 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Dr.Disrespect
Grandmaster Cheater
![]() Reputation: 3
Joined: 17 Feb 2016
Posts: 526
|
 Posted: Sat Nov 12, 2016 10:59 am Post subject: RIP- relative addressing? |
 |
|
I am reading the "Introduction to x64" on the Intel website, and the RIP register got me confused.
This is the part on the website, which explains RIP:
| Code: |
RIP-relative addressing: this is new for x64 and allows accessing data tables and such in the code relative to the current instruction pointer, making position independent code easier to implement.
MOV AL, [RIP] ; RIP points to the next instruction aka NOP
NOP
|
In the example, it shows that [RIP] points to the next instruction-"NOP", so my question is, does RIP always point to the next instruction? If not, how to use it or understand it correctly?
Thanks.
|
|
| Back to top |
|
 |
Zanzer
I post too much
![]() Reputation: 126
Joined: 09 Jun 2013
Posts: 3278
|
| Posted: Sat Nov 12, 2016 11:25 am Post subject: |
|
|
RIP equals the address of the currently running instruction.
I know nothing about [RIP] pointing to the next instruction.
I guess that's just something the x64 processor understands.
You probably won't ever have the need to use RIP for a hack.
|
|
| Back to top |
|
|
Dr.Disrespect
Grandmaster Cheater
![]() Reputation: 3
Joined: 17 Feb 2016
Posts: 526
|
| Posted: Sat Nov 12, 2016 11:33 am Post subject: |
|
|
| Zanzer wrote: | RIP equals the address of the currently running instruction.
I know nothing about [RIP] pointing to the next instruction.
I guess that's just something the x64 processor understands.
You probably won't ever have the need to use RIP for a hack. |
I was glad and relieved when I saw the last sentence. Thanks, Zanzer. 
|
|
| Back to top |
|
|
predprey
Master Cheater
![]() Reputation: 24
Joined: 08 Oct 2015
Posts: 486
|
| Posted: Sat Nov 12, 2016 7:35 pm Post subject: |
|
|
https://en.wikipedia.org/wiki/Program_counter
IP or instruction pointer denotes the address for the next instruction to be executed. It is automatically incremented after the instruction fetch stage of cpu pipelining. For x86, it is referenced by EIP while for x86_64 it is referenced by RIP.
You probably wouldn't use it for normal game hacking, but I have heard of people using it for evading online cheat detectors by manually setting a breakpoint and changing the instruction pointer to skip a few instructions instead of NOPping the few instructions. Apparently doing so can fool the cheat detection systems. You could also theoretically make a jmp by changing the instruction pointer.
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
 Reputation: 154
Joined: 06 Jul 2014
Posts: 4754
|
| Posted: Sat Nov 12, 2016 8:01 pm Post subject: |
|
|
While you will rarely use the RIP register directly, RIP-relative addressing is a very common occurrence in any application. It allows you to address any memory location within 2GB of the next instruction. This is why you should specify a memory region when allocating memory in a 64-bit process: it allows CE to use a 5-byte jump instead of having to store the 8-byte memory location and jump to that instead (14-byte jump).
When it's necessary, CE's assembler will take care of it the majority of the time. You don't have to worry about it unless you're encoding instructions yourself.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
STN
I post too much
 Reputation: 43
Joined: 09 Nov 2005
Posts: 2676
|
| Posted: Sat Nov 12, 2016 9:32 pm Post subject: |
|
|
It just means the current instruction(RIP) will be used in calculation of the instruction. Just look at the jmp, movsd and other 64bit instructions, they use relative addressing instead of absolute positioning e.g (F2 0F10 35 D8466808 - movsd xmm6,[game.exe+94AB0F0]) ...its something like this
Destination address - current address - 8
You can control flow of execution with IP and as such it is useful in certain situations. In games with anti-cheats not allowing memory editing (codbo3, infinite warfare, mafia 2 etc), i've used it to redirect code execution to my cave, doing what i like without the game scanners ever being triggered!. But yeah, you won't use RIP much like other special purpose registers.
_________________
|
|
| Back to top |
|
|
mgr.inz.Player
I post too much
 Reputation: 222
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Sat Nov 12, 2016 9:48 pm Post subject: |
|
|
| Quote: | | It just means the current instruction(RIP) will be used in calculation of the instruction |
Nope.
In (R/E)IP relative addressing, it means address of next instruction will be used in calculations in current instruction.
For example instruction at address 01000540:
| Code: | | 01000540 - F3 0F10 35 55000000 - movss xmm6,[0100059D] |
Look at 55000000, it is offset used in calculations, you have to treat it as signed 32 bit integer. Because i386 and x86_64 architecture is Little Endian, it means offset 0x55.
Instruction is 8 bytes long.
Calculation: 01000540 + 8 + 55 = 0100059D
What predprey wrote is more accurate.
_________________
Last edited by mgr.inz.Player on Sat Nov 12, 2016 9:50 pm; edited 1 time in total |
|
| Back to top |
|
|
Dr.Disrespect
Grandmaster Cheater
![]() Reputation: 3
Joined: 17 Feb 2016
Posts: 526
|
| Posted: Sat Nov 12, 2016 9:49 pm Post subject: |
|
|
Thanks for all the replies, STN, Penguin and predprey. I have a general idea about RIP now.
I will come up with more questions if I need to deal with it in the future.
Thanks again, guys.
|
|
| Back to top |
|
|
STN
I post too much
Reputation: 43
Joined: 09 Nov 2005
Posts: 2676
|
| Posted: Sat Nov 12, 2016 9:56 pm Post subject: |
|
|
| mgr.inz.Player wrote: | | Quote: | | It just means the current instruction(RIP) will be used in calculation of the instruction |
Nope.
In (R/E)IP relative addressing, it means address of next instruction will be used in calculations in current instruction.
For example instruction at address 01000540:
| Code: | | 01000540 - F3 0F10 35 55000000 - movss xmm6,[0100059D] |
Look at 55000000, it is offset used in calculations, you have to treat it as signed 32 bit integer. Because i386 and x86_64 architecture is Little Endian, it means offset 0x55.
Instruction is 8 bytes long.
Calculation: 01000540 + 8 + 55 = 0100059D
What predprey wrote is more accurate. |
That's exactly what i said lol  look at my example.
This is one of those times where i wish my english translated better to what i was thinking in my head :s
_________________
|
|
| Back to top |
|
|
mgr.inz.Player
I post too much
Reputation: 222
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Sat Nov 12, 2016 9:59 pm Post subject: |
|
|
uhm, nope.
For (R/E)IP relative addressing you have to keep in mind that CPU works like this:
| Code: | fetch instruction pointed by (R/E)IP
increase (R/E)IP register (so it points to next instruction)
if current instruction uses relative addressing use (R/E)IP register in calculations
execute current instruction
fetch instruction pointed by (R/E)IP
increase (R/E)IP register (so it points to next instruction)
if current instruction uses relative addressing use (R/E)IP register in calculations
execute current instruction
and so on |
_________________
|
|
| Back to top |
|
|
panraven
Grandmaster Cheater
![]() Reputation: 62
Joined: 01 Oct 2008
Posts: 961
|
| Posted: Sun Nov 13, 2016 9:59 am Post subject: |
|
|
These might be examples that knowing the offset (<...>) and where the offset is (address of beginning of <...>), can still not be determined where the target is:
| Code: |
""+8480016: C6 05<00 00 00 00>01 - mov byte ptr [0848001D],01 // RIP to byte
""+848001D: 66 C7 05<00 00 00 00>01 00 - mov word ptr [08480026],0001 // RIP to word
""+8480026: C7 05<00 00 00 00>01 00 00 00 - mov [08480030],00000001 // RIP to dword
""+8480030: 48 C7 05<00 00 00 00>01 00 00 00 - mov [0848003B],00000001 // // RIP to qword
""+848003B: 66 C7 04 25 00 00 00 00 01 00 - mov word ptr [00000000],0001 // word not RIP
""+8480045: 00 00 - add [rax],al
|
What more have to be known beside checking the actual instruction?
(note: CE RIP Scanner only give the RIP-Address, not the starting address of the instruction it being contained)
These cases are not practical as rip jump target, ie. jump target = RIP-address + 4 + signed-RIP-offset, but for curiosity~
btw, the byte before the rip offset seems always be 05, 0d, 15, 1d, 25, 2d, 35,3d ? (ADDED: oops, beside near jump/call and short jump, ofc)
bye~
ADDED:
how to assemble RIP-address (as memory/data-address-target) in CE? it may be useful to make relocatable sub-routine.
_________________
- Retarded. |
|
| Back to top |
|
|
predprey
Master Cheater
![]() Reputation: 24
Joined: 08 Oct 2015
Posts: 486
|
| Posted: Sun Nov 13, 2016 9:17 pm Post subject: |
|
|
| panraven wrote: | These might be examples that knowing the offset (<...>) and where the offset is (address of beginning of <...>), can still not be determined where the target is:
| Code: |
""+8480016: C6 05<00 00 00 00>01 - mov byte ptr [0848001D],01 // RIP to byte
""+848001D: 66 C7 05<00 00 00 00>01 00 - mov word ptr [08480026],0001 // RIP to word
""+8480026: C7 05<00 00 00 00>01 00 00 00 - mov [08480030],00000001 // RIP to dword
""+8480030: 48 C7 05<00 00 00 00>01 00 00 00 - mov [0848003B],00000001 // // RIP to qword
""+848003B: 66 C7 04 25 00 00 00 00 01 00 - mov word ptr [00000000],0001 // word not RIP
""+8480045: 00 00 - add [rax],al
|
What more have to be known beside checking the actual instruction?
(note: CE RIP Scanner only give the RIP-Address, not the starting address of the instruction it being contained)
These cases are not practical as rip jump target, ie. jump target = RIP-address + 4 + signed-RIP-offset, but for curiosity~
btw, the byte before the rip offset seems always be 05, 0d, 15, 1d, 25, 2d, 35,3d ? (ADDED: oops, beside near jump/call and short jump, ofc)
bye~
ADDED:
how to assemble RIP-address (as memory/data-address-target) in CE? it may be useful to make relocatable sub-routine. |
to assemble RIP-relative addressing in autoassembler, use "reassemble(address/label of original instruction)". it reassembles a single line of instruction though, so repeat and change address as needed. because of this, there is an issue of compatibility and instruction byte size may be different across different program versions so subsequent reassemble() lines may break due to a wrong address.
|
|
| Back to top |
|
|
panraven
Grandmaster Cheater
![]() Reputation: 62
Joined: 01 Oct 2008
Posts: 961
|
| Posted: Mon Nov 14, 2016 11:55 am Post subject: |
|
|
reassemble is more a disassembler, since it read the address bytes and disassemble it as some text then put that text on the new address that the reassemble command located.
These may be example of rip addressing, http://www.agner.org/optimize/optimizing_assembly.pdf
| Code: |
; Example 3.7a. RIP-relative memory operand, MASM syntax
mov eax, [mem]
; Example 3.7b. RIP-relative memory operand, NASM/YASM syntax
default rel
mov eax, [mem]
; Example 3.7c. RIP-relative memory operand, Gas/Intel syntax
mov eax, [mem+rip]
|
_________________
- Retarded. |
|
| Back to top |
|
|
Dr.Disrespect
Grandmaster Cheater
![]() Reputation: 3
Joined: 17 Feb 2016
Posts: 526
|
| Posted: Mon Nov 14, 2016 12:57 pm Post subject: |
|
|
Thanks for all the posts, guys. It's a bit complicated for me, need some time to digest. 
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
