[ASM Help] Coord. write, not understanding ASM.

TheyCallMeTim13

Mar 3, 2017
#1
So I've been trying to find a delta multiplier (super speed), but I keep finding code like this and just can't figure out what's going on, even after stepping through the code.
NASM:
Game+168E3C:  0F11 5C 24 70               -  movups [rsp+70],xmm3               
Game+168E41:  0F11 55 F0                  -  movups [rbp-10],xmm2               
Game+168E45:  FF 50 60                    -  call qword ptr [rax+60]           
Game+168E48:  48 8B 58 08                 -  mov rbx,[rax+08]                   
Game+168E4C:  F6 83 AE000000 02           -  test byte ptr [rbx+000000AE],02   
Game+168E53:  74 08                       -  je 14037751D                       
Game+168E55:  48 8B CB                    -  mov rcx,rbx                       
Game+168E58:  E8 43878600                 -  call 140BDFC60                     
Game+168E5D:  49 8B 8F F0000000           -  mov rcx,[r15+000000F0]             <<<--- AOB Starts Here
Game+168E64:  0F28 CE                     -  movaps xmm1,xmm6                   
Game+168E67:  0FC6 CE 00                  -  shufps xmm1,xmm6,00               
Game+168E6B:  0F28 C6                     -  movaps xmm0,xmm6                   
Game+168E6E:  0F59 4B 40                  -  mulps xmm1,[rbx+40]               
Game+168E72:  48 83 C1 20                 -  add rcx,20                         
Game+168E76:  0FC6 C6 55                  -  shufps xmm0,xmm6,55               
Game+168E7A:  0F59 43 50                  -  mulps xmm0,[rbx+50]               
Game+168E7E:  48 8B 01                    -  mov rax,[rcx]                     
Game+168E81:  0F58 4B 70                  -  addps xmm1,[rbx+70]               
Game+168E85:  0FC6 F6 AA                  -  shufps xmm6,xmm6,-56               
Game+168E89:  0F59 73 60                  -  mulps xmm6,[rbx+60]               
////  INJECTING START  ----------------------------------------------------------
Game+168E8D:  0F58 C8                     -  addps xmm1,xmm0                   
Game+168E90:  0F58 CE                     -  addps xmm1,xmm6                   
////  INJECTING END  ----------------------------------------------------------
Game+168E93:  0F28 C1                     -  movaps xmm0,xmm1                   
Game+168E96:  F3 0F11 4D 24               -  movss [rbp+24],xmm1               
Game+168E9B:  0FC6 C1 55                  -  shufps xmm0,xmm1,55               
Game+168E9F:  0FC6 C9 AA                  -  shufps xmm1,xmm1,-56               
Game+168EA3:  F3 0F11 4D 2C               -  movss [rbp+2C],xmm1               
Game+168EA8:  F3 0F11 45 28               -  movss [rbp+28],xmm0               
Game+168EAD:  FF 50 60                    -  call qword ptr [rax+60]           
Game+168EB0:  48 8B 58 08                 -  mov rbx,[rax+08]                   
Game+168EB4:  F6 83 AE000000 02           -  test byte ptr [rbx+000000AE],02   
Game+168EBB:  74 08                       -  je 140377585                       
Game+168EBD:  48 8B CB                    -  mov rcx,rbx                       
Game+168EC0:  E8 DB868600                 -  call 140BDFC60                     
Game+168EC5:  0F28 43 40                  -  movaps xmm0,[rbx+40]               
Game+168EC9:  0F28 4B 50                  -  movaps xmm1,[rbx+50]               
Game+168ECD:  49 8B 8F F0000000           -  mov rcx,[r15+000000F0]             
Game+168ED4:  44 0F28 73 50               -  movaps xmm14,[rbx+50]             
Game+168ED9:  48 83 C1 20                 -  add rcx,20                         
Game+168EDD:  44 0FC6 73 60 49            -  shufps xmm14,[rbx+60],49           
Game+168EE3:  0FC6 C8 A0                  -  shufps xmm1,xmm0,-60
 

SunBeam

Feb 4, 2018
#2
Having fiddled a bit with MMX, I can tell you the shuffling is used to bring 2nd or 3rd DWORD in XMMx to first position so you can then use one-param instructions like "movss". See your code:

NASM:
Game+168E64:  0F28 CE                     -  movaps xmm1,xmm6                  
Game+168E67:  0FC6 CE 00                  -  shufps xmm1,xmm6,00              
Game+168E6B:  0F28 C6                     -  movaps xmm0,xmm6                  
Game+168E6E:  0F59 4B 40                  -  mulps xmm1,[rbx+40]
XMM6 is moved into XMM1, then the shufps you can view it as A XOR B (so XMM1 XOR XMM6), 00-ing the result of non-equal DWORDs. I'm guessing after this you get a single DWORD in xmm1 (your xmm1 looks like this -> xxxxxxxx - 00000000 - 00000000 - 00000000). So, of course now 'mulps xmm1,[rbx+40]' (am guessing a FLOAT's stored here) works nicely :p

See more about it here. What I recommend is writing down xmm1 and xmm6 on a piece of paper, apply the theory from that page and see what you get as result. Similarly, try changing this: "shufps xmm1,xmm0,-60" to "shufps xmm1,xmm0,x" (where x is 0,1,2,3..) and see the result with each re-run to get a feel on it ;)

BR,
Sun
 

Cielos

Mar 3, 2017
#3
It's been about a month already, so you may have solved the problem you were having, but here are some personal tips on how to read what that byte at the shufps means, or how to write one easily.

to write the byte, the way I often use to plan the shuffling is this:
1. write down the 4 elements order on the notepad like this:
Code:
4th    3rd    2nd    1st
11     10     01     00
2. then write down how you want it to become. e.g., I want to broadcast the 3rd element to all 4 elements. that means all 4 elements should be the 3rd element:
Code:
10    10    10    10
3. now use the calculator to convert it back to hex, that would be 0xAA. and done.

4. or, if you want to reorder to 2 4 1 4, then:
Code:
01    11    00    11
in hex: 0x73

so, for the 0x00 on the line Game+168e67 that SunBeam mentioned, just convert the 0x00 to binary, which is easy for 0x00:

Code:
00    00    00    00
so, that means it's broadcasting the 1st element into all 4 elements.


EDIT2 (rewrote the example):
if you want to apply a multiplier (or force, etc.) to a vector that would apply to a coord, you can do something like this.
Code:
//xmm1 : the vector
//xmm2 : coord you want to manipulate

mov eax,(float)2      //multiplier to be applied.
movd xmm0,eax         //              4th  3rd  2nd  1st
                      // xmm0 becomes 0    0    0    2

shufps xmm0,xmm0,00   //broadcast the least significant element to all 4 elements.
                      //i.e.          2    2    2    2

//shufps xmm0,xmm0,c0 //consider using c0 if you want the 4th element to stay zero.
                      //if used:      0    2    2    2

//shufps xmm0,xmm0,e0 //use e0 if the vector is 2d.
                      //if used:      0    0    2    2

mulps xmm1,xmm0       //apply the multiplier to the vector.
addps xmm2,xmm1       //apply the vector to the coord.
 
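Added example, not code from the thread: one Python model that covers both SunBeam's point in post #2 (shufps brings the 2nd/3rd lane down to lane 0 so the single-lane movss can store it) and Cielos' notepad recipe and multiplier snippet in post #3, then replays the instruction sequence from the listing in post #1. Lane 0 of each 4-element list is the low dword, the "1st" element in the 4th/3rd/2nd/1st diagram. The function names, the point in xmm6, the rows stood in for [rbx+40]..[rbx+70] and the vector/coord values are all assumptions made here for illustration; only the immediates and the instruction order come from the page.

```python
"""Lane-by-lane model of `shufps dst, src, imm8` and of the immediate-byte
recipe from post #3, applied to the listing in post #1.  Lane 0 of every
4-element list is the low dword, i.e. the "1st" element in the
4th/3rd/2nd/1st diagram.  All register and memory contents below are made
up for illustration."""
import struct


def shufps(dst, src, imm8):
    """New contents of dst after `shufps dst, src, imm8`.

    Result lanes 0-1 are picked from dst and lanes 2-3 from src; the 2-bit
    field i of imm8 (bits 2i+1:2i) selects which lane of that operand feeds
    result lane i.  With dst and src the same register (every shufps on the
    page) it is a plain permutation/broadcast of that register.
    """
    imm8 &= 0xFF     # Cheat Engine prints immediates in hex, so its -56 is -0x56 == 0xAA
    sel = [(imm8 >> (2 * i)) & 3 for i in range(4)]
    return [dst[sel[0]], dst[sel[1]], src[sel[2]], src[sel[3]]]


def mulps(a, b):
    return [x * y for x, y in zip(a, b)]


def addps(a, b):
    return [x + y for x, y in zip(a, b)]


def shufps_imm(order_4th_to_1st):
    """Post #3's notepad recipe: list the 1-based source element wanted in
    each slot, written 4th,3rd,2nd,1st, and pack the 2-bit codes."""
    imm8 = 0
    for elem in order_4th_to_1st:      # most significant field first
        imm8 = (imm8 << 2) | (elem - 1)
    return imm8


def high_to_low(lanes):
    """Show a lane list in the thread's 4th 3rd 2nd 1st order."""
    return tuple(reversed(lanes))


def float_bits(value):
    """What `mov eax,(float)2` really loads: the IEEE-754 single encoding."""
    return struct.unpack("<I", struct.pack("<f", value))[0]


def movd(eax):
    """`movd xmm0,eax`: the value lands in lane 0, lanes 1-3 are zeroed."""
    return [struct.unpack("<f", struct.pack("<I", eax))[0], 0.0, 0.0, 0.0]


def apply_scaled_vector(vector, coord, multiplier, imm8=0x00):
    """Post #3's snippet: movd + shufps broadcast, mulps, addps.  imm8 is the
    0x00 / 0xC0 / 0xE0 choice discussed in its comments."""
    xmm0 = movd(float_bits(multiplier))
    xmm0 = shufps(xmm0, xmm0, imm8)
    xmm1 = mulps(vector, xmm0)
    return addps(coord, xmm1)


def transform_point(xmm6, row40, row50, row60, row70):
    """Game+168E64..168E90 from post #1.  xmm6 = (x, y, z, w); row40..row70
    stand in for the 16 bytes at [rbx+40]..[rbx+70] (values assumed)."""
    xmm1 = shufps(xmm6, xmm6, 0x00)    # broadcast 1st lane (x)
    xmm0 = shufps(xmm6, xmm6, 0x55)    # broadcast 2nd lane (y)
    xmm1 = mulps(xmm1, row40)
    xmm0 = mulps(xmm0, row50)
    xmm1 = addps(xmm1, row70)
    xmm6 = shufps(xmm6, xmm6, 0xAA)    # listed as -56 (hex): broadcast 3rd lane (z)
    xmm6 = mulps(xmm6, row60)
    xmm1 = addps(xmm1, xmm0)           # INJECTING START
    xmm1 = addps(xmm1, xmm6)           # INJECTING END
    return xmm1   # lane i = x*row40[i] + y*row50[i] + z*row60[i] + row70[i]


def store_xyz(xmm1):
    """Game+168E93..168EA8: shufps drags the 2nd and 3rd lanes down to lane 0
    so the single-lane `movss` can store them (SunBeam's point in post #2)."""
    xmm0 = list(xmm1)                  # movaps xmm0,xmm1
    rbp24 = xmm1[0]                    # movss [rbp+24],xmm1
    xmm0 = shufps(xmm0, xmm1, 0x55)    # lane 0 <- 2nd lane
    xmm1 = shufps(xmm1, xmm1, 0xAA)    # lane 0 <- 3rd lane
    rbp2c = xmm1[0]                    # movss [rbp+2C],xmm1
    rbp28 = xmm0[0]                    # movss [rbp+28],xmm0
    return {"rbp+24": rbp24, "rbp+28": rbp28, "rbp+2C": rbp2c}


if __name__ == "__main__":
    print("broadcast 3rd ->", hex(shufps_imm((3, 3, 3, 3))))   # 0xaa
    print("2 4 1 4       ->", hex(shufps_imm((2, 4, 1, 4))))   # 0x73
    vec = [1.0, 2.0, 3.0, 4.0]
    pos = [10.0, 20.0, 30.0, 1.0]
    print("0x00:", high_to_low(apply_scaled_vector(vec, pos, 2.0, 0x00)))  # w scaled too
    print("0xC0:", high_to_low(apply_scaled_vector(vec, pos, 2.0, 0xC0)))  # w untouched
    out = transform_point([1.0, 2.0, 3.0, 1.0],
                          [1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0], [10, 20, 30, 0])
    print("xmm1 after injection point:", out, "->", store_xyz(out))
```

One check worth making against the listing itself: the encoded bytes at Game+168E85 are 0F C6 F6 AA, so the "-56" in the disassembly is a hex value (-0x56 mod 0x100 = 0xAA), which is exactly the "10 10 10 10" broadcast of the 3rd lane from the notepad recipe; the same holds for the "-60" at Game+168EE3 (bytes ... A0). The 0x00 / 0x55 / 0xAA trio in transform_point broadcasts x, y and z in turn, so after the injection point each lane of xmm1 holds x*row40 + y*row50 + z*row60 + row70 for that lane, which is why hooking there sees a finished coordinate rather than the raw input.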