z The Last Stand: Aftermath
Posted: Wed Nov 17, 2021 6:11 am
by Zanzer
Unlimited Armory
Unlimited Fuel
Unlimited Throwables
Full Ammo Clip
Full Durability
No Health Penalty
No Stamina Penalty
Stop Infection
Unlimited Stamina When Running
Unlimited Stamina When Attacking
Show Hidden Objects/Traps
Can Always Interact
Always Within Interact Range
Craft For Free
Inventory Mouseover
Weapon Mouseover
- Quantity
- Durability
- Clip Count
Experience Multiplier (new)
Game State Pointers
- Knowledge
- Supplies
Re: z The Last Stand: Aftermath
Posted: Wed Nov 17, 2021 6:49 am
by toydefenser
Nice, thanks.

Re: z The Last Stand: Aftermath
Posted: Wed Nov 17, 2021 9:24 am
by Send
I added a few of your options to my existing table, if you don't mind. Let me know and I'll remove them if you'd like. Credits given in table and thread.
viewtopic.php?f=4&t=18221&p=220899#p220899
Re: z The Last Stand: Aftermath
Posted: Thu Nov 25, 2021 2:51 pm
by tfigment
Zanzer wrote: ↑Wed Nov 17, 2021 6:11 am
...
Inventory Mouseover
...
Learned new stuff like the reassemble command from this table. Anyway, running into crashes with your table.
The root cause is something I've started seeing a lot on my machine. Basically the jmp becomes a 14-byte 64-bit jmp instruction instead of a 5-byte 32-bit jmp instruction and mangles the assembly.
I assume this is a known issue in general, but not sure if there is a reliable workaround. The last time I encountered this I ended up having to assume the 14-byte version and include a lot of nops and related protection to deal with either case.
Not expecting a solution as I will figure it out myself. But would love to see a simple, reliable workaround that is fairly generic.
This is "Inventory Mouseover". GameAssembly.dll is at 1429D1A0000, inventoryPtr is at 14352DE0000
Code:
GameAssembly.dll+6FBE5D - C6 05 930BBC03 01 - mov byte ptr [GameAssembly.dll+42BC9F7],01 { (1),1 }
GameAssembly.dll+6FBE64 - 48 85 FF - test rdi,rdi
// ---------- INJECTING HERE ----------
GameAssembly.dll+6FBE67 - 0F84 DE010000 - je GameAssembly.dll+6FC04B
GameAssembly.dll+6FBE6D - 83 7F 20 01 - cmp dword ptr [rdi+20],01 { 1 }
GameAssembly.dll+6FBE71 - 0F8E 4A010000 - jng GameAssembly.dll+6FBFC1
// ---------- DONE INJECTING ----------
GameAssembly.dll+6FBE77 - 48 8B B3 B8000000 - mov rsi,[rbx+000000B8]
GameAssembly.dll+6FBE7E - 48 85 F6 - test rsi,rsi
GameAssembly.dll+6FBE81 - 0F84 1C020000 - je GameAssembly.dll+6FC0A3
GameAssembly.dll+6FBE87 - 48 8B 05 C211BD03 - mov rax,[GameAssembly.dll+42CD050] { (7FFC5F19D3B0) }
becomes
Code:
GameAssembly.dll+6FBE5D - C6 05 930BBC03 01 - mov byte ptr [GameAssembly.dll+42BC9F7],01 { (1),1 }
GameAssembly.dll+6FBE64 - 48 85 FF - test rdi,rdi
inventory - FF25 00000000 0000DE5243010000 - jmp inventoryBkp
GameAssembly.dll+6FBE75 - 90 - nop
// ---------- Misalignment here ----------
GameAssembly.dll+6FBE76 - 00 48 8B - add [rax-75],cl
GameAssembly.dll+6FBE79 - B3 B8 - mov bl,-48 { 184 }
GameAssembly.dll+6FBE7B - 00 00 - add [rax],al
GameAssembly.dll+6FBE7D - 00 48 85 - add [rax-7B],cl
GameAssembly.dll+6FBE80 - F6 - db -0A
GameAssembly.dll+6FBE81 - 0F84 1C020000 - je GameAssembly.dll+6FC0A3
Here is my alternative version using a different point later in the function with 16 bytes open. It would be nice if reassemble could take a size, reassemble what it can within that size and then pad with nops or something, instead of picking individual instructions. But then again readmem is sufficient here.
Code:
[ENABLE]
aobscanmodule(inventory,GameAssembly.dll,48 8B B3 C8 00 00 00 33 D2 48 8B 8B E8 00 00 00)
alloc(inventoryBkp,$100,inventory)
label(return)
label(inventoryPtr)
inventoryBkp:
readmem(inventory, 16)
mov [inventoryPtr],rdi
jmp return
align 8
inventoryPtr:
dq 0
inventory:
nop 5 // 32 bit jmp align
nop 9 // 64 bit jmp align if needed
nop 2
return:
inventory:
jmp inventoryBkp
registersymbol(inventory)
registersymbol(inventoryBkp)
registersymbol(inventoryPtr)
[DISABLE]
inventory:
readmem(inventoryBkp, 16)
unregistersymbol(inventory)
unregistersymbol(inventoryBkp)
unregistersymbol(inventoryPtr)
dealloc(inventoryBkp)
Re: z The Last Stand: Aftermath
Posted: Thu Nov 25, 2021 3:52 pm
by Zanzer
Yea, I don't believe CE has something automatic to assist with this. If these long jumps seem to be occurring a lot, you may just need to write your scripts to always assume it will need to reserve 15 bytes. It happens when CE can't find an empty block of code near your target injection. It's possible that reducing the alloc() size will help it find a better code cave. Instead of $1000, pick a much smaller number that reflects your actual needed space. Although, it probably always reserves a chunk of bytes and doesn't necessarily honor your requested size.
But, for something like this scenario, if you always assume it will require 15 bytes, you could do something like below. Note you don't have to NOP as long as you tell the code where to JMP properly. The disassembler view may look bad, but the code itself doesn't care when running.
Code:
[ENABLE]
aobscanmodule(inventory,GameAssembly.dll,0F 84 ?? ?? ?? ?? 83 7F ?? 01 0F 8E)
alloc(inventoryBkp,$1000,inventory)
label(inventoryPtr)
inventoryBkp:
reassemble(inventory+00)
reassemble(inventory+06)
reassemble(inventory+0A)
mov rcx,inventoryPtr
mov [rcx],rdi
jmp inventory+10
align 8
inventoryPtr:
dq 0
inventory:
jmp inventoryBkp
registersymbol(inventory)
registersymbol(inventoryBkp)
registersymbol(inventoryPtr)
[DISABLE]
inventory:
reassemble(inventoryBkp+00)
reassemble(inventoryBkp+06)
reassemble(inventoryBkp+0A)
unregistersymbol(inventory)
unregistersymbol(inventoryBkp)
unregistersymbol(inventoryPtr)
dealloc(inventoryBkp)
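The two posts above both come down to the same arithmetic: CE emits a 5-byte E9 jmp when the cave is within 2 GiB of the hook and a 14-byte FF 25 jmp otherwise, and the bytes overwritten must end on an instruction boundary. The Python below is an added example (not code from the thread or from Cheat Engine) that encodes and decodes both forms and plans the stolen bytes; the hook address GameAssembly.dll+6FBE67 (module at 1429D1A0000), the cave address 14352DE0000 and the instruction bytes are copied from tfigment's listing.

```python
import struct

# Instruction bytes at the injection point in tfigment's listing
# (GameAssembly.dll+6FBE67 onward), copied from the thread.
INSTRS = [
    ("je  GameAssembly.dll+6FC04B", bytes.fromhex("0F84DE010000")),
    ("cmp dword ptr [rdi+20],01",   bytes.fromhex("837F2001")),
    ("jng GameAssembly.dll+6FBFC1", bytes.fromhex("0F8E4A010000")),
    ("mov rsi,[rbx+000000B8]",      bytes.fromhex("488BB3B8000000")),
]

def encode_jmp(src: int, dst: int) -> bytes:
    """The jmp that must be written at src to reach dst: E9 rel32 (5 bytes)
    when dst lies within +-2 GiB, otherwise FF 25 [rip+0] followed by the
    8-byte absolute address (14 bytes), the form seen in the listing."""
    rel = dst - (src + 5)
    if -0x80000000 <= rel <= 0x7FFFFFFF:
        return b"\xE9" + struct.pack("<i", rel)
    return b"\xFF\x25\x00\x00\x00\x00" + struct.pack("<Q", dst)

def decode_jmp(code: bytes, src: int):
    """Classify a jmp at address src, as an inline-hook scanner would:
    ("rel32", target, 5), ("abs64", target, 14) or None."""
    if len(code) >= 5 and code[0] == 0xE9:
        return "rel32", src + 5 + struct.unpack_from("<i", code, 1)[0], 5
    if len(code) >= 14 and code[:6] == b"\xFF\x25\x00\x00\x00\x00":
        return "abs64", struct.unpack_from("<Q", code, 6)[0], 14
    return None

def boundaries(instrs) -> list:
    """Offsets at which an original instruction starts (plus the final end)."""
    offs, pos = [0], 0
    for _, raw in instrs:
        pos += len(raw)
        offs.append(pos)
    return offs

def plan_hook(instrs, jmp_len: int):
    """(bytes to relocate, nop padding) for a jmp of jmp_len bytes: the first
    instruction boundary at or past the jmp, so the return jmp lands on a
    whole instruction rather than inside one (the misalignment above)."""
    for off in boundaries(instrs):
        if off >= jmp_len:
            return off, off - jmp_len
    raise ValueError("not enough instructions listed to cover the jmp")

def is_boundary(instrs, offset: int) -> bool:
    """True if resuming at hook+offset starts on an instruction boundary."""
    return offset in boundaries(instrs)
```

With the thread's addresses the cave is about 3 GB from the hook, so encode_jmp returns the 14-byte form and plan_hook reports 16 bytes to relocate with 2 nops, which is exactly the +00/+06/+0A reassemble and jmp inventory+10 layout used above; a 15-byte reservation is not a boundary.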
Re: z The Last Stand: Aftermath
Posted: Thu Nov 25, 2021 3:58 pm
by tfigment
Zanzer wrote: ↑Thu Nov 25, 2021 3:52 pm
Thanks. This was my assumption. Even a smaller block does not always work. I edited my post with my approach here. Mentally easier in this case. Would be nice if reassemble could do more than one instruction and do a range, but it's all doable manually.
Re: z The Last Stand: Aftermath
Posted: Thu Sep 19, 2024 6:42 pm
by litrpg
Zanzer wrote: ↑Wed Nov 17, 2021 6:11 am
Unlimited Armory
Unlimited Fuel
Unlimited Throwables
Full Ammo Clip
Full Durability
No Health Penalty
No Stamina Penalty
Stop Infection
Unlimited Stamina When Running
Unlimited Stamina When Attacking
Show Hidden Objects/Traps
Can Always Interact
Always Within Interact Range
Craft For Free
Inventory Mouseover
Weapon Mouseover
- Quantity
- Durability
- Clip Count
Experience Multiplier (new)
Game State Pointers
- Knowledge
- Supplies
Do you mind updating this for the Epic Games Free Game of the Week?