Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Q: Can one read operations happening between XMM registers?

Shademp
How do I cheat?
Reputation: 0

Joined: 21 Mar 2017
Posts: 9
Location: Sweden

PostPosted: Mon Mar 12, 2018 9:45 am    Post subject: Q: Can one read operations happening between XMM registers?

Is it even accurate to say that XMM registers perform operations on each other?

The reason I ask is because I recently solved an encryption where it turned out the bitmask was placed in the xmm1 register.


xmm0: 0B 05 DA E3 91 78 23 D9 [ENCRYPTED BYTES]
xmm1: 6C 70 B4 C3 D3 0D 4F B5 [BITMASK]
xmm2: 67 75 6E 20 42 75 6C 6C [DECRYPTED BYTES]

xmm0 is filtered through xmm1 with a XOR operation, resulting in xmm2. These decrypted values are then sent back to the proper addresses.


But if I didn't know that a XOR operation was taking place, could I learn this by viewing the disassembler? So far I haven't been able to make sense of what I'm seeing in the disassembler, but with some help I might.

I may have further questions as I'm interested in anything that might help me solve encryptions.
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Mon Mar 12, 2018 10:05 am    Post subject:

xmm registers store memory. They are used as operands in instructions; they don't do operations. You're probably looking for a pxor, xorpd, or xorps instruction somewhere.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Shademp
How do I cheat?
Reputation: 0

Joined: 21 Mar 2017
Posts: 9
Location: Sweden

PostPosted: Mon Mar 12, 2018 12:07 pm    Post subject:

To show what I'm looking at, here is the disassembler activity for when the address values [ecx] with encrypted bytes are first accessed and moved to xmm0 (see first step) and at last the decrypted bytes in xmm2 are moved back to ecx (final step).


- movlps xmm0,[ecx]
- movlps [edx],xmm0
- mov eax,[pcsx2.exe+609B30] { [00000000] }
- shl eax,03 { 3 }
- cdq
- mov [pcsx2.exe+609B30],eax { [000000C0] }
- mov [pcsx2.exe+609B34],edx { [00000000] }
- add dword ptr [pcsx2.exe+609B70],01 { [00FD4800] }
- lahf
- sar ax,0F { 15 }
- cwde
- mov [pcsx2.exe+609B74],eax { [00000000] }
- mov eax,[pcsx2.exe+609B30] { [00000140] }
- add eax,[pcsx2.exe+609B80] { [00451F98] }
- cdq
- mov [pcsx2.exe+609B30],eax { [30D40000] }
- mov [pcsx2.exe+609B34],edx { [00000000] }
- mov edx,pcsx2.exe+609B20 { [00000001] }
- mov ecx,[pcsx2.exe+609B30] { [0000002B] }
- mov eax,ecx
- shr eax,0C { 12 }
- mov eax,[eax*4+0E2DD030]
- mov ebx,300D2EFC { [2.65] }
- add ecx,eax
- js pcsx2.exe+1FC00C0
- movlps xmm1,[ecx]
- movlps [edx],xmm1
- mov eax,[pcsx2.exe+609B20] { [00000000] }
- xor [pcsx2.exe+609B40],eax { [00000000] }
- mov eax,[pcsx2.exe+609B24] { [00000000] }
- xor [pcsx2.exe+609B44],eax { [00000000] }
- mov edx,pcsx2.exe+609B40 { [00000008] }
- mov ecx,[pcsx2.exe+609B60] { [00000000] }
- mov eax,ecx
- shr eax,0C { 12 }
- mov eax,[eax*4+0E2DD030]
- mov ebx,300D2F3C { [9C000D8B] }
- add ecx,eax
- js pcsx2.exe+1FC0280
- movlps xmm2,[edx]
- movlps [ecx],xmm2

I can't see where the bitmask is being retrieved from and where the actual xor operation is happening, even though there are two instances above of xor being used. I understand perfectly if nobody wants to do a step-by-step deconstruction of the long list shown above, but even just pointers to "this is where the bitmask is retrieved" and "this is where the xor happens" would be helpful.


In the pcsx2.exe+609B40 address area there is always too much activity happening too fast for me to spot anything. Is there a way to freeze all activity or at least slow things down well enough that I can take snapshots? The standard speedhack function can only slow down the emulator so much.
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Mon Mar 12, 2018 1:25 pm    Post subject:

"movlps xmm0,[ecx]" is reading the value, "movlps xmm1,[ecx]" is reading the key, they are xor'd where the two xor instructions are, and "movlps [ecx],xmm2" writes the result back into memory somewhere.

Shademp wrote:
Is there a way to freeze all activity or at least slow things down well enough that I can take snapshots?

Right click on an instruction and select "Break and trace". The next time a thread passes by, CE will store information as it runs for a few instructions. If those instructions also access other addresses, pause the process first (advanced options menu), set the break and trace, put a condition on that breakpoint (right click), and resume.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Shademp
How do I cheat?
Reputation: 0

Joined: 21 Mar 2017
Posts: 9
Location: Sweden

PostPosted: Tue Mar 13, 2018 11:20 am    Post subject:

Thank you so much ParkourPenguin for your help. This is the first time I've used "Break and trace" and I'm finding it to be a useful tool, along with the process pause.

Follow-up question:
At...
- movlps xmm1,[ecx]
...ECX is 21FFFB60 and has a float of value -360.88

Somehow, this becomes the first half of the aforementioned bitmask:
6C 70 B4 C3 D3 0D 4F B5

I have tried running the float through a float → hex converter, but the results are nothing at all like the bitmask that is ultimately entered into the xmm1 register.

How does -360.88 become 6C 70 B4 C3 D3 0D 4F B5?


EDIT: Actually I noticed now that while the float → hex conversion doesn't work, doing the opposite direction, hex → float, gives an approximate result.


B54F0DD3C3B4706C → -360.878

I assume then that -360.88 is approximated into 6C 70 B4 C3 D3 0D 4F B5.
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Tue Mar 13, 2018 11:41 am    Post subject:

A float is 4 bytes, not 8.
Code:
        float: -360.8782959
     binary32: 1 10000111 01101000111000001101100
   32-bit hex: C3B4706C
little endian: 6C 70 B4 C3

_________________
I don't know where I'm going, but I'll figure it out when I get there.
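To make the two answers concrete, here is an added Python model (not code from the thread, from Cheat Engine or from the emulator) of what the trace shows: the 8 bytes that movlps loads into xmm0 and xmm1 are XORed byte for byte to give xmm2, and the first 4 bytes of the key are simply the float -360.878... stored little-endian as binary32, so reading the 8 bytes as one double gives nonsense. The byte values are the ones quoted earlier in the thread; everything else is a labelled assumption.

```python
import struct

# Low qword of xmm0 and xmm1 as quoted in the first post of the thread
ENCRYPTED = bytes.fromhex("0B05DAE3917823D9")  # xmm0: [ENCRYPTED BYTES]
KEY       = bytes.fromhex("6C70B4C3D30D4FB5")  # xmm1: [BITMASK]


def xor_qword(data: bytes, key: bytes) -> bytes:
    """Model pxor/xorps on the 8 bytes movlps loads: a plain byte-wise XOR.

    The registers do nothing on their own; the xor instruction combines two
    operands and the result is what movlps [ecx],xmm2 stores back to memory.
    """
    if len(data) != 8 or len(key) != 8:
        raise ValueError("movlps moves exactly 8 bytes")
    return bytes(a ^ b for a, b in zip(data, key))


def float_to_le_bytes(value: float) -> bytes:
    """Encode a float as it lies in memory: 4 bytes, little-endian binary32."""
    return struct.pack("<f", value)


def hex32(value: float) -> str:
    """Same float as a 32-bit hex word, most significant byte first (what a converter prints)."""
    return struct.pack(">f", value).hex().upper()


def binary32_fields(value: float) -> str:
    """Split the 32-bit pattern into sign, 8 exponent bits and 23 fraction bits."""
    bits = format(struct.unpack(">I", struct.pack(">f", value))[0], "032b")
    return f"{bits[0]} {bits[1:9]} {bits[9:]}"


def key_as_floats(key: bytes) -> tuple:
    """Read the 8-byte key as two little-endian binary32 values (the width the game uses)."""
    return struct.unpack("<ff", key)


def key_as_double(key: bytes) -> float:
    """Read the same 8 bytes as one binary64 value: the wrong width, so the number is meaningless."""
    return struct.unpack("<d", key)[0]


if __name__ == "__main__":
    decrypted = xor_qword(ENCRYPTED, KEY)
    print("xmm2 =", decrypted.hex(" ").upper(), decrypted)
    first = key_as_floats(KEY)[0]
    print("key[0:4] as float =", first, "->", hex32(first), "->", float_to_le_bytes(first).hex(" ").upper())
```

Running it prints the decrypted bytes as the ASCII text they spell and shows -360.8782958984375 encoding to C3B4706C, i.e. 6C 70 B4 C3 in memory order.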