Cheat Engine forum: The Official Site of Cheat Engine
Shademp (How do I cheat?, Reputation: 0, Joined: 21 Mar 2017, Posts: 9, Location: Sweden)
Posted: Mon Mar 12, 2018 9:45 am
Post subject: Q: Can one read operations happening between XMM registers?
Is it even accurate to say that XMM registers perform operations on each other?
The reason I ask is because I recently solved an encryption where it turned out the bitmask was placed in the xmm1 register.
xmm0: 0B 05 DA E3 91 78 23 D9 [ENCRYPTED BYTES]
xmm1: 6C 70 B4 C3 D3 0D 4F B5 [BITMASK]
xmm2: 67 75 6E 20 42 75 6C 6C [DECRYPTED BYTES]
xmm0 is filtered through xmm1 with an XOR operation, resulting in xmm2. These decrypted values are then sent back to the proper addresses.
But if I didn't know that a XOR operation was taking place, could I learn this by viewing the disassembler? So far I haven't been able to make sense of what I'm seeing in the disassembler, but with some help I might.
I may have further questions as I'm interested in anything that might help me solve encryptions.
ParkourPenguin (I post too much, Reputation: 140, Joined: 06 Jul 2014, Posts: 4290)
Posted: Mon Mar 12, 2018 10:05 am
xmm registers store memory. They are used as operands in instructions; they don't do operations. You're probably looking for a pxor, xorpd, or xorps instruction somewhere.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
Shademp (How do I cheat?, Reputation: 0, Joined: 21 Mar 2017, Posts: 9, Location: Sweden)
Posted: Mon Mar 12, 2018 12:07 pm
To show what I'm looking at, here is the disassembler activity for when the address values [ecx] with encrypted bytes are first accessed and moved to xmm0 (see first step) and at last the decrypted bytes in xmm2 are moved back to ecx (final step).
Code:
movlps xmm0,[ecx]
movlps [edx],xmm0
mov eax,[pcsx2.exe+609B30] { [00000000] }
shl eax,03 { 3 }
cdq
mov [pcsx2.exe+609B30],eax { [000000C0] }
mov [pcsx2.exe+609B34],edx { [00000000] }
add dword ptr [pcsx2.exe+609B70],01 { [00FD4800] }
lahf
sar ax,0F { 15 }
cwde
mov [pcsx2.exe+609B74],eax { [00000000] }
mov eax,[pcsx2.exe+609B30] { [00000140] }
add eax,[pcsx2.exe+609B80] { [00451F98] }
cdq
mov [pcsx2.exe+609B30],eax { [30D40000] }
mov [pcsx2.exe+609B34],edx { [00000000] }
mov edx,pcsx2.exe+609B20 { [00000001] }
mov ecx,[pcsx2.exe+609B30] { [0000002B] }
mov eax,ecx
shr eax,0C { 12 }
mov eax,[eax*4+0E2DD030]
mov ebx,300D2EFC { [2.65] }
add ecx,eax
js pcsx2.exe+1FC00C0
movlps xmm1,[ecx]
movlps [edx],xmm1
mov eax,[pcsx2.exe+609B20] { [00000000] }
xor [pcsx2.exe+609B40],eax { [00000000] }
mov eax,[pcsx2.exe+609B24] { [00000000] }
xor [pcsx2.exe+609B44],eax { [00000000] }
mov edx,pcsx2.exe+609B40 { [00000008] }
mov ecx,[pcsx2.exe+609B60] { [00000000] }
mov eax,ecx
shr eax,0C { 12 }
mov eax,[eax*4+0E2DD030]
mov ebx,300D2F3C { [9C000D8B] }
add ecx,eax
js pcsx2.exe+1FC0280
movlps xmm2,[edx]
movlps [ecx],xmm2
I can't see where the bitmask is being retrieved from and where the actual xor operation is happening, even though there are two instances above of xor being used. I understand perfectly if nobody wants to do a step-by-step deconstruction of the long list shown above, but even just pointers to "this is where the bitmask is retrieved" and "this is where the xor happens" would be helpful.
In the pcsx2.exe+609B40 address area there is always too much activity happening too fast for me to spot anything. Is there a way to freeze all activity or at least slow things down well enough that I can take snapshots? The standard speedhack function can only slow down the emulator so much.
ParkourPenguin (I post too much, Reputation: 140, Joined: 06 Jul 2014, Posts: 4290)
Posted: Mon Mar 12, 2018 1:25 pm
"movlps xmm0,[ecx]" is reading the value, "movlps xmm1,[ecx]" is reading the key, they are xor'd where the two xor instructions are, and "movlps [ecx],xmm2" writes the result back into memory somewhere.
Shademp wrote:
Is there a way to freeze all activity or at least slow things down well enough that I can take snapshots?
Right click on an instruction and select "Break and trace". The next time a thread passes by, CE will store information as it runs for a few instructions. If those instructions also access other addresses, pause the process first (advanced options menu), set the break and trace, put a condition on that breakpoint (right click), and resume.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
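The two answers above (xmm registers only hold data and are operands of a pxor/xorps, and in this trace the xor is actually done on memory after movlps stores) are illustrated by the following C program. It is an added example, not code from the thread or from PCSX2: the `scratch` struct and its field names are hypothetical stand-ins for the fixed slots the trace writes through (pcsx2.exe+609B20 and pcsx2.exe+609B40), and the sample bytes are the three 8-byte values quoted in the first post. The scalar path mirrors the trace instruction by instruction; the vector path shows the same xor as a compiler would emit it natively, with one pxor between xmm registers. The last helper shows the usual shortcut when the key load is hard to find: XOR is its own inverse, so a known plaintext/ciphertext pair gives the key directly.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#ifdef __SSE2__
#include <emmintrin.h>   /* _mm_loadl_epi64 / _mm_xor_si128 / _mm_storel_epi64 */
#endif

/* Constructed sample: the three 8-byte values quoted in the thread, in the
 * byte order Cheat Engine shows them (lowest address first). */
static const uint8_t kCipher[8] = {0x0B,0x05,0xDA,0xE3,0x91,0x78,0x23,0xD9};
static const uint8_t kKey[8]    = {0x6C,0x70,0xB4,0xC3,0xD3,0x0D,0x4F,0xB5};
static const uint8_t kPlain[8]  = {0x67,0x75,0x6E,0x20,0x42,0x75,0x6C,0x6C};

/* Hypothetical stand-in for the two fixed scratch slots the trace writes
 * through (modelled on pcsx2.exe+609B20 and pcsx2.exe+609B40). */
struct scratch {
    uint8_t key_slot[8];   /* "movlps [edx],xmm1" lands here                 */
    uint8_t work_slot[8];  /* "movlps [edx],xmm0" lands here, xor'd in place  */
};

/* Scalar version that follows the trace step by step: the xmm registers only
 * ferry 8 bytes in and out of memory; the actual xor is two 32-bit
 * "xor [mem],eax" instructions on the work slot. */
void xor_decrypt64_scalar(uint8_t *inout, const uint8_t key[8], struct scratch *s)
{
    uint32_t w, k;
    memcpy(s->work_slot, inout, 8);            /* movlps xmm0,[ecx] ; movlps [edx],xmm0 */
    memcpy(s->key_slot, key, 8);               /* movlps xmm1,[ecx] ; movlps [edx],xmm1 */
    for (int i = 0; i < 8; i += 4) {           /* low dword first, then high dword      */
        memcpy(&w, s->work_slot + i, 4);
        memcpy(&k, s->key_slot + i, 4);        /* mov eax,[key_slot+i]                  */
        w ^= k;                                /* xor [work_slot+i],eax                 */
        memcpy(s->work_slot + i, &w, 4);
    }
    memcpy(inout, s->work_slot, 8);            /* movlps xmm2,[edx] ; movlps [ecx],xmm2 */
}

/* Same transformation as native SSE2 code would do it: one pxor between xmm
 * registers, no detour through memory. Falls back to the scalar path when the
 * SSE2 intrinsics are not available on the build target. */
void xor_decrypt64_vector(uint8_t *inout, const uint8_t key[8])
{
#ifdef __SSE2__
    __m128i c = _mm_loadl_epi64((const __m128i *)inout);      /* movq xmm0,[mem]      */
    __m128i k = _mm_loadl_epi64((const __m128i *)key);        /* movq xmm1,[mem]      */
    _mm_storel_epi64((__m128i *)inout, _mm_xor_si128(c, k));  /* pxor ; movq [mem],xmm */
#else
    struct scratch s;
    xor_decrypt64_scalar(inout, key, &s);
#endif
}

/* XOR is its own inverse, so a known plaintext/ciphertext pair leaks the key:
 * key = cipher ^ plain. Useful when the key load is buried in recompiled code. */
void recover_xor_key(const uint8_t cipher[8], const uint8_t plain[8], uint8_t key_out[8])
{
    for (int i = 0; i < 8; i++)
        key_out[i] = cipher[i] ^ plain[i];
}

/* Runs both decrypt paths and the key recovery on the sample; returns 1 when
 * everything agrees and leaves the decrypted bytes in out. */
int decrypt_sample(uint8_t out[8])
{
    struct scratch s;
    uint8_t vec[8], key[8];
    memcpy(out, kCipher, 8);
    xor_decrypt64_scalar(out, kKey, &s);
    memcpy(vec, kCipher, 8);
    xor_decrypt64_vector(vec, kKey);
    recover_xor_key(kCipher, kPlain, key);
    return memcmp(out, kPlain, 8) == 0
        && memcmp(vec, kPlain, 8) == 0
        && memcmp(key, kKey, 8) == 0;
}

int main(void)
{
    uint8_t out[8];
    int ok = decrypt_sample(out);
    printf("%s: %.8s\n", ok ? "decrypted" : "mismatch", (const char *)out);
    return ok ? 0 : 1;
}
```

With the thread's bytes the decrypted value is the ASCII text "gun Bull", which is why a known-plaintext XOR of that string against the ciphertext returns exactly the key seen in xmm1. When a trace like the one above shows no pxor/xorps at all, look for the store that follows the movlps load and then for scalar xor instructions on that same address range, as in the two "xor [pcsx2.exe+609B40/44],eax" lines.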
Shademp (How do I cheat?, Reputation: 0, Joined: 21 Mar 2017, Posts: 9, Location: Sweden)
Posted: Tue Mar 13, 2018 11:20 am
Thank you so much ParkourPenguin for your help. This is the first time I've used "Break and trace" and I'm finding it to be a useful tool, along with the process pause.
Follow-up question:
At...
- movlps xmm1,[ecx]
...ECX is 21FFFB60 and has a float of value -360.88
Somehow, this becomes the first half of the aforementioned bitmask:
6C 70 B4 C3 D3 0D 4F B5
I have tried running the float through a float → hex converter, but the results are nothing at all like the bitmask that is ultimately entered into the xmm1 register.
How does -360.88 become 6C 70 B4 C3 D3 0D 4F B5?
EDIT: Actually I noticed now that while the float → hex conversion doesn't work, doing the opposite direction, hex → float, gives an approximate result.
B54F0DD3C3B4706C → -360.878
I assume then that -360.88 is approximated into 6C 70 B4 C3 D3 0D 4F B5.
ParkourPenguin (I post too much, Reputation: 140, Joined: 06 Jul 2014, Posts: 4290)
Posted: Tue Mar 13, 2018 11:41 am
A float is 4 bytes, not 8.
Code:
float: -360.8782959
binary32: 1 10000111 01101000111000001101100
32-bit hex: C3B4706C
little endian: 6C 70 B4 C3
_________________
I don't know where I'm going, but I'll figure it out when I get there. |