A trick I learned for finding unique compares

SovietWristwatch.jpg

I was having trouble with a particular game because a single opcode writes to every useful address, as well as thousands of others.
FreeER, on Discord (I think registered here as well), gave me some hints which helped immensely. Hopefully this can help someone else out.

Here is the original code:
Code:
code:
  movss xmm0,[rcx+rax*4]
If I add a compare against [rcx+rax*4], who knows how many addresses it will filter out? I checked register states but many of them were the same.

Create a new script:
Code:
newmem:
  cmp rax,EA // first compare
  jne code
  movss xmm0,[rcx+rax*4] // "restore" original code, but it's a "new" opcode accessing fewer addresses
  jmp return

code:
  movss xmm0,[rcx+rax*4]
  jmp return
Now, activate the script and "Follow" the injection point to the code that you injected.
Code:
cmp rax,000000EA
jne 7FF655580016
movss xmm0,[rcx+rax*4]
jmp 7FF655707900
movss xmm0,[rcx+rax*4]
jmp 7FF655707900
There are two "duplicate" opcodes now, but the first one is only showing the addresses that matched the compare; the rest are going to the original code. In this case, we've filtered out everything except for 30 addresses.

Now we can add a second compare:
Code:
cmp rax,000000EA
jne 7FF655580016
cmp r8,00000001
jne 7FF655580016
movss xmm0,[rcx+rax*4]
jmp 7FF655707900
movss xmm0,[rcx+rax*4]
jmp 7FF655707900
Following the same steps, there is only one address being written to.
Now you can create your script.

This "drill down filter" makes some things a lot easier for me now, but I'm sure there are better/more advanced methods.
How do you manage this problem?
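For reference, here is what the finished auto-assembler script looks like once the drill-down has produced the two compares. This is an added example, not code from the original post or from FreeER: the module name game.exe is a placeholder, the AOB pattern F3 0F 10 04 81 is assumed to be the encoding of movss xmm0,[rcx+rax*4] (check it against the real target in the disassembler), and the compare values EA and 1 are the ones the post arrived at. Because that original instruction is 5 bytes, the jmp newmem fits exactly and no nop padding is needed.

```asm
[ENABLE]
// Placeholder module name; the pattern is assumed to encode
// movss xmm0,[rcx+rax*4] and must be confirmed against the real target.
aobscanmodule(INJECT,game.exe,F3 0F 10 04 81)
alloc(newmem,$1000,INJECT)
label(code)
label(return)

newmem:
  cmp rax,EA               // first compare, value found by the drill-down
  jne code
  cmp r8,1                 // second compare, narrows it to a single address
  jne code
  movss xmm0,[rcx+rax*4]   // only the one filtered address reaches this opcode
  jmp return

code:
  movss xmm0,[rcx+rax*4]   // everything else takes the original path
  jmp return

INJECT:
  jmp newmem               // 5-byte jmp replaces the 5-byte original instruction
return:
registersymbol(INJECT)

[DISABLE]
INJECT:
  db F3 0F 10 04 81        // restore the original bytes

unregistersymbol(INJECT)
dealloc(newmem)
```

With the script enabled, "Find out what addresses this instruction accesses" on the first movss inside newmem shows only the addresses that passed both compares, exactly as in the post's final step; once that is confirmed, the filtered branch is where any per-address modification belongs.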