Here is the excerpt from my code.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>   // std::boyer_moore_searcher
#include <iterator>     // std::distance
#include <span>

// This finds the address that holds the same pattern.
template <size_t N>
inline uintptr_t
VA (const uint8_t (&arr)[N])
{
  const uintptr_t pe_base = internal::get_process_base_addr ();
  // Hard-coded window into .text for this report; the real code uses the
  // section's base_of_code / size_of_code from the PE header.
  auto text = std::span<uint8_t>{
    // reinterpret_cast<uint8_t *>(pe_base) + base_of_code,
    // size_of_code
    reinterpret_cast<uint8_t *>(pe_base) + 0xb5c4b0,
    0xd2
  };
  auto pat = std::span{arr};
  std::boyer_moore_searcher searcher {
    pat.begin (), pat.end ()
  };
  // searcher() returns a pair [first, last) of the match; first == end if none.
  auto addr = searcher (text.begin (), text.end ());
  // 0x1000 stands for the .text RVA (base_of_code) that the span is meant to start at.
  return pe_base + 0x1000 + std::distance (text.begin (), addr.first);
}

const uint8_t check_dlls_func_pattern[] = {
  0x48, 0x8b, 0xc4, 0x48, 0x89, 0x48, 0x08, 0x56,
  0x57, 0x41, 0x56, 0x48, 0x81, 0xec, 0x80, 0x00,
  0x00, 0x00, 0x48, 0xc7, 0x40, 0x98, 0xfe, 0xff,
  0xff, 0xff, 0x48, 0x89, 0x58, 0x18,
};
uintptr_t check_dlls_func = VA (check_dlls_func_pattern);
```

My whole code is at https://github.com/nm004/ngs2-nm-plugin, but I think only this portion of my code is related to that behavior.
Hi all.

I have met a weird CPU behavior. In a nutshell, the CPU wrongly did

```
movzx ebx, byte ptr ds:[rax-1]
```

instead of `movzx ebx, byte ptr ds:[rax]`. Now, I will tell you more background.

That weird behavior could be observed in the program of my project. My project is just a DLL injection into the video game, namely NINJA GAIDEN SIGMA 2 on Steam (more specifically it is a Japanese version of the game). The weird thing happens in the middle of the pattern matching against the .text section of the process. Pattern matching is done by libstdc++'s `std::boyer_moore_searcher`. A pattern passed to the searcher is a `uint8_t` array constant wrapped in `std::span`. I confirmed the pattern matches against the portion of the .text and it is unique in the .text. The comparisons of characters succeed except the last comparison (the first character comparison in the context of Boyer-Moore search failed) because of the weird CPU behavior.

Here is the screenshot taken one step after the execution of `movzx ebx, byte ptr ds:[rax]`.

BL has a character in the .text. RAX is pointing to the address of that character. In this case, the address is `00007FF61DE3C4B0` and the character is `48` (`H`). But BL has `CC`, which is at [RAX-1], instead of `48`. After stepping forward, AL has `48` in the pattern, then `cmp bl, al` will fail.

I first observed this behavior on Wine (Windows emulator on Linux), then on Windows too. I could easily reproduce this behavior by restarting the process. Also, the behavior still exists after restarting my PC. I once saw the correct behavior, where BL had `48` after executing `movzx ebx, byte ptr ds:[rax]`, but I could not reproduce the correct behavior after restarting my PC and I have no idea why that happened.

Interestingly, the code behaves badly only on the specific portion of the .text, where the RVA is `0xb5c4b0`. Searching did its job against the image read from the disk.

It would be very helpful if someone tells me any info about this. Thank you.

Note: My CPU is AMD Ryzen 5 5600X.
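The following is an added example, not code from the ngs2-nm-plugin project or from the poster: a stand-alone version of the byte-pattern lookup shown in the excerpt, plus the check the post itself describes (comparing the live .text bytes with the image read from disk). The "process image" is a constructed byte buffer; `kBase`, `kTextRva` and `kPatOff` are made-up values chosen for the demonstration, and `find_pattern_va`, `diff_offsets` and `make_fake_text` are names introduced here. It adds two things the original lookup lacks: a Boyer-Moore hit is accepted only if a plain byte-for-byte comparison at the reported offset agrees with it, and a second occurrence of the pattern is treated as "not unique" rather than silently returning the first.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>   // std::boyer_moore_searcher
#include <optional>
#include <vector>

// Prefix of the check_dlls_func prologue quoted in the thread.
static const uint8_t kPattern[] = {
    0x48, 0x8b, 0xc4, 0x48, 0x89, 0x48, 0x08, 0x56,
    0x57, 0x41, 0x56, 0x48, 0x81, 0xec, 0x80, 0x00,
};

// Assumed values for the demo: .text at RVA 0x1000 (the constant in the
// excerpt's return statement), a made-up image base, and the offset at
// which the constructed buffer places the pattern.
constexpr uintptr_t kTextRva = 0x1000;
constexpr uintptr_t kBase    = 0x00007FF61D280000ULL;
constexpr size_t    kPatOff  = 0x40;

// Constructed stand-in for the mapped .text section: nop filler, a run of
// 0xCC bytes (int3, the padding MSVC emits between functions), then the
// pattern at kPatOff.
std::vector<uint8_t> make_fake_text()
{
    std::vector<uint8_t> text(0x100, 0x90);
    std::fill_n(text.begin() + 0x30, 0x10, 0xCC);
    std::copy(std::begin(kPattern), std::end(kPattern), text.begin() + kPatOff);
    return text;
}

// Pattern lookup in the style of the excerpt. Returns the virtual address
// of the match, or nullopt when the pattern is absent, fails re-verification,
// or occurs more than once in the searched window.
std::optional<uintptr_t>
find_pattern_va(const uint8_t *text, size_t text_len,
                const uint8_t *pat,  size_t pat_len,
                uintptr_t base, uintptr_t text_rva)
{
    const uint8_t *text_end = text + text_len;
    std::boyer_moore_searcher searcher{pat, pat + pat_len};
    auto [first, last] = searcher(text, text_end);
    if (first == text_end)
        return std::nullopt;                 // not found
    if (!std::equal(pat, pat + pat_len, first))
        return std::nullopt;                 // searcher and memory disagree
    if (searcher(last, text_end).first != text_end)
        return std::nullopt;                 // second occurrence: not unique
    return base + text_rva + static_cast<uintptr_t>(first - text);
}

// Offsets at which the live section differs from the on-disk copy. A lone
// 0xCC where the disk has another byte is what a software breakpoint
// written into code by a debugger looks like.
std::vector<size_t> diff_offsets(const uint8_t *live, const uint8_t *disk, size_t len)
{
    std::vector<size_t> out;
    for (size_t i = 0; i < len; ++i)
        if (live[i] != disk[i])
            out.push_back(i);
    return out;
}

// Demo wrapper over the constructed image.
std::optional<uintptr_t> demo_lookup()
{
    const auto text = make_fake_text();
    return find_pattern_va(text.data(), text.size(),
                           kPattern, sizeof kPattern, kBase, kTextRva);
}

int main()
{
    if (auto va = demo_lookup())
        std::printf("pattern at VA %#llx (RVA %#llx)\n",
                    (unsigned long long)*va, (unsigned long long)(*va - kBase));
    else
        std::puts("pattern not found or not unique");

    // Simulate one patched byte in the live copy and report where it differs.
    auto disk = make_fake_text();
    auto live = disk;
    live[kPatOff] = 0xCC;
    for (size_t off : diff_offsets(live.data(), disk.data(), live.size()))
        std::printf("offset %#zx: live %#04x, disk %#04x\n", off, live[off], disk[off]);
}
```

Against a real process the `text`/`disk` arguments would be the mapped section and the same section read from the file on disk with the PE header's `base_of_code`/`size_of_code`; the re-verification step makes a single mismatching byte fail the lookup instead of returning an address computed from a false match.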