Cheat Engine The Official Site of Cheat Engine
Dr.Disrespect Grandmaster Cheater
Reputation: 3
Joined: 17 Feb 2016 Posts: 526
Posted: Tue Nov 28, 2017 11:15 am Post subject: [ASM] How to check if a pointer or address is valid?
I have read this post from DB: http://forum.cheatengine.org/viewtopic.php?t=511049
But it seems it doesn't work. EAX always returns 00, so the condition is always met even when the address is "?? ?? ??", which means it's not valid.
Is it because the game is 64-bit? I don't know what the problem is.
Thanks in advance.
BTW, I have to use "pushfq" instead of "pushfd", and "pushad" cannot be used because of the AMD CPU or 64-bit (I assume).
Here is what my code looks like:
Code:
pushfq
push rax
push rcx
push r8
push r9
push 4 //size in bytes of pointer
xor rax,rax
lea eax,[rbx+0c]
push eax
call isbadreadptr
cmp eax,0 <-----------------eax is always 0 even when the address is clearly invalid: "?? ?? ?? ??"
jne originalcode //invalid memory
_________________
**************
A simple example is better than ten links.
Hatschi Master Cheater
Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Tue Nov 28, 2017 1:15 pm
Code:
lea eax,[rbx+0c]
push eax

Do you know 100% for sure that what's stored inside [rbx+0C] does not exceed the 32-bit range? Because even if there is a 0,1% chance it does, you have to use rax; otherwise what's stored inside rbx+0c gets cut off.
//edit: Also the pushed size of the pointer needs to be fixed then. I think you cannot copy&paste Dark Byte's script, as his script is for a 32-bit target but yours is obviously 64-bit.
ParkourPenguin I post too much
Reputation: 150
Joined: 06 Jul 2014 Posts: 4647
Posted: Tue Nov 28, 2017 1:26 pm
That's not how calling conventions work in x64.
Code:
globalalloc(foo,4096)
createthread(foo)
foo:
push rbp
mov rbp,rsp
and spl,F0 // align stack on 16-byte boundary
sub rsp,20 // give stack space for callees
lea rcx,[foo+100] // rcx = 1st parameter
mov edx,4 // rdx = 2nd parameter
call isBadReadPtr
mov [foo+800],eax // [foo+800] is 0
xor rcx,rcx
mov edx,4
call isBadReadPtr
mov [foo+804],eax // [foo+804] is nonzero
mov rsp,rbp
pop rbp
ret
See this MSDN page for more information.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
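The convention ParkourPenguin describes, applied to the original question, as an added example that is not code from this thread: a Cheat Engine auto-assembler script for a 64-bit target that calls IsBadReadPtr correctly before the hooked code touches the pointer stored at [rbx+0C]. The hook address `hookaddr`, the replaced instructions (`mov eax,[rbx+0C]` / `test eax,eax`) and the label names are assumptions. What it relies on is the Microsoft x64 calling convention: the first four integer arguments go in rcx, rdx, r8 and r9, the caller reserves 32 bytes of shadow space above the return address, rsp is 16-byte aligned at the call, the result comes back in eax, and rax, rcx, rdx, r8-r11 and xmm0-xmm5 may be clobbered by the callee.

```asm
// Added example (not from the thread). Assumptions: hookaddr is the game
// instruction being hooked, "mov eax,[rbx+0C] / test eax,eax" stands in for
// the 5 bytes the jmp overwrites, and newmem/result/labels are placeholders.
[ENABLE]
alloc(newmem,$1000,hookaddr)
label(result)
label(originalcode)
label(returnhere)

newmem:
  // 1. Save the caller-saved registers the game may still need. A Win64
  //    callee is allowed to clobber rax, rcx, rdx, r8-r11 and xmm0-xmm5.
  push rax
  push rcx
  push rdx
  push r8
  push r9
  push r10
  push r11
  // 2. Frame, 16-byte alignment, 0x20 bytes of shadow space at [rsp]..[rsp+1F]
  //    and 0x60 bytes above it to hold xmm0-xmm5.
  push rbp
  mov rbp,rsp
  and spl,F0
  sub rsp,80
  movdqu [rsp+20],xmm0
  movdqu [rsp+30],xmm1
  movdqu [rsp+40],xmm2
  movdqu [rsp+50],xmm3
  movdqu [rsp+60],xmm4
  movdqu [rsp+70],xmm5
  // 3. Arguments travel in registers, not on the stack:
  //    rcx = lp (address to test), rdx = ucb (byte count).
  //    Use lea rcx,[rbx+0C] instead if the field's own address is the target.
  mov rcx,[rbx+0C]
  mov edx,4                // writing edx zero-extends into rdx
  call kernel32.IsBadReadPtr
  mov [result],eax         // eax: 0 = readable, nonzero = not readable
  // 4. Restore everything in reverse order.
  movdqu xmm5,[rsp+70]
  movdqu xmm4,[rsp+60]
  movdqu xmm3,[rsp+50]
  movdqu xmm2,[rsp+40]
  movdqu xmm1,[rsp+30]
  movdqu xmm0,[rsp+20]
  mov rsp,rbp
  pop rbp
  pop r11
  pop r10
  pop r9
  pop r8
  pop rdx
  pop rcx
  pop rax
  // 5. Decide. rflags are not preserved here; the hooked instruction is
  //    assumed not to consume flags produced before it.
  cmp dword ptr [result],0
  jne originalcode         // pointer unreadable: skip the extra logic
  // pointer readable: script logic that dereferences [rbx+0C] goes here

originalcode:
  mov eax,[rbx+0C]         // placeholder for the replaced instructions
  test eax,eax
  jmp returnhere

result:
  dd 0

hookaddr:
  jmp newmem
returnhere:

[DISABLE]
hookaddr:
  mov eax,[rbx+0C]
  test eax,eax
dealloc(newmem)
```

Pushing the arguments, as the 32-bit stdcall script this thread started from does, leaves rcx and rdx holding whatever the game left in them, which is why the original attempt always saw eax = 0 regardless of the address. Microsoft's documentation for IsBadReadPtr also marks the function obsolete (it can interfere with guard pages and reports nothing about why an access would fail); VirtualQuery reports a region's state and protection without touching it and is the documented alternative when a script only needs to know whether an address is mapped and readable.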
Dr.Disrespect Grandmaster Cheater
Reputation: 3
Joined: 17 Feb 2016 Posts: 526
Posted: Tue Nov 28, 2017 2:04 pm
ParkourPenguin wrote:
That's not how calling conventions work in x64.
Code:
globalalloc(foo,4096)
createthread(foo)
foo:
push rbp
mov rbp,rsp
and spl,F0 // align stack on 16-byte boundary
sub rsp,20 // give stack space for callees
lea rcx,[foo+100] // rcx = 1st parameter
mov edx,4 // rdx = 2nd parameter
call isBadReadPtr
mov [foo+800],eax // [foo+800] is 0
xor rcx,rcx
mov edx,4
call isBadReadPtr
mov [foo+804],eax // [foo+804] is nonzero
mov rsp,rbp
pop rbp
ret
See this MSDN page for more information.
@Hatschi
Thanks for the reply.
Yes, I'm sure the value in [rbx+0C] does not exceed 32 bits; even if it does, I only need the 32-bit part of it.
@Penguin
Thanks for the help. But I don't quite understand your example. Especially this:
and:
1. Does [foo+804] have the result of the check?
2. Why clear the value in rcx before moving 4 to edx? Are you just trying to show different results from two different 1st parameters?
3. Why move 4 to edx before the routine call? And why use rcx? Are these mandatory?
I will try to read what's in the link you provided.
OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Tue Nov 28, 2017 2:30 pm
Dr.Disrespect wrote: Especially this:

bpl, spl, dil, and sil are available in 64-bit mode using the REX opcode prefix; simply, {and spl, F0} means bitwise-AND the lower 8 bits of the SP register with the value F0.
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: i am a sweetheart.
Dr.Disrespect Grandmaster Cheater
Reputation: 3
Joined: 17 Feb 2016 Posts: 526
Posted: Tue Nov 28, 2017 5:33 pm
OldCheatEngineUser wrote:
Dr.Disrespect wrote: Especially this:
bpl, spl, dil, and sil are available in 64-bit mode using the REX opcode prefix; simply, {and spl, F0} means bitwise-AND the lower 8 bits of the SP register with the value F0.

Thanks for the explanation.
ParkourPenguin I post too much
Reputation: 150
Joined: 06 Jul 2014 Posts: 4647
Dr.Disrespect Grandmaster Cheater
Reputation: 3
Joined: 17 Feb 2016 Posts: 526
Posted: Sun Dec 03, 2017 11:42 am
Oops, I totally forgot about this post.
Thanks for the detailed explanations, Penguin.