
aobscanmodule or any scan fails after enabling/disabling a script

Posted: Tue Jan 08, 2019 6:44 pm
by SunBeam
Hi there.

Stumbled across a quirky situation the other day, while using a script in Strange Brigade. The below is my script:

Code:

[ENABLE]

aobscanmodule( GetBaseStuff, StrangeBrigade_DX12.exe, F64439??010F85????????803D????????000F85????????4885FF0F84????????486348??0F2F7C39 )
registersymbol( GetBaseStuff )
label( GetBaseStuff_o )
registersymbol( GetBaseStuff_o )
alloc( Hook, 0x1000, StrangeBrigade_DX12.exe )
label( pEntity )
registersymbol( pEntity )
label( dwEntityId )
registersymbol( dwEntityId )
label( pActor )
registersymbol( pActor )

Hook:
push rax
mov [pEntity],rdi
mov [dwEntityId],edx
mov rax,[rdi+8B0]
mov [pActor],rax
pop rax
GetBaseStuff_o:
readmem( GetBaseStuff, 5 )
jmp GetBaseStuff+5

pEntity:
dq 0
dwEntityId:
dd 0
pActor:
dq 0

GetBaseStuff:
jmp Hook

[DISABLE]

GetBaseStuff:
readmem( GetBaseStuff_o, 5 )

unregistersymbol( pActor )
unregistersymbol( dwEntityId )
unregistersymbol( pEntity )
dealloc( Hook )
unregistersymbol( GetBaseStuff_o )
unregistersymbol( GetBaseStuff )
The script itself works wonders. However, if you disable it and then re-enable it, you'll find that it doesn't work anymore. Additionally, searching for the array of bytes separately in CE's GUI returns 0 results. I did some trial & error after talking to Dark Byte and found that the following is occurring:
  • before the script is enabled, the memory at the hook location looks like this:
[screenshot]
  • notice the address at which the array starts -> 14B2CBFF3; notice the protection -> Protect:Execute/Write Copy
  • once you enable the script, this happens:
[screenshot]
  • notice how the protection changes to -> Protect:Execute/Read/Write
  • if you now click on the C2 byte and scroll the window, you'll find that past our write, the rest remains at Protect:Execute/Write Copy
  • also notice how the C2 byte is now part of a 00-aligned address, starting a new memory block -> 14B2CC000
[screenshot]
  • if you now disable the script, which restores the 5 hooked bytes, this happens:
[screenshot]
  • CE restores the bytes, but it doesn't restore the protection; considering that the array of bytes we search for spans the end of one memory block and the start of another, any type of scan will now fail
[screenshot]

The solution is to force CE to copy more bytes via readmem so that the write includes at least 1 byte from the next block of memory (that C2 byte + 1). So I chose this:

[screenshot]

And now the script looks like this:

Code:

[ENABLE]

aobscanmodule( GetBaseStuff, StrangeBrigade_DX12.exe, F64439??010F85????????803D????????000F85????????4885FF0F84????????486348??0F2F7C39 )
registersymbol( GetBaseStuff )
label( GetBaseStuff_o )
registersymbol( GetBaseStuff_o )
alloc( Hook, 0x1000, StrangeBrigade_DX12.exe )
label( pEntity )
registersymbol( pEntity )
label( dwEntityId )
registersymbol( dwEntityId )
label( pActor )
registersymbol( pActor )

label( GetBaseStuff_ext )
registersymbol( GetBaseStuff_ext )

Hook:
push rax
mov [pEntity],rdi
mov [dwEntityId],edx
mov rax,[rdi+8B0]
mov [pActor],rax
pop rax
GetBaseStuff_o:
readmem( GetBaseStuff, 5 )
jmp GetBaseStuff+5
GetBaseStuff_ext:
readmem( GetBaseStuff, 15 )

pEntity:
dq 0
dwEntityId:
dd 0
pActor:
dq 0

GetBaseStuff:
jmp Hook

[DISABLE]

GetBaseStuff:
//readmem( GetBaseStuff_o, 5 )
readmem( GetBaseStuff_ext, 15 )

unregistersymbol( GetBaseStuff_ext )

unregistersymbol( pActor )
unregistersymbol( dwEntityId )
unregistersymbol( pEntity )
dealloc( Hook )
unregistersymbol( GetBaseStuff_o )
unregistersymbol( GetBaseStuff )
Having done this, both sections will now be restored to their original Protect:Execute/Write Copy when you disable the script.

Hope this helps those lucky enough to trip over this :P

Best regards,
Sun
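The failure described above generalises beyond this one hook: any pattern scanner that walks memory region by region (the way a VirtualQuery loop reports it) cannot match bytes that straddle two regions, and the protection split after the hook write is exactly what turns one region into two. The following is an added example, not code from the post or from Cheat Engine: a small model of two scanners, a naive per-region one and one that merges contiguous regions before searching, run over a constructed two-page image that mirrors the post's screenshots (hook at 0x14B2CBFF3, page boundary at 0x14B2CC000, same AOB). The bytes at the wildcard positions, the filler bytes and the region states are constructed assumptions; the `bytes_to_reach_next_page` helper expresses the post's "C2 + 1" rule for sizing the restore write.

```python
"""Added example: why a per-region AOB scan misses a pattern split across two
memory regions, and a scanner that does not. Addresses and bytes are
constructed to mirror the post's screenshots, not captured from the game."""
from dataclasses import dataclass
from typing import List, Optional

PAGE = 0x1000
AOB = ("F64439??010F85????????803D????????000F85????????"
       "4885FF0F84????????486348??0F2F7C39")
HOOK_ADDR = 0x14B2CBFF3                    # address from the post's screenshot
PAGE1 = HOOK_ADDR & ~(PAGE - 1)            # 0x14B2CB000, the page holding the hook


@dataclass
class Region:
    """One entry as a VirtualQuery-style walk would report it."""
    base: int
    protect: str
    data: bytes

    @property
    def end(self) -> int:
        return self.base + len(self.data)


def parse_aob(aob: str) -> List[Optional[int]]:
    """'F644??01' -> [0xF6, 0x44, None, 0x01]; '??' is a wildcard byte."""
    aob = aob.replace(" ", "")
    return [None if aob[i:i + 2] == "??" else int(aob[i:i + 2], 16)
            for i in range(0, len(aob), 2)]


def find_in(buf: bytes, pat: List[Optional[int]]) -> int:
    """Offset of the first wildcard-aware match in buf, or -1."""
    for i in range(len(buf) - len(pat) + 1):
        if all(p is None or buf[i + j] == p for j, p in enumerate(pat)):
            return i
    return -1


def scan_per_region(regions: List[Region], aob: str) -> Optional[int]:
    """Naive scanner: each region is searched in isolation, so a match whose
    bytes are split across two regions can never be found."""
    pat = parse_aob(aob)
    for r in regions:
        i = find_in(r.data, pat)
        if i >= 0:
            return r.base + i
    return None


def merge_contiguous(regions: List[Region]) -> List[Region]:
    """Join regions that are adjacent in the address space even when their
    protection flags differ; a scan only needs readability, not equal flags."""
    merged: List[Region] = []
    for r in sorted(regions, key=lambda x: x.base):
        if merged and merged[-1].end == r.base:
            last = merged[-1]
            merged[-1] = Region(last.base, f"{last.protect}|{r.protect}",
                                last.data + r.data)
        else:
            merged.append(r)
    return merged


def scan_merged(regions: List[Region], aob: str) -> Optional[int]:
    """Boundary-safe scanner: merge first, then search."""
    return scan_per_region(merge_contiguous(regions), aob)


def bytes_to_reach_next_page(addr: int) -> int:
    """Smallest write length at addr that puts at least one byte into the
    following page (the post's 'C2 + 1' rule for sizing the restore write)."""
    return PAGE - (addr & (PAGE - 1)) + 1


def build_memory(state: str) -> List[Region]:
    """Constructed two-page image around the hook (assumption, not a dump).
    'clean'    - original bytes, one Execute/Write Copy region
    'hooked'   - 5-byte jmp written, first page now Execute/Read/Write
    'restored' - original bytes back, but the protection split remains"""
    concrete = bytes(0xC2 if p is None else p for p in parse_aob(AOB))  # wildcards filled arbitrarily
    image = bytearray(b"\xCC" * (2 * PAGE))                              # int3 filler
    off = HOOK_ADDR - PAGE1                                              # 0xFF3, 13 bytes before the boundary
    image[off:off + len(concrete)] = concrete
    if state == "hooked":
        image[off:off + 5] = b"\xE9\x00\x00\x00\x00"   # jmp rel32; target is irrelevant here
    p1, p2 = bytes(image[:PAGE]), bytes(image[PAGE:])
    if state == "clean":
        return [Region(PAGE1, "Execute/Write Copy", p1 + p2)]
    return [Region(PAGE1, "Execute/Read/Write", p1),
            Region(PAGE1 + PAGE, "Execute/Write Copy", p2)]
```

In the "restored" state the bytes are back to the original, yet the naive scanner returns nothing because only 13 of the 41 pattern bytes sit in the first region; merging the two regions finds the hook address again. `bytes_to_reach_next_page(0x14B2CBFF3)` is 14, which is why a 5-byte restore write leaves the second page untouched while the post's 15-byte readmem reaches it.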

Re: aobscanmodule or any scan fails after enabling/disabling a script

Posted: Wed Jan 09, 2019 1:18 am
by aanpsx
Can you give me some insight into how to specify "#" as in:
alloc (SomeName, #), globalalloc (SomeName, #), or readmem (SomeName, #) ???
Will a higher value make the script better, or vice versa ??

Because all this time I have only been guessing..

Re: aobscanmodule or any scan fails after enabling/disabling a script

Posted: Wed Jan 09, 2019 5:09 pm
by SunBeam
I believe CE by default allocates 0x1000 (4096 bytes); try it yourself :P alloc(game.exe, 1) == alloc(game.exe, 0x1000). As for the amount to allocate, that depends on what you want to use the space for and how much you need. It's not a guessing game if you assign a sufficiently large amount (that's why the default's 1MB).

Re: aobscanmodule or any scan fails after enabling/disabling a script

Posted: Wed Jan 09, 2019 7:59 pm
by Eric

Code:

alloc(var1,4)
alloc(var2,8)
alloc(mycode,256)
still allocates 4096 bytes

Re: aobscanmodule or any scan fails after enabling/disabling a script

Posted: Wed Jan 09, 2019 8:54 pm
by aanpsx
SunBeam wrote:
Wed Jan 09, 2019 5:09 pm
I believe CE by default allocates 0x1000 (4096 bytes); try it yourself :P alloc(game.exe, 1) == alloc(game.exe, 0x1000). As for the amount to allocate, that depends on what you want to use the space for and how much you need. It's not a guessing game if you assign a sufficiently large amount (that's why the default's 1MB).
I get it..
Thanks for answering SB,
I really appreciate it...