S1N74X wrote: Tue Mar 01, 2022 4:49 pm
I am not sure what your script does, but did you save the flags with pushf and restore them with popf?
Game crashes are sometimes a hint that flags were not properly set.
I've been seeing this quite a few times with some people, as some sort of rule. If you intend to use pushf/popf as a personal practice, then please don't promote it or suggest it as some attempt to fix crashes.
Saving and restoring flags matters only when you know for certain the next instruction after your code cave is going to be an instruction that uses the flags (so you'd need to restore their original states). Like a JE or JNE. Other than that, it makes no sense to save/restore them. But hey, if you are stubborn, don't care for others' opinions and act like "I know better" so you won't change your mentality when addressed, then that's that. Lastly, using this where not required is also an indication of poor ASM knowledge on the user end.
Here's an example.
addr:
mov rax,[rcx+2B0]
test rax,rax
je L1
So you want to hook the 2 lines above, but not the JE:
cave:
mov rax,[rcx+2B0] // original
test rax,rax // original
mov rcx,[rax+200]
test rcx,rcx // at this point you've changed the original zero flag (ZF)
jmp back
addr:
jmp cave
je L1
back:
So with the above implementation (which is a very poor implementation) you're changing the ZF inside the cave. Based on rcx's value (null or not), ZF will be 0 or 1, because of "test rcx,rcx". So when the "jmp back" occurs (which doesn't affect any flags), the "je L1" can jump or not to L1. Whereas, if not hooked, it would jump to L1 only if rax is 0, as tested by "test rax,rax". So yes, that's where you'd need to use what you said.
cave:
mov rax,[rcx+2B0] // original
test rax,rax // original
pushf // <-- save the flags left by the original "test rax,rax"
mov rcx,[rax+200]
test rcx,rcx // at this point you've changed the original zero flag (ZF)
popf // <-- restore them, so "je L1" sees the original ZF
jmp back
addr:
jmp cave
je L1
back:
But then, again, in the implementation above, there's no point in doing that "test rcx,rcx" anymore if I restore the original flags, is there?
Like I said, poor implementation to exemplify.
Bottom line: Is your code cave changing flags? Is the next instruction at "back:" checking flags? Evaluate these questions, then decide if you actually need pushf/popf instead of "I put them here just to be safe". Cuz "just to be safe" to the knowledgeable eye means you don't know WHY you're using them like that, or have read/watched some tutorial where another "knowledgeable" person like you instructed you to do so, cuz it's "good", "will not cause errors" and "it's 2 lines of code anyway, so not time consuming to ALWAYS put them there". So you adopt that and boom, before you know it, it becomes a personal rule driven by just the fact that if you use those, chances of crashing are reduced to some imaginary minimum.
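An added illustration, not code from the post: a small C harness (GCC/Clang inline assembly, x86-64 only) runs the three sequences from the post against a constructed object layout and records what the "je L1" at "back:" would see in each case. The 0x2B0 and 0x200 offsets are the post's; the obj/inner buffers, the 128-byte stack step below the SysV red zone, and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if !defined(__x86_64__)
#error "x86-64 only: the cave in the post is x86-64 assembly"
#endif

/* Runs the post's two original instructions, then INJECTED, then records ZF with
   'sete' exactly as the 'je L1' at 'back:' would see it. rcx holds the object
   pointer as in the post, so "+c" lets the injected code overwrite it. */
#define RUN_CAVE(zf, obj, INJECTED)                                        \
    __asm__ volatile("mov 0x2B0(%%rcx), %%rax\n\t"                         \
                     "test %%rax, %%rax\n\t"                               \
                     INJECTED                                              \
                     "sete %[z]\n\t"                                       \
                     : [z] "=q"(zf), "+c"(obj) : : "rax", "cc", "memory")

/* The injected lines from the post: the second test overwrites ZF. */
#define UNGUARDED "mov 0x200(%%rax), %%rcx\n\t" "test %%rcx, %%rcx\n\t"
/* Same lines bracketed by pushf/popf. The lea steps below the 128-byte SysV
   red zone before pushing (lea does not touch flags); assumed here because this
   runs inside a compiled C function, not on a game's stack. */
#define GUARDED "lea -128(%%rsp), %%rsp\n\t" "pushfq\n\t" UNGUARDED \
                "popfq\n\t" "lea 128(%%rsp), %%rsp\n\t"

/* Each returns 1 if 'je L1' would be taken (ZF=1), 0 if it falls through. */
unsigned char original_je(uint8_t *obj) { unsigned char zf; RUN_CAVE(zf, obj, ""); return zf; }
unsigned char unguarded_je(uint8_t *obj) { unsigned char zf; RUN_CAVE(zf, obj, UNGUARDED); return zf; }
unsigned char guarded_je(uint8_t *obj) { unsigned char zf; RUN_CAVE(zf, obj, GUARDED); return zf; }

struct je_results { int original, unguarded, guarded; };

/* Constructed layout: obj+0x2B0 holds a non-null pointer to inner, and
   inner+0x200 holds inner_value. With inner_value == 0 the original code falls
   through (rax != 0) but the unguarded cave jumps, because ZF now reflects rcx. */
struct je_results run_scenario(uint64_t inner_value) {
    static uint8_t obj[0x2B0 + 8], inner[0x200 + 8];
    uint8_t *p = inner;
    memcpy(obj + 0x2B0, &p, sizeof p);
    memcpy(inner + 0x200, &inner_value, sizeof inner_value);
    struct je_results r = { original_je(obj), unguarded_je(obj), guarded_je(obj) };
    return r;
}

int main(void) {
    struct je_results r = run_scenario(0);   /* the divergent case */
    printf("je taken? original=%d unguarded=%d guarded=%d\n", r.original, r.unguarded, r.guarded);
    return 0;
}
```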