Punz1A4 Cheater Reputation: 0
Joined: 10 Jun 2016 Posts: 25
Posted: Sat Aug 19, 2017 11:24 am    Post subject: Allocated memory jump messing up following instructions
I've been playing around with the ppsspp emulator (Kingdom Hearts Birth By Sleep) and because CE's automated AOB Injection function from the auto assembler never managed to find a unique AOB, I had to use the AOB scan function manually.
The problem is that after activating the script, CE correctly jumps to the allocated memory but messes up the two opcodes that follow the instruction at which the code is being injected.
The script doesn't do anything special; it's just the original code.
I noticed that the byte code for the jump to the allocated code is longer than the byte code of the original instruction - could this be the source of the problem?
My code with some additional comments:
Code:
[ENABLE]
aobscan(moneys,44 89 84 33 24250000 44 0FB6 44 3B 31 42 8B B4 0B 705E0000 41 81 E0 FF000000 66 44 89 84 33 2C250000 44 0FB6 44 3B 35 42 8B B4 0B 705E0000 41 81 E0 FF000000 66 44 89 84 33 4A250000 44 0FB6 44 3B 32 42 8B B4 0B 705E0000 41 81 E0 FF000000 66 44 89 84 33 4E250000 44 0FB6 44 3B 33 42 8B B4 0B 705E0000 41 81 E0 FF000000 66 44 89 84 33 38250000 44 0FB6 44 3B 34 42 8B B4 0B 705E0000 41 81 E0 FF000000 66 44 89 84 33 3A250000 44 0FBF 44 3B 38 42 8B B4 0B 705E0000 66 44 89 84 33 40250000 44 0FBF 44 3B 3A 42 8B B4 0B 705E0000 66 44 89 84 33 42250000 44 0FBF 44 3B 3C 42 8B B4 0B 705E0000 66 44 89 84 33 44250000 44 0FBF 44 3B 3E 42 8B B4 0B 705E0000 66 44 89 84 33 46250000 44 0FBF 44 3B 40 42 8B B4 0B 705E0000 66 44 89 84 33 48250000 44 0FB6 44 3B 37 42 8B B4 0B 705E0000 41 81 E0 FF000000 66 44 89 84 33 3C250000 44 8B 44 3B 08 42 8B B4 0B 705E0000 44 89 84 33 28250000 44 0FB6 44 3B 36 46 8B 8C 0B 705E0000 41 81 E0 FF000000 66 46 89 84 0B DA270000 45 8B 46 C4 45 89 46 90 45 89 4E 94 41 89 76 98 41 C7 46 FC 7CE8A508 83 2D ???????? 44)
// yes, it had to be this long
alloc(newmem,$1000) // $1000 = 1000 in hex = 4096 bytes allocated
label(code)
label(return)
newmem:
code:
mov [rbx+rsi+00002524],r8d // original code
jmp return
moneys:
jmp newmem
nop
nop
nop
// db 44 0F B6 44 3B 31 // I wanted to fix the two messed up instructions this way but since the byte code for the jump newmem is longer than the original instruction, this eats up instructions that would normally follow this code
// db 42 8B B4 0B 70 5E 00 00
return:
registersymbol(moneys)
[DISABLE]
moneys:
db 44 89 84 33 24 25 00 00 // original code
db 44 0F B6 44 3B 31 // had to add this and the one below to fix the messed up code (two following instructions I was talking about)
db 42 8B B4 0B 70 5E 00 00
unregistersymbol(moneys)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 13EFC9587
13EFC953E: 42 8B B4 0B 70 5E 00 00 - mov esi,[rbx+r9+00005E70]
13EFC9546: 66 44 89 84 33 36 25 00 00 - mov [rbx+rsi+00002536],r8w
13EFC954F: 46 8B 84 0B 70 5E 00 00 - mov r8d,[rbx+r9+00005E70]
13EFC9557: 0F B7 74 3B 20 - movzx esi,word ptr [rbx+rdi+20]
13EFC955C: 66 42 89 B4 03 34 25 00 00 - mov [rbx+r8+00002534],si
13EFC9565: 44 8B 44 3B 00 - mov r8d,[rbx+rdi+00]
13EFC956A: 42 8B B4 0B 70 5E 00 00 - mov esi,[rbx+r9+00005E70]
13EFC9572: 44 89 84 33 20 25 00 00 - mov [rbx+rsi+00002520],r8d
13EFC957A: 44 8B 44 3B 04 - mov r8d,[rbx+rdi+04]
13EFC957F: 42 8B B4 0B 70 5E 00 00 - mov esi,[rbx+r9+00005E70]
// ---------- INJECTING HERE ----------
13EFC9587: 44 89 84 33 24 25 00 00 - mov [rbx+rsi+00002524],r8d
// ---------- DONE INJECTING ----------
13EFC958F: 44 0F B6 44 3B 31 - movzx r8d,byte ptr [rbx+rdi+31] // this one is getting messed up
13EFC9595: 42 8B B4 0B 70 5E 00 00 - mov esi,[rbx+r9+00005E70] // this one is also getting messed up
13EFC959D: 41 81 E0 FF 00 00 00 - and r8d,000000FF
13EFC95A4: 66 44 89 84 33 2C 25 00 00 - mov [rbx+rsi+0000252C],r8w
13EFC95AD: 44 0F B6 44 3B 35 - movzx r8d,byte ptr [rbx+rdi+35]
13EFC95B3: 42 8B B4 0B 70 5E 00 00 - mov esi,[rbx+r9+00005E70]
13EFC95BB: 41 81 E0 FF 00 00 00 - and r8d,000000FF
13EFC95C2: 66 44 89 84 33 4A 25 00 00 - mov [rbx+rsi+0000254A],r8w
13EFC95CB: 44 0F B6 44 3B 32 - movzx r8d,byte ptr [rbx+rdi+32]
13EFC95D1: 42 8B B4 0B 70 5E 00 00 - mov esi,[rbx+r9+00005E70]
}
So basically I am able to fix the code after disabling the script, but I can't find a way to fix the running script code.
I attached screenshot of activated script memory fragment.
Also the messed up code is the remaining bytes of the two instructions that followed original code:
Code:
13EFC958F: 44 0F B6 44 3B 31 - movzx r8d,byte ptr [rbx+rdi+31]
13EFC9595: 42 8B B4 >0B 70 5E 00 00< - mov esi,[rbx+r9+00005E70]
Can this be fixed somehow?
EDIT:
Well, I found a workaround by placing the two messed up instructions in the injected code and adding 5 nops, but it's not a very good option because if some jump instruction wants to jump to one of these two instructions the game / emulator will crash...
Is there a better way to do it?
Code:
code:
mov [rbx+rsi+00002524],r8d
db 44 0F B6 44 3B 31
db 42 8B B4 0B 70 5E 00 00
jmp return
moneys:
jmp newmem
nop
nop
nop
nop
nop
nop
nop
nop
// db 44 0F B6 44 3B 31
// db 42 8B B4 0B 70 5E 00 00
return:
registersymbol(moneys)
EDIT2:
Actually I can remove all the nops, because that frees 8 bytes, which is exactly how many the 2nd instruction needs (db 42 8B B4 0B 70 5E 00 00); however, there will still be one additional instruction left that has to stay in the injected code, so the question is still the same...
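As an added example, not code from the post or from Cheat Engine, here is the byte arithmetic behind the problem: in a 64-bit process CE's assembler emits a 14-byte far jmp when the cave is not within +/-2 GiB of the injection point, so the patch covers more than the original 8-byte instruction. The script reuses the addresses and instruction lengths from the poster's listing (the helper name plan_detour is my own) and reports which instructions the patch swallows, how many bytes are left dangling, and the nop padding needed to end on an instruction boundary.

```python
# Added example (not from the original post): work out which instructions a
# jump written at the injection point overwrites, using the instruction
# lengths from the poster's own disassembly listing.

# Constructed from the listing in the post: (address, length, mnemonic).
LISTING = [
    (0x13EFC9587, 8, "mov [rbx+rsi+00002524],r8d"),       # injection point
    (0x13EFC958F, 6, "movzx r8d,byte ptr [rbx+rdi+31]"),
    (0x13EFC9595, 8, "mov esi,[rbx+r9+00005E70]"),
    (0x13EFC959D, 7, "and r8d,000000FF"),
    (0x13EFC95A4, 9, "mov [rbx+rsi+0000252C],r8w"),
]

NEAR_JMP = 5   # E9 rel32: usable only if the cave is within +/-2 GiB
FAR_JMP = 14   # FF 25 00000000 + 8-byte absolute target, CE's 64-bit fallback


def plan_detour(listing, inject_at, jmp_len, nops=0):
    """Describe the effect of writing jmp_len + nops bytes at inject_at.

    relocate : instructions wholly or partly overwritten; they must be
               executed in the cave before 'jmp return' or they are lost
    dangling : trailing bytes of the last overwritten instruction that the
               patch leaves behind (the >0B 70 5E 00 00< in the post)
    pad      : nops needed after the patch to reach the next boundary
    return_to: address the cave's 'jmp return' must land on
    """
    patch_end = inject_at + jmp_len + nops
    relocate, covered_end = [], inject_at
    for addr, size, text in listing:          # listing is sorted by address
        if addr < inject_at or addr >= patch_end:
            continue                          # untouched by the patch
        relocate.append(text)
        covered_end = addr + size
    dangling = max(0, covered_end - patch_end)
    return {"relocate": relocate, "dangling": dangling,
            "pad": dangling, "return_to": covered_end}


if __name__ == "__main__":
    at = 0x13EFC9587
    # The poster's first script: far jmp + the template's 3 nops = 17 bytes.
    print(plan_detour(LISTING, at, FAR_JMP, nops=3))
    # EDIT2: far jmp with no nops ends exactly on a boundary; 2 instructions move.
    print(plan_detour(LISTING, at, FAR_JMP))
    # Cave within +/-2 GiB: 5-byte jmp + 3 nops covers just the original 8 bytes.
    print(plan_detour(LISTING, at, NEAR_JMP, nops=3))
    # Relocating is only safe if nothing branches into the patched range,
    # which is exactly the crash risk the poster describes.
```

The third call shows why getting the cave close matters: if alloc() can place it within +/-2 GiB of the injection point (newer CE builds accept a preferred address as alloc's third parameter), the 5-byte near jmp plus the template's 3 nops covers exactly the original 8-byte instruction and nothing else needs relocating.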