The Official Site of Cheat Engine
[6.3+ bug] Extra nop padding after jmp in x64 target

Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Thu Jan 23, 2014 12:47 pm    Post subject: [6.3+ bug] Extra nop padding after jmp in x64 target

In a 64-bit target CE adds extra nops after a jmp AOBRelativeLabel even if the target is close enough for a 32-bit jump.

Memory before modification:
Code:
bf4.exe+1B7A20 - 48 89 05 81DEEC01     - mov [bf4.exe+20858A8],rax
bf4.exe+1B7A27 - 80 78 31 00           - cmp byte ptr [rax+31],00
bf4.exe+1B7A2B - 75 79                 - jne bf4.exe+1B7AA6
bf4.exe+1B7A2D - 48 8B 03              - mov rax,[rbx]      <-hack point
bf4.exe+1B7A30 - 48 8B CB              - mov rcx,rbx
bf4.exe+1B7A33 - 44 0F29 4C 24 30      - movaps [rsp+30],xmm9
bf4.exe+1B7A39 - FF 50 08              - call qword ptr [rax+08]
bf4.exe+1B7A3C - 48 8B 03              - mov rax,[rbx]
bf4.exe+1B7A3F - 48 8B CB              - mov rcx,rbx
bf4.exe+1B7A42 - 44 0F28 C8            - movaps xmm9,xmm0

Patch applied:
Code:
[enable]
aobscanmodule(HealthHook_AOB,bf4.exe,44 0F 29 4C 24 30 FF 50 08 48 8B 03)
registersymbol(HealthHook_AOB)
aobscanmodule(CodeCave,bf4.exe,C3 CC 48 8D 05 * * * * 48 89 05 * * * * C3 CC 48 8D 05 * * * * 48 89 05 * * * * C3 CC 48 8D 05 * * * * 48 89 05 * * * * C3 00 00)

label(HealthHook)

HealthHook_AOB-6: //=bf4.exe+1B7A2D
jmp HealthHook    //=target: bf4.exe+17C9542
nop

CodeCave+34:
HealthHook:

[disable]
unregistersymbol(HealthHook_AOB)

HealthHook_AOB-6:
mov rax,qword [rbx]
mov rcx,rbx

Resulting memory:
Code:
bf4.exe+1B7A2B - 75 79                 - jne bf4.exe+1B7AA6
bf4.exe+1B7A2D - E9 101B6101           - jmp bf4.exe+17C9542
bf4.exe+1B7A32 - 90                    - nop
bf4.exe+1B7A33 - 90                    - nop   <-those nops shouldn't be there
bf4.exe+1B7A34 - 90                    - nop
bf4.exe+1B7A35 - 90                    - nop
bf4.exe+1B7A36 - 90                    - nop
bf4.exe+1B7A37 - 90                    - nop
bf4.exe+1B7A38 - 90                    - nop
bf4.exe+1B7A39 - 90                    - nop
bf4.exe+1B7A3A - 90                    - nop
bf4.exe+1B7A3B - 90                    - nop
bf4.exe+1B7A3C - 48 8B 03              - mov rax,[rbx]
bf4.exe+1B7A3F - 48 8B CB              - mov rcx,rbx
bf4.exe+1B7A42 - 44 0F28 C8            - movaps xmm9,xmm0
Seen on a CE between r2270 and r2286.
The problem doesn't happen if I replace jmp HealthHook by jmp bf4.exe+17C9542, so it's probably CE reserving bytes for a jmp [&DestAddr] because it doesn't know where CodeCave* will be.

Workaround:
Code:
HealthHook_AOB-6:
jmp HealthHook
nop

HealthHook_AOB:
db 44 0F 29 4C 24 30 FF 50 08 48 8B 03 //this will overwrite the superfluous nops

*BTW: the codecave scan tool doesn't accept 64-bit addresses. Actually it'd be handy if it could understand symbols too.

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
Dark Byte
Site Admin
Reputation: 471

Joined: 09 May 2003
Posts: 25823
Location: The netherlands

Posted: Thu Jan 23, 2014 1:42 pm

Not really a bug.
At the time jmp HealthHook is assembled, HealthHook has not yet been defined, so it allocates the max possible size and reassembles it when everything else has been assembled.

If you code it like this, you won't have that problem:
Code:
aobscanmodule(HealthHook_AOB,bf4.exe,44 0F 29 4C 24 30 FF 50 08 48 8B 03)
registersymbol(HealthHook_AOB)
aobscanmodule(CodeCave,bf4.exe,C3 CC 48 8D 05 * * * * 48 89 05 * * * * C3 CC 48 8D 05 * * * * 48 89 05 * * * * C3 CC 48 8D 05 * * * * 48 89 05 * * * * C3 00 00)

label(HealthHook)
CodeCave+34: //set the write pointer to CodeCave+34
HealthHook:  //Set HealthHook to the value of the current write pointer (CodeCave+34)

HealthHook_AOB-6: //=bf4.exe+1B7A2D (Set the write pointer to HealthHook_AOB-6)
jmp HealthHook    //=target: bf4.exe+17C9542  (Write jmp HealthHook to the current write pointer and increase it by the assembled size)
nop

Alternatively, jmp CodeCave+34 would have been acceptable as well, as that is also a known location.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
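The two-pass behaviour Dark Byte describes, as an added example in Python that is not Cheat Engine's own code: a toy assembler that understands only label(), "X:" lines, jmp and nop. It assumes the size reserved for a jmp to a not-yet-defined label is 14 bytes (FF 25 [rip+0] plus an 8-byte target), which is what the nine padding nops plus the 5-byte jmp in the reported dump add up to, and it replaces the aobscanmodule results with a constructed symbol table built from the module-relative offsets in the dumps above. The reporter's ordering assembles to the jmp followed by ten nops; Dark Byte's ordering assembles to the 5-byte jmp followed by the single explicit nop.

```python
import re, struct

MAX_JMP, REL_JMP = 14, 5   # FF 25 [rip+0] + dq target / E9 rel32

def encode_jmp(at, target):
    """Encode a jmp at `at` to `target`, using the 5-byte rel32 form if it fits."""
    rel = target - (at + REL_JMP)
    if -2**31 <= rel < 2**31:
        return b"\xe9" + struct.pack("<i", rel)
    return b"\xff\x25\x00\x00\x00\x00" + struct.pack("<Q", target)

def assemble(script, symbols):
    """Two-pass toy of the auto assembler, returning {address: bytes}: pass 1 reserves
    MAX_JMP bytes for a jmp to an undefined label, pass 2 re-encodes and nop-fills it."""
    labels, declared, out, fixups, wp = dict(symbols), set(), {}, [], 0

    def resolve(expr):                     # "Sym", "Sym+34" or "Sym-6" (hex offset)
        m = re.fullmatch(r"(\w+)([+-][0-9A-Fa-f]+)?", expr)
        return labels[m.group(1)] + int(m.group(2) or "0", 16)
    for raw in script.splitlines():
        line = raw.split("//")[0].strip()
        if not line or line.startswith("aobscanmodule("):
            continue                       # scan results come from `symbols`
        if line.startswith("label("):
            declared.add(line[6:-1])
        elif line.endswith(":"):
            name = line[:-1]
            if name in declared and name not in labels:
                labels[name] = wp          # declared label: define it here
            else:
                wp = resolve(name)         # anything else: move the write pointer
        elif line == "nop":
            out[wp], wp = b"\x90", wp + 1
        elif line.startswith("jmp "):
            try:
                code = encode_jmp(wp, resolve(line[4:]))
            except KeyError:               # forward reference: reserve the max size
                fixups.append((wp, line[4:]))
                code = b"\x00" * MAX_JMP
            out[wp], wp = code, wp + len(code)
    for at, target in fixups:              # pass 2: real encoding, rest becomes nops
        code = encode_jmp(at, resolve(target))
        out[at] = code + b"\x90" * (MAX_JMP - len(code))
    return out

# Constructed stand-in for the aobscanmodule results (module-relative offsets from the thread).
SYMBOLS = {"HealthHook_AOB": 0x1B7A33, "CodeCave": 0x17C9542 - 0x34}
REPORTED = "label(HealthHook)\nHealthHook_AOB-6:\njmp HealthHook\nnop\nCodeCave+34:\nHealthHook:"
FIXED = "label(HealthHook)\nCodeCave+34:\nHealthHook:\nHealthHook_AOB-6:\njmp HealthHook\nnop"
```

Calling assemble(REPORTED, SYMBOLS) reproduces the E9 10 1B 61 01 jmp followed by ten 90 bytes from the reporter's dump; assemble(FIXED, SYMBOLS) writes only the jmp and one nop.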
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Thu Jan 23, 2014 2:21 pm

Ah, so the order in which you define the labels DOES matter after all. Ok I'll keep that in mind, thanks for the explanation.
_________________
DO NOT PM me if you want help on making/fixing/using a hack.