Registered Symbol Value Keeps Resetting?

[Badass Dolphin]

I'm pretty sure I know what the cause of this issue is, the instruction is shared op code. It's being used thousands of times a second by 30+ addresses. I found a 100% guaranteed commonality to get the specific address I want so that's not the issue, the issue is the script is resetting my custom allocated address back to its original value when the instruction is called. How do I fix this?

First script:

Script#1

Code: Select all

[ENABLE]
aobscanmodule(rowerStaminaData,ACOdyssey.exe,F3 44 0F 11 43 50 74) // should be unique
alloc(newmem,$500,rowerStaminaData)
alloc(maxRowerStamina,$4,rowerStaminaData)
alloc(rowerStaminaAddy,$4,rowerStaminaData)
alloc(infiniteStaminaEnabled,$1,rowerStaminaData)

label(code,return)
registersymbol(maxRowerStamina,rowerStaminaAddy,infiniteStaminaEnabled)

newmem:
	cmp [rbx+48],#4
  jne code
  push rdx
  mov rdx,[rbx+3C]
  mov [maxRowerStamina],rdx
  pop rdx
  push rdx
  mov rdx,[rbx+50]
  mov [rowerStaminaAddy],rdx
  pop rdx
  cmp [infiniteStaminaEnabled],#1 // HERE
  jne code
  push rdx
  mov rdx,[rbx+3C]
  mov [rbx+50],rdx
  pop rdx
  jmp return

code:
  movss [rbx+50],xmm8
  jmp return

rowerStaminaData:
  jmp newmem
  nop

return:
	registersymbol(rowerStaminaData)

[DISABLE]
rowerStaminaData:
  db F3 44 0F 11 43 50

unregistersymbol(*)
dealloc(*)

{
// ORIGINAL CODE - INJECTION POINT: ACOdyssey.exe+308AD89

ACOdyssey.exe+308AD6A: 0F 2F 43 50           - comiss xmm0,[rbx+50]
ACOdyssey.exe+308AD6E: 76 15                 - jna ACOdyssey.exe+308AD85
ACOdyssey.exe+308AD70: B2 01                 - mov dl,01
ACOdyssey.exe+308AD72: EB 08                 - jmp ACOdyssey.exe+308AD7C
ACOdyssey.exe+308AD74: 0F 2F 43 50           - comiss xmm0,[rbx+50]
ACOdyssey.exe+308AD78: 77 0B                 - ja ACOdyssey.exe+308AD85
ACOdyssey.exe+308AD7A: 33 D2                 - xor edx,edx
ACOdyssey.exe+308AD7C: 48 8D 4B 08           - lea rcx,[rbx+08]
ACOdyssey.exe+308AD80: E8 1B A8 93 FD        - call ACOdyssey.exe+9C55A0
ACOdyssey.exe+308AD85: 45 0F 2E C8           - ucomiss xmm9,xmm8
// ---------- INJECTING HERE ----------
ACOdyssey.exe+308AD89: F3 44 0F 11 43 50     - movss [rbx+50],xmm8
// ---------- DONE INJECTING  ----------
ACOdyssey.exe+308AD8F: 74 07                 - je ACOdyssey.exe+308AD98
ACOdyssey.exe+308AD91: 80 8B 82 00 00 00 01  - or byte ptr [rbx+00000082],01
ACOdyssey.exe+308AD98: 0F 28 74 24 50        - movaps xmm6,[rsp+50]
ACOdyssey.exe+308AD9D: 0F 28 7C 24 40        - movaps xmm7,[rsp+40]
ACOdyssey.exe+308ADA2: 44 0F 28 44 24 30     - movaps xmm8,[rsp+30]
ACOdyssey.exe+308ADA8: 44 0F 28 4C 24 20     - movaps xmm9,[rsp+20]
ACOdyssey.exe+308ADAE: 48 83 C4 60           - add rsp,60
ACOdyssey.exe+308ADB2: 5B                    - pop rbx
ACOdyssey.exe+308ADB3: C3                    - ret
ACOdyssey.exe+308ADB4: CC                    - int 3
}

Script #2

Code: Select all

[ENABLE]
infiniteStaminaEnabled:
	db 1

[DISABLE]
infiniteStaminaEnabled:
	db 0

infiniteStaminaEnabled is reset immediately.

[ShyTwig16]

Doesn't seem like any thing in the first script is writing to it. You'll just have to debug, and try to see what writes the the flag.

[Badass Dolphin]

Doesn't seem like any thing in the first script is writing to it. You'll just have to debug, and try to see what writes the the flag.

No, nothing is writing to infiniteStaminaEnabled only the second script. Which is why I'm confused the first script is resetting the value to 0, nothing writing to it, just reading.

[LeFiXER]

Code: Select all

  // move value from [RBX+3C] into RDX
  mov rdx,[rbx+3C]
  // move value from RDX into allocated memory [maxRowerStamina]
  mov [maxRowerStamina],rdx
  pop rdx

Is this intentional? Or did you want the maxRowerStamina to be a set value by the user? Also, not sure if this is an issue but your logic compares an integer against a byte value.

Code: Select all

cmp [infiniteStaminaEnabled],#1 // HERE
// # = Integer
-------------------------
infiniteStaminaEnabled:
	db 1
// db = byte

Again, not sure if that bears any problems.

Lastly, try this (assuming it's a single-float value)

Code: Select all

  cmp [infiniteStaminaEnabled],#1 // HERE
  jne code
  movss xmm8,[rbx+3C]
  movss [rbx+50],xmm8
  jmp return

code:
  movss [rbx+50],xmm8 
  jmp return

[DrummerIX]

Try defining 8 bytes for your variables. It is 64-bit program, so pointers are 8 bytes, not 4.

When it writes to rowerStaminaAddy, it overwrites the next 4 bytes too.

[ShyTwig16]

...

I was only thinking about what you ask, but after seeing what LeFiXER said I would add this. The compare for "infiniteStaminaEnabled" you compare a 4 byte (32 bit) value, so you probably want to use cmp byte ptr [infiniteStaminaEnabled],01 so you are only comparing a byte. And you only allocate 4 bytes for "rowerStaminaAddy" and "maxRowerStamina", but you set those values using a 64 bit registry (8 bytes); and that might actually be what's overriding the flag if CE packs all those in the same place. But you should have gotten a hit for "see what writes to this address" when debugging.

...

Using # is the same as using (int), it's more about the format than the size. But yeah, if the value isn't over 9 there is no reason for it since (int) 1 is equal to 0x1 and so on up to 9. And using a general purpose registry is fine like this, but they need to use the right size (i.e. edx for 32 bits, not rdx which is 64 bits). But since the original code uses xmm8, I too would use that instead of pushing and popping one.

EDIT:
Looks like DrummerIX beat me to it.

[Badass Dolphin]

Try defining 8 bytes for your variables. It is 64-bit program, so pointers are 8 bytes, not 4.

When it writes to rowerStaminaAddy, it overwrites the next 4 bytes too.

Thanks that did it!