Stumbled across a quirky situation the other day, while using a script in Strange Brigade. Below is my script:
```
[ENABLE]
// locate the hooked instruction by signature (starts at 14B2CBFF3 in the screenshots below)
aobscanmodule( GetBaseStuff, StrangeBrigade_DX12.exe, F64439??010F85????????803D????????000F85????????4885FF0F84????????486348??0F2F7C39 )
registersymbol( GetBaseStuff )
label( GetBaseStuff_o )
registersymbol( GetBaseStuff_o )
// code cave allocated near the module so the 5-byte jmp can reach it
alloc( Hook, 0x1000, StrangeBrigade_DX12.exe )
label( pEntity )
registersymbol( pEntity )
label( dwEntityId )
registersymbol( dwEntityId )
label( pActor )
registersymbol( pActor )
Hook:
push rax
mov [pEntity],rdi
mov [dwEntityId],edx
mov rax,[rdi+8B0]
mov [pActor],rax
pop rax
GetBaseStuff_o:
// copy of the 5 original bytes, executed here before returning past the jmp
readmem( GetBaseStuff, 5 )
jmp GetBaseStuff+5
pEntity:
dq 0
dwEntityId:
dd 0
pActor:
dq 0
GetBaseStuff:
jmp Hook
[DISABLE]
GetBaseStuff:
// write the saved 5 bytes back over the jmp
readmem( GetBaseStuff_o, 5 )
unregistersymbol( pActor )
unregistersymbol( dwEntityId )
unregistersymbol( pEntity )
dealloc( Hook )
unregistersymbol( GetBaseStuff_o )
unregistersymbol( GetBaseStuff )
```
- before the script is enabled, the memory at the hook location looks like this:
![Image](https://i.imgur.com/pi5onPm.png)
- notice the address at which the array starts -> 14B2CBFF3; notice the protection -> Protect:Execute/Write Copy
- once you enable the script this happens:
![Image](https://i.imgur.com/mWgXe7I.png)
- notice how protection changes to -> Protect:Execute/Read/Write
- if you now click on the C2 byte and scroll the window, you'll find that past our write, the rest remains at Protect:Execute/Write Copy
- also notice how the C2 byte is now part of a 00-aligned address, starting a new memory block -> 14B2CC000
![Image](https://i.imgur.com/Nk6XhgH.png)
- if you now disable the script, which restores the 5 hooked bytes back, this happens:
![Image](https://i.imgur.com/OL6NSA4.png)
- CE restores the bytes, but it doesn't restore the protection; considering the array of bytes we search for spans across the end of one memory block and the start of another memory block, any type of scan will now fail
![Image](https://i.imgur.com/Veyh82z.png)
The solution is to force CE to copy more bytes via readmem to include at least 1 byte from the next block of memory (that C2 +1). So I chose this:
![Image](https://i.imgur.com/LeZyHOB.png)
And now the script looks like this:
```
[ENABLE]
aobscanmodule( GetBaseStuff, StrangeBrigade_DX12.exe, F64439??010F85????????803D????????000F85????????4885FF0F84????????486348??0F2F7C39 )
registersymbol( GetBaseStuff )
label( GetBaseStuff_o )
registersymbol( GetBaseStuff_o )
alloc( Hook, 0x1000, StrangeBrigade_DX12.exe )
label( pEntity )
registersymbol( pEntity )
label( dwEntityId )
registersymbol( dwEntityId )
label( pActor )
registersymbol( pActor )
// extended backup: 15 original bytes, enough to reach into the next memory block
label( GetBaseStuff_ext )
registersymbol( GetBaseStuff_ext )
Hook:
push rax
mov [pEntity],rdi
mov [dwEntityId],edx
mov rax,[rdi+8B0]
mov [pActor],rax
pop rax
GetBaseStuff_o:
// copy of the 5 original bytes, executed here before returning past the jmp
readmem( GetBaseStuff, 5 )
jmp GetBaseStuff+5
GetBaseStuff_ext:
readmem( GetBaseStuff, 15 )
pEntity:
dq 0
dwEntityId:
dd 0
pActor:
dq 0
GetBaseStuff:
jmp Hook
[DISABLE]
GetBaseStuff:
//readmem( GetBaseStuff_o, 5 )
// restore 15 bytes so the write also touches the block starting at 14B2CC000
readmem( GetBaseStuff_ext, 15 )
unregistersymbol( GetBaseStuff_ext )
unregistersymbol( pActor )
unregistersymbol( dwEntityId )
unregistersymbol( pEntity )
dealloc( Hook )
unregistersymbol( GetBaseStuff_o )
unregistersymbol( GetBaseStuff )
```
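To make the failure mode above reproducible without the game, here is an added Python model (not code from the post or from Cheat Engine): two 0x1000-byte pages, the post's AOB placed 13 bytes before the page boundary, a write that turns every page it touches from Execute/WriteCopy into a private Execute/Read/Write copy, and a scanner that walks regions grouped by protection. The page size, the 0x90 filler, the 0xC2 wildcard fill and the `HIT` offset are constructed assumptions standing in for the addresses in the screenshots.

```python
# Constructed model of the post's situation: two pages, one AOB instance straddling
# the boundary (as 14B2CBFF3 sits 13 bytes before 14B2CC000).
PAGE = 0x1000
AOB = "F64439??010F85????????803D????????000F85????????4885FF0F84????????486348??0F2F7C39"
HIT = PAGE - 13  # constructed offset standing in for 14B2CBFF3

def parse_aob(aob):
    """Split a Cheat Engine style AOB into ints, with None for a '??' wildcard."""
    return [None if aob[i:i + 2] == "??" else int(aob[i:i + 2], 16) for i in range(0, len(aob), 2)]

def find_all(buf, pat):
    """Every offset in buf where the wildcard pattern matches."""
    return [i for i in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[i + j] == p for j, p in enumerate(pat))]

def make_memory(pat):
    """Two pages of 0x90 filler with one pattern instance written at HIT (constructed)."""
    mem = bytearray(b"\x90" * (2 * PAGE))
    mem[HIT:HIT + len(pat)] = bytes(0xC2 if p is None else p for p in pat)
    return mem

def page_protections(writes):
    """Per-page protection after CE writes: an untouched page keeps Execute/WriteCopy,
    a written page becomes a private Execute/Read/Write copy (as in the screenshots)."""
    prot = ["Execute/WriteCopy"] * 2
    for addr, size in writes:
        for page in range(addr // PAGE, (addr + size - 1) // PAGE + 1):
            prot[page] = "Execute/Read/Write"
    return prot

def regions(prot):
    """Merge neighbouring pages with equal protection into (base, size, protection)."""
    out = []
    for i, p in enumerate(prot):
        if out and out[-1][2] == p:
            out[-1] = (out[-1][0], out[-1][1] + PAGE, p)
        else:
            out.append((i * PAGE, PAGE, p))
    return out

def scan_per_region(mem, regs, pat):
    """Scan each region on its own: a match crossing a region edge is never seen."""
    return [b + i for b, s, _ in regs for i in find_all(mem[b:b + s], pat)]

def scan_with_overlap(mem, regs, pat):
    """Scanner-side fix: read len(pat)-1 extra bytes past each region before matching."""
    return [b + i for b, s, _ in regs for i in find_all(mem[b:b + s + len(pat) - 1], pat) if i < s]

def demo():
    pat = parse_aob(AOB)
    mem = make_memory(pat)
    return {
        "before": scan_per_region(mem, regions(page_protections([])), pat),
        "restore_5": scan_per_region(mem, regions(page_protections([(HIT, 5)])), pat),    # post's problem
        "restore_15": scan_per_region(mem, regions(page_protections([(HIT, 15)])), pat),  # post's fix
        "overlap": scan_with_overlap(mem, regions(page_protections([(HIT, 5)])), pat),
    }
```

`demo()` returns the hit at `HIT` before any write and after the 15-byte restore, an empty list after the 5-byte restore, and the hit again when the scanner itself overlaps region edges, which is the more robust fix on the scanner side.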
Hope this helps those lucky enough to trip over this. :P
Best regards,
Sun