pox911 Grandmaster Cheater
Reputation: 28
Joined: 29 Nov 2008 Posts: 918
Posted: Wed Jul 24, 2013 6:46 pm Post subject: Asm only crashing on pointer compare?
This is driving me nuts. I'm probably overlooking something, but I'm having trouble with a compare.
Basically I have my value at X and the compare is at [X+8]+10. What I did was push ecx, store [X+8] in ecx, then compare [ecx+10] to my value.
What's weird is that it causes a crash. I have the pop where it needs to be.
If I have it as "cmp ecx,5" it won't crash, but "cmp [ecx+10],5" causes a crash. Any idea as to what I'm overlooking?
daspamer Grandmaster Cheater Supreme
Reputation: 54
Joined: 13 Sep 2011 Posts: 1588
Posted: Wed Jul 24, 2013 6:55 pm
Sometimes the pointer does not exist?
I faced this issue.
So basically, before touching the pointer, check if it's valid.
Code:
cmp [ecx+10],000000
je PointerNotExist
I'm rusty and getting older, help me re-learn lua.
pox911 Grandmaster Cheater
Reputation: 28
Joined: 29 Nov 2008 Posts: 918
Posted: Wed Jul 24, 2013 6:59 pm
Still crashes.
Edit: This is the asm I have for what doesn't crash.
Code:
AmmoMem:
push ecx
mov ecx,[esi+8]
mov [ADat],ecx
cmp ecx,5
jne Fail
pop ecx
mov [esi],ecx
mov edx,[eax+04]
jmp AmmoReturn
Fail:
pop ecx
mov [esi],ecx
mov edx,[eax+04]
jmp AmmoReturn
ADat:
dd 0 // storage for the saved pointer (the label had no data after it)
The second I change that ecx to [ecx], it causes the crash.
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed Jul 24, 2013 7:09 pm
Same line of thought as DaSpamer, just handles more cases than just null pointers.
Code:
pushad
mov ecx,dword [esi+8]
lea ecx,[ecx+10]
push ecx //ecx will be overwritten by IsBadReadPtr
push 4 //size of the block to check, in bytes
push ecx //pointer to check
call IsBadReadPtr
pop ecx //restore saved ecx
test eax,eax
jne BadPointer
//if you reach here, then your crash is NOT caused by reading stuff at the wrong address
cmp dword [ecx],5
//.....
BadPointer:
popad
mov [esi],ecx
mov edx,[eax+04]
jmp AmmoReturn
DO NOT PM me if you want help on making/fixing/using a hack.
pox911 Grandmaster Cheater
Reputation: 28
Joined: 29 Nov 2008 Posts: 918
Posted: Wed Jul 24, 2013 7:38 pm
Unless I did something wrong, it still crashed the game.
I'm still learning assembly, so I still don't understand the lea command and how test compares to the cmp command.
Edit: As a cheap workaround I currently have an AOB for where the pointer points to, and if the address matches up it will do its jump.
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed Jul 24, 2013 7:48 pm
Does my script still crash if you comment out the cmp dword [ecx],5?
As for lea and test:
lea ecx,[ecx+10] is like add ecx,10 or ecx=ecx+10.
test eax,eax is like cmp eax,0, except that I don't think ja/jb/jl/jg will work after a test. Compilers (almost?) always use test eax,eax to see if eax is 0.
DO NOT PM me if you want help on making/fixing/using a hack.
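Gniarf's point about test versus cmp can be settled by working through the flag rules. The following is an added C example, not code from the thread: it models how cmp and test set ZF, SF, CF and OF according to the documented x86 rules and evaluates the usual conditional jumps after each; the sample eax values are constructed for the example. It shows that cmp eax,0 and test eax,eax leave identical flags (subtracting 0 can neither borrow nor overflow, and test clears CF and OF), so every Jcc, ja/jb/jl/jg included, decides the same way after either. The substitution only breaks for a non-zero immediate such as the cmp [ecx+10],5 from the question.

```c
/* Added example, not from the thread: a pure-C model of the EFLAGS results
 * of "cmp a,b" and "test a,b" and of the common Jcc conditions. No real CPU
 * flags are read; the rules are the documented x86 ones. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { bool zf, sf, cf, of; } flags_t;

/* cmp a,b: flags of the subtraction a - b, result discarded */
static flags_t x86_cmp(uint32_t a, uint32_t b)
{
    uint32_t r = a - b;                     /* wraps modulo 2^32 like the CPU */
    flags_t f;
    f.zf = (r == 0);
    f.sf = (r >> 31) & 1;
    f.cf = (a < b);                         /* unsigned borrow */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1; /* signed overflow of a - b */
    return f;
}

/* test a,b: flags of a & b; CF and OF are always cleared */
static flags_t x86_test(uint32_t a, uint32_t b)
{
    uint32_t r = a & b;
    flags_t f;
    f.zf = (r == 0);
    f.sf = (r >> 31) & 1;
    f.cf = false;
    f.of = false;
    return f;
}

/* Jcc conditions as the architecture defines them */
static bool je (flags_t f) { return f.zf; }
static bool jne(flags_t f) { return !f.zf; }
static bool jb (flags_t f) { return f.cf; }
static bool ja (flags_t f) { return !f.cf && !f.zf; }
static bool jl (flags_t f) { return f.sf != f.of; }
static bool jg (flags_t f) { return !f.zf && f.sf == f.of; }

/* true if every listed jump decides the same way after "cmp eax,imm"
 * as after "test eax,eax" for this value of eax */
static bool same_jumps(uint32_t eax, uint32_t imm)
{
    flags_t c = x86_cmp(eax, imm), t = x86_test(eax, eax);
    return je(c) == je(t) && jne(c) == jne(t) && jb(c) == jb(t)
        && ja(c) == ja(t) && jl(c) == jl(t) && jg(c) == jg(t);
}

int main(void)
{
    /* constructed sample values covering zero, small, and both sign extremes */
    uint32_t samples[] = { 0, 1, 5, 0x7fffffffu, 0x80000000u, 0xffffffffu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("eax=%08x  cmp eax,0 vs test eax,eax: %-9s  cmp eax,5 vs test eax,eax: %s\n",
               samples[i],
               same_jumps(samples[i], 0) ? "identical" : "differ",
               same_jumps(samples[i], 5) ? "identical" : "differ");
    return 0;
}
```

Running it prints "identical" in the first column for every sample and "differ" for most in the second, which is the practical rule: test reg,reg is a drop-in for cmp reg,0 under any jump, but a compare against 5 still needs cmp.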
pox911 Grandmaster Cheater
Reputation: 28
Joined: 29 Nov 2008 Posts: 918
Posted: Thu Jul 25, 2013 10:24 am
I could have just messed up the script after the compare.
I'm trying to understand the call IsBadReadPtr better. I think I understand the pushad, since I have to use the same thing when using the function for button presses. I'm guessing the push 4 is the length and one of the push ecx is to tell the function what value to check?
mgr.inz.Player I post too much
Reputation: 222
Joined: 07 Nov 2008 Posts: 4438 Location: In the country on the Vistula. UTC+01:00
Posted: Thu Jul 25, 2013 12:33 pm
Code:
push size // the size of the memory block, in bytes
push pointer // a pointer to the first byte of the memory block
call isbadreadptr
The result is in EAX.
If EAX == 0, the process has read access to all bytes in the specified memory range.
Try this:
Code:
(...)
AmmoMem:
pushad
lea eax,[esi+8]
push 00000004
push eax
call isbadreadptr // can the 4 bytes at [esi+8] be read?
test eax,eax
jnz originalcode
mov ebx,[esi+8]
lea eax,[ebx+10]
push 00000004
push eax
call isbadreadptr // can the 4 bytes at [ebx+10] be read?
test eax,eax
jnz originalcode
cmp [ebx+10],05
jne originalcode
// found it
// do whatever you want
originalcode:
popad
// and your original code here
(...)
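The later question of why the script calls isbadreadptr twice comes down to the two separate dereferences: the first call checks that the slot [esi+8] itself can be read, the second checks the address stored in that slot, about which the first check says nothing (it may be null, as DaSpamer suggested, or any other unmapped address). Below is an added C example, not code from the thread, that models that two-level walk over a small constructed "process memory". is_bad_read_ptr() is a stand-in for the Win32 IsBadReadPtr with the same return convention (0 when the whole range is readable); the region bases, object layout and values are made up for the example.

```c
/* Added example, not from the thread: a C model of the two-level pointer walk
 * [esi+8] -> [ecx+10] with a readability check before each dereference, in the
 * shape of mgr.inz.Player's script. The "process memory" is constructed for the
 * example; is_bad_read_ptr() stands in for Win32 IsBadReadPtr and keeps its
 * convention of returning 0 when the whole range is readable. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define REGION_SIZE 0x40u

/* One mapped region: a start address plus a backing buffer */
typedef struct { uint32_t base; uint8_t bytes[REGION_SIZE]; } region_t;
typedef struct { region_t r[2]; } memory_t;

/* Region holding a whole 4-byte access at addr, or NULL if unmapped */
static region_t *locate(memory_t *m, uint32_t addr)
{
    for (size_t i = 0; i < sizeof m->r / sizeof m->r[0]; i++) {
        uint32_t off = addr - m->r[i].base;        /* wraps when addr < base */
        if (addr >= m->r[i].base && off <= REGION_SIZE - 4)
            return &m->r[i];
    }
    return NULL;
}

/* 0 if every byte of [addr, addr+size) is mapped, nonzero otherwise
 * (same polarity as IsBadReadPtr) */
static int is_bad_read_ptr(memory_t *m, uint32_t addr, uint32_t size)
{
    for (size_t i = 0; i < sizeof m->r / sizeof m->r[0]; i++) {
        uint32_t lo = m->r[i].base, hi = lo + REGION_SIZE;
        if (addr >= lo && addr < hi && size <= hi - addr)
            return 0;
    }
    return 1;
}

static uint32_t read32(memory_t *m, uint32_t addr)
{
    uint32_t v = 0;
    region_t *reg = locate(m, addr);
    if (reg) memcpy(&v, &reg->bytes[addr - reg->base], 4);
    return v;
}

static void write32(memory_t *m, uint32_t addr, uint32_t v)
{
    region_t *reg = locate(m, addr);
    if (reg) memcpy(&reg->bytes[addr - reg->base], &v, 4);
}

enum result { MATCH, NO_MATCH, BAD_LEVEL1, BAD_LEVEL2 };

/* Hook body: validate [esi+8], load it into "ecx", validate [ecx+10], then
 * compare with 5. Both levels are checked because a readable first slot can
 * still hold null or an unmapped address; one check cannot cover both. */
static enum result ammo_check(memory_t *m, uint32_t esi)
{
    if (is_bad_read_ptr(m, esi + 8, 4))    return BAD_LEVEL1;
    uint32_t ecx = read32(m, esi + 8);
    if (is_bad_read_ptr(m, ecx + 0x10, 4)) return BAD_LEVEL2;
    return read32(m, ecx + 0x10) == 5 ? MATCH : NO_MATCH;
}

/* Constructed sample memory: game objects at 0x00400000, ammo structures at
 * 0x00500000. All addresses and values are made up for the example. */
static memory_t build_sample_memory(void)
{
    memory_t m;
    memset(&m, 0, sizeof m);
    m.r[0].base = 0x00400000;
    m.r[1].base = 0x00500000;
    write32(&m, 0x00500010, 5);           /* ammo struct A: 5 at +10  */
    write32(&m, 0x00500030, 7);           /* ammo struct B: 7 at +10  */
    write32(&m, 0x00400008, 0x00500000);  /* object 0 -> struct A     */
    write32(&m, 0x00400018, 0x00500020);  /* object 1 -> struct B     */
    write32(&m, 0x00400028, 0x00000000);  /* object 2 -> null pointer */
    write32(&m, 0x00400038, 0xDEADBEEF);  /* object 3 -> unmapped     */
    return m;
}

/* Run the hook against the sample memory for a given "esi" */
static enum result sample_check(uint32_t esi)
{
    memory_t m = build_sample_memory();
    return ammo_check(&m, esi);
}

int main(void)
{
    static const char *names[] = { "MATCH", "NO_MATCH", "BAD_LEVEL1", "BAD_LEVEL2" };
    /* object 4 sits so close to the end of its region that [esi+8] is unmapped */
    uint32_t objects[] = { 0x00400000, 0x00400010, 0x00400020, 0x00400030, 0x0040003c };
    for (size_t i = 0; i < sizeof objects / sizeof objects[0]; i++)
        printf("esi=%08x -> %s\n", objects[i], names[sample_check(objects[i])]);
    return 0;
}
```

Objects 2 and 3 pass the first check and fail the second, which is exactly the case a single check misses. One caveat for the real function: IsBadReadPtr actually touches the pages, so it can trip guard pages and only reports a snapshot (another thread may unmap the memory right after the check), which is why Microsoft documents it as obsolete. In a game hook it is usually good enough, but it is not a guarantee.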
pox911 Grandmaster Cheater
Reputation: 28
Joined: 29 Nov 2008 Posts: 918
Posted: Mon Jul 29, 2013 7:22 pm
I still don't fully understand.
I think I understand the lea now, but why are you running it twice? It works when done that way but failed if only seen once. Why is that?
Edit: This value affects a lot (health, ammo, the works). If I'm comparing 2 values before a jump, what is the best way to do that?
Currently it's just a jne to the next compare; if it passes then it checks the next one, and if that fails it goes to the default code.
mgr.inz.Player I post too much
Reputation: 222
Joined: 07 Nov 2008 Posts: 4438 Location: In the country on the Vistula. UTC+01:00
Posted: Tue Jul 30, 2013 2:53 am
pox911 wrote:
    but why are you running it twice?
If you post a screenshot of Memory Viewer (or highlight the code surrounding your hackpoint with SHIFT held down and press ctrl+c, that is, copy the disassembled output as text and paste it here), I can make a more accurate AA script.