Cheat Engine Forum

[ASM] How to check if a pointer or address is valid?

 
Dr.Disrespect (Grandmaster Cheater)
Posted: Tue Nov 28, 2017 11:15 am    Post subject: [ASM] How to check if a pointer or address is valid?

I have read this post from DB: http://forum.cheatengine.org/viewtopic.php?t=511049

But it seems it doesn't work. EAX always returns 00, so the condition is always met even when the address is "?? ?? ??", which means it's not valid.

Is it because the game is 64-bit? I don't know what the problem is.

Thanks in advance.

BTW, I have to use "pushfq" instead of "pushfd", and "pushad" cannot be used because of the AMD cpu or 64-bit (I assume).

Here is what my code looks like:
Code:

pushfq
push rax
push rcx
push r8
push r9
push 4  //size in bytes of pointer
xor rax,rax
lea eax,[rbx+0c]
push eax
call isbadreadptr
cmp eax,0   <-----------------eax is always 0 even when the address is clearly invalid: "?? ?? ?? ??"
jne originalcode //invalid memory

_________________
**************

A simple example is better than ten links.
Hatschi (Master Cheater)
Posted: Tue Nov 28, 2017 1:15 pm

Code:
lea eax,[rbx+0c]
push eax


Do you know 100% for sure that what's stored inside [rbx+0C] does not exceed the 32-bit range? Because even if there is a 0.1% chance it does, you have to use rax; otherwise what's stored inside rbx+0C gets cut off.

Code:
lea rax,[rbx+C]


//edit: Also, pushing the size of the pointer needs to be fixed then. I think you cannot copy & paste Dark Byte's script, as his script is for a 32-bit target but yours is obviously 64-bit.
ParkourPenguin (I post too much)
Posted: Tue Nov 28, 2017 1:26 pm

That's not how calling conventions work in x64.
Code:
globalalloc(foo,4096)
createthread(foo)

foo:
  push rbp
  mov rbp,rsp
  and spl,F0   // align stack on 16-byte boundary
  sub rsp,20   // give stack space for callees

  lea rcx,[foo+100]  // rcx = 1st parameter
  mov edx,4          // rdx = 2nd parameter
  call isBadReadPtr
  mov [foo+800],eax  // [foo+800] is 0

  xor rcx,rcx
  mov edx,4
  call isBadReadPtr
  mov [foo+804],eax  // [foo+804] is nonzero

  mov rsp,rbp
  pop rbp
  ret

See this MSDN page for more information.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Dr.Disrespect (Grandmaster Cheater)
Posted: Tue Nov 28, 2017 2:04 pm

ParkourPenguin wrote:
That's not how calling conventions work in x64.
Code:
globalalloc(foo,4096)
createthread(foo)

foo:
  push rbp
  mov rbp,rsp
  and spl,F0   // align stack on 16-byte boundary
  sub rsp,20   // give stack space for callees

  lea rcx,[foo+100]  // rcx = 1st parameter
  mov edx,4          // rdx = 2nd parameter
  call isBadReadPtr
  mov [foo+800],eax  // [foo+800] is 0

  xor rcx,rcx
  mov edx,4
  call isBadReadPtr
  mov [foo+804],eax  // [foo+804] is nonzero

  mov rsp,rbp
  pop rbp
  ret

See this MSDN page for more information.


@Hatschi
Thanks for the reply.
Yes, I'm sure the value in [rbx+0C] does not exceed 32 bit, even if it does, I only need the 32-bit of it.

@Penguin
Thanks for the help. But I don't quite understand your example. Especially this:
Code:
and spl,F0

and:
1. does [foo+804] have the result of the check?
2. why clear the value in rcx before moving 4 to edx? Are you just trying to show different results from two different 1st parameters?
3. why move 4 to edx before the routine call? and why use rcx? Are these mandatory?

I will try to read what's in the link you provided.

OldCheatEngineUser (Whateven rank)
Posted: Tue Nov 28, 2017 2:30 pm

Dr.Disrespect wrote:
Especially this:
Code:
and spl,F0


bpl, spl, dil, and sil are available in 64-bit mode using the REX opcode prefix; simply put, {and - spl (F0)} means bitwise-AND the lower 8 bits of the SP register with the value "F0".

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Dr.Disrespect (Grandmaster Cheater)
Posted: Tue Nov 28, 2017 5:33 pm

OldCheatEngineUser wrote:
Dr.Disrespect wrote:
Especially this:
Code:
and spl,F0


bpl, spl, dil, and sil are available in 64-bit mode using the REX opcode prefix; simply put, {and - spl (F0)} means bitwise-AND the lower 8 bits of the SP register with the value "F0".


Thanks for the explanation.

ParkourPenguin (I post too much)
Posted: Tue Nov 28, 2017 7:42 pm

Dr.Disrespect wrote:
Thanks for the help. But I don't quite understand your example. Especially this:
Code:
and spl,F0

and:
1. does [foo+804] have the result of the check?
2. why clear the value in rcx before moving 4 to edx? Are you just trying to show different results from two different 1st parameters?
3. why move 4 to edx before the routine call? Is it mandatory?

The and instruction performs a bitwise-AND operation on the source and destination operands and stores the result in the destination operand. In this case, the destination operand is spl (the least significant byte of rsp) and the source is 0xF0. So, that instruction sets the lower nibble of rsp to 0, which effectively reduces the value of rsp until it is aligned on a 16-byte boundary.

If you already know the stack is aligned, you don't need to do this.

Other questions:
  1. Yes. Functions return values in rax, and that code is moving the result into [foo+800] and [foo+804].
  2. There are two separate calls to isBadReadPtr in that example. The first one passes an address that is readable (foo+100) while the second one passes an address that is not (0).
  3. rcx and rdx are parameters. Look at the documentation of the isBadReadPtr function (link) for information on what those parameters are.

Dr.Disrespect (Grandmaster Cheater)
Posted: Sun Dec 03, 2017 11:42 am

Oops, I totally forgot about this post.

Thanks for the detailed explanations, Penguin.
