Same question: the FrameScript__ExecuteBuffer call has been confusing.
I used a DX11 hook; it worked before.
Code:
{
sub rsp, 0x60
lea rax, [ @Out]
push rax
sub rsp, 0x48
mov r8, 0
mov rdx, LuafilePtr
mov rcx, lusCmdPtr
mov rax, MoveToAddress+75 //set Current stack pointer?
push rax
jmp FrameScript_ExecuteBuffer
@Out:
add rsp, 0x60
ret
}
This code was copied a long time ago from someone else's working code.
I wonder whether the stack imbalance is to blame,
or whether there is detection code somewhere.
Does anyone understand how it works?
小学文化,汇编确实没学好,之前都是抄别人现成的用。
这英文翻译的确实烂,没办法。
MoveTo = 0x1CC0AA0,FrameScript__ExecuteBuffer1 = 0x6AFCF0,//10.1.0.49474
Code:
00007FF74DFA0AA0 | 40:57 | push rdi |//move to
00007FF74DFA0AA2 | 48:83EC 40 | sub rsp,40 |
00007FF74DFA0AA6 | 48:83B9 E8180000 00 | cmp qword ptr ds:[rcx+18E8],0 |
00007FF74DFA0AAE | 7E 70 | jle wow.7FF74DFA0B20 |
00007FF74DFA0AB0 | 48:8B81 E8000000 | mov rax,qword ptr ds:[rcx+E8] |
00007FF74DFA0AB7 | 48:8B78 38 | mov rdi,qword ptr ds:[rax+38] |
00007FF74DFA0ABB | 48:8B07 | mov rax,qword ptr ds:[rdi] |
00007FF74DFA0ABE | 48:3905 0388D901 | cmp qword ptr ds:[7FF74FD392C8],rax |
00007FF74DFA0AC5 | 75 59 | jne wow.7FF74DFA0B20 |
00007FF74DFA0AC7 | 48:8B47 08 | mov rax,qword ptr ds:[rdi+8] |
00007FF74DFA0ACB | 48:3905 FE87D901 | cmp qword ptr ds:[7FF74FD392D0],rax |
00007FF74DFA0AD2 | 75 4C | jne wow.7FF74DFA0B20 |
00007FF74DFA0AD4 | 48:8B05 6D89FD01 | mov rax,qword ptr ds:[7FF74FF79448] |
00007FF74DFA0ADB | 8378 14 00 | cmp dword ptr ds:[rax+14],0 |
00007FF74DFA0ADF | 74 3F | je wow.7FF74DFA0B20 |
00007FF74DFA0AE1 | F681 C6150000 20 | test byte ptr ds:[rcx+15C6],20 |
00007FF74DFA0AE8 | 75 36 | jne wow.7FF74DFA0B20 |
00007FF74DFA0AEA | 33C0 | xor eax,eax |
00007FF74DFA0AEC | 4C:8D4C24 30 | lea r9,qword ptr ss:[rsp+30] |
00007FF74DFA0AF1 | 0F57C0 | xorps xmm0,xmm0 |
00007FF74DFA0AF4 | 48:894424 30 | mov qword ptr ss:[rsp+30],rax |
00007FF74DFA0AF9 | F3:0F114424 28 | movss dword ptr ss:[rsp+28],xmm0 |
00007FF74DFA0AFF | 48:895424 20 | mov qword ptr ss:[rsp+20],rdx |
00007FF74DFA0B04 | 8D50 05 | lea edx,qword ptr ds:[rax+5] |
00007FF74DFA0B07 | 48:894424 38 | mov qword ptr ss:[rsp+38],rax |
00007FF74DFA0B0C | 44:8D40 09 | lea r8d,qword ptr ds:[rax+9] |
00007FF74DFA0B10 | E8 EB2EFEFF | call wow.7FF74DF83A00 |
00007FF74DFA0B15 | 666666:0F1F8400 00000000 | nop word ptr ds:[rax+rax],ax |//push
00007FF74DFA0B20 | 90 | nop |
00007FF74DFA0B21 | F6C1 D1 | test cl,D1 |
00007FF74DFA0B24 | 73 5A | jae wow.7FF74DFA0B80 |
00007FF74DFA0B26 | 80E8 34 | sub al,34 |
00007FF74DFA0B29 | 81C5 136B92A9 | add ebp,A9926B13 |
00007FF74DFA0B2F | 0F8B 9C200000 | jnp wow.7FF74DFA2BD1 |
00007FF74DFA0B35 | 83C5 20 | add ebp,20 |
00007FF74DFA0B38 | C6C3 02 | mov bl,2 |
00007FF74DFA0B3B | E8 69910000 | call wow.7FF74DFA9CA9 |
00007FF74DFA0B40 | C6C3 56 | mov bl,56 | 56:'V'
00007FF74DFA0B43 | 81EF 46BFD60B | sub edi,BD6BF46 |
00007FF74DFA0B49 | 0F31 | rdtsc |
00007FF74DFA0B4B | 81C6 B35BFADB | add esi,DBFA5BB3 |
00007FF74DFA0B51 | 83C0 FE | add eax,FFFFFFFE |
00007FF74DFA0B54 | 81EB EC320B9E | sub ebx,9E0B32EC |
00007FF74DFA0B5A | 51 | push rcx |