 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
h3x1c
Master Cheater
 Reputation: 17
Joined: 27 Apr 2013
Posts: 306
|
 Posted: Sat Jun 25, 2016 3:03 pm Post subject: Buggy disassembler behavior when scrolling. |
 |
|
EDIT: Not a bug! Just me being a newbie.  But for anyone else who happens to find this post via Google or something, reading the replies below will clarify what's going on.
I've noticed this happen at times before, but I've had it occur with a few different games lately. I have a video (it's unlisted) of the bug here, but the process goes as follows:
1: I right-click in the disassembler window and choose "Go to address."
2: I enter the address I want to go to and then go to it.
3: Once I get to that address, the moment I scroll up, the addresses on the left-hand side change, which then changes the instructions shown.
Is this normal behavior for a reason I'm unfamiliar with?
_________________
Last edited by h3x1c on Sat Jun 25, 2016 4:39 pm; edited 1 time in total |
|
| Back to top |
|
 |
hhhuut
Grandmaster Cheater
 Reputation: 6
Joined: 08 Feb 2015
Posts: 607
|
| Posted: Sat Jun 25, 2016 3:32 pm Post subject: |
|
|
| Probably some disassembly obfusication ...
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
 Reputation: 152
Joined: 06 Jul 2014
Posts: 4706
|
| Posted: Sat Jun 25, 2016 3:35 pm Post subject: |
|
|
Instructions aren't of a fixed width in Intel 64 and IA-32 architectures. This means that instructions can start anywhere, and you can jump in the middle of another instruction if you want. Thus, when disassembling bytes, the disassembler guesses where the first instruction starts and goes from there.
The reason why that happens is usually either you jumped in the middle of another instruction or you scrolled up past the start of a contiguous section of asm. For example:
| Code: | // what the game treats this executable memory as:
...
C3 - ret (end of some subroutine)
00 00 00 - padding between sections
55 - push ebp (beginning of another)
8B EC - mov ebp,esp
...
// what CE disassembles this to:
C3 - ret
00 00 - add [eax],al
00 55 8B - add [ebp-75],dl
EC - in al,dx |
I'll also mention that, between the page protection and the disassembly, it should be very clear that section of memory isn't meant to be executed.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
h3x1c
Master Cheater
Reputation: 17
Joined: 27 Apr 2013
Posts: 306
|
| Posted: Sat Jun 25, 2016 4:00 pm Post subject: |
|
|
| ParkourPenguin wrote: | Instructions aren't of a fixed width in Intel 64 and IA-32 architectures. This means that instructions can start anywhere, and you can jump in the middle of another instruction if you want. Thus, when disassembling bytes, the disassembler guesses where the first instruction starts and goes from there.
The reason why that happens is usually either you jumped in the middle of another instruction or you scrolled up past the start of a contiguous section of asm. For example:
| Code: | // what the game treats this executable memory as:
...
C3 - ret (end of some subroutine)
00 00 00 - padding between sections
55 - push ebp (beginning of another)
8B EC - mov ebp,esp
...
// what CE disassembles this to:
C3 - ret
00 00 - add [eax],al
00 55 8B - add [ebp-75],dl
EC - in al,dx |
I'll also mention that, between the page protection and the disassembly, it should be very clear that section of memory isn't meant to be executed. |
I knew some of that to an extent, but you framing it that way certainly gives more clarity to the topic.
"... or you scrolled up past the start of a contiguous section of asm."
That must be what the case is for the times I'm running into this, as I'm cognizant of the addresses I go to (most of the time, at least ).
So, if I know the address I've gone to is correct--as in, it's not in the middle of another instruction--then what would I need to do to correctly see that disassembled section? Just go to an address that's, say, -30 bytes from the instruction I'm interested in?
Thanks for your advice!
_________________
|
|
| Back to top |
|
|
M-Z
Advanced Cheater
![]() Reputation: 1
Joined: 08 Nov 2014
Posts: 77
Location: Poland
|
| Posted: Sat Jun 25, 2016 4:23 pm Post subject: |
|
|
| Why are you expecting code to be under EBP register?
|
|
| Back to top |
|
|
h3x1c
Master Cheater
Reputation: 17
Joined: 27 Apr 2013
Posts: 306
|
| Posted: Sat Jun 25, 2016 4:30 pm Post subject: |
|
|
| M-Z wrote: | | Why are you expecting code to be under EBP register? |
Because I'm still a newbie and was trying to sort my way through doing some back-tracing. EBP+4 is what I was ultimately trying to experiment with. I should have been looking at the address in [EBP+4] and trying to go there (I think, at least...).
_________________
Last edited by h3x1c on Sat Jun 25, 2016 4:37 pm; edited 1 time in total |
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 152
Joined: 06 Jul 2014
Posts: 4706
|
| Posted: Sat Jun 25, 2016 4:35 pm Post subject: |
|
|
| h3x1c wrote: | | So, if I know the address I've gone to is correct... then what would I need to do to correctly see that disassembled section? |
Right click in the disassembler, select "Go to address", enter the address of that instruction, and CE will disassemble it as if that address is the start of an instruction that's meant to be executed.
| h3x1c wrote: | | Just go to an address that's, say, -30 bytes from the instruction I'm interested in? |
If the disassembler starts in the middle of some instruction, there is a tendency for it to get back on track as it continues disassembling instructions. Using my previous example, any instructions after mov ebp,esp would be disassembled correctly by CE even though it didn't correctly interpret the previous bytes as the game would have executed them.
CE makes use of this tendency whenever you scroll in the disassembler. It is required to do this when you scroll upwards, as it has no feasible way of determining what the preceding instructions are.
That being said, your speculation as to the solution is actually what's causing the problem. Assuming you're at the address of an instruction you're sure the game is executing and scrolling makes CE disassemble it incorrectly, the padding prior to your address is causing it to get off track. When you scroll up, CE correctly disassembles the previous section of asm, but the padding between the sections throws the disassembler off of where it should be for the next section. The asm in my previous post exemplifies this.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
M-Z
Advanced Cheater
![]() Reputation: 1
Joined: 08 Nov 2014
Posts: 77
Location: Poland
|
| Posted: Sat Jun 25, 2016 4:42 pm Post subject: |
|
|
From what I see in this code, EBP contains some real data, not frame pointer.
Nonetheless if it was frame pointer, then after execution it wouldn't do you much good.
I sometimes find useful to do an AA injection at the beginning of some function, to see where from it is called. It goes something like this:
| Code: |
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
mov eax,[esp]
mov eax,[eax]
push ebp
mov ebp,esp
and esp,-08
exit:
jmp returnhere
"eu4.exe"+5A96A0:
jmp newmem
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"eu4.exe"+5A96A0:
push ebp
mov ebp,esp
and esp,-08
|
You set "What this instruction accesses" breakpoint on mov eax,[eax] and voila... 
|
|
| Back to top |
|
|
h3x1c
Master Cheater
Reputation: 17
Joined: 27 Apr 2013
Posts: 306
|
| Posted: Sat Jun 25, 2016 4:49 pm Post subject: |
|
|
| ParkourPenguin wrote: | | ... |
Totally clear now! Thanks for taking the time to explain.
The common denominator of why I've been experiencing this lately is ME and my fumbling my way through misunderstanding EBP/EBP+4 in the context of function calls. I'm just on the cusp of "getting it," but I'm at that point where I'm trying to do things without referencing any help or tutorials.
So, I basically end up doing dumb-ass stuff like this without really understanding exactly what I'm doing, but I walk away with a better understanding from people like you, so thanks! 
| M-Z wrote: | From what I see in this code, EBP contains some real data, not frame pointer.
Nonetheless if it was frame pointer, then after execution it wouldn't do you much good.
I sometimes find useful to do an AA injection at the beginning of some function, to see where from it is called. It goes something like this:
| Code: |
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
mov eax,[esp]
mov eax,[eax]
push ebp
mov ebp,esp
and esp,-08
exit:
jmp returnhere
"eu4.exe"+5A96A0:
jmp newmem
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"eu4.exe"+5A96A0:
push ebp
mov ebp,esp
and esp,-08
|
You set "What this instruction accesses" breakpoint on mov eax,[eax] and voila... |
Neat! Thanks for sharing that. Topically, this is exactly what I'm wrestling with my brain about: seeing where a function was called from. I'm studying calling conventions (and how they look in ASM), etc. I'm in that weird place with it where I understand just enough to make myself look like an articulate dumb-ass, lol. 
_________________
|
|
| Back to top |
|
|
mgr.inz.Player
I post too much
 Reputation: 222
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Sun Jun 26, 2016 8:30 am Post subject: |
|
|
Also, keep in mind that some newer games (e.g. Rise of the Tomb Raider) can use "random bytes padding" between sections. Causing code analyzing to be even more complicated.
_________________
|
|
| Back to top |
|
|
h3x1c
Master Cheater
Reputation: 17
Joined: 27 Apr 2013
Posts: 306
|
| Posted: Sun Jun 26, 2016 11:41 am Post subject: |
|
|
| mgr.inz.Player wrote: | | Also, keep in mind that some newer games (e.g. Rise of the Tomb Raider) can use "random bytes padding" between sections. Causing code analyzing to be even more complicated. |
Is that an intentional obfuscation technique?
_________________
|
|
| Back to top |
|
|
mgr.inz.Player
I post too much
Reputation: 222
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Sun Jun 26, 2016 1:17 pm Post subject: |
|
|
Maybe. It is possible that those "weird padding bytes" aren't just for obfuscation. Could it be some kind of ID, or checksum.
Or, initial values for temporary variables.
Try this yourself:
| Code: | newmem:
code1:
//your code here
...
...
...
jmp returnhere1
tmpVariableValue:
dq (double)3.14
code2:
//your code here
mov eax,ecx
imul eax,eax,3
...
...
fld qword ptr [tmpVariableValue]
...
jmp returnhere2 |
Disassembler will show something like this:
| Code: | E9 xxxxxxxx - jmp xxxxxxxx // <==== last line of code1 section
1F - pop ds
85 EB - test ebx,ebp
51 - push rcx
B8 1E09408B - mov eax,8B40091E // <==== first line of code2 section is 8B C1
C1 6B C0 03 - shr [rbx-40],03 |
_________________
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
