[ASM Help] Coord. write, not understanding ASM.

TheyCallMeTim13

I... am an enchanter.
Fearless Donors
Mar 3, 2017
311
11
18
#1
So I've been trying to find a delta multiplier (super speed), but I keep finding code like this and just can't figure out what's going on even after stepping through the code.
NASM:
Game+168E3C:  0F11 5C 24 70               -  movups [rsp+70],xmm3               
Game+168E41:  0F11 55 F0                  -  movups [rbp-10],xmm2               
Game+168E45:  FF 50 60                    -  call qword ptr [rax+60]           
Game+168E48:  48 8B 58 08                 -  mov rbx,[rax+08]                   
Game+168E4C:  F6 83 AE000000 02           -  test byte ptr [rbx+000000AE],02   
Game+168E53:  74 08                       -  je 14037751D                       
Game+168E55:  48 8B CB                    -  mov rcx,rbx                       
Game+168E58:  E8 43878600                 -  call 140BDFC60                     
Game+168E5D:  49 8B 8F F0000000           -  mov rcx,[r15+000000F0]             <<<--- AOB Starts Here
Game+168E64:  0F28 CE                     -  movaps xmm1,xmm6                   
Game+168E67:  0FC6 CE 00                  -  shufps xmm1,xmm6,00               
Game+168E6B:  0F28 C6                     -  movaps xmm0,xmm6                   
Game+168E6E:  0F59 4B 40                  -  mulps xmm1,[rbx+40]               
Game+168E72:  48 83 C1 20                 -  add rcx,20                         
Game+168E76:  0FC6 C6 55                  -  shufps xmm0,xmm6,55               
Game+168E7A:  0F59 43 50                  -  mulps xmm0,[rbx+50]               
Game+168E7E:  48 8B 01                    -  mov rax,[rcx]                     
Game+168E81:  0F58 4B 70                  -  addps xmm1,[rbx+70]               
Game+168E85:  0FC6 F6 AA                  -  shufps xmm6,xmm6,-56               
Game+168E89:  0F59 73 60                  -  mulps xmm6,[rbx+60]               
////  INJECTING START  ----------------------------------------------------------
Game+168E8D:  0F58 C8                     -  addps xmm1,xmm0                   
Game+168E90:  0F58 CE                     -  addps xmm1,xmm6                   
////  INJECTING END  ----------------------------------------------------------
Game+168E93:  0F28 C1                     -  movaps xmm0,xmm1                   
Game+168E96:  F3 0F11 4D 24               -  movss [rbp+24],xmm1               
Game+168E9B:  0FC6 C1 55                  -  shufps xmm0,xmm1,55               
Game+168E9F:  0FC6 C9 AA                  -  shufps xmm1,xmm1,-56               
Game+168EA3:  F3 0F11 4D 2C               -  movss [rbp+2C],xmm1               
Game+168EA8:  F3 0F11 45 28               -  movss [rbp+28],xmm0               
Game+168EAD:  FF 50 60                    -  call qword ptr [rax+60]           
Game+168EB0:  48 8B 58 08                 -  mov rbx,[rax+08]                   
Game+168EB4:  F6 83 AE000000 02           -  test byte ptr [rbx+000000AE],02   
Game+168EBB:  74 08                       -  je 140377585                       
Game+168EBD:  48 8B CB                    -  mov rcx,rbx                       
Game+168EC0:  E8 DB868600                 -  call 140BDFC60                     
Game+168EC5:  0F28 43 40                  -  movaps xmm0,[rbx+40]               
Game+168EC9:  0F28 4B 50                  -  movaps xmm1,[rbx+50]               
Game+168ECD:  49 8B 8F F0000000           -  mov rcx,[r15+000000F0]             
Game+168ED4:  44 0F28 73 50               -  movaps xmm14,[rbx+50]             
Game+168ED9:  48 83 C1 20                 -  add rcx,20                         
Game+168EDD:  44 0FC6 73 60 49            -  shufps xmm14,[rbx+60],49           
Game+168EE3:  0FC6 C8 A0                  -  shufps xmm1,xmm0,-60
 

SunBeam

Administrator
Staff member
Administrative Team
Feb 4, 2018
349
33
28
#2
Having fiddled a bit with MMX, I can tell you the shuffling is used to bring 2nd or 3rd DWORD in XMMx to first position so you can then use one-param instructions like "movss". See your code:

NASM:
Game+168E64:  0F28 CE                     -  movaps xmm1,xmm6                  
Game+168E67:  0FC6 CE 00                  -  shufps xmm1,xmm6,00              
Game+168E6B:  0F28 C6                     -  movaps xmm0,xmm6                  
Game+168E6E:  0F59 4B 40                  -  mulps xmm1,[rbx+40]
XMM6 is moved into XMM1, then the shufps you can view it as A XOR B (so XMM1 XOR XMM6), 00-ing the result of non-equal DWORDs. I'm guessing after this you get a single DWORD in xmm1 (your xmm1 looks like this -> xxxxxxxx - 00000000 - 00000000 - 00000000). So, of course now 'mulps xmm1,[rbx+40]' (am guessing a FLOAT's stored here) works nicely :p

See more about it here. What I recommend is writing down xmm1 and xmm6 on a piece of paper, apply the theory from that page and see what you get as result. Similarly, try changing this: "shufps xmm1,xmm0,-60" to "shufps xmm1,xmm0,x" (where x is 0,1,2,3..) and see the result with each re-run to get a feel on it ;)

BR,
Sun