Opcode injection?

[monobogdan]

Hi. How to make opcode injection i.e inject my own "scm" into game scm dynamically? Without cleo.

I think i should override pointer to opcodehandler.

[madleg]

Well... I dont judge

 

In following example will be used custom script, which will be loaded manually with plugin sdk (no cleo, pretty much same goes for scm). To execute "jump" will be used script current pointer (CRunningScript::curIP), memory access from scm with arrays trick and some useless scm variable.

 

CLEO/test_script.cc (compile script without additional SCM info)

{$CLEO .cc}0000::LABELwait 1000109: player $PLAYER_CHAR money += 1jump @LABEL// adding some space because code injection will take more than actual script size after targeted opcodehex90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 end 

CLEO/test_inject.cc (same)

{$CLEO .cc}// do nothing, just return0004: $10947 = -100006: [email protected]($10947,1i) = 1234569 // this value means nothing, just space holder

plugin

#include "plugin.h"#include "game_sa\CRunningScript.h"#include "game_sa\CTheScripts.h"#include "game_sa\common.h"#include "game_sa\CTimer.h"using namespace plugin;class custom_plgn{public:		static void* script_buffer;	static void* inject_script_buffer;	static CRunningScript* myscript;	static unsigned int button_press_time;	static bool script_attached;	static bool script_hooked;	custom_plgn()	{		// create test script		myscript = new CRunningScript();		myscript->Init();		FILE* _f = fopen("CLEO//test_script.cc", "r");		fseek(_f, 0, SEEK_END);		int fsize = ftell(_f);		fseek(_f, 0, SEEK_SET);		script_buffer = malloc(fsize + 4);		memset(script_buffer, 0, fsize + 4);		fread(script_buffer, fsize, 1, _f);		myscript->baseIP = (uint8_t*)script_buffer;		myscript->curIP = (uint8_t*)script_buffer;		myscript->isActive = true;		fclose(_f);		// load compiled code lines for injection		_f = fopen("CLEO//test_inject.cc", "r");		fseek(_f, 0, SEEK_END);		fsize = ftell(_f);		fseek(_f, 0, SEEK_SET);		inject_script_buffer = malloc(fsize + 4);		memset(inject_script_buffer, 0, fsize + 4);		fread(inject_script_buffer, fsize, 1, _f);		// add callback to manipulate script activation		Events::gameProcessEvent.Add(MyScriptHandler);	}	static void MyScriptHandler()	{		if (KeyPressed(VK_TAB) && CTimer::m_snTimeInMilliseconds > (button_press_time + 500))		{			if (!script_attached)			{				// activate test script				myscript->AddScriptToList(&(CTheScripts::pActiveScripts));				script_attached = true;				button_press_time = CTimer::m_snTimeInMilliseconds;			}			else			{				if (!script_hooked)				{					// make injection in test script					// my target is 0109: player $PLAYER_CHAR money += 10, its offset in test script = 6					// jump injection is 21 bytes long, take care about opcodes it will overwrite and move them in your script					/* overwrite script with 					0004: $10947 = -10					0006: [email protected]($10947,1i) = pointer to injection code 					it will set script curIP */					memcpy((void*)((int)script_buffer + 6), "\x04\x00\x02\x0C\xAB\x04\xF6\x06\x00\x08\x00\x00\x0C\xAB\x01\x80\x01", 17);					int offset = (int)inject_script_buffer;					memcpy((void*)((int)script_buffer + 23), &offset, 4);					/* set return point (it will be :LABEL for this example (its offset in test script = 2))					it will be executed in a same way. it is included in script injection, so we have to set offset only 					variable offset in injection script = 17 */					offset = (int)script_buffer + 2;					memcpy((void*)((int)inject_script_buffer + 17), &offset, 4);					script_hooked = true;					button_press_time = CTimer::m_snTimeInMilliseconds;				}				else				{					// restore test script					memcpy((void*)((int)script_buffer + 6), "\x09\x01\x02\x08\x00\x04\x01\x02\x00\x01\xFE\xFF\xFF\xFF", 14); // rest doesnt matter					script_hooked = false;					button_press_time = CTimer::m_snTimeInMilliseconds;				}			}					}	}} cp;unsigned int custom_plgn::button_press_time = 0;bool custom_plgn::script_attached = false;bool custom_plgn::script_hooked = false;void* custom_plgn::script_buffer = 0;void* custom_plgn::inject_script_buffer = 0;CRunningScript* custom_plgn::myscript = 0;

press tab to get/stop getting some cash

Have fun

[monobogdan]

What is game_sa?

It's GTA SA: SDK?

I'm developing small 32 players multiplayer.

I'm sure, i can't do anything without injecting opcodes, because as far as i know we don't have direct access to ped manager, and so, we can't for example create ped and set it's position and animation without any use of SCM.

So, i think the best way to implement it's is CLEO plugin + small cleo script.

CLEO plugin is client, it's receiving and sending packets.

So, server 30 times in second send packets about all players in streamed location. Every package is up to 1024 bytes because contains string with format like "pedpos playerid x y z rotation anim". So, all players must have fast internet, and client send 30 times in second info about player with similiar package.

So, CLEO plugin process packages, CLEO script set peds/vehicles positions.

[madleg]

it is plugin sdk. Also you can check out mta sa source code.

Edited May 9, 2017 by madleg

[monobogdan]

it is plugin sdk. Also you can check out mta sa source code.

Thanks