Shared opcode, weirdness when comparing

[CheatingMuppet]

I've got an opcode which handles both the health address and the energy address of the player and I need to separate them both into their own pointer.
The script "works" but it occasionally doesn't seem to separate properly and both the health and energy pointers will point to the energy address.

Here's what happens:
1. Activate script
2. Start using energy before script finishes grabbing any addresses.
3. Now both HP and Ene pointers have the same addresses

I don't understand why this happens since I'm comparing r13 which is always 0/1 depending on if its hp or ene.
I've done some testing with breakpoints and no matter if I'm spending my energy, when R13==1, RDX+44 always contains hp.

I'd be very grateful if someone could help me figure out whats wrong with my script.

Also while I'm at it, this code is being run at a place in memory which is being accessed multiple times a second and yet it takes 5+ seconds for the pointers to start working, why is this ?

Here's the script:

Code: Select all

[ENABLE]

aobscanmodule(GetHPAndEnergyAddress,DXMD.exe,0F 2F 73 44 40 0F 96 D6) // should be unique
alloc(newmem,$1000,"DXMD.exe"+3B71F84)
alloc(ptrEne,8)
alloc(ptrHP,8)
alloc(ptrPlayer,8)

label(code)
label(return)

label(setPtrEne)
label(setPtrHP)

registersymbol(ptrHP)
registersymbol(ptrEne)
registersymbol(ptrPlayer)

newmem:
  push rdi
  lea rdi,[rbx]
  mov [ptrPlayer],rdi
  pop rdi
  cmp r13,0
  je setPtrEne
  cmp r13,1
  je setPtrHP

setPtrHP:
  push rdi
  lea rdi,[rbx+44]
  mov [ptrHP],rdi
  pop rdi
  jmp code

setPtrEne:
  push rdi
  lea rdi,[rbx+44]
  mov [ptrEne],rdi
  pop rdi
  jmp code

code:
  comiss xmm6,[rbx+44]
  setbe sil
  jmp return

ptrHP:
dd 0

ptrEne:
dd 0

ptrPlayer:
dd 0

GetHPAndEnergyAddress:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(GetHPAndEnergyAddress)

[DISABLE]

GetHPAndEnergyAddress:
  db 0F 2F 73 44 40 0F 96 D6

unregistersymbol(ptrHP)
unregistersymbol(ptrEne)
unregistersymbol(ptrPlayer)
unregistersymbol(GetHPAndEnergyAddress)
dealloc(newmem)
dealloc(ptrEne)
dealloc(ptrHP)
dealloc(ptrPlayer)

{
// ORIGINAL CODE - INJECTION POINT: "DXMD.exe"+3B71F84

"DXMD.exe"+3B71F60: 48 FF CF                 -  dec rdi
"DXMD.exe"+3B71F63: 75 F4                    -  jne DXMD.exe+3B71F59
"DXMD.exe"+3B71F65: 48 8B 03                 -  mov rax,[rbx]
"DXMD.exe"+3B71F68: 48 89 D9                 -  mov rcx,rbx
"DXMD.exe"+3B71F6B: FF 90 E0 00 00 00        -  call qword ptr [rax+000000E0]
"DXMD.exe"+3B71F71: 48 8B 06                 -  mov rax,[rsi]
"DXMD.exe"+3B71F74: 48 89 F1                 -  mov rcx,rsi
"DXMD.exe"+3B71F77: 0F 28 F0                 -  movaps xmm6,xmm0
"DXMD.exe"+3B71F7A: FF 90 D0 00 00 00        -  call qword ptr [rax+000000D0]
"DXMD.exe"+3B71F80: F3 0F 59 F0              -  mulss xmm6,xmm0
// ---------- INJECTING HERE ----------
"DXMD.exe"+3B71F84: 0F 2F 73 44              -  comiss xmm6,[rbx+44]
"DXMD.exe"+3B71F88: 40 0F 96 D6              -  setbe sil
// ---------- DONE INJECTING  ----------
"DXMD.exe"+3B71F8C: 48 89 D9                 -  mov rcx,rbx
"DXMD.exe"+3B71F8F: E8 FC F8 FF FF           -  call DXMD.exe+3B71890
"DXMD.exe"+3B71F94: 84 C0                    -  test al,al
"DXMD.exe"+3B71F96: 75 12                    -  jne DXMD.exe+3B71FAA
"DXMD.exe"+3B71F98: 48 8B 03                 -  mov rax,[rbx]
"DXMD.exe"+3B71F9B: 48 89 D9                 -  mov rcx,rbx
"DXMD.exe"+3B71F9E: FF 90 38 01 00 00        -  call qword ptr [rax+00000138]
"DXMD.exe"+3B71FA4: 0F 2F 43 4C              -  comiss xmm0,[rbx+4C]
"DXMD.exe"+3B71FA8: 73 25                    -  jae DXMD.exe+3B71FCF
"DXMD.exe"+3B71FAA: 48 8B 03                 -  mov rax,[rbx]
}

EDIT: The game is Deus Ex Mankind Divided, I should've mentioned that, sorry.

[DrummerIX]

Try putting a jmp after you cmp r13. It could be something other than 1 or 0 at some point.

Also, if it's a 64bit game, then you need dq when defining pointers.

Code: Select all

[ENABLE]

aobscanmodule(GetHPAndEnergyAddress,DXMD.exe,0F 2F 73 44 40 0F 96 D6) // should be unique
alloc(newmem,$1000,"DXMD.exe"+3B71F84)
alloc(ptrEne,8)
alloc(ptrHP,8)
alloc(ptrPlayer,8)

label(code)
label(return)

label(setPtrEne)
label(setPtrHP)

registersymbol(ptrHP)
registersymbol(ptrEne)
registersymbol(ptrPlayer)

newmem:
  push rdi
  lea rdi,[rbx]
  mov [ptrPlayer],rdi
  pop rdi
  cmp r13,0
  je setPtrEne
  cmp r13,1
  je setPtrHP
  jmp code

setPtrHP:
  push rdi
  lea rdi,[rbx+44]
  mov [ptrHP],rdi
  pop rdi
  jmp code

setPtrEne:
  push rdi
  lea rdi,[rbx+44]
  mov [ptrEne],rdi
  pop rdi
  jmp code

code:
  comiss xmm6,[rbx+44]
  setbe sil
  jmp return

ptrHP:
dq 0

ptrEne:
dq 0

ptrPlayer:
dq 0

GetHPAndEnergyAddress:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(GetHPAndEnergyAddress)

[DISABLE]

GetHPAndEnergyAddress:
  db 0F 2F 73 44 40 0F 96 D6

unregistersymbol(ptrHP)
unregistersymbol(ptrEne)
unregistersymbol(ptrPlayer)
unregistersymbol(GetHPAndEnergyAddress)
dealloc(newmem)
dealloc(ptrEne)
dealloc(ptrHP)
dealloc(ptrPlayer)

{
// ORIGINAL CODE - INJECTION POINT: "DXMD.exe"+3B71F84

"DXMD.exe"+3B71F60: 48 FF CF                 -  dec rdi
"DXMD.exe"+3B71F63: 75 F4                    -  jne DXMD.exe+3B71F59
"DXMD.exe"+3B71F65: 48 8B 03                 -  mov rax,[rbx]
"DXMD.exe"+3B71F68: 48 89 D9                 -  mov rcx,rbx
"DXMD.exe"+3B71F6B: FF 90 E0 00 00 00        -  call qword ptr [rax+000000E0]
"DXMD.exe"+3B71F71: 48 8B 06                 -  mov rax,[rsi]
"DXMD.exe"+3B71F74: 48 89 F1                 -  mov rcx,rsi
"DXMD.exe"+3B71F77: 0F 28 F0                 -  movaps xmm6,xmm0
"DXMD.exe"+3B71F7A: FF 90 D0 00 00 00        -  call qword ptr [rax+000000D0]
"DXMD.exe"+3B71F80: F3 0F 59 F0              -  mulss xmm6,xmm0
// ---------- INJECTING HERE ----------
"DXMD.exe"+3B71F84: 0F 2F 73 44              -  comiss xmm6,[rbx+44]
"DXMD.exe"+3B71F88: 40 0F 96 D6              -  setbe sil
// ---------- DONE INJECTING  ----------
"DXMD.exe"+3B71F8C: 48 89 D9                 -  mov rcx,rbx
"DXMD.exe"+3B71F8F: E8 FC F8 FF FF           -  call DXMD.exe+3B71890
"DXMD.exe"+3B71F94: 84 C0                    -  test al,al
"DXMD.exe"+3B71F96: 75 12                    -  jne DXMD.exe+3B71FAA
"DXMD.exe"+3B71F98: 48 8B 03                 -  mov rax,[rbx]
"DXMD.exe"+3B71F9B: 48 89 D9                 -  mov rcx,rbx
"DXMD.exe"+3B71F9E: FF 90 38 01 00 00        -  call qword ptr [rax+00000138]
"DXMD.exe"+3B71FA4: 0F 2F 43 4C              -  comiss xmm0,[rbx+4C]
"DXMD.exe"+3B71FA8: 73 25                    -  jae DXMD.exe+3B71FCF
"DXMD.exe"+3B71FAA: 48 8B 03                 -  mov rax,[rbx]
}

[CheatingMuppet]

Try putting a jmp after you cmp r13. It could be something other than 1 or 0 at some point.

Also, if it's a 64bit game, then you need dq when defining pointers.

Code: Select all

[ENABLE]

aobscanmodule(GetHPAndEnergyAddress,DXMD.exe,0F 2F 73 44 40 0F 96 D6) // should be unique
alloc(newmem,$1000,"DXMD.exe"+3B71F84)
alloc(ptrEne,8)
alloc(ptrHP,8)
alloc(ptrPlayer,8)

label(code)
label(return)

label(setPtrEne)
label(setPtrHP)

registersymbol(ptrHP)
registersymbol(ptrEne)
registersymbol(ptrPlayer)

newmem:
 push rdi
 lea rdi,[rbx]
 mov [ptrPlayer],rdi
 pop rdi
 cmp r13,0
 je setPtrEne
 cmp r13,1
 je setPtrHP
 jmp code

setPtrHP:
 push rdi
 lea rdi,[rbx+44]
 mov [ptrHP],rdi
 pop rdi
 jmp code

setPtrEne:
 push rdi
 lea rdi,[rbx+44]
 mov [ptrEne],rdi
 pop rdi
 jmp code

code:
 comiss xmm6,[rbx+44]
 setbe sil
 jmp return

ptrHP:
dq 0

ptrEne:
dq 0

ptrPlayer:
dq 0

GetHPAndEnergyAddress:
 jmp newmem
 nop
 nop
 nop
return:
registersymbol(GetHPAndEnergyAddress)

[DISABLE]

GetHPAndEnergyAddress:
 db 0F 2F 73 44 40 0F 96 D6

unregistersymbol(ptrHP)
unregistersymbol(ptrEne)
unregistersymbol(ptrPlayer)
unregistersymbol(GetHPAndEnergyAddress)
dealloc(newmem)
dealloc(ptrEne)
dealloc(ptrHP)
dealloc(ptrPlayer)

{
// ORIGINAL CODE - INJECTION POINT: "DXMD.exe"+3B71F84

"DXMD.exe"+3B71F60: 48 FF CF - dec rdi
"DXMD.exe"+3B71F63: 75 F4 - jne DXMD.exe+3B71F59
"DXMD.exe"+3B71F65: 48 8B 03 - mov rax,[rbx]
"DXMD.exe"+3B71F68: 48 89 D9 - mov rcx,rbx
"DXMD.exe"+3B71F6B: FF 90 E0 00 00 00 - call qword ptr [rax+000000E0]
"DXMD.exe"+3B71F71: 48 8B 06 - mov rax,[rsi]
"DXMD.exe"+3B71F74: 48 89 F1 - mov rcx,rsi
"DXMD.exe"+3B71F77: 0F 28 F0 - movaps xmm6,xmm0
"DXMD.exe"+3B71F7A: FF 90 D0 00 00 00 - call qword ptr [rax+000000D0]
"DXMD.exe"+3B71F80: F3 0F 59 F0 - mulss xmm6,xmm0
// ---------- INJECTING HERE ----------
"DXMD.exe"+3B71F84: 0F 2F 73 44 - comiss xmm6,[rbx+44]
"DXMD.exe"+3B71F88: 40 0F 96 D6 - setbe sil
// ---------- DONE INJECTING ----------
"DXMD.exe"+3B71F8C: 48 89 D9 - mov rcx,rbx
"DXMD.exe"+3B71F8F: E8 FC F8 FF FF - call DXMD.exe+3B71890
"DXMD.exe"+3B71F94: 84 C0 - test al,al
"DXMD.exe"+3B71F96: 75 12 - jne DXMD.exe+3B71FAA
"DXMD.exe"+3B71F98: 48 8B 03 - mov rax,[rbx]
"DXMD.exe"+3B71F9B: 48 89 D9 - mov rcx,rbx
"DXMD.exe"+3B71F9E: FF 90 38 01 00 00 - call qword ptr [rax+00000138]
"DXMD.exe"+3B71FA4: 0F 2F 43 4C - comiss xmm0,[rbx+4C]
"DXMD.exe"+3B71FA8: 73 25 - jae DXMD.exe+3B71FCF
"DXMD.exe"+3B71FAA: 48 8B 03 - mov rax,[rbx]
}

Thanks for the dd into dq thing, I had no idea.

The jmp made no difference. And it seems the problem only occurs when my energy is decreasing (while using augs) but is fine when its passively increasing again after being done using my augmentations.

[DrummerIX]

I don't have the game to help any further.

[fantomas]

I don't understand why this happens since I'm comparing r13 which is always 0/1 depending on if its hp or ene.
I've done some testing with breakpoints and no matter if I'm spending my energy, when R13==1, RDX+44 always contains hp.

Are you sure about r13? I mean, from my point of view, r13 is concerning your energy ONLY. r13=1 for 'energy is currently spending', r13=0 for 'energy is currently not spending'. In theory, it shouldn't have anything to do with your health.
Also, I cannot believe that that's the only opcode handling with these both values. I'm pretty sure that there are more than one address accessing/writing on these values, so you should try with another one. Or if you prefer to bother with that current one, then use another source operand, such like cmp [eax+50],0 //0:health 1:energy

[CheatingMuppet]

I don't understand why this happens since I'm comparing r13 which is always 0/1 depending on if its hp or ene.
I've done some testing with breakpoints and no matter if I'm spending my energy, when R13==1, RDX+44 always contains hp.

Are you sure about r13? I mean, from my point of view, r13 is concerning your energy ONLY. r13=1 for 'energy is currently spending', r13=0 for 'energy is currently not spending'. In theory, it shouldn't have anything to do with your health.
Also, I cannot believe that that's the only opcode handling with these both values. I'm pretty sure that there are more than one address accessing/writing on these values, so you should try with another one. Or if you prefer to bother with that current one, then use another source operand, such like cmp [eax+50],0 //0:health 1:energy

Well I can't be 100% sure but R13 so far has never not been either 0 or 1.
I don't think R13 is being set to 1 whenever energy is spent because if I put a breakpoint on the injection point then R13 is 1 regardless if I'm spending energy or not.

And as far as opcodes handling energy and health, there are a few but none of them are just health or energy. It's either health and energy or health, energy and sprint + random stuff or health + tons and tons of random addresses which I have no idea what they do.

Anyway, I did initially want only the health but when I noticed that the energy is there too then I figured why not grab it.

I found a different offset for health in ptrPlayer while R13=1 (Offset 44 is both HP & Ene but always ene when R13 is 1 and with a compare this will always get the right pointer i think) so I no longer need the +44 offset for health, I just grab the values from ptrPlayer (HP: +3C+EE0 & Ene: +44).
So while I'm still confused to why the original code wasn't working, it's no longer causing me any problems (far as I can tell).

[SunBeam]

...

[CheatingMuppet]

...

Uh, what ?

[Cake-san]

Since, this game is binary/ahead of time compilation , the offset is pretty much static across systems , until developer update the game...(which have a lot of roads for pointers?)

I'm just going to put another approach here. This approach only works when you know the exact count of address being accessed (In this event, only 2 addresses).

Code: Select all

[ENABLE]

aobscanmodule(GetHPAndEnergyAddress,DXMD.exe,0F 2F 73 44 40 0F 96 D6) // should be unique
alloc(newmem,$1000,GetHPAndEnergyAddress)


label(code)
label(return)

label(ptrHP)
label(ptrEne)
label(count)

registersymbol(ptrHP)
registersymbol(ptrEne)


newmem:
  push rdi
  lea rdi,[rbx+44]

  cmp [ptrHP],rdi
  je short code
  cmp [ptrEne],rdi
  je short code

  cmp byte ptr [count],01
  je short @f

  mov [ptrHP],rdi
  mov rdi,count
  add [rdi],01
  jmp short code
@@:
  lea rdi,[rbx+44]
  mov [ptrEne],rdi
  mov [count],0

code:
  pop rdi
  comiss xmm6,[rbx+44]
  setbe sil
  jmp return

ptrHP:
dq 0

ptrEne:
dq 0

count:
dq 0

GetHPAndEnergyAddress:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(GetHPAndEnergyAddress)

[DISABLE]

GetHPAndEnergyAddress:
  db 0F 2F 73 44 40 0F 96 D6

unregistersymbol(ptrHP)
unregistersymbol(ptrEne)
unregistersymbol(GetHPAndEnergyAddress)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "DXMD.exe"+3B71F84

"DXMD.exe"+3B71F60: 48 FF CF                 -  dec rdi
"DXMD.exe"+3B71F63: 75 F4                    -  jne DXMD.exe+3B71F59
"DXMD.exe"+3B71F65: 48 8B 03                 -  mov rax,[rbx]
"DXMD.exe"+3B71F68: 48 89 D9                 -  mov rcx,rbx
"DXMD.exe"+3B71F6B: FF 90 E0 00 00 00        -  call qword ptr [rax+000000E0]
"DXMD.exe"+3B71F71: 48 8B 06                 -  mov rax,[rsi]
"DXMD.exe"+3B71F74: 48 89 F1                 -  mov rcx,rsi
"DXMD.exe"+3B71F77: 0F 28 F0                 -  movaps xmm6,xmm0
"DXMD.exe"+3B71F7A: FF 90 D0 00 00 00        -  call qword ptr [rax+000000D0]
"DXMD.exe"+3B71F80: F3 0F 59 F0              -  mulss xmm6,xmm0
// ---------- INJECTING HERE ----------
"DXMD.exe"+3B71F84: 0F 2F 73 44              -  comiss xmm6,[rbx+44]
"DXMD.exe"+3B71F88: 40 0F 96 D6              -  setbe sil
// ---------- DONE INJECTING  ----------
"DXMD.exe"+3B71F8C: 48 89 D9                 -  mov rcx,rbx
"DXMD.exe"+3B71F8F: E8 FC F8 FF FF           -  call DXMD.exe+3B71890
"DXMD.exe"+3B71F94: 84 C0                    -  test al,al
"DXMD.exe"+3B71F96: 75 12                    -  jne DXMD.exe+3B71FAA
"DXMD.exe"+3B71F98: 48 8B 03                 -  mov rax,[rbx]
"DXMD.exe"+3B71F9B: 48 89 D9                 -  mov rcx,rbx
"DXMD.exe"+3B71F9E: FF 90 38 01 00 00        -  call qword ptr [rax+00000138]
"DXMD.exe"+3B71FA4: 0F 2F 43 4C              -  comiss xmm0,[rbx+4C]
"DXMD.exe"+3B71FA8: 73 25                    -  jae DXMD.exe+3B71FCF
"DXMD.exe"+3B71FAA: 48 8B 03                 -  mov rax,[rbx]
}

[CheatingMuppet]

Since, this game is binary/ahead of time compilation , the offset is pretty much static across systems , until developer update the game...(which have a lot of roads for pointers?)

I'm just going to put another approach here. This approach only works when you know the exact count of address being accessed (In this event, only 2 addresses).

Code: Select all

[ENABLE]

aobscanmodule(GetHPAndEnergyAddress,DXMD.exe,0F 2F 73 44 40 0F 96 D6) // should be unique
alloc(newmem,$1000,GetHPAndEnergyAddress)


label(code)
label(return)

label(ptrHP)
label(ptrEne)
label(count)

registersymbol(ptrHP)
registersymbol(ptrEne)


newmem:
  push rdi
  lea rdi,[rbx+44]

  cmp [ptrHP],rdi
  je short code
  cmp [ptrEne],rdi
  je short code

  cmp byte ptr [count],01
  je short @f

  mov [ptrHP],rdi
  mov rdi,count
  add [rdi],01
  jmp short code
@@:
  lea rdi,[rbx+44]
  mov [ptrEne],rdi
  mov [count],0

code:
  pop rdi
  comiss xmm6,[rbx+44]
  setbe sil
  jmp return

ptrHP:
dq 0

ptrEne:
dq 0

count:
dq 0

GetHPAndEnergyAddress:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(GetHPAndEnergyAddress)

[DISABLE]

GetHPAndEnergyAddress:
  db 0F 2F 73 44 40 0F 96 D6

unregistersymbol(ptrHP)
unregistersymbol(ptrEne)
unregistersymbol(GetHPAndEnergyAddress)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "DXMD.exe"+3B71F84

"DXMD.exe"+3B71F60: 48 FF CF                 -  dec rdi
"DXMD.exe"+3B71F63: 75 F4                    -  jne DXMD.exe+3B71F59
"DXMD.exe"+3B71F65: 48 8B 03                 -  mov rax,[rbx]
"DXMD.exe"+3B71F68: 48 89 D9                 -  mov rcx,rbx
"DXMD.exe"+3B71F6B: FF 90 E0 00 00 00        -  call qword ptr [rax+000000E0]
"DXMD.exe"+3B71F71: 48 8B 06                 -  mov rax,[rsi]
"DXMD.exe"+3B71F74: 48 89 F1                 -  mov rcx,rsi
"DXMD.exe"+3B71F77: 0F 28 F0                 -  movaps xmm6,xmm0
"DXMD.exe"+3B71F7A: FF 90 D0 00 00 00        -  call qword ptr [rax+000000D0]
"DXMD.exe"+3B71F80: F3 0F 59 F0              -  mulss xmm6,xmm0
// ---------- INJECTING HERE ----------
"DXMD.exe"+3B71F84: 0F 2F 73 44              -  comiss xmm6,[rbx+44]
"DXMD.exe"+3B71F88: 40 0F 96 D6              -  setbe sil
// ---------- DONE INJECTING  ----------
"DXMD.exe"+3B71F8C: 48 89 D9                 -  mov rcx,rbx
"DXMD.exe"+3B71F8F: E8 FC F8 FF FF           -  call DXMD.exe+3B71890
"DXMD.exe"+3B71F94: 84 C0                    -  test al,al
"DXMD.exe"+3B71F96: 75 12                    -  jne DXMD.exe+3B71FAA
"DXMD.exe"+3B71F98: 48 8B 03                 -  mov rax,[rbx]
"DXMD.exe"+3B71F9B: 48 89 D9                 -  mov rcx,rbx
"DXMD.exe"+3B71F9E: FF 90 38 01 00 00        -  call qword ptr [rax+00000138]
"DXMD.exe"+3B71FA4: 0F 2F 43 4C              -  comiss xmm0,[rbx+4C]
"DXMD.exe"+3B71FA8: 73 25                    -  jae DXMD.exe+3B71FCF
"DXMD.exe"+3B71FAA: 48 8B 03                 -  mov rax,[rbx]
}

Very interesting. It seems to work perfectly. Thanks for the help. Will keep this method in mind for future stuff.

Do you have any knowledge into why the other method doesn't work ?

[SunBeam]

So.. which game is this?..

EDIT: Deus Ex Mankind Divided.