pox911 (Grandmaster Cheater)
Posted: Wed Jul 24, 2013 6:46 pm    Post subject: Asm only crashing on pointer compare?

This is driving me nuts. I'm probably overlooking something, but I'm having trouble with a compare.
Basically I have my value at X and the compare is at [X+8]+10. What I did was push ecx, store [X+8] in ecx, then compare [ecx+10] to my value.

What's weird is that it causes a crash. I have the pop where it needs to be.

If I have it as "cmp ecx,5" it won't crash, but "cmp [ecx+10],5" causes a crash. Any idea as to what I'm overlooking?
	
		| Back to top |  | 
	
		|  | 
	
daspamer (Grandmaster Cheater Supreme)
Posted: Wed Jul 24, 2013 6:55 pm

Sometimes the pointer does not exist? I faced this issue.
So basically, before touching the pointer, check if it's valid.

Code:
```
cmp ecx,0          // test the pointer itself; reading [ecx+10] here would already fault on a null pointer
je PointerNotExist
```
_________________

I'm rusty and getting older, help me re-learn lua.
	
		| Back to top |  | 
	
		|  | 
	
pox911 (Grandmaster Cheater)
Posted: Wed Jul 24, 2013 6:59 pm

Still crashes.
Edit: This is the asm I have for what doesn't crash.

Code:
```
AmmoMem:
push ecx
mov ecx,[esi+8]
mov [ADat],ecx
cmp ecx,5
jne Fail
pop ecx
mov [esi],ecx
mov edx,[eax+04]
jmp AmmoReturn
Fail:
pop ecx
mov [esi],ecx
mov edx,[eax+04]
jmp AmmoReturn
ADat:
dd 0               // storage for the saved [esi+8] value; without it the label has no backing bytes
```

The second I change that ecx to [ecx], it causes the crash.
	
		| Back to top |  | 
	
		|  | 
	
Gniarf (Grandmaster Cheater Supreme)
Posted: Wed Jul 24, 2013 7:09 pm

Same line of thought as DaSpamer, it just handles more cases than null pointers.

Code:
```
pushad
mov ecx,dword [esi+8]
lea ecx,[ecx+10]
push ecx  //ecx will be overwritten by IsBadReadPtr
push 4    //size to check, in bytes
push ecx  //address to check
call IsBadReadPtr
pop ecx   //restore saved ecx
test eax,eax
jne BadPointer
//if you reach here, then your crash is NOT caused by reading stuff at the wrong address
cmp dword [ecx],5
//.....

BadPointer:
popad
mov [esi],ecx
mov edx,[eax+04]
jmp AmmoReturn
```
_________________

DO NOT PM me if you want help on making/fixing/using a hack.
	
		| Back to top |  | 
	
		|  | 
	
pox911 (Grandmaster Cheater)
Posted: Wed Jul 24, 2013 7:38 pm

Unless I did something wrong, it still crashed the game.
I'm still learning assembly, so I still don't understand the lea command and how test compares to the cmp command.

Edit: As a cheap workaround I currently have an AOB for where the pointer points to, and if the address matches up it will do its jump.
	
		| Back to top |  | 
	
		|  | 
	
Gniarf (Grandmaster Cheater Supreme)
Posted: Wed Jul 24, 2013 7:48 pm

Does my script still crash if you comment out the cmp dword [ecx],5?
As for lea and test:
lea ecx,[ecx+10] is like add ecx,10 or ecx=ecx+10.
test eax,eax is like cmp eax,0, except that I don't think ja/jb/jl/jg will work after a test. Compilers (almost?) always use test eax,eax to see if eax is 0.
_________________
	
		| Back to top |  | 
	
		|  | 
	
pox911 (Grandmaster Cheater)
Posted: Thu Jul 25, 2013 10:24 am

I could have just messed up the script after the compare.
I'm trying to understand the call IsBadReadPtr better. I think I understand the pushad, since I have to use the same thing when using the function for button presses. I'm guessing the push 4 is the length and one of the push ecx is to tell the function what value to check?
	
		| Back to top |  | 
	
		|  | 
	
mgr.inz.Player (I post too much)
Location: W kraju nad Wisla. UTC+01:00
Posted: Thu Jul 25, 2013 12:33 pm

Code:
```
push size            // the size of the memory block, in bytes
push pointer         // a pointer to the first byte of the memory block
call isbadreadptr
```

The result is inside EAX.

If EAX == 0, the process has read access to all bytes in the specified memory range.

Try this:

Code:
```
(...)
AmmoMem:

pushad

lea eax,[esi+8]
push 00000004
push eax
call isbadreadptr
test eax,eax
jnz originalcode

mov ebx,[esi+8]

lea eax,[ebx+10]
push 00000004
push eax
call isbadreadptr
test eax,eax
jnz originalcode

cmp [ebx+10],05
jne originalcode

// found it
// do whatever you want


originalcode:
popad

// and your original code here
(...)
```
_________________
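The two scripts above (Gniarf's and mgr.inz.Player's) both follow one rule: never dereference an address until that exact address has been checked, and a two-level chain like [[esi+8]+10] therefore needs two checks, one per dereference. The C program below is an added example, not code from either poster or from Cheat Engine, that models that rule on a constructed 256-byte "guest" address space. `bad_read_ptr` is a stand-in for IsBadReadPtr (a pure range check here; the real Win32 function also reports unreadable pages, and Microsoft documents it as obsolete because it can interfere with guard pages and gives no guarantee against another thread unmapping the memory afterwards). The object address 0x40, the inner pointer 0x80 and the value 5 at offset 0x10 are all constructed to match the thread's layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit guest address space: a 256-byte array. Addresses are
 * offsets into it, and everything below LOWEST_MAPPED is treated as unmapped,
 * which is how a NULL or near-NULL pointer faults in a real process. */
#define MEM_SIZE      0x100u
#define LOWEST_MAPPED 0x40u
static uint8_t mem[MEM_SIZE];

/* Layout from the thread: esi -> object, [esi+8] -> inner pointer,
 * [inner+0x10] -> the value that the script compares against 5. */
#define INNER_PTR_OFFSET 0x8u
#define VALUE_OFFSET     0x10u

/* Stand-in for IsBadReadPtr(lp, ucb): nonzero when [addr, addr+len) is not
 * entirely readable. Unlike the Win32 call this is just a range test. */
static int bad_read_ptr(uint32_t addr, uint32_t len)
{
    if (len == 0) return 0;
    if (addr < LOWEST_MAPPED) return 1;         /* null page */
    if (addr > MEM_SIZE - len) return 1;        /* past the end, or wrapped */
    return 0;
}

/* Little-endian 32-bit load/store, like a dword access on x86. */
static uint32_t read32(uint32_t addr)
{
    return (uint32_t)mem[addr] | ((uint32_t)mem[addr + 1] << 8) |
           ((uint32_t)mem[addr + 2] << 16) | ((uint32_t)mem[addr + 3] << 24);
}
static void write32(uint32_t addr, uint32_t v)
{
    mem[addr] = v & 0xff; mem[addr + 1] = (v >> 8) & 0xff;
    mem[addr + 2] = (v >> 16) & 0xff; mem[addr + 3] = (v >> 24) & 0xff;
}

enum lookup_status { LOOKUP_OK = 0, LOOKUP_BAD_OUTER = 1, LOOKUP_BAD_INNER = 2 };

/* Mirrors mgr.inz.Player's script: one validity check per dereference.
 * On LOOKUP_OK, *out receives the value at [[esi+8]+0x10]. */
static enum lookup_status lookup_value(uint32_t esi, uint32_t *out)
{
    uint32_t field = esi + INNER_PTR_OFFSET;                 /* lea eax,[esi+8]   */
    if (bad_read_ptr(field, 4)) return LOOKUP_BAD_OUTER;     /* first isbadreadptr */
    uint32_t ebx = read32(field);                            /* mov ebx,[esi+8]   */
    uint32_t slot = ebx + VALUE_OFFSET;                      /* lea eax,[ebx+10]  */
    if (bad_read_ptr(slot, 4)) return LOOKUP_BAD_INNER;      /* second isbadreadptr */
    *out = read32(slot);                                     /* cmp [ebx+10],05   */
    return LOOKUP_OK;
}

/* Constructed scenario: object at esi, inner pointer written at 0x48
 * (object 0x40 + 8), and the value 5 placed at 0x90 (inner 0x80 + 0x10). */
static enum lookup_status scenario(uint32_t esi, uint32_t inner_ptr, uint32_t *out)
{
    memset(mem, 0, sizeof mem);
    write32(0x48, inner_ptr);
    write32(0x90, 5);
    return lookup_value(esi, out);
}

int main(void)
{
    static const char *names[] = { "ok", "bad outer pointer", "bad inner pointer" };
    uint32_t v = 0;
    enum lookup_status s;

    s = scenario(0x40, 0x80, &v);        /* healthy chain: finds 5 */
    printf("valid chain:   %s, value=%u\n", names[s], (unsigned)v);
    s = scenario(0x40, 0x0, &v);         /* inner pointer is NULL: caught by the 2nd check */
    printf("null inner:    %s\n", names[s]);
    s = scenario(0x40, 0xDEADBEEFu, &v); /* inner pointer is garbage: caught by the 2nd check */
    printf("garbage inner: %s\n", names[s]);
    s = scenario(0xFC, 0x80, &v);        /* esi+8 itself is unreadable: caught by the 1st check */
    printf("bad object:    %s\n", names[s]);
    return 0;
}
```

The null and garbage cases are exactly the ones a single check on esi+8 would let through: that address is readable, but the dword it holds is not a usable pointer, so the second `lea`/`isbadreadptr` pair is what keeps `cmp [ebx+10],05` from faulting.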
	
		| Back to top |  | 
	
		|  | 
	
pox911 (Grandmaster Cheater)
Posted: Mon Jul 29, 2013 7:22 pm

I still don't fully understand.
I think I understand the lea now, but why are you running it twice? It works when done that way but failed if only seen once. Why is that?

Edit: This value affects a lot (health, ammo, the works). If I'm comparing 2 values before a jump, what is the best way to do that?

Currently it's just a jne to the next compare; if it passes then it checks the next one, and if that fails it goes to the default code.
	
		| Back to top |  | 
	
		|  | 
	
mgr.inz.Player (I post too much)
Location: W kraju nad Wisla. UTC+01:00
Posted: Tue Jul 30, 2013 2:53 am

> pox911 wrote: but why are you running it twice?

If you post a screenshot of Memory Viewer (or highlight the code surrounding your hackpoint with the SHIFT key pressed and then press ctrl+c - that is, copy the disassembled output as text and paste it here) I can make a more accurate AA script.
_________________
	
		| Back to top |  | 
	
		|  | 
	
		|  |