Solved Modifying a hardcoded value


#1 xerox8521 (Senior Member, Join Date: Sep 2011) - 03-25-2022, 06:41 - Modifying a hardcoded value

Hi,

so I have this hardcoded value at
PHP Code:
0EC D9 05 E4 A6 17 01 fld     ds:flt_117A6E4 
which is the 0.75 from here
PHP Code:
(*(*random_valve + 4))(random_valve, 0, 0x3F800000) < 0.75
is it possible with a sourcemod plugin to change this value based on a convar value? So it would end up something like this

PHP Code:
(*(*random_valve + 4))(random_valve, 0, 0x3F800000) < myConVar.FloatValue
rather than the hardcoded value.

Last edited by xerox8521; 03-25-2022 at 17:49.
#2 nosoop (Veteran Member, Join Date: Aug 2014) - 03-25-2022, 07:10 - Re: Modifying a hardcoded value

If you don't mind depending on Source Scramble / SM-Memory, that would be possible.

The fld operation takes an indirect, or fixed address (0x0117A6E4) as its operand, so in this case you would:
  1. Get the address of a cell in the plugin's heap (GetAddressOfCell in Source Scramble, AddressOf in SM-Memory). The variable should be globally scoped.
  2. Patch the operand to point to that address (use the memory patching functionality in Source Scramble to validate that your operations are where you expect them to be, then overlay it with a StoreToAddress; in SM-Memory I think you'd have to validate with LoadToAddress and make sure you restore the original values on plugin unload).
  3. Attach a change hook to your ConVar to update the value of the cell.
__________________
I do TF2, TF2 servers, and TF2 plugins.
I don't do DMs over Discord -- PM me on the forums regarding inquiries.
AlliedModders Releases / Github / TF2 Server / Donate (BTC / BCH / coffee)

Last edited by nosoop; 03-25-2022 at 07:12.
#3 xerox8521 (Senior Member, Join Date: Sep 2011) - 03-25-2022, 08:16 - Re: Modifying a hardcoded value

Could you go a bit more in depth about the second part? I've never done this before or used source scramble.
Like finding offset, the verify part and later with StoreToAddress.
#4 nosoop (Veteran Member, Join Date: Aug 2014) - 03-25-2022, 08:31 - Re: Modifying a hardcoded value

The offset is the number of bytes from the start of the function (or from the start of a unique signature), similar to what you'd use for the Addresses section for gamedata. IDA should indicate the current offset as function+offset below your preferred view, but you may need to switch to hex view and click around to get something other than a loc_* label.

Verification in Source Scramble just confirms that the location you're patching is what you expect it to be - in this case, that the bytes are D9 05 ?? ?? ?? ??. You can use LoadFromAddress in the same way; just read and make sure that D9 05 exist.

You'd then use StoreToAddress to patch the ?? ?? ?? ?? bytes to the address of the cell (variable) in plugin space.

Last edited by nosoop; 03-25-2022 at 08:38.
#5 xerox8521 (Senior Member, Join Date: Sep 2011) - 03-25-2022, 08:57 - Re: Modifying a hardcoded value

I'm unsure what the "patch" part should look like in the game data config file.

I've set it up like this. Wouldn't the address of the cell change if the server restarts or the plugin gets reloaded?!

PHP Code:
"Games"
{
    "zps"
    {
        "MemPatches"
        {
            "signature" "CHL2MP_Player::OnTakeDamage"
            "offset"    "B28"
            "verify"    "\xD9\x05"
            "patch"     ""
        }
        "Signatures"
        {
            "CHL2MP_Player::OnTakeDamage"
            {
                "library"   "server"
                "linux"     "@_ZN13CHL2MP_Player12OnTakeDamageERK15CTakeDamageInfo"
            }
        }
    }
}

#6 nosoop (Veteran Member, Join Date: Aug 2014) - 03-25-2022, 15:52 - Re: Modifying a hardcoded value

The patch can be something like \xD9\x05\x00\x00\x00\x00 (and optionally add the relatively new preserve value, with something like \xFF\xFF\xFF\xFF\xFF\xFF).

Yes; the address of the cell would change on every reload of the plugin. You'd want to perform the patch and set StoreToAddress within your plugin's OnPluginStart (which is why the address defined in gamedata doesn't have to be valid - you'll be overwriting it with StoreToAddress immediately after).

It'd be StoreToAddress(patch.Address + view_as<Address>(2), GetAddressOfCell(g_flCustomValue), NumberType_Int32); (don't forget to add 2 to skip past the opcodes).

Last edited by nosoop; 03-25-2022 at 15:59.
#7 xerox8521 (Senior Member, Join Date: Sep 2011) - 03-25-2022, 16:44 - Re: Modifying a hardcoded value

I've set up the game data file now like so

PHP Code:
"Games"
{
    "zps"
    {
        "MemPatches"
        {
            "CHL2MP_Player::OnTakeDamage::HardcoreInfectionChance"
            {
                "signature" "CHL2MP_Player::OnTakeDamage"
                "linux"
                {
                    "offset"    "B28"
                    "verify"    "\xD9\x05"
                    "patch"     "\xD9\x05\x00\x00\x00\x00"
                    "preserve"  "\xFF\xFF\xFF\xFF\xFF\xFF"
                }
            }
        }
        "Signatures"
        {
            "CHL2MP_Player::OnTakeDamage"
            {
                "library"   "server"
                "linux"     "@_ZN13CHL2MP_Player12OnTakeDamageERK15CTakeDamageInfo"
            }
        }
    }
}
and the test plugin like so
PHP Code:
#include <sourcemod>
#include <sourcescramble>

// Cell that the patched fld will read from; must stay globally scoped so its
// address is stable for the lifetime of the plugin.
float flHardcoreInfectionChance;

Handle g_pGameConfig;

ConVar infected_chance_hardcore;

MemoryPatch patch;

public void OnPluginStart()
{
    g_pGameConfig = LoadGameConfigFile("test");

    patch = MemoryPatch.CreateFromConf(g_pGameConfig, "CHL2MP_Player::OnTakeDamage::HardcoreInfectionChance");
    if (!patch.Validate())
    {
        PrintToServer("[MEMPATCH - FAILED]: Failed to verify patch for CHL2MP_Player::OnTakeDamage::HardcoreInfectionChance");
        delete g_pGameConfig;
        return;
    }

    if (patch.Enable())
    {
        PrintToServer("[MEMPATCH - SUCCESS]: CHL2MP_Player::OnTakeDamage::HardcoreInfectionChance Patch has been applied");
    }

    infected_chance_hardcore = CreateConVar("infected_chance_hardcore", "0.10", "Chance for carriers to infect someone in hardcore mode", FCVAR_NOTIFY, true, 0.0, true, 1.0);
    infected_chance_hardcore.AddChangeHook(OnInfectedChanceHardcoreChanged);

    // Seed the cell from the convar's current value; the change hook only
    // fires on later changes, so without this the cell would read as 0.0.
    flHardcoreInfectionChance = infected_chance_hardcore.FloatValue;

    // Skip the two opcode bytes (D9 05) and overwrite the 4-byte absolute
    // operand with the address of the cell.
    StoreToAddress(patch.Address + view_as<Address>(2), view_as<int>(GetAddressOfCell(flHardcoreInfectionChance)), NumberType_Int32);
}

public void OnInfectedChanceHardcoreChanged(ConVar convar, const char[] oldValue, const char[] newValue)
{
    flHardcoreInfectionChance = StringToFloat(newValue);
}

public void OnPluginEnd()
{
    patch.Disable();
}
It currently fails at the validate step.

Offset in IDA is shown as https://i.imgur.com/R1mfppQ.png so it should be correct.

Something else I'm missing here?
#8 nosoop (Veteran Member, Join Date: Aug 2014) - 03-25-2022, 17:19 - Re: Modifying a hardcoded value

You might need to do B28h (including the 'h' suffix) for the offset, the extension might be getting tripped up on the integer parsing. The 'h' suffix is specific to Source Scramble and indicates a hex offset. I probably should change the parsing logic to use strtol to do automatic base resolution and to match SourceMod's newer behavior (so you'd be able to use 0xB28 instead).

Side note: Since you're using Source Scramble, you don't actually need to disable the patch manually during OnPluginEnd (SourceMod cleans up handles on unloaded plugins).

Last edited by nosoop; 03-25-2022 at 18:01.
#9 xerox8521 (Senior Member, Join Date: Sep 2011) - 03-25-2022, 17:49 - Re: Modifying a hardcoded value

Yea, the missing h solved it. Thanks a lot for the help getting this done.
#10 Gazyi (Junior Member, Join Date: Apr 2016) - 04-01-2022, 16:18 - Re: Modifying a hardcoded value

I have a similar problem trying to patch the bone name that is used to attach the shield hitbox when it's not deployed (CS:GO).
PHP Code:
"Games"
{
    "csgo"
    {
        "MemPatches"
        {
            "ShieldAttachBone_AttachEquipment"
            {
                "signature" "AttachEquipment"
                "windows"
                {
                    "offset"    "77Ah"
                    "verify"    "\x68\x70"
                    "patch"     "\x68\x70\x00\x00\x00\x00"
                    "preserve"  "\xFF\xFF\xFF\xFF\xFF\xFF"
                }
            }
        }
        "Signatures"
        {
            "AttachEquipment"
            {
                "library" "server"
                "windows" "\x55\x8B\xEC\x83\xE4\xF0\x81\xEC\x88\x02\x00\x00"
            }
        }
    }
}
According to IDA, the offset in that function contains push opcode with pointer to string "spine_2":
PHP Code:
68 70 D9 8D 10    push    offset aSpine_2 ; "spine_2"
I tried to make a plugin that will override that string in that specific function. This "spine_2" string is also used by three other functions, so I thought it'd be better to patch the opcode pointer like in the plugin above instead of overriding the string directly.
PHP Code:
#include <sourcemod>
#include <sourcescramble>

char BoneName[32];

Handle g_pGameConfig;

ConVar shieldattach_bonename;

MemoryPatch patch;

public void OnPluginStart()
{
    g_pGameConfig = LoadGameConfigFile("shieldattach.games");

    patch = MemoryPatch.CreateFromConf(g_pGameConfig, "ShieldAttachBone_AttachEquipment");
    if (!patch.Validate())
    {
        PrintToServer("[MEMPATCH - FAILED]: Failed to verify patch!");
        delete g_pGameConfig;
        return;
    }

    if (patch.Enable())
    {
        PrintToServer("[MEMPATCH - SUCCESS]: Patch has been applied!");
    }

    shieldattach_bonename = CreateConVar("shieldattach_bonename", "spine_2", "Bone name for attaching shield hitbox", FCVAR_NOTIFY, true, 0.0, true, 1.0);
    shieldattach_bonename.AddChangeHook(OnBoneChanged);

    StoreToAddress(patch.Address + view_as<Address>(2), view_as<int>(GetAddressOfString(BoneName)), NumberType_Int32);
}

public void OnBoneChanged(ConVar convar, const char[] oldValue, const char[] newValue)
{
    strcopy(BoneName, sizeof(BoneName), newValue);
}
That code makes the server crash when a player is killed, and the address of the plugin string seems to be incorrect.

Opcodes before patch:
PHP Code:
server.dll+469999  50              push eax
server.dll+46999A  68 70D99920     push server.dll+8DD970 { ("spine_2") }
server.dll+46999F  E8 5CFCD5FF     call server.dll+1C9600
server.dll+4699A4  50              push eax
server.dll+4699A5  8B CF           mov ecx,edi
server.dll+4699A7  FF 96 58030000  call dword ptr [esi+00000358]
Opcodes after patch:
PHP Code:
server.dll+469999  50              push eax
server.dll+46999A  68 7074186E     push 6E187470 { 1847096432 }
server.dll+46999F  22 5C FC D5     and bl,[esp+edi*8-2B]
server.dll+4699A3  FF 50 8B        call dword ptr [eax-75]
server.dll+4699A6  CF              iretd
server.dll+4699A7  FF 96 58030000  call dword ptr [esi+00000358]
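The procedure laid out in posts #2 through #6 (validate the opcode bytes, enable a patch whose preserve mask keeps everything, then StoreToAddress the cell address over the 4-byte operand) and the crash in post #10 both come down to one detail: where the 32-bit absolute operand starts after the opcode. The block below is an added example in Python, not code from this thread, from Source Scramble or from SourceMod. It models that sequence on a plain byte buffer using the bytes copied from the IDA and Cheat Engine listings in the posts; the preserve mask is modelled as "a set bit keeps the original bit". The cell address 0x0CAFE000 for the fld case is made up, and 0x226E1874 is the value that the "after patch" dump shows being written. Running the dump's "before" bytes through the same write at +2 reproduces the corrupted listing exactly (push 6E187470, and 22 where the E8 of the following call was), while writing at +1, the length of the push imm32 opcode, leaves the call intact.

```python
"""Byte-level model of the operand patches in this thread (added example)."""
import struct

# opcode bytes -> mnemonic; the 32-bit absolute operand follows the opcode
ABS32_OPCODES = {
    b"\xD9\x05": "fld dword ptr [disp32]",   # 2-byte opcode, operand at +2
    b"\x68":     "push imm32",               # 1-byte opcode, operand at +1
}


def decode_abs32(code, at):
    """Return (mnemonic, operand_offset, length, operand) for the instruction
    at `at`, or raise if it is not one of the two forms modelled here."""
    for opcode, name in ABS32_OPCODES.items():
        if code[at:at + len(opcode)] == opcode:
            op_off = len(opcode)
            (operand,) = struct.unpack_from("<I", code, at + op_off)
            return name, op_off, op_off + 4, operand
    raise ValueError("unexpected bytes at +%#x: %s" % (at, code[at:at + 2].hex()))


def verify(code, at, pattern):
    """The gamedata "verify" check: bytes at the patch site must match."""
    return code[at:at + len(pattern)] == pattern


def apply_patch(code, at, patch, preserve):
    """MemoryPatch.Enable() with a "preserve" mask, modelled as: a set bit
    keeps the original bit, a clear bit takes the bit from `patch`. With
    preserve all 0xFF nothing changes, which is why the address in the
    gamedata "patch" string can be a placeholder."""
    buf = bytearray(code)
    for i, (p, keep) in enumerate(zip(patch, preserve)):
        buf[at + i] = (buf[at + i] & keep) | (p & ~keep & 0xFF)
    return bytes(buf)


def store_to_address(code, at, value):
    """StoreToAddress(addr, value, NumberType_Int32): a 4-byte little-endian write."""
    buf = bytearray(code)
    struct.pack_into("<I", buf, at, value)
    return bytes(buf)


def redirect_operand(code, site, expected, new_target, skip):
    """The plugins' sequence: Validate(), Enable() with an all-preserve mask,
    then StoreToAddress at site + skip. `skip` is the opcode length the plugin
    author assumed; the correct value is what decode_abs32 reports."""
    if not verify(code, site, expected):
        raise ValueError("verify failed at +%#x" % site)
    _, _, length, _ = decode_abs32(code, site)
    gamedata_patch = expected + b"\x00" * (length - len(expected))
    patched = apply_patch(code, site, gamedata_patch, b"\xFF" * length)
    return store_to_address(patched, site + skip, new_target)


def describe(code, site):
    """Decoded operand at `site` plus the opcode byte of the following
    instruction, so an overrun into the next instruction shows up."""
    name, _, length, operand = decode_abs32(code, site)
    return {"insn": name, "operand": operand, "next_opcode": code[site + length]}


# Case 1: the fld from post #1, bytes D9 05 E4 A6 17 01, followed here by a
# ret (C3) standing in for whatever instruction comes next (constructed).
FLD_CODE = bytes.fromhex("D9 05 E4 A6 17 01 C3")
CELL_ADDR = 0x0CAFE000                     # made-up address of the plugin cell
fld_before = describe(FLD_CODE, 0)         # operand 0x0117A6E4, next C3
fld_after = describe(redirect_operand(FLD_CODE, 0, b"\xD9\x05", CELL_ADDR, skip=2), 0)

# Case 2: the push from post #10, bytes copied from the "before" dump starting
# at server.dll+469999; the push sits at index 1, the call (E8) at index 6.
PUSH_CODE = bytes.fromhex("50 68 70 D9 99 20 E8 5C FC D5 FF 50 8B CF FF 96 58 03 00 00")
STRING_ADDR = 0x226E1874                   # value the "after" dump shows written
push_before = describe(PUSH_CODE, 1)       # operand 0x2099D970, next E8
push_skip2 = describe(redirect_operand(PUSH_CODE, 1, b"\x68\x70", STRING_ADDR, skip=2), 1)
push_skip1 = describe(redirect_operand(PUSH_CODE, 1, b"\x68\x70", STRING_ADDR, skip=1), 1)

if __name__ == "__main__":
    for label, d in (("fld before", fld_before), ("fld skip=2", fld_after),
                     ("push before", push_before), ("push skip=2", push_skip2),
                     ("push skip=1", push_skip1)):
        print("%-12s %-24s operand=%#010x next=%#04x"
              % (label, d["insn"], d["operand"], d["next_opcode"]))
```

The value to carry back into the plugin is the skip passed to StoreToAddress: it has to equal the opcode length of the instruction being patched, which is what decode_abs32 reports, and a two-byte verify pattern such as 68 70 only proves the opcode byte, not where the operand starts. Writing one byte too far does not just misaim the operand; it overwrites the first byte of the next instruction, which is what the corrupted listing above shows.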