I need help understanding movss and movd

[TheByteSize]

here is snip set.

Code: Select all

  movdqu dqword [xmm_backup1],xmm1 // save it
  xorps xmm1,xmm1
  movss xmm1,[esi+00000124]
  addss xmm1,[more_speed]
  movss [eax],xmm1
  movdqu xmm1,dqword [xmm_backup1] // restore it

this will crash at

Code: Select all

movss [eax],xmm1

I changed that line to this and works fine

Code: Select all

movd eax,xmm1

couple line above where Injection occur the game have code like this and works fine.

Code: Select all

mov eax,[edi+000004B4]
mov edx,[ebp-0C]
movss [eax],xmm1
mov ecx,[edi+00000384]

[SunBeam]

First up, let's use google. Search for "movss assembly" and you find this: [Link] -> "Moves a scalar single-precision floating-point value from the source operand (second operand) to the destination operand (first operand)". That means FLOAT. Then let's use google again. Search for "movd assembly" and you find this: [Link] -> "Copies a doubleword from the source operand (second operand) to the destination operand (first operand)." That means DWORD.

Your code crashes because you operate with a FLOAT and write it as a DWORD (check what EAX is supposed to actually store as a value). If it's not that, then check that EAX isn't used in other functions/calculations (that it's hit only when you do that injection), as I have a feeling that's your actual reason for the crash.

Google powa!

BR,
Sun

[TheByteSize]

Sorry, I wasn't clear on this. I did search for answer before posting here but I couldn't understand . What I don't understand is that why would the game crash when I use movss that is same instruction the game use couple lines above.
It would crash at that line before hitting below code.

Code: Select all

movdqu xmm1,dqword [xmm_backup1] // restore it
jmp return

Any way, I'm pretty sure eax was 0x0 when I and did stepping if F7 but I'll check again. Maybe it has some address there and I'm trying to override value like you said.

[SunBeam]

You do realize you don't need to store xmm1 and restore it. You can work with either MMX (use xmm11 if you want, as long as it's not used in the calculus). "movdqu" assumes your code is 16-bytes unaligned. "movss" should not be impacted by that.

EDIT: Can you actually post the whole function you're trying to hook in? I have a feeling your EAX is 16-bytes aligned. Do you see any "movaps"?

[TheByteSize]

Well, I have figured out my dumb ass mistakes. movss [eax] works when eax is actually acting as a pointer which mean that it is holding an address instead of a value. Since, I'm trying move hex value directly from xmm to eax(eax was 0x0), I need to use movd. DOH

As for method of saving xmm. I copied it from [Link].
I got a question though. Since xmm is a register consist of 4 set of aligned 32 bits floating point, can I assume it's always aligned and can I always use movdqa to save xmm value?

I do want to learn a sure way to save xmm.

Thanks for the hints.

[Chucky]

Well, I have figured out my dumb ass mistakes. movss [eax] works when eax is actually acting as a pointer which mean that it is holding an address instead of a value. Since, I'm trying move hex value directly from xmm to eax(eax was 0x0), I need to use movd. DOH

As for method of saving xmm. I copied it from [Link].
I got a question though. Since xmm is a register consist of 4 set of aligned 32 bits floating point, can I assume it's always aligned and can I always use movdqa to save xmm value?

I do want to learn a sure way to save xmm.

Thanks for the hints.

[TheByteSize]

STN already showed that method in the other post. Are you trying to promote your channel?

EDIT: Additionally, I wouldn't trust someone that reserve 20 bytes for a 16 bytes xmm without explanation.

[SunBeam]

Well, I have figured out my dumb ass mistakes. movss [eax] works when eax is actually acting as a pointer which mean that it is holding an address instead of a value. Since, I'm trying move hex value directly from xmm to eax(eax was 0x0), I need to use movd. DOH

As for method of saving xmm. I copied it from [Link].
I got a question though. Since xmm is a register consist of 4 set of aligned 32 bits floating point, can I assume it's always aligned and can I always use movdqa to save xmm value?

I do want to learn a sure way to save xmm.

Thanks for the hints.

You have xmm0 ... xmm15. I'm sure you can find one of them, at that hook spot of yours, that is not used. Really now Make no sense to clog the hook with "movdqu [crap],your_xmm" I'd use that only as a last resort; only if ALL of them are in use at that spot. You're clearly not breaking in the middle of some heavy MMX computations, so pick one.. as far away from yours as possible.

"I'm trying move hex value directly from xmm to eax(eax was 0x0), I need to use movd" - you're not making any sense here. If your "eax" is 0, both movss and movd will fail. You're not moving anything to eax, but to [eax]. That will cause an exception when eax is 0. That's because [0] == crash. Trying to read or write from 0 address never worked for anyone. Like I said.. make sure the address you write to is valid and a constant (the function you hook in is not used by other functions, thus eax changing; and perhaps being 0 from time to time).

Lastly, my point was exactly the opposite. For 'movaps' or anything with an 'a' in MMX world you'll need a 16-bytes aligned address. In short, an address that ends in 0 (xxxxxxx0). If the address is not aligned, you'll hit an exception, thus crash. Always use 'movups' (or 'u' equivalent) to move stuff around.

[TheByteSize]

Isn't xmm8~15 only available only if the executable was compiled as 64bit?

And thanks for explanation on align float part and the use of []; I totally forgot the meaning of bracket. Err, tunnel vision.

[SunBeam]

Yeah, my bad. You got xmm0-xmm7. Use the latter one

[TheByteSize]

Yeah, my bad. You got xmm0-xmm7. Use the latter one

I forgot to answer your other inquiry. The reason I chose to save/restore xmm instead of simply reuse xmm register is that the hook point get called many different times and I'm lazy to check all of them to make sure xmm doesn't contain any data. So I though, it might be better idea to learn how to save xmm data and think of it as simpler way to keep xmm intact.

[SunBeam]

the hook point get called many different times

Exactly my point when I said it's most likely the reason for the crash

[Chucky]

STN already showed that method in the other post. Are you trying to promote your channel?

EDIT: Additionally, I wouldn't trust someone that reserve 20 bytes for a 16 bytes xmm without explanation.

First of all this is not my channel.
You don`t know how to use xmm regs (wtf is xmm reg) and you still can not trust him ?

[Chucky]

Watch some vids, read tuts and stop posting shits that you don`t understand.