Cheat Engine Forum Index -> Cheat Engine
The Official Site of Cheat Engine
 
Getting a C# Bytearray from the bytecode that uses it?

 
BenInSweden (How do I cheat?) · Reputation: 0 · Joined: 06 Jan 2019 · Posts: 3
Posted: Sun Jan 06, 2019 6:09 am    Post subject: Getting a C# Bytearray from the bytecode that uses it?

So a bit of background.
I have written a LiveSplit Autosplitter, that handles multiple Sega Genesis/Mega Drive and Master System games, in multiple emulators.

It is designed in such a way that games or emulators can be easily added, as the emulator portion of the code essentially finds the start of the Genesis/SMS memory, and then the code for the games just uses the offsets from there to find the right values for splitting.

This works fine for the 5 emulators currently supported - Fusion, Retroarch (both 32 bit and 64 bit), the two emulators used in the Steam "SEGA Mega Drive & Genesis Classics" release, along with Gens (which can be used to test the autosplitter using Tool Assisted Speedruns).

I want to add support for BizHawk, as this would allow me to more easily find and test values for splitting for any Master System games (and also be able to use some of the more recent Genesis TASes for testing).

I've extensively tried using Cheat Engine to find pointer paths to the memory in BizHawk, but either I get 0 results or THREADSTACK ones.

I was hoping that logically if I could find the byte code that accesses the memory then I should be able to hone in on the memory block used by the two emulation cores used.

SMSHawk is the core that BizHawk uses for SMS games, and it is written in C#.

It has the following portion of code:
Code:

      void WriteMemorySega(ushort address, byte value)
      {
         if (address >= 0xC000)
            SystemRam[address & RamSizeMask] = value;
                 ....


SystemRam is defined as a byte array and has the following in the SMS class initialisation code:
Code:

   SystemRam = new byte[0x2000];



I can do an AoB search to find the relevant code for WriteMemorySega, but as my ASM knowledge is pretty poor, I cannot seem to work out what I would need to do from there, e.g. here's the bytecode for the complete WriteMemorySega function:

Code:

BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+2 - 53                    - push rbx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+3 - 48 83 EC 20           - sub rsp,20 { 32 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+7 - 48 8B F1              - mov rsi,rcx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+A - 41 8B F8              - mov edi,r8d
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+D - 0FB7 DA               - movzx ebx,dx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+10- 81 FB 00C00000        - cmp ebx,0000C000 { 49152 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+16- 7C 25                 - jl BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+3D
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+18- 48 8B 46 28           - mov rax,[rsi+28]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+1C- 8B D3                 - mov edx,ebx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+1E- 81 E2 FF1F0000        - and edx,00001FFF { 8191 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+24- 3B 50 08              - cmp edx,[rax+08]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+27- 0F83 64010000         - jae BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+191
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+2D- 48 63 D2              - movsxd  rdx,edx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+30- 40 0FB6 CF            - movzx ecx,dil
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+34- 88 4C 10 10           - mov [rax+rdx+10],cl
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+38- E9 A1000000           - jmp BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+DE
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+3D- 81 FB 00800000        - cmp ebx,00008000 { 32768 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+43- 0F8C 95000000         - jl BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+DE
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+49- 48 8B 8E B8000000     - mov rcx,[rsi+000000B8]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+50- 48 85 C9              - test rcx,rcx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+53- 74 77                 - je BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+CC
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+55- C6 86 29010000 01     - mov byte ptr [rsi+00000129],01 { 1 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+5C- 0FB6 86 2A010000      - movzx eax,byte ptr [rsi+0000012A]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+63- 83 F8 01              - cmp eax,01 { 1 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+66- 74 07                 - je BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+6F
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+68- 83 F8 02              - cmp eax,02 { 2 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+6B- 74 2E                 - je BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+9B
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+6D- EB 6F                 - jmp BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+DE
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+6F- 4C 8B C1              - mov r8,rcx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+72- 8B C3                 - mov eax,ebx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+74- 25 FF3F0000           - and eax,00003FFF { 16383 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+79- 44 8B 49 08           - mov r9d,[rcx+08]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+7D- 99                    - cdq
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+7E- 41 F7 F9              - idiv r9d
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+81- 41 3B D1              - cmp edx,r9d
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+84- 0F83 07010000         - jae BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+191
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+8A- 48 63 CA              - movsxd  rcx,edx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+8D- 44 0FB6 CF            - movzx r9d,dil
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+91- 45 88 4C 08 10        - mov [r8+rcx+10],r9l
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+96- E9 EE000000           - jmp BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+189
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+9B- 4C 8B C1              - mov r8,rcx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+9E- 8B C3                 - mov eax,ebx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+A0- 25 FF3F0000           - and eax,00003FFF { 16383 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+A5- 05 00400000           - add eax,00004000 { 16384 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+AA- 44 8B 49 08           - mov r9d,[rcx+08]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+AE- 99                    - cdq
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+AF- 41 F7 F9              - idiv r9d
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+B2- 41 3B D1              - cmp edx,r9d
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+B5- 0F83 D6000000         - jae BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+191
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+BB- 48 63 CA              - movsxd  rcx,edx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+BE- 40 0FB6 C7            - movzx eax,dil
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+C2- 41 88 44 08 10        - mov [r8+rcx+10],al
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+C7- E9 BD000000           - jmp BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+189
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+CC- 48 B9 A0AFE751F4010000 - mov rcx,000001F451E7AFA0 { [1F443F17700] }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+D6- 48 8B 09              - mov rcx,[rcx]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+D9- E8 A2A9505D           - call System.Console::WriteLine
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+DE- 81 FB FCFF0000        - cmp ebx,0000FFFC { 65532 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+E4- 0F8C 9F000000         - jl BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+189
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+EA- 81 FB FCFF0000        - cmp ebx,0000FFFC { 65532 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+F0- 75 2D                 - jne BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+11F
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+F2- 40 0FB6 C7            - movzx eax,dil
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+F6- A8 08                 - test al,08 { 8 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+F8- 74 1C                 - je BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+116
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+FA- 40 0FB6 C7            - movzx eax,dil
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+FE- A8 04                 - test al,04 { 4 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+100- 74 07                 - je BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+109
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+102- B8 02000000           - mov eax,00000002 { 2 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+107- EB 05                 - jmp BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+10E
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+109- B8 01000000           - mov eax,00000001 { 1 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+10E- 88 86 2A010000        - mov [rsi+0000012A],al
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+114- EB 73                 - jmp BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+189
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+116- C6 86 2A010000 00     - mov byte ptr [rsi+0000012A],00 { 0 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+11D- EB 6A                 - jmp BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+189
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+11F- 81 FB FDFF0000        - cmp ebx,0000FFFD { 65533 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+125- 75 16                 - jne BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+13D
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+127- 40 0FB6 C7            - movzx eax,dil
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+12B- 0FB6 8E 15010000      - movzx ecx,byte ptr [rsi+00000115]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+132- 99                    - cdq
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+133- F7 F9                 - idiv ecx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+135- 88 96 10010000        - mov [rsi+00000110],dl
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+13B- EB 4C                 - jmp BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+189
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+13D- 81 FB FEFF0000        - cmp ebx,0000FFFE { 65534 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+143- 75 16                 - jne BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+15B
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+145- 40 0FB6 C7            - movzx eax,dil
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+149- 0FB6 8E 15010000      - movzx ecx,byte ptr [rsi+00000115]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+150- 99                    - cdq
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+151- F7 F9                 - idiv ecx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+153- 88 96 11010000        - mov [rsi+00000111],dl
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+159- EB 2E                 - jmp BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+189
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+15B- 81 FB FFFF0000        - cmp ebx,0000FFFF { 65535 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+161- 75 26                 - jne BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+189
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+163- F6 86 1E010000 40     - test byte ptr [rsi+0000011E],40 { 64 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+16A- 74 09                 - je BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+175
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+16C- 40 88 BE 14010000     - mov [rsi+00000114],dil
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+173- EB 14                 - jmp BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+189
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+175- 40 0FB6 C7            - movzx eax,dil
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+179- 0FB6 8E 15010000      - movzx ecx,byte ptr [rsi+00000115]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+180- 99                    - cdq
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+181- F7 F9                 - idiv ecx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+183- 88 96 12010000        - mov [rsi+00000112],dl
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+189- 48 83 C4 20           - add rsp,20 { 32 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+18D- 5B                    - pop rbx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+18E- 5E                    - pop rsi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+18F- 5F                    - pop rdi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+190- C3                    - ret
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+191- E8 EAFD315F           - call clr.dll+4A2760
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+196- CC                    - int 3


There is also another function, InitSegaMapper, which always writes the same values to the same location; I don't know if it would be more useful:

Code:

BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+2 - 48 83 EC 28           - sub rsp,28 { 40 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+6 - 48 8B F1              - mov rsi,rcx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+9 - 48 B9 D8BD5098F87F0000 - mov rcx,00007FF89850BDD8 { [01000510] }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+13- E8 78FEE75E           - call clr.dll+2540
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+18- 48 8B F8              - mov rdi,rax
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+1B- 48 85 F6              - test rsi,rsi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+1E- 0F84 EA000000         - je BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+10E
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+24- 48 8D 4F 08           - lea rcx,[rdi+08]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+28- 48 8B D6              - mov rdx,rsi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+2B- E8 1019E85E           - call clr.dll+3FF0
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+30- 48 BA 48122D98F87F0000 - mov rdx,00007FF8982D1248 { [8CD5D3E9] }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+3A- 48 89 57 18           - mov [rdi+18],rdx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+3E- 48 8D 4E 58           - lea rcx,[rsi+58]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+42- 48 8B D7              - mov rdx,rdi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+45- E8 F618E85E           - call clr.dll+3FF0
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+4A- 48 B9 A0BF5098F87F0000 - mov rcx,00007FF89850BFA0 { [01000510] }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+54- E8 37FEE75E           - call clr.dll+2540
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+59- 48 8B F8              - mov rdi,rax
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+5C- 48 8D 4F 08           - lea rcx,[rdi+08]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+60- 48 8B D6              - mov rdx,rsi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+63- E8 D818E85E           - call clr.dll+3FF0
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+68- 48 BA 58122D98F87F0000 - mov rdx,00007FF8982D1258 { [701583E9] }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+72- 48 89 57 18           - mov [rdi+18],rdx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+76- 48 8D 4E 60           - lea rcx,[rsi+60]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+7A- 48 8B D7              - mov rdx,rdi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+7D- E8 BE18E85E           - call clr.dll+3FF0
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+82- 48 B9 58C6AE98F87F0000 - mov rcx,00007FF898AEC658 { [01000400] }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+8C- E8 FFFDE75E           - call clr.dll+2540
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+91- 48 8B F8              - mov rdi,rax
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+94- 48 8D 4F 08           - lea rcx,[rdi+08]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+98- 48 8B D6              - mov rdx,rsi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+9B- E8 A018E85E           - call clr.dll+3FF0
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+A0- 48 BA 50122D98F87F0000 - mov rdx,00007FF8982D1250 { [232] }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+AA- 48 89 57 18           - mov [rdi+18],rdx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+AE- 48 8D 4E 78           - lea rcx,[rsi+78]
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+B2- 48 8B D7              - mov rdx,rdi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+B5- E8 8618E85E           - call clr.dll+3FF0
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+BA- 48 8B CE              - mov rcx,rsi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+BD- BA FCFF0000           - mov edx,0000FFFC { 65532 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+C2- 45 33 C0              - xor r8d,r8d
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+C5- E8 DEEA8FFF           - call 7FF8982D1258
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+CA- 48 8B CE              - mov rcx,rsi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+CD- BA FDFF0000           - mov edx,0000FFFD { 65533 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+D2- 45 33 C0              - xor r8d,r8d
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+D5- E8 CEEA8FFF           - call 7FF8982D1258
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+DA- 48 8B CE              - mov rcx,rsi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+DD- BA FEFF0000           - mov edx,0000FFFE { 65534 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+E2- 41 B8 01000000        - mov r8d,00000001 { 1 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+E8- E8 BBEA8FFF           - call 7FF8982D1258
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+ED- 48 8B CE              - mov rcx,rsi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+F0- BA FFFF0000           - mov edx,0000FFFF { 65535 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+F5- 41 B8 02000000        - mov r8d,00000002 { 2 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+FB- E8 A8EA8FFF           - call 7FF8982D1258
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+100- C6 86 14010000 02     - mov byte ptr [rsi+00000114],02 { 2 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+107- 48 83 C4 28           - add rsp,28 { 40 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+10B- 5E                    - pop rsi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+10C- 5F                    - pop rdi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+10D- C3                    - ret
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+10E- 48 8B CF              - mov rcx,rdi
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+111- E8 2A58D85D           - call System.MulticastDelegate::ThrowNullThisInDelegateToInstance
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+116- CC                    - int 3
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::InitSegaMapper+117- 00 19                 - add [rcx],bl


The memory address I would be looking for in this instance would be around 0x1F443F15638 (0x1F443F168F4 is the one I found for the value in 0x12BC).

Not sure if I'm missing something blatantly obvious, overcomplicating it, or looking in completely the wrong place :D

Any help greatly appreciated :D

Thanks

Ben
ParkourPenguin (I post too much) · Reputation: 140 · Joined: 06 Jul 2014 · Posts: 4289
Posted: Sun Jan 06, 2019 11:22 am

Threadstack base addresses are likely your best option if you want to avoid code injection. You probably won't find a good static base address in JIT-compiled / interpreted languages.

The code is at the very beginning of the function, so it isn't terribly hard to figure out what's going on:
Code:
push rbx
sub rsp,20 { 32 }
mov rsi,rcx    ; rsi = this
mov edi,r8d      ; edi = (byte)value
movzx ebx,dx   ; ebx = (ushort)address
cmp ebx,0000C000 { 49152 } ; address >= 0xC000
jl WriteMemorySega+3D ; if () {
mov rax,[rsi+28]  ; rax = byteArrayObject*
mov edx,ebx       ; edx = address
and edx,00001FFF  ; address & RamSizeMask
cmp edx,[rax+08]  ; index-out-of-bounds check (probably)
jae WriteMemorySega+191 ; if error, jump
movsxd  rdx,edx   ; effective address displacement sign extension (superfluous w/ constexpr RamSizeMask, but whatever)
movzx ecx,dil     ; maybe a low-level optimization
mov [rax+rdx+10],cl  ; the write to the array
; ...

rax becomes the address of the object holding the byte array after "WriteMemorySega+18". The first qword might be a pointer to vtable or something, the next dword looks like the size, no clue what the next dword is, and the data starts at +0x10.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
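As an added illustration of the layout ParkourPenguin infers above (example code written for this page, not BizHawk's or Cheat Engine's): a small Python model of a CLR byte[] object in memory, the `index < length` check the JIT emits before the store, and the arithmetic that turns one known element address into the object address. The Snapshot class, the method-table placeholder and the treatment of the 4 bytes at +0xC as padding are assumptions made for the example; the element address 0x1F443F168F4 and index 0x12BC are the values from the first post.

```python
import struct

# Layout inferred in the thread from the JIT'd code: a pointer-sized header
# (method table) at +0, a 32-bit length at +8, element data from +0x10.
# The 4 bytes at +0xC are assumed here to be padding on the 64-bit CLR;
# the post itself leaves them unexplained.
HEADER_SIZE = 0x10
LENGTH_OFFSET = 0x8

RAM_SIZE = 0x2000              # SystemRam = new byte[0x2000]
RAM_SIZE_MASK = RAM_SIZE - 1   # the 0x1FFF in `and edx,00001FFF`


class Snapshot:
    """Stand-in for another process's memory (what ReadProcessMemory would see)."""

    def __init__(self):
        self.regions = {}      # base address -> bytearray

    def map(self, base, blob):
        self.regions[base] = bytearray(blob)

    def _locate(self, addr, size):
        for base, blob in self.regions.items():
            if base <= addr and addr + size <= base + len(blob):
                return blob, addr - base
        raise ValueError(f"unmapped access at {addr:#x}")

    def read(self, addr, size):
        blob, off = self._locate(addr, size)
        return bytes(blob[off:off + size])

    def write(self, addr, data):
        blob, off = self._locate(addr, len(data))
        blob[off:off + len(data)] = data


def build_clr_byte_array(data, method_table=0x1234_5678_9ABC):
    """Serialise a byte[] object with the header layout described above.
    The method-table value is a constructed placeholder."""
    return struct.pack("<QII", method_table, len(data), 0) + bytes(data)


def clr_array_length(snap, obj_addr):
    return struct.unpack("<I", snap.read(obj_addr + LENGTH_OFFSET, 4))[0]


def clr_array_data(snap, obj_addr):
    """The element bytes: what an autosplitter wants once it has the object pointer."""
    return snap.read(obj_addr + HEADER_SIZE, clr_array_length(snap, obj_addr))


def array_object_from_element(element_addr, index):
    """Recover the object address from one known element address and its index."""
    return element_addr - index - HEADER_SIZE


def write_memory_sega(snap, obj_addr, address, value):
    """Model of the JIT'd path for address >= 0xC000: mask, bounds-check, store.
    Returns True when the store happened; the bounds check mirrors
    `cmp edx,[rax+08]` / `jae` (the CLR's IndexOutOfRangeException path)."""
    if not 0 <= address <= 0xFFFF:
        raise ValueError("address is a ushort")
    if address < 0xC000:
        return False                                # other ranges not modelled
    index = address & RAM_SIZE_MASK
    if index >= clr_array_length(snap, obj_addr):   # unsigned compare, like jae
        raise IndexError(f"index {index:#x} out of range")
    snap.write(obj_addr + HEADER_SIZE + index, bytes([value & 0xFF]))
    return True


def demo():
    """Place the object so its data starts at 0x1F443F15638, matching the
    first post's numbers: element 0x12BC then sits at 0x1F443F168F4."""
    snap = Snapshot()
    obj = array_object_from_element(0x1F443F168F4, 0x12BC)   # 0x1F443F15628
    snap.map(obj, build_clr_byte_array(bytes(RAM_SIZE)))
    write_memory_sega(snap, obj, 0xD2BC, 0x42)   # 0xD2BC & 0x1FFF == 0x12BC
    return snap.read(0x1F443F168F4, 1)[0], clr_array_data(snap, obj)[0x12BC]


if __name__ == "__main__":
    print([hex(v) for v in demo()])
```

The mask is why 0xD2BC and 0xF2BC both land on element 0x12BC (the SMS mirrors its 8 KiB of RAM across 0xC000-0xFFFF), and the `jae` path is why a wrong object pointer usually shows up as an exception in the emulator rather than a silent out-of-bounds write.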
BenInSweden (How do I cheat?) · Reputation: 0 · Joined: 06 Jan 2019 · Posts: 3
Posted: Mon Jan 07, 2019 3:13 am

Thanks for the reply, and the asm commenting on what's going on.

I did think that Code Injection was out of the question really, however, after some further digging it appears that LiveSplit has functions to assist with Code Injection including a "WriteDetour" helper in their ProcessExtensions.cs source file (which I can't link to currently).


So I'm thinking that's probably the easiest route here, with something like the following?

Code:

// game == Bizhawk process
var target = new SigScanTarget(0, "53 48 83 EC 20 48 8B F1 41 8B F8 0F B7 DA 81 FB 00 C0 00 00 7C 25"); // Signature of start of WriteMemorySega
var scanOffset = vars.SigScan(game, target);

if ( scanOffset > 0 ) {
    IntPtr clonedMemory = game.AllocateMemory(0x2000);
    byte[] injectionCode = new byte[] {
        // ASM bytes to duplicate the write of the byte at the same offset to clonedMemory
    };
    IntPtr injectionMem = game.AllocateMemory(injectionCode.Length);
    game.WriteBytes(injectionMem, injectionCode);
    game.WriteDetour(scanOffset + 0x38 /* ~after write to array */, injectionCode.Length, injectionMem);
}


I'm not entirely sure what the ASM bytes would need to be here, but I'm guessing that with the correct asm, the C# above is along the lines of what should hopefully work? And I can just use the clonedMemory pointer for the start of the SMS memory.
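The signature scan Ben sketches above (and the aobscan in the next reply) can be tried offline. This is an added example for this page, not LiveSplit's or Cheat Engine's code: a wildcard-aware pattern scanner run over a constructed image assembled from the prologue and call-site bytes in the disassembly. The decoy prologue, the 0xCC filler and the second "build" with a different call displacement are constructed; the 22-byte pattern is Ben's signature, and the 0x16 offset to the patch point is the INJECT+16 from the CE script.

```python
import re

WILDCARDS = {"?", "??", "xx", "XX"}


def parse_pattern(text):
    """'53 48 ?? EC' -> [0x53, 0x48, None, 0xEC]  (None matches any byte)."""
    out = []
    for tok in text.split():
        if tok in WILDCARDS:
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad pattern token {tok!r}")
    return out


def scan(image, pattern):
    """Offsets of every match of `pattern` (string or parsed list) in `image`."""
    pat = parse_pattern(pattern) if isinstance(pattern, str) else pattern
    n = len(pat)
    return [i for i in range(len(image) - n + 1)
            if all(p is None or image[i + j] == p for j, p in enumerate(pat))]


def unique_hit(image, pattern):
    """A signature used as a patch anchor must match exactly once."""
    hits = scan(image, pattern)
    if len(hits) != 1:
        raise LookupError(f"expected exactly one match, got {len(hits)}: {hits}")
    return hits[0]


def hx(s):
    return bytes.fromhex(s.replace(" ", ""))


# Bytes from the thread's disassembly of WriteMemorySega (+2 .. +26).
PROLOGUE = hx("53 48 83 EC 20 48 8B F1 41 8B F8 0F B7 DA 81 FB 00 C0 00 00 7C 25 "
              "48 8B 46 28 8B D3 81 E2 FF 1F 00 00 3B 50 08")
# Bytes from +D6 .. +E9: mov rcx,[rcx] / call System.Console::WriteLine / cmp ebx,FFFC.
CALL_SITE = hx("48 8B 09 E8 A2 A9 50 5D 81 FB FC FF 00 00")
# Constructed: a second function sharing the same 5-byte prologue, and int3 padding.
DECOY = hx("53 48 83 EC 20 48 8B D9 33 C0 C3")
PAD = b"\xCC" * 16


def make_image(call_site):
    return PAD + DECOY + PAD + PROLOGUE + PAD + call_site + PAD


IMAGE_A = make_image(CALL_SITE)
# Constructed second "build": identical except for the call displacement, which
# is what changes when the callee is JIT'd to a different address.
IMAGE_B = make_image(CALL_SITE[:4] + hx("11 22 33 44") + CALL_SITE[8:])

BEN_SIG = "53 48 83 EC 20 48 8B F1 41 8B F8 0F B7 DA 81 FB 00 C0 00 00 7C 25"
EXACT_CALL = "48 8B 09 E8 A2 A9 50 5D 81 FB FC FF 00 00"
MASKED_CALL = "48 8B 09 E8 ?? ?? ?? ?? 81 FB FC FF 00 00"

INJECT_DELTA = 0x16   # INJECT+16: the `mov rax,[rsi+28]` after the 22 signature bytes


def injection_site(image):
    """Locate the patch point the way the CE script does (INJECT+16)."""
    return unique_hit(image, BEN_SIG) + INJECT_DELTA


if __name__ == "__main__":
    print("5-byte prologue hits:", scan(IMAGE_A, "53 48 83 EC 20"))
    print("injection site:", hex(injection_site(IMAGE_A)))
    print("exact call bytes in build B:", scan(IMAGE_B, EXACT_CALL))
    print("masked call bytes in build B:", scan(IMAGE_B, MASKED_CALL))
```

Two practical points the run shows: a short signature such as the first five prologue bytes matches more than one function, so `unique_hit` refuses it; and any signature that spans a `call` or `jmp` with a rel32 displacement needs those four bytes wildcarded, because the displacement differs between builds and between JIT sessions even though the surrounding opcodes do not.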
ParkourPenguin (I post too much) · Reputation: 140 · Joined: 06 Jul 2014 · Posts: 4289
Posted: Mon Jan 07, 2019 10:14 am

If you already have code to do all that for you, it's not terribly difficult. You need to find an AoB pattern, allocate memory, possibly change memory protection, and write bytes to the game. I don't know what WriteDetour does, but I wouldn't trust it, especially since this is a 64-bit process and jumps outside a ±2GiB displacement can be tricky.

You can use CE to see how the bytes would look:
Code:
[ENABLE]
aobscan(INJECT,53 48 83 EC 20 48 8B F1 41 8B F8 0F B7 DA 81 FB 00 C0 00 00 7C 25 48 8B 46 28 8B D3 81 E2 FF 1F 00 00 3B 50 08)
alloc(newmem,4096)

label(return)
label(mySpecialAddress)
registersymbol(INJECT)
registersymbol(mySpecialAddress)

newmem:
  mov rax,[rsi+28]
  mov [newmem+800],rax
  mov edx,ebx
  and edx,00001FFF
  cmp edx,[rax+08]
  db ff 25 00 00 00 00 // jmp [rip+0]
  dq return

newmem+800:
mySpecialAddress:
  dq 0


INJECT+16:
  db ff 25 00 00 00 00 // jmp [rip+0]
  dq newmem
  nop
return:


[DISABLE]

INJECT+16:
  db 48 8B 46 28 8B D3 81 E2 FF 1F 00 00 3B 50 08

unregistersymbol(INJECT)
unregistersymbol(mySpecialAddress)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: WriteMemorySega+18

WriteMemorySega+2 - 53                    - push rbx
WriteMemorySega+3 - 48 83 EC 20           - sub rsp,20
WriteMemorySega+7 - 48 8B F1              - mov rsi,rcx
WriteMemorySega+A - 41 8B F8              - mov edi,r8d
WriteMemorySega+D - 0FB7 DA               - movzx ebx,dx
WriteMemorySega+10- 81 FB 00C00000        - cmp ebx,0000C000
WriteMemorySega+16- 7C 25                 - jl WriteMemorySega+3D
// ---------- INJECTING HERE ----------
WriteMemorySega+18- 48 8B 46 28           - mov rax,[rsi+28]
WriteMemorySega+1C- 8B D3                 - mov edx,ebx
WriteMemorySega+1E- 81 E2 FF1F0000        - and edx,00001FFF
WriteMemorySega+24- 3B 50 08              - cmp edx,[rax+08]
// ---------- DONE INJECTING  ----------
WriteMemorySega+27- 0F83 64010000         - jae WriteMemorySega+191
WriteMemorySega+2D- 48 63 D2              - movsxd  rdx,edx
WriteMemorySega+30- 40 0FB6 CF            - movzx ecx,dil
WriteMemorySega+34- 88 4C 10 10           - mov [rax+rdx+10],cl
WriteMemorySega+38- E9 A1000000           - jmp WriteMemorySega+DE
WriteMemorySega+3D- 81 FB 00800000        - cmp ebx,00008000
WriteMemorySega+43- 0F8C 95000000         - jl WriteMemorySega+DE
}


PS: WriteMemorySega+2 is not the start of the function. That would be WriteMemorySega (+0). If the memory before the start of the function isn't code, you may need to use the left/right arrow keys to manually align the disassembler on the right address.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
BenInSweden (How do I cheat?) · Reputation: 0 · Joined: 06 Jan 2019 · Posts: 3
Posted: Tue Jan 08, 2019 1:20 pm

Awesome, ParkourPenguin :D

Thanks so much for the help; I wouldn't have been able to work it out without your guidance.
It was a struggle getting it working in the C# code for a while, but here is essentially the working code I have now, after injection:

Code:

BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+2 - 53                    - push rbx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+3 - 48 83 EC 20           - sub rsp,20 { 32 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+7 - 48 8B F1              - mov rsi,rcx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+A - 41 8B F8              - mov edi,r8d
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+D - 0FB7 DA               - movzx ebx,dx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+10- 81 FB 00C00000        - cmp ebx,0000C000 { 49152 }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+16- 7C 25                 - jl BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+3D
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+18- 50                    - push rax
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+19- 48 B8 0A00629887010000 - mov rax,000001879862000A { [18520] }
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+23- FF E0                 - jmp rax
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+25- 90                    - nop
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+26- 90                    - nop
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+27- 90                    - nop
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+28- 90                    - nop
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+29- 90                    - nop
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+2A- 90                    - nop
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+2B- 90                    - nop
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+2C- 90                    - nop
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+2D- 58                    - pop rax
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+2E- 63 D2                 - movsxd  rdx,edx
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+30- 40 0FB6 CF            - movzx ecx,dil
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+34- 88 4C 10 10           - mov [rax+rdx+10],cl
BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+38- E9 A1000000           - jmp BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+DE


;; 000001879862000A

1879862000A - 58                    - pop rax
1879862000B - 48 8B 46 28           - mov rax,[rsi+28]
1879862000F - 48 A3 0000629887010000 - mov [18798620000],rax { -1738407936 }
18798620019 - 50                    - push rax
1879862001A - 8B D3                 - mov edx,ebx
1879862001C - 81 E2 FF1F0000        - and edx,00001FFF { 8191 }
18798620022 - 3B 50 08              - cmp edx,[rax+08]
18798620025 - 72 0C                 - jb 18798620033
18798620027 - 48 B8 610AE561F97F0000 - mov rax,BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+191 { [232] }
18798620031 - FF E0                 - jmp rax
18798620033 - 48 B8 FC08E561F97F0000 - mov rax,BizHawk.Emulation.Cores.Sega.MasterSystem.SMS::WriteMemorySega+2C { [D2635890] }
1879862003D - FF E0                 - jmp rax


I'm probably going to need to support older 32-bit versions of BizHawk, as some TASes are heavily reliant on the version of emulator as well, but hopefully most of the grunt work is now done in the above, and it's just adapting it around the different address space.


Thanks

Ben
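The two jump encodings in this thread (the CE script's `db ff 25 00 00 00 00` / `dq newmem`, and the `push rax` / `mov rax,imm64` / `jmp rax` form in the post above) are worth seeing from both sides. This is an added example for this page, not Cheat Engine's or LiveSplit's code: it builds the 15-byte patch for the injection point, choosing `E9 rel32` only when the cave lies within ±2GiB (the displacement limit ParkourPenguin mentions), and it does the defender's converse, comparing a function's known-good bytes against what is in memory and decoding whatever detour it finds. The addresses are taken from the disassembly above (the function start is derived from WriteMemorySega+2C being shown as 0x7FF961E508FC; the cave is 0x1879862000A), and the 15 original bytes are the ones the script's [DISABLE] section restores. The trailing `jae` bytes appended in `demo` are from the same disassembly.

```python
import struct

JMP_ABS = bytes.fromhex("FF2500000000")     # jmp qword ptr [rip+0]; target qword follows
PUSH_RAX, MOV_RAX_IMM, JMP_RAX = b"\x50", b"\x48\xB8", b"\xFF\xE0"


def rel32_fits(next_ip, target):
    """E9 rel32 can only reach +-2GiB from the end of the jmp instruction."""
    return -(1 << 31) <= target - next_ip < (1 << 31)


def encode_jmp(src, target):
    """Shortest jmp from src to target: 5-byte E9 if in range, otherwise the
    14-byte FF 25 [rip+0] / dq form the CE script uses."""
    if rel32_fits(src + 5, target):
        return b"\xE9" + struct.pack("<i", target - (src + 5))
    return JMP_ABS + struct.pack("<Q", target)


def build_patch(src, target, stolen):
    """Patch bytes for the injection point: the jmp, then NOPs so the patch ends
    exactly on the boundary of the `stolen` original instructions."""
    jmp = encode_jmp(src, target)
    if len(jmp) > len(stolen):
        raise ValueError("jmp does not fit inside the stolen instructions")
    return jmp + b"\x90" * (len(stolen) - len(jmp))


def decode_jmp(code, addr):
    """Recognise the three jump forms seen in the thread, assuming `code`
    starts at `addr`. Returns (kind, target, length) or None."""
    if code[:1] == b"\xE9" and len(code) >= 5:
        return "rel32", addr + 5 + struct.unpack("<i", code[1:5])[0], 5
    if code[:6] == JMP_ABS and len(code) >= 14:
        return "abs64", struct.unpack("<Q", code[6:14])[0], 14
    if code[:3] == PUSH_RAX + MOV_RAX_IMM and code[11:13] == JMP_RAX:
        return "push_mov_jmp", struct.unpack("<Q", code[3:11])[0], 13
    return None


def detect_patch(expected, actual, base):
    """Defender's check: compare a function's known-good bytes with what is in
    memory; on the first divergence, report where it is and where the jmp goes."""
    for i, (e, a) in enumerate(zip(expected, actual)):
        if e != a:
            jmp = decode_jmp(actual[i:], base + i)
            return {"offset": i,
                    "kind": jmp[0] if jmp else "unknown",
                    "target": jmp[1] if jmp else None}
    return None


# Values from the thread. The function start is derived from the final post,
# where WriteMemorySega+2C is shown as 0x7FF961E508FC.
FUNC = 0x7FF961E508FC - 0x2C
INJECT = FUNC + 0x18                  # WriteMemorySega+18, the injection point
CAVE = 0x1879862000A                  # the code cave in the final post
STOLEN = bytes.fromhex("488B46288BD381E2FF1F00003B5008")   # what [DISABLE] restores


def demo():
    patch = build_patch(INJECT, CAVE, STOLEN)
    original = STOLEN + bytes.fromhex("0F8364010000")       # followed by the jae
    patched = patch + original[len(patch):]
    return patch, detect_patch(original, patched, INJECT)


if __name__ == "__main__":
    p, report = demo()
    print(p.hex(), report)
```

With these addresses `rel32_fits` is false (the cave is far outside ±2GiB of the JIT'd code), so the patch comes out as the 14-byte absolute form plus one NOP, the same 15 bytes the CE script writes at INJECT+16. Reading it back with `decode_jmp` gives the cave address directly, which is the check an integrity scanner performs when it compares a module's code against its on-disk or known-good copy.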
All times are GMT - 6 Hours