Cheat Engine Forum -> General Gamehacking

Need help with movups hack

Trisolaris
Newbie cheater
Reputation: 0

Joined: 10 Mar 2019
Posts: 20

Posted: Tue Dec 03, 2024 4:39 pm    Post subject: Need help with movups hack

Hi,
I am working on following instruction: movups [rcx+00003C68],xmm0
I want to replace the transferred value with 4.0.
As proof of concept, I did the following:
- confirmed that the instruction writes only to one address
- NOPed the instruction, displayed the target address as DF address, and overwrote it with 4.0 (00 00 00 00 00 00 10 40 is shown in byte). This produced the desired effect.

Now I'd like to inject an auto assemble script so that the instruction writes a 4.0 every time it is executed.

Here's what I have so far. This script crashes the app :(
Can any of you cheat engineers help me out?

Code:
[ENABLE]
aobscanmodule(MyFA,MyGame.exe,0F 11 81 68 3C 00 00) // Unique signature of the instruction
alloc(newmem,$1000,"MyGame.exe"+38EBC3) // Allocate memory for our custom code

label(myValue)
label(return)
registersymbol(MyFA)

newmem:
  // Load the value 4.0 into xmm0
  movsd xmm0, [myValue]         // Load 4.0 (double) into xmm0

  // Execute the original instruction (move xmm0 to [rcx+00003C68])
  movups [rcx+00003C68], xmm0   // Write the value in xmm0 to the target address

  jmp return                    // Jump to return (skip original code)

myValue:
  dq 4.0                        // Define the double-precision value 4.0 (00 00 00 00 00 00 10 40)

MyFA:
  jmp newmem                    // Redirect execution to our custom code
  nop                           // Padding for alignment
return:

[DISABLE]
MyFA:
  db 0F 11 81 68 3C 00 00       // Restore the original instruction
unregistersymbol(MyFA)
dealloc(newmem)
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4695

Posted: Tue Dec 03, 2024 5:36 pm

`movups` - move unaligned packed singles

This moves 4 floats at a time. Which of the four is the one you want to modify?
Check the "more info" window of "find out what instructions access / write to this address". In particular the value of `rcx` and the address you're watching.

Also, is the value a float or a double?

Trisolaris
Newbie cheater
Reputation: 0

Joined: 10 Mar 2019
Posts: 20

Posted: Wed Dec 04, 2024 4:12 am

ParkourPenguin wrote:
`movups` - move unaligned packed singles

This moves 4 floats at a time. Which of the four is the one you want to modify?
Check the "more info" window of "find out what instructions access / write to this address". In particular the value of `rcx` and the address you're watching.

Also, is the value a float or a double?


Thanks for pointing that out. The xmm0 floats look like this: 0.00 _ -1.48 _ 36893488147419103000.00 _ -1.08.

I get the desired results when I NOP the instruction and overwrite the second value with 2.2.

So I'm looking for an assembly script that only changes the second value, while leaving the other values as they are (the first one is variable, the other 2 seem static).
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4695

Posted: Wed Dec 04, 2024 12:49 pm

The simplest thing to do would be to let the packed write happen then overwrite the second value in memory afterwards.
Code:
...
newmem:
  movups [rcx+00003C68], xmm0
  mov [rcx+00003C6C],(float)2.2
  jmp return
...

To overwrite the second value in the xmm register:
Code:
...
newmem:
  insertps xmm0,[myValue],10
  movups [rcx+00003C68], xmm0
  jmp return

myValue:
  dd (float)2.2
...
`insertps` was introduced in SSE4.1. If that isn't available for whatever reason, you could do some magic with `shufps`, but you're better off just doing the simpler version above.
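Added example (Python, not code from the thread or from Cheat Engine) that models the lane layout both replies rely on: a movups store writes four 4-byte singles, so the second float sits at +4 (0x3C6C), and insertps with immediate 10 (hex in the CE assembler, so 0x10) replaces lane 1 only. The rcx value and the memory image are constructed assumptions.

```python
import struct

# Constructed sample state (not from the thread): an rcx value and a fake memory image.
RCX = 0x1000
OFFSET = 0x3C68  # the [rcx+00003C68] operand from the thread
# The four single-precision lanes Trisolaris reported in xmm0, lane 0 first.
XMM0 = struct.pack("<4f", 0.0, -1.48, 36893488147419103000.0, -1.08)

def lanes(b):
    """Decode 16 bytes as the four packed-single lanes."""
    return list(struct.unpack("<4f", b))

def f32(x):
    """Round to single precision, i.e. what (float)2.2 actually stores."""
    return struct.unpack("<f", struct.pack("<f", x))[0]

def movups_store(mem, addr, xmm):
    """movups [addr], xmm: all 16 bytes go to memory, no alignment required."""
    mem[addr:addr + 16] = xmm

def insertps_m32(xmm, m32, imm8):
    """insertps xmm, m32, imm8: with a memory source the source index is 0;
    imm8[5:4] picks the destination lane, imm8[3:0] zeroes lanes (0 here)."""
    count_d, zmask = (imm8 >> 4) & 3, imm8 & 0xF
    out = [xmm[i * 4:i * 4 + 4] for i in range(4)]
    out[count_d] = m32
    return b"".join(bytes(4) if (zmask >> i) & 1 else out[i] for i in range(4))

def variant_store_then_patch():
    """Packed write first, then mov [rcx+00003C6C],(float)2.2 fixes lane 1."""
    mem = bytearray(0x6000)
    movups_store(mem, RCX + OFFSET, XMM0)
    mem[RCX + OFFSET + 4:RCX + OFFSET + 8] = struct.pack("<f", 2.2)
    return lanes(mem[RCX + OFFSET:RCX + OFFSET + 16])

def variant_insertps():
    """insertps xmm0,[myValue],10 edits lane 1 in the register, then movups."""
    mem = bytearray(0x6000)
    movups_store(mem, RCX + OFFSET, insertps_m32(XMM0, struct.pack("<f", 2.2), 0x10))
    return lanes(mem[RCX + OFFSET:RCX + OFFSET + 16])

def double_write_as_lanes():
    """The 8 bytes 00 00 00 00 00 00 10 40 (double 4.0) read back as singles."""
    mem = bytearray(0x6000)
    movups_store(mem, RCX + OFFSET, XMM0)
    mem[RCX + OFFSET:RCX + OFFSET + 8] = struct.pack("<d", 4.0)
    return lanes(mem[RCX + OFFSET:RCX + OFFSET + 16])
```

Both variants leave lanes 0, 2 and 3 untouched and produce identical memory; double_write_as_lanes shows that an 8-byte double written at the same address covers lanes 0 and 1 of the packed singles.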