Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Allocated memory jump messing up following instructions

Punz1A4
Cheater
Reputation: 0

Joined: 10 Jun 2016
Posts: 25

Posted: Sat Aug 19, 2017 11:24 am    Post subject: Allocated memory jump messing up following instructions

I've been playing around with the ppsspp emulator (Kingdom Hearts Birth By Sleep), and because CE's automated AOB injection function from the auto assembler never managed to find a unique AOB, I had to use the AOB scan function manually.

The problem is that after activating the script, CE correctly jumps to the allocated memory but messes up the two opcodes that followed the instruction at which the code is being injected.

The script doesn't do anything special; it's just the original code.

I noticed that the byte code for the jump to the allocated code is longer than the byte code of the original instruction - could this be the source of the problem?

My code with some additional comments:
Code:
[ENABLE]

aobscan(moneys,44 89 84 33 24250000 44 0FB6 44 3B 31     42 8B B4 0B 705E0000 41 81 E0 FF000000    66 44 89 84 33 2C250000 44 0FB6 44 3B 35     42 8B B4 0B 705E0000 41 81 E0 FF000000    66 44 89 84 33 4A250000 44 0FB6 44 3B 32     42 8B B4 0B 705E0000 41 81 E0 FF000000    66 44 89 84 33 4E250000 44 0FB6 44 3B 33     42 8B B4 0B 705E0000 41 81 E0 FF000000    66 44 89 84 33 38250000 44 0FB6 44 3B 34     42 8B B4 0B 705E0000 41 81 E0 FF000000    66 44 89 84 33 3A250000 44 0FBF 44 3B 38     42 8B B4 0B 705E0000 66 44 89 84 33 40250000 44 0FBF 44 3B 3A     42 8B B4 0B 705E0000 66 44 89 84 33 42250000 44 0FBF 44 3B 3C     42 8B B4 0B 705E0000 66 44 89 84 33 44250000 44 0FBF 44 3B 3E     42 8B B4 0B 705E0000 66 44 89 84 33 46250000 44 0FBF 44 3B 40     42 8B B4 0B 705E0000 66 44 89 84 33 48250000 44 0FB6 44 3B 37     42 8B B4 0B 705E0000 41 81 E0 FF000000    66 44 89 84 33 3C250000 44 8B 44 3B 08       42 8B B4 0B 705E0000 44 89 84 33 28250000 44 0FB6 44 3B 36     46 8B 8C 0B 705E0000 41 81 E0 FF000000    66 46 89 84 0B DA270000 45 8B 46 C4          45 89 46 90          45 89 4E 94          41 89 76 98          41 C7 46 FC 7CE8A508 83 2D ???????? 44)
// yes, it had to be this long
alloc(newmem,$1000)   // $1000 = 1000 in hex = 4096 bytes allocated

label(code)
label(return)

newmem:

code:
  mov [rbx+rsi+00002524],r8d   // original code
  jmp return

moneys:
  jmp newmem
  nop
  nop
  nop
//  db 44 0F B6 44 3B 31                  // I wanted to fix the two messed up instructions this way but since the byte code for the jump newmem is longer than the original instruction, this eats up instructions that would normally follow this code
//  db 42 8B B4 0B 70 5E 00 00
return:
registersymbol(moneys)

[DISABLE]

moneys:
  db 44 89 84 33 24 25 00 00      // original code
  db 44 0F B6 44 3B 31               // had to add this and the one below to fix the messed up code (two following instructions I was talking about)
  db 42 8B B4 0B 70 5E 00 00

unregistersymbol(moneys)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 13EFC9587

13EFC953E: 42 8B B4 0B 70 5E 00 00     -  mov esi,[rbx+r9+00005E70]
13EFC9546: 66 44 89 84 33 36 25 00 00  -  mov [rbx+rsi+00002536],r8w
13EFC954F: 46 8B 84 0B 70 5E 00 00     -  mov r8d,[rbx+r9+00005E70]
13EFC9557: 0F B7 74 3B 20              -  movzx esi,word ptr [rbx+rdi+20]
13EFC955C: 66 42 89 B4 03 34 25 00 00  -  mov [rbx+r8+00002534],si
13EFC9565: 44 8B 44 3B 00              -  mov r8d,[rbx+rdi+00]
13EFC956A: 42 8B B4 0B 70 5E 00 00     -  mov esi,[rbx+r9+00005E70]
13EFC9572: 44 89 84 33 20 25 00 00     -  mov [rbx+rsi+00002520],r8d
13EFC957A: 44 8B 44 3B 04              -  mov r8d,[rbx+rdi+04]
13EFC957F: 42 8B B4 0B 70 5E 00 00     -  mov esi,[rbx+r9+00005E70]
// ---------- INJECTING HERE ----------
13EFC9587: 44 89 84 33 24 25 00 00     -  mov [rbx+rsi+00002524],r8d
// ---------- DONE INJECTING  ----------
13EFC958F: 44 0F B6 44 3B 31           -  movzx r8d,byte ptr [rbx+rdi+31]  // this one is getting messed up
13EFC9595: 42 8B B4 0B 70 5E 00 00     -  mov esi,[rbx+r9+00005E70] // this one is also getting messed up
13EFC959D: 41 81 E0 FF 00 00 00        -  and r8d,000000FF
13EFC95A4: 66 44 89 84 33 2C 25 00 00  -  mov [rbx+rsi+0000252C],r8w
13EFC95AD: 44 0F B6 44 3B 35           -  movzx r8d,byte ptr [rbx+rdi+35]
13EFC95B3: 42 8B B4 0B 70 5E 00 00     -  mov esi,[rbx+r9+00005E70]
13EFC95BB: 41 81 E0 FF 00 00 00        -  and r8d,000000FF
13EFC95C2: 66 44 89 84 33 4A 25 00 00  -  mov [rbx+rsi+0000254A],r8w
13EFC95CB: 44 0F B6 44 3B 32           -  movzx r8d,byte ptr [rbx+rdi+32]
13EFC95D1: 42 8B B4 0B 70 5E 00 00     -  mov esi,[rbx+r9+00005E70]
}


So basically I am able to fix the code after disabling the script, but I can't find a way to fix the running script code.

I attached a screenshot of the activated script memory fragment.

Also, the messed up code is the remaining bytes of the two instructions that followed the original code:
Code:
13EFC958F: 44 0F B6 44 3B 31           -  movzx r8d,byte ptr [rbx+rdi+31]
13EFC9595: 42 8B B4 >0B 70 5E 00 00<    -  mov esi,[rbx+r9+00005E70]


Can this be fixed somehow?

EDIT:
Well, I found a workaround by placing the two messed up instructions in the injected code and adding 5 nops, but it's not a very good option, because if some jump instruction wants to jump to one of these two instructions the game / emulator will crash....

Is there a better way to do it?

Code:
code:
  mov [rbx+rsi+00002524],r8d
  db 44 0F B6 44 3B 31
  db 42 8B B4 0B 70 5E 00 00
  jmp return

moneys:
  jmp newmem
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
//  db 44 0F B6 44 3B 31
//  db 42 8B B4 0B 70 5E 00 00
return:
registersymbol(moneys)


EDIT2:
Actually, I can remove all nops, because it frees 8 bytes, which is exactly how many the 2nd instruction needs (db 42 8B B4 0B 70 5E 00 00); however, there will still be one additional instruction left that has to stay in the injected code, so the question is still the same...



Attachment: ppsspp_problem1.PNG (Filesize: 20.83 KB, Viewed: 3300 time(s))
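As an added example (not code from the original post), here is a small Python script that parses the listing in the post's own "ADDR: BYTES - mnemonic" format and computes what a hook of a given length overwrites at the injection point, which instructions must be re-emitted in the allocated block, and how much padding makes the hook end on an instruction boundary. The 14-byte hook size is an assumption about the jump CE emitted: a 64-bit absolute jump (jmp [rip+0] followed by the 8-byte target) occupies 14 bytes, and that size reproduces both the leftover bytes 0B 70 5E 00 00 and the 5-nop padding reported above, whereas a 5-byte rel32 jmp would cover the 8-byte original instruction cleanly.

```python
import re

# One listing line in the post's own format: "ADDR: BYTES - mnemonic [// comment]".
LINE_RE = re.compile(
    r"^([0-9A-Fa-f]+):\s+((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})\s+-\s+(.*?)\s*(?://.*)?$")

# Instructions copied from the post's listing, starting at the injection point (a subset).
LISTING = """\
13EFC9587: 44 89 84 33 24 25 00 00     -  mov [rbx+rsi+00002524],r8d
13EFC958F: 44 0F B6 44 3B 31           -  movzx r8d,byte ptr [rbx+rdi+31]
13EFC9595: 42 8B B4 0B 70 5E 00 00     -  mov esi,[rbx+r9+00005E70]
13EFC959D: 41 81 E0 FF 00 00 00        -  and r8d,000000FF
"""
INJECT = 0x13EFC9587

def parse_listing(text):
    """Return (address, raw bytes, mnemonic) tuples in listing order."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            raw = bytes.fromhex(m.group(2).replace(" ", ""))
            insns.append((int(m.group(1), 16), raw, m.group(3).strip()))
    return insns

def jmp_len(src, dst):
    """Smallest unconditional jmp from src to dst: 5 bytes (E9 rel32) when the
    displacement fits in a signed 32-bit value, else 14 bytes (FF 25 00000000 plus
    the 8-byte absolute target), needed when the target lies beyond +-2 GiB."""
    disp = dst - (src + 5)
    return 5 if -2**31 <= disp < 2**31 else 14

def hook_footprint(insns, hook_len, inject=INJECT):
    """What a hook_len-byte patch written at inject overwrites.
    clobbered: mnemonics whose first byte lies inside the patch;
    leftover : tail bytes of a partially overwritten instruction, i.e. what the
               CPU would decode right after the patch (empty when it ends cleanly);
    pad      : nops needed so the patch ends on an instruction boundary;
    relocate : clobbered instructions besides the original one that must be
               re-emitted inside the allocated block."""
    end = inject + hook_len
    clobbered, leftover, pad = [], b"", 0
    for addr, raw, mnem in insns:
        if inject <= addr < end:
            clobbered.append(mnem)
            if addr + len(raw) > end:          # patch stops mid-instruction
                leftover, pad = raw[end - addr:], addr + len(raw) - end
    return {"clobbered": clobbered, "leftover": leftover, "pad": pad,
            "relocate": clobbered[1:]}
```

Calling `hook_footprint(parse_listing(LISTING), 14 + 3)` reproduces the post's symptom (three instructions hit, 5 leftover bytes), while `hook_footprint(parse_listing(LISTING), 14)` shows the EDIT2 layout with only the movzx needing relocation.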


All times are GMT - 6 Hours