James Puleo drunderscore

Bowl Storage

A memory corrpution bug triggered in part by a dangling pointer

Dangling Pointer

After initializing the scene, whilst initializing the player, there is a code path that will initialize a global containing the incrediball model instance: xModelInstance* s_incrediball_model_instance. It achieves this by searching for a loaded asset with the hash incrediball_ball. If it is found, it will allocate an xModelInstance from it and store it into s_incrediball_model_instance. If it is not found, s_incrediball_model_instance will be set to null.

The aforementioned code path is ONLY taken when the scene player mapping contains at least one of the player tags listed in the table below. This means that for scenes with none of these player tags, s_incrediball_model_instance will not be initialized.

All research here is done on patch 1.47, ScriptHook gameversion 50. This should still all be true for other versions, even previous. However, GLOBAL ADDRESSES WILL CHANGE.

Values are in decimal, unless prefixed with 0x for hexadecimal.

Bitfields listed in this document are all zero indexed, starting from the least significant bit.

Some globals are accessed through multiple global objects. If that's the case, they will be formatted like so:

0x5 + 0x2 + 0x8 (0xF), where each part is the offset from the previous object, and the parentheses contains the final global address.

YSC script understanding prerequisites

Arrays in memory are prefixed with the capacity of that array. (capacity meaning the maximum count of elements that can be in that array)

Notifications in GTA V

Ofcourse, all credits to finding this go to SimplySarc: https://www.youtube.com/watch?v=aZp9olUXvOY

My video demonstration: https://www.youtube.com/watch?v=76XobG9QdOs

What is happening: When the Ravager attacks an entity, and that entity is shielding, he has a 50% chance to roar. For the first two seconds, he is stunned. After another 0.5 seconds, he roars, knocking back players within 4 blocks of him.

The math to apply the knockback is as follows:

	using TerrariaApi.Server;

	public class Scheduler : IDisposable
	{
	public const long TicksPerSecond = 60;
	public long TotalTicks { get; private set; }
	private readonly TerrariaPlugin _plugin;
	private readonly List<Task> _tasks = new();

	public Scheduler(TerrariaPlugin plugin)

	SDL: Brought up SDL
	SDL: Registering window with id 1745173632
	corrupted size vs. prev_size

	Program received signal SIGABRT, Aborted.
	0x00007ffff74ced22 in raise () from /usr/lib/libc.so.6
	(gdb) bt
	#0 0x00007ffff74ced22 in raise () from /usr/lib/libc.so.6
	#1 0x00007ffff74b8862 in abort () from /usr/lib/libc.so.6
	#2 0x00007ffff7510d28 in __libc_message () from /usr/lib/libc.so.6

	#include <LibCore/EventLoop.h>
	#include <LibCore/Stream.h>
	#include <LibHTTP/HttpRequest.h>
	#include <LibHTTP/HttpsJob.h>
	#include <LibMain/Main.h>

	ErrorOr<int> serenity_main(Main::Arguments)
	{
	Core::EventLoop event_loop;
	HTTP::HttpRequest request;

	#include <LibCore/EventLoop.h>
	#include <LibCore/Stream.h>
	#include <LibCore/TCPServer.h>
	#include <LibMain/Main.h>

	class Client
	{
	public:
	explicit Client(NonnullOwnPtr<Core::Stream::TCPSocket> socket) : m_socket(move(socket))
	{

	public class SpigotInteractBug extends JavaPlugin implements Listener
	{
	@Override
	public void onEnable()
	{
	getServer().getPluginManager().registerEvents( this, this );
	}

	@EventHandler
	public void onInteractEntity( PlayerInteractEntityEvent e )

	#region Local Var
	var uLocal_0 = 0;
	var uLocal_1 = 0;
	int iLocal_2 = 0;
	int iLocal_3 = 0;
	int iLocal_4 = 0;
	int iLocal_5 = 0;
	int iLocal_6 = 0;
	int iLocal_7 = 0;
	int iLocal_8 = 0;

	# James Puleo (2019)
	# I hate Python. This code is bad, and thats okay.
	from pathlib import Path
	import sys


	def main():
	if len(sys.argv) < 2:
	return
	d = sys.argv[1]