Posted: Fri May 24, 2019 7:09 am Post subject: Cannot figure out why this crashes: AOB scan + Lua function call
can be enabled / disabled multiple times
triggers once,
displays "(GUN) CRIT !! Gun Crit Multiplier was = correct value "
then the game crashes (I added an xmm register save and restore, which fixed a similar situation before ... it still crashes the same way)
{ Game : BorderlandsPreSequel.exe
Version:
Date : 2019-05-24
Author : adminlocal

Hooks the 8-byte read  movss xmm0,[eax+00000CB4]  (original code is listed
at the bottom). The trampoline copies the float at eax+CB4 and the eax
pointer into logCritParams, calls the CE-side Lua function signalCrits
through the luaclient export CELUA_ExecuteFunction so the multiplier gets
printed, restores what it saved, executes the original instruction and
jumps back.

NOTE(review): the most likely crash cause is that ecx is not preserved.
The original code tests ecx right after the injection point (+AFF94B),
and under every 32-bit calling convention eax, ecx and edx are caller-saved,
so the DLL call may return with ecx destroyed. ebx and ebp, which are pushed
here, are callee-saved and would have survived the call anyway; ecx (and
edx, to be safe) are the registers that need the push/pop.
}
loadlibrary(luaclient-i386.dll)          // client half of the CE Lua-server bridge (32-bit build for a 32-bit target)
luacall(openLuaServer('CELUASERVER'))    // CE side: start the named Lua server the client will talk to
CELUA_ServerName:                        // server name string; presumably read by luaclient when it connects - TODO confirm
db 'CELUASERVER',0
[ENABLE]
{$lua}
-- Runs in the CE Lua engine when the script is enabled.
print("Gun Crit Signaling Damage log Enabled:");
-- Invoked from the hook through CELUA_ExecuteFunction. params is the pointer
-- pushed as the second argument (logCritParams): offset 0 holds the raw float
-- bits the hooked movss was about to load, offset 0x100 the entity pointer in
-- eax (unused here). The hooked game thread presumably blocks until this
-- returns, so keep it cheap.
function signalCrits(params)
local GunCritMul = readFloat(params);  -- float at logCritParams+0
print(string.format(" (GUN) CRIT !! Gun Crit Multiplier was = %12.3f ", GunCritMul));
end
{$asm}
aobscanmodule(ReadCritMultiplier,BorderlandsPreSequel.exe,F3 0F 10 80 B4 0C 00 00) // should be unique
alloc(newmem,$1000)
alloc(LUA_Crit,$1000)
alloc(logCritParams,$1000) // some memory space to pass parameters to lua function
alloc(XMMbackup, 50)       // NOTE(review): auto-assembler literals are hex, so this requests 0x50 (80) bytes, but the six 16-byte slots used below run to +60 (96 bytes); the xmm5 slot lies past the requested size. CE hands out whole pages, so it probably does not fault, but 60 is the correct size
registersymbol(XMMbackup)
label(code)
label(return)
LUA_Crit:
db 'signalCrits(parameter)',0            // Lua source luaclient executes; parameter is presumably bound to the pointer pushed as arg 2
newmem:
// Save xmm0-xmm5: xmm registers are caller-saved under 32-bit conventions, so the DLL call may clobber them.
// Each slot is one dqword (16 bytes), hence the +10 hex stride.
movdqu dqword [XMMbackup],xmm0
movdqu dqword [XMMbackup+10],xmm1
movdqu dqword [XMMbackup+20],xmm2
movdqu dqword [XMMbackup+30],xmm3
movdqu dqword [XMMbackup+40],xmm4
movdqu dqword [XMMbackup+50],xmm5
push ebx                                 // ebx and ebp are callee-saved; these two pushes are belt and braces
push eax                                 // eax is caller-saved and live: the original instruction at code: reads [eax+CB4]
push ebp
// NOTE(review): ecx is not saved, yet the original code does test ecx,ecx right after the
// injection point (+AFF94B). A push ecx (and push edx) here with matching pops after the
// call is the probable fix for the crash.
mov ebx, [eax+00000CB4]                  // raw float bits the hooked movss is about to load
mov [logCritParams], ebx                 // read back as a float by signalCrits via readFloat
mov [logCritParams+100], eax             // offset 0x100: pointer to the entity data structure
push logCritParams                       // arg 2: parameter pointer handed to the Lua side
push LUA_Crit                            // arg 1: Lua source to execute
call CELUA_ExecuteFunction               // no esp fixup afterwards, so this assumes the export is stdcall (callee pops both dword args)
pop ebp
pop eax
pop ebx
movdqu xmm5,dqword [XMMbackup+50]        // restore in reverse order
movdqu xmm4,dqword [XMMbackup+40]
movdqu xmm3,dqword [XMMbackup+30]
movdqu xmm2,dqword [XMMbackup+20]
movdqu xmm1,dqword [XMMbackup+10]
movdqu xmm0,dqword [XMMbackup]           // xmm0 is rewritten by the original instruction anyway
code:
movss xmm0,[eax+00000CB4]                // the replaced 8-byte instruction, executed once registers are back to their entry values
jmp return
ReadCritMultiplier:
jmp newmem                               // 5-byte jmp ...
nop                                      // ... plus 3 nops = the 8 bytes of the replaced movss
nop
nop
return:
registersymbol(ReadCritMultiplier)
[DISABLE]
ReadCritMultiplier:
db F3 0F 10 80 B4 0C 00 00               // put the original bytes back
unregistersymbol(ReadCritMultiplier)
unregistersymbol(XMMbackup)
dealloc(XMMbackup,80)                    // NOTE(review): dealloc normally takes only the symbol name, and 80 does not match the 50 passed to alloc
dealloc(newmem)
dealloc(LUA_Crit)
dealloc(logCrit)                         // NOTE(review): name mismatch - the allocation is logCritParams, so that block is never freed
{
// ORIGINAL CODE - INJECTION POINT: "BorderlandsPreSequel.exe"+AFF93E
"BorderlandsPreSequel.exe"+AFF917: F6 42 6C 01 - test byte ptr [edx+6C],01
"BorderlandsPreSequel.exe"+AFF91B: 0F 84 B4 00 00 00 - je BorderlandsPreSequel.exe+AFF9D5
"BorderlandsPreSequel.exe"+AFF921: 8B BE FC 00 00 00 - mov edi,[esi+000000FC]
"BorderlandsPreSequel.exe"+AFF927: 85 FF - test edi,edi
"BorderlandsPreSequel.exe"+AFF929: 0F 84 A6 00 00 00 - je BorderlandsPreSequel.exe+AFF9D5
"BorderlandsPreSequel.exe"+AFF92F: 85 C0 - test eax,eax
"BorderlandsPreSequel.exe"+AFF931: 0F 85 9E 00 00 00 - jne BorderlandsPreSequel.exe+AFF9D5
"BorderlandsPreSequel.exe"+AFF937: 8B 45 FC - mov eax,[ebp-04]
"BorderlandsPreSequel.exe"+AFF93A: 85 C0 - test eax,eax
"BorderlandsPreSequel.exe"+AFF93C: 74 3E - je BorderlandsPreSequel.exe+AFF97C
// ---------- INJECTING HERE ----------
"BorderlandsPreSequel.exe"+AFF93E: F3 0F 10 80 B4 0C 00 00 - movss xmm0,[eax+00000CB4]
// ---------- DONE INJECTING ----------
"BorderlandsPreSequel.exe"+AFF946: F3 0F 11 45 EC - movss [ebp-14],xmm0
"BorderlandsPreSequel.exe"+AFF94B: 85 C9 - test ecx,ecx
"BorderlandsPreSequel.exe"+AFF94D: 74 28 - je BorderlandsPreSequel.exe+AFF977
"BorderlandsPreSequel.exe"+AFF94F: A1 70 04 5E 02 - mov eax,[BorderlandsPreSequel.exe+1540470]
"BorderlandsPreSequel.exe"+AFF954: 50 - push eax
"BorderlandsPreSequel.exe"+AFF955: E8 46 46 50 FF - call BorderlandsPreSequel.exe+3FA0
"BorderlandsPreSequel.exe"+AFF95A: 85 C0 - test eax,eax
"BorderlandsPreSequel.exe"+AFF95C: 74 14 - je BorderlandsPreSequel.exe+AFF972
"BorderlandsPreSequel.exe"+AFF95E: 8B 4D FC - mov ecx,[ebp-04]
"BorderlandsPreSequel.exe"+AFF961: F3 0F 10 81 C8 0C 00 00 - movss xmm0,[ecx+00000CC8]
}
Edit: I might have something. Does the original instruction need to be moved up?
I moved the original instruction before the register backup and restore. Same crash.
Damage log Enabled:
Gun Crit Signaling Damage log Enabled:
Gun Crit Signaling Damage log Enabled:
Gun Crit Signaling Damage log Enabled:
716255359 1408502.625 Max 1408065.875 Cur 1408502.625 Prev 436.750 Damage 44BCCBD8 baseaddress Captured Lost L vsHealthOrArmor
(GUN) CRIT !! Gun Crit Multiplier was = 5.277 <CRASH!!>
I suppose I should try single-stepping around this instruction with my injection off and on and see if I notice the difference / cause.
EDIT 2: new idea. Would it help to take two instructions instead of just one? I'll need to mess with the nops?
EDIT 3: Cannot double post. Started over and it worked.
{ Game : BorderlandsPreSequel.exe
Version:
Date : 2019-05-27
Author : adminlocal

Working rewrite of the crit-multiplier logger. Hooks the 8-byte read
movss xmm0,[eax+00000CB4] (original code listed at the bottom), copies the
float at eax+CB4 and the eax pointer into logCritParams, calls the CE-side
Lua function logCrit through the luaclient export CELUA_ExecuteFunction,
restores the saved registers, executes the original instruction and jumps
back.

Register notes: eax and ecx are saved around the call because both are
caller-saved under 32-bit conventions and both are live afterwards - eax is
the base of the original instruction, ecx is tested at +AFF94B. edx is also
caller-saved; it is not visibly read between the hook and the next call in
the dump, but preserving it too costs one push/pop. The earlier xmm0-xmm5
save/restore was dropped: xmm0 is rewritten by the original instruction
anyway, but xmm1-xmm7 are caller-saved as well, so if the game keeps live
values in them across this point (not visible here) they would be lost.
}
loadlibrary(luaclient-i386.dll)          // client half of the CE Lua-server bridge (32-bit build for a 32-bit target)
luacall(openLuaServer('CELUASERVER'))    // CE side: start the named Lua server the client will talk to
CELUA_ServerName:                        // server name string; presumably read by luaclient when it connects - TODO confirm
db 'CELUASERVER',0
[ENABLE]
{$lua}
-- Runs in the CE Lua engine when the script is enabled.
print("Crit Signaling Enabled:");
-- Invoked from the hook through CELUA_ExecuteFunction. params is the pointer
-- pushed as the second argument (logCritParams): offset 0 holds the raw float
-- bits the hooked movss was about to load, offset 0x100 the entity pointer in
-- eax (unused here). The hooked game thread presumably blocks until this
-- returns, so keep it cheap.
function logCrit(params)
local critMul = readFloat(params);  -- float at logCritParams+0
print(string.format(" CRIT !!! ;(gun)Crit Multiplier = %2.3f ", critMul));
end
{$asm}
aobscanmodule(Gun_Crits,BorderlandsPreSequel.exe,F3 0F 10 80 B4 0C 00 00) // should be unique
alloc(newmem,$1000)
alloc(LUA_Crit_DamageScript,$1000)
alloc(logCritParams,$1000) // some memory space to pass parameters to lua function
label(code)
label(return)
LUA_Crit_DamageScript:
db 'logCrit(parameter)',0                // Lua source luaclient executes; parameter is presumably bound to the pointer pushed as arg 2
newmem:
push ecx                                 // ecx: caller-saved and tested by the game right after the injection point (+AFF94B)
push eax                                 // eax: caller-saved and the base register of the original instruction at code:
mov ecx, [eax+00000CB4]                  // raw float bits the hooked movss is about to load
mov [logCritParams],ecx                  // read back as a float by logCrit via readFloat
mov [logCritParams+100], eax             // offset 0x100: pointer to the entity data structure
// (the original instruction, movss xmm0,[eax+00000CB4], runs at code: below once the registers are restored)
push logCritParams                       // arg 2: parameter pointer handed to the Lua side
push LUA_Crit_DamageScript               // arg 1: Lua source to execute
call CELUA_ExecuteFunction               // no esp fixup afterwards, so this assumes the export is stdcall (callee pops both dword args)
pop eax
pop ecx
code:
movss xmm0,[eax+00000CB4]                // the replaced 8-byte instruction
jmp return
Gun_Crits:
jmp newmem                               // 5-byte jmp ...
nop                                      // ... plus 3 nops = the 8 bytes of the replaced movss
nop
nop
return:
registersymbol(Gun_Crits)
[DISABLE]
Gun_Crits:
db F3 0F 10 80 B4 0C 00 00               // put the original bytes back
unregistersymbol(Gun_Crits)
dealloc(newmem)
dealloc(LUA_Crit_DamageScript)
dealloc(logCritParams)
{
// ORIGINAL CODE - INJECTION POINT: "BorderlandsPreSequel.exe"+AFF93E
"BorderlandsPreSequel.exe"+AFF917: F6 42 6C 01 - test byte ptr [edx+6C],01
"BorderlandsPreSequel.exe"+AFF91B: 0F 84 B4 00 00 00 - je BorderlandsPreSequel.exe+AFF9D5
"BorderlandsPreSequel.exe"+AFF921: 8B BE FC 00 00 00 - mov edi,[esi+000000FC]
"BorderlandsPreSequel.exe"+AFF927: 85 FF - test edi,edi
"BorderlandsPreSequel.exe"+AFF929: 0F 84 A6 00 00 00 - je BorderlandsPreSequel.exe+AFF9D5
"BorderlandsPreSequel.exe"+AFF92F: 85 C0 - test eax,eax
"BorderlandsPreSequel.exe"+AFF931: 0F 85 9E 00 00 00 - jne BorderlandsPreSequel.exe+AFF9D5
"BorderlandsPreSequel.exe"+AFF937: 8B 45 FC - mov eax,[ebp-04]
"BorderlandsPreSequel.exe"+AFF93A: 85 C0 - test eax,eax
"BorderlandsPreSequel.exe"+AFF93C: 74 3E - je BorderlandsPreSequel.exe+AFF97C
// ---------- INJECTING HERE ----------
"BorderlandsPreSequel.exe"+AFF93E: F3 0F 10 80 B4 0C 00 00 - movss xmm0,[eax+00000CB4]
// ---------- DONE INJECTING ----------
"BorderlandsPreSequel.exe"+AFF946: F3 0F 11 45 EC - movss [ebp-14],xmm0
"BorderlandsPreSequel.exe"+AFF94B: 85 C9 - test ecx,ecx
"BorderlandsPreSequel.exe"+AFF94D: 74 28 - je BorderlandsPreSequel.exe+AFF977
"BorderlandsPreSequel.exe"+AFF94F: A1 70 04 8A 01 - mov eax,[BorderlandsPreSequel.exe+1540470]
"BorderlandsPreSequel.exe"+AFF954: 50 - push eax
"BorderlandsPreSequel.exe"+AFF955: E8 46 46 50 FF - call BorderlandsPreSequel.exe+3FA0
"BorderlandsPreSequel.exe"+AFF95A: 85 C0 - test eax,eax
"BorderlandsPreSequel.exe"+AFF95C: 74 14 - je BorderlandsPreSequel.exe+AFF972
"BorderlandsPreSequel.exe"+AFF95E: 8B 4D FC - mov ecx,[ebp-04]
"BorderlandsPreSequel.exe"+AFF961: F3 0F 10 81 C8 0C 00 00 - movss xmm0,[ecx+00000CC8]
}