Staredit Network > Forums > SC1 UMS Theory and Ideas > Topic: Death-Table-Addon EUPs
Death-Table-Addon EUPs
May 17 2014, 8:12 am
By: jjf28
Pages: < 1 2 3 4 >
 

Jul 21 2014, 5:46 am iCCup.xboi209 Post #21



Is anyone even working on bringing back EUD actions with this?




Jul 22 2014, 5:47 pm Cinolt Post #22



Quote from jjf28
New method for 4-byte sets confirmed!

Prime the surrounding memories to avoid the restrictions (see below)
Adjust CSprite ptr of a powerup so the "sprites" position overlaps the target address
Move the worker holding the powerup to the position (the value you want to set the target address to)
Remove the worker holding the powerup
Restore CSprite ptr of the powerup

Restrictions:
    targetAddress-0x14 and -0x10 (both 4 bytes) must be 0
    targetAddress+0x4, +0x8, and +0xA (all 4 bytes) must point to readable memory





So to run an exe...

- Setup death-table addon
- Put executable code in a string, note the distance of the string from the stringSectionStart
- Find the value of the highest byte of stringSectionPointer (256 EUD triggers)
- Set the value of the highest byte of stringSectionPointer to 0 (with death-table addon)
- Find the value of the second highest byte of stringSectionPointer (256 EUD triggers)
- Set the value of the second highest byte of stringSectionPointer to 0 (with death-table addon)
(repeat for third and fourth highest byte)
- Add stringDistance to your value for stringSectionPointer
- Move a location however you wish to a position that equates to the value of stringSectionPointer+stringDistance
- Set modify unit energy action pointer to 0 (with 4 death-table addon gives)
- Set modify unit shield action pointer to 0 (with 4 death-table addon gives)
- Set set alliance status action pointer to 0 (with 4 death-table addon gives)
- Set disable debug mode action pointer to 0 (with 4 death-table addon gives)
- Set sprite pointer of powerup to 5318856
- Move worker holding powerup to the location you set up
- Remove worker
- Restore powerup's sprite pointer
- Use the unpause timer action
- Enjoy the power of executables! :D




Is there a map to confirm this yet? It seems that modifying the sprite pointer of a unit that's actively in the Unit Node table is polled every frame, so it will crash if you're modifying it incrementally (i.e. with the Completed/All Units score), unless it's modified in an entire trigger cycle with "Loop" EPU's, but I doubt that's feasible given how many triggers must take place in one cycle.



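The "find the highest byte with 256 EUD triggers, zero it, repeat" step in the quoted procedure is a plain comparison oracle, and it is easier to see why it needs 256 trigger evaluations per byte and why the byte is zeroed before moving on when it is written out. The following is an added host-side model of that step, not code from the thread or from anyone's map: the target word is a constructed 32-bit value, the "trigger" is a function that models a "Deaths ... at least N" condition on that word, and the byte write models the death-table-addon set. Nothing in it touches the game or any real address.

```c
/* Added example, not from the thread: a host-side model of reading a
 * 32-bit word one byte at a time through comparison-only conditions,
 * the way the quoted procedure reads stringSectionPointer.
 * The real primitive is a StarCraft trigger condition evaluated on the
 * memory an EUD read lands on; here that memory is a constructed word
 * and each condition is a function call.  Nothing touches the game. */
#include <stdint.h>
#include <stdio.h>

/* Simulated target word (constructed value, not a real pointer). */
static uint32_t g_target;

/* Each evaluation of the modelled condition is one trigger, so count them. */
static unsigned g_trigger_count;

/* Model of the condition "Deaths ... at least N" on the target word. */
static int deaths_at_least(uint32_t n) {
    g_trigger_count++;
    return g_target >= n;
}

/* Model of the death-table-addon byte write used to zero a byte. */
static void write_byte(unsigned byte_index, uint8_t value) {
    uint32_t mask = 0xFFu << (byte_index * 8);
    g_target = (g_target & ~mask) | ((uint32_t)value << (byte_index * 8));
}

/* Recover byte `byte_index` (3 = highest) assuming every higher byte is
 * already zero: the byte is then the largest n in 0..255 for which
 * target >= n << shift.  That is 256 evaluations, matching the post's
 * "256 EUD triggers" per byte. */
static uint8_t recover_byte(unsigned byte_index) {
    unsigned shift = byte_index * 8;
    uint8_t found = 0;
    for (unsigned n = 0; n < 256; n++) {
        if (deaths_at_least((uint32_t)n << shift))
            found = (uint8_t)n;
    }
    return found;
}

/* The whole step from the post: read the highest byte, zero it so the next
 * byte's 256 comparisons sit in one unambiguous range, and repeat downwards.
 * The word is destroyed in the process, which is why the post has to add
 * the string distance back to the value it recovered rather than reuse the
 * pointer in memory. */
uint32_t disclose_word(uint32_t initial) {
    g_target = initial;
    g_trigger_count = 0;
    uint32_t recovered = 0;
    for (int b = 3; b >= 0; b--) {
        uint8_t v = recover_byte((unsigned)b);
        recovered |= (uint32_t)v << (b * 8);
        write_byte((unsigned)b, 0);
    }
    return recovered;
}

unsigned triggers_used(void) { return g_trigger_count; }

int main(void) {
    uint32_t v = disclose_word(0x1A2B3C4Du);
    printf("recovered 0x%08X using %u condition evaluations\n", v, triggers_used());
    return 0;
}
```

The model makes the cost explicit: four bytes at 256 evaluations each is 1024 conditions, and because each byte is zeroed after it is read, the word has to be rebuilt from the recovered value before it can be used as an address.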

Jul 22 2014, 6:13 pm jjf28 Post #23

Cartography Artisan

Don't have a test map yet, it would probably have to be done all in one cycle, it could be split into 2 by moving it to the death table where a mock sprite is, then moving it to its final destination, or 3 by using that and the mineral/gas table, or 4 if we pre-write a sprite into the location table.

It wouldn't use loop EUPs to do the subtracting per se, it would use the 2nd method ("Use 2" from the first post), which only takes 1 give and 1 death set (about a 6th as expensive as the operation used to subtract from the cc's addon): I think the whole operation would be around 300kb of triggers this way.

Hopefully "Use 1" would also be usable, taking advantage of that we could subtract in increments of 1, 255, and 65535



TheNitesWhoSay - Clan Aura - github

Reached the top of StarCraft theory crafting 2:12 AM CST, August 2nd, 2014.

Jul 28 2014, 8:04 pm Cinolt Post #24



Wow, so this is actually a lot harder than I initially thought. If StarCraft didn't crash at random-ass places, enabling EUD actions in a map should be easy, so I can see why they haven't been enabled yet.

Anyway, I copied pretty much verbatim the layout of preplaced units in DeathTableAddon.scx, and I made a trigger to do the "set" trigger and one iteration of "add to unitID", and it crashes. How did you prevent that in your map? Your map also appears to have "Add 13 to unitID" followed by "Add 1 to unitID", they really can't be combined into a single trigger? If so more insight is needed as how to prevent crashes, that's probably the most essential information at this point.

Here's the map and source code for what it's worth:


Attachments:
out.scx (69.85kb)




Jul 28 2014, 9:34 pm jjf28 Post #25

Cartography Artisan

OK, two problems. First, you're missing the reset trigger that gives ID:2547 back to neutral (comes last): Give Units to Player("Player 3", "Player 12", 2547, 1, "Anywhere");
This prevents the crash that happens when ID:2547 stays with p3 outside of a trigger cycle; don't know precisely why this crashes.

Second, change p3 to a computer; your map revealers are showing up, so... I don't know what the deal is here.

(fixed map)




Jul 29 2014, 12:00 am Cinolt Post #26



I see. I verified that both the absence of the "reset" trigger and p3 being neutral vs. being a computer cause crashes (p3 was set to neutral only in OWNR, not in IOWN, dunno if that matters. I thought setting to neutral would reduce the chance of crashes because it doesn't have to handle AI and shit, but this proves that the cause of crashes is anyone's guess). Anyway, it also looks like the "add to unitID" triggers have to be done in a single cycle; it's not like they could be Preserved and executed across cycles. No idea why.




Jul 29 2014, 3:26 pm Cinolt Post #27



Giving a unit to p9-p12 does not change the playerID in the sprite struct. So "death table addons" can only set to values 0-7.




Jul 30 2014, 1:51 am Cinolt Post #28



"Death Table Addons" has another restriction that when the command center is given, it looks to the addon unit, then to the sprite struct, modifies CSprite.playerID (+0xA), and also dereferences CSprite.underlay (+0x1C), then modifies CImage.flags (+0xC). Thus, CSprite.underlay must contain a pointer that points to writeable memory. This is a fairly big limitation and may be a game stopper (e.g. we can't modify STR Section Pointer using Death Table Addons), and the above is only one limitation; there may be more.

We might be able to modify STR Section Pointer if we knew what the data is at address 0x5993D8 (spanning roughly say 20-30 bytes) and if that data is editable through a map. EUD DB doesn't seem to give any info on that address.

EDIT: Same with MTXM Section Pointer, I'll check TRIG Section Ptr tomorrow.

Post has been edited 1 time(s), last time on Jul 30 2014, 2:17 am by yoonkwun.




Jul 30 2014, 3:03 am jjf28 Post #29

Cartography Artisan

Already tested zeroing all the values required to set the string section pointer (you have to work back from a significant distance) with the 4-byte set method; it's stable enough to leave them zero'd though knowing what they're actually for would be nice.




Jul 30 2014, 4:52 am trgk Post #30



SCMC seems great


***There is no geek level***

Hello World!

Post has been edited 5 time(s), last time on Jul 30 2014, 4:57 pm by trgk.



EUD

Jul 30 2014, 5:28 am jjf28 Post #31

Cartography Artisan

We don't have a good way to add 33 there unfortunately, standard EUP gives don't work before the death table (and don't go high enough to wrap around).

I'll adjust the theory if some tests go well with that.




Jul 30 2014, 11:56 am Cinolt Post #32



*cough*

Also, I re-coded another mapping library from scratch and am calling it libscm. It has a much less "workaround-y" feel to it, and gives more control over every bit in the CHK. I'll release it when it's complete.

Post has been edited 5 time(s), last time on Jul 31 2014, 7:50 pm by yoonkwun.




Jul 30 2014, 3:00 pm Cinolt Post #33



OFFICIALLY VERIFIED that custom executable code can be run from a map on unmodded 1.16.1. I'm probably not going to release it publicly, but it is 100% verified that running maps have the same potential as running any arbitrary .exe.

EDIT: Obviously I can't force anything, but anyone else who discovers a method for running executable code should not be releasing it to the public. Normally I'm for open-source, but most people here won't know what to do with it, and it will only facilitate script kiddies to make malicious maps. Maybe it should be a SEN policy thing as well?

Post has been edited 2 time(s), last time on Jul 30 2014, 4:30 pm by yoonkwun.




Jul 30 2014, 4:39 pm jjf28 Post #34

Cartography Artisan

So I don't lose it: 0x004402A4 (context withheld for the moment)




I recommend a temporary SEN ban on public releases so we can relatively safely distribute it to well known mappers/programmers while we decide how to handle this in the long run.

The ban should cover distributing: maps launching exe (with and without protection), step-by-step instructions (like make this trigger, place this unit; what's already available is quite advanced and... already available ;) ), and any map generation code to the end of launching exes.

Post has been edited 3 time(s), last time on Jul 30 2014, 9:41 pm by jjf28.




Jul 30 2014, 9:12 pm iCCup.xboi209 Post #35



So like can anyone copy and paste triggers and their exe will run? Or do the triggers have to be modified for every exe?




Aug 2 2014, 12:28 am twin34 Post #36



Usually I would be against the idea of preventing useful knowledge from being spread to everyone, especially when it comes to better maps being made and played in battle.net, but after actually experiencing a map (malicious) named X, hosted by Y, that utilizes this (or another method to run executable code), I strongly agree that a ban is more than just necessary, it is almost mandatory. I believe this potentially could "put the nail in the coffin" for Starcraft, if viruses are easily transmitted by going past the start button on the mission briefing. There would literally be no way to tell if a map contains arbitrary code that will harm the computer or not.




Aug 2 2014, 1:06 am Cinolt Post #37



Lol I admit that was me earlier today. It is, however, far from "malicious" as it just opens a web browser to a .swf and displays a command prompt. Other than that it deletes the map in question and renames StarCraft.exe (which you can just rename back). Compared to what COULD be done it's hardly malicious.

I'm semi-bored of it by now, and I won't be releasing it on here. What this does show, however, is a genuine exploit in StarCraft maps which can be easily prevented by running a utility that introduces bounds-checking for preplaced units (what blizzard should have done). Maybe I'll release such a utility some day.



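Cinolt's suggested mitigation above, a utility that bounds-checks preplaced units, is a small scan over the raw CHK "UNIT" section. The following is an added example of that check, not Cinolt's utility and not code from the thread. It assumes the commonly documented UNIT record layout (36 bytes per record, unit ID as a little-endian u16 at offset 8, owner byte at offset 16), a 228-entry unit table so that valid IDs are 0..227, and owner indices 0..11; the section it scans is constructed inline, with its third record carrying unit ID 2547, the out-of-range ID the thread's trigger gives to a player.

```c
/* Added example, not from the thread: a bounds check over the preplaced
 * units of a CHK "UNIT" section, the kind of check Cinolt suggests a
 * utility could add before a map is played.
 * Assumptions, not taken from the thread:
 *  - UNIT records are 36 bytes, unit ID is a little-endian u16 at offset 8,
 *    owner is a u8 at offset 16 (commonly documented CHK layout);
 *  - the unit table has 228 entries, so valid IDs are 0..227;
 *  - owners are player indices 0..11.
 * The section scanned in demo() is constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UNIT_RECORD_SIZE 36
#define UNIT_ID_OFFSET    8
#define OWNER_OFFSET     16
#define MAX_UNIT_ID     227
#define MAX_OWNER        11

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Scan a raw UNIT section.  Returns the number of records whose unit ID or
 * owner is out of range and writes up to max_out of their indexes to out.
 * A section whose length is not a whole number of records is itself
 * suspicious and is reported as -1 rather than partially parsed. */
int scan_unit_section(const uint8_t *sec, size_t len, size_t *out, size_t max_out) {
    if (len % UNIT_RECORD_SIZE != 0) return -1;
    int bad = 0;
    for (size_t i = 0; i < len / UNIT_RECORD_SIZE; i++) {
        const uint8_t *rec = sec + i * UNIT_RECORD_SIZE;
        uint16_t id = rd16(rec + UNIT_ID_OFFSET);
        uint8_t owner = rec[OWNER_OFFSET];
        if (id > MAX_UNIT_ID || owner > MAX_OWNER) {
            if ((size_t)bad < max_out) out[bad] = i;
            bad++;
        }
    }
    return bad;
}

/* Write one constructed record; fields other than position, ID and owner
 * are left zero because the check does not look at them. */
static void put_record(uint8_t *rec, uint16_t id, uint8_t owner, uint16_t x, uint16_t y) {
    memset(rec, 0, UNIT_RECORD_SIZE);
    rec[4] = (uint8_t)(x & 0xFF); rec[5] = (uint8_t)(x >> 8);
    rec[6] = (uint8_t)(y & 0xFF); rec[7] = (uint8_t)(y >> 8);
    rec[UNIT_ID_OFFSET] = (uint8_t)(id & 0xFF);
    rec[UNIT_ID_OFFSET + 1] = (uint8_t)(id >> 8);
    rec[OWNER_OFFSET] = owner;
}

/* Constructed section: two in-range IDs (7 and 106, SCV and Command Center
 * in the standard unit table) and one record with ID 2547, the out-of-range
 * ID used in the thread.  Returns the number of records flagged. */
int demo(void) {
    uint8_t sec[3 * UNIT_RECORD_SIZE];
    put_record(sec + 0 * UNIT_RECORD_SIZE, 7, 0, 64, 64);
    put_record(sec + 1 * UNIT_RECORD_SIZE, 106, 0, 128, 128);
    put_record(sec + 2 * UNIT_RECORD_SIZE, 2547, 2, 96, 96);
    size_t bad[8];
    int n = scan_unit_section(sec, sizeof sec, bad, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("record %zu: unit ID or owner out of range\n", bad[i]);
    return n;
}

int main(void) {
    return demo() > 0 ? 1 : 0;
}
```

Rejecting a map on any flagged record is the conservative choice: a preplaced unit with an ID past the unit table is never a legitimate map-making construct, and a truncated section is reported rather than partially trusted. This only covers the preplaced-unit vector the thread relies on; triggers that read or write via out-of-range IDs live in the TRIG section and would need their own scan.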

Aug 2 2014, 3:16 am jjf28 Post #38

Cartography Artisan

Quote
Other than that it deletes the map in question

Nice touch xD




Aug 2 2014, 3:46 am iCCup.xboi209 Post #39



Could someone answer my question please?

Also my suggestion for a utility is to just open the map as an MPQ file and look for .exe files... if the filelist isn't screwed up yet :(

Post has been edited 1 time(s), last time on Aug 2 2014, 3:59 am by iCCup.xboi209.




Aug 2 2014, 3:58 am sigsaucy Post #40



I just played a map where it alt-tabbed Brood War and opened this website

http://thebest404pageever.com/swf/SECRETSLIIIIDE.swf

The game host, cinolt, then proceeded to talk about how much he owned me.

It sounds like yoonkwun's map has already gotten out, and it seems like the trolls of bnet are sadly taking advantage of it.



