First up, let's use Google. Search for "movss assembly" and you find this: [Link] -> "Moves a scalar single-precision floating-point value from the source operand (second operand) to the destination operand (first operand)". That means FLOAT. Then let's use Google again. Search for "movd assembly" and you find this: [Link] -> "Copies a doubleword from the source operand (second operand) to the destination operand (first operand)." That means DWORD.
Your code crashes because you operate with a FLOAT and write it as a DWORD (check what EAX is supposed to actually store as a value). If it's not that, then check that EAX isn't used in other functions/calculations (that it's hit only when you do that injection), as I have a feeling that's your actual reason for the crash.
Sorry, I wasn't clear on this. I did search for an answer before posting here, but I couldn't understand it. What I don't understand is why the game would crash when I use movss, which is the same instruction the game uses a couple of lines above.
It would crash at that line before hitting below code.
movdqu xmm1,dqword [xmm_backup1] // restore it
jmp return
Anyway, I'm pretty sure eax was 0x0 when I did stepping with F7, but I'll check again. Maybe it has some address there and I'm trying to override a value like you said.
Re: I need help understanding movss and movd
Posted: Mon Aug 12, 2019 10:45 pm
by SunBeam
You do realize you don't need to store xmm1 and restore it. You can work with either MMX (use xmm11 if you want, as long as it's not used in the calculus). "movdqu" assumes your code is 16-byte unaligned. "movss" should not be impacted by that.
EDIT: Can you actually post the whole function you're trying to hook in? I have a feeling your EAX is 16-byte aligned. Do you see any "movaps"?
Re: I need help understanding movss and movd
Posted: Tue Aug 13, 2019 1:34 am
by TheByteSize
Well, I have figured out my dumb-ass mistakes. movss [eax] works when eax is actually acting as a pointer, which means that it is holding an address instead of a value. Since I'm trying to move a hex value directly from xmm to eax (eax was 0x0), I need to use movd. DOH
As for the method of saving xmm, I copied it from [Link].
I got a question though. Since an xmm register consists of 4 sets of aligned 32-bit floating-point values, can I assume it's always aligned, and can I always use movdqa to save an xmm value?
I do want to learn a sure way to save xmm.
Thanks for the hints.
You have xmm0 ... xmm15. I'm sure you can find one of them, at that hook spot of yours, that is not used. Really now. It makes no sense to clog the hook with "movdqu [crap],your_xmm". I'd use that only as a last resort; only if ALL of them are in use at that spot. You're clearly not breaking in the middle of some heavy MMX computations, so pick one, as far away from yours as possible.
"I'm trying move hex value directly from xmm to eax(eax was 0x0), I need to use movd" - you're not making any sense here. If your "eax" is 0, both movss and movd will fail. You're not moving anything to eax, but to [eax]. That will cause an exception when eax is 0. That's because [0] == crash. Trying to read or write from address 0 never worked for anyone. Like I said, make sure the address you write to is valid and a constant (the function you hook in is not used by other functions, thus eax changing; and perhaps being 0 from time to time).
Lastly, my point was exactly the opposite. For 'movaps' or anything with an 'a' in MMX world you'll need a 16-byte aligned address. In short, an address that ends in 0 (xxxxxxx0). If the address is not aligned, you'll hit an exception, thus crash. Always use 'movups' (or the 'u' equivalent) to move stuff around.
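The two points argued across this thread (movss [eax] writes through eax as a pointer while movd eax, xmm0 drops the raw dword into eax, and movdqa/movaps fault on a non-16-byte-aligned address while movdqu/movups do not) can be reproduced outside the game. The block below is an added example, not code from any poster or from the Cheat Engine table being discussed. It uses SSE2 intrinsics where the compiler targets x86 so each function compiles to the instruction named in its comment; on other targets the same byte-level behaviour is emulated with memcpy. The function names, the 1.0f/-2.0f sample values and the 32-byte stack slot are constructed for this example.

```c
/* Added example (not from the forum thread): movss [eax] vs movd eax,xmm0,
 * and movdqa (aligned) vs movdqu (unaligned) xmm save/restore.
 * Function names, sample values and buffers are constructed for this demo. */
#include <stdint.h>
#include <string.h>

#if defined(__SSE2__) || defined(_M_X64) || (defined(_M_IX86_FP) && _M_IX86_FP >= 2)
#include <emmintrin.h>
#define HAVE_SSE2 1
#else
#define HAVE_SSE2 0   /* non-x86 build: emulate the byte semantics with memcpy */
#endif

/* movd eax, xmm0: copy the low 32 bits of xmm0 into a general register, bit for
 * bit. eax ends up holding the IEEE-754 encoding of the float, not an address. */
uint32_t movd_low_dword(float lane0)
{
#if HAVE_SSE2
    __m128 x = _mm_set_ss(lane0);                 /* xmm0 = {lane0, 0, 0, 0} */
    return (uint32_t)_mm_cvtsi128_si32(_mm_castps_si128(x));
#else
    uint32_t bits;
    memcpy(&bits, &lane0, 4);
    return bits;
#endif
}

/* movss [eax], xmm0: eax must be a POINTER. The low float of xmm0 is written to
 * the 4 bytes at that address; eax == 0 means a write to address 0, i.e. a crash.
 * The bytes stored are identical to the dword movd produces; only the destination
 * differs (memory at [eax] vs the register eax itself). */
void movss_store(float *dst, float lane0)
{
#if HAVE_SSE2
    _mm_store_ss(dst, _mm_set_ss(lane0));
#else
    memcpy(dst, &lane0, 4);
#endif
}

/* Helper for checking movss against movd: store into a local, read the 4 bytes back. */
uint32_t movss_stored_dword(float lane0)
{
    float slot = 0.0f;
    uint32_t bits;
    movss_store(&slot, lane0);
    memcpy(&bits, &slot, 4);
    return bits;
}

/* movdqa/movaps trap (#GP) on an address that is not 16-byte aligned, i.e. one
 * whose last hex digit is not 0. movdqu/movups accept any address. */
int is_16_aligned(const void *p) { return ((uintptr_t)p & 0xF) == 0; }

/* Save a full 128-bit xmm value to memory. Returns 0 on success, -1 when the
 * aligned form was requested on a misaligned address (the case the CPU would
 * have turned into an exception). */
int save_xmm(void *dst, const float lanes[4], int use_aligned_form)
{
    if (use_aligned_form && !is_16_aligned(dst))
        return -1;                                 /* movdqa would fault here */
#if HAVE_SSE2
    __m128 v = _mm_loadu_ps(lanes);                /* load the constructed xmm value */
    if (use_aligned_form)
        _mm_store_ps((float *)dst, v);             /* movaps: alignment already checked */
    else
        _mm_storeu_ps((float *)dst, v);            /* movups: any address is fine */
#else
    memcpy(dst, lanes, 16);
#endif
    return 0;
}

/* Round-trip a constructed xmm value through a deliberately misaligned stack
 * slot (an address ending in ...4). Returns 1 if the unaligned form worked and
 * the aligned form was refused at that address, 0 otherwise. */
int demo_save_restore(void)
{
    _Alignas(16) unsigned char slot[32];
    unsigned char *misaligned = slot + 4;         /* 16-byte aligned base + 4 */
    const float lanes[4] = { 1.0f, 2.5f, -3.0f, 0.125f };
    float back[4];

    if (save_xmm(misaligned, lanes, 1) != -1) return 0;   /* movdqa: must be refused */
    if (save_xmm(misaligned, lanes, 0) != 0)  return 0;   /* movdqu: must succeed */
    memcpy(back, misaligned, 16);                         /* "restore" into back[] */
    if (memcmp(back, lanes, 16) != 0) return 0;
    return is_16_aligned(slot) && !is_16_aligned(misaligned);
}
```

The takeaway matches the thread: movd and movss move the same four bytes, so if the goal is to get the value into eax, `movd eax, xmm0` is correct and `movss [eax], xmm0` with eax == 0 is a null write; and when saving a whole xmm register to a scratch location, the `u` forms are safe regardless of where that location happens to sit, while the `a` forms are only safe if the address really ends in 0.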
Yeah, my bad. You got xmm0-xmm7. Use the latter one.
I forgot to answer your other inquiry. The reason I chose to save/restore xmm instead of simply reusing an xmm register is that the hook point gets called many different times and I'm lazy to check all of them to make sure xmm doesn't contain any data. So I thought it might be a better idea to learn how to save xmm data and think of it as a simpler way to keep xmm intact.