Try to find the queuepopped function by tracing back from a function …

…inside it, pattern is stable from past several patches unlike the pattern for the base function
easly1989 · Apr 18, 2021 · 1344de3 · 1344de3
1 parent 4777626
commit 1344de3
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 7 deletions.
diff --git a/DFAssist/Helpers/OpCodeHelper.cs b/DFAssist/Helpers/OpCodeHelper.cs
@@ -19,7 +19,13 @@ public OpCodeHelper()
             memhelper = new MemHelper(target);
             patternscanner = new PatternScanner(memhelper);
         }
-
+        public static string ByteArrayToString(byte[] ba)
+        {
+            StringBuilder hex = new StringBuilder(ba.Length * 2);
+            foreach (byte b in ba)
+                hex.AppendFormat("{0:x2} ", b);
+            return hex.ToString();
+        }
 
         public ushort GetAlertOpCode()
         {
@@ -33,12 +39,42 @@ public ushort GetAlertOpCode()
 
             _logger.Write($"Jumptable index offset 0x{(int)jumpTableIndexOffset:X}", LogLevel.Warn);
 
-            var functionptr = patternscanner.FindSingle("48 89 5C 24 ? 57 48 83 EC 70 48 8B D9 48 8D 0D ? ? ? ?");
-
+            var functionptr = patternscanner.FindSingle("48 89 5C 24 ? 57 48 83 EC 20 80 79 55 00");
             var functionRef = patternscanner.FindFunctionCall(functionptr);
 
             _logger.Write($"Found function call of 0x{(ulong)functionptr:X} at 0x{(ulong)functionRef:X}",LogLevel.Warn);
 
+
+
+
+
+            //Read backwards until 0xCC CC is found to get the start of the queue function
+            var memory = memhelper.ReadBytes(functionRef - 0x200, 0x205);
+            //_logger.Write("read bytes",LogLevel.Warn);
+            Array.Reverse(memory);
+            //_logger.Write(ByteArrayToString(memory),LogLevel.Warn);
+            functionptr = IntPtr.Zero;
+            for (int i = 0; i < memory.Length; i++)
+            {
+                //if (memory[i] == 0xCC && memory[i - 1] == 0xCC && memory[i - 2] == 0xCC && memory[i - 3] == 0xCC)
+                var m = BitConverter.ToUInt32(memory, i);
+                //_logger.Write($"Fo 0x{m:X} {i}", LogLevel.Warn);
+                if (m == 0xCCCCCCCC)
+                {
+                    functionptr = functionRef - i + 5;
+                    _logger.Write($"functionRef:0x{(ulong)functionRef:X} functionptr:0x{(ulong)functionptr:X} {i}", LogLevel.Warn);
+                    break;
+                }
+            }
+
+
+            //_logger.Write("Finished loop", LogLevel.Warn);
+            functionRef = patternscanner.FindFunctionCall(functionptr);
+            _logger.Write($"Found function call of 0x{(ulong)functionptr:X} at 0x{(ulong)functionRef:X}", LogLevel.Warn);
+
+
+
+
             //Go back 0x13 bytes from the function call location to get where the jumptable points to
             var jumplocation = functionRef - 0x13;
 

diff --git a/DFAssist/Helpers/PatternScanner.cs b/DFAssist/Helpers/PatternScanner.cs
@@ -311,12 +311,23 @@ public IntPtr FindFunctionCall(IntPtr functionAddress)
         {
             bool funcTest(int start)
             {
-                if (_data[start] != 0xE9) return false;
+                if (_data[start] == 0xE9)
+                {
+                    var val = BitConverter.ToUInt32(_data, start + 1) + 5;
+                    var address = (long) _baseAddress + start + val;
+
+                    return (IntPtr) address == functionAddress;
+                }
 
-                var val = BitConverter.ToUInt32(_data, start + 1) + 5;
-                var address = (long) _baseAddress + start + val;
+                if (_data[start] == 0xE8)
+                {
+                    var val = BitConverter.ToInt32(_data, start + 1) + 5;
+                    var address = (long)_baseAddress + start + val;
+
+                    return (IntPtr)address == functionAddress;
+                }
 
-                return (IntPtr) address == functionAddress;
+                return false;
             }
 
             uint plen = (uint)5;