Cheat Engine The Official Site of Cheat Engine
riverwest (Newbie cheater)
Posted: Wed May 08, 2019 7:18 pm
Post subject: What is the mov opcode for floats?
I found a value and want to save it in a global label in a script. The value I'd like to save has a sample value of -900.71, so I'm assuming it is a float. I see this value (-900.71) in the disassembler.
The following code compiles, but I cannot activate my script, so something is wrong. I think it is either the opcode or my alloc statement. Any ideas here?
Code:
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000,"Cry3DEngine.dll"+30F461)
label(code)
label(return)
globalalloc(_height8,8)
newmem:
code:
movups [_height8],xmm0
movups [Cry3DEngine.dll+775908],xmm0
jmp return
address:
jmp newmem
nop
nop
return:
TheyCallMeTim13 (Wiki Contributor)
Posted: Wed May 08, 2019 7:50 pm
MOVUPS - Move Unaligned Packed Single-Precision Floating-Point Values
https://www.felixcloutier.com/x86/movups
It's a packed instruction, so it works on 16 (0x10) bytes at a time.
Not sure if it's the size, or that you never placed the "_height8" label to tell it where it was. But try this:
Code:
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000,"Cry3DEngine.dll"+30F461)
label(code)
label(return)
globalalloc(_height8, 10)
_height8:
dd 0
dd 0
dd 0
dd 0
newmem:
code:
movups [_height8],xmm0
movups [Cry3DEngine.dll+775908],xmm0
jmp return
address:
jmp newmem
nop
nop
return:
riverwest (Newbie cheater)
Posted: Wed May 08, 2019 8:02 pm
Thanks, I was mistaking the bytes in the globalalloc to be decimal, but it's in hex. Ah.
The script still does not activate after your suggested changes. Do you have any other ideas? It executes only if I comment out this line:
Code:
// movups [_height8],xmm0
---
edit:
It looks like if I change globalalloc to alloc, then the script runs. But how can I access this address outside in my cheat table if I'm not globally allocating it? Hm.
edit 2:
Is this in the right direction? I can't seem to store the value but I feel this is kinda close..
Code:
[ENABLE]
assert(address,bytes)
//alloc(v_height,0x10)
alloc(newmem,$1000,"Cry3DEngine.dll"+30F461)
//registersymbol(v_height)
label(code)
label(return)
newmem:
code:
//movups [v_height],xmm0
movups [Cry3DEngine.dll+775908],xmm0
jmp return
address:
jmp newmem
nop
nop
return:
[DISABLE]
address:
db bytes
// movups [Cry3DEngine.dll+775908],xmm0
dealloc(newmem)
//dealloc(v_height)
TheyCallMeTim13 (Wiki Contributor)
Posted: Wed May 08, 2019 8:22 pm
riverwest wrote:
    Thanks, I was mistaking the bytes in the globalalloc to be decimal, but it's in hex. Ah.
    The script still does not activate after your suggested changes. Do you have any other ideas? It executes only if I comment out this line:
    Code:
    // movups [_height8],xmm0
    ---
    edit:
    It looks like if I change globalalloc to alloc, then the script runs. But how can I access this address outside in my cheat table if I'm not globally allocating it? Hm.
It's probably the size change, so you'd need to restart the game and CE, as the memory was already allocated and won't deallocate without a restart. But "globalAlloc" just allocates and registers the symbol.
So just use this:
Code:
...
alloc(_height8, 10)
registerSymbol(_height8)
...
[DISABLE]
...
dealloc(_height8)
unregisterSymbol(_height8)
https://wiki.cheatengine.org/index.php?title=Auto_Assembler:Commands
riverwest (Newbie cheater)
Posted: Wed May 08, 2019 8:51 pm
That fixed it. I had to reset the memory of the game.
Okay, now I don't know if you'll know this; if not, I have a lot of research to do. But I'm trying to manipulate this value and have the player warp. I'm thinking I can pass the values like so:
xmm0 > _height8 > [Cry3DEngine.dll+755908]
However... that doesn't work, as the code is not injectable.
Code:
code:
movups [_height8],xmm0
movups [Cry3DEngine.dll+775908],[_height8] //<<<
jmp return
I don't know if it's because I can't move values from a non-register into the .dll but I don't know how to confirm that.
riverwest (Newbie cheater)
Posted: Thu May 09, 2019 9:44 pm
TheyCallMeTim13 wrote:
    Yeah, you can't move a memory address to a memory address; you need to move the first address to a registry, then move that to the second address.
    With the code you posted you're moving the value of XMM0 to the address at "_height8", and the original code sets the value at "Cry3DEngine.dll+775908", so you can just use that.
    If you're trying to move the value from "_height8" to "Cry3DEngine.dll+775908", try this:
    Code:
    movups xmm0,[_height8]
    movups [Cry3DEngine.dll+775908],xmm0
    As far as find out how each instruction works.
    ...
You've been very helpful Tim, I appreciate you sharing your knowledge with me. Is this the point where people go off on their own? I feel assembly knowledge is so foreign to many. I'm stuck at pulling out my values from the xmm registers.
I've found the three values I'm looking for; X Y and Z.
X is at 7FFCB996CBF0
Y is at 7FFCB996CBF0 + 4
Z is at 7FFCB996CBF0 + 8
(what's odd I notice is that X and Y are both written to address 7FFCB996CBF0, while Z is written to 7FFCB996CBF0 + 8 -- so I'll have to figure out how that all is set up later I'm sure too)
Using the handy page you sent me, there is an extractps opcode that pulls single-precision floating-point values from xmm registers, just what I need!
Pulling out X works fine:
Code:
extractps [x2],xmm0,0
But Y does not work:
Code:
extractps [y2],xmm0,16
The auto assembler code looks basically like this (all labels/symbols are defined already above):
Code:
code:
extractps [x2],xmm0,0
extractps [y2],xmm0,32
//extractps [z2],xmm0,8
jmp original
original:
movsd [rdx],xmm0
movss [rsp+08],xmm5
jmp return
I'll continue to look around in case this is too specific knowledge for people to have, but please chime in if you'd like to attempt this feat!
TheyCallMeTim13 (Wiki Contributor)
Posted: Thu May 09, 2019 10:27 pm
I'd do it this way, then you can access it with the symbol and offset; i.e. "fltCoordValue+0" to read the X coord. value.
Code:
[ENABLE]
assert(address,bytes)
//alloc(v_height,0x10)
alloc(newmem,$1000,"Cry3DEngine.dll"+30F461)
//registersymbol(v_height)
label(code)
label(return)
label(fltCoordValue)
registerSymbol(fltCoordValue)
newmem:
movaps [fltCoordValue],xmm0
code:
movups [Cry3DEngine.dll+775908],xmm0
jmp return
align 10 CC
ptrCoordBase:
dq 0
fltCoordValue:
dd 0 // fltCoordValue+0 = X
dd 0 // fltCoordValue+4 = Y
dd 0 // fltCoordValue+8 = Z
dd 0
address:
jmp newmem
nop
nop
return:
[DISABLE]
address:
db bytes
// movups [Cry3DEngine.dll+775908],xmm0
unregisterSymbol(fltCoordValue)
dealloc(newmem)
//dealloc(v_height)
riverwest (Newbie cheater)
Posted: Fri May 10, 2019 9:29 am
TheyCallMeTim13 wrote:
    I'd do it this way, then you can access it with the symbol and offset; i.e. "fltCoordValue+0" to read the X coord. value.
    Code:
    [ENABLE]
    assert(address,bytes)
    //alloc(v_height,0x10)
    alloc(newmem,$1000,"Cry3DEngine.dll"+30F461)
    //registersymbol(v_height)
    label(code)
    label(return)
    label(fltCoordValue)
    registerSymbol(fltCoordValue)
    newmem:
    movaps [fltCoordValue],xmm0
    code:
    movups [Cry3DEngine.dll+775908],xmm0
    jmp return
    align 10 CC
    ptrCoordBase:
    dq 0
    fltCoordValue:
    dd 0 // fltCoordValue+0 = X
    dd 0 // fltCoordValue+4 = Y
    dd 0 // fltCoordValue+8 = Z
    dd 0
    address:
    jmp newmem
    nop
    nop
    return:
    [DISABLE]
    address:
    db bytes
    // movups [Cry3DEngine.dll+775908],xmm0
    unregisterSymbol(fltCoordValue)
    dealloc(newmem)
    //dealloc(v_height)
Is it a typo that you included the following code in code instead of newmem?
Code:
align 10 CC
ptrCoordBase:
dq 0
fltCoordValue:
dd 0 // fltCoordValue+0 = X
dd 0 // fltCoordValue+4 = Y
dd 0 // fltCoordValue+8 = Z
dd 0
I understand what you are doing with fltCoordValue, but you never set ptrCoordBase, and the "align 10 CC" command is only supposed to take one parameter.
Are you getting around using alloc and using align in some way instead? I understand that align is padding, effectively NOPs, but why "10 CC"?
TheyCallMeTim13 (Wiki Contributor)
Posted: Fri May 10, 2019 1:00 pm
Yeah, the "ptrCoordBase" should've been removed. I tend to store the address, but I didn't know if it was x64 or x32 to store the address properly.
Code:
[ENABLE]
assert(address,bytes)
//alloc(v_height,0x10)
alloc(newmem,$1000,"Cry3DEngine.dll"+30F461)
//registersymbol(v_height)
label(code)
label(return)
label(fltCoordValue)
registerSymbol(fltCoordValue)
newmem:
movaps [fltCoordValue],xmm0
code:
movups [Cry3DEngine.dll+775908],xmm0
jmp return
align 10 CC
fltCoordValue:
dd 0 // fltCoordValue+0 = X
dd 0 // fltCoordValue+4 = Y
dd 0 // fltCoordValue+8 = Z
dd 0
address:
jmp newmem
nop
nop
return:
[DISABLE]
address:
db bytes
// movups [Cry3DEngine.dll+775908],xmm0
unregisterSymbol(fltCoordValue)
dealloc(newmem)
//dealloc(v_height)
As for "align", it takes 2 parameters; the second is optional. The first tells it what to align to, and the second tells it what byte to pad with (default is "00"). So "align 10 CC" will just look better if you view the injected code.
Example:
Code:
mov [ecx+10],eax
align 10
mov [ecx+10],eax
align 10 CC
mov [ecx+10],eax
Code:
memTestValues - 89 41 10 - mov [ecx+10],eax
003D0003 - 00 00 - add [eax],al
003D0005 - 00 00 - add [eax],al
003D0007 - 00 00 - add [eax],al
003D0009 - 00 00 - add [eax],al
003D000B - 00 00 - add [eax],al
003D000D - 00 00 - add [eax],al
003D000F - 00 89 4110CCCC - add [ecx-3333EFBF],cl
003D0015 - CC - int 3
003D0016 - CC - int 3
003D0017 - CC - int 3
003D0018 - CC - int 3
003D0019 - CC - int 3
003D001A - CC - int 3
003D001B - CC - int 3
003D001C - CC - int 3
003D001D - CC - int 3
003D001E - CC - int 3
003D001F - CC - int 3
003D0020 - 89 41 10 - mov [ecx+10],eax
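As an added example (not code from this thread or from Cheat Engine), the C model below captures the three hardware facts the last few posts turn on: a packed store writes all 16 bytes, movaps faults unless its memory operand is 16-byte aligned (which is what the "align 10" ahead of the fltCoordValue label guarantees), and extractps reads only bits 1:0 of its immediate as a lane index, so an immediate of 16 or 32 decodes as lane 0 and stores X again instead of Y. The xmm_t struct, the function names and the sample lane values are assumptions made for the model.

```c
#include <stdint.h>
#include <string.h>

/* Model of a 128-bit XMM register: four packed single-precision lanes.
   Constructed for this example; not code from the thread or from Cheat Engine. */
typedef struct { float lane[4]; } xmm_t;

/* movups [mem],xmm: copies all 16 bytes; the destination may be unaligned. */
static void movups_store(uint8_t *dst, const xmm_t *src) {
    memcpy(dst, src->lane, 16);
}

/* movaps [mem],xmm: same 16-byte store, but the CPU raises #GP unless the
   address is 16-byte aligned. Returns 0 on success, -1 for the fault case. */
static int movaps_store(uint8_t *dst, const xmm_t *src) {
    if (((uintptr_t)dst & 0xF) != 0) return -1;   /* would fault on real hardware */
    memcpy(dst, src->lane, 16);
    return 0;
}

/* extractps [mem],xmm,imm8: only imm8 bits 1:0 select the lane (0..3), so an
   imm8 of 16 or 32 decodes as lane 0 and stores X again. Returns the lane used. */
static int extractps_store(float *dst, const xmm_t *src, unsigned imm8) {
    unsigned lane = imm8 & 3;
    *dst = src->lane[lane];
    return (int)lane;
}

/* Packed store to a 16-byte aligned block (what "align 10" ahead of the
   fltCoordValue label provides), then X/Y/Z read back at +0, +4, +8. */
static int coords_from_xmm(const xmm_t *src, float *x, float *y, float *z) {
    static _Alignas(16) uint8_t flt_coord_value[16];
    if (movaps_store(flt_coord_value, src) != 0) return -1;
    memcpy(x, flt_coord_value + 0, 4);
    memcpy(y, flt_coord_value + 4, 4);
    memcpy(z, flt_coord_value + 8, 4);
    return 0;
}

/* The same store 4 bytes past an aligned base: movups succeeds, movaps faults. */
static int misaligned_case(const xmm_t *src) {
    static _Alignas(16) uint8_t buf[32];
    movups_store(buf + 4, src);          /* fine: unaligned store is allowed */
    return movaps_store(buf + 4, src);   /* -1: the aligned form would fault */
}
```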
riverwest (Newbie cheater)
Posted: Fri May 10, 2019 2:17 pm
Got it. You are using align because you don't know how large the addresses are, so you create a space of memory separated by "CC"'s so that you'll know what the values are and will be able to properly allocate memory accordingly to hold these values.
I'm going to try and pull these values out tonight. My goal is to write something that can propel me in the air - but I eventually want to write something that will let me teleport.