Single Shared Instruction for lots of things?

Memory scanning, code injection, debugger internals and other gamemodding related discussion
gideon25
Table Makers
Posts: 427
Joined: Mon Mar 20, 2017 1:42 am
Reputation: 271

Single Shared Instruction for lots of things?

Post by gideon25 »

Let's say we have something like this (for the pre-release of Cook Serve Delicious 3):

Code:

"CSD3.exe"+177499: 8B 01                 -  mov eax,[ecx]
"CSD3.exe"+17749B: 89 47 F0              -  mov [edi-10],eax
"CSD3.exe"+17749E: 85 C0                 -  test eax,eax
"CSD3.exe"+1774A0: 74 54                 -  je CSD3.exe+1774F6
"CSD3.exe"+1774A2: FF 00                 -  inc [eax]
"CSD3.exe"+1774A4: 8B 47 F0              -  mov eax,[edi-10]
"CSD3.exe"+1774A7: 83 78 08 00           -  cmp dword ptr [eax+08],00
"CSD3.exe"+1774AB: 75 49                 -  jne CSD3.exe+1774F6
"CSD3.exe"+1774AD: 89 48 08              -  mov [eax+08],ecx
"CSD3.exe"+1774B0: EB 44                 -  jmp CSD3.exe+1774F6
// ---------- INJECTING HERE ----------
"CSD3.exe"+1774B2: F2 0F 10 01           -  movsd xmm0,[ecx]  <---------- accesses many dozens of addresses that have nothing to do with my value
"CSD3.exe"+1774B6: F2 0F 11 47 F0        -  movsd [edi-10],xmm0
// ---------- DONE INJECTING  ----------
"CSD3.exe"+1774BB: EB 39                 -  jmp CSD3.exe+1774F6
"CSD3.exe"+1774BD: 8B 01                 -  mov eax,[ecx]
"CSD3.exe"+1774BF: 89 47 F0              -  mov [edi-10],eax
"CSD3.exe"+1774C2: 8B 41 04              -  mov eax,[ecx+04]
"CSD3.exe"+1774C5: 89 47 F4              -  mov [edi-0C],eax
"CSD3.exe"+1774C8: EB 2C                 -  jmp CSD3.exe+1774F6
"CSD3.exe"+1774CA: 8B 01                 -  mov eax,[ecx]
"CSD3.exe"+1774CC: 85 C0                 -  test eax,eax
"CSD3.exe"+1774CE: 74 23                 -  je CSD3.exe+1774F3
"CSD3.exe"+1774D0: FF 40 04              -  inc [eax+04]
So no offset there, and while I can do dissect data/structures and get something to use a compare with, all I get is a crash when trying to do a compare in a script. I once saw a game (don't remember which) that used a single instruction that accessed thousands of addresses (maybe most of everything in the game) including all the player ones. Also, in both of these cases even viewing "Which addresses this instruction accesses" causes the game to slow to a crawl, and sometimes the address you are looking for never even shows up among the dozens or hundreds of addresses in that window. So, what do we do in such cases?

TheyCallMeTim13
Administration
Posts: 1480
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 736

Re: Single Shared Instruction for lots of things?

Post by TheyCallMeTim13 »

Use "break and trace" or "see what addresses this instruction accesses" on the RET to back-trace and find where the address is calculated (right click the instruction for these options); you might find different addresses come from different CALLs. Or you could find where offsets are added and look to see how the game figures out what offsets are needed. And it might be that the address is calculated just above what you posted. You can use a conditional breakpoint to help filter stuff out; it's an option with "break and trace", and in "View -> Breakpoint list -> set/change condition" for the rest (i.e. ECX == 0xDEADBEEF).

kantoboy69
Expert Cheater
Posts: 90
Joined: Fri Aug 30, 2019 5:33 am
Reputation: 39

Re: Single Shared Instruction for lots of things?

Post by kantoboy69 »

Here is an example in xenonauts 2
viewtopic.php?f=15&t=12308#p134819

get_value is shared by many classes that inherit it.

When back-tracing, find a suitable function from its stack/backtrace that will call your target instruction a few times or at least once.
I usually use the one in the stack found in "more information", then select the rsp+blah (more than 2 rets) function, double click it, and in the disassembler browser move up before the call to the function and set a breakpoint before the function is called. Then continue running. If it breaks again while running automatically, I move up to the last call until it only breaks when I triggered something like selling items. That way I know this is the function that starts to access the address I need, and I set a registersymbol as a flag so that I can use it on my target instruction that accesses the pointers. Also take note of the registers, since they may actually contain the base register to the address, which means you don't have to use the shared function to modify/use the targeted address.

Note: the stack contains the return address of the function and/or parameters before the call.
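As an added example (not code from either poster), here is kantoboy69's flag approach written as a Cheat Engine auto-assembler script around the shared movsd at CSD3.exe+1774B2 from the first post, which also does in a script what TheyCallMeTim13's conditional breakpoint does by hand. CALLER_ADDR is a placeholder for the instruction you found by back-tracing (the call that only runs for your value), and callerHook, callerOrig, flag and target are assumed names; the target is 32-bit, as in the listing.

```asm
define(CALLER_ADDR,"CSD3.exe"+11111111)  // PLACEHOLDER: replace with the caller found by back-tracing
[ENABLE]
alloc(newmem,$1000)
alloc(callerHook,$100)
alloc(callerOrig,16)   // copy of the caller's original bytes, used by [DISABLE]
alloc(flag,4)
alloc(target,4)
registersymbol(flag)
registersymbol(target)
label(code)
label(return)
label(callerReturn)
// CALLER_ADDR must begin a run of whole instructions at least 5 bytes long
callerOrig:
  readmem(CALLER_ADDR,5)
// Hook 1: the traced caller only raises the flag, then runs its own code
callerHook:
  mov dword ptr [flag],1
  readmem(CALLER_ADDR,5)
  jmp callerReturn
CALLER_ADDR:
  jmp callerHook
callerReturn:
// Hook 2: the shared movsd records ECX only while the flag is raised, so 'target' holds just the address reached through our caller
newmem:
  cmp dword ptr [flag],1
  jne code
  mov [target],ecx
  mov dword ptr [flag],0
code:
  movsd xmm0,[ecx]
  movsd [edi-10],xmm0
  jmp return
"CSD3.exe"+1774B2:
  jmp newmem
  nop 4
return:
[DISABLE]
"CSD3.exe"+1774B2:
  movsd xmm0,[ecx]
  movsd [edi-10],xmm0
CALLER_ADDR:
  readmem(callerOrig,5)
dealloc(newmem)
dealloc(callerHook)
dealloc(callerOrig)
dealloc(flag)
dealloc(target)
unregistersymbol(flag)
unregistersymbol(target)
```

After enabling, add a pointer entry with address `target` to the table; it only ever receives the ECX seen on the first shared-instruction hit after your caller ran, so the "dozens of addresses" problem from the first post disappears.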
