++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Thu Jan 28, 2016 2:32 pm Post subject: Call Sleep Function For x64
Has anyone had success getting the call to the Sleep function to work properly on 64-bit targets? I have tried several different approaches on two different targets, using the proper calling conventions, but I can't get it to work. One game crashes and the other just freezes up.
Thanks.
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Thu Jan 28, 2016 3:25 pm
Code:
    mov rcx,#500
    call Sleep
Post the AA script you are currently using.
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Thu Jan 28, 2016 3:56 pm
Might need stack alignment and reservation if the code injection is done in a function that didn't intend to call other functions (e.g. sub rsp,28 / add rsp,28).
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Thu Jan 28, 2016 4:01 pm
I've tried that. Nothing seems to work.
As a test, I had CE auto-create a script for Minesweeper (Win 7 x64) that doesn't change anything. Untouched, it works fine. Adding the Sleep call freezes/crashes the target.
EDIT:
@Dark Byte - I've tried that also, on the other target, but not on Minesweeper. Let me try and report back.
EDIT2:
It seems to work as intended on Minesweeper. Thanks!
Unfortunately, for the target process that I am working on, it does not work. The speedhack doesn't work on it, either, so I suppose it's an isolated case.
Thanks for the help, guys. I appreciate it.
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Thu Jan 28, 2016 4:19 pm
@Dark Byte, the Sleep function doesn't back up XMM registers (movdqa, movaps or movapd) on the stack.
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Fri Jan 29, 2016 12:55 am
mgr.inz.Player wrote:
    @Dark Byte, the Sleep function doesn't back up XMM registers (movdqa, movaps or movapd) on the stack.
No, but it could use the bytes of scratch space to store the rcx parameter if it needs to use it for something else.
Without that allocation the stack could get corrupted.
++METHOS, try sub rsp,20 / add rsp,20. Perhaps the stack is already aligned, but there is not enough space (or the injection is at a point where that space is still used by something else).
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Fri Jan 29, 2016 4:59 am
Thanks, Dark Byte. That did the trick!
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Fri Jan 29, 2016 8:14 am
Probably it is not an alignment problem. I think your injection point is inside a function, and that function doesn't call any other function. It doesn't reserve 0x20 bytes because it doesn't need to; maybe it only reserves space on the stack for local variables. Calling Sleep causes those local variables to be overwritten, and a crash.
In the 64-bit architecture, a caller must reserve those 32 bytes; also,
the caller must presume that volatile registers are destroyed across a call.
Read: https://msdn.microsoft.com/en-us/library/9z1stfyw.aspx
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Fri Jan 29, 2016 9:37 am
Not sure. The injection point is a basic instruction that handles player coordinates:
Code:
    SUBPS XMM2,[RDI+70]
I can post more, if you like.
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Fri Jan 29, 2016 11:21 am
After looking into that link provided by mgr.inz.Player, I'm pretty certain it's because of this:
Quote:
    The caller is responsible for allocating space for parameters to the callee, and must always allocate sufficient space for the 4 register parameters, even if the callee doesn't have that many parameters.
So while Sleep may preserve RSP, it may not preserve the values in the stack if you don't give it enough space.
If you want to find out if this really is the problem, set a breakpoint just before your call to Sleep and see if any of those 32 bytes change after you step over the call.
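A stand-alone demonstration of the point made in the last three posts, added here as an example and not code from the thread or from Cheat Engine: a hypothetical stand-in for Sleep that uses its 32-byte shadow space the way the Microsoft x64 ABI permits (it homes rcx there and uses the remaining slots as scratch), called from two stubs that mimic an injection into a function whose local variables sit right at rsp. The first stub calls it the way the first post did; the second wraps the call in Dark Byte's sub rsp,20 / add rsp,20. It assumes x86-64 GCC or Clang on a SysV host such as Linux (the stubs take their pointer argument in rdi), and the names fake_sleep, hook_without_shadow, hook_with_shadow, run_hook and locals_survive are mine.

```c
/* Added example (not from the thread or Cheat Engine): a hypothetical
 * MS-ABI callee standing in for Sleep, plus two stubs that mimic an
 * injection into a function whose locals sit right at rsp.
 * Assumes x86-64 GCC/Clang on a SysV host such as Linux. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

void hook_without_shadow(uint64_t locals[4]);  /* injected call as first posted */
void hook_with_shadow(uint64_t locals[4]);     /* same, with sub/add rsp,20 */

__asm__(
    ".intel_syntax noprefix\n"
    ".text\n"
    /* fake_sleep: the ABI says the 32 bytes above the return address are
     * the callee's to use, so home rcx there and scribble on the rest. */
    "fake_sleep:\n"
    "    mov [rsp+8], rcx\n"
    "    mov qword ptr [rsp+16], 0x2222\n"
    "    mov qword ptr [rsp+24], 0x3333\n"
    "    mov qword ptr [rsp+32], 0x4444\n"
    "    ret\n"
    /* Victim frame: four qword locals at [rsp..rsp+31] (copied in from the
     * C array), the injected code, then the locals copied back out. */
    ".globl hook_without_shadow\n"
    "hook_without_shadow:\n"
    "    push rbx\n"
    "    mov rbx, rdi\n"                /* rbx is callee-saved, survives the call */
    "    sub rsp, 32\n"
    "    movups xmm0, [rbx]\n"
    "    movups [rsp], xmm0\n"
    "    movups xmm0, [rbx+16]\n"
    "    movups [rsp+16], xmm0\n"
    /* --- injected code, no shadow space reserved --- */
    "    mov rcx, 500\n"
    "    call fake_sleep\n"             /* callee's [rsp+8..rsp+39] are our locals */
    /* --- end injected code --- */
    "    movups xmm0, [rsp]\n"
    "    movups [rbx], xmm0\n"
    "    movups xmm0, [rsp+16]\n"
    "    movups [rbx+16], xmm0\n"
    "    add rsp, 32\n"
    "    pop rbx\n"
    "    ret\n"
    ".globl hook_with_shadow\n"
    "hook_with_shadow:\n"
    "    push rbx\n"
    "    mov rbx, rdi\n"
    "    sub rsp, 32\n"
    "    movups xmm0, [rbx]\n"
    "    movups [rsp], xmm0\n"
    "    movups xmm0, [rbx+16]\n"
    "    movups [rsp+16], xmm0\n"
    /* --- injected code with the fix: 0x20 bytes the callee may use.
     * rsp is 16-aligned here; if the injection point leaves it off by 8,
     * 0x28 (Dark Byte's first suggestion) fixes alignment as well. --- */
    "    sub rsp, 32\n"
    "    mov rcx, 500\n"
    "    call fake_sleep\n"
    "    add rsp, 32\n"
    /* --- end injected code --- */
    "    movups xmm0, [rsp]\n"
    "    movups [rbx], xmm0\n"
    "    movups xmm0, [rsp+16]\n"
    "    movups [rbx+16], xmm0\n"
    "    add rsp, 32\n"
    "    pop rbx\n"
    "    ret\n"
    ".att_syntax prefix\n"
);

/* Seed four known locals (constructed values), run one variant, return them in out[]. */
void run_hook(int with_shadow, uint64_t out[4]) {
    out[0] = 0xA1; out[1] = 0xB2; out[2] = 0xC3; out[3] = 0xD4;
    if (with_shadow) hook_with_shadow(out); else hook_without_shadow(out);
}

/* 1 if the victim's locals survived the injected call, 0 if they were clobbered. */
int locals_survive(int with_shadow) {
    uint64_t v[4];
    run_hook(with_shadow, v);
    return v[0] == 0xA1 && v[1] == 0xB2 && v[2] == 0xC3 && v[3] == 0xD4;
}

int main(void) {
    for (int with_shadow = 0; with_shadow < 2; with_shadow++) {
        uint64_t v[4];
        run_hook(with_shadow, v);
        printf("%s sub rsp,20: locals = %" PRIx64 " %" PRIx64 " %" PRIx64 " %" PRIx64 " (%s)\n",
               with_shadow ? "with   " : "without", v[0], v[1], v[2], v[3],
               locals_survive(with_shadow) ? "intact" : "clobbered");
    }
    return 0;
}
```

Build and run with `cc shadow.c -o shadow && ./shadow`: the first line shows the victim's four locals replaced by 500 (the homed rcx) and the callee's scratch values, the second shows them intact, which is exactly the difference ParkourPenguin's breakpoint check would reveal on the real target. The stubs here are the entire function, so they do not bother saving the volatile registers (rcx, xmm0 and friends) they clobber; a real AA script injected into the middle of a function must push/pop any volatile register the surrounding code still needs, as mgr.inz.Player notes.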