podstanar (Advanced Cheater)
Reputation: 4
Joined: 02 May 2012 Posts: 82 Location: Flatland
Posted: Sun Oct 31, 2021 8:42 am Post subject: What part of code is generating these NOPs?

Today, while making some cheats, I've encountered a really weird issue, and can't figure it out.
When I enable this script:
Code:
{$STRICT}
// --- check CE version ---
{$lua}
if(getCEVersion() < 7.3) then
ShowMessage('CE >= v7.3 is required to use this script.')
end
{$asm}
define(orig_god_bytes, orig_bytes)
[ENABLE]
aobscanmodule(god_hook, Game.exe, 48 89 ? ? ? 57 48 83 EC ? 48 8B ? 48 8B ? E8 ? ? ? ? 48 8B)
allocnx(vars, 32)
allocnx(orig_bytes, 32)
alloc(main, 256, god_hook)
registersymbol(vars)
registersymbol(orig_bytes)
registersymbol(god_hook)
registersymbol(godmode)
label(godmode)
label(god_patch)
label(ret_god_hook)
// --- setup variables ---
vars:
godmode:
dd 0
// --- save original bytes ---
orig_bytes:
orig_god_bytes:
readmem(god_hook, 5)
// --- injection ---
god_hook:
jmp god_patch
ret_god_hook:
// --- cave ---
main:
god_patch:
cmp [godmode], 1
je @f
readmem(god_hook, 5)
jmp ret_god_hook
@@:
ret
[DISABLE]
god_hook:
readmem(orig_god_bytes, 5)
dealloc(*)
unregistersymbol(*)

instead of patching only 5 bytes (required for this JMP):
Code:
before injection:
7FF7EBF5D870 - 48 89 5C 24 08 - mov [rsp+08],rbx
after injection:
7FF7EBF5D870 - E9 8B279CFF - jmp 7FF7EB920000

CE patches 14 bytes, by inserting this weird 9-byte-long NOP slide after the jump:
Code:
7FF7EBF5D870 - E9 8B279CFF - jmp 7FF7EB920000
7FF7EBF5D875 - 66 0F1F 84 00 00000000 - nop word ptr [rax+rax+00000000]

which obviously messes up everything and crashes the game. Also, the label ret_god_hook inside the allocated code cave points exactly after that NOP slide, at 7FF7EBF5D87E. What is going on here exactly?
_________________
Singularity is nearer.

Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003 Posts: 25793 Location: The Netherlands
Posted: Sun Oct 31, 2021 9:01 am Post subject:

Do jmp main instead of jmp god_patch, as the location of god_patch is unknown at the time the jmp is assembled, but main should be known.
Or move the god_hook code under main.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.

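As an added illustration (not code from the thread or from Cheat Engine itself), the Python below encodes and decodes the two jumps quoted in the post, so the 14-byte patch and the +14 return label can be checked by hand. It assumes, and this is an assumption the thread does not state, that the 14-byte slot the auto-assembler reserves for a target it does not yet know is the x86-64 absolute form jmp [rip+0] followed by an 8-byte address, which it later fills with the 5-byte rel32 jump plus a 9-byte NOP once the target turns out to be within 2 GiB.

```python
import struct

# Addresses and bytes copied from the post above (hook site and allocated cave),
# used here as sample input.
HOOK_ADDR = 0x7FF7EBF5D870
CAVE_ADDR = 0x7FF7EB920000
PATCHED = bytes.fromhex("E98B279CFF" "660F1F840000000000")   # jmp + 9-byte nop
NOP9 = bytes.fromhex("660F1F840000000000")   # nop word ptr [rax+rax+00000000]
INT64_MASK = (1 << 64) - 1


def encode_jmp_rel32(src, dst):
    """5-byte E9 jmp, or None if dst is not within +/-2 GiB of the next instruction."""
    rel = dst - (src + 5)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        return None
    return b"\xE9" + struct.pack("<i", rel)


def encode_jmp_abs14(dst):
    """14-byte absolute jmp: FF 25 00000000 (jmp [rip+0]) followed by the 8-byte target."""
    return b"\xFF\x25\x00\x00\x00\x00" + struct.pack("<Q", dst)


def fill_reserved_slot(src, dst):
    """Assumption: 14 bytes were reserved while dst was unknown. Once dst is known,
    use the short jmp padded with NOP9 when it reaches, otherwise the absolute form."""
    short = encode_jmp_rel32(src, dst)
    return short + NOP9 if short is not None else encode_jmp_abs14(dst)


def decode_jmp(addr, code):
    """Return (bytes overwritten, jump target) for either jmp encoding at addr."""
    if code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return 5, (addr + 5 + rel) & INT64_MASK
    if code[:6] == b"\xFF\x25\x00\x00\x00\x00":
        return 14, struct.unpack_from("<Q", code, 6)[0]
    raise ValueError("not a jmp encoding this helper understands")


def return_label(src, slot):
    """Where a label placed right after the patched slot lands (ret_god_hook in the post)."""
    return src + len(slot)


if __name__ == "__main__":
    slot = fill_reserved_slot(HOOK_ADDR, CAVE_ADDR)
    print(slot.hex(" "), decode_jmp(HOOK_ADDR, slot), hex(return_label(HOOK_ADDR, slot)))
```

Decoding the posted bytes gives the cave address 7FF7EB920000 and a return label of 7FF7EBF5D87E, i.e. 14 bytes past the hook, which is why the original 5-byte instruction and the 9 bytes after it are both lost.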
Csimbi (I post too much)
Reputation: 97
Joined: 14 Jul 2007 Posts: 3324
Posted: Sun Oct 31, 2021 11:33 am Post subject:

In addition to what DB said, you should expect this more and more in x64 titles.
podstanar (Advanced Cheater)
Reputation: 4
Joined: 02 May 2012 Posts: 82 Location: Flatland
Posted: Mon Nov 01, 2021 7:18 am Post subject:

Dark Byte wrote: "or move the god_hook code under main"
Thanks, this did it. I had no idea AA scripts are parsed in such a way that the order of things could matter. Is there some documentation where I can read what gets parsed when, and in which order?
_________________
Singularity is nearer.

STN (I post too much)
Reputation: 43
Joined: 09 Nov 2005 Posts: 2676
Posted: Mon Nov 01, 2021 2:01 pm Post subject:

podstanar wrote: "Dark Byte wrote: 'or move the god_hook code under main' Thanks, this did it. I had no idea AA scripts are parsed in such a way that the order of things could matter. Is there some documentation where I can read what gets parsed when, and in which order?"
No, but you can look in the source code.