A trick I learned for finding unique compares
Posted: Thu Mar 05, 2020 10:59 pm
I was having trouble with a particular game because a single opcode writes to every useful address, as well as thousands of others.
FreeER, on Discord (I think registered here as well) gave me some hints which helped immensely. Hopefully this can help someone else out.

Here is the original code:

code:
movss xmm0,[rcx+rax*4]

If I add a compare against [rcx+rax*4], who knows how many addresses it will filter out? I checked register states but many of them were the same.

Create a new script:

newmem:
cmp rax,EA // first compare
jne code
movss xmm0,[rcx+rax*4] // "restore" original code, but it's a "new" opcode accessing fewer addresses
jmp return
code:
movss xmm0,[rcx+rax*4]
jmp return

Now, activate the script and "Follow" the injection point to the code that you injected.

cmp rax,000000EA
jne 7FF655580016
movss xmm0,[rcx+rax*4]
jmp 7FF655707900
movss xmm0,[rcx+rax*4]
jmp 7FF655707900

There are two "duplicate" opcodes now, but the first one is only showing the addresses that matched the compare; the rest are going to the original code. In this case, we've filtered out everything except for 30 addresses.

Now we can add a second compare:

cmp rax,000000EA
jne 7FF655580016
cmp r8,00000001
jne 7FF655580016
movss xmm0,[rcx+rax*4]
jmp 7FF655707900
movss xmm0,[rcx+rax*4]
jmp 7FF655707900

Following the same steps, there is only one address being written to.

Now you can create your script.

This "drill down filter" makes some things a lot easier for me now, but I'm sure there are better/more advanced methods.
How do you manage this problem?
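The manual part of the drill-down above is deciding which register to compare on, and against which value. The following is an added example, not code from the post or from Cheat Engine: given the kind of list the instruction-access window produces (accessed address plus a register snapshot per hit), it works out which register values, singly or in pairs, select only the accesses to the address you care about, and emits an auto-assembler body in the same shape as the script in the post. The hit records, base addresses and register values are constructed for illustration; the record layout (a dict with "address" and "regs") is an assumption, not a Cheat Engine export format.

```python
"""Find the register compares that isolate one address among an
instruction's many accesses (added example; constructed data)."""
from itertools import combinations


def build_sample_hits():
    """Constructed sample: an opcode like `movss xmm0,[rcx+rax*4]` executed
    for three objects (base in rcx, object number in r8), stepping rax over
    0x100 fields each. One access per (object, field) pair."""
    hits = []
    for obj in range(3):
        rcx = 0x7FF6_5000_0000 + obj * 0x1000          # constructed base address
        for rax in range(0x100):
            hits.append({
                "address": rcx + rax * 4,
                "regs": {"rax": rax, "rcx": rcx, "r8": obj},
            })
    return hits


HITS = build_sample_hits()
# The address we want: field 0xEA of object 1 (constructed target).
TARGET = 0x7FF6_5000_0000 + 1 * 0x1000 + 0xEA * 4


def select(hits, conds):
    """Return the hits that satisfy every (register, value) condition, i.e.
    the accesses that would survive a chain of `cmp reg,value` / `jne code`."""
    return [h for h in hits if all(h["regs"][r] == v for r, v in conds)]


def find_filters(hits, target, max_terms=2):
    """Return the shortest compare chains (up to max_terms compares) that
    select accesses to `target` and nothing else. Candidate values are taken
    from the target's own hits, since comparing against any other value would
    filter the target out as well."""
    target_hits = [h for h in hits if h["address"] == target]
    if not target_hits:
        raise ValueError("target address is never accessed by this instruction")
    regs = sorted(target_hits[0]["regs"])
    found = []
    for n in range(1, max_terms + 1):
        for reg_combo in combinations(regs, n):
            value_sets = {tuple(h["regs"][r] for r in reg_combo) for h in target_hits}
            for values in sorted(value_sets):
                conds = tuple(zip(reg_combo, values))
                selected = select(hits, conds)
                if selected and all(h["address"] == target for h in selected):
                    found.append(conds)
        if found:
            break  # fewest compares wins; longer chains would be redundant
    return found


def to_asm(conds, original="movss xmm0,[rcx+rax*4]"):
    """Emit an auto-assembler body in the shape used in the post: the filtered
    copy of the instruction runs only when every compare passes; everything
    else falls through to the untouched original. Bare numbers are written in
    hex, which is how the auto assembler reads them by default."""
    lines = ["newmem:"]
    for reg, val in conds:
        lines.append(f"cmp {reg},{val:X}")
        lines.append("jne code")
    lines += [original, "jmp return", "code:", original, "jmp return"]
    return "\n".join(lines)


if __name__ == "__main__":
    for conds in find_filters(HITS, TARGET):
        print(f"{len(select(HITS, conds))} access(es) survive {conds}")
    print(to_asm(find_filters(HITS, TARGET)[0]))
```

On the constructed data no single register isolates the target (rax alone keeps one access per object, r8 alone keeps every field of that object), and the script reports the two-compare chains that do. It lists every working pair, including one on rcx; in practice prefer registers whose values are stable between runs, such as an index or object number, since a base pointer in a register like rcx is usually different the next time the game is loaded.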