One Day Sec

What are the special JASS functions that enable this file writing vulnerability, and how do they work?

The three key functions are `PreloadGenClear()`, `PreloadGenStart()`, and `PreloadGenEnd(string filename)`. `PreloadGenClear()` resets the log, `PreloadGenStart()` begins recording all `Preload()` calls, and `PreloadGenEnd()` writes the recorded content to the specified file. By calling `Preload()` with strings containing newline characters (`\n`) and setting the filename to a `.bat` path, an attacker can inject arbitrary batch commands. This is similar to how log injection works in other vulnerabilities, such as the one covered in "Analysis of CVE-2017-8360 (Keylogger in HP Audio Driver) Exploitation".
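A static check for the pattern described above, as an added example (not code from the original page): it scans JASS map script line by line for `Preload()` string literals that contain a `\n` escape and for `PreloadGenEnd()` calls whose filename is not a literal ending in an expected extension. The allowlist (`.txt`, `.pld`), the rule names and the sample script are assumptions constructed for illustration.

```python
import re

STRING = r'"((?:[^"\\]|\\.)*)"'                      # JASS string literal, escapes kept raw
STRIP_COMMENT = re.compile(r'("(?:[^"\\]|\\.)*")|//.*')
PRELOAD_CALL = re.compile(r'\bPreload\s*\((.*)\)')   # does not match PreloadGen* names
GEN_END_CALL = re.compile(r'\bPreloadGenEnd\s*\((.*)\)')
ALLOWED_EXT = (".txt", ".pld")                       # assumption: local policy allowlist


def has_newline_escape(literal_body):
    """True if the literal contains \\n as an escape (an escaped backslash + 'n' is not)."""
    return "n" in re.findall(r'\\(.)', literal_body)


def audit_jass(source):
    """Return (line_number, rule) findings for a JASS script given as text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        # Drop // comments while leaving string literals untouched.
        code = STRIP_COMMENT.sub(lambda m: m.group(1) or "", line)
        call = PRELOAD_CALL.search(code)
        if call and any(has_newline_escape(s) for s in re.findall(STRING, call.group(1))):
            findings.append((lineno, "newline-in-preload"))
        end = GEN_END_CALL.search(code)
        if end:
            literal = re.fullmatch(STRING, end.group(1).strip())
            if literal is None:
                # Variable or concatenation: the target cannot be verified statically.
                findings.append((lineno, "dynamic-filename"))
            elif not literal.group(1).lower().endswith(ALLOWED_EXT):
                findings.append((lineno, "unexpected-extension"))
    return findings


# Constructed sample script (not taken from any real map).
SAMPLE = r'''call PreloadGenStart()
call Preload("hero=paladin")  // plain data
call PreloadGenEnd("save\\profile.txt")
call Preload("line one\nline two")
call PreloadGenEnd("out.bat")
call PreloadGenEnd(path)'''

if __name__ == "__main__":
    for lineno, rule in audit_jass(SAMPLE):
        print(f"line {lineno}: {rule}")
```

A finding is a reason to review the map script by hand, since a line-based scan does not follow values built at run time.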
