we just stored
// We have the function reference, let's continue
@@:
// ECX already contains RefID
mov edx,0 // Pass Number of params
mov r8,0 // Pass Address of param list
mov r9,1 // Pass Boolean to run in seperate thread.
call CELUA_ExecuteFunctionByReference
// EAX now contains speedhack as a float.
mov dword ptr [fCurrentSpeedHackSpeed],eax
pop r11
pop r10
pop r9
pop r8
pop rdx
pop rcx
pop rbx
pop rax
//////////////////////////////////////////////////////////////////////////////
// End of speedhack setting READS; x64
//////////////////////////////////////////////////////////////////////////////
|
Note to self: state of RBX needs to be stored, else crash.
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 458
Joined: 09 May 2003
Posts: 25287
Location: The netherlands
|
| Posted: Wed Jan 22, 2020 1:20 pm Post subject: |
|
|
if paramcount is 0, then r8 can be 0 as it's not accessed anyhow
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Csimbi
I post too much
Reputation: 94
Joined: 14 Jul 2007
Posts: 3108
|
| Posted: Wed Jan 22, 2020 1:27 pm Post subject: |
|
|
Can or must? 
+1 Q:
Is the return value 4 or 8 bytes?
| Code: | | add rsp,4 // Throw away the return value; we don't care. |
or
| Code: | | add rsp,8 // Throw away the return value; we don't care. |
Thanks!
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 458
Joined: 09 May 2003
Posts: 25287
Location: The netherlands
|
| Posted: Wed Jan 22, 2020 1:41 pm Post subject: |
|
|
no add rsp,xxx because the result is not pushed on the stack, it is returned in rax
at most you need an add rsp,20 or rsp,28 (depending on the location of the function) and at the end an sub rsp,sameamount
but not needed if the function has done it for you, and watch alignment
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Csimbi
I post too much
Reputation: 94
Joined: 14 Jul 2007
Posts: 3108
|
| Posted: Wed Jan 22, 2020 3:21 pm Post subject: |
|
|
| Great, thank you, much appreciated!
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
