Crash when asm meet with the bad value at mov?
Posted: Thu Feb 08, 2018 7:14 pm
Hi!
At the moment I am facing a problem where a script with compares and multilevel pointer movs is very unstable: it can be activated on the "press any key" screen of the AC:Origins game, but not once the map is already loaded, even with fullaccess and even while the AOB is correct; or it just crashes when it can be activated at any time.
I have already given up on this multilevel pointer and found another one-level compare that looks stable, but for learning purposes, and in case I made a mistake here, I want to understand what the problem is. Or maybe it is caused by the game? Here is a post by SunBeam that helps explain some aspects of this game and why fullaccess is at the top of the script: viewtopic.php?p=31616#p31616
In short, it is the CPY version of the game; the game has Denuvo and VMProtect.
And the plain script, without any null checks:
So what happened here: when I found the address for Exposure (it is more like a multiplier for the original exposure), because this instruction accesses tons of addresses, I checked the dissected data and at first found a stable value at offset rbx+348+34 (through the pointer), and it looks like everything else here has its own unique and stable value. But for some reason, anything I try to make the script work either causes a crash or the script just can't be enabled. I mean, I tried to put a compare for rax and rcx before and after some lines:
Using TEST, only rax:
does not make a difference either, and if the script runs it still crashes at rax,[rax+34]. Interestingly, if I toggle a breakpoint at "push rax" (which is how I know which line causes the crash) and watch how it goes, I can see that sometimes it passes through the whole script normally, but then it crashes, and I don't have enough skill to read the information around it. Here is an example of trying the script with compares against "0", and right after that the game crashes when something goes wrong at mov rcx,[rax+34]
Just in case, the whole script that was used for taking the screenshot above:
At the very end, two very simple versions of the script that just disable the instruction and work great:
At the moment I am facing a problem where a script with compares and multilevel pointer movs is very unstable: it can be activated on the "press any key" screen of the AC:Origins game, but not once the map is already loaded, even with fullaccess and even while the AOB is correct; or it just crashes when it can be activated at any time.
I have already given up on this multilevel pointer and found another one-level compare that looks stable, but for learning purposes, and in case I made a mistake here, I want to understand what the problem is. Or maybe it is caused by the game? Here is a post by SunBeam that helps explain some aspects of this game and why fullaccess is at the top of the script: viewtopic.php?p=31616#p31616
In short, it is the CPY version of the game; the game has Denuvo and VMProtect.
And the plain script, without any null checks:
// Cheat Engine auto-assembler script, x86-64 target (CE syntax: `//` line comments, `{ }` block comments).
// Hooks the tail of a copy routine in ACOrigins.exe and, when the destination buffer looks like
// the exposure object, replaces the value being stored with the contents of [myExposure].
// NOTE(review): the first 0x1000 bytes of the module are made read/write/execute here and
// `newmem` is defined inside that page; the alloc() of the same symbol below also names newmem,
// so which of the two the stub actually lands in should be confirmed in CE.
fullaccess( ACOrigins.exe, 0x1000 )
define( newmem, ACOrigins.exe+500 )
[ENABLE]
// Pattern = mov [rbx],eax / add rsp,90 / pop rdi / pop rsi / pop rbx / ret / first byte of the
// next mov (compare with the original-code block at the bottom of this script).
aobscanmodule(Enviro1,ACOrigins.exe,89 03 48 81 C4 90 00 00 00 5F 5E 5B C3 8B) // should be unique
alloc(newmem,0x1000,ACOrigins.exe)
alloc(store_pointer,8) // 8 bytes: receives the full qword stored from rcx below
alloc(myExposure,8) // external "myExposure" address used to control Exposure
label(code)
label(return)
registersymbol(store_pointer)
store_pointer:
dd 00
newmem:
push rax
push rcx
// Pointer chase rbx -> [rbx+348] -> [rax+34].
// The hook sits in what looks like a generic copy routine: the original-code block below shows
// word/byte/dword store variants that all share this epilogue, so rbx is presumably whatever
// destination the current caller passed in, not always the exposure object. Neither load is
// guaranteed to be readable on every call, and a non-zero value at [rbx+348] that is not a
// valid pointer makes the second load fault even with a null check in front of it -- which
// matches the crash observed at mov rcx,[rax+34].
mov rax,[rbx+348] // first level pointer
mov rcx,[rax+34] // second level; this is where the crash happens when the script can be enabled
mov [store_pointer],rcx // comment out this line and the next two if the script refuses to enable
// Match the stored value against the marker seen at rbx+348+34 in the dissected data.
// The operand size of this compare is left to CE (the immediate is 32-bit); writing `dword` or
// `qword` explicitly would remove the ambiguity. The flags written here do not matter to the
// original code: mov does not read them and add rsp rewrites them.
cmp [store_pointer],00CB0002 // if rbx+348+34 equals 00CB0002, then this should be the Exposure value
jne code
pop rcx
pop rax
// Replacement path: eax is overwritten before the original store and is not restored before the
// function's ret (see original code below), so the caller also sees the replaced value in eax --
// verify that no caller depends on it.
mov eax,[myExposure] // send the chosen Exposure value
mov [rbx],eax // original code
add rsp,00000090
jmp return
code:
// Pass-through path: the original store and the first instruction of the epilogue, unchanged.
pop rcx
pop rax
mov [rbx],eax
add rsp,00000090
jmp return
Enviro1:
// 5-byte jmp + 4 nops = 9 bytes, exactly the two overwritten instructions (2 + 7 bytes).
jmp newmem
nop
nop
nop
nop
return:
registersymbol(Enviro1)
registersymbol(myExposure)
[DISABLE]
Enviro1:
// Restore the original 9 bytes at the injection point.
db 89 03 48 81 C4 90 00 00 00
unregistersymbol(Enviro1)
unregistersymbol(myExposure)
unregistersymbol(store_pointer)
dealloc(myExposure)
dealloc(store_pointer)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "ACOrigins.exe"+84DF92
"ACOrigins.exe"+84DF78: 0F B7 06 - movzx eax,word ptr [rsi]
"ACOrigins.exe"+84DF7B: 66 89 03 - mov [rbx],ax
"ACOrigins.exe"+84DF7E: 0F B6 46 02 - movzx eax,byte ptr [rsi+02]
"ACOrigins.exe"+84DF82: 88 43 02 - mov [rbx+02],al
"ACOrigins.exe"+84DF85: 48 81 C4 90 00 00 00 - add rsp,00000090
"ACOrigins.exe"+84DF8C: 5F - pop rdi
"ACOrigins.exe"+84DF8D: 5E - pop rsi
"ACOrigins.exe"+84DF8E: 5B - pop rbx
"ACOrigins.exe"+84DF8F: C3 - ret
"ACOrigins.exe"+84DF90: 8B 06 - mov eax,[rsi]
// ---------- INJECTING HERE ----------
"ACOrigins.exe"+84DF92: 89 03 - mov [rbx],eax
"ACOrigins.exe"+84DF94: 48 81 C4 90 00 00 00 - add rsp,00000090
// ---------- DONE INJECTING ----------
"ACOrigins.exe"+84DF9B: 5F - pop rdi
"ACOrigins.exe"+84DF9C: 5E - pop rsi
"ACOrigins.exe"+84DF9D: 5B - pop rbx
"ACOrigins.exe"+84DF9E: C3 - ret
"ACOrigins.exe"+84DF9F: 8B 06 - mov eax,[rsi]
"ACOrigins.exe"+84DFA1: 89 03 - mov [rbx],eax
"ACOrigins.exe"+84DFA3: 0F B7 46 04 - movzx eax,word ptr [rsi+04]
"ACOrigins.exe"+84DFA7: 66 89 43 04 - mov [rbx+04],ax
"ACOrigins.exe"+84DFAB: 48 81 C4 90 00 00 00 - add rsp,00000090
"ACOrigins.exe"+84DFB2: 5F - pop rdi
}
// Null check on the first-level pointer: skip the chase when [rbx+348] holds zero.
// This only guards against a zero slot; a non-zero value that is not a readable pointer still
// faults on the next dereference. `code` is the pass-through label defined in the full script.
cmp rax,0
je code
// Two-level pointer chase using only rax (the "TEST, only rax" variant): rbx -> [rbx+348] -> [rax+34].
// The second load is the one reported to crash; it faults whenever [rbx+348] is non-zero but
// does not point at readable memory.
mov rax,[rbx+348]
mov rax,[rax+34]
Just in case, the whole script that was used for taking the screenshot above:
// Cheat Engine auto-assembler script, x86-64 target. Same hook as the plain version, with a
// zero check inserted after each level of the pointer chase (the lines marked "difference").
// NOTE(review): `newmem` is both defined at ACOrigins.exe+500 (inside the page made RWX by
// fullaccess) and alloc()'d below; confirm in CE which address the stub actually uses.
fullaccess( ACOrigins.exe, 0x1000 )
define( newmem, ACOrigins.exe+500 )
[ENABLE]
// Pattern = mov [rbx],eax / add rsp,90 / pop rdi / pop rsi / pop rbx / ret / first byte of the next mov.
aobscanmodule(Enviro1,ACOrigins.exe,89 03 48 81 C4 90 00 00 00 5F 5E 5B C3 8B) // should be unique
alloc(newmem,0x1000,ACOrigins.exe)
alloc(store_pointer,8) // 8 bytes: receives the full qword stored from rcx below
alloc(myExposure,8) // external address used to control Exposure
label(code)
label(return)
registersymbol(store_pointer)
store_pointer:
dd 00
newmem:
push rax
push rcx
// Pointer chase rbx -> [rbx+348] -> [rax+34]. The injection point is the shared epilogue of a
// copy routine with several store variants (see the original-code dump in the plain version of
// this script), so rbx is presumably the destination of whatever copy is currently running and
// not always the exposure object.
mov rax,[rbx+348]
// Zero checks guard only against a zero slot. A non-zero value at [rbx+348] that is not a
// readable pointer still faults at mov rcx,[rax+34] -- which is consistent with the crash that
// was still observed with these checks in place. Validating that rbx itself is the expected
// object (e.g. via a field the dissected data showed to be stable) would not need to chase
// a pointer at all.
cmp rax,0 // difference: skip when the first-level slot is zero
je code // difference
mov rcx,[rax+34]
cmp rcx,0 // difference: skip when the second-level value is zero
je code // difference
mov [store_pointer],rcx
// Operand size of this compare is left to CE; `dword`/`qword` would make it explicit.
cmp [store_pointer],00CB0002
jne code
pop rcx
pop rax
// Replacement path: eax is not restored before the function's ret, so the caller also sees
// the replaced value in eax -- verify no caller depends on it.
mov eax,[myExposure]
mov [rbx],eax
add rsp,00000090
jmp return
code:
// Pass-through path: original store and first epilogue instruction, unchanged.
pop rcx
pop rax
mov [rbx],eax
add rsp,00000090
jmp return
Enviro1:
// 5-byte jmp + 4 nops = the 9 bytes of the two overwritten instructions.
jmp newmem
nop
nop
nop
nop
return:
registersymbol(Enviro1)
registersymbol(myExposure)
[DISABLE]
Enviro1:
// Restore the original 9 bytes at the injection point.
db 89 03 48 81 C4 90 00 00 00
unregistersymbol(Enviro1)
unregistersymbol(myExposure)
unregistersymbol(store_pointer)
dealloc(myExposure)
dealloc(store_pointer)
dealloc(newmem)
// Minimal variant: overwrite the 2-byte `mov [rbx],eax` (89 03) with two nops so the store never
// happens; no detour, no pointer chase, nothing that can fault.
// Note that this store sits in the shared epilogue of a copy routine (see the original-code
// dump in the full script), so presumably every caller that reaches this path loses its store,
// not only the exposure write.
[ENABLE]
aobscanmodule(Enviro1,ACOrigins.exe,89 03 48 81 C4 90 00 00 00 5F 5E 5B C3 8B) // should be unique
Enviro1:
db 90 90
registersymbol(Enviro1)
[DISABLE]
Enviro1:
// Restore the original `mov [rbx],eax`.
db 89 03
unregistersymbol(Enviro1)
// Detour variant of the "disable the store" script. `newmem:` and `code:` label the same
// address; with the mov commented out the stub only executes `add rsp,90` and jumps back, so
// it is functionally the same as the two-nop version but costs a 9-byte detour.
// NOTE(review): `newmem` is both defined at ACOrigins.exe+500 and alloc()'d below; confirm in
// CE which address the stub actually uses.
fullaccess( ACOrigins.exe, 0x1000 )
define( newmem, ACOrigins.exe+500 )
[ENABLE]
aobscanmodule(Enviro1,ACOrigins.exe,89 03 48 81 C4 90 00 00 00 5F 5E 5B C3 8B) // should be unique
alloc(newmem,0x1000,ACOrigins.exe)
label(code)
label(return)
newmem:
code:
//mov [rbx],eax   -- original store, deliberately skipped
add rsp,00000090 // original instruction that was overwritten by the jmp
jmp return
Enviro1:
// 5-byte jmp + 4 nops = the 9 bytes of the two overwritten instructions.
jmp newmem
nop
nop
nop
nop
return:
registersymbol(Enviro1)
[DISABLE]
Enviro1:
// Restore the original 9 bytes at the injection point.
db 89 03 48 81 C4 90 00 00 00
unregistersymbol(Enviro1)
dealloc(newmem)