
Commit 9765c86

authored
fix(gta-core-five): task NMShot behaviour failure exploit
1 parent cfed16a commit 9765c86

1 file changed

Lines changed: 46 additions & 0 deletions


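--- /dev/null
+++ b/<file path not shown on page>
@@ -0,0 +1,46 @@
+#include <StdInc.h>
+#include <jitasm.h>
+#include <Hooking.h>
+#include "XBRVirtual.h"
+
+static HookFunction hookFunction([]
+{
+	// There's an exploit where a remote ped can trigger BehaviourFailure with an
+	// invalid PedIntelligence pointer. The game dereferences it without checking,
+	// causing a null pointer crash on other clients. This patch adds a check and
+	// skips the code path if PedIntelligence is null.
+	auto location = xbr::IsGameBuildOrGreater<2802>() ?
+	hook::get_pattern("48 8B 88 ? ? ? ? 48 85 C9 74 ? 8B 41 ? D1 E8 83 E0 ? EB ? 41 8B C6 EB ? 8B 51 ? D1 EA 83 E2 ? 3B C2 73 ? 83 F8 ? 73 ? 81 79 ? ? ? ? ? 8B C2 74 ? 48 8B 49 ? 48 85 C9 75 ? 49 8B CE 48 85 C9 74")
+	:
+	hook::get_pattern("48 8B 88 ? ? ? ? 48 85 C9 74 ? 8B 41 ? D1 E8 83 E0 ? EB ? 41 8B C6 EB ? 8B 51 ? D1 EA 83 E2 ? 3B C2 73 ? 83 F8 ? 73 ? 81 79 ? ? ? ? ? 8B C2 74 ? 48 8B 49 ? 48 85 C9 75 ? 49 8B CE 48 85 C9 74 ? F3 0F 10 05 ? ? ? ? 44 88 74 24 ? C7 44 24 ? ? ? ? ? 44 88 74 24 ? 44 89 74 24 ? 83 C8 ? F3 0F 11 44 24 ? 89 44 24 ? 44 89 74 24 ? 4C 89 74 24 ? 89 44 24 ? 48 8D 15 ? ? ? ? 45 33 C9 45 33 C0 48 8B CB 44 88 74 24 ? E8 ? ? ? ? 8B 86 ? ? ? ? 48 8D 15");
+
+	static struct : jitasm::Frontend
+	{
+		intptr_t ret;
+
+		void Init(intptr_t location)
+		{
+			this->ret = location;
+		}
+
+		void InternalMain() override
+		{
+			test(rax, rax);
+			jz("fail");
+			mov(rcx, qword_ptr[rax+0xB08]); // PedIntelligence->m_queriableInterface
+
+			mov(rax, ret);
+			jmp(rax);
+
+			L("fail");
+			// Clear the rcx register, in the next jmp the game will check if it's null and skip the code
+			xor(rcx, rcx);
+			mov(rax, ret);
+			jmp(rax);
+		}
+	} stub;
+
+	stub.Init((intptr_t)location + 0x7);
+	hook::nop(location, 0x7);
+	hook::jump_rcx(location, stub.GetCode());
+});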
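Review bot: The stub hard-codes the displacement `0xB08` in `mov(rcx, qword_ptr[rax+0xB08])` while both patterns match the original instruction's displacement with wildcards (`48 8B 88 ? ? ? ?`), so on a build where the `m_queriableInterface` offset differs the pattern still matches but the stub silently reads the wrong field — exactly the kind of invalid pointer the commit is trying to guard against. Since the 7 bytes being nopped are presumably the `mov rcx, [rax+disp32]` itself, the displacement can be read from `location + 3` at hook time and passed into the stub instead of being duplicated as a literal. The null check only covers a null `PedIntelligence` (as the comment on line 11 states), not other invalid values; that limitation is worth keeping visible in the comment so nobody reads the commit title as a full fix. The two `mov(rax, ret); jmp(rax);` exits could also share one label, but that is a style point only.
```cpp
static struct : jitasm::Frontend
{
	intptr_t ret;
	int32_t disp; // displacement taken from the patched `mov rcx, [rax+disp32]`

	void Init(intptr_t location, int32_t displacement)
	{
		this->ret = location;
		this->disp = displacement;
	}

	void InternalMain() override
	{
		test(rax, rax);
		jz("fail");
		mov(rcx, qword_ptr[rax + disp]); // PedIntelligence->m_queriableInterface, offset read from the game code
		// … unchanged: success/fail exits …
	}
} stub;

// displacement is the last 4 bytes of the 7-byte `48 8B 88 disp32` at location
stub.Init((intptr_t)location + 0x7, *(int32_t*)((char*)location + 3));
// … unchanged: hook::nop / hook::jump_rcx …
```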
