Code Injection - Working with Floats
Posted: Mon May 07, 2018 5:07 am
This tutorial builds on the topic of Code Injection:
- [Link]
- [Link]
- [Link]
- [Link]
Note: SS is for singles and SD is for doubles (i.e. the SS in movss versus the SD in movsd).
Code: Select all
addss [eax+10],xmm0
What if the instruction that writes to the value is only a movss? Try to find a spot above the write instruction that has an addss (or a subss, depending on what you want to do).
Code: Select all
addss xmm0,xmm1
//...
movss [eax+10],xmm0
Editable value
We could use a label, giving it some memory, and optionally registerSymbol it so the label can be used on the table as an address.
Code: Select all
//...
alloc(someMem, 0x400)
//...
label(someSymbol)
registerSymbol(someSymbol)
//...
someMem:
//...
movss xmm0,[someSymbol]
addss [eax+10],xmm0
//...
jmp return
//...
someSymbol:
dd (float)100
//...
Adding a Multiplier
We could add an editable value like above but use mulss to add a multiplier to the script.
Code: Select all
//...
alloc(someMem, 0x400)
//...
label(someSymbol)
registerSymbol(someSymbol)
//...
someMem:
//...
mulss xmm0,[someSymbol]
addss [eax+10],xmm0
//...
jmp return
//...
someSymbol:
dd (float)100
//...
Calculate a value for a Multiplier
Let's say we just can't find an addss or a subss, and all we have is a movss.
Code: Select all
movss [eax+10],xmm0
We can just do some math in the script to calculate a value for a multiplier.
Code: Select all
//...
alloc(someMem, 0x400)
//...
label(someSymbol)
registerSymbol(someSymbol)
//...
someMem:
//...
subss xmm0,[eax+10]     // xmm0 = new - old, the delta the game is applying
mulss xmm0,[someSymbol] // scale the delta by our multiplier
addss xmm0,[eax+10]     // xmm0 = old + scaled delta
movss [eax+10],xmm0     // the original write
//...
jmp return
//...
someSymbol:
dd (float)10
//...
Working with doubles
Let's say the game uses doubles; then we can use movsd, subsd, mulsd, and addsd instead. We just need to also make our script's value a double.
Code: Select all
movsd [eax+10],xmm0
So to calculate a value for a multiplier:
Code: Select all
//...
alloc(someMem, 0x400)
//...
label(someSymbol)
registerSymbol(someSymbol)
//...
someMem:
//...
subsd xmm0,[eax+10]     // xmm0 = new - old, the delta the game is applying
mulsd xmm0,[someSymbol] // scale the delta by our multiplier (a double now)
addsd xmm0,[eax+10]     // xmm0 = old + scaled delta
movsd [eax+10],xmm0     // the original write
//...
jmp return
//...
someSymbol:
dq (double)10
//...
Working with packed instructions
Sometimes (especially with vectors) you'll see packed instructions, like movups, movaps, addps, subps, mulps. These types of instructions work on 16 bytes at a time.
So let's say you have some code accessing the player coordinate deltas, and it's using packed instructions.
Code: Select all
addps [eax+10],xmm0
So let's add a multiplier for this.
Code: Select all
//...
alloc(someMem, 0x400)
//...
label(someSymbol)
registerSymbol(someSymbol)
//...
someMem:
//...
mulps xmm0,[someSymbol]
addps [eax+10],xmm0
//...
jmp return
//...
someSymbol:
dd (float)1.75
dd (float)1.75
dd (float)1.25
dd (float)1
//...
Calculate a value for packed instruction
Let's say we just can't find an addps or a subps, and all we have is a movups or a movaps.
Code: Select all
movups [eax+10],xmm0
We can just do some math in the script to calculate a value for a multiplier.
Code: Select all
//...
alloc(someMem, 0x400)
//...
label(someSymbol)
registerSymbol(someSymbol)
//...
someMem:
//...
subps xmm0,[eax+10]     // xmm0 = new - old for all four lanes at once
mulps xmm0,[someSymbol] // scale each lane by its own multiplier
addps xmm0,[eax+10]     // xmm0 = old + scaled delta, per lane
movups [eax+10],xmm0    // the original (unaligned) write
//...
jmp return
//...
someSymbol:
dd (float)1.75
dd (float)1.75
dd (float)1.25
dd (float)1
//...
We could use the align command and then be able to use aligned instructions. So if the injection point looks like this:
Code: Select all
movaps [eax+10],xmm0
Then we could make a script like this.
Code: Select all
//...
alloc(someMem, 0x400)
//...
label(someSymbol)
registerSymbol(someSymbol)
//...
someMem:
//...
subps xmm0,[eax+10]     // xmm0 = new - old for all four lanes at once
mulps xmm0,[someSymbol] // scale each lane; someSymbol must be 16-byte aligned for this form
addps xmm0,[eax+10]     // xmm0 = old + scaled delta, per lane
movaps [eax+10],xmm0    // the original (aligned) write
//...
jmp return
//...
align 10 CC
someSymbol:
dd (float)1.75
dd (float)1.75
dd (float)1.25
dd (float)1
//...
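As an added example (not from the original post), here is the packed "calculate a value" script redone in C with SSE intrinsics, so the per-lane math can be checked outside a game; it also picks the aligned or unaligned load by inspecting the address, which is the reason the script above needs align before someSymbol when movaps is used. The function and variable names are this example's own.

```c
/* Added example, not from the original post: the packed "calculate a value"
   script redone in C with SSE intrinsics so the per-lane math can be checked
   outside a game. The game writes new = old + delta; the script turns that
   into new = old + delta * mult, one multiplier per lane. Names are ours. */
#include <stdint.h>
#if defined(__SSE__) || defined(_M_X64)
#include <xmmintrin.h>
#define HAVE_SSE 1
#else
#define HAVE_SSE 0
#endif
/* dst = the 16 bytes at [eax+10] (old values); written = what xmm0 holds at
   the movups/movaps (old + delta); mult = the four floats at someSymbol. */
static void apply_packed_delta(float dst[4], const float written[4], const float mult[4])
{
#if HAVE_SSE
    /* movaps faults on an address that is not 16-byte aligned, so use the
       aligned form only when both operands are; the align directive before
       someSymbol is what guarantees that for the multiplier table. */
    int aligned = (((uintptr_t)dst | (uintptr_t)mult) & 0xF) == 0;
    __m128 old = aligned ? _mm_load_ps(dst)  : _mm_loadu_ps(dst);
    __m128 m   = aligned ? _mm_load_ps(mult) : _mm_loadu_ps(mult);
    __m128 x   = _mm_loadu_ps(written);
    x = _mm_sub_ps(x, old); /* subps xmm0,[eax+10]     -> delta          */
    x = _mm_mul_ps(x, m);   /* mulps xmm0,[someSymbol] -> delta * mult   */
    x = _mm_add_ps(x, old); /* addps xmm0,[eax+10]     -> old + scaled   */
    if (aligned) _mm_store_ps(dst, x); else _mm_storeu_ps(dst, x); /* movaps/movups */
#else
    for (int i = 0; i < 4; i++) /* scalar fallback for non-SSE builds */
        dst[i] += (written[i] - dst[i]) * mult[i];
#endif
}
/* Constructed sample: old position (10,20,30,1), the game is about to write
   (12,24,26,1), multiplier table (1.75,1.75,1.25,1) as in the script above.
   Returns the number of lanes that match the expected (13.5,27,25,1); all
   values are exactly representable, so an exact compare is fine. */
static int demo_lanes_correct(void)
{
    _Alignas(16) float pos[4]  = {10.0f, 20.0f, 30.0f, 1.0f};
    float written[4]           = {12.0f, 24.0f, 26.0f, 1.0f};
    _Alignas(16) float mult[4] = {1.75f, 1.75f, 1.25f, 1.0f};
    const float expect[4]      = {13.5f, 27.0f, 25.0f, 1.0f};
    int ok = 0;
    apply_packed_delta(pos, written, mult);
    for (int i = 0; i < 4; i++)
        ok += (pos[i] == expect[i]);
    return ok;
}
```

The w lane uses a multiplier of 1, so an unrelated fourth float living in the same 16 bytes passes through untouched, which is why the script's table ends in (float)1.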
Working with the FPU registers
Sometimes you'll find some opcode that uses the FPU registers. These include fld, fmul, fadd, fsub and fstp.
So with singles it might look like this.
Code: Select all
fld dword ptr [ebp+20]
fmul dword ptr [ebp+40]
fadd dword ptr [eax+10]
fstp dword ptr [eax+10]
And if it was with doubles it might look like this.
Code: Select all
fld qword ptr [ebp+20]
fmul qword ptr [ebp+40]
fadd qword ptr [eax+10]
fstp qword ptr [eax+10]
So say we have some opcode that decreases health that looks like this.
Code: Select all
fld dword ptr [eax+10]
fsub dword ptr [ebp+20]
fstp dword ptr [eax+10]
So to add a multiplier to this we could make a script like this.
Code: Select all
//...
alloc(someMem, 0x400)
//...
label(someSymbol)
registerSymbol(someSymbol)
//...
someMem:
//...
fld dword ptr [ebp+20]     // st(0) = damage
fmul dword ptr [someSymbol] // st(0) = damage * multiplier
fld dword ptr [eax+10]     // st(0) = health, st(1) = scaled damage
fsub st(0),st(1)           // st(0) = health - scaled damage
fstp dword ptr [eax+10]    // store the new health and pop it
fstp st(0)                 // pop the scaled damage so the FPU stack is balanced
//...
jmp return
//...
someSymbol:
dd (float)0.25
//...
See Also
- [Link]
- [Link]
- [Link]
- [Link]
- [Link]
- [Link]