Values in "Code" that change at each restart

Section for general approaches on hacking various options in games. No online-related discussions/posts OR warez!
SilverRabbit90
Table Makers
Posts: 149
Joined: Fri Jan 15, 2021 12:01 am
Reputation: 95

Values in "Code" that change at each restart

Post by SilverRabbit90 »

In this script when I restart the game there are values in "Code" that change every time the game is restarted.

I tried removing the two lines of code, which change at every restart, but the game crashes.

jmp 2B9032EB0A7
mov rax,00007FF6D4192C64

Code:

{ Game   : Ryujinx.exe
  Version: 
  Date   : 2023-10-05
  Author : C0MPUTER

  This script does blah blah blah
}

[ENABLE]

aobscanregion(StorageItemQuantityListA,10000000000,40000000000,48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 ?? ?? ?? 0? 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 ?4 ?? ?? ?? F? 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E 5D 5B C3 00 53 55 56 57 41 54 41 55 41 56 41 57 48 83 EC 68) // should be unique
                                                               //48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 89 9A 99 02 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 24 32 35 0B F7 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E
                                                               //48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 4B D7 C3 01 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 64 34 16 D4 F6 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E 5D 5B C3 00 53 55 56 57 41 54 41 55 41 56 41 57 48 83 EC 68
alloc(newmem,$1000)

label(code)
label(return)

label(seeCurStorItQuanV1)
registersymbol(seeCurStorItQuanV1)

newmem:

push rbx
lea rbx,[rax+rbp+10]
mov [seeCurStorItQuanV1],rbx
pop rbx

code:
  mov eax,[rax+rbp+10]
  mov [rbx],rax
  mov rax,rsi

  jmp return

  seeCurStorItQuanV1:

StorageItemQuantityListA+2E:
  jmp far newmem
  nop 8
return:
registersymbol(StorageItemQuantityListA)

[DISABLE]

StorageItemQuantityListA+2E:
  db 8B 44 28 10 48 89 03 48 89 F0 EB 12 48 B8

unregistersymbol(*)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 3A21D60CDED

3A21D60CDBF: 48 83 EC 40                    - sub rsp,40
3A21D60CDC3: 48 89 CB                       - mov rbx,rcx
3A21D60CDC6: 48 8B 2B                       - mov rbp,[rbx]
3A21D60CDC9: 48 8B B3 F0 00 00 00           - mov rsi,[rbx+000000F0]
3A21D60CDD0: 8B 83 10 04 00 00              - mov eax,[rbx+00000410]
3A21D60CDD6: 85 C0                          - test eax,eax
3A21D60CDD8: 74 1F                          - je 3A21D60CDF9
3A21D60CDDA: 83 E8 01                       - sub eax,01
3A21D60CDDD: 89 83 10 04 00 00              - mov [rbx+00000410],eax
3A21D60CDE3: 48 B8 00 00 6C 12 A2 02 00 00  - mov rax,000002A2126C0000
// ---------- INJECTING HERE ----------
3A21D60CDED: 8B 44 28 10                    - mov eax,[rax+rbp+10]
// ---------- DONE INJECTING  ----------
3A21D60CDF1: 48 89 03                       - mov [rbx],rax
3A21D60CDF4: 48 89 F0                       - mov rax,rsi
3A21D60CDF7: EB 12                          - jmp 3A21D60CE0B
3A21D60CDF9: 48 B8 64 2C 19 D4 F6 7F 00 00  - mov rax,00007FF6D4192C64
3A21D60CE03: FF D0                          - call rax
3A21D60CE05: 85 C0                          - test eax,eax
3A21D60CE07: 75 DA                          - jne 3A21D60CDE3
3A21D60CE09: 31 C0                          - xor eax,eax
3A21D60CE0B: 48 83 C4 40                    - add rsp,40
3A21D60CE0F: 5E                             - pop rsi
}

By manually changing those two lines of code the script works perfectly (that means searching for the value all over again or using AOB scan). Is there a way to make those values change automatically? Or is there a way to ignore those two lines of code without crashing the game?

Thx

imjustmaxie
Table Makers
Posts: 167
Joined: Mon Aug 06, 2018 6:00 pm
Reputation: 153

Re: Values in "Code" that change at each restart

Post by imjustmaxie »

SilverRabbit90 wrote:
Thu Oct 05, 2023 10:49 pm
In this script when I restart the game there are values in "Code" that change every time the game is restarted.

I tried removing the two lines of code, which change at every restart, but the game crashes.

jmp 2B9032EB0A7
mov rax,00007FF6D4192C64

By manually changing those two lines of code the script works perfectly (that means searching for the value all over again or using AOB scan). Is there a way to make those values change automatically? Or is there a way to ignore those two lines of code without crashing the game?

Thx
The reason it is crashing is that the memory location is not the same on every load.
The best possible way to solve it is to store a backup of the current AoB, use reassemble() on those two lines and restore the whole thing on disable.

Code:

// readmem() : reads the memory location with exact bytes
// reassemble() : reads the memory location while adjusting the correct RIP

[ENABLE]

aobscanregion(StorageItemQuantityListA,10000000000,40000000000,48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 ?? ?? ?? 0? 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 ?4 ?? ?? ?? F? 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E 5D 5B C3 00 53 55 56 57 41 54 41 55 41 56 41 57 48 83 EC 68) // should be unique
                                                               //48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 89 9A 99 02 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 24 32 35 0B F7 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E
                                                               //48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 4B D7 C3 01 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 64 34 16 D4 F6 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E 5D 5B C3 00 53 55 56 57 41 54 41 55 41 56 41 57 48 83 EC 68
alloc(newmem,$1000)

label(code)
label(return)
label(bkpStorageItemQuantityListA)
label(seeCurStorItQuanV1)

registersymbol(StorageItemQuantityListA)
registersymbol(bkpStorageItemQuantityListA)
registersymbol(seeCurStorItQuanV1)

newmem:

  push rbx
  lea rbx,[rax+rbp+10]
  mov [seeCurStorItQuanV1],rbx
  pop rbx

  code:  // Indented the label because 'code' is inside 'newmem'
  // The AoB symbol points at the start of the function; the injection point
  // is StorageItemQuantityListA+2E, so every offset below is relative to +2E.
  readmem(StorageItemQuantityListA+2E,A)
  {mov eax,[rax+rbp+10]   // 8B 44 28 10  (4 bytes)
  mov [rbx],rax           // 48 89 03     (3 bytes)
  mov rax,rsi}            // 48 89 F0     (3 bytes)  -> A bytes, none of them RIP-relative
  reassemble(StorageItemQuantityListA+38)
  //jmp 2B9032EB0A7             EB 12 is a short relative jmp: re-encoded for its new location
  reassemble(StorageItemQuantityListA+3A)
  //mov rax,00007FF6D4192C64    absolute imm64: read from the current run instead of hardcoded

  jmp return

  align 10,CC  // alignment

  bkpStorageItemQuantityListA:
  readmem(StorageItemQuantityListA+2E,16)   // the 22 (0x16) bytes that 'jmp far' (14) + 'nop 8' overwrite

  align 10,CC // alignment

  seeCurStorItQuanV1:
  dq 0

StorageItemQuantityListA+2E:
  jmp far newmem
  nop 8
return:


[DISABLE]

StorageItemQuantityListA+2E:
  readmem(bkpStorageItemQuantityListA,16)   // put the original 22 bytes back
  //db 8B 44 28 10 48 89 03 48 89 F0 EB 12 48 B8 ...

unregistersymbol(*)
dealloc(*)

Paul44
Table Makers
Posts: 640
Joined: Thu Jul 27, 2017 9:02 am
Reputation: 384

Re: Values in "Code" that change at each restart

Post by Paul44 »

@SilverRabbit90: first and foremost, you are in the wrong section; this topic is about Tutorials. Unfortunately, others have started doing this as well (and #admin should move these to their proper section)...

that said: I noticed the 'jump far' instruction. If you can create a standard injection, then use a 'trampoline' (see my tutorial - yep - a bit lower in the list).
Or: find a pointer(chain) to the address you want to collect, and hopefully some related opcode solves that problem.
Tip: I tend to build a pointerscan, have it "cleaned out" over some days, and then 'F5' their origin addresses (iow I'm hoping to find some hardcoded addresses this way...)
ps: no experience whatsoever with these emulators.
ps2: a good/practical example: [ viewtopic.php?t=22204 ] (COD Advanced Warfare)
it is a small table, but uses several trampolines; thus giving you a good idea on how to approach this. Need some assistance, then just pm me.
