[Solved] Skip an instruction?
Spirit_12
Veteran Member
Join Date: Dec 2012
Location: Toronto, CA
09-08-2018, 17:55   Skip an instruction?
#1

I'm trying to patch a function in IDA for L4D2. In my disassembly I have two conditional jumps which I would like to skip completely. Is there a way to completely skip the functions?



PHP Code:
0F 84 7D 01 00 00                       jz      loc_7F3B88
0F 85 20 02 00 00                       jnz     loc_7F3C38 
NOPing them is not an option, as I still need the function to complete. I just want to remove these 2 conditions. I have the address and offsets, but I'm not sure how to skip.

Any ideas?

Last edited by Spirit_12; 09-10-2018 at 03:28.
Fyren
Join Date: Feb 2106
09-08-2018, 18:25   Re: Skip an instruction?
#2

It is extremely unclear what you're asking. "Skip the functions" and "need the function to complete" don't make much sense here.

If "skip the functions" means you don't want the jumps to ever be taken, then replacing them with NOPs is exactly the obvious solution.
Spirit_12
Veteran Member
Join Date: Dec 2012
Location: Toronto, CA
09-08-2018, 18:36   Re: Skip an instruction?
#3

Let me elaborate.

PHP Code:
if(a)
{
    return 1;
}
if(b)
{
    return 2;
}
if(c)
{
    return 3;
}
In my above example, a, b and c are all bool variables. If the code is written out like this, then the moment a becomes true my function will return 1 and the rest won't execute. Same for b, but I only want to check if c is true or false. Both a and b are stopping the function prematurely and it doesn't even run till c.

I thought of using NOPs, but would that not stop the whole function? If I were to NOP an instruction, would I NOP the test or the jz?
Dr!fter
The Salt Boss
Join Date: Mar 2007
09-08-2018, 20:38   Re: Skip an instruction?
#4

NOP the jumps
Fyren
Join Date: Feb 2106
09-08-2018, 20:41   Re: Skip an instruction?
#5

It depends on the assembly. You might want to change the first conditional jump to instead unconditionally jump to target the later test that you want.
Spirit_12
Veteran Member
Join Date: Dec 2012
Location: Toronto, CA
09-08-2018, 21:04   Re: Skip an instruction?
#6

Quote:
Originally Posted by Dr!fter View Post
NOP the jumps
Results in an instant crash.

Quote:
Originally Posted by Fyren View Post
It depends on the assembly. You might want to change the first conditional jump to instead unconditionally jump to target the later test that you want.
I was trying the same approach, but the function is coded in a way where the jump ends up in a 0 result, while if the condition isn't met then the whole code continues to execute.

BTW, if you are wondering, I'm trying to fix the tongue breaking when the smoker moves with a survivor.

PHP Code:
CTongue::OnUpdateAttachedToTargetState(CTongue *this)
Blocking the following function stops the tongue from breaking, but it handles changing of the tongue state based on the results. Blocking it completely results in the smoker tongue still existing and tied to the smoker on one end while the survivor can move freely.

PHP Code:
.text:007F3C03                         loc_7F3C03:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+2B1j
.text:007F3C03 8B 03                                   mov     eax, [ebx]
.text:007F3C05 C7 44 24 08 4C FF C6 00                 mov     dword ptr [esp+8], offset aTongueBrokeBec ; "Tongue broke because we left the ground"...
The above code is what I'm trying to avoid. Instructions go through the event manager block and then to loc_7F3C03, but if I'm blocking the tongue release, then there is no reason to run it through the event manager either.
Dr!fter
The Salt Boss
Join Date: Mar 2007
09-09-2018, 21:26   Re: Skip an instruction?
#7

You didn't post any code, and posting 2-line snippets of the function doesn't help at all. NOPing the jumps shouldn't cause a crash. CSSDM does this in multiple places if you want to look at that.

Last edited by Dr!fter; 09-09-2018 at 21:27.
Spirit_12
Veteran Member
Join Date: Dec 2012
Location: Toronto, CA
09-09-2018, 21:50   Re: Skip an instruction?
#8

The function is too long; that's why I didn't post the code initially. All I'm doing to NOP is changing the first byte of the instruction to 90. Am I supposed to change all the bytes? I'll look into CSSDM.

BTW, I'm using the LoadFromAddress and StoreToAddress methods rather than going for an extension.

PHP Code:
.text:007F3900
.text:007F3900                         ; =============== S U B R O U T I N E =======================================
.text:007F3900
.text:007F3900                         ; Attributes: bp-based frame
.text:007F3900
.text:007F3900                         ; _DWORD __cdecl CTongue::OnUpdateAttachedToTargetState(CTongue *this)
.text:007F3900                         _ZN7CTongue29OnUpdateAttachedToTargetStateEv proc near
.text:007F3900                                                                 ; DATA XREF: .data:00F01420o
.text:007F3900
.text:007F3900                         var_48          = qword ptr -48h
.text:007F3900                         var_38          = qword ptr -38h
.text:007F3900                         var_20          = dword ptr -20h
.text:007F3900                         var_1C          = dword ptr -1Ch
.text:007F3900                         this            = dword ptr  8
.text:007F3900
.text:007F3900 55                                      push    ebp
.text:007F3901 89 E5                                   mov     ebp, esp
.text:007F3903 57                                      push    edi
.text:007F3904 56                                      push    esi
.text:007F3905 53                                      push    ebx
.text:007F3906 83 EC 6C                                sub     esp, 6Ch
.text:007F3909 8B 5D 08                                mov     ebx, [ebp+this]
.text:007F390C 8B 0D 64 44 ED 00                       mov     ecx, g_pEntityList
.text:007F3912 8B 83 4C 04 00 00                       mov     eax, [ebx+44Ch]
.text:007F3918 83 F8 FF                                cmp     eax, 0FFFFFFFFh
.text:007F391B 74 15                                   jz      short loc_7F3932
.text:007F391D 89 C2                                   mov     edx, eax
.text:007F391F C1 E8 0C                                shr     eax, 0Ch
.text:007F3922 81 E2 FF 0F 00 00                       and     edx, 0FFFh
.text:007F3928 C1 E2 04                                shl     edx, 4
.text:007F392B 01 CA                                   add     edx, ecx
.text:007F392D 39 42 08                                cmp     [edx+8], eax
.text:007F3930 74 0E                                   jz      short loc_7F3940
.text:007F3932
.text:007F3932                         loc_7F3932:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+1Bj
.text:007F3932                                                                 ; CTongue::OnUpdateAttachedToTargetState(void)+45j ...
.text:007F3932 83 C4 6C                                add     esp, 6Ch
.text:007F3935 5B                                      pop     ebx
.text:007F3936 5E                                      pop     esi
.text:007F3937 5F                                      pop     edi
.text:007F3938 5D                                      pop     ebp
.text:007F3939 C3                                      retn
.text:007F3939                         ; ---------------------------------------------------------------------------
.text:007F393A 8D B6 00 00 00 00                       align 10h
.text:007F3940
.text:007F3940                         loc_7F3940:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+30j
.text:007F3940 8B 7A 04                                mov     edi, [edx+4]
.text:007F3943 85 FF                                   test    edi, edi
.text:007F3945 74 EB                                   jz      short loc_7F3932
.text:007F3947 A1 FC EF F9 00                          mov     eax, ds:dword_F9EFFC
.text:007F394C 8B 50 30                                mov     edx, [eax+30h]
.text:007F394F 85 D2                                   test    edx, edx
.text:007F3951 75 4D                                   jnz     short loc_7F39A0
.text:007F3953 8B 87 E0 33 00 00                       mov     eax, [edi+33E0h]
.text:007F3959 83 F8 FF                                cmp     eax, 0FFFFFFFFh
.text:007F395C 74 15                                   jz      short loc_7F3973
.text:007F395E 89 C2                                   mov     edx, eax
.text:007F3960 C1 E8 0C                                shr     eax, 0Ch
.text:007F3963 81 E2 FF 0F 00 00                       and     edx, 0FFFh
.text:007F3969 C1 E2 04                                shl     edx, 4
.text:007F396C 01 D1                                   add     ecx, edx
.text:007F396E 39 41 08                                cmp     [ecx+8], eax
.text:007F3971 74 5D                                   jz      short loc_7F39D0
.text:007F3973
.text:007F3973                         loc_7F3973:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+5Cj
.text:007F3973                                                                 ; CTongue::OnUpdateAttachedToTargetState(void)+D5j ...
.text:007F3973 8B 03                                   mov     eax, [ebx]
.text:007F3975 C7 44 24 04 18 FF C6 00                 mov     dword ptr [esp+4], offset aTongueDroppi_0 ; "Tongue dropping because we no longer ha"...
.text:007F397D
.text:007F397D                         loc_7F397D:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+608j
.text:007F397D 89 1C 24                                mov     [esp], ebx
.text:007F3980 FF 90 8C 03 00 00                       call    dword ptr [eax+38Ch]
.text:007F3986
.text:007F3986                         loc_7F3986:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+636j
.text:007F3986                                                                 ; CTongue::OnUpdateAttachedToTargetState(void)+683j
.text:007F3986 89 1C 24                                mov     [esp], ebx
.text:007F3989 C7 44 24 04 04 00 00 00                 mov     dword ptr [esp+4], 4
.text:007F3991 E8 DA D6 FF FF                          call    _ZN7CTongue16State_TransitionE11TongueState ; CTongue::State_Transition(TongueState)
.text:007F3996 83 C4 6C                                add     esp, 6Ch
.text:007F3999 5B                                      pop     ebx
.text:007F399A 5E                                      pop     esi
.text:007F399B 5F                                      pop     edi
.text:007F399C 5D                                      pop     ebp
.text:007F399D C3                                      retn
.text:007F399D                         ; ---------------------------------------------------------------------------
.text:007F399E 66 90                                   align 10h
.text:007F39A0
.text:007F39A0                         loc_7F39A0:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+51j
.text:007F39A0 C7 44 24 04 00 00 00 00                 mov     dword ptr [esp+4], 0 ; int
.text:007F39A8 C7 04 24 E0 EF F9 00                    mov     dword ptr [esp], offset TongueForceBreak ; this
.text:007F39AF E8 AC 35 31 00                          call    _ZN6ConVar8SetValueEi ; ConVar::SetValue(int)
.text:007F39B4 89 1C 24                                mov     [esp], ebx
.text:007F39B7 C7 44 24 04 04 00 00 00                 mov     dword ptr [esp+4], 4
.text:007F39BF E8 AC D6 FF FF                          call    _ZN7CTongue16State_TransitionE11TongueState ; CTongue::State_Transition(TongueState)
.text:007F39C4 83 C4 6C                                add     esp, 6Ch
.text:007F39C7 5B                                      pop     ebx
.text:007F39C8 5E                                      pop     esi
.text:007F39C9 5F                                      pop     edi
.text:007F39CA 5D                                      pop     ebp
.text:007F39CB C3                                      retn
.text:007F39CB                         ; ---------------------------------------------------------------------------
.text:007F39CC 8D 74 26 00                             align 10h
.text:007F39D0
.text:007F39D0                         loc_7F39D0:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+71j
.text:007F39D0 8B 71 04                                mov     esi, [ecx+4]
.text:007F39D3 85 F6                                   test    esi, esi
.text:007F39D5 74 9C                                   jz      short loc_7F3973
.text:007F39D7 8B 06                                   mov     eax, [esi]
.text:007F39D9 89 34 24                                mov     [esp], esi
.text:007F39DC FF 90 28 01 00 00                       call    dword ptr [eax+128h]
.text:007F39E2 84 C0                                   test    al, al
.text:007F39E4 74 8D                                   jz      short loc_7F3973
.text:007F39E6 89 34 24                                mov     [esp], esi      ; this
.text:007F39E9 E8 42 9A DD FF                          call    _ZNK11CBaseEntity13GetTeamNumberEv ; CBaseEntity::GetTeamNumber(void)
.text:007F39EE 89 04 24                                mov     [esp], eax      ; int
.text:007F39F1 E8 2A C1 CF FF                          call    _Z15IsASurvivorTeami ; IsASurvivorTeam(int)
.text:007F39F6 84 C0                                   test    al, al
.text:007F39F8 0F 84 75 FF FF FF                       jz      loc_7F3973
.text:007F39FE F6 87 50 01 00 00 01                    test    byte ptr [edi+150h], 1
.text:007F3A05 0F 84 7D 01 00 00                       jz      loc_7F3B88
.text:007F3A0B F6 86 50 01 00 00 08                    test    byte ptr [esi+150h], 8
.text:007F3A12 0F 85 20 02 00 00                       jnz     loc_7F3C38
.text:007F3A18 8B 86 C4 33 00 00                       mov     eax, [esi+33C4h]
.text:007F3A1E 8B 0D 64 44 ED 00                       mov     ecx, g_pEntityList
.text:007F3A24 83 F8 FF                                cmp     eax, 0FFFFFFFFh
.text:007F3A27 74 19                                   jz      short loc_7F3A42
.text:007F3A29 89 C2                                   mov     edx, eax
.text:007F3A2B C1 E8 0C                                shr     eax, 0Ch
.text:007F3A2E 81 E2 FF 0F 00 00                       and     edx, 0FFFh
.text:007F3A34 C1 E2 04                                shl     edx, 4
.text:007F3A37 01 CA                                   add     edx, ecx
.text:007F3A39 39 42 08                                cmp     [edx+8], eax
.text:007F3A3C 0F 84 86 02 00 00                       jz      loc_7F3CC8
.text:007F3A42
.text:007F3A42                         loc_7F3A42:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+127j
.text:007F3A42                                                                 ; CTongue::OnUpdateAttachedToTargetState(void)+3CDj
.text:007F3A42 8B 06                                   mov     eax, [esi]
.text:007F3A44 89 34 24                                mov     [esp], esi
.text:007F3A47 FF 90 84 02 00 00                       call    dword ptr [eax+284h]
.text:007F3A4D 8B 10                                   mov     edx, [eax]
.text:007F3A4F 89 93 50 05 00 00                       mov     [ebx+550h], edx
.text:007F3A55 8B 50 04                                mov     edx, [eax+4]
.text:007F3A58 89 93 54 05 00 00                       mov     [ebx+554h], edx
.text:007F3A5E 8B 40 08                                mov     eax, [eax+8]
.text:007F3A61 89 83 58 05 00 00                       mov     [ebx+558h], eax
.text:007F3A67 89 1C 24                                mov     [esp], ebx      ; this
.text:007F3A6A E8 71 F7 FF FF                          call    _ZN7CTongue14UpdateAirChokeEv ; CTongue::UpdateAirChoke(void)
.text:007F3A6F A1 EC 71 F8 00                          mov     eax, ds:gpGlobals
.text:007F3A74 F3 0F 10 40 0C                          movss   xmm0, dword ptr [eax+0Ch]
.text:007F3A79 A1 3C F5 F9 00                          mov     eax, ds:dword_F9F53C
.text:007F3A7E F3 0F 5C 83 68 04 00 00                 subss   xmm0, dword ptr [ebx+468h]
.text:007F3A86 0F 2F 40 2C                             comiss  xmm0, dword ptr [eax+2Ch]
.text:007F3A8A 0F 83 D0 02 00 00                       jnb     loc_7F3D60
.text:007F3A90
.text:007F3A90                         loc_7F3A90:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+46Dj
.text:007F3A90 A1 9C F5 F9 00                          mov     eax, ds:dword_F9F59C
.text:007F3A95 0F 2F 40 2C                             comiss  xmm0, dword ptr [eax+2Ch]
.text:007F3A99 72 10                                   jb      short loc_7F3AAB
.text:007F3A9B
.text:007F3A9B                         loc_7F3A9B:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+467j
.text:007F3A9B 89 1C 24                                mov     [esp], ebx      ; this
.text:007F3A9E E8 CD F2 FF FF                          call    _ZN7CTongue17UpdateGroundChokeEv ; CTongue::UpdateGroundChoke(void)
.text:007F3AA3 84 C0                                   test    al, al
.text:007F3AA5 0F 84 62 04 00 00                       jz      loc_7F3F0D
.text:007F3AAB
.text:007F3AAB                         loc_7F3AAB:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+199j
.text:007F3AAB 89 1C 24                                mov     [esp], ebx      ; this
.text:007F3AAE E8 6D CA FF FF                          call    _ZN7CTongue10UpdateBendEv ; CTongue::UpdateBend(void)
.text:007F3AB3 84 C0                                   test    al, al
.text:007F3AB5 0F 85 BD 02 00 00                       jnz     loc_7F3D78
.text:007F3ABB A1 BC F9 F9 00                          mov     eax, ds:dword_F9F9BC
.text:007F3AC0 8B 40 30                                mov     eax, [eax+30h]
.text:007F3AC3 85 C0                                   test    eax, eax
.text:007F3AC5 0F 85 13 04 00 00                       jnz     loc_7F3EDE
.text:007F3ACB
.text:007F3ACB                         loc_7F3ACB:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+5EBj
.text:007F3ACB                                                                 ; CTongue::OnUpdateAttachedToTargetState(void)+5F8j
.text:007F3ACB 8B 83 54 05 00 00                       mov     eax, [ebx+554h]
.text:007F3AD1 F3 0F 10 83 50 05 00 00                 movss   xmm0, dword ptr [ebx+550h]
.text:007F3AD9 F3 0F 11 83 A0 04 00 00                 movss   dword ptr [ebx+4A0h], xmm0
.text:007F3AE1 89 83 A4 04 00 00                       mov     [ebx+4A4h], eax
.text:007F3AE7 8B 83 58 05 00 00                       mov     eax, [ebx+558h]
.text:007F3AED 89 83 A8 04 00 00                       mov     [ebx+4A8h], eax
.text:007F3AF3 80 BE FC 33 00 00 00                    cmp     byte ptr [esi+33FCh], 0
.text:007F3AFA 0F 84 88 04 00 00                       jz      loc_7F3F88
.text:007F3B00
.text:007F3B00                         loc_7F3B00:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+6A0j
.text:007F3B00 0F 2F 83 38 05 00 00                    comiss  xmm0, dword ptr [ebx+538h]
.text:007F3B07 75 27                                   jnz     short loc_7F3B30
.text:007F3B09 F3 0F 10 8B 54 05 00 00                 movss   xmm1, dword ptr [ebx+554h]
.text:007F3B11 0F 2F 8B 3C 05 00 00                    comiss  xmm1, dword ptr [ebx+53Ch]
.text:007F3B18 75 16                                   jnz     short loc_7F3B30
.text:007F3B1A F3 0F 10 8B 58 05 00 00                 movss   xmm1, dword ptr [ebx+558h]
.text:007F3B22 0F 2F 8B 40 05 00 00                    comiss  xmm1, dword ptr [ebx+540h]
.text:007F3B29 0F 84 03 FE FF FF                       jz      loc_7F3932
.text:007F3B2F 90                                      nop
.text:007F3B30
.text:007F3B30                         loc_7F3B30:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+207j
.text:007F3B30                                                                 ; CTongue::OnUpdateAttachedToTargetState(void)+218j
.text:007F3B30 80 7B 6C 00                             cmp     byte ptr [ebx+6Ch], 0
.text:007F3B34 0F 85 D1 04 00 00                       jnz     loc_7F400B
.text:007F3B3A 8B 43 30                                mov     eax, [ebx+30h]
.text:007F3B3D 85 C0                                   test    eax, eax
.text:007F3B3F 74 1C                                   jz      short loc_7F3B5D
.text:007F3B41 81 08 01 01 00 00                       or      dword ptr [eax], 101h
.text:007F3B47 89 04 24                                mov     [esp], eax      ; this
.text:007F3B4A E8 11 33 E9 FF                          call    _ZN10CBaseEdict17GetChangeAccessorEv ; CBaseEdict::GetChangeAccessor(void)
.text:007F3B4F 66 C7 40 02 00 00                       mov     word ptr [eax+2], 0
.text:007F3B55 F3 0F 10 83 50 05 00 00                 movss   xmm0, dword ptr [ebx+550h]
.text:007F3B5D
.text:007F3B5D                         loc_7F3B5D:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+23Fj
.text:007F3B5D                                                                 ; CTongue::OnUpdateAttachedToTargetState(void)+70Fj
.text:007F3B5D 8B 83 54 05 00 00                       mov     eax, [ebx+554h]
.text:007F3B63 F3 0F 11 83 38 05 00 00                 movss   dword ptr [ebx+538h], xmm0
.text:007F3B6B 89 83 3C 05 00 00                       mov     [ebx+53Ch], eax
.text:007F3B71 8B 83 58 05 00 00                       mov     eax, [ebx+558h]
.text:007F3B77 89 83 40 05 00 00                       mov     [ebx+540h], eax
.text:007F3B7D E9 B0 FD FF FF                          jmp     loc_7F3932
.text:007F3B7D                         ; ---------------------------------------------------------------------------
.text:007F3B82 8D B6 00 00 00 00                       align 8
.text:007F3B88
.text:007F3B88                         loc_7F3B88:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+105j
.text:007F3B88 A1 3C 75 F8 00                          mov     eax, ds:gameeventmanager
.text:007F3B8D 8B 10                                   mov     edx, [eax]
.text:007F3B8F C7 44 24 0C 00 00 00 00                 mov     dword ptr [esp+0Ch], 0
.text:007F3B97 C7 44 24 08 00 00 00 00                 mov     dword ptr [esp+8], 0
.text:007F3B9F C7 44 24 04 4E FA C6 00                 mov     dword ptr [esp+4], offset aTongue_broke_b ; "tongue_broke_bent"
.text:007F3BA7 89 04 24                                mov     [esp], eax
.text:007F3BAA FF 52 1C                                call    dword ptr [edx+1Ch]
.text:007F3BAD 85 C0                                   test    eax, eax
.text:007F3BAF 89 C2                                   mov     edx, eax
.text:007F3BB1 74 50                                   jz      short loc_7F3C03
.text:007F3BB3 8B 00                                   mov     eax, [eax]
.text:007F3BB5 8B 7F 30                                mov     edi, [edi+30h]
.text:007F3BB8 8B 40 30                                mov     eax, [eax+30h]
.text:007F3BBB 89 45 E4                                mov     [ebp+var_1C], eax
.text:007F3BBE A1 64 75 F8 00                          mov     eax, ds:engine
.text:007F3BC3 8B 08                                   mov     ecx, [eax]
.text:007F3BC5 89 55 E0                                mov     [ebp+var_20], edx
.text:007F3BC8 89 7C 24 04                             mov     [esp+4], edi
.text:007F3BCC 89 04 24                                mov     [esp], eax
.text:007F3BCF FF 51 40                                call    dword ptr [ecx+40h]
.text:007F3BD2 8B 55 E0                                mov     edx, [ebp+var_20]
.text:007F3BD5 C7 44 24 04 CD 64 CC 00                 mov     dword ptr [esp+4], offset aUserid ; "userid"
.text:007F3BDD 89 44 24 08                             mov     [esp+8], eax
.text:007F3BE1 89 14 24                                mov     [esp], edx
.text:007F3BE4 FF 55 E4                                call    [ebp+var_1C]
.text:007F3BE7 A1 3C 75 F8 00                          mov     eax, ds:gameeventmanager
.text:007F3BEC 8B 55 E0                                mov     edx, [ebp+var_20]
.text:007F3BEF 8B 08                                   mov     ecx, [eax]
.text:007F3BF1 C7 44 24 08 00 00 00 00                 mov     dword ptr [esp+8], 0
.text:007F3BF9 89 54 24 04                             mov     [esp+4], edx
.text:007F3BFD 89 04 24                                mov     [esp], eax
.text:007F3C00 FF 51 20                                call    dword ptr [ecx+20h]
.text:007F3C03
.text:007F3C03                         loc_7F3C03:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+2B1j
.text:007F3C03 8B 03                                   mov     eax, [ebx]
.text:007F3C05 C7 44 24 08 4C FF C6 00                 mov     dword ptr [esp+8], offset aTongueBrokeBec ; "Tongue broke because we left the ground"...
.text:007F3C0D
.text:007F3C0D                         loc_7F3C0D:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+3BDj
.text:007F3C0D                                                                 ; CTongue::OnUpdateAttachedToTargetState(void)+458j
.text:007F3C0D 89 74 24 04                             mov     [esp+4], esi
.text:007F3C11 89 1C 24                                mov     [esp], ebx
.text:007F3C14 FF 90 90 03 00 00                       call    dword ptr [eax+390h]
.text:007F3C1A 89 1C 24                                mov     [esp], ebx
.text:007F3C1D C7 44 24 04 04 00 00 00                 mov     dword ptr [esp+4], 4
.text:007F3C25 E8 46 D4 FF FF                          call    _ZN7CTongue16State_TransitionE11TongueState ; CTongue::State_Transition(TongueState)
.text:007F3C2A 83 C4 6C                                add     esp, 6Ch
.text:007F3C2D 5B                                      pop     ebx
.text:007F3C2E 5E                                      pop     esi
.text:007F3C2F 5F                                      pop     edi
.text:007F3C30 5D                                      pop     ebp
.text:007F3C31 C3                                      retn
.text:007F3C31                         ; ---------------------------------------------------------------------------
.text:007F3C32 8D B6 00 00 00 00                       align 8
.text:007F3C38
.text:007F3C38                         loc_7F3C38:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+112j
.text:007F3C38 A1 3C 75 F8 00                          mov     eax, ds:gameeventmanager
.text:007F3C3D 8B 10                                   mov     edx, [eax]
.text:007F3C3F C7 44 24 0C 00 00 00 00                 mov     dword ptr [esp+0Ch], 0
.text:007F3C47 C7 44 24 08 00 00 00 00                 mov     dword ptr [esp+8], 0
.text:007F3C4F C7 44 24 04 4E FA C6 00                 mov     dword ptr [esp+4], offset aTongue_broke_b ; "tongue_broke_bent"
.text:007F3C57 89 04 24                                mov     [esp], eax
.text:007F3C5A FF 52 1C                                call    dword ptr [edx+1Ch]
.text:007F3C5D 85 C0                                   test    eax, eax
.text:007F3C5F 89 C2                                   mov     edx, eax
.text:007F3C61 74 50                                   jz      short loc_7F3CB3
.text:007F3C63 8B 00                                   mov     eax, [eax]
.text:007F3C65 8B 7F 30                                mov     edi, [edi+30h]
.text:007F3C68 8B 40 30                                mov     eax, [eax+30h]
.text:007F3C6B 89 45 E4                                mov     [ebp+var_1C], eax
.text:007F3C6E A1 64 75 F8 00                          mov     eax, ds:engine
.text:007F3C73 8B 08                                   mov     ecx, [eax]
.text:007F3C75 89 55 E0                                mov     [ebp+var_20], edx
.text:007F3C78 89 7C 24 04                             mov     [esp+4], edi
.text:007F3C7C 89 04 24                                mov     [esp], eax
.text:007F3C7F FF 51 40                                call    dword ptr [ecx+40h]
.text:007F3C82 8B 55 E0                                mov     edx, [ebp+var_20]
.text:007F3C85 C7 44 24 04 CD 64 CC 00                 mov     dword ptr [esp+4], offset aUserid ; "userid"
.text:007F3C8D 89 44 24 08                             mov     [esp+8], eax
.text:007F3C91 89 14 24                                mov     [esp], edx
.text:007F3C94 FF 55 E4                                call    [ebp+var_1C]
.text:007F3C97 A1 3C 75 F8 00                          mov     eax, ds:gameeventmanager
.text:007F3C9C 8B 55 E0                                mov     edx, [ebp+var_20]
.text:007F3C9F 8B 08                                   mov     ecx, [eax]
.text:007F3CA1 C7 44 24 08 00 00 00 00                 mov     dword ptr [esp+8], 0
.text:007F3CA9 89 54 24 04                             mov     [esp+4], edx
.text:007F3CAD 89 04 24                                mov     [esp], eax
.text:007F3CB0 FF 51 20                                call    dword ptr [ecx+20h]
.text:007F3CB3
.text:007F3CB3                         loc_7F3CB3:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+361j
.text:007F3CB3 8B 03                                   mov     eax, [ebx]
.text:007F3CB5 C7 44 24 08 78 FF C6 00                 mov     dword ptr [esp+8], offset aTongueBrokeB_0 ; "Tongue broke because victim is on a mov"...
.text:007F3CBD E9 4B FF FF FF                          jmp     loc_7F3C0D
.text:007F3CBD                         ; ---------------------------------------------------------------------------
.text:007F3CC2 8D B6 00 00 00 00                       align 8
.text:007F3CC8
.text:007F3CC8                         loc_7F3CC8:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+13Cj
.text:007F3CC8 8B 42 04                                mov     eax, [edx+4]
.text:007F3CCB 85 C0                                   test    eax, eax
.text:007F3CCD 0F 84 6F FD FF FF                       jz      loc_7F3A42
.text:007F3CD3 A1 3C 75 F8 00                          mov     eax, ds:gameeventmanager
.text:007F3CD8 8B 10                                   mov     edx, [eax]
.text:007F3CDA C7 44 24 0C 00 00 00 00                 mov     dword ptr [esp+0Ch], 0
.text:007F3CE2 C7 44 24 08 00 00 00 00                 mov     dword ptr [esp+8], 0
.text:007F3CEA C7 44 24 04 4E FA C6 00                 mov     dword ptr [esp+4], offset aTongue_broke_b ; "tongue_broke_bent"
.text:007F3CF2 89 04 24                                mov     [esp], eax
.text:007F3CF5 FF 52 1C                                call    dword ptr [edx+1Ch]
.text:007F3CF8 85 C0                                   test    eax, eax
.text:007F3CFA 89 C2                                   mov     edx, eax
.text:007F3CFC 74 50                                   jz      short loc_7F3D4E
.text:007F3CFE 8B 00                                   mov     eax, [eax]
.text:007F3D00 8B 7F 30                                mov     edi, [edi+30h]
.text:007F3D03 8B 40 30                                mov     eax, [eax+30h]
.text:007F3D06 89 45 E4                                mov     [ebp+var_1C], eax
.text:007F3D09 A1 64 75 F8 00                          mov     eax, ds:engine
.text:007F3D0E 8B 08                                   mov     ecx, [eax]
.text:007F3D10 89 55 E0                                mov     [ebp+var_20], edx
.text:007F3D13 89 7C 24 04                             mov     [esp+4], edi
.text:007F3D17 89 04 24                                mov     [esp], eax
.text:007F3D1A FF 51 40                                call    dword ptr [ecx+40h]
.text:007F3D1D 8B 55 E0                                mov     edx, [ebp+var_20]
.text:007F3D20 C7 44 24 04 CD 64 CC 00                 mov     dword ptr [esp+4], offset aUserid ; "userid"
.text:007F3D28 89 44 24 08                             mov     [esp+8], eax
.text:007F3D2C 89 14 24                                mov     [esp], edx
.text:007F3D2F FF 55 E4                                call    [ebp+var_1C]
.text:007F3D32 A1 3C 75 F8 00                          mov     eax, ds:gameeventmanager
.text:007F3D37 8B 55 E0                                mov     edx, [ebp+var_20]
.text:007F3D3A 8B 08                                   mov     ecx, [eax]
.text:007F3D3C C7 44 24 08 00 00 00 00                 mov     dword ptr [esp+8], 0
.text:007F3D44 89 54 24 04                             mov     [esp+4], edx
.text:007F3D48 89 04 24                                mov     [esp], eax
.text:007F3D4B FF 51 20                                call    dword ptr [ecx+20h]
.text:007F3D4E
.text:007F3D4E                         loc_7F3D4E:                             ; CODE XREF: CTongue::OnUpdateAttachedToTargetState(void)+3FCj
.text:007F3D4E 8B 03                                   mov     eax, [ebx]
.text:007F3D50 C7 44 24 08 B0 FF C6 00                 mov     dword ptr [esp+8], offset aTongueBrokeB_1 ; "Tongue broke because victim is on the r"...
.text:007F3D58 E9 B0 FE FF FF                          jmp     loc_7F3C0D
.text:007F3D58                         ; ---------------------------------------------------------------------------
.
text:007F3D5D 8D 76 00                                align 10h
.text:007F3D60
.text:007F3D60                         loc_7F3D60:                             ; CODE XREFCTongue::OnUpdateAttachedToTargetState(void)+18Aj
.text:007F3D60 80 BB 6C 04 00 00 00                    cmp     byte ptr [ebx+46Ch], 0
.text:007F3D67 0F 85 2E FD FF FF                       jnz     loc_7F3A9B
.text:007F3D6D E9 1E FD FF FF                          jmp     loc_7F3A90
.text:007F3D6D                         ; ---------------------------------------------------------------------------
.
text:007F3D72 8D B6 00 00 00 00                       align 8
.text:007F3D78
.text:007F3D78                         loc_7F3D78:                             ; CODE XREFCTongue::OnUpdateAttachedToTargetState(void)+1B5j
.text:007F3D78 A1 3C 75 F8 00                          mov     eaxds:gameeventmanager
.text:007F3D7D 8B 10                                   mov     edx, [eax]
.
text:007F3D7F C7 44 24 0C 00 00 00 00                 mov     dword ptr [esp+0Ch], 0
.text:007F3D87 C7 44 24 08 00 00 00 00                 mov     dword ptr [esp+8], 0
.text:007F3D8F C7 44 24 04 4E FA C6 00                 mov     dword ptr [esp+4], offset aTongue_broke_b "tongue_broke_bent"
.text:007F3D97 89 04 24                                mov     [esp], eax
.text:007F3D9A FF 52 1C                                call    dword ptr [edx+1Ch]
.
text:007F3D9D 85 C0                                   test    eaxeax
.text:007F3D9F 89 C2                                   mov     edxeax
.text:007F3DA1 74 50                                   jz      short loc_7F3DF3
.text:007F3DA3 8B 00                                   mov     eax, [eax]
.
text:007F3DA5 8B 7F 30                                mov     edi, [edi+30h]
.
text:007F3DA8 8B 40 30                                mov     eax, [eax+30h]
.
text:007F3DAB 89 45 E4                                mov     [ebp+var_1C], eax
.text:007F3DAE A1 64 75 F8 00                          mov     eaxds:engine
.text:007F3DB3 8B 08                                   mov     ecx, [eax]
.
text:007F3DB5 89 55 E0                                mov     [ebp+var_20], edx
.text:007F3DB8 89 7C 24 04                             mov     [esp+4], edi
.text:007F3DBC 89 04 24                                mov     [esp], eax
.text:007F3DBF FF 51 40                                call    dword ptr [ecx+40h]
.
text:007F3DC2 8B 55 E0                                mov     edx, [ebp+var_20]
.
text:007F3DC5 C7 44 24 04 CD 64 CC 00                 mov     dword ptr [esp+4], offset aUserid "userid"
.text:007F3DCD 89 44 24 08                             mov     [esp+8], eax
.text:007F3DD1 89 14 24                                mov     [esp], edx
.text:007F3DD4 FF 55 E4                                call    [ebp+var_1C]
.
text:007F3DD7 A1 3C 75 F8 00                          mov     eaxds:gameeventmanager
.text:007F3DDC 8B 55 E0                                mov     edx, [ebp+var_20]
.
text:007F3DDF 8B 08                                   mov     ecx, [eax]
.
text:007F3DE1 C7 44 24 08 00 00 00 00                 mov     dword ptr [esp+8], 0
.text:007F3DE9 89 54 24 04                             mov     [esp+4], edx
.text:007F3DED 89 04 24                                mov     [esp], eax
.text:007F3DF0 FF 51 20                                call    dword ptr [ecx+20h]
.
text:007F3DF3
.text:007F3DF3                         loc_7F3DF3:                             ; CODE XREFCTongue::OnUpdateAttachedToTargetState(void)+4A1j
.text:007F3DF3 8B 03                                   mov     eax, [ebx]
.
text:007F3DF5 C7 44 24 04 E8 FF C6 00                 mov     dword ptr [esp+4], offset aTongueDroppi_1 "Tongue dropping because it bent too man"...
.
text:007F3DFD 89 1C 24                                mov     [esp], ebx
.text:007F3E00 FF 90 8C 03 00 00                       call    dword ptr [eax+38Ch]
.
text:007F3E06 8B 83 34 05 00 00                       mov     eax, [ebx+534h]
.
text:007F3E0C 85 C0                                   test    eaxeax
.text:007F3E0E 7E 64                                   jle     short loc_7F3E74
.text:007F3E10 8D 83 BC 04 00 00                       lea     eax, [ebx+4BCh]
.
text:007F3E16 89 75 E4                                mov     [ebp+var_1C], esi
.text:007F3E19 31 FF                                   xor     ediedi
.text:007F3E1B 89 C6                                   mov     esieax
.text:007F3E1D 8D 76 00                                lea     esi, [esi+0]
.
text:007F3E20
.text:007F3E20                         loc_7F3E20:                             ; CODE XREFCTongue::OnUpdateAttachedToTargetState(void)+56Fj
.text:007F3E20 8D 04 7F                                lea     eax, [edi+edi*2]
.
text:007F3E23 8B 13                                   mov     edx, [ebx]
.
text:007F3E25 8D 04 86                                lea     eax, [esi+eax*4]
.
text:007F3E28 F3 0F 10 40 08                          movss   xmm0dword ptr [eax+8]
.
text:007F3E2D 0F 5A C0                                cvtps2pd xmm0xmm0
.text:007F3E30 F2 0F 11 44 24 1C                       movsd   qword ptr [esp+1Ch], xmm0
.text:007F3E36 F3 0F 10 40 04                          movss   xmm0dword ptr [eax+4]
.
text:007F3E3B 0F 5A C0                                cvtps2pd xmm0xmm0
.text:007F3E3E F2 0F 11 44 24 14                       movsd   qword ptr [esp+14h], xmm0
.text:007F3E44 F3 0F 10 00                             movss   xmm0dword ptr [eax]
.
text:007F3E48 89 7C 24 08                             mov     [esp+8], edi
.text:007F3E4C 83 C7 01                                add     edi1
.text:007F3E4F 0F 5A C0                                cvtps2pd xmm0xmm0
.text:007F3E52 C7 44 24 04 60 FA C6 00                 mov     dword ptr [esp+4], offset unk_C6FA60
.text:007F3E5A F2 0F 11 44 24 0C                       movsd   qword ptr [esp+0Ch], xmm0
.text:007F3E60 89 1C 24                                mov     [esp], ebx
.text:007F3E63 FF 92 8C 03 00 00                       call    dword ptr [edx+38Ch]
.
text:007F3E69 39 BB 34 05 00 00                       cmp     [ebx+534h], edi
.text:007F3E6F 7F AF                                   jg      short loc_7F3E20
.text:007F3E71 8B 75 E4                                mov     esi, [ebp+var_1C]
.
text:007F3E74
.text:007F3E74                         loc_7F3E74:                             ; CODE XREFCTongue::OnUpdateAttachedToTargetState(void)+50Ej
.text:007F3E74 8B 03                                   mov     eax, [ebx]
.
text:007F3E76 F6 86 4D 01 00 00 08                    test    byte ptr [esi+14Dh], 8
.text:007F3E7D 8B B8 8C 03 00 00                       mov     edi, [eax+38Ch]
.
text:007F3E83 0F 85 1C 01 00 00                       jnz     loc_7F3FA5
.text:007F3E89 F3 0F 10 8E E8 02 00 00                 movss   xmm1dword ptr [esi+2E8h]
.
text:007F3E91 0F 5A C9                                cvtps2pd xmm1xmm1
.text:007F3E94
.text:007F3E94                         loc_7F3E94:                             ; CODE XREFCTongue::OnUpdateAttachedToTargetState(void)+6BFj
.text:007F3E94 F3 0F 10 86 E4 02 00 00                 movss   xmm0dword ptr [esi+2E4h]
.
text:007F3E9C 0F 5A C0                                cvtps2pd xmm0xmm0
.text:007F3E9F
.text:007F3E9F                         loc_7F3E9F:                             ; CODE XREFCTongue::OnUpdateAttachedToTargetState(void)+6E9j
.text:007F3E9F                                                                 CTongue::OnUpdateAttachedToTargetState(void)+706j
.text:007F3E9F F2 0F 11 4C 24 18                       movsd   qword ptr [esp+18h], xmm1
.text:007F3EA5 F2 0F 11 44 24 10                       movsd   qword ptr [esp+10h], xmm0
.text:007F3EAB F3 0F 10 86 E0 02 00 00                 movss   xmm0dword ptr [esi+2E0h]
.
text:007F3EB3 C7 44 24 04 78 FA C6 00                 mov     dword ptr [esp+4], offset aTargetIsAtFFF "Target is at %f %f %f"
.text:007F3EBB 0F 5A C0                                cvtps2pd xmm0xmm0
.text:007F3EBE 89 1C 24                                mov     [esp], ebx
.text:007F3EC1 F2 0F 11 44 24 08                       movsd   qword ptr [esp+8], xmm0
.text:007F3EC7 FF D7                                   call    edi
.text:007F3EC9 C7 44 24 04 04 00 00 00                 mov     dword ptr [esp+4], 4
.text:007F3ED1 89 1C 24                                mov     [esp], ebx
.text:007F3ED4 E8 97 D1 FF FF                          call    _ZN7CTongue16State_TransitionE11TongueState CTongue::State_Transition(TongueState)
.
text:007F3ED9 E9 54 FA FF FF                          jmp     loc_7F3932
.text:007F3EDE                         ; ---------------------------------------------------------------------------
.
text:007F3EDE
.text:007F3EDE                         loc_7F3EDE:                             ; CODE XREFCTongue::OnUpdateAttachedToTargetState(void)+1C5j
.text:007F3EDE 8B 07                                   mov     eax, [edi]
.
text:007F3EE0 89 3C 24                                mov     [esp], edi
.text:007F3EE3 FF 90 74 07 00 00                       call    dword ptr [eax+774h]
.
text:007F3EE9 84 C0                                   test    alal
.text:007F3EEB 0F 85 DA FB FF FF                       jnz     loc_7F3ACB
.text:007F3EF1 F6 87 D1 1C 00 00 08                    test    byte ptr [edi+1CD1h], 8
.text:007F3EF8 0F 84 CD FB FF FF                       jz      loc_7F3ACB
.text:007F3EFE 8B 03                                   mov     eax, [ebx]
.
text:007F3F00 C7 44 24 04 18 00 C7 00                 mov     dword ptr [esp+4], offset aTongueDroppi_2 "Tongue dropping because we released it."
.text:007F3F08 E9 70 FA FF FF                          jmp     loc_7F397D
.text:007F3F0D                         ; ---------------------------------------------------------------------------
.
text:007F3F0D
.text:007F3F0D                         loc_7F3F0D:                             ; CODE XREFCTongue::OnUpdateAttachedToTargetState(void)+1A5j
.text:007F3F0D A1 3C 75 F8 00                          mov     eaxds:gameeventmanager
.text:007F3F12 8B 10                                   mov     edx, [eax]
.
text:007F3F14 C7 44 24 0C 00 00 00 00                 mov     dword ptr [esp+0Ch], 0
.text:007F3F1C C7 44 24 08 00 00 00 00                 mov     dword ptr [esp+8], 0
.text:007F3F24 C7 44 24 04 4E FA C6 00                 mov     dword ptr [esp+4], offset aTongue_broke_b "tongue_broke_bent"
.text:007F3F2C 89 04 24                                mov     [esp], eax
.text:007F3F2F FF 52 1C                                call    dword ptr [edx+1Ch]
.
text:007F3F32 85 C0                                   test    eaxeax
.text:007F3F34 89 C6                                   mov     esieax
.text:007F3F36 0F 84 4A FA FF FF                       jz      loc_7F3986
.text:007F3F3C 8B 00                                   mov     eax, [eax]
.
text:007F3F3E 8B 4F 30                                mov     ecx, [edi+30h]
.
text:007F3F41 8B 40 30                                mov     eax, [eax+30h]
.
text:007F3F44 89 45 E4                                mov     [ebp+var_1C], eax
.text:007F3F47 A1 64 75 F8 00                          mov     eaxds:engine
.text:007F3F4C 8B 10                                   mov     edx, [eax]
.
text:007F3F4E 89 4C 24 04                             mov     [esp+4], ecx
.text:007F3F52 89 04 24                                mov     [esp], eax
.text:007F3F55 FF 52 40                                call    dword ptr [edx+40h]
.
text:007F3F58 C7 44 24 04 CD 64 CC 00                 mov     dword ptr [esp+4], offset aUserid "userid"
.text:007F3F60 89 44 24 08                             mov     [esp+8], eax
.text:007F3F64 89 34 24                                mov     [esp], esi
.text:007F3F67 FF 55 E4                                call    [ebp+var_1C]
.
text:007F3F6A A1 3C 75 F8 00                          mov     eaxds:gameeventmanager
.text:007F3F6F 8B 10                                   mov     edx, [eax]
.
text:007F3F71 C7 44 24 08 00 00 00 00                 mov     dword ptr [esp+8], 0
.text:007F3F79 89 74 24 04                             mov     [esp+4], esi
.text:007F3F7D 89 04 24                                mov     [esp], eax
.text:007F3F80 FF 52 20                                call    dword ptr [edx+20h]
.
text:007F3F83 E9 FE F9 FF FF                          jmp     loc_7F3986
.text:007F3F88                         ; ---------------------------------------------------------------------------
.
text:007F3F88
.text:007F3F88                         loc_7F3F88:                             ; CODE XREFCTongue::OnUpdateAttachedToTargetState(void)+1FAj
.text:007F3F88 C7 44 24 04 01 00 00 00                 mov     dword ptr [esp+4], bool
.text:007F3F90 89 34 24                                mov     [esp], esi      this
.text:007F3F93 E8 E8 F7 FF FF                          call    _ZN13CTerrorPlayer21NotifyTongueIsPullingEb CTerrorPlayer::NotifyTongueIsPulling(bool)
.
text:007F3F98 F3 0F 10 83 50 05 00 00                 movss   xmm0dword ptr [ebx+550h]
.
text:007F3FA0 E9 5B FB FF FF                          jmp     loc_7F3B00
.text:007F3FA5                         ; ---------------------------------------------------------------------------
.
text:007F3FA5
.text:007F3FA5                         loc_7F3FA5:                             ; CODE XREFCTongue::OnUpdateAttachedToTargetState(void)+583j
.text:007F3FA5 89 34 24                                mov     [esp], esi      this
.text:007F3FA8 E8 B3 9B DD FF                          call    _ZN11CBaseEntity20CalcAbsolutePositionEv CBaseEntity::CalcAbsolutePosition(void)
.
text:007F3FAD F6 86 4D 01 00 00 08                    test    byte ptr [esi+14Dh], 8
.text:007F3FB4 F3 0F 10 8E E8 02 00 00                 movss   xmm1dword ptr [esi+2E8h]
.
text:007F3FBC 0F 5A C9                                cvtps2pd xmm1xmm1
.text:007F3FBF 0F 84 CF FE FF FF                       jz      loc_7F3E94
.text:007F3FC5 F2 0F 11 4D C8                          movsd   [ebp+var_38], xmm1
.text:007F3FCA 89 34 24                                mov     [esp], esi      this
.text:007F3FCD E8 8E 9B DD FF                          call    _ZN11CBaseEntity20CalcAbsolutePositionEv CBaseEntity::CalcAbsolutePosition(void)
.
text:007F3FD2 F6 86 4D 01 00 00 08                    test    byte ptr [esi+14Dh], 8
.text:007F3FD9 F3 0F 10 86 E4 02 00 00                 movss   xmm0dword ptr [esi+2E4h]
.
text:007F3FE1 0F 5A C0                                cvtps2pd xmm0xmm0
.text:007F3FE4 F2 0F 10 4D C8                          movsd   xmm1, [ebp+var_38]
.
text:007F3FE9 0F 84 B0 FE FF FF                       jz      loc_7F3E9F
.text:007F3FEF F2 0F 11 45 B8                          movsd   [ebp+var_48], xmm0
.text:007F3FF4 89 34 24                                mov     [esp], esi      this
.text:007F3FF7 E8 64 9B DD FF                          call    _ZN11CBaseEntity20CalcAbsolutePositionEv CBaseEntity::CalcAbsolutePosition(void)
.
text:007F3FFC F2 0F 10 4D C8                          movsd   xmm1, [ebp+var_38]
.
text:007F4001 F2 0F 10 45 B8                          movsd   xmm0, [ebp+var_48]
.
text:007F4006 E9 94 FE FF FF                          jmp     loc_7F3E9F
.text:007F400B                         ; ---------------------------------------------------------------------------
.
text:007F400B
.text:007F400B                         loc_7F400B:                             ; CODE XREFCTongue::OnUpdateAttachedToTargetState(void)+234j
.text:007F400B 80 4B 70 01                             or      byte ptr [ebx+70h], 1
.text:007F400F E9 49 FB FF FF                          jmp     loc_7F3B5D
.text:007F400F                         _ZN7CTongue29OnUpdateAttachedToTargetStateEv endp
.text:007F400F
.text:007F400F                         ; --------------------------------------------------------------------------- 
__________________

Last edited by Spirit_12; 09-09-2018 at 21:51.
nosoop
Veteran Member
Join Date: Aug 2014
Old 09-09-2018 , 21:57   Re: Skip an instruction?
Reply With Quote #9

Quote:
Originally Posted by Spirit_12
All I'm doing to NOP is changing the first byte of the instruction to 90. Am I supposed to change all the bytes?
Thank you for the explanation.
Yes; NOP consumes no other bytes, so it reads the next byte as an instruction.

Also, since I cracked open IDA to see what you're actually looking at, patch 007F39F8 to use an unconditional jump and skip all three event calls. Pretty sure you can do one of the following:
  • NOP the first byte then JMP on second
  • Patch the near jump to use JNO so it always jumps (only requires modification of the second byte)
Spoke too soon; didn't see the entity check after the second branch. Unless you want to do a jump straight to that branch, just NOP the jumps.

Last edited by nosoop; 09-09-2018 at 23:11. Reason: tone
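An added example, not code from this thread, from SourceMod or from the game binary, that puts the three options above into a runnable form: it resolves where a relative jump in the listing actually lands (so the disassembly can be cross-checked before touching it), builds the NOP-everything, NOP+JMP and JNO replacements for a near Jcc, and refuses to write a patch unless the bytes at the site are exactly the ones that were disassembled. It assumes 32-bit x86 encodings only; the sample bytes and addresses are copied from the listing in this thread, but the image buffer is constructed here and is not the real server binary.

```python
"""
Added example (not from the thread): patch helpers for x86-32 relative jumps.

Assumed encodings: Jcc rel8 = 7x cb, JMP rel8 = EB cb, Jcc rel32 = 0F 8x cd,
JMP rel32 = E9 cd, NOP = 90. Sample bytes/addresses come from the listing
above; IMAGE below is a constructed buffer, not the real binary.
"""
import struct

NOP = 0x90


def jump_target(addr: int, insn: bytes) -> int:
    """Return the destination of the relative jump `insn` located at `addr`.
    Raises ValueError for anything that is not a relative jump."""
    op = insn[0]
    if (0x70 <= op <= 0x7F or op == 0xEB) and len(insn) >= 2:
        length, rel = 2, struct.unpack("<b", insn[1:2])[0]
    elif op == 0xE9 and len(insn) >= 5:
        length, rel = 5, struct.unpack("<i", insn[1:5])[0]
    elif op == 0x0F and len(insn) >= 6 and 0x80 <= insn[1] <= 0x8F:
        length, rel = 6, struct.unpack("<i", insn[2:6])[0]
    else:
        raise ValueError(f"not a relative jump: {insn.hex()}")
    # The displacement is relative to the end of the jump instruction itself.
    return (addr + length + rel) & 0xFFFFFFFF


def never_taken(insn: bytes) -> bytes:
    """Make the jump fall through: one NOP per byte of the original.
    NOPing only the first byte leaves the tail to be decoded as new code;
    for 0F 84 6F FD FF FF that tail is 84 6F FD (test [edi-3], ch)
    followed by FF FF, which is an invalid opcode."""
    jump_target(0, insn)  # validate the encoding before replacing it
    return bytes([NOP]) * len(insn)


def always_taken(insn: bytes) -> bytes:
    """Make a conditional jump unconditional, same length and same target.
    rel8:  7x cb     -> EB cb
    rel32: 0F 8x cd  -> 90 E9 cd  (NOP, then JMP rel32; the displacement is
           unchanged because both instructions end at the same address)."""
    if 0x70 <= insn[0] <= 0x7F and len(insn) == 2:
        return bytes([0xEB]) + insn[1:]
    if insn[0] == 0x0F and 0x80 <= insn[1] <= 0x8F and len(insn) == 6:
        return bytes([NOP, 0xE9]) + insn[2:]
    raise ValueError(f"not a conditional jump: {insn.hex()}")


def always_taken_jno(insn: bytes) -> bytes:
    """The one-byte variant: change the near Jcc opcode to JNO (0F 81).
    Caveat: JNO only jumps while OF is clear. TEST/AND/OR/XOR always clear
    OF, so after `test eax, eax` this is unconditional; after CMP/SUB/ADD
    it is not, and the NOP+JMP form should be used instead."""
    if insn[0] == 0x0F and 0x80 <= insn[1] <= 0x8F and len(insn) == 6:
        return bytes([0x0F, 0x81]) + insn[2:]
    raise ValueError(f"not a near conditional jump: {insn.hex()}")


def apply_patch(image: bytearray, offset: int, expected: bytes, replacement: bytes) -> None:
    """Write `replacement` at `offset` only if the bytes there are exactly the
    ones that were disassembled, so a different build fails loudly instead
    of being silently corrupted."""
    if len(expected) != len(replacement):
        raise ValueError("replacement must keep the instruction length")
    actual = bytes(image[offset:offset + len(expected)])
    if actual != expected:
        raise ValueError(f"signature mismatch at {offset:#x}: {actual.hex()} != {expected.hex()}")
    image[offset:offset + len(replacement)] = replacement


# Constructed image: the bytes at 007F3CC8..007F3CD2 from the listing
# (mov eax, [edx+4]; test eax, eax; jz loc_7F3A42), loaded at 007F3CC8.
IMAGE_BASE = 0x007F3CC8
IMAGE = bytes.fromhex("8B 42 04 85 C0 0F 84 6F FD FF FF")
JZ_ADDR = 0x007F3CCD
JZ_BYTES = bytes.fromhex("0F 84 6F FD FF FF")


def patch_listing_site(mode: str = "never") -> bytes:
    """Patch the jz at 007F3CCD in the constructed image and return the result.
    mode is "never" (all NOPs) or "always" (NOP + JMP rel32)."""
    image = bytearray(IMAGE)
    new = never_taken(JZ_BYTES) if mode == "never" else always_taken(JZ_BYTES)
    apply_patch(image, JZ_ADDR - IMAGE_BASE, JZ_BYTES, new)
    return bytes(image)


if __name__ == "__main__":
    print(f"jz at {JZ_ADDR:#x} -> {jump_target(JZ_ADDR, JZ_BYTES):#x}")  # loc_7F3A42
    print("never taken :", patch_listing_site("never").hex(" "))
    print("always taken:", patch_listing_site("always").hex(" "))
```

The signature check in `apply_patch` is the step worth keeping when this is done from a plugin rather than a hex editor: a game update moves the function, and a patch that is applied without confirming the original bytes corrupts whatever now lives at that offset.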
Spirit_12
Veteran Member
Join Date: Dec 2012
Location: Toronto, CA
Old 09-10-2018 , 03:28   Re: Skip an instruction?
Reply With Quote #10

Thanks to everyone for their input. I was able to make it work today and considering this was my first binary patch. It feels pretty good.

For the ones interested I just NOP the jump and things sailed smoothly.
__________________

Last edited by Spirit_12; 09-10-2018 at 11:22.