Cheat Engine Forum
Crashing using compare command ASM (cmp [rbp+rcx])

embas10
How do I cheat?
Reputation: 0

Joined: 26 Nov 2024
Posts: 4

Posted: Thu Nov 28, 2024 12:16 pm    Post subject: Crashing using compare command ASM (cmp [rbp+rcx])

So recently I'm trying to split between team 1 & team 2 for the damage multiplier using scan commonalities. I ended up with only 2 registers, RSP and Base Address (probably because I'm using an emulator). Scanning the RSP got nothing, so I use the Base Address instead. According to the instruction that I'm debugging, I believe the Base Address must be [rbp+rcx], and after scanning I found the differences between them.

I separate them with a cmp command, and here is how it looks:
Code:

[ENABLE]
aobScanRegion(INJECT_Damage, 7FF000000000, 7FFFFFFFFFFFFFFF, 29 FE 48 63 F6 89 D9 83 C1 20 89 74 0D 00 90 48 89 35)
alloc(newmem,$1000,INJECT_Damage)
label(code)
label(return)
label(team2)

alloc(Team1DamageMultiplier,10,INJECT_Damage)
Team1DamageMultiplier:
  dd (float)1

alloc(Team2DamageMultiplier,10,INJECT_Damage)
Team2DamageMultiplier:
  dd (float)1

newmem:
  cmp [rbp+rcx+4AC],1
  jne team2
  cvtsi2ss xmm7,edi
  mulss xmm7,[Team1DamageMultiplier]
  cvttss2si edi,xmm7
  jmp code

team2:
  cvtsi2ss xmm7,edi
  mulss xmm7,[Team2DamageMultiplier]
  cvttss2si edi,xmm7

code:
  sub esi,edi
  movsxd  rsi,esi
  jmp return

INJECT_Damage:
  jmp newmem

return:
registersymbol(Team1DamageMultiplier)
registersymbol(Team2DamageMultiplier)
registersymbol(INJECT_Damage)

[DISABLE]
INJECT_Damage:
  db 29 FE 48 63 F6 89 D9 83 C1 20 89 74 0D 00 90 48 89 35

unregistersymbol(*)
dealloc(*)


And it crashed the game right when anyone was about to hit someone. I couldn't think of any solution, so I ended up adding dword ptr and qword ptr to the cmp command, but it didn't work.
And here is how the memory viewer looks around the subtraction and the writing of the health value.

Code:

7FF659BC97E6 - 48 98                 - cdqe
7FF659BC97E8 - 48 89 05 31A6E6BB     - mov [pcsx2-qt.exe+2C83E20],rax
7FF659BC97EF - 48 63 D2              - movsxd  rdx,edx
7FF659BC97F2 - 48 89 15 17A6E6BB     - mov [pcsx2-qt.exe+2C83E10],rdx
7FF659BC97F9 - 29 FE                 - sub esi,edi //Script start and replace here
7FF659BC97FB - 48 63 F6              - movsxd  rsi,esi //And replace here
7FF659BC97FE - 89 D9                 - mov ecx,ebx
7FF659BC9800 - 83 C1 20              - add ecx,20
7FF659BC9803 - 89 74 0D 00           - mov [rbp+rcx+00],esi //Instruction to write the health value
7FF659BC9807 - 90                    - nop
7FF659BC9808 - 48 89 35 31A4E6BB     - mov [pcsx2-qt.exe+2C83C40],rsi
ParkourPenguin
I post too much
Reputation: 147

Joined: 06 Jul 2014
Posts: 4548

Posted: Thu Nov 28, 2024 12:57 pm    Post subject:

Hard to say why it crashes. Maybe `[rbp+rcx+4AC]` accesses unmapped memory. Maybe xmm7 held an important value you didn't back up. Maybe there was a branch into the middle of the injection point (i.e. something jumps to `movsxd rsi,esi`).

I'd set a breakpoint at the jump to the code injection and step through it to see what happens. Enable the script, go to INJECT_Damage in the disassembler, set a breakpoint on the `jmp`, attack something, "step into" until you get through your code or something bad happens. You can suspend the game using the pause button in the "Advanced Options" window (bottom left main window) if something could cause your code injection to run between enabling the script and setting the breakpoint.
If that doesn't yield anything interesting, try enabling Memory Viewer -> Debug -> Break on unexpected exceptions -> Always. The debugger might need to be attached first (try to set a breakpoint anywhere).

embas10 wrote:
According to the instruction that I'm debugging, I believe the Base Address must be [rbp+rcx]...
If it's an emulator, one of rbp or rcx is probably the base of the entire emulated memory space and the other is the offset into that memory space (i.e. an address in the emulated architecture). It's hard to determine the base address of whatever structure that value is in. You could try a lower base address (e.g. rbp+rcx-100) and see what happens.

embas10 wrote:
Code:
alloc(Team1DamageMultiplier,10,INJECT_Damage)
If you're storing a float, allocate 4 bytes of memory.
Allocating weird amounts of memory could lead to unaligned memory accesses. This isn't really a problem most of the time on x86 / x86-64 architectures, but you shouldn't do that regardless.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
embas10
How do I cheat?
Reputation: 0

Joined: 26 Nov 2024
Posts: 4

Posted: Fri Nov 29, 2024 4:31 am    Post subject:

ParkourPenguin wrote:
I'd set a breakpoint at the jump to the code injection and step through it to see what happens. Enable the script, go to INJECT_Damage in the disassembler, set a breakpoint on the `jmp`, attack something, "step into" until you get through your code or something bad happens. You can suspend the game using the pause button in the "Advanced Options" window (bottom left main window) if something could cause your code injection to run between enabling the script and setting the breakpoint.

Ok, this breakpoint thing is kinda new to me, so I set a breakpoint on INJECT_Damage, attacked another player and the game froze/suspended. Back in the CE disassembler, I chose "step into" and it led me to the "cmp" command that I wrote in "newmem"
Code:
7FF7FFFF0000 - 83 BC 29 AC040000 01  - cmp dword ptr [rcx+rbp+000004AC],01
And after "step into" again, it crashed the game.

So I tried another one without "cmp", and the script just runs fine. While breakpointing, every "step into" from "jmp newmem" to the end of my script code went well. And when I choose "step out" the game unfreezes from the breakpointed state.


ParkourPenguin wrote:
Hard to say why it crashes. Maybe `[rbp+rcx+4AC]` accesses unmapped memory. Maybe xmm7 held an important value you didn't back up. Maybe there was a branch into the middle of the injection point (i.e. something jumps to `movsxd rsi,esi`).

I'm not quite sure about your first and third statements. And well, the script runs fine with xmm7 (if I don't use the cmp command), but to make sure I've also tried xmm8/9 and got the same results as with xmm7.


ParkourPenguin wrote:
If it's an emulator, one of rbp or rcx is probably the base of the entire emulated memory space and the other is the offset into that memory space (i.e. an address in the emulated architecture). It's hard to determine the base address of whatever structure that value is in. You could try a lower base address (e.g. rbp+rcx-100) and see what happens.

You're right, rbp is holding the base address of the entire emulated thing. And rcx is the offset to every player's stats. And rbp & rcx always change every time the emulator is restarted.


ParkourPenguin wrote:
Code:
alloc(Team1DamageMultiplier,10,INJECT_Damage)
If you're storing a float, allocate 4 bytes of memory.
Allocating weird amounts of memory could lead to unaligned memory accesses. This isn't really a problem most of the time on x86 / x86-64 architectures, but you shouldn't do that regardless.

This is new to me, thanks for reminding me.

Update:
Ok, so I just solved it right now, here's the conclusion. While debugging the sub command with a breakpoint, I figured out that rcx was different from the one in the write instruction. Here's how it looks:
Code:

7FF659BC97F9 - 29 FE                 - sub esi,edi //(RCX:5)(RBX:70C300)
7FF659BC97FB - 48 63 F6              - movsxd  rsi,esi //(RCX:5)(RBX:70C300)
7FF659BC97FE - 89 D9                 - mov ecx,ebx //(RCX:5)(RBX:70C300)
7FF659BC9800 - 83 C1 20              - add ecx,20 //(RCX:70C300)(RBX:70C300)
7FF659BC9803 - 89 74 0D 00           - mov [rbp+rcx+00],esi //(RCX:70C320)(RBX:70C300)

So instead of [rbp+rcx+4AC], I replaced it with [rbp+rbx+4CC], and it works really well. This breakpoint stuff is new to me and seems useful for finding out corresponding values, tysm ParkourPenguin.
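The register trace embas10 worked out by hand above (ecx is overwritten from ebx and bumped by 20 between the hook and the store, so [rbp+rcx+4AC] at the store is [rbp+rbx+4CC] at the hook) can be done mechanically by walking the definitions backwards. This is an added example, not code from the thread or from Cheat Engine; it assumes CE's disassembly line format as posted, hex immediates, and only the eight legacy GPRs, and follows just `mov reg,reg` and `add/sub reg,imm`, which is all this listing needs.

```python
import re
# Constructed input: the instructions between the hook point and the health
# store, copied from the disassembly posted in the thread (comments dropped).
LISTING = """\
7FF659BC97F9 - 29 FE                 - sub esi,edi
7FF659BC97FB - 48 63 F6              - movsxd  rsi,esi
7FF659BC97FE - 89 D9                 - mov ecx,ebx
7FF659BC9800 - 83 C1 20              - add ecx,20
7FF659BC9803 - 89 74 0D 00           - mov [rbp+rcx+00],esi
"""
LINE_RE = re.compile(r"^[0-9A-F]+ - (?:[0-9A-F]{2} )+\s*- (\w+)\s+(.*?)(?:\s*//.*)?$")
MEM_RE = re.compile(r"\[(\w+)\+(\w+)\+([0-9A-F]+)\]", re.I)
GPRS = ("ax", "bx", "cx", "dx", "si", "di", "bp", "sp")

def is_reg(s):
    return len(s) == 3 and s[0] in "er" and s[1:] in GPRS

def canon(reg):
    """Fold a 32-bit name onto the 64-bit register it aliases (ecx -> rcx)."""
    return "r" + reg[1:] if is_reg(reg) else reg

def parse(listing):
    """[(mnemonic, [operands])] for each CE disassembly line, comments ignored."""
    rows = (LINE_RE.match(ln.strip()) for ln in listing.splitlines())
    return [(m.group(1).lower(), [o.strip() for o in m.group(2).split(",")]) for m in rows if m]

def operand_at_hook(listing, extra_disp=0):
    """Rewrite the last instruction's [base+index+disp] (plus extra_disp) in terms
    of the register values at the first instruction, walking the defs backwards.
    Any write to a tracked register that is not mov reg,reg or add/sub reg,imm raises."""
    insns = parse(listing)
    base, index, disp = MEM_RE.search(insns[-1][1][0]).groups()
    regs = {"base": canon(base), "index": canon(index)}
    total = int(disp, 16) + extra_disp
    for mnem, ops in reversed(insns[:-1]):
        if len(ops) < 2 or not is_reg(ops[0]):
            continue                                  # no GPR is redefined here
        dst, src = canon(ops[0]), ops[1]
        for role in [r for r, v in regs.items() if v == dst]:
            if mnem == "mov" and is_reg(src):
                regs[role] = canon(src)               # value came from another register
            elif mnem in ("add", "sub") and not is_reg(src):
                total += int(src, 16) * (1 if mnem == "add" else -1)   # CE immediates are hex
            else:
                raise ValueError(f"cannot trace {dst} through '{mnem} {','.join(ops)}'")
    return regs["base"], regs["index"], total

def format_operand(base, index, disp):
    return f"[{base}+{index}+{disp:X}]"
```

`format_operand(*operand_at_hook(LISTING, 0x4AC))` gives `[rbp+rbx+4CC]`, the operand embas10 ended up with; a listing where the index register is loaded from memory instead makes `operand_at_hook` raise rather than guess.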