 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Zaladine
Expert Cheater
 Reputation: 3
Joined: 14 Oct 2012
Posts: 130
Location: Djokdja, Indonesia
|
 Posted: Wed Sep 09, 2015 8:20 pm Post subject: Code Injection Q: rax becomes eax when code injected. |
 |
|
While trying to inject a code, i wrote in my script:
| Code: | | cmp rax,(float)16.6 |
But when the code was injected, it didn't do as expected. I browse to the injection address and found that the above code become:
So the rax has somehow converted to eax, and the code injection purpose didn't work.
How to solve this?
Thanks very much in advance.
Here's the complete code btw:
| Code: | [ENABLE]
alloc(newmem,2048,"game.exe"+4E11C6)
label(sethigh)
label(setlow)
label(returnhere)
label(originalcode)
label(exit)
newmem:
mov rax,[rcx+30]
mov rax,[rax+258]
cmp rax,(float)16.6
jbe setlow
sethigh:
mov [rcx+00000584],(float)1.125
jmp originalcode
setlow:
mov [rcx+00000584],(float)0.25
originalcode:
mulss xmm0,[rcx+00000584]
exit:
jmp returnhere
"game.exe"+4E11C6:
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
dealloc(newmem)
"game.exe"+4E11C6:
mulss xmm0,[rcx+00000584] |
_________________
... to boldly go where no eagle has gone before ...
Last edited by Zaladine on Thu Sep 10, 2015 9:38 am; edited 1 time in total |
|
| Back to top |
|
 |
Zanzer
I post too much
![]() Reputation: 126
Joined: 09 Jun 2013
Posts: 3278
|
| Posted: Wed Sep 09, 2015 9:12 pm Post subject: |
|
|
EAX is the correct form of the register when comparing 4 bytes (a float).
Using CMP on a float, however, is incorrect. You should instead use FCOMIP or COMISS.
|
|
| Back to top |
|
|
Zaladine
Expert Cheater
Reputation: 3
Joined: 14 Oct 2012
Posts: 130
Location: Djokdja, Indonesia
|
| Posted: Thu Sep 10, 2015 2:32 am Post subject: |
|
|
I was kind of avoided using them since while debugging the codes, there are lots of xmm(s) used.
Here's few command lines before the injection point:
| Code: | game.exe+4E118F - xorps xmm6,xmm6
game.exe+4E1192 - test rax,rax
game.exe+4E1195 - je game.exe+4E11A1
game.exe+4E1197 - movss xmm2,[rax+00000118]
game.exe+4E119F - jmp game.exe+4E11A4
game.exe+4E11A1 - movaps xmm2,xmm6
game.exe+4E11A4 - lea rdi,[rcx+00000598]
game.exe+4E11AB - movaps xmm0,xmm1
game.exe+4E11AE - mov [rsp+50],3F800000
game.exe+4E11B6 - mov [rsp+40],BF800000
game.exe+4E11BE - mulss xmm0,[game.exe+F170CC]
|
I don't quite understand yet about the xmm registers stacking so was a bit afraid to mess with them, thus i treated it as dword integer cmp.
_________________
... to boldly go where no eagle has gone before ... |
|
| Back to top |
|
|
mgr.inz.Player
I post too much
 Reputation: 218
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Thu Sep 10, 2015 9:05 am Post subject: |
|
|
Post more details. Dozen lines above and dozen line below injection point in one screenshot.
Maybe there is xmm register we can use.
_________________
|
|
| Back to top |
|
|
Zanzer
I post too much
![]() Reputation: 126
Joined: 09 Jun 2013
Posts: 3278
|
| Posted: Thu Sep 10, 2015 9:49 am Post subject: |
|
|
Looks like XMM6 is safe to use as long as you reset it again.
| Code: | [ENABLE]
alloc(newmem,2048,"game.exe"+4E11C6)
label(sethigh)
label(setlow)
label(returnhere)
label(originalcode)
label(exit)
label(myvar)
newmem:
mov rax,[rcx+30]
movss xmm6,[rax+258]
comiss xmm6,[myvar]
xorps xmm6,xmm6 // set it back to zero
jbe setlow
sethigh:
mov [rcx+00000584],(float)1.125
jmp originalcode
setlow:
mov [rcx+00000584],(float)0.25
originalcode:
mulss xmm0,[rcx+00000584]
exit:
jmp returnhere
myvar:
dd (float)16.6
"game.exe"+4E11C6:
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
dealloc(newmem)
"game.exe"+4E11C6:
mulss xmm0,[rcx+00000584] |
|
|
| Back to top |
|
|
Zaladine
Expert Cheater
Reputation: 3
Joined: 14 Oct 2012
Posts: 130
Location: Djokdja, Indonesia
|
| Posted: Thu Sep 10, 2015 10:01 am Post subject: |
|
|
@mgr.inz.Player:
Here they are, the whole function i suppose...
| Code: | game.exe+4E112E - CC - int 3
game.exe+4E112F - CC - int 3
game.exe+4E1130 - 48 89 5C 24 10 - mov [rsp+10],rbx
game.exe+4E1135 - 57 - push rdi
game.exe+4E1136 - 48 83 EC 30 - sub rsp,30
game.exe+4E113A - 48 8B 41 30 - mov rax,[rcx+30]
game.exe+4E113E - F3 0F10 0D 6262A300 - movss xmm1,[game.exe+F173A8]
game.exe+4E1146 - 0F29 74 24 20 - movaps [rsp+20],xmm6
game.exe+4E114B - 48 8B D9 - mov rbx,rcx
game.exe+4E114E - F3 0F10 80 58020000 - movss xmm0,[rax+00000258]
game.exe+4E1156 - F3 0F59 05 7E60A300 - mulss xmm0,[game.exe+F171DC]
game.exe+4E115E - 0F54 05 AB87A300 - andps xmm0,[game.exe+F19910]
game.exe+4E1165 - 0F2F C1 - comiss xmm0,xmm1
game.exe+4E1168 - 76 0A - jna game.exe+4E1174
game.exe+4E116A - F3 0F10 0D C259A300 - movss xmm1,[game.exe+F16B34]
game.exe+4E1172 - EB 14 - jmp game.exe+4E1188
game.exe+4E1174 - F3 0F5C C8 - subss xmm1,xmm0
game.exe+4E1178 - F3 0F59 0D 6859A300 - mulss xmm1,[game.exe+F16AE8]
game.exe+4E1180 - F3 0F58 0D AC59A300 - addss xmm1,[game.exe+F16B34]
game.exe+4E1188 - 48 8B 81 38080000 - mov rax,[rcx+00000838]
game.exe+4E118F - 0F57 F6 - xorps xmm6,xmm6
game.exe+4E1192 - 48 85 C0 - test rax,rax
game.exe+4E1195 - 74 0A - je game.exe+4E11A1
game.exe+4E1197 - F3 0F10 90 18010000 - movss xmm2,[rax+00000118]
game.exe+4E119F - EB 03 - jmp game.exe+4E11A4
game.exe+4E11A1 - 0F28 D6 - movaps xmm2,xmm6
game.exe+4E11A4 - 48 8D B9 98050000 - lea rdi,[rcx+00000598]
game.exe+4E11AB - 0F28 C1 - movaps xmm0,xmm1
game.exe+4E11AE - C7 44 24 50 0000803F - mov [rsp+50],3F800000
game.exe+4E11B6 - C7 44 24 40 000080BF - mov [rsp+40],BF800000
game.exe+4E11BE - F3 0F59 05 065FA300 - mulss xmm0,[game.exe+F170CC]
game.exe+4E11C6 - F3 0F59 81 84050000 - mulss xmm0,[rcx+00000584] // HERE'S THE INJECTION POINT
game.exe+4E11CE - F3 0F58 C1 - addss xmm0,xmm1
game.exe+4E11D2 - F3 0F59 C2 - mulss xmm0,xmm2
game.exe+4E11D6 - F3 0F58 07 - addss xmm0,[rdi]
game.exe+4E11DA - 0F2F 05 FF6DA300 - comiss xmm0,[game.exe+F17FE0]
game.exe+4E11E1 - F3 0F11 07 - movss [rdi],xmm0
game.exe+4E11E5 - 73 07 - jae game.exe+4E11EE
game.exe+4E11E7 - 48 8D 44 24 40 - lea rax,[rsp+40]
game.exe+4E11EC - EB 10 - jmp game.exe+4E11FE
game.exe+4E11EE - 0F2F 05 A35CA300 - comiss xmm0,[game.exe+F16E98]
game.exe+4E11F5 - 48 8D 44 24 50 - lea rax,[rsp+50]
game.exe+4E11FA - 48 0F46 C7 - cmovbe rax,rdi
game.exe+4E11FE - 8B 00 - mov eax,[rax]
game.exe+4E1200 - 48 8D 0D 21A6C700 - lea rcx,[game.exe+115B828]
game.exe+4E1207 - 89 07 - mov [rdi],eax
game.exe+4E1209 - E8 42B8BEFF - call game.exe+CCA50
game.exe+4E120E - 48 85 C0 - test rax,rax
game.exe+4E1211 - 74 07 - je game.exe+4E121A
game.exe+4E1213 - F3 0F10 48 38 - movss xmm1,[rax+38]
game.exe+4E1218 - EB 03 - jmp game.exe+4E121D
game.exe+4E121A - 0F28 CE - movaps xmm1,xmm6
game.exe+4E121D - F3 0F59 0D 4B5BA300 - mulss xmm1,[game.exe+F16D70]
game.exe+4E1225 - F3 0F10 07 - movss xmm0,[rdi]
game.exe+4E1229 - 0F54 05 E086A300 - andps xmm0,[game.exe+F19910]
game.exe+4E1230 - F3 0F58 0D 605CA300 - addss xmm1,[game.exe+F16E98]
game.exe+4E1238 - E8 C3A17400 - call game.exe+C2B400
game.exe+4E123D - F3 0F10 0F - movss xmm1,[rdi]
game.exe+4E1241 - 0F2E CE - ucomiss xmm1,xmm6
game.exe+4E1244 - 74 17 - je game.exe+4E125D
game.exe+4E1246 - 0F2F CE - comiss xmm1,xmm6
game.exe+4E1249 - 73 0A - jae game.exe+4E1255
game.exe+4E124B - F3 0F10 35 8D6DA300 - movss xmm6,[game.exe+F17FE0]
game.exe+4E1253 - EB 08 - jmp game.exe+4E125D
game.exe+4E1255 - F3 0F10 35 3B5CA300 - movss xmm6,[game.exe+F16E98]
game.exe+4E125D - F3 0F59 F0 - mulss xmm6,xmm0
game.exe+4E1261 - F3 0F11 B3 94050000 - movss [rbx+00000594],xmm6
game.exe+4E1269 - 48 8B 5C 24 48 - mov rbx,[rsp+48]
game.exe+4E126E - 0F28 74 24 20 - movaps xmm6,[rsp+20]
game.exe+4E1273 - 48 83 C4 30 - add rsp,30
game.exe+4E1277 - 5F - pop rdi
game.exe+4E1278 - C3 - ret
game.exe+4E1279 - CC - int 3
game.exe+4E127A - CC - int 3
|
Hope that suffice data...
Anyway, i've managed to make my injection work:
So there is this driving game in which players can use their mouse to act as steering wheel. The problem is in the sensitivity setting: the one i prefer (low sensitivity) is suitable for highway high speed running, but upon arriving at any town, the low sensitivity drives the car too slow to handle when driving in low speed (below 50kmh). It's just too hard to make a sharp-quick-turn with such low sensitivity setting, of which it would be quite tedious to set it back and forth for different ground...
So the goal of the injection is to detect: if my speed is above 60 kmh, then set the sensitivity to 1.125. Below that, set the senitivity to 0.125. To do this, i utilize 2 addresses in my table:
- Current speed, that is [rax+258]
- Mouse Sensitvity, that is [rcx+584]
And here's my new code injection which works quite well:
| Code: | [ENABLE]
alloc(newmem,2048,"game.exe"+4E11C6)
label(sethigh)
label(setlow)
label(returnhere)
label(originalcode)
label(exit)
newmem:
mov rax,[rcx+30]
cmp [rax+258],(float)16.6 // current speed
jbe sethigh
setlow:
mov [rcx+00000584],(float)0.125 // mouse set to low sensitivity
jmp originalcode
sethigh:
mov [rcx+00000584],(float)1.25 // mouse set to high sensitivity
jmp originalcode
originalcode:
mulss xmm0,[rcx+00000584]
exit:
jmp returnhere
"game.exe"+4E11C6:
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
dealloc(newmem)
"game.exe"+4E11C6:
mulss xmm0,[rcx+00000584] |
Still, i don't satisfy with the coding. It doesn't even feel intermediate at all, so if there are any better solution (preferably using the proper xmm registers comparison), i'll be very thankful to study something that i've been avoiding for quite a while.
Thanks in advance for any replies and advices, and pardon for my English.
EDIT:
@Zanzer: Thanks for posting the revision. I was writing above post when yours are posted. I just noticed it after the submission done...
Will try and look into it...
Any other alternatives is still very much welcome.
Thank you...
_________________
... to boldly go where no eagle has gone before ... |
|
| Back to top |
|
|
mgr.inz.Player
I post too much
Reputation: 218
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Thu Sep 10, 2015 1:06 pm Post subject: |
|
|
Looks like xmm3, xmm4 or xmm5 can be used too.
Also xmm7 through xmm15.
The best choice will be xmm6 as mentioned by Zanzer.
_________________
|
|
| Back to top |
|
|
panraven
Grandmaster Cheater
![]() Reputation: 55
Joined: 01 Oct 2008
Posts: 942
|
| Posted: Thu Sep 10, 2015 1:11 pm Post subject: |
|
|
or push/pop xmm in stack like these:
push
| Code: | sub esp,10
movdqu dqword [esp],xmm0 |
pop
| Code: | movdqu xmm0,dqword [esp]
add esp,10
|
_________________
- Retarded. |
|
| Back to top |
|
|
mgr.inz.Player
I post too much
Reputation: 218
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Thu Sep 10, 2015 1:12 pm Post subject: |
|
|
About "cmp [rax+258],(float)16.6 // current speed "
It is quite good when [rax+258] will not go below zero, or to big (more than dozen of digits), and won't be NaN.
What value it has when you drive a car in reverse gear?
_________________
|
|
| Back to top |
|
|
Zaladine
Expert Cheater
Reputation: 3
Joined: 14 Oct 2012
Posts: 130
Location: Djokdja, Indonesia
|
| Posted: Thu Sep 10, 2015 5:10 pm Post subject: |
|
|
| mgr.inz.Player wrote: | Looks like xmm3, xmm4 or xmm5 can be used too.
Also xmm7 through xmm15.
The best choice will be xmm6 as mentioned by Zanzer. |
I did try with xmm13 once, and the game crashed somehow. Too bad, i forgot to save the crashed injection so that i've no idea the cause of the crash. Should be bad coding i believe...
Could you please tell me, why xmm6 would be the best choice? Is it because this line?
Which set to 0.0, so there should be easy to return its state after using it?
So i guess that these xmm registers works like common ones (eax, ebx, rax, rbx, etc) that after usage should be returned to their previous state? There are no register stacking here, right? (e.g.: for the case of fst and fstp).
I get this assumption after studying the injection that @Zanzer provided which working smoothly, btw (Thanks, man). Please correct me on this. Thanks in advance...
| mgr.inz.Player wrote: | About "cmp [rax+258],(float)16.6 // current speed "
It is quite good when [rax+258] will not go below zero, or to big (more than dozen of digits), and won't be NaN.
What value it has when you drive a car in reverse gear? |
Excellent guess !!! The problem arise when i need to reverse the car, which the speed goes below 0.0, the mouse sensitivity value was set as if it is running high speed (set to low sensitivity) resulting it became hard to make a sharp turn when going reverse to park the car accordingly. I tottally forgot that negative floating numbers are even bigger than positive ones when converted to dword...
There is some calculation actually that convert the real current speed as the speed read on speed meter divides by 3.6. So, e.g.: 60 kmh should actually be 16.6667 in memory (as seen on my injection),
@panraven:
Thanks for pointing that out. Added to my cheating library and should be useful in future.
_________________
... to boldly go where no eagle has gone before ...
Last edited by Zaladine on Thu Sep 10, 2015 5:38 pm; edited 1 time in total |
|
| Back to top |
|
|
Zanzer
I post too much
![]() Reputation: 126
Joined: 09 Jun 2013
Posts: 3278
|
| Posted: Thu Sep 10, 2015 5:29 pm Post subject: |
 |
|
Yes, XMM6 is good because code above it sets it to 0.
That means you can simply set it to 0 when you're done using it.
You only really need to revert it to the original value is later instructions are trying to use it.
Otherwise, it would be safe to change the value and leave it.
60 kilometers per hour = 16.6667 meters per second.
So the value is stored as meters per second.
|
|
| Back to top |
|
|
gir489
Grandmaster Cheater
![]() Reputation: 14
Joined: 03 Jan 2012
Posts: 835
Location: Maryland, United States
|
| Posted: Thu Sep 10, 2015 5:55 pm Post subject: |
|
|
| You're moving a 4 byte value (4184CCCD) in to RAX, The assembler is optimizing it out. You're only setting the lower 32-bits anyway.
|
|
| Back to top |
|
|
Zaladine
Expert Cheater
Reputation: 3
Joined: 14 Oct 2012
Posts: 130
Location: Djokdja, Indonesia
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
