Any secrets, Tips, etc. for finding GOOD/Unique values in stack to use for compares?
Posted: Sat Mar 28, 2020 11:05 am
So I am making a table for a game maker game so I am going to use the stack for some compares. I found a great tutorial on youtube by Stephen Chapman about it.
Anyway, initially I had lots of problems with crashes, but once I decided to just start testing the stack filter/compare BEFORE changing anything, that helped. It was on an instruction that accessed around a thousand or so values. So I needed a compare for resources for the game (4 values), so I found one that really looked unique and was shared by my 4 values. I even checked several other addresses (but not all, obviously, there were 1000 of them) and so I thought I have it! Well no, after activating the script and checking what addresses it accessed after the compare there were still 30 of them. So I tried again, finding another one I thought was unique and checked MOST of the other values. Nope, it affected 5 values, 1 extra value than I needed. So finally I found another one shared among the 4 and I finally have it. The code looks like this:
newmem:
movsd xmm0,[esp+10]      // original instruction: load the value about to be stored
push ecx                 // ecx is used as scratch below, preserve it
mov ecx,[ebp+80]
pushf                    // the cmp below clobbers flags, preserve them
cmp ecx,1                // first stack filter: [ebp+80] must be 1
jne code
mov ecx,[ebp+C]
cmp ecx,2                // second filter: [ebp+C] must be 2
jne code
mov ecx,[ebp+18]
cmp ecx,1                // third filter: [ebp+18] must be 1
jne code
popf                     // all three matched: this access is one of the 4 resources
movsd xmm0,[resource]    // substitute our own value
movsd [esi],xmm0
pop ecx
jmp return
code:                    // filter failed: run the original code untouched
popf
pop ecx
movsd xmm0,[esp+10]
movsd [esi],xmm0
jmp return
resource:
dq (double)5000
Anyway, I was wondering if there was a better way? I mean, how can you guys tell it's not shared by the other addresses? Any secrets, tips, etc., or is it all trial and error or by whittling down using multiple compares like I had to? Or is it just because it was a Game Maker game? Thanks!
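Added example, not code from the poster or from Cheat Engine: a small Python script that takes one snapshot per accessed address (the stack values the debugger shows for that hit; the data below is constructed to mimic the poster's situation, where each single compare still leaks a couple of addresses) and works out which offsets are usable as compares and how many must be combined before nothing but the target addresses passes. All names and the sample offsets/values are my own assumptions.

```python
from collections import defaultdict

# Constructed sample capture: (accessed address, {stack offset: value}) per hit.
# Four resource addresses plus four unrelated ones that each share some, but not
# all, of the values the resources have in common.
SNAPSHOTS = [
    (0x0C100000, {0x0C: 2, 0x18: 1, 0x80: 1, 0x30: 7}),  # resource 1
    (0x0C100008, {0x0C: 2, 0x18: 1, 0x80: 1, 0x30: 7}),  # resource 2
    (0x0C100010, {0x0C: 2, 0x18: 1, 0x80: 1, 0x30: 9}),  # resource 3 (0x30 differs)
    (0x0C100018, {0x0C: 2, 0x18: 1, 0x80: 1, 0x30: 7}),  # resource 4
    (0x0D200000, {0x0C: 2, 0x18: 1, 0x80: 3, 0x30: 7}),  # unrelated, matches 0C and 18
    (0x0D200008, {0x0C: 2, 0x18: 5, 0x80: 1, 0x30: 7}),  # unrelated, matches 0C and 80
    (0x0D200010, {0x0C: 4, 0x18: 1, 0x80: 1, 0x30: 7}),  # unrelated, matches 18 and 80
    (0x0D200018, {0x0C: 4, 0x18: 5, 0x80: 3, 0x30: 7}),  # unrelated, matches nothing
]
TARGETS = {0x0C100000, 0x0C100008, 0x0C100010, 0x0C100018}


def candidate_predicates(snapshots, targets):
    """{offset: value} for offsets holding ONE value across every target hit.
    An offset whose value varies among the targets can never be a compare."""
    seen = defaultdict(lambda: defaultdict(set))  # offset -> addr -> values
    for addr, frame in snapshots:
        for off, val in frame.items():
            seen[off][addr].add(val)
    cands = {}
    for off, by_addr in seen.items():
        vals = set()
        for t in targets:
            vals |= by_addr.get(t, {None})  # None = target never seen at this offset
        if len(vals) == 1 and None not in vals:
            cands[off] = vals.pop()
    return cands


def leaked_addresses(snapshots, targets, predicates):
    """Non-target addresses that still pass every (offset == value) compare;
    this is the 'still 30 of them' the poster saw after one compare."""
    return {addr for addr, frame in snapshots if addr not in targets
            and all(frame.get(off) == val for off, val in predicates.items())}


def build_filter(snapshots, targets):
    """Greedily add the compare that removes the most leaks (lowest offset on
    ties) until no non-target passes. Returns (chosen compares, leaks left)."""
    cands = candidate_predicates(snapshots, targets)
    chosen = {}
    leaked = leaked_addresses(snapshots, targets, chosen)
    while leaked and len(chosen) < len(cands):
        best = min((o for o in cands if o not in chosen), key=lambda o: (
            len(leaked_addresses(snapshots, targets, {**chosen, o: cands[o]})), o))
        chosen[best] = cands[best]
        leaked = leaked_addresses(snapshots, targets, chosen)
    return chosen, leaked
```

Each entry of the returned `chosen` dict maps straight onto one `mov ecx,[ebp+XX]` / `cmp ecx,value` / `jne code` triple in the script above; an empty `leaked` set means the filter is exact for the captured hits, a non-empty one tells you which addresses will still be touched.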