{"id":1670,"date":"2021-06-07T21:11:30","date_gmt":"2021-06-08T02:11:30","guid":{"rendered":"https:\/\/badecho.com\/?p=1670"},"modified":"2023-03-15T01:01:49","modified_gmt":"2023-03-15T06:01:49","slug":"how-to-push-sse-registers","status":"publish","type":"post","link":"https:\/\/badecho.com\/index.php\/2021\/06\/07\/how-to-push-sse-registers\/","title":{"rendered":"How To \u201cPush\u201d SSE (XMM) Registers"},"content":{"rendered":"\n
\"Let's<\/figure><\/div>\n\n\n\n

Maintaining the integrity and state of the CPU and stack is always vital whenever we’re discussing Omnified<\/a> processes, as these usually contain code concerned with the seamless overhaul of one gameplay system or another. Because this code gets injected into a running process’s memory, we need to make sure that anything we’re using for our own calculations is restored to how it was when we’re done doing our thing (save for the desired outcome<\/em> or affected part<\/em> of the injection, of course).<\/p>\n\n\n\n

This, seemingly neurotic, need to preserve CPU data integrity is, without a doubt, exacerbated a<\/em> bit <\/em>when we’re talking about injecting foreign code into a process (as is my wont when playing games on my streams<\/a>), since it is critical that everything is identical<\/em> as to how it was prior to our code executing (lest a crash doth follow). But, code injection aside, when writing assembly, you’ll often need to temporarily store data in order to make use of whatever register said data was occupying.<\/p>\n\n\n\n

Most of the time, this is a simple affair. Well, it is when we’re talking about general-purpose registers. Backing up the “globs” of data found in 128-bit (or wider) SSE registers<\/a> however? Not as clear cut. Let me show you how I do it.<\/p>\n\n\n\n

But first, an overview!<\/p>\n\n\n\n

Push it! Pop It!<\/h2>\n\n\n\n

As you may very well know, it’s easy to temporarily store data in a general-purpose register and then later restore it. We simply use the push<\/code> instruction to push <\/em>the data to the stack, and then later use the pop<\/code> instruction to essentially pop<\/em> said data off the stack.<\/p>\n\n\n\n

Pushing and Popping Some Stuff<\/h3>\n\n\n
\n\/\/ We need to use rax, rbx, rcx. Back them up!\npush rax\npush rbx\npush rcx\n\/\/ rax, rbx, and rcx are essentially backed up.\nmov rax,[someAddress]\nmov rbx,[rax+20]\nmov rcx,[rbx+10]\nmovss xmm0,[rcx+4]\n\/\/ Do whatever we need with these registers...\npop rcx\npop rbx\npop rax\n\/\/ rax, rbx, and rcx should now have their original values.\n<\/pre>\n\n\n
Pretty simple. It happens all the time.<\/p>\n\n\n\n
Very often, however, we might want to back up some data from a register that isn’t so general-purpose<\/em>, such as an SSE register. Perhaps we wanted to back up the xmm0<\/code> used in the previous example before writing to it — something you’d always want to do if injecting code that makes use of SSE registers into a running process (unless you love those crashes baby).<\/p>\n\n\n\n
Illegal Pushing and Popping!<\/h3>\n\n\n
\n\/\/ Same as before...\npush xmm0 \/\/ <-- This will fail!\nmovss xmm0,[rcx+4]\n\/\/ Do whatever we need with xmm0...\npop xmm0 \/\/ <-- This too! Fail!\n<\/pre>\n\n\n
That isn’t going to assemble buddy! You lose!<\/p>\n\n\n\n
I would be lying if I said I never tried the above before. Hey, I bet you may have too! The push<\/code> instruction is just so convenient! Why can’t it work for everything<\/em>! Sadly, attempting to back up a beefy SSE register in this fashion can only fail horribly<\/em>.<\/p>\n\n\n\n
Looking at some documentation<\/a>, it’s clear, more or less, that we’re limited in what we can “push” using this instruction: general-purpose registers, memory locations, and an even more limited range of immediate values.<\/p>\n\n\n\n
So How Can I Push an SSE Register?<\/h2>\n\n\n\n
If we understand the mechanics behind how the push<\/code> and pop<\/code> instructions actually work, then it becomes rather clear as to how we can back up the data in SSE registers such as xmm0<\/code>, xmm1<\/code>, or what have you. <\/p>\n\n\n\n
When we push<\/code> a register, we’re taking what’s on that register and placing it on the stack, the place in memory that essentially acts as temporary storage and which is being pointed to by the rsp<\/code> register. <\/p>\n\n\n\n
How does it place the register’s value on top of the stack? Typically, by subtracting a number of bytes from the stack pointer’s address, causing rsp<\/code> to essentially point to the next piece of memory that’s not currently being occupied by data that may still be needed (and if it is needed, then someone screwed up bad). <\/p>\n\n\n\n
Business is then concluded by writing the value to where rsp<\/code> now points to. When we pop<\/code> the value back onto the register, we’re essentially doing what’s described above, but in reverse.<\/p>\n\n\n\n
So, if we want to back up one of our SSE registers, we need only do exactly what the push<\/code> instruction itself does, bearing in mind the difference in the amount of memory required to store an SSE register’s value (sixteen bytes vs a general-purpose register’s eight bytes).<\/p>\n\n\n\n
Backing Up an SSE Register<\/h3>\n\n\n
\n\/\/ We need 16 bytes of space to write to on the stack.\nsub rsp,0x10 \/\/ 0x10 = 16 of course.\n\/\/ And then we just dump our SSE register onto the stack.\nmovdqu [rsp],xmm0\n\/\/ Do what needs to be done with xmm0...\nmovdqu xmm0,[rsp]\nadd rsp,0x10\n\/\/ xmm0 now has its original value, and the stack pointer is pointing to\n\/\/ where it was. All is well.\n<\/pre>\n\n\n
You see me do this all the time in my Omnified hacking framework<\/a>. <\/p>\n\n\n\n
Now: with this knowledge go forth and conquer the world, with the surety attainable only when one is confident in the integrity of those many SSE registers that helped them along in their journey.<\/p>\n","protected":false},"excerpt":{"rendered":"
Maintaining the integrity and state of the CPU and stack is always vital whenever we’re discussing Omnified processes, as these […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[10,16],"tags":[61],"yoast_head":"\r\nHow To \u201cPush\u201d SSE (XMM) Registers - omni's hackpad<\/title>\r\n<meta name=\"description\" content=\"Backing up general purpose registers is easy using "push". This doesn't work with XMM registers, however. Read on to see what I do instead.\" \/>\r\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\r\n<link rel=\"canonical\" href=\"https:\/\/badecho.com\/index.php\/2021\/06\/07\/how-to-push-sse-registers\/\" \/>\r\n<meta property=\"og:locale\" content=\"en_US\" \/>\r\n<meta property=\"og:type\" content=\"article\" \/>\r\n<meta property=\"og:title\" content=\"How To \u201cPush\u201d SSE (XMM) Registers - omni's hackpad\" \/>\r\n<meta property=\"og:description\" content=\"Backing up general purpose registers is easy using "push". This doesn't work with XMM registers, however. Read on to see what I do instead.\" \/>\r\n<meta property=\"og:url\" content=\"https:\/\/badecho.com\/index.php\/2021\/06\/07\/how-to-push-sse-registers\/\" \/>\r\n<meta property=\"og:site_name\" content=\"omni's hackpad\" \/>\r\n<meta property=\"article:published_time\" content=\"2021-06-08T02:11:30+00:00\" \/>\r\n<meta property=\"article:modified_time\" content=\"2023-03-15T06:01:49+00:00\" \/>\r\n<meta property=\"og:image\" content=\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/06\/PushSSE.png\" \/>\r\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\r\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/badecho.com\/#website\",\"url\":\"https:\/\/badecho.com\/\",\"name\":\"omni's hackpad\",\"description\":\"Game Code Disassembly. Omnified Modification. Madness.\",\"publisher\":{\"@id\":\"https:\/\/badecho.com\/#\/schema\/person\/3de67496328be7ae6e1f52faf582e9d2\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/badecho.com\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/06\/07\/how-to-push-sse-registers\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/badecho.com\/wp-content\/uploads\/2021\/06\/PushSSE.png\",\"width\":891,\"height\":543,\"caption\":\"Let's figure out how to backup these gigantic 128-bit registers...\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/06\/07\/how-to-push-sse-registers\/#webpage\",\"url\":\"https:\/\/badecho.com\/index.php\/2021\/06\/07\/how-to-push-sse-registers\/\",\"name\":\"How To \\u201cPush\\u201d SSE (XMM) Registers - omni's hackpad\",\"isPartOf\":{\"@id\":\"https:\/\/badecho.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/06\/07\/how-to-push-sse-registers\/#primaryimage\"},\"datePublished\":\"2021-06-08T02:11:30+00:00\",\"dateModified\":\"2023-03-15T06:01:49+00:00\",\"description\":\"Backing up general purpose registers is easy using \\\"push\\\". This doesn't work with XMM registers, however. Read on to see what I do instead.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/badecho.com\/index.php\/2021\/06\/07\/how-to-push-sse-registers\/\"]}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/06\/07\/how-to-push-sse-registers\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/06\/07\/how-to-push-sse-registers\/#webpage\"},\"author\":{\"@id\":\"https:\/\/badecho.com\/#\/schema\/person\/3de67496328be7ae6e1f52faf582e9d2\"},\"headline\":\"How To \\u201cPush\\u201d SSE (XMM) Registers\",\"datePublished\":\"2021-06-08T02:11:30+00:00\",\"dateModified\":\"2023-03-15T06:01:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/06\/07\/how-to-push-sse-registers\/#webpage\"},\"publisher\":{\"@id\":\"https:\/\/badecho.com\/#\/schema\/person\/3de67496328be7ae6e1f52faf582e9d2\"},\"image\":{\"@id\":\"https:\/\/badecho.com\/index.php\/2021\/06\/07\/how-to-push-sse-registers\/#primaryimage\"},\"keywords\":\"assembly\",\"articleSection\":\"General Dev,Omnified Design\",\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/badecho.com\/#\/schema\/person\/3de67496328be7ae6e1f52faf582e9d2\",\"name\":\"Matt Weber\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/badecho.com\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7e345ac2708b3a41c7bd70a4a0440d41?s=96&d=mm&r=g\",\"caption\":\"Matt Weber\"},\"logo\":{\"@id\":\"https:\/\/badecho.com\/#personlogo\"}}]}<\/script>\r\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/posts\/1670"}],"collection":[{"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/comments?post=1670"}],"version-history":[{"count":10,"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/posts\/1670\/revisions"}],"predecessor-version":[{"id":2676,"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/posts\/1670\/revisions\/2676"}],"wp:attachment":[{"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/media?parent=1670"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/categories?post=1670"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/badecho.com\/index.php\/wp-json\/wp\/v2\/tags?post=1670"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}