Port 59NL server patches to 59NJ (pt. 1)
This commit is contained in:
committed by
Martin Michelsen
parent
b8e7d81a22
commit
a57cca6c12
@@ -0,0 +1,44 @@
|
||||
# (uint16_t entity_id @ eax) -> TObjectV00b421c0* @ eax
|
||||
# Preserves all registers except eax
|
||||
get_enemy_entity:
|
||||
push esi
|
||||
push edi
|
||||
push edx
|
||||
push ecx
|
||||
xor edx, edx
|
||||
xchg edx, eax
|
||||
cmp edx, 0x1000
|
||||
jl done
|
||||
cmp edx, 0x4000
|
||||
jge done
|
||||
|
||||
mov esi, [0x00AABCE8] # bs_low = next_player_entity_index
|
||||
mov edi, [0x00AABCE4]
|
||||
lea edi, [edi + esi - 1] # bs_high = next_player_entity_index + next_enemy_entity_index - 1
|
||||
bs_again:
|
||||
cmp esi, edi
|
||||
jge bs_done
|
||||
lea ecx, [esi + edi]
|
||||
shr ecx, 1
|
||||
mov eax, [ecx * 4 + 0x00AAB2A0] # all_entities[ecx]
|
||||
cmp [eax + 0x1C], dx
|
||||
jge bs_not_less
|
||||
lea esi, [ecx + 1]
|
||||
jmp bs_again
|
||||
bs_not_less:
|
||||
mov edi, ecx
|
||||
jmp bs_again
|
||||
bs_done:
|
||||
|
||||
mov eax, [esi * 4 + 0x00AAB2A0] # all_entities[bs_low]
|
||||
test eax, eax
|
||||
je done
|
||||
xor ecx, ecx
|
||||
cmp [eax + 0x1C], dx
|
||||
cmovne eax, ecx
|
||||
|
||||
done:
|
||||
pop ecx
|
||||
pop edx
|
||||
pop edi
|
||||
pop esi
|
||||
@@ -0,0 +1,42 @@
|
||||
# This file defines the following function:
|
||||
# write_address_of_code(
|
||||
# const void* patch_code,
|
||||
# size_t patch_code_size,
|
||||
# void** ptr_addr);
|
||||
# This function allocates memory for patch_code, copies patch_code to that
|
||||
# memory, then writes the address of the allocated code at the specified
|
||||
# pointer. The allocated memory is never freed.
|
||||
# This function pops its arguments off the stack before returning.
|
||||
|
||||
write_call_to_code:
|
||||
# [esp + 0x04] = code ptr
|
||||
# [esp + 0x08] = code size
|
||||
# [esp + 0x0C] = ptr addr
|
||||
|
||||
# Allocate memory for the copied code
|
||||
mov ecx, [0x00AA8F84]
|
||||
push dword [esp + 0x08]
|
||||
mov eax, 0x007A984C
|
||||
call eax # malloc7
|
||||
test eax, eax
|
||||
je done
|
||||
|
||||
# Copy the code to the newly-allocated memory
|
||||
# eax = dest pointer (from malloc7 call above)
|
||||
mov edx, [esp + 0x04] # edx = source pointer
|
||||
mov ecx, [esp + 0x08] # ecx = source size
|
||||
push ebx
|
||||
memcpy_again:
|
||||
dec ecx
|
||||
mov bl, [edx + ecx] # Copy one byte from source to dest
|
||||
mov [eax + ecx], bl
|
||||
test ecx, ecx
|
||||
jne memcpy_again
|
||||
pop ebx
|
||||
|
||||
# Write the address
|
||||
mov ecx, [esp + 0x0C]
|
||||
mov [ecx], eax
|
||||
|
||||
done:
|
||||
ret 0x0C
|
||||
@@ -0,0 +1,76 @@
|
||||
# This file defines the following function:
|
||||
# write_call_to_code(
|
||||
# const void* patch_code,
|
||||
# size_t patch_code_size,
|
||||
# void* call_opcode_address,
|
||||
# ssize_t call_opcode_bytes);
|
||||
# This function allocates memory for patch_code, copies patch_code to that
|
||||
# memory, then writes a call or jmp opcode to call_opcode_address that calls
|
||||
# the code in the allocated memory region. The allocated memory is never freed.
|
||||
# call_opcode_bytes specifies how many bytes at the callsite should be
|
||||
# overwritten. This value must be at least 5; the first 5 bytes are overwritten
|
||||
# with the call/jmp opcode itself; the rest are overwritten with nop opcodes.
|
||||
# If call_opcode_bytes is positive, a call opcode is written; if it's negative,
|
||||
# a jmp opcode is written.
|
||||
# This function pops its arguments off the stack before returning.
|
||||
|
||||
write_call_to_code:
|
||||
# [esp + 0x04] = code ptr
|
||||
# [esp + 0x08] = code size
|
||||
# [esp + 0x0C] = jump callsite
|
||||
# [esp + 0x10] = callsite size (if zero, write the address instead of a call)
|
||||
|
||||
# Allocate memory for the copied code
|
||||
mov ecx, [0x00AA8F84]
|
||||
push dword [esp + 0x08]
|
||||
mov eax, 0x007A984C
|
||||
call eax # malloc7
|
||||
test eax, eax
|
||||
je done
|
||||
|
||||
# Copy the code to the newly-allocated memory
|
||||
# eax = dest pointer (from malloc7 call above)
|
||||
mov edx, [esp + 0x04] # edx = source pointer
|
||||
mov ecx, [esp + 0x08] # ecx = source size
|
||||
push ebx
|
||||
memcpy_again:
|
||||
dec ecx
|
||||
mov bl, [edx + ecx] # Copy one byte from source to dest
|
||||
mov [eax + ecx], bl
|
||||
test ecx, ecx
|
||||
jne memcpy_again
|
||||
pop ebx
|
||||
|
||||
mov edx, [esp + 0x0C] # edx = jump callsite
|
||||
|
||||
# If the callsite size is zero, just write the address directly
|
||||
cmp dword [esp + 0x10], 0
|
||||
jne write_call_or_jmp
|
||||
mov [edx], eax
|
||||
jmp done
|
||||
|
||||
# Write the call or jmp opcode
|
||||
write_call_or_jmp:
|
||||
lea ecx, [eax - 5]
|
||||
sub ecx, edx # ecx = (dest code addr) - (jump callsite) - 5
|
||||
cmp dword [esp + 0x10], 0
|
||||
setl al
|
||||
or al, 0xE8
|
||||
mov [edx], al # Write E8 (call), or E9 (jmp) if size was negative
|
||||
mov [edx + 1], ecx # Write delta
|
||||
|
||||
# Write as many nops after the call opcode as necessary
|
||||
mov ecx, 5
|
||||
mov eax, [esp + 0x10]
|
||||
cmp eax, 0
|
||||
jge write_nop_again
|
||||
neg eax
|
||||
write_nop_again:
|
||||
cmp ecx, eax
|
||||
jge done
|
||||
mov byte [edx + ecx], 0x90
|
||||
inc ecx
|
||||
jmp write_nop_again
|
||||
|
||||
done:
|
||||
ret 0x10
|
||||
@@ -0,0 +1,83 @@
|
||||
# This file defines the following function:
|
||||
# void [/std] write_call_to_code(
|
||||
# const void* patch_code @ [esp + 0x04],
|
||||
# size_t patch_code_size @ [esp + 0x08],
|
||||
# size_t call_count @ [esp + 0x0C],
|
||||
# void* call_opcode_address @ [esp + 0x10],
|
||||
# ssize_t call_opcode_bytes @ [esp + 0x14],
|
||||
# ...);
|
||||
# This function allocates memory for patch_code, copies patch_code to that
|
||||
# memory, then writes a call or jmp opcode to call_opcode_address that calls
|
||||
# the code in the allocated memory region. The allocated memory is never freed.
|
||||
# call_opcode_bytes specifies how many bytes at the callsite should be
|
||||
# overwritten. This value must be at least 5; the first 5 bytes are overwritten
|
||||
# with the call/jmp opcode itself; the rest are overwritten with nop opcodes.
|
||||
# This function pops its arguments off the stack before returning (including
|
||||
# all the varargs).
|
||||
|
||||
write_call_to_code:
|
||||
# [esp + 0x04] = code ptr
|
||||
# [esp + 0x08] = code size
|
||||
# [esp + 0x0C] = callsite count
|
||||
# [esp + 0x10] = callsite address
|
||||
# [esp + 0x14] = callsite size
|
||||
# ... (further callsite address/size pairs)
|
||||
|
||||
# Allocate memory for the copied code
|
||||
mov ecx, [0x00AA8F84]
|
||||
push dword [esp + 0x08]
|
||||
mov eax, 0x007A984C
|
||||
call eax # malloc7
|
||||
test eax, eax
|
||||
je done
|
||||
|
||||
# Copy the code to the newly-allocated memory
|
||||
# eax = dest pointer (from malloc7 call above)
|
||||
mov edx, [esp + 0x04] # edx = source pointer
|
||||
mov ecx, [esp + 0x08] # ecx = source size
|
||||
push ebx
|
||||
memcpy_again:
|
||||
dec ecx
|
||||
mov bl, [edx + ecx] # Copy one byte from source to dest
|
||||
mov [eax + ecx], bl
|
||||
test ecx, ecx
|
||||
jne memcpy_again
|
||||
pop ebx
|
||||
|
||||
# Write the call opcodes
|
||||
xchg ebx, [esp + 0x0C] # Save ebx; get callsite count
|
||||
mov [esp - 0x08], esi
|
||||
mov [esp - 0x0C], eax
|
||||
mov esi, 0x10 # Stack offset of first callsite pair
|
||||
|
||||
next_callsite:
|
||||
mov edx, [esp + esi] # edx = jump callsite
|
||||
lea ecx, [eax - 5]
|
||||
sub ecx, edx # ecx = (dest code addr) - (jump callsite) - 5
|
||||
mov byte [edx], 0xE8
|
||||
mov [edx + 1], ecx # Write E8 (call) followed by delta
|
||||
|
||||
# Write as many nops after the call opcode as necessary
|
||||
mov ecx, 5
|
||||
mov eax, [esp + esi + 4]
|
||||
write_nop_again:
|
||||
cmp ecx, eax
|
||||
jge this_callsite_done
|
||||
mov byte [edx + ecx], 0x90
|
||||
inc ecx
|
||||
jmp write_nop_again
|
||||
|
||||
this_callsite_done:
|
||||
mov eax, [esp - 0x0C]
|
||||
add esi, 8
|
||||
dec ebx
|
||||
jnz next_callsite
|
||||
|
||||
mov ecx, esi
|
||||
mov ebx, [esp + 0x0C]
|
||||
mov esi, [esp - 0x08]
|
||||
|
||||
done:
|
||||
mov eax, [esp]
|
||||
add esp, ecx
|
||||
jmp eax
|
||||
Reference in New Issue
Block a user