panraven
Grandmaster Cheater
![]() Reputation: 59
Joined: 01 Oct 2008
Posts: 957
|
 Posted: Mon Feb 27, 2023 2:20 pm Post subject: aacomp |
 |
|
From https://forum.cheatengine.org/viewtopic.php?t=620717
I intent to make an extension to solve the reassemble problem,
next_rip https://pastebin.com/RrC0PfWb
but turn out new ce can do it already, but then I extended to this one
aacomp.lua https://pastebin.com/bmfz6i88
this provide 1 aa command "COMP", and a custom assembler instruction 'FCOMP'.
[[[[[[[[[[[[[[[[[[[[[
NOTE: custom assembler currently can not emit zero bytes, so the fall back option is to emit 1 byte nop (0x90).
NOTE2:
for integer defined <symbol> (not FCOMP persist symbol), if want to use in <lua-expression> in following COMP or
custom FCOMP, it should be enclosed by [[<symbol>]] or [=[<symbol>]=] or [==[<symbol>]==] etc,
otherwise it will not be expanded, eg.
define(sym,666)
comp(Name,readInteger'sym') // lua readInteger see input parameter as 'sym'
comp(Name,readInteger[[sym]]) // lua readInteger see input parameter as '666'
]]]]]]]]]]]]]]]]]]]]]
In following <symbol> is string of following characters: . # @ _ and alphanum
--
COMP is a aa command to transform to 'DEFINE(<symbol>,<lua-calc-result>)' or just use the lua-side-effect.
ie.
COMP(<symbol>,<lua-expression>) or
COMP(<lua-expression>)
eg.
COMP(SymbolName,getCEVersion()) -> define(SymbolName,7.5)
or just use the side effect
COMP(showMessage'Hello') -> return empty line
--
FCOMP is a valid x86 instruction, but if it write like following format, then the custom assembler may take its effect,
FCOMP<optional-spcs>&<symbol>,<lua-expression>
--
The <lua-expression> must result in integer value <result>,
then depend on the name of <symbol>, <result> can be used in following instructions.
if <symbol> is one of '_' or 'rax;rbx;rcx;rdx;rsi;rdi;rbp;r11;r12;r13;r14;r15;'
then it is in ONE_OFF_mode, which <result> will only use in immediate next instruction (if not another custom fcomp),
the <symbol> matching register may use in this immediate next instruction, so it should be a known free register.
If <symbol> is '_' then no register is use, some instruction may not compile.
If <symbol> is otherwise, then it is in Persist_mode, then <symbol> use as key to store <result>, then if matching &<symbol>
find in following instruction, it will replace with <result >(integer in hex format), however, if &<symbol> already has
a value, the <lua-expression> will not be run to replace <result>. To force a refresh in this case, run a lua function
forget_fcomp(<symbol>) first, or in AA context:
COMP(forget_fcomp'NEW_VALUE') // note no & prefix.
Because <symbol> cannot specify in ce reassemble, so the ONE_OFF_mode is need.
------
the following is an example aa script with its result (copy from pastebin)
Use a 64bit ce to attached another 64bit ce may compile the script.
| Code: |
globalalloc(__X,$1000)
__X:
mov eax,666
mov rax,-1
//// lua53-64.lua_absindex+B:
//// - 77 13 - ja lua53-64.lua_absindex+20
reassemble(lua53-64.lua_absindex+B) /// ce seem do it not right, ja * -> jmp *,
/// but my ce version may be outdated and it already been fixed.
fcomp &rax,calc_rip('lua53-64.lua_absindex+B',1,2,1)
/// if what follow & is a int register, then it is in ONE_OFF_mode,
/// the result addr only use in next instruction and forget;
/// otherwise, it is a VARIABLE <name> stored persisted,
/// next time (not just next) &<name> will be replaced
reassemble(lua53-64.lua_absindex+B)
mov rax,-1
fcomp &_,calc_rip('lua53-64.lua_absindex+B',1,2,1)
jna 1 /// jcc in ONE_OFF_mode can have a dummy target address, result addr will replace it
mov rax,-1
//// lua53-64.lua_version+5:
//// - 48 8D 05 FC7B0600 - lea rax,[lua53-64.dll.rdata+9F28] /// also displace as lua53-64.dll+68F28
reassemble(lua53-64.lua_version+5)
mov rax,-1
fcomp &r15,calc_rip('lua53-64.lua_version+5',3,7) /// note there is 2 number following base addr,
/// the 3rd rip-size default to 4 bytes
reassemble(lua53-64.lua_version+5) //// ONE_OFF_mode value can use in reassemble
mov rax,-1
fcomp &r15,calc_rip('lua53-64.lua_version+5',3,7)
mov rbx,[rax] /// similar to jcc, anything between [*dummy] is replaced
mov rax,-1
fcomp &VARNAME,calc_rip('lua53-64.lua_version+5',3,7) /// using store VARIABLE, they must be integer
fcomp &B1Bytes,0x66 /// prepare to use multiple store VARIABLE
fcomp &W2Bytes,0x666
cmp [rax+&W2Bytes],&B1Bytes /// multiple VARIABLE, note that if some value is 64bit, most won't compile in this case
call &VARNAME
mov rax,-1
jmp &VARNAME+&W2Bytes
{
call &VARNAME
mov rax,-1
jmp &VARNAME
}
mov rax,-1
mov rax,-1
mov rax,-1
ret
@@:
mov rax,-1
mov rax,-1
comp(XXXX,calc_rip('lua53-64.lua_version+5',3,7)) /// --> define(XXXX,<calc-result>)
jmp XXXX
mov rax,-1
mov rax,-1
//
{ edited output
__X:
07CF0000- mov eax,10333333
07CF0005- mov rax,FFFFFFFFFFFFFFFF
07CF000F- nop
07CF0010- nop
07CF0011- jmp lua53-64.lua_absindex+20
07CF001F- nop
07CF0020- ja 07CF0024
07CF0022- jmp 07CF0032
07CF0024- jmp lua53-64.lua_absindex+20
07CF0032- mov rax,FFFFFFFFFFFFFFFF
07CF003C- nop
07CF003D- jna 07CF0041
07CF003F- jmp 07CF004F
07CF0041- jmp lua53-64.lua_absindex+20
07CF004F- mov rax,FFFFFFFFFFFFFFFF
07CF0059- mov rax,lua53-64.dll.rdata+9F28
07CF0063- mov rax,FFFFFFFFFFFFFFFF
07CF006D- nop
07CF006E- mov rax,lua53-64.dll.rdata+9F28
07CF0078- mov rax,FFFFFFFFFFFFFFFF
07CF0082- nop
07CF0083- push r15
07CF0085- mov r15,lua53-64.dll.rdata+9F28
07CF008F- mov rbx,[r15]
07CF0092- pop r15
07CF0094- mov rax,FFFFFFFFFFFFFFFF
07CF009E- nop
07CF009F- nop
07CF00A0- nop
07CF00A1- cmp dword ptr [rax+00000666],66
07CF00A8- call lua53-64.dll.rdata+9F28
07CF00B8- mov rax,FFFFFFFFFFFFFFFF
07CF00C2- jmp lua53-64.dll.rdata+A58E
07CF00D0- mov rax,FFFFFFFFFFFFFFFF
07CF00DA- mov rax,FFFFFFFFFFFFFFFF
07CF00E4- mov rax,FFFFFFFFFFFFFFFF
07CF00EE- ret
07CF00EF- mov rax,FFFFFFFFFFFFFFFF
07CF00F9- mov rax,FFFFFFFFFFFFFFFF
07CF0103- jmp lua53-64.dll.rdata+9F28
07CF0111- mov rax,FFFFFFFFFFFFFFFF
07CF011B- mov rax,FFFFFFFFFFFFFFFF
}
|
_________________
- Retarded. |
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
