trixnz / justfov

Just Cause 3 FOV Patcher
MIT License

Broke again - patch 1.05 #15

Closed methodbox closed 4 years ago

methodbox commented 8 years ago

Fuck this game.

But please update the patch. I'm going to actually see if I can figure out this code this time.

xforce commented 8 years ago

Address of the CameraManager: 142ED0E20
Address of the SetFov call: 143AEFF41

I currently can't make a PR and test it if the offsets for the CameraManager are still correct, I assume they are as they have not changed in the last update.

If there is no PR later, I will do a PR when I can later today/tomorrow.

methodbox commented 8 years ago

@xforce

Can you tell me how you find what needs to be targeted? Is this using some kind of C# or VB script?

I understand the basics of compiling C# but as to how you're able to identify what needs to change I'm lost.

I usually develop in JS for Nodejs.

xforce commented 8 years ago

In https://github.com/trixnz/justfov/blob/master/JustFOV/Model.cs#L173 you find 2 addresses: one is the CameraManager and the other is a call to SetFov in the game. Every time a new update is released those addresses change. Last time I updated this I added some comments to help others find the updated addresses easily using IDA Pro.

So the usual step is to dump the running game using some dump tool (I usually use Scylla), then open the dump in IDA Pro and search for the sequence in the comments. Fortunately the patterns still worked this time around, so the update is easy (but this can change in the next update, depending on what they change in the code). After updating the addresses in the Model.cs you just have to compile everything in Visual Studio and you are good to go.
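The two comment patterns in Model.cs are ordinary wildcard byte signatures, the same idea as a YARA hex string: fixed opcode bytes with `?` for the bytes that move between builds (RIP-relative displacements and call targets). Below is an added example, not code from justfov or from anyone in this thread, of how such a signature is scanned for and how a hit is turned into an address. It assumes a constructed 16-byte buffer standing in for a dump, with the `48 8B 05 FF 70 15 00` instruction copied from the x64dbg line posted later in this thread (so its resolved target can be checked against what x64dbg printed); the `E8 10 00 00 00` call, the base address and all function names are the example's own. The first pattern in Model.cs starts with `48 8B 05`, which is `mov rax, [rip+disp32]`, and the second starts with `E8`, which is `call rel32`; in both cases the target is the address of the next instruction plus the signed 32-bit operand. The example also insists on exactly one hit, because a signature that matches zero or several places in a new build is not usable and must be re-derived:

```python
import struct


def parse_pattern(pattern):
    """'48 8B 05 ? ? ? ?' -> list of int or None (None = one wildcard byte).
    Accepts both '?' and '??' as the wildcard token."""
    return [None if tok in ("?", "??") else int(tok, 16) for tok in pattern.split()]


def find_pattern(buf, pattern):
    """Every offset in buf where the signature matches (overlapping hits included)."""
    sig = parse_pattern(pattern)
    n = len(sig)
    hits = []
    for off in range(len(buf) - n + 1):
        if all(b is None or buf[off + i] == b for i, b in enumerate(sig)):
            hits.append(off)
    return hits


def find_unique(buf, pattern):
    """Offset of the single hit; 0 or >1 hits means the signature no longer identifies
    the code it was written for and has to be re-derived from the new build."""
    hits = find_pattern(buf, pattern)
    if len(hits) != 1:
        raise ValueError("pattern %r matched %d times, expected exactly 1" % (pattern, len(hits)))
    return hits[0]


def rip_relative_target(buf, base, off, operand_off, insn_len):
    """x86-64 RIP-relative addressing: target = address of the NEXT instruction
    + signed disp32/rel32 stored at off + operand_off."""
    disp = struct.unpack_from("<i", buf, off + operand_off)[0]
    return base + off + insn_len + disp


def resolve_mov_rax_rip(buf, base, pattern):
    """Pattern must start with '48 8B 05' (mov rax,[rip+disp32]): 7-byte insn, disp at +3."""
    off = find_unique(buf, pattern)
    return rip_relative_target(buf, base, off, 3, 7)


def resolve_call_rel32(buf, base, pattern):
    """Pattern must start with 'E8' (call rel32): 5-byte insn, rel32 at +1."""
    off = find_unique(buf, pattern)
    return rip_relative_target(buf, base, off, 1, 5)


# Constructed sample "dump": assumed base address plus 16 bytes of code.
BASE = 0x7FFA877B1300
SAMPLE = bytes.fromhex(
    "90 90 "                   # two nops, so the interesting insn is not at offset 0
    "48 8B 05 FF 70 15 00 "    # mov rax,[rip+0x1570FF]  (bytes from the x64dbg line in the thread)
    "E8 10 00 00 00 "          # call +0x10              (constructed)
    "CC CC"                    # int3 padding
)

if __name__ == "__main__":
    print("mov hits:", find_pattern(SAMPLE, "48 8B 05 ? ? ? ?"))
    print("mov target: %X" % resolve_mov_rax_rip(SAMPLE, BASE, "48 8B 05 ? ? ? ?"))
    print("call target: %X" % resolve_call_rel32(SAMPLE, BASE, "E8 ? ? ? ?"))
```

Running it, the `mov` resolves to `7FFA87908408`, which is exactly the operand x64dbg shows for that instruction (`7FFA877B1302 + 7 + 0x1570FF`), and the constructed call resolves to `7FFA877B131E`. Against a real dump the same functions run over the file bytes with the image base the dumper reports, and the full patterns from Model.cs (with their trailing context bytes) are what keep the hit count at one.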

methodbox commented 8 years ago

I got a dump file using Scylla in x64dbg but I have no idea what to do from here.

I found IDA Pro free, but it won't pull up x64 files.

But it looks like x64dbg has everything you need to find this, but I have no idea how to search for the memory address.

I'm assuming you need to find this hex pattern somehow, but I don't know where to look for it. Right now I have a bunch of hex addresses for who knows what in my dump, but I can't seem to search them.

Going by this:

    // So on the next update use this to find the address to CameraManager easily
    // Or use a dump in IDA look for the ctor of CCameraManager
    // 48 8B 05 ? ? ? ? F3 0F 10 05 ? ? ? ? 4D 89 C1 48 8B 90 ? ? ? ? 4C 8D 41 0C 31 C0
    // This is a IDA compatible pattern

    // This is the pattern for the SetFOV Call
    // E8 ? ? ? ? 0F 28 BC 24 ? ? ? ? 0F 28 B4 24 ? ? ? ? 48 8B 9C 24 ? ? ? ? 48 81 C4 ? ? ? ?

I'm assuming that hex pattern is supposed to help me find this:

    private readonly IntPtr _cameraManagerPtr = new IntPtr(0x142EBEBD0);
    private readonly IntPtr _setFovCall = new IntPtr(0x143ADAD71);

....but honestly I'm lost here. Any help would be greatly appreciated @xforce !

methodbox commented 8 years ago

Okay actually I figured out how to decompile it directly in x64dbg. Now I just need to find the FOV and camera manager.

methodbox commented 8 years ago

I found this in my dump, but every time I "attach" the exe process, the game closes so I don't really know if this is worth anything:

00007FFA877B1302 | 48 8B 05 FF 70 15 00     | mov rax,qword ptr ds:[7FFA87908408]                                                 |

Decompiled it looks like this:

uint8_t g7ffe0386;

void NtTraceEvent(int64_t rcx, int64_t rdx, int64_t r8, int64_t r9);

void fun_7ffa87845840();

void fun_7ffa877b12fb(int64_t rcx, int64_t rdx, int64_t r8, int64_t r9) {
    int64_t r11_5;
    int64_t r11_6;
    int64_t r11_7;
    int64_t r11_8;
    int64_t r11_9;
    int64_t v10;
    int64_t r11_11;
    int64_t rcx12;
    int64_t r11_13;

    *(int64_t*)(r11_5 - 64) = rdx;
    *(int64_t*)(r11_6 - 56) = r8;
    *(int64_t*)(r11_7 - 48) = r9;
    *(int16_t*)(r11_8 - 98) = 0x1c23;
    *(int64_t*)(r11_9 - 40) = v10;
    *(int64_t*)(r11_11 - 72) = rcx;
    *(uint32_t*)&rcx12 = static_cast<uint32_t>(g7ffe0386);
    *(int32_t*)((int64_t)&rcx12 + 4) = 0;
    NtTraceEvent(rcx12, 0x403, 40, r11_13 - 0x68);
    fun_7ffa87845840();
    return;
}

Which tells me nothing....

I also found:

Decompiled:


void RtlCopyMemory(int64_t rcx, void* rdx, int64_t r8);

void fun_7ffa87845840();

void RtlLargeIntegerToChar(uint64_t* rcx, int32_t edx, int32_t r8d, int64_t r9) {
    void* rsp5;
    int64_t r15_6;
    int32_t edi7;
    void* r14_8;
    uint64_t rax9;
    int64_t r8_10;
    void* rsi11;
    int64_t rsi12;
    int64_t r8_13;

    rsp5 = (void*)((int64_t)__zero_stack_offset() - 8 - 8 - 8 - 0x80);
    r15_6 = r9;
    edi7 = r8d;
    if (!edx) {
    }
    if (edx != 10) {
    }
    r14_8 = (void*)((int64_t)rsp5 + 97);
    if (0) {
    }
    rax9 = *rcx;
    *(int32_t*)&r8_10 = edx;
    *(int32_t*)((int64_t)&r8_10 + 4) = 0;
    do {
        rax9 = rax9 / r8_10;
        r14_8 = (void*)((int64_t)r14_8 - 1);
    } while (rax9);
    rsi11 = (void*)((int64_t)rsp5 + 97);
    *(int32_t*)&rsi12 = (int32_t)*(void**)&rsi11 - (int32_t)*(void**)&r14_8;
    *(int32_t*)((int64_t)&rsi12 + 4) = 0;
    if (edi7 >= 0) 
        goto addr_0x7ffa877b1444_10;
    addr_0x7ffa877b1444_10:
    if (*(int32_t*)&rsi12 <= edi7) {
        *(int32_t*)&r8_13 = *(int32_t*)&rsi12;
        *(int32_t*)((int64_t)&r8_13 + 4) = 0;
        RtlCopyMemory(r15_6, r14_8, r8_13);
        if (*(int32_t*)&rsi12 < edi7) {
            *(int8_t*)(rsi12 + r15_6) = 0;
        }
        fun_7ffa87845840();
        return;
    }
}

void fun_7ffa877b1465() {
    goto 0x7ffa877b1469;
}

xforce commented 8 years ago

The reason the game closes as soon as you attach is probably because of the debug protections put in by denuvo. About how to find the pattern using x64dbg, I am sorry but I am not really familiar with the tool, so I can't really help you with that.

methodbox commented 8 years ago

Maybe @trixnz can give us a hand?

I don't have a 32bit version of the game so the free IDA Pro won't work for me - 64bit is paid only.

Also way out of my element here :)

trixnz commented 8 years ago

Unfortunately I am not in a position to fix this right now. @xforce feel free to fork and maintain if you wish :+1:

xforce commented 8 years ago

ok, I just published the update on my fork. Here

methodbox commented 8 years ago

Dude you rock. From what I see in model.cs it looks like you've put in place something to recalculate values for the Camera if it changes on the next update.

Am I reading this correctly?

Thanks again!!