Autem (Expert Cheater, Reputation: 1, Joined: 30 Jan 2023, Posts: 118)
Posted: Mon Apr 24, 2023 11:05 am
Post subject: Need help with 64bit checking if an address is valid
EDIT: I found a workaround by locating a static address that always has a specific value during the window I need the script running and is never invalid! :)
But if anyone can clarify for the future exactly what the best way to check for an invalid address/value in 64-bit is, that would be greatly appreciated. I did some searching online and found posts claiming "isbadreadptr" might not be a good idea or might be unsafe? Can anyone elaborate on that, and if there's a better alternative, let me know?
-----
Original post: I saw a post by DarkByte about how to check if an address is valid and I tried implementing it into this script, and had to convert pushfd and pushad to 64-bit, etc., but the game crashes at the exact same time it crashes without the validity check.
My goal is to have the rest of the script NOT run if the address it's checking against hasn't been given its value yet and still shows as a "??" value.
(The expected value will be either 0 or 1, which I also cmp for.)
I tried a couple of different approaches and they all have the same result. Here's the most recent attempt:
Code:
define(address,"WWE2K23_x64.exe"+8998F6)
define(bytes,C5 F8 2E C1 7A 06)
define(address2,"WWE2K23_x64.exe"+899930)
define(bytes2,74 76 48 8B 49 28)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000,"WWE2K23_x64.exe"+8998F6)
alloc(adder,4)
alloc(check,4)
label(code)
label(good)
label(return)
check:
dd (float)80
adder:
dd (float)35
newmem:
push rax
push rbx
push rdx
push rsi
push rdi
push rbp
push r8
push r9
push r10
push r11
push r12
push r13
push r14
push r15
push rcx //save flags
push 4 //size in bytes of pointer
lea eax, [rcx]
push eax
call isbadreadptr
mov rax,[rcx+28]
mov rax,[rax+2608]
cmp [rax+c0],0
je good
cmp [rax+c0],1
je good
jmp invalidmemory
good:
// push rax
// mov rax,[rcx+28]
// mov rax,[rax+2608]
// cmp [rax+c0],1
// pop rax
// jne code
comiss xmm1, [rcx+3c]
jb code
comiss xmm1, dword ptr [check]
ja code
addss xmm1, dword ptr [adder]
invalidmemory:
pop r15
pop r14
pop r13
pop r12
pop r11
pop r10
pop r9
pop r8
pop rbp
pop rdi
pop rsi
pop rdx
pop rbx
pop rax
code:
vucomiss xmm0,xmm1
jp WWE2K23_x64.exe+899902
jmp return
address:
jmp newmem
nop
return:
assert(address2,bytes2)
alloc(newmem2,$1000,"WWE2K23_x64.exe"+899930)
label(code2)
label(return2)
newmem2:
code2:
jmp WWE2K23_x64.exe+8999A8 //je to restore stunbar gui
mov rcx,[rcx+28]
jmp return2
address2:
jmp newmem2
nop
return2:
[DISABLE]
address:
db bytes
// vucomiss xmm0,xmm1
// jp WWE2K23_x64.exe+899902
dealloc(newmem)
dealloc(adder)
dealloc(check)
{
// ORIGINAL CODE - INJECTION POINT: WWE2K23_x64.exe+8998F6
WWE2K23_x64.exe+8998CB: 57 - push rdi
WWE2K23_x64.exe+8998CC: 41 56 - push r14
WWE2K23_x64.exe+8998CE: 48 81 EC 80 00 00 00 - sub rsp,00000080
WWE2K23_x64.exe+8998D5: C5 F8 29 74 24 70 - vmovaps [rsp+70],xmm6
WWE2K23_x64.exe+8998DB: 48 8B 05 26 97 C6 02 - mov rax,[WWE2K23_x64.exe+3503008]
WWE2K23_x64.exe+8998E2: 48 33 C4 - xor rax,rsp
WWE2K23_x64.exe+8998E5: 48 89 44 24 68 - mov [rsp+68],rax
WWE2K23_x64.exe+8998EA: 41 0F B6 E8 - movzx ebp,r8b
WWE2K23_x64.exe+8998EE: 48 8B D9 - mov rbx,rcx
WWE2K23_x64.exe+8998F1: C5 FA 10 41 3C - vmovss xmm0,[rcx+3C]
// ---------- INJECTING HERE ----------
WWE2K23_x64.exe+8998F6: C5 F8 2E C1 - vucomiss xmm0,xmm1
// ---------- DONE INJECTING ----------
WWE2K23_x64.exe+8998FA: 7A 06 - jp WWE2K23_x64.exe+899902
WWE2K23_x64.exe+8998FC: 0F 84 DE 01 00 00 - je WWE2K23_x64.exe+899AE0
WWE2K23_x64.exe+899902: C5 FA 11 49 3C - vmovss [rcx+3C],xmm1
WWE2K23_x64.exe+899907: 80 79 38 00 - cmp byte ptr [rcx+38],00
WWE2K23_x64.exe+89990B: 74 0A - je WWE2K23_x64.exe+899917
WWE2K23_x64.exe+89990D: C5 FA 10 35 87 A3 96 02 - vmovss xmm6,[WWE2K23_x64.exe+3203C9C]
WWE2K23_x64.exe+899915: EB 08 - jmp WWE2K23_x64.exe+89991F
WWE2K23_x64.exe+899917: 48 8B 41 30 - mov rax,[rcx+30]
WWE2K23_x64.exe+89991B: C5 F2 5E 30 - vdivss xmm6,xmm1,[rax]
WWE2K23_x64.exe+89991F: 48 8B 41 30 - mov rax,[rcx+30]
}
address2:
db bytes2
// je WWE2K23_x64.exe+8999A8
// mov rcx,[rcx+28]
dealloc(newmem2)
{
// ORIGINAL CODE - INJECTION POINT: WWE2K23_x64.exe+899930
WWE2K23_x64.exe+899907: 80 79 38 00 - cmp byte ptr [rcx+38],00
WWE2K23_x64.exe+89990B: 74 0A - je WWE2K23_x64.exe+899917
WWE2K23_x64.exe+89990D: C5 FA 10 35 87 A3 96 02 - vmovss xmm6,[WWE2K23_x64.exe+3203C9C]
WWE2K23_x64.exe+899915: EB 08 - jmp WWE2K23_x64.exe+89991F
WWE2K23_x64.exe+899917: 48 8B 41 30 - mov rax,[rcx+30]
WWE2K23_x64.exe+89991B: C5 F2 5E 30 - vdivss xmm6,xmm1,[rax]
WWE2K23_x64.exe+89991F: 48 8B 41 30 - mov rax,[rcx+30]
WWE2K23_x64.exe+899923: C5 F8 2F 70 04 - vcomiss xmm6,[rax+04]
WWE2K23_x64.exe+899928: 40 0F 93 C6 - setae sil
WWE2K23_x64.exe+89992C: 40 3A 71 61 - cmp sil,[rcx+61]
// ---------- INJECTING HERE ----------
WWE2K23_x64.exe+899930: 74 76 - je WWE2K23_x64.exe+8999A8
// ---------- DONE INJECTING ----------
WWE2K23_x64.exe+899932: 48 8B 49 28 - mov rcx,[rcx+28]
WWE2K23_x64.exe+899936: E8 15 4B E5 FF - call WWE2K23_x64.exe+6EE450
WWE2K23_x64.exe+89993B: 85 C0 - test eax,eax
WWE2K23_x64.exe+89993D: 75 69 - jne WWE2K23_x64.exe+8999A8
WWE2K23_x64.exe+89993F: 48 8B 05 9A D5 F5 02 - mov rax,[WWE2K23_x64.exe+37F6EE0]
WWE2K23_x64.exe+899946: 4C 8B B0 58 01 00 00 - mov r14,[rax+00000158]
WWE2K23_x64.exe+89994D: 41 B8 08 00 00 00 - mov r8d,00000008
WWE2K23_x64.exe+899953: 49 8B 16 - mov rdx,[r14]
WWE2K23_x64.exe+899956: 41 8D 48 18 - lea ecx,[r8+18]
WWE2K23_x64.exe+89995A: E8 11 77 9D FF - call WWE2K23_x64.exe+271070
}
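On the "is isbadreadptr unsafe" question raised in the post: probing an address by dereferencing it inside an exception handler (which is what IsBadReadPtr does) can consume the fault that the stack's guard page relies on, and it races with any other thread that may unmap the page between the probe and the real read. It also says nothing about whether a pointer that happens to land in readable memory is the pointer you wanted. The example below is added here and is not from the post, from Cheat Engine or from DarkByte's code; it checks readability by asking the OS for the page mapping (VirtualQuery on Windows, /proc/self/maps on Linux, both real interfaces) and then follows a pointer chain hop by hop, treating a null intermediate pointer as "not populated yet", which is the condition the post describes. The object layout in the self-check is constructed for the demo and does not correspond to the game.

```c
// Added example (not from the forum post): check address readability via the
// OS page map instead of touching the memory, then walk a pointer chain safely.
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
/* Every region covering [addr, addr+len) must be committed and not
   PAGE_NOACCESS/PAGE_GUARD. This is a snapshot, so it does not remove the
   race with other threads entirely, but it never triggers a fault. */
int is_readable(const void *addr, size_t len) {
    const unsigned char *p = (const unsigned char *)addr, *end = p + len;
    if (len == 0 || end < p) return 0;              /* empty or wrapped range */
    while (p < end) {
        MEMORY_BASIC_INFORMATION mbi;
        if (VirtualQuery(p, &mbi, sizeof mbi) == 0) return 0;
        if (mbi.State != MEM_COMMIT) return 0;
        if (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)) return 0;
        p = (const unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
    return 1;
}
#else
/* POSIX equivalent: /proc/self/maps lists mapped ranges (ascending) with
   their permissions; require the range to be covered by 'r' mappings. */
int is_readable(const void *addr, size_t len) {
    uintptr_t p = (uintptr_t)addr, end = p + len;
    if (len == 0 || end < p) return 0;
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return 0;                            /* cannot decide: treat as unreadable */
    char line[512];
    while (p < end && fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (p < lo) break;                          /* gap before next mapping: unmapped */
        if (p >= hi) continue;                      /* mapping ends before p */
        if (perms[0] != 'r') break;                 /* mapped but not readable */
        p = hi;                                     /* covered up to hi, keep going */
    }
    fclose(maps);
    return p >= end;
}
#endif

/* Follow a chain like [base+off0] -> [+off1] -> ... ; the last offset addresses
   the final byte. Each hop is validated before it is dereferenced, and a null
   pointer at any hop means the structure is not populated yet. A page-level
   check alone cannot catch that, so the null check is part of validation. */
int read_chain_u8(const void *base, const size_t *offs, size_t n, unsigned char *out) {
    const unsigned char *cur = (const unsigned char *)base;
    if (n == 0) return 0;
    for (size_t i = 0; i + 1 < n; i++) {
        if (cur == NULL) return 0;
        const unsigned char *slot = cur + offs[i];
        if (!is_readable(slot, sizeof(void *))) return 0;
        void *next;
        memcpy(&next, slot, sizeof next);           /* read the pointer stored at the hop */
        cur = (const unsigned char *)next;
    }
    if (cur == NULL) return 0;
    const unsigned char *last = cur + offs[n - 1];
    if (!is_readable(last, 1)) return 0;
    *out = *last;
    return 1;
}

/* Self-check on a constructed object graph (demo data, not game structures):
   obj.child -> leaf.flag. Returns the flag byte, or -1 if the chain fails. */
typedef struct { unsigned char flag; } leaf_t;
typedef struct { void *unused; leaf_t *child; } obj_t;

int demo_chain(int populate) {
    static leaf_t leaf = { 1 };
    obj_t obj = { NULL, populate ? &leaf : NULL }; /* unpopulated = null child */
    size_t offs[] = { offsetof(obj_t, child), offsetof(leaf_t, flag) };
    unsigned char v = 0xFF;
    return read_chain_u8(&obj, offs, 2, &v) ? (int)v : -1;
}

int demo_stack_readable(void) { int x = 0; return is_readable(&x, sizeof x); }

int main(void) {
    printf("populated chain: %d\n", demo_chain(1));
    printf("unpopulated chain: %d\n", demo_chain(0));
    printf("NULL readable: %d\n", is_readable(NULL, 8));
    return 0;
}
```

The design point for the script in the post is the second function: the failure mode described ("??" because the value has not been written yet) is an unpopulated pointer chain, so the check that matters is done per hop (null test, then readability) before the final cmp against 0 or 1, and the page-map query replaces the in-process probe that IsBadReadPtr performs.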