[ASM Help] Coord. write, not understanding ASM.

Memory scanning, code injection, debugger internals and other gamemodding related discussion
Post Reply
User avatar
TheyCallMeTim13
Administration
Administration
Posts: 1178
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 232
Contact:

[ASM Help] Coord. write, not understanding ASM.

Post by TheyCallMeTim13 » Sun Apr 15, 2018 11:56 am

So I've been trying to find a delta multiplier (super speed), but I keep finding code like this and just can't figure out what's going on even after stepping thought the code.

[CODE=nasm]

Game+168E3C: 0F11 5C 24 70 - movups [rsp+70],xmm3

Game+168E41: 0F11 55 F0 - movups [rbp-10],xmm2

Game+168E45: FF 50 60 - call qword ptr [rax+60]

Game+168E48: 48 8B 58 08 - mov rbx,[rax+08]

Game+168E4C: F6 83 AE000000 02 - test byte ptr [rbx+000000AE],02

Game+168E53: 74 08 - je 14037751D

Game+168E55: 48 8B CB - mov rcx,rbx

Game+168E58: E8 43878600 - call 140BDFC60

Game+168E5D: 49 8B 8F F0000000 - mov rcx,[r15+000000F0] <<<--- AOB Starts Here

Game+168E64: 0F28 CE - movaps xmm1,xmm6

Game+168E67: 0FC6 CE 00 - shufps xmm1,xmm6,00

Game+168E6B: 0F28 C6 - movaps xmm0,xmm6

Game+168E6E: 0F59 4B 40 - mulps xmm1,[rbx+40]

Game+168E72: 48 83 C1 20 - add rcx,20

Game+168E76: 0FC6 C6 55 - shufps xmm0,xmm6,55

Game+168E7A: 0F59 43 50 - mulps xmm0,[rbx+50]

Game+168E7E: 48 8B 01 - mov rax,[rcx]

Game+168E81: 0F58 4B 70 - addps xmm1,[rbx+70]

Game+168E85: 0FC6 F6 AA - shufps xmm6,xmm6,-56

Game+168E89: 0F59 73 60 - mulps xmm6,[rbx+60]

//// INJECTING START ----------------------------------------------------------

Game+168E8D: 0F58 C8 - addps xmm1,xmm0

Game+168E90: 0F58 CE - addps xmm1,xmm6

//// INJECTING END ----------------------------------------------------------

Game+168E93: 0F28 C1 - movaps xmm0,xmm1

Game+168E96: F3 0F11 4D 24 - movss [rbp+24],xmm1

Game+168E9B: 0FC6 C1 55 - shufps xmm0,xmm1,55

Game+168E9F: 0FC6 C9 AA - shufps xmm1,xmm1,-56

Game+168EA3: F3 0F11 4D 2C - movss [rbp+2C],xmm1

Game+168EA8: F3 0F11 45 28 - movss [rbp+28],xmm0

Game+168EAD: FF 50 60 - call qword ptr [rax+60]

Game+168EB0: 48 8B 58 08 - mov rbx,[rax+08]

Game+168EB4: F6 83 AE000000 02 - test byte ptr [rbx+000000AE],02

Game+168EBB: 74 08 - je 140377585

Game+168EBD: 48 8B CB - mov rcx,rbx

Game+168EC0: E8 DB868600 - call 140BDFC60

Game+168EC5: 0F28 43 40 - movaps xmm0,[rbx+40]

Game+168EC9: 0F28 4B 50 - movaps xmm1,[rbx+50]

Game+168ECD: 49 8B 8F F0000000 - mov rcx,[r15+000000F0]

Game+168ED4: 44 0F28 73 50 - movaps xmm14,[rbx+50]

Game+168ED9: 48 83 C1 20 - add rcx,20

Game+168EDD: 44 0FC6 73 60 49 - shufps xmm14,[rbx+60],49

Game+168EE3: 0FC6 C8 A0 - shufps xmm1,xmm0,-60 [/CODE]

User avatar
SunBeam
Administration
Administration
Posts: 1713
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 349

[ASM Help] Coord. write, not understanding ASM.

Post by SunBeam » Sun Apr 15, 2018 3:46 pm

Having fiddled a bit with MMX, I can tell you the shuffling is used to bring 2nd or 3rd DWORD in XMMx to first position so you can then use one-param instructions like "movss". See your code:



[code=nasm]

Game+168E64: 0F28 CE - movaps xmm1,xmm6

Game+168E67: 0FC6 CE 00 - shufps xmm1,xmm6,00

Game+168E6B: 0F28 C6 - movaps xmm0,xmm6

Game+168E6E: 0F59 4B 40 - mulps xmm1,[rbx+40][/code]

XMM6 is moved into XMM1, then the shufps you can view it as A XOR B (so XMM1 XOR XMM6), 00-ing the result of non-equal DWORDs. I'm guessing after this you get a single DWORD in xmm1 (your xmm1 looks like this -> xxxxxxxx - 00000000 - 00000000 - 00000000). So, of course now 'mulps xmm1,[rbx+40]' (am guessing a FLOAT's stored here) works nicely :p



See more about it [URL='http://www.jaist.ac.jp/iscenter-new/mpc/altix/altixdata/opt/intel/vtune/doc/users_guide/mergedProjects/analyzer_ec/mergedProjects/reference_olh/mergedProjects/instructions/instruct32_hh/vc293.htm']here[/URL]. What I recommend is writing down xmm1 and xmm6 on a piece of paper, apply the theory from that page and see what you get as result. Similarly, try changing this: "shufps xmm1,xmm0,-60" to "shufps xmm1,xmm0,x" (where x is 0,1,2,3..) and see the result with each re-run to get a feel on it ;)



BR,

Sun
Last edited by SunBeam on Thu Jan 01, 1970 12:00 am, edited 1 time in total.

User avatar
Cielos
RCE Fanatics
RCE Fanatics
Posts: 512
Joined: Fri Mar 03, 2017 4:35 am
Reputation: 411
Contact:

[ASM Help] Coord. write, not understanding ASM.

Post by Cielos » Tue May 22, 2018 12:11 pm

about a month already, you may have solved the problem you're having already, but here are some personal tips on how to read what that byte at the shufps means, or how to write one easily.



to write the byte, the way I often use to plan the shuffling is this:

1. write down the 4 elements order on the notepad like this:

[code]4th 3rd 2nd 1st

11 10 01 00[/code]



2. then write down how you want it to become. e.g., I want to broadcast the 3rd element on all 4 elements. that means all 4 elements should be the 3rd element:

[code]10 10 10 10[/code]



3. now use the calculator to convert it back to hex, that would be 0xAA. and done.



4. or you want to reorder to 2 4 1 4, then:

[code]01 11 00 11[/code]

in hex: 0x73



so, for the 0x00 on the line Game+168e67 that SubBeam mentioned, just convert the 0x00 to binary, which is easy for 0x00:



[code]00 00 00 00[/code]



so, that means it's boardcasting the 1st element into all 4 elements.





EDIT:

EDIT2 (rewrote the example):

if you want to apply a multiplier (or force, etc.) to a vector that would apply to a coord, you can do something like this.

[code]



//xmm1 : the vector

//xmm2 : coord you want to manipulate







mov eax,(flaot)2 //multiplier to be appiled.

movd xmm0,eax // 4th 3rd 2nd 1st

// xmm0 becomes 0 0 0 2



shufps xmm0,xmm0,00 //broadcast the least significant element to all 4 elements.

//i.e. 2 2 2 2



//shufps xmm0,xmm0,c0 //consider using c0 if you want the 4th element stay zero.

//if use this: 0 2 2 2



//shufps xmm0,xmm0,e0 //use e0 if the vector is 2d.

//if use this: 0 0 2 2



mulps xmm1,xmm0 //applied the multiplier to vector.

addps xmm2,xmm1 //apply the vector to the coord.[/code]
Last edited by Cielos on Wed May 23, 2018 4:53 am, edited 3 times in total.
want a custom cheat that no one seems bothered?
prepare a paypal and PM me, or just find a way for me to access the game in question.

Post Reply

Who is online

Users browsing this forum: No registered users