wazlord Expert Cheater
Reputation: 4
Joined: 17 Sep 2012 Posts: 208
Posted: Wed May 06, 2015 9:10 am Post subject: Write to location 00004080 caused an access violation.
Hi,
I am not able to locate why the code would cause the game to crash when I press the hotkey that I set to change the EnVar to 1.
It seems that when I try to write a 1 to any of the declared EnVars the game crashes out.
It was working fine but suddenly started crashing the game...
Could anyone help me with what I am doing wrong?
PS: It doesn't crash when enabling the script.
It only crashes when I go and enable any of the EnVariables...
Thanks
Code:
[ENABLE]
aobscan(getDust,48 8B C1 F3 0F 10 40 38 F3 0F 5A C0 F2 0F 5A C0 48 83 C4 08)
alloc(newmemD,$2048,getDust)
label(getDustR)
label(getBoostC)
label(_getEnCheck)
label(_getBoost)
label(_getBoostR)
label(EnBoost)
newmemD:
_getEnCheck: //check if any cheat EnVar is 1b
cmp byte ptr [EnBoost],1
je _getBoost
_getBoostR:
movss xmm0,[rax+38]
jmp getDustR
_getBoost:
cmp dword ptr [r8+434],(float)1 //434 //compare if the value is float 1
jne getBoostC
cmp byte ptr [r8+B00],1 //B00 //compare if the value is 1
jne getBoostC
getBoostC:
jmp _getBoostR
EnBoost:
dw 0
getDust+3:
jmp _getEnCheck
getDustR:
registersymbol(getDust)
registersymbol(EnBoost)
[DISABLE]
getDust+3:
db F3 0F 10 40 38
unregistersymbol(getDust)
unregistersymbol(EnBoost)
dealloc(newmemD)
Last edited by wazlord on Wed May 06, 2015 8:59 pm; edited 4 times in total
Geri Moderator
Reputation: 111
Joined: 05 Feb 2010 Posts: 5627
Posted: Wed May 06, 2015 10:30 am Post subject:
Your script is long and I am lazy to check everything since you didn't put in any comments, but I have noticed that you have used a jmp to make the hook and you are using a ret, so unless the original code would end the function anyway, it's obvious why this would cause a crash.
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25846 Location: The netherlands
Posted: Wed May 06, 2015 10:33 am Post subject:
You use ret without a call
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
wazlord Expert Cheater
Reputation: 4
Joined: 17 Sep 2012 Posts: 208
Posted: Wed May 06, 2015 9:03 pm Post subject:
Geri wrote:
Your script is long and I am lazy to check everything since you didn't put in any comments, but I have noticed that you have used a jmp to make the hook and you are using a ret, so unless the original code would end the function anyway, it's obvious why this would cause a crash.
Dark Byte wrote:
You use ret without a call
Thanks
Made some changes to the code and the actual cause of the crash is pointing to this part of the code...
Code:
cmp dword ptr [r8+434],(float)1 //434 //compare if the value is float 1
jne getBoostC
cmp byte ptr [r8+B00],1 //B00 //compare if the value is 1
jne getBoostC
Am I doing something wrong with the comparison code?
It seems that if I remove this line the crash goes away.
I tried comparing with the rbp register and it still crashes.
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Wed May 06, 2015 9:12 pm Post subject:
Looks like the original code is:
movss xmm0,[rax+38]
Are you sure you shouldn't be using:
cmp dword ptr [rax+434],(float)1
cmp byte ptr [rax+B00],1
You're probably crashing because 'r8' isn't a pointer.
Note: Although the current code will work because you're comparing equality,
you cannot compare greater than/less than with floats using CMP.
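Zanzer's remark about CMP and floats, worked through as an added example (not code from any post in this thread): the C program below reinterprets float bit patterns the way `cmp dword ptr [r8+434],(float)1` does (the auto assembler encodes `(float)1` as the dword 3F800000) and shows that the integer compare is fine for an equality test against 1.0, but gives wrong answers for equality of 0.0 and -0.0 and for any greater-than/less-than test once negative values are involved. The sample values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The dword the assembler emits for the immediate (float)1: IEEE-754 single 1.0. */
#define FLOAT_ONE_BITS 0x3F800000u

/* Return the 32 raw bits of a float, which is what `cmp dword ptr [mem],imm32` compares. */
uint32_t float_bits(float f) {
    uint32_t u;
    memcpy(&u, &f, sizeof u);
    return u;
}

/* What `cmp dword ptr [mem],(float)1` followed by `je` tests: bit-for-bit equality. */
int cmp_equal_as_int(float mem, float imm) {
    return float_bits(mem) == float_bits(imm);
}

/* What the same `cmp` followed by `jl` tests: signed 32-bit ordering of the bit patterns. */
int cmp_less_as_int(float mem, float imm) {
    return (int32_t)float_bits(mem) < (int32_t)float_bits(imm);
}

/* Constructed sample values used to compare integer CMP against real float ordering. */
static const float samples[] = { -2.0f, -1.0f, -0.0f, 0.0f, 0.5f, 1.0f, 2.0f };
#define SAMPLES_LEN (sizeof samples / sizeof samples[0])

/* Count ordered pairs (a,b) from the sample set where "a < b" via integer CMP
 * disagrees with the true float result. Negative floats sort backwards as signed
 * ints (sign bit set, and the magnitude bits grow with |a|), and -0.0 compares
 * below +0.0 even though the two are equal as floats. */
int count_ordering_mismatches(void) {
    int mismatches = 0;
    for (size_t i = 0; i < SAMPLES_LEN; i++)
        for (size_t j = 0; j < SAMPLES_LEN; j++)
            if (cmp_less_as_int(samples[i], samples[j]) != (samples[i] < samples[j]))
                mismatches++;
    return mismatches;
}

int main(void) {
    printf("(float)1 is encoded as %08X\n", float_bits(1.0f));
    printf("1.0 == 1.0 via cmp/je : %d\n", cmp_equal_as_int(1.0f, 1.0f));
    printf("0.0 == -0.0 via cmp/je: %d (as floats: %d)\n",
           cmp_equal_as_int(0.0f, -0.0f), 0.0f == -0.0f);
    printf("-2.0 < -1.0 via cmp/jl: %d (as floats: %d)\n",
           cmp_less_as_int(-2.0f, -1.0f), -2.0f < -1.0f);
    printf("ordering mismatches in sample set: %d\n", count_ordering_mismatches());
    return 0;
}
```

The equality test against exactly 1.0 is the one case where the integer compare is safe, which is why the script's `cmp ... ,(float)1` / `jne` pair is not itself the source of the crash. Anything involving ordering, zero, or NaN needs the SSE compare instructions (comiss/ucomiss) instead of CMP.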
wazlord Expert Cheater
Reputation: 4
Joined: 17 Sep 2012 Posts: 208
Posted: Wed May 06, 2015 9:19 pm Post subject:
Zanzer wrote:
Looks like the original code is:
movss xmm0,[rax+38]
Yup, that's the original code, which seems to be a generic function used for doing everything in the game.
Zanzer wrote:
Are you sure you shouldn't be using:
cmp dword ptr [rax+434],(float)1
cmp byte ptr [rax+B00],1
You're probably crashing because 'r8' isn't a pointer.
Well, I would need to check if I could use rax, but from what I checked, r8 is a pointer and seems to have the values I am checking when I was tracing the register values.
Changing to rbp instead of r8 also causes the crash.
I am not sure what happened, as the code was working at one point.
But the thing is, the crash happens before reaching the code above, as it didn't trip the breakpoints I set at the jmp code from the EnCheck; will try and look into it.
Zanzer wrote:
Note: Although the current code will work because you're comparing equality,
you cannot compare greater than/less than with floats using CMP.
I just want to check if the value is equal to float 1; I don't care about greater/less. Not sure if this is the cause as well.
Maybe I'll try and use the other comparison method for the float and see if it solves the problem.
This is from the error log; R8/RBP are the pointers as far as I have checked.
Code:
Read from location 00000435 caused an access violation.
Context:
RDI: 0x20498888 RSI: 0x2470b100 RAX: 0x2470b100
RBX: 0x00000001 RCX: 0x2470b100 RDX: 0x0000421e
RIP: 0x13d60021 RBP: 0x0029e890 SegCs: 0x00000033
EFlags: 0x00010246 RSP: 0x0029e850 SegSs: 0x0000002b
R8: 0x0029e5d0 R9: 0x00000001 R10: 0x00000000
R11: 0x137dd150 R12: 0x21c279c0 R13: 0x2e908400
R14: 0x4a12c700 R15: 0x23492600
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Wed May 06, 2015 9:42 pm Post subject:
Those appear to be local temporary addresses and certainly not something that is going to have an offset of 434 and B00.
What makes you think those are the correct pointers and offsets for the values you're trying to use?
If you simply remove the +434 and +B00, does your script no longer crash?
According to your error log, it almost appears like it is trying to read [r9+434], since the error said it tried to read 00000435, which is r9+434.
Curious if CE has a bug that wrote the wrong opcode?
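Zanzer's reading of the fault address (00000435 = r9+434) can be checked mechanically against the whole context dump. The C program below is an added example, not code from the thread: it takes the register values from the dump quoted above and the three displacements the script dereferences (+38, +434, +B00), lists every register whose value plus a displacement lands exactly on the faulting address, and flags registers that lie within a window of RSP, which is the hint that they hold a stack address rather than a pointer to a game object. The 64 KiB stack window is an assumption chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One general-purpose register from an exception context dump. */
typedef struct { const char *name; uint64_t value; } reg_t;

/* Register values copied from the context dump quoted above in the thread. */
static const reg_t ctx[] = {
    {"RDI", 0x20498888}, {"RSI", 0x2470b100}, {"RAX", 0x2470b100},
    {"RBX", 0x00000001}, {"RCX", 0x2470b100}, {"RDX", 0x0000421e},
    {"RBP", 0x0029e890}, {"RSP", 0x0029e850}, {"R8",  0x0029e5d0},
    {"R9",  0x00000001}, {"R10", 0x00000000}, {"R11", 0x137dd150},
    {"R12", 0x21c279c0}, {"R13", 0x2e908400}, {"R14", 0x4a12c700},
    {"R15", 0x23492600},
};
#define CTX_LEN (sizeof ctx / sizeof ctx[0])

/* Displacements the script dereferences: +38 from the original movss,
 * +434 and +B00 from the two added compares. */
static const uint64_t disps[] = { 0x38, 0x434, 0xB00 };
#define DISPS_LEN (sizeof disps / sizeof disps[0])

/* Assumed window: a value this close to RSP is treated as a stack address. */
#define STACK_WINDOW 0x10000ULL

/* List every register+displacement pair that evaluates to the faulting address.
 * Writes up to cap strings such as "R9+434" into out (out may be NULL when cap
 * is 0) and returns the total number of matches found. */
int find_base_candidates(uint64_t fault, const reg_t *regs, size_t nregs,
                         const uint64_t *d, size_t nd, char out[][16], size_t cap) {
    size_t found = 0;
    for (size_t i = 0; i < nregs; i++) {
        for (size_t j = 0; j < nd; j++) {
            if (regs[i].value + d[j] != fault)
                continue;
            if (found < cap)
                snprintf(out[found], 16, "%s+%llX", regs[i].name, (unsigned long long)d[j]);
            found++;
        }
    }
    return (int)found;
}

/* Number of matches for the thread's dump. */
int thread_candidate_count(uint64_t fault) {
    return find_base_candidates(fault, ctx, CTX_LEN, disps, DISPS_LEN, NULL, 0);
}

/* The idx-th match for the thread's dump, or "" if there is none. */
const char *thread_candidate(uint64_t fault, size_t idx) {
    static char out[8][16];
    int n = find_base_candidates(fault, ctx, CTX_LEN, disps, DISPS_LEN, out, 8);
    return (idx < (size_t)n && idx < 8) ? out[idx] : "";
}

/* 1 if value lies within window bytes of rsp, i.e. looks like a stack address. */
int within_stack_window(uint64_t value, uint64_t rsp, uint64_t window) {
    uint64_t diff = value > rsp ? value - rsp : rsp - value;
    return diff <= window;
}

int main(void) {
    uint64_t fault = 0x435;   /* "Read from location 00000435" */
    int n = thread_candidate_count(fault);
    printf("%d operand(s) evaluate to %llX:\n", n, (unsigned long long)fault);
    for (int i = 0; i < n; i++)
        printf("  [%s]\n", thread_candidate(fault, (size_t)i));

    /* Which registers look like they point into the stack rather than at an object? */
    uint64_t rsp = 0;
    for (size_t i = 0; i < CTX_LEN; i++)
        if (strcmp(ctx[i].name, "RSP") == 0) rsp = ctx[i].value;
    for (size_t i = 0; i < CTX_LEN; i++)
        if (within_stack_window(ctx[i].value, rsp, STACK_WINDOW))
            printf("  %s = %llX is within %llX of RSP\n", ctx[i].name,
                   (unsigned long long)ctx[i].value, (unsigned long long)STACK_WINDOW);
    return 0;
}
```

On this dump it reports both [RBX+434] and [R9+434], because RBX and R9 both hold 1; the register values alone cannot say which one the faulting instruction used, so the disassembly at RIP still has to be checked. It also flags RBP and R8 as sitting a few hundred bytes from RSP, which is the quantitative form of Zanzer's "local temporary addresses" remark and explains why [R8+434] and [R8+B00] read stack memory rather than object fields.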
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25846 Location: The netherlands
Posted: Thu May 07, 2015 3:19 am Post subject:
It's possible r8 is part of a previous function call from a different location and the function you're in only takes 2 parameters.
So, if the function is called from a different location where r8 isn't set up, then r8 will be wrong (you could use RSP instead).
As for CE assembler errors, CE might have issues with the REX prefix, but that would cause r8 to turn into rax, not r9.
wazlord Expert Cheater
Reputation: 4
Joined: 17 Sep 2012 Posts: 208
Posted: Thu May 07, 2015 8:34 am Post subject:
Zanzer wrote:
Those appear to be local temporary addresses and certainly not something that is going to have an offset of 434 and B00.
What makes you think those are the correct pointers and offsets for the values you're trying to use?
If you simply remove the +434 and +B00, does your script no longer crash?
Hmm, I guess the issue is really due to R8.
When I change the address to RBP, it no longer crashes.
It seems there are times when R8 does not have those addresses, hence causing the crash when it hits that point, which isn't meeting my criteria.
Guess I should have checked this rather than made that assumption.
When I tested earlier I always got the exact register count when checking against R8 offsets, hence using it as the hack point.
Will have to find another unique combination then.
Thanks all for helping