Cheat Engine Forum (General Gamehacking)

Need help with movups code injection
Trisolaris
Newbie cheater
Reputation: 0

Joined: 10 Mar 2019
Posts: 18

PostPosted: Fri Aug 19, 2022 9:15 am    Post subject: Need help with movups code injection

Hello,
I've come across following instructions which I'd like to change in order to write custom values to [rdi-20].

Code:
MyGame.exe+35081D - 0F10 40 E0            - movups xmm0,[rax-20]
MyGame.exe+350821 - 0F11 47 E0            - movups [rdi-20],xmm0


rax-20 writes the following values to the xmm0 register: -0.40 _ 1.20
If I NOP the movups [rdi-20],xmm0 instruction and write my values into the 2 target addresses, they stick.
A lot of processes use the [rax-20] address, so setting my values there is not an option, as the values change all the time.

I'm new to code injection and am having a hard time grasping the movups instruction. Any help in setting up a script that writes 5.00_0.60 into xmm0 or [rdi-20] would be appreciated.
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Fri Aug 19, 2022 11:08 am

Highlight the instruction in the disassembler and use the "AOB Injection" template. You didn't specify what the other two values should be, so I'm guessing they're 0.
Code:
[ENABLE]
aobscanmodule(MyInjectionPoint,MyGame.exe,0F 10 40 E0 0F 11 47 E0) // should be unique
alloc(newmem,$1000,MyInjectionPoint)

label(myData)
label(return)
registersymbol(MyInjectionPoint)

newmem:
  movups xmm0,[myData]
  movups [rdi-20],xmm0
  jmp return

align 10 CC
myData:
  dd (float)5.0
  dd (float)0.6
  dd (float)0.0
  dd (float)0.0

MyInjectionPoint:
  jmp newmem   // 5 bytes (E9 rel32)
  nop 3        // pads to 8 bytes: both 4-byte movups at the injection point are replaced, and both are re-emitted in newmem
return:

[DISABLE]

MyInjectionPoint:
  db 0F 10 40 E0 0F 11 47 E0

unregistersymbol(MyInjectionPoint)
dealloc(newmem)

_________________
I don't know where I'm going, but I'll figure it out when I get there.
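Added example, not from the thread and not Cheat Engine's own code: the arithmetic behind the template's `jmp newmem` / `nop 3` pair in the script above, written out in C so it can be checked. A rel32 jmp is 5 bytes, so at least 5 bytes of original instructions are overwritten, and every instruction touched has to be re-emitted on the path back (the `originalcode` block), otherwise the return jump lands in the middle of a destroyed instruction. The example takes the instruction lengths at the injection point (the two 4-byte movups come from the page; the third length and the source/target addresses are constructed for the example), reports how many instructions are stolen and how many NOPs pad the rest, and emits the E9 rel32 bytes. The +/-2 GiB check is why CE's alloc on 64-bit takes a preferred base near the injection point.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5   /* E9 rel32 */

/* Number of instructions at the injection point that a 5-byte jmp overwrites.
 * Each of them must be re-emitted under `originalcode`. Returns -1 when the
 * lengths supplied do not add up to 5 bytes. */
long stolen_insns(const uint8_t *lens, size_t n) {
    size_t bytes = 0, i = 0;
    while (i < n && bytes < JMP_REL32_LEN) bytes += lens[i++];
    return bytes < JMP_REL32_LEN ? -1 : (long)i;
}

/* Total bytes overwritten (jmp plus padding). */
long stolen_bytes(const uint8_t *lens, size_t n) {
    long k = stolen_insns(lens, n);
    if (k < 0) return -1;
    long bytes = 0;
    for (long i = 0; i < k; i++) bytes += lens[i];
    return bytes;
}

/* NOPs after the jmp: what CE's template writes as `nop N`. */
long nop_count(const uint8_t *lens, size_t n) {
    long b = stolen_bytes(lens, n);
    return b < 0 ? -1 : b - JMP_REL32_LEN;
}

/* Encode `jmp rel32` from src to target. rel32 is relative to the end of the
 * jmp itself. Returns 0, or -1 when target is outside +/-2 GiB of src. */
int encode_jmp(uint64_t src, uint64_t target, uint8_t out[JMP_REL32_LEN]) {
    int64_t rel = (int64_t)target - (int64_t)(src + JMP_REL32_LEN);
    if (rel < INT32_MIN || rel > INT32_MAX) return -1;
    uint32_t r = (uint32_t)(int32_t)rel;
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(r >> (8 * i));  /* little-endian imm32 */
    return 0;
}

/* Full patch for the injection point: jmp followed by NOP padding sized to the
 * replaced instructions. Returns the patch length or -1. */
long build_patch(uint64_t src, uint64_t target, const uint8_t *lens, size_t n,
                 uint8_t *out, size_t cap) {
    long bytes = stolen_bytes(lens, n);
    if (bytes < 0 || (size_t)bytes > cap) return -1;
    if (encode_jmp(src, target, out) != 0) return -1;
    memset(out + JMP_REL32_LEN, 0x90, (size_t)(bytes - JMP_REL32_LEN));
    return bytes;
}

/* Byte i of the patch for a given case (-1 on error or out of range). */
int patch_byte(uint64_t src, uint64_t target, const uint8_t *lens, size_t n, size_t i) {
    uint8_t buf[32];
    long len = build_patch(src, target, lens, n, buf, sizeof buf);
    if (len < 0 || i >= (size_t)len) return -1;
    return buf[i];
}

int main(void) {
    /* The page's injection point: movups xmm0,[rax-20] (4 bytes) then
     * movups [rdi-20],xmm0 (4 bytes). The third length is assumed. */
    const uint8_t lens[] = {4, 4, 4};
    printf("steal %ld insns, %ld bytes, nop %ld\n",
           stolen_insns(lens, 3), stolen_bytes(lens, 3), nop_count(lens, 3));
    uint8_t buf[32];
    long len = build_patch(0x100000, 0x200000, lens, 3, buf, sizeof buf);  /* constructed addresses */
    for (long i = 0; i < len; i++) printf("%02X ", buf[i]);
    printf("\n");
    return 0;
}
```

The same arithmetic applies when the jmp is placed at the second movups instead of the first: 5 bytes do not fit in a 4-byte instruction, so the instruction after it is overwritten too and must appear under `originalcode` as well.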
Trisolaris
Newbie cheater
Reputation: 0

Joined: 10 Mar 2019
Posts: 18

PostPosted: Fri Aug 19, 2022 11:08 am

Here's what I have so far. This crashes the game though.

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"MyGame.exe"+350821)
label(returnhere)
label(originalcode)
label(exit)

alloc(our_address, 8, "MyGame.exe"+350821) //allocates new address(8-byte fp Quad Word / Qword)

our_address:
dd (float)8.0 //declares float data value
dd (float)0.6 //declares float data value

newmem:
movups xmm0, [our_address]
movups [rdi-20],xmm0

originalcode:
movups [rdi-20],xmm0

exit:
jmp returnhere

"MyGame.exe"+350821:
jmp newmem //5 bytes, but the movups at +350821 is only 4 bytes: the jmp runs into the next instruction
nop
nop
nop //jmp + 3 nops = 8 bytes overwritten, yet originalcode above restores only the 4-byte movups; the instruction at +350825 is lost
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
dealloc(our_address)
"MyGame.exe"+350821:
movups [rdi-20],xmm0
sbryzl
Master Cheater
Reputation: 6

Joined: 25 Jul 2016
Posts: 252

PostPosted: Fri Aug 19, 2022 2:28 pm

You probably just need to add some padding to our_address. movups will read 128 bits and you only have 64 there so the same instruction that is telling it to read is being read at the same time. I wouldn't be surprised if this would cause a crash.
Simply allocate more space.
Code:
alloc(our_address, 50, "MyGame.exe"+350821)
Trisolaris
Newbie cheater
Reputation: 0

Joined: 10 Mar 2019
Posts: 18

PostPosted: Sat Aug 20, 2022 4:43 am

Thanks for your input guys!
Your replies have sparked several attempts and new questions.

@ParkourPenguin: why do you suggest to use the aob injection method? Is it in order to safeguard my code against changing pointer offsets after game updates? The offset is currently at +350821, but changes with game updates. Would the other method of code injection also work, or is aob injection the only way? The instructions get re-written to another location every time I re-spawn, so I have to inject the code each time anew. I thought going the code injection path would perhaps be faster compared to the aob injection.

What is the best injection point given the fact that the first of the following lines of original code is shared and crashes the game if I mess with it?

Code:
MyGame.exe+35081D - 0F 10 40 E0 - movups xmm0,[rax-20]
MyGame.exe+350821 - 0F 11 47 E0 - movups [rdi-20],xmm0


I reckon I'd let the first line execute and inject at the second line, by moving my own values into xmm0 and then executing the original line. I've tried this approach with code injection similar to what I've posted before, and also with the AoBInjection shown by @ParkourPenguin. So far, the game always crashed. NOPing the second line of code does not crash it though.
sbryzl
Master Cheater
Reputation: 6

Joined: 25 Jul 2016
Posts: 252

PostPosted: Sat Aug 20, 2022 6:31 am

Quote:
why do you suggest to use the aob injection method? Is it in order to safeguard my code against changing pointer offsets after game updates? The offset is currently at +350821, but changes with game updates. Would the other method of code injection also work, or is aob injection the only way?

Yes it safeguards against updates by acting as though it has a built-in assert. If you don't use aob scan you should use assert.

Quote:
The instructions get re-written to another location every time I re-spawn, so I have to inject the code each time anew.

If this is true it's jit compiling and I would find a different injection point or use a multilevel pointer for something more reliable.

Quote:
What is the best injection point given the fact that the first of the following lines of original code is shared and crashes the game if I mess with it?

It doesn't matter. rdi has your pointer and if you inject anywhere near that general location rdi will always have all the shared addresses running through it. There are many discussions about dealing with shared instructions here in many different ways all unique to a particular situation. It sounds like because your previous statement indicates jit compiling you might need a different injection point or method anyway.
Trisolaris
Newbie cheater
Reputation: 0

Joined: 10 Mar 2019
Posts: 18

PostPosted: Sat Aug 20, 2022 7:46 am

sbryzl wrote:
It doesn't matter. rdi has your pointer and if you inject anywhere near that general location rdi will always have all the shared addresses running through it. There are many discussions about dealing with shared instructions here in many different ways all unique to a particular situation. It sounds like because your previous statement indicates jit compiling you might need a different injection point or method anyway.


Ahh, thanks, things are starting to become clearer.
This instruction writes camera coordinates into [rdi-20] every few seconds. As a proof-of-concept, I've NOPed the instruction, and have then overwritten the value in rdi-20, which worked fine (I only need to write my values in there once per spawn). Unfortunately, rdi-20 is in a very dynamic area of memory, and I wasn't able to find good AOBs. I haven't had much success with finding pointers in this game (mostly multiple levels, often changing upon re-spawn, and really hard to validate, at least with my limited skills).
Would it be possible to do a code / aob injection which writes the desired coordinates to rdi-20 and then NOPs the instruction? If so, how would I go about that?
sbryzl
Master Cheater
Reputation: 6

Joined: 25 Jul 2016
Posts: 252

PostPosted: Sat Aug 20, 2022 8:48 am

Sorry, let me correct something I said: I see you said the first instruction was shared not the one giving you your pointer. This would be expected as the first instruction is likely pulling values off the stack which is always highly active. So nothing to worry about as far as shared instructions though the jit compiling is still a concern.

I'm not sure what is causing your crash. It's possible the other float values are important for some cause other than your targeted one. In that case you can preserve them by doing this so it only changes the data you want leaving the rest:

edit: Try this.

Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"MyGame.exe"+350821)
label(returnhere)
label(originalcode)
label(exit)

alloc(our_address, 40, "MyGame.exe"+350821) //16 bytes of data; the size is generous so the 16-byte movups read below stays inside the block

our_address:
dd (float)8.0 //declares float data value (lane 0)
dd (float)0.6 //declares float data value (lane 1)
dq 0          //lanes 2 and 3, filled in from the original data at run time

newmem:

push rax
mov rax,[rax-18]        //[rax-18] = [rax-20]+8: the upper 8 bytes (lanes 2 and 3) of the original 16
mov [our_address+8],rax //keep them, so only lanes 0 and 1 are replaced
pop rax

movups xmm0, [our_address]

originalcode:
movups [rdi-20],xmm0

exit:
jmp returnhere

"MyGame.exe"+350821:
jmp newmem //5 bytes, but the movups at +350821 is only 4 bytes: the jmp runs into the next instruction
nop
nop
nop //jmp + 3 nops = 8 bytes overwritten; whatever instruction followed at +350825 is not restored under originalcode
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
dealloc(our_address)
"MyGame.exe"+350821:
movups [rdi-20],xmm0

ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Sat Aug 20, 2022 11:22 am

Trisolaris wrote:
Is it in order to safeguard my code against changing pointer offsets after game updates?
Pointer offsets aren't relevant here. If the game updates, most stuff in the exe will change location. e.g. something that was at game.exe+1234 might now be at game.exe+5678. Scanning for the injection point with an aobscan will find the code regardless of where it is in the exe.

Trisolaris wrote:
Would the other method of code injection also work, or is aob injection the only way?
You could use the "Full injection" template if you want. If the game ever updates, though, you have to update the table yourself.

Trisolaris wrote:
The instructions get re-written to another location every time I re-spawn, so I have to inject the code each time anew.
I highly doubt the game is assembling new code inside the exe each time you respawn. Did you mean that instruction writes to a different address each time you respawn? If so, you don't need to disable and enable the script again.

Trisolaris wrote:
I thought going the code injection path would perhaps be faster compared to the aob injection.
aob injection is a type of code injection. There is a "Code injection" template, but unlike the "Full Injection" template, it doesn't assert the injection point contains the bytes you think it does. The only reason I'd use the "Code injection" template is for a quick and dirty code injection that I'm not even going to assign to the cheat table.
The "Full Injection" template doesn't scan through the exe for the code, so yes, it should be faster. It's probably not much faster since you're already limiting the scan region with aobscanmodule.

Trisolaris wrote:
What is the best injection point given the fact that the first of the following lines of original code is shared and crashes the game if I mess with it?
Right click the second instruction (`movups [rdi-20],xmm0`) and select "Find out what addresses this instruction accesses". If any address you don't want to modify comes up, see step 9 of the CE tutorial.

Trisolaris wrote:
Would it be possible to do a code / aob injection which writes the desired coordinates to rdi-20 and then NOPs the instruction?
That's exactly what my code did, with 2 extra things: it also modified the other two values in the xmm0 register, and it left xmm0 modified. If you want to fix that:
Code:
newmem:
  movups xmm0,[rax-20]
  blendps xmm0,[myData],3  // xmm0 = mem[0,1],xmm0[2,3]
  movups [rdi-20],xmm0
  movups xmm0,[rax-20]
  jmp return

align 10 CC
myData:
  dd (float)5.0
  dd (float)0.6
  dd (float)0.0
  dd (float)0.0
I'm pretty sure the `blendps` instruction requires memory accesses to be aligned, so make sure `myData` is aligned.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Trisolaris
Newbie cheater
Reputation: 0

Joined: 10 Mar 2019
Posts: 18

PostPosted: Sun Aug 21, 2022 3:40 am

Thank you guys!
I hope I can continue coding during the coming week. I'll keep you posted on my progress 😉
Trisolaris
Newbie cheater
Reputation: 0

Joined: 10 Mar 2019
Posts: 18

PostPosted: Tue Aug 23, 2022 3:07 pm

ParkourPenguin wrote:
Right click the second instruction (`movups [rdi-20],xmm0`) and select "Find out what addresses this instruction accesses". If any address you don't want to modify comes up, see step 9 of the CE tutorial.


This instruction accesses more than 150 addresses!
I made MyInjectionPoint AOB longer until it was unique. Now your code works & the game doesn't crash, but given the many addresses this instruction writes to, there are interesting side effects ....

I'll definitely have a look at step 9 of the CE tut to see how I can unscramble this.

I still struggle with understanding the movups though. I thought it moves float values into double float addresses. When I check what it writes to the camera coordinates that interest me, I find following values in XMM0:
Float: 2.00 _ 1.77 _ 0.15 _ -1.57
Double float: 0.60 _ -0.20

I have 2 versions of the script and they appear to work just the same:
Here's a version with float values in myData. I came up with these by writing my desired values into the DF target address and displaying them as float.
Code:
align 10 CC
myData:
dd (float)0.00
dd (float)2.3125
dd (float)4.172325063E-8
dd (float)1.774999976


This version has DF in myData:
Code:

align 10 CC
myData:
dq (double)5.0
dq (double)0.6

The first value is the camera position along one axis, the second value equals the second axis position. While the first one works, the second doesn't produce any change.
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Tue Aug 23, 2022 4:38 pm

Trisolaris wrote:
I still struggle with understanding the movups though.
"movups" stands for "move unaligned packed singles". "move" means it's moving data, "unaligned" means memory accesses aren't required to be aligned, "packed" means it's moving several values at once (i.e. 4 floats), and "singles" means the "Float" data type. In simpler terms, it's just moving 16 bytes using xmm register(s).

There's also movupd, "move unaligned packed doubles", which practically does the same thing: move 16 bytes using xmm register(s). There are probably some differences under certain microarchitectures, but it's probably not important.

Trisolaris wrote:
While the first one works, the second doesn't produce any change
It should. Make sure there isn't something else in the script screwing things up. You may also have some other script enabled at the same time, or maybe some artifact of a previous script is still around (restart the game and CE).
Code:
label(myData)
...

newmem:
  movupd xmm0,[myData]
  movupd [rdi-20],xmm0

  movups xmm0,[rax-20]
  jmp return

align 10 CC
myData:
  dq (double)5.0
  dq (double)0.6

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Trisolaris
Newbie cheater
Reputation: 0

Joined: 10 Mar 2019
Posts: 18

PostPosted: Thu Sep 01, 2022 9:45 am

ParkourPenguin wrote:

If any address you don't want to modify comes up, see step 9 of the CE tutorial.

I've had a good long look at that tutorial and similar youtube tutorials. I tried to dissect the structure in CE but it's just too complex for me. More than 150 addresses are being written to by the instruction. Looks like it controls the positions of many different cameras and a few other things.

On the upside though, it looks like all values that it writes are constants, and so are the values that interest me.

Is there a way to sneak in a comparison step so that if the value that is about to be written is not among the ones I'm looking to change (can I place these in an array?) it can pass through, and otherwise the script writes my values?

Are there other ways of dealing with this level of complexity? The writing sequence perhaps? No idea whether the code actually has a specific writing sequence though. Does the "Find out what addresses this code writes to" function return the address-value combinations according to the sequence they were written?
Trisolaris
Newbie cheater
Reputation: 0

Joined: 10 Mar 2019
Posts: 18

PostPosted: Wed Nov 09, 2022 2:38 pm

@ParkourPenguin: It's been a while, but I finally had another look at the code and values. My issue is that the instruction is shared code and writes to dozens of addresses.

I'm now looking for a way to compare the value that comes through xmm0 to a constant, and to only execute the "player" label when xmm0 contains the value of interest (e.g. 0.600000023841858).

What instruction / approach do I need to do that comparison? I've tried cmp, but CE said that the code is not injectable because of the "cmp" line.
As always, any help would be much appreciated!

Here's a portion of my current code:

Code:
newmem:
  movups xmm0,[rax-20]
  cmp xmm0, 0.600000023841858 //cmp has no form with an xmm operand or a floating-point immediate, so this line cannot be assembled
  je player //jump equal
  jmp originalcode //jump here if value <> 0.6....

align 10 CC
myData:
  //dq (double)5.0
  //dq (double)0.6
  dq (double)5.0
  dq (double)0.6

exit:
  jmp returnhere

player:
  blendps xmm0,[myData],3  // xmm0 = mem[0,1],xmm0[2,3]
  movups [rdi-20],xmm0
  jmp return

originalcode:
  movups [rdi-20],xmm0
  movups xmm1,[rax-10]
  movups [rdi-10],xmm1
  sub rcx,01
cooleko
Grandmaster Cheater
Reputation: 11

Joined: 04 May 2016
Posts: 717

PostPosted: Wed Nov 09, 2022 2:53 pm

You can't compare a double value (0.600000023841858) raw. Either convert it to its hex equivalent or use a different approach.
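Added example, not from the thread and not Cheat Engine's own code, covering two earlier points at once: ParkourPenguin's explanation of movups/movupd as "move 16 bytes", and the last question about comparing xmm0 against a constant, which cooleko answers with "convert it to its hex equivalent". It is a plain-C model of one xmm-sized block of memory. It checks that the two `myData` variants Trisolaris posted (four floats versus two doubles) are byte-for-byte the same block, computes the IEEE-754 bit patterns a `cmp` in the auto assembler needs, models `blendps` with mask 3, and models the filtered hook: patch lanes 0 and 1 only when lane 0 is bit-for-bit equal to 0.6f. The names (`xmm_t`, `blendps_model`, `hooked_store`) and the sample lane values are constructed for the example; whether the game stores the camera field as singles or doubles is not settled on the page, so the compare is shown on a 32-bit lane and the 64-bit pattern is provided for the other case.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* One xmm-sized block of memory seen the three ways that matter here: raw
 * bytes, four packed singles (movups) and two packed doubles (movupd). */
typedef union {
    uint8_t  b[16];
    uint32_t u[4];
    float    f[4];
    double   d[2];
} xmm_t;

/* IEEE-754 bit patterns: the hex a `cmp dword ptr [...],HEX` needs for a
 * float, or the qword constant for a double (cmp has no 64-bit immediate). */
uint32_t float_bits(float x)   { uint32_t u; memcpy(&u, &x, sizeof u); return u; }
uint64_t double_bits(double x) { uint64_t u; memcpy(&u, &x, sizeof u); return u; }

xmm_t make_lanes(float a, float b, float c, float d) {
    xmm_t v; v.f[0] = a; v.f[1] = b; v.f[2] = c; v.f[3] = d; return v;
}
float    lane(xmm_t v, int i)      { return v.f[i]; }
uint32_t lane_bits(xmm_t v, int i) { return v.u[i]; }

/* The two myData variants posted in the thread. */
xmm_t mydata_as_floats(void)  { return make_lanes(0.00f, 2.3125f, 4.172325063e-8f, 1.774999976f); }
xmm_t mydata_as_doubles(void) { xmm_t v; v.d[0] = 5.0; v.d[1] = 0.6; return v; }

int same_bytes(xmm_t a, xmm_t b) { return memcmp(a.b, b.b, sizeof a.b) == 0; }

/* Software model of `blendps dst,src,imm8`: lane i comes from src when bit i
 * of imm8 is set, otherwise dst keeps its own lane. Mask 3 selects lanes 0,1. */
xmm_t blendps_model(xmm_t dst, xmm_t src, unsigned imm8) {
    for (int i = 0; i < 4; i++)
        if (imm8 & (1u << i)) dst.u[i] = src.u[i];
    return dst;
}

/* Model of the filtered hook: load [rax-20], patch lanes 0 and 1 only when
 * lane 0 is bit-for-bit equal to `key`, then perform the original store.
 * Returns the value that `movups [rdi-20],xmm0` would write. */
xmm_t hooked_store(xmm_t rax_m20, xmm_t mydata, float key) {
    xmm_t xmm0 = rax_m20;                       /* movups xmm0,[rax-20]                       */
    if (xmm0.u[0] == float_bits(key))           /* cmp dword ptr [rax-20],3F19999A ; jne ...  */
        xmm0 = blendps_model(xmm0, mydata, 3);  /* blendps xmm0,[myData],3                    */
    return xmm0;                                /* movups [rdi-20],xmm0                       */
}

int main(void) {
    printf("0.6f = %08X\n", float_bits(0.6f));
    printf("0.6  = %016llX\n", (unsigned long long)double_bits(0.6));
    printf("myData variants identical: %d\n", same_bytes(mydata_as_floats(), mydata_as_doubles()));
    xmm_t out = hooked_store(make_lanes(0.6f, -0.2f, 1.0f, 2.0f),   /* constructed sample data */
                             make_lanes(5.0f, 0.6f, 0.0f, 0.0f), 0.6f);
    printf("after hook: %g %g %g %g\n", lane(out, 0), lane(out, 1), lane(out, 2), lane(out, 3));
    return 0;
}
```

In the auto assembler the float compare is `cmp dword ptr [rax-20],3F19999A` followed by `jne originalcode`; for a double lane there is no 64-bit immediate form of `cmp`, so put the qword pattern in a scratch register (saved with push/pop) or keep it as a `dq` constant and use `ucomisd`. Take the pattern from the memory view rather than from the rounded decimal CE displays: 0.600000023841858 is just 0.6f printed as a double, and a genuine double 0.6 has the different pattern 3FE3333333333333.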
All times are GMT - 6 Hours
Page 1 of 2