36
"Working scripts"
1
1
"Infinite ammo"
Auto Assembler Script
{ Game : metro.exe
Version: 1.0.3
Date : 2017-07-19
Author : Bakfiets
This script fills your magazine with the max amount each time you shoot.

Hook summary: the replaced instruction stores r14d -- the round count after
the preceding "sub r14d,eax" -- into [rsi+448]. The hook first reloads r14d
from [rsi+450] (presumably the magazine capacity, per the description above)
so the value written back never decreases. Clobbering r14d is harmless here:
the function epilogue right after the injection point restores r14 with
"pop r14" before returning.
}
[ENABLE]
aobscanmodule(INF_AMMO,metro.exe,44 89 B6 48 04 00 00) // should be unique
alloc(INF_AMMO_MEM,128,metro.exe) // allocated near metro.exe so a 5-byte rel32 jmp can reach it
label(return)
INF_AMMO_MEM:
mov r14d, [rsi+00000450] // r14d = [rsi+450]; overrides the decremented count
mov [rsi+00000448],r14d // the original instruction, now storing the reloaded value
jmp return
INF_AMMO:
jmp INF_AMMO_MEM // 5 bytes
nop // +2 nops = 7 bytes, the length of the replaced mov
nop
return:
registersymbol(INF_AMMO)
[DISABLE]
INF_AMMO:
db 44 89 B6 48 04 00 00 // restore original bytes: mov [rsi+00000448],r14d
unregistersymbol(INF_AMMO)
dealloc(INF_AMMO_MEM)
{
// ORIGINAL CODE - INJECTION POINT: "metro.exe"+2C0B2F
"metro.exe"+2C0B11: 0F B6 C8 - movzx ecx,al
"metro.exe"+2C0B14: 41 0F B6 C6 - movzx eax,r14l
"metro.exe"+2C0B18: 2B D1 - sub edx,ecx
"metro.exe"+2C0B1A: 2A C1 - sub al,cl
"metro.exe"+2C0B1C: C1 FA 1F - sar edx,1F
"metro.exe"+2C0B1F: 22 D0 - and dl,al
"metro.exe"+2C0B21: 02 D1 - add dl,cl
"metro.exe"+2C0B23: 0F B6 C2 - movzx eax,dl
"metro.exe"+2C0B26: 88 86 38 0B 00 00 - mov [rsi+00000B38],al
"metro.exe"+2C0B2C: 44 2B F0 - sub r14d,eax
// ---------- INJECTING HERE ----------
"metro.exe"+2C0B2F: 44 89 B6 48 04 00 00 - mov [rsi+00000448],r14d
// ---------- DONE INJECTING ----------
"metro.exe"+2C0B36: 48 8B 5C 24 40 - mov rbx,[rsp+40]
"metro.exe"+2C0B3B: 48 8B 6C 24 48 - mov rbp,[rsp+48]
"metro.exe"+2C0B40: 48 8B 74 24 50 - mov rsi,[rsp+50]
"metro.exe"+2C0B45: 48 83 C4 20 - add rsp,20
"metro.exe"+2C0B49: 41 5F - pop r15
"metro.exe"+2C0B4B: 41 5E - pop r14
"metro.exe"+2C0B4D: 5F - pop rdi
"metro.exe"+2C0B4E: C3 - ret
"metro.exe"+2C0B4F: 48 8B 03 - mov rax,[rbx]
"metro.exe"+2C0B52: 41 8B D6 - mov edx,r14d
}
27
"Infinite filter-time"
Auto Assembler Script
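{ Game : metro.exe
Version: 1.0.3
Date : 2017-07-19
Author : Bakfiets
This script sets the filter time to 5 minutes each frame

Hook summary: the replaced instruction stores xmm0 (the min/max-clamped value
computed just before the injection point) into [rdi+44C]. The hook writes the
constant 300.0 there instead (300 s = 5 min, per the description above) and
leaves xmm0 untouched, so the andps/comiss that follow still see the original
register value.

Change: the [DISABLE] label was spelled "inf_filter_time"; it now matches the
registered symbol INF_FILTER_TIME (CE resolves symbols case-insensitively,
so this is a consistency fix, not a behavioural one).
}
[ENABLE]
aobscanmodule(INF_FILTER_TIME,metro.exe,F3 0F 11 87 4C 04 00 00 0F) // should be unique
// The pattern is 9 bytes; the trailing 0F is the first byte of the next
// instruction (andps), presumably kept for uniqueness. Only 8 bytes are patched.
alloc(INF_FILTER_TIME_MEM,128,metro.exe) // allocated near metro.exe so a 5-byte rel32 jmp can reach it
label(return)
INF_FILTER_TIME_MEM:
mov [rdi+0000044C],(float)300 // filter time := 300.0 (dword store; xmm0 is not modified)
jmp return
INF_FILTER_TIME:
jmp INF_FILTER_TIME_MEM // 5 bytes
nop // +3 nops = 8 bytes, the length of the replaced movss
nop
nop
return:
registersymbol(INF_FILTER_TIME)
[DISABLE]
INF_FILTER_TIME:
db F3 0F 11 87 4C 04 00 00 // restore original bytes: movss [rdi+0000044C],xmm0
unregistersymbol(INF_FILTER_TIME)
dealloc(INF_FILTER_TIME_MEM)
{
// ORIGINAL CODE - INJECTION POINT: "metro.exe"+33FCE9
"metro.exe"+33FCB5: F3 0F 11 45 77 - movss [rbp+77],xmm0
"metro.exe"+33FCBA: EB 07 - jmp metro.exe+33FCC3
"metro.exe"+33FCBC: C7 45 77 00 00 00 00 - mov [rbp+77],00000000
"metro.exe"+33FCC3: F3 0F 10 05 A9 1E 8E 00 - movss xmm0,[metro.exe+C21B74]
"metro.exe"+33FCCB: F3 0F 10 55 67 - movss xmm2,[rbp+67]
"metro.exe"+33FCD0: F3 0F 11 45 7F - movss [rbp+7F],xmm0
"metro.exe"+33FCD5: F3 0F 5D 55 7F - minss xmm2,[rbp+7F]
"metro.exe"+33FCDA: F3 0F 5F 55 77 - maxss xmm2,[rbp+77]
"metro.exe"+33FCDF: F3 0F 11 55 67 - movss [rbp+67],xmm2
"metro.exe"+33FCE4: F3 0F 10 45 67 - movss xmm0,[rbp+67]
// ---------- INJECTING HERE ----------
"metro.exe"+33FCE9: F3 0F 11 87 4C 04 00 00 - movss [rdi+0000044C],xmm0
// ---------- DONE INJECTING ----------
"metro.exe"+33FCF1: 0F 54 C6 - andps xmm0,xmm6
"metro.exe"+33FCF4: 0F 2F 05 5D 18 8E 00 - comiss xmm0,[metro.exe+C21558]
"metro.exe"+33FCFB: 73 7E - jae metro.exe+33FD7B
"metro.exe"+33FCFD: 0F 2F BB 08 03 00 00 - comiss xmm7,[rbx+00000308]
"metro.exe"+33FD04: 73 75 - jae metro.exe+33FD7B
"metro.exe"+33FD06: 48 8B CF - mov rcx,rdi
"metro.exe"+33FD09: E8 22 37 00 00 - call metro.exe+343430
"metro.exe"+33FD0E: 48 85 C0 - test rax,rax
"metro.exe"+33FD11: 74 14 - je metro.exe+33FD27
"metro.exe"+33FD13: F3 0F 10 80 80 06 00 00 - movss xmm0,[rax+00000680]
}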
30
"GODMODE"
Auto Assembler Script
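{ Game : metro.exe
Version: 1.0.3
Date : 2017-07-19
Author : Bakfiets
This script godmodes Artyom, the man himself.

Hook summary: at the injection point xmm2 holds [r8] minus [rdx+14] (current
health minus damage, see the two instructions before it) and the replaced
instruction stores it back to [r8]. The hook compares the low dword of
[rcx+20] with the value in player_identifier (0x200, which the author found
to mark the player); on a match it stores 1.0 to [r8] instead, otherwise it
performs the original store so other entities still take damage.

Fixes:
- The [DISABLE] section restored bytes at a label "HEALTH_2" that is defined
  nowhere in this table, so disabling the script could not assemble. It now
  uses the registered symbol INF_HEALTH.
- player_identifier was filled with "dw" (a 2-byte write) but is read as a
  dword by "cmp eax,[player_identifier]"; it only worked because the rest
  of the allocation was zero. "dd" now writes all 4 bytes explicitly.
Note: the NOT_WORKING_GODMODE entry in this table also registers a symbol
named INF_HEALTH; enabling both at once will collide on that name.
}
[ENABLE]
aobscanmodule(INF_HEALTH,metro.exe,F3 41 0F 11 10 44 8B 89) // should be unique
alloc(INF_HEALTH_MEM,128,metro.exe) // allocated near metro.exe so a 5-byte rel32 jmp can reach it
alloc(player_identifier,4,metro.exe) // one dword compared against [rcx+20]
label(return)
player_identifier:
dd 00000200 // 512: the id the author observed for the player (dword, matches the cmp below)
INF_HEALTH_MEM:
push rax
mov rax, [rcx+20] //0001001000000200 something like that, need bottom half
cmp eax, [player_identifier] //512, seems to identify player. Monsters were 256, also found a 0
pop rax // pop does not touch flags, so the cmp result survives
jne @f
mov [r8], (float)1.0 //set player health
jmp return
@@:
movss [r8],xmm2 //set health. 0 for one-shot probably
jmp return
INF_HEALTH:
jmp INF_HEALTH_MEM // 5 bytes, same length as the replaced movss; no nops needed
return:
registersymbol(INF_HEALTH)
[DISABLE]
INF_HEALTH:
db F3 41 0F 11 10 // restore original bytes: movss [r8],xmm2
unregistersymbol(INF_HEALTH)
dealloc(INF_HEALTH_MEM)
dealloc(player_identifier)
{
// ORIGINAL CODE - INJECTION POINT: "metro.exe"+23394D
"metro.exe"+233939: CC - int 3
"metro.exe"+23393A: CC - int 3
"metro.exe"+23393B: CC - int 3
"metro.exe"+23393C: CC - int 3
"metro.exe"+23393D: CC - int 3
"metro.exe"+23393E: CC - int 3
"metro.exe"+23393F: CC - int 3
"metro.exe"+233940: F3 41 0F 10 18 - movss xmm3,[r8]
"metro.exe"+233945: 0F 28 D3 - movaps xmm2,xmm3
"metro.exe"+233948: F3 0F 5C 52 14 - subss xmm2,[rdx+14]
// ---------- INJECTING HERE ----------
"metro.exe"+23394D: F3 41 0F 11 10 - movss [r8],xmm2
// ---------- DONE INJECTING ----------
"metro.exe"+233952: 44 8B 89 20 01 00 00 - mov r9d,[rcx+00000120]
"metro.exe"+233959: 41 F6 C1 01 - test r9l,01
"metro.exe"+23395D: 75 14 - jne metro.exe+233973
"metro.exe"+23395F: 0F B7 42 36 - movzx eax,word ptr [rdx+36]
"metro.exe"+233963: A8 04 - test al,04
"metro.exe"+233965: 75 37 - jne metro.exe+23399E
"metro.exe"+233967: 41 BA 00 01 00 00 - mov r10d,00000100
"metro.exe"+23396D: 66 41 85 C2 - test r10w,ax
"metro.exe"+233971: 75 2B - jne metro.exe+23399E
"metro.exe"+233973: 80 7A 32 02 - cmp byte ptr [rdx+32],02
}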
37
"Pointers"
1
10
"Current Ammo"
4 Bytes
"metro.exe"+00D361E0
440
110
1B0
33
"health"
Float
"metro.exe"+00CFA748
300
450
34
"health"
Float
"metro.exe"+00D23550
2A8
8
35
"health"
Float
"metro.exe"+00D01EA8
308
30
18
"NOT_WORKING_GODMODE"
Auto Assembler Script
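{ Game : metro.exe
Version:
Date : 2017-07-18
Author : Bakfiets
This script enables you to have infinite health

Hook summary: the replaced instruction stores xmm1 into [rcx+08]; the hook
stores the constant 1.0 there instead and jumps back. Flags set by the
"comiss xmm0,xmm3" just before the injection point are preserved (mov and
jmp do not alter them), so the "jb" that follows still behaves as before.

Fix: the allocated block mem_inf_health had no address line of its own, so
the code under mem_inf_health_code was never placed inside it and the jmp at
INF_HEALTH targeted memory with nothing assembled into it. "mem_inf_health:"
now precedes the code label. Whether the in-game effect is what the author
wanted is not verified here (the entry is still named NOT_WORKING); the
GODMODE entry above is the variant that injects at a different site.
Note: both this script and GODMODE register a symbol named INF_HEALTH;
enabling both at once will collide on that name.
}
[ENABLE]
aobscanmodule(INF_HEALTH,metro.exe,F3 0F 11 49 08 72) // should be unique
alloc(mem_inf_health,1000,"metro.exe"+23388C) // CE numbers are hex: 0x1000 bytes, requested near the injection point so a rel32 jmp can reach it
label(mem_inf_health_code)
label(return)
mem_inf_health: // gives the allocation an address so the code below is assembled into it
mem_inf_health_code:
mov [rcx+08],(float)1 // health := 1.0 (dword store) instead of the xmm1 value
jmp return
INF_HEALTH:
jmp mem_inf_health // 5 bytes, same length as the replaced movss; no nops needed
return:
registersymbol(INF_HEALTH)
[DISABLE]
INF_HEALTH:
db F3 0F 11 49 08 // restore original bytes: movss [rcx+08],xmm1
unregistersymbol(INF_HEALTH)
dealloc(mem_inf_health)
{
// ORIGINAL CODE - INJECTION POINT: "metro.exe"+23388C
"metro.exe"+23386D: CC - int 3
"metro.exe"+23386E: CC - int 3
"metro.exe"+23386F: CC - int 3
"metro.exe"+233870: 40 53 - push rbx
"metro.exe"+233872: 48 83 EC 20 - sub rsp,20
"metro.exe"+233876: F3 0F 10 81 1C 01 00 00 - movss xmm0,[rcx+0000011C]
"metro.exe"+23387E: F3 0F 10 51 08 - movss xmm2,[rcx+08]
"metro.exe"+233883: 0F 57 DB - xorps xmm3,xmm3
"metro.exe"+233886: 48 8B D9 - mov rbx,rcx
"metro.exe"+233889: 0F 2F C3 - comiss xmm0,xmm3
// ---------- INJECTING HERE ----------
"metro.exe"+23388C: F3 0F 11 49 08 - movss [rcx+08],xmm1
// ---------- DONE INJECTING ----------
"metro.exe"+233891: 72 0F - jb metro.exe+2338A2
"metro.exe"+233893: 0F 2F C8 - comiss xmm1,xmm0
"metro.exe"+233896: 76 0A - jna metro.exe+2338A2
"metro.exe"+233898: 0F 2F D0 - comiss xmm2,xmm0
"metro.exe"+23389B: 77 05 - ja metro.exe+2338A2
"metro.exe"+23389D: F3 0F 11 41 08 - movss [rcx+08],xmm0
"metro.exe"+2338A2: F3 0F 10 41 08 - movss xmm0,[rcx+08]
"metro.exe"+2338A7: 0F 2F C3 - comiss xmm0,xmm3
"metro.exe"+2338AA: 72 5F - jb metro.exe+23390B
"metro.exe"+2338AC: 0F 2F D0 - comiss xmm2,xmm0
}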