The disassembler output had some arrows not included in my earlier posts.
this line :
"************************.exe"+25B8E6: EB 03 - jmp ************************.exe+25B8EB
goes to this line (green arrow):
"************************.exe"+25B8EB: 76 05 - jna ************************.exe+25B8F2
goes to this line (red arrow):
"************************.exe"+25B8F2: 8B 4D F4 - mov ecx,[ebp-0C]
"************************.exe"+25B8E3: 0F 2F C1 - comiss xmm0,xmm1
"************************.exe"+25B8E6: EB 03 - jmp ************************.exe+25B8EB
"************************.exe"+25B8E8: 0F 2F D1 - comiss xmm2,xmm1
"************************.exe"+25B8EB: 76 05 - jna ************************.exe+25B8F2
"************************.exe"+25B8ED: F3 0F 11 4F 40 - movss [edi+40],xmm1
"************************.exe"+25B8F2: 8B 4D F4 - mov ecx,[ebp-0C]
"************************.exe"+25B8F5: 64 89 0D 00 00 00 00 - mov fs:[00000000],ecx
I may have tried the suggested injection point earlier, but don't remember clearly.
The 'Replace with code that does nothing' option always goes back to this line:
"************************.exe"+25B8E6: EB 03 - jmp ************************.exe+25B8EB
This does work properly (tested):
{
Version:
Date : 2017-07-08
Author : 3oddbits
This script does [REDACTED]
}
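define(address,"************************.exe"+25B8EB)
define(bytes,76 05 F3 0F 11 4F 40)

[ENABLE]
// Refuse to patch unless the 7 bytes at the injection point are still the
// expected `jna` + `movss`. On a different build the module-relative offset
// may land on unrelated code, and a blind write there would corrupt it.
assert(address,bytes)
alloc(newmem,$1000)
label(return)

// Original sequence at +25B8EB:
//   76 05            jna  +25B8F2        ; taken when comiss left CF=1 or ZF=1
//   F3 0F 11 4F 40   movss [edi+40],xmm1
// The cave drops the jna, so the store to [edi+40] runs unconditionally.
// The flags from `comiss xmm0,xmm1` (+25B8E3) are not needed after the
// patch: the code at +25B8F2 is a mov, and `xor ecx,ebp` at +25B903
// rewrites the flags before anything could branch on them.
newmem:
  movss [edi+40],xmm1
  jmp return

// 7 bytes overwritten: E9 rel32 (5) + 2 x nop. +25B8EB is itself a jump
// target (`jmp +25B8EB` at +25B8E6 lands on its first byte), so the cave
// jump must start exactly here; in the listed code nothing jumps into
// +25B8EC..+25B8F1, which is what makes the 7-byte overwrite safe.
address:
  jmp newmem
  nop
  nop
return:

[DISABLE]
// Put the original bytes back first, then free the cave, so no thread can
// newly take the jmp into memory that has already been released (a thread
// already inside the cave is not protected by this ordering).
address:
  db bytes
  // jna ************************.exe+25B8F2
  // movss [edi+40],xmm1
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "************************.exe"+25B8EB
"************************.exe"+25B8C2: F3 0F 58 C2 - addss xmm0,xmm2
"************************.exe"+25B8C6: F3 0F 11 47 40 - movss [edi+40],xmm0
"************************.exe"+25B8CB: EB 25 - jmp ************************.exe+25B8F2
"************************.exe"+25B8CD: F3 0F 10 47 34 - movss xmm0,[edi+34]
"************************.exe"+25B8D2: F3 0F 59 05 24 92 54 01 - mulss xmm0,[************************.exe+499224]
"************************.exe"+25B8DA: F3 0F 58 C2 - addss xmm0,xmm2
"************************.exe"+25B8DE: F3 0F 11 47 40 - movss [edi+40],xmm0
"************************.exe"+25B8E3: 0F 2F C1 - comiss xmm0,xmm1
"************************.exe"+25B8E6: EB 03 - jmp ************************.exe+25B8EB
"************************.exe"+25B8E8: 0F 2F D1 - comiss xmm2,xmm1
// ---------- INJECTING HERE ----------
"************************.exe"+25B8EB: 76 05 - jna ************************.exe+25B8F2
"************************.exe"+25B8ED: F3 0F 11 4F 40 - movss [edi+40],xmm1
// ---------- DONE INJECTING ----------
"************************.exe"+25B8F2: 8B 4D F4 - mov ecx,[ebp-0C]
"************************.exe"+25B8F5: 64 89 0D 00 00 00 00 - mov fs:[00000000],ecx
"************************.exe"+25B8FC: 59 - pop ecx
"************************.exe"+25B8FD: 5F - pop edi
"************************.exe"+25B8FE: 5E - pop esi
"************************.exe"+25B8FF: 5B - pop ebx
"************************.exe"+25B900: 8B 4D F0 - mov ecx,[ebp-10]
"************************.exe"+25B903: 33 CD - xor ecx,ebp
"************************.exe"+25B905: E8 F8 C0 0E 00 - call ************************.exe+347A02
"************************.exe"+25B90A: 8B E5 - mov esp,ebp
}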
The same approach also worked on the other 'nop' I wanted to script:
{
Version:
Date : 2017-07-08
Author : 3oddbits
This script does [REDACTED]
}
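define(address,"************************.exe"+2B889E)
define(bytes,FF 48 0C FF 4D 90)

[ENABLE]
// Refuse to patch unless the 6 bytes at the injection point are still the
// expected pair of `dec`s; a different build could put unrelated code at
// this module-relative offset.
assert(address,bytes)
alloc(newmem,$1000)
label(return)

// Original sequence at +2B889E:
//   FF 48 0C   dec [eax+0C]
//   FF 4D 90   dec [ebp-70]     ; written at +2B888F, decremented each loop pass
// The cave omits `dec [eax+0C]`; that field is left untouched. `dec [ebp-70]`
// must stay the last flag-writing instruction before `jmp return`: the
// `jne +2B8896` at +2B88AB branches on its ZF, the `mov [eax+10],0` in
// between does not touch flags, and jmp preserves them.
// The operand size is spelled out (dword) so the assembled bytes match the
// original FF 4D 90 instead of relying on the assembler's default width.
newmem:
  dec dword ptr [ebp-70]
  jmp return

// 6 bytes overwritten: E9 rel32 (5) + 1 nop. The two branches in this loop
// (`jle +2B88AD` at +2B8894, `jne +2B8896` at +2B88AB) target addresses
// outside the patched range, so neither can land mid-instruction.
address:
  jmp newmem
  nop
return:

[DISABLE]
// Restore the original bytes first, then free the cave, so no thread can
// newly take the jmp into released memory.
address:
  db bytes
  // dec [eax+0C]
  // dec [ebp-70]
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "************************.exe"+2B889E
"************************.exe"+2B8880: E8 AB 45 FC FF - call ************************.exe+27CE30
"************************.exe"+2B8885: 83 C4 20 - add esp,20
"************************.exe"+2B8888: 8B 85 44 FF FF FF - mov eax,[ebp-000000BC]
"************************.exe"+2B888E: 40 - inc eax
"************************.exe"+2B888F: 89 45 90 - mov [ebp-70],eax
"************************.exe"+2B8892: 85 C0 - test eax,eax
"************************.exe"+2B8894: 7E 17 - jle ************************.exe+2B88AD
"************************.exe"+2B8896: 56 - push esi
"************************.exe"+2B8897: 8B CF - mov ecx,edi
"************************.exe"+2B8899: E8 12 F4 D5 FF - call ************************.exe+17CB0
// ---------- INJECTING HERE ----------
"************************.exe"+2B889E: FF 48 0C - dec [eax+0C]
"************************.exe"+2B88A1: FF 4D 90 - dec [ebp-70]
// ---------- DONE INJECTING ----------
"************************.exe"+2B88A4: C7 40 10 00 00 00 00 - mov [eax+10],00000000
"************************.exe"+2B88AB: 75 E9 - jne ************************.exe+2B8896
"************************.exe"+2B88AD: 8B 85 54 FF FF FF - mov eax,[ebp-000000AC]
"************************.exe"+2B88B3: 0F B7 C0 - movzx eax,ax
"************************.exe"+2B88B6: BA 1B 00 00 00 - mov edx,0000001B
"************************.exe"+2B88BB: 50 - push eax
"************************.exe"+2B88BC: 8D 4A ED - lea ecx,[edx-13]
"************************.exe"+2B88BF: 89 B5 4C FF FF FF - mov [ebp-000000B4],esi
"************************.exe"+2B88C5: E8 B6 C0 E9 FF - call ************************.exe+154980
"************************.exe"+2B88CA: 8B 7D 94 - mov edi,[ebp-6C]
}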
Your help got my mental gears turning.
Thank You.
[ PS : you can change the thread header from [HELP] to [SOLVED], or anything you think appropriate. ]