(MOV ECX, EDX) ===> How to get ECX and EDX please?

Memory scanning, code injection, debugger internals and other gamemodding related discussion
TheyCallMeTim13
Cheater
Posts: 31
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 1

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by TheyCallMeTim13 » Fri Mar 03, 2017 10:34 pm

You can do it in C#, but you will need to use some C or C++ porting of 'kernel32.dll'.

Code:

// Handles, addresses and byte counts are pointer-sized: declare them as IntPtr
// rather than int so the signatures are correct in both 32-bit and 64-bit builds.
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr dwSize, out IntPtr lpNumberOfBytesRead);

[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr dwSize, out IntPtr lpNumberOfBytesWritten);

Here is a good tutorial I used for the same reason, though it was for learning, because when you learn CE you will find its awesomeness is undeniable.
https://www.codeproject.com/articles/67 ... ess-memory
Last edited by TheyCallMeTim13 on Fri Mar 03, 2017 10:51 pm, edited 1 time in total.
Code Happy, Code Freely, Be Awesome.

TheyCallMeTim13
Cheater
Posts: 31
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 1

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by TheyCallMeTim13 » Fri Mar 03, 2017 10:37 pm

And from there you would need to write your own AOB scanner, find a compatible ASM compiler, or write raw bytes to inject.
Code Happy, Code Freely, Be Awesome.

predprey
Cheater
Posts: 31
Joined: Thu Mar 02, 2017 8:46 pm
Reputation: 5

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by predprey » Fri Mar 03, 2017 10:45 pm

Sodruza wrote:
Fri Mar 03, 2017 10:07 pm
You can use Structure Dissect for that
I gotta say this is one weird game I'm trying to hack here (already hacked many). I did exactly what you said (dissect data structure) and couldn't find the player ID either. The only thing I could do was get the XYZ and the team (which is enough).

The only missing part of the puzzle is reading ECX (after that particular MOV instruction)

Apparently I need to do some instruction hooking (already googled that) and I couldn't find a good example (I already did some API hooking with the SendTo function to deal with packets). But I never did "instruction hooking", if it's called so. Do you think this is where I should dig to do what I want? (I would like to make the radar in C# because I'm much better at it than at C++.)
The player ID is needed to properly segregate the addresses as ++METHOS has already said. Try changing the data type around and see if you can find it? Or read through the instructions around the mov [ecx],edx and see where it gets ecx from? You could possibly use ecx as the identifier but you said ecx itself is dynamic and changes for each player even during the same match, so I'm not sure if it would work.

As for hooking, I'm not sure if this is the same as API hooking as you want to specifically hook into the mov instruction. You can try looking at Minimalistic API Hooking Library to see if it can do it? Or you can manually do it with WriteProcessMemory and VirtualAlloc.

Sodruza
Noobzor
Posts: 12
Joined: Fri Mar 03, 2017 5:40 pm
Reputation: 0

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by Sodruza » Sat Mar 04, 2017 8:51 am

Hello,
You can do it in C#, but you will need to use some C or C++ porting of 'kernel32.dll'.
I know these functions (read/write process memory), I use them to change some values and for pointers. The thing is I don't see how they can help me in this case....
I'd like to code something like:

1 Hook the instruction "MOV" in 4FCD7B.
2 Return the ECX value every time the MOV instruction is called.

If I could code such a thing, well I can do the radar afterwards.

Try changing the data type around and see if you can find it
Trust me, I really tried this before and I guarantee the ID is not close to the XYZ pos in this game. But I don't care. In my radar I want to be able to get the XYZ and the team (blue or red) and I can do both manually (I can even get the name, but not the ID, but it's worthless), unfortunately, not with code yet.

WriteProcessMemory
Writing is worthless in this case, isn't it? What I want to do is reading only.

TheyCallMeTim13
Cheater
Posts: 31
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 1

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by TheyCallMeTim13 » Sat Mar 04, 2017 9:05 am

Sodruza wrote:
Fri Mar 03, 2017 10:26 pm
But isn't there a way to do it in C# or C++? Because I really want to deal with the data in C#, because I will not make all my trainers using Lua (I don't know what it is) or the CE trainer generator. Do you see what I mean?
Sodruza wrote:
Sat Mar 04, 2017 8:51 am
You can do it in C#, but you will need to use some C or C++ porting of 'kernel32.dll'.
I know these functions (read/write process memory), I use them to change some values and for pointers. The thing is I don't see how they can help me in this case....
I'd like to code something like:

1 Hook the instruction "MOV" in 4FCD7B.
2 Return the ECX value every time the MOV instruction is called.

...
WriteProcessMemory
Writing is worthless in this case, isn't it? What I want to do is reading only.
So if you want to do this in C# you will need to:
  • hook to the process.
  • Find a code cave for hooks and storing values. (reading)
  • Then find your injection point; an AOB scan is best. (reading)
  • Write the new code (in the code cave) that does the mov, then stores the value and jumps back to the injection point. (writing)(reading)
  • Then inject the new jmp to the new code in the code cave. (writing)
Which requires reading and writing.

Unless I misread, which happens, that's what you're looking for.
I hope this helps.
Code Happy, Code Freely, Be Awesome.

++METHOS
Administration
Posts: 203
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 27

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by ++METHOS » Sat Mar 04, 2017 9:13 am

Sodruza wrote:
Sat Mar 04, 2017 8:51 am
Trust me, I really tried this before and I guarantee the ID is not close to the XYZ pos in this game.
Anything can be used for an ID as long as it is reliable. See my previous post regarding alternative methods for finding a unique ID for code segregation. Typically, with coordinate values, an instruction can be used that accesses one of those XYZ values exclusively (e.g. for the hero character). Even if that is not the case, you can probably find a value inside of the same data structure that will serve your needs; it does not have to be a value that is even related to the coordinate values.

For example, coordinate X may be at [base+70], but you might find that some random value at [base+44] is being accessed by an instruction that is exclusive to that structure (or blue team structures) etc.

For that matter, a value that is several levels deep inside of a pointer tree may be viable and you are just not seeing it because you have not manually changed the element at those particular offsets.

Sodruza
Noobzor
Posts: 12
Joined: Fri Mar 03, 2017 5:40 pm
Reputation: 0

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by Sodruza » Sat Mar 04, 2017 10:02 am

So if you want to do this in C# you will need to:
  • hook to the process.
  • Find a code cave for hooks and storing values. (reading)
  • Then find your injection point; an AOB scan is best. (reading)
  • Write the new code (in the code cave) that does the mov, then stores the value and jumps back to the injection point. (writing)(reading)
  • Then inject the new jmp to the new code in the code cave. (writing)
This is the exact answer I expected. Damn, I didn't think it would be SO COMPLICATED and require WriteProcessMemory (which would mean it can be detected in some games, can it?)
For that matter, a value that is several levels deep inside of a pointer tree may be viable and you are just not seeing it because you have not manually changed the element at those particular offsets.
You must be right.... I think I will dig more then. Trying to get the ECX value right after a certain instruction is called is way too difficult (as long as I don't have a proper example). I already did API hooking thanks to an example; I think guidelines are just not enough in this case because I don't have your pro level.

I'm very grateful for your help, guys.

TheyCallMeTim13
Cheater
Posts: 31
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 1

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by TheyCallMeTim13 » Sat Mar 04, 2017 10:15 am

But if you stick with it you may find a sweet new tool/toy.
Code Happy, Code Freely, Be Awesome.

predprey
Cheater
Posts: 31
Joined: Thu Mar 02, 2017 8:46 pm
Reputation: 5

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by predprey » Sat Mar 04, 2017 2:49 pm

Sodruza wrote:
Sat Mar 04, 2017 10:02 am
So if you want to do this in C# you will need to:
  • hook to the process.
  • Find a code cave for hooks and storing values. (reading)
  • Then find your injection point; an AOB scan is best. (reading)
  • Write the new code (in the code cave) that does the mov, then stores the value and jumps back to the injection point. (writing)(reading)
  • Then inject the new jmp to the new code in the code cave. (writing)
This is the exact answer I expected. Damn, I didn't think it would be SO COMPLICATED and require WriteProcessMemory (which would mean it can be detected in some games, can it?)
For that matter, a value that is several levels deep inside of a pointer tree may be viable and you are just not seeing it because you have not manually changed the element at those particular offsets.
You must be right.... I think I will dig more then. Trying to get the ECX value right after a certain instruction is called is way too difficult (as long as I don't have a proper example). I already did API hooking thanks to an example; I think guidelines are just not enough in this case because I don't have your pro level.

I'm very grateful for your help, guys.
Well... if you want to hook into the executable you would have to modify its executable code somehow, even for API hooking, so yeah, I guess it's detectable. Alternatively, if you do not want to do that, you would have to backtrace the pointers; I do not know how dynamic they are, but there has to be a static address where it starts from? You can just use ReadProcessMemory to trace from the start to some array I imagine the game uses to store all the ECX values, then read from there.

For scanning you can use ReadProcessMemory to scan, or if you know that the executable code is always loaded at the same position in memory then just write straight to it. As for finding code caves in game hacking, it was necessary back when I was ASM hacking consoles, as that was executable modification, while memory hacking offered no way to allocate memory. But for Windows I think you can just use VirtualAlloc to allocate yourself some memory to write your new code.
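As an added illustration of why predprey's "yes, it's detectable" holds (this is not code from the thread or from any of its posters), here is the check a game's integrity scanner could run against the jmp-to-code-cave hook TheyCallMeTim13's steps describe: compare the live code bytes against a clean copy of the same section and, at the first differing byte, decode any E9 rel32 jmp and see whether it lands outside the module. The sample bytes are constructed; 0x004FCD7B is the address from the thread, the cave address 0x10000000 is made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* What the integrity check found in one code region. */
typedef struct {
    size_t   patched_offset;  /* first byte that differs from the clean image */
    size_t   patched_bytes;   /* length of the differing run */
    int      is_jmp_hook;     /* 1 if that run starts with an E9 rel32 jmp */
    uint32_t jmp_target;      /* absolute jmp target when is_jmp_hook */
    int      target_outside;  /* 1 if the target lies outside [base, base+len) */
} hook_report;

/* Compare live code bytes against a clean copy (e.g. the section re-read from
 * disk). base is the virtual address of live[0]. A detour is E9 + rel32 with
 * rel32 relative to the end of the 5-byte jmp. Returns 1 if anything differs. */
int detect_inline_hook(const uint8_t *clean, const uint8_t *live, size_t len,
                       uint32_t base, hook_report *r)
{
    size_t i = 0, j;
    memset(r, 0, sizeof *r);
    while (i < len && clean[i] == live[i]) i++;
    if (i == len) return 0;                   /* code is pristine */
    for (j = i; j < len && clean[j] != live[j]; j++) ;
    r->patched_offset = i;
    r->patched_bytes = j - i;
    if (live[i] == 0xE9 && i + 5 <= len) {
        int32_t rel;
        memcpy(&rel, live + i + 1, 4);        /* rel32 is little-endian */
        r->is_jmp_hook = 1;
        r->jmp_target = base + (uint32_t)(i + 5) + (uint32_t)rel;
        r->target_outside = (r->jmp_target < base || r->jmp_target >= base + len);
    }
    return 1;
}

/* Constructed sample: mov [ecx],edx (89 11), add ecx,4 (83 C1 04), pop esi (5E),
 * ret (C3) at the thread's 0x004FCD7B; the live copy has its first five bytes
 * replaced by a jmp to a hypothetical cave at 0x10000000. */
int demo(hook_report *r)
{
    static const uint8_t clean[] = {0x89, 0x11, 0x83, 0xC1, 0x04, 0x5E, 0xC3};
    static const uint8_t live[]  = {0xE9, 0x80, 0x32, 0xB0, 0x0F, 0x5E, 0xC3};
    return detect_inline_hook(clean, live, sizeof clean, 0x004FCD7BU, r);
}
```

In a real check the region would be the whole .text section, so a jmp whose target falls outside it (a VirtualAlloc'd cave) is exactly the signature the thread is worried about.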

++METHOS
Administration
Posts: 203
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 27

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by ++METHOS » Sat Mar 04, 2017 9:31 pm

If you are worried about detection, one possible alternative would be to make use of the SE plugin and just hook the function in memory to read the value after execution. You will still need a way to segregate the code. Worst-case scenario, as previously described as one of the methods for finding unique IDs for code segregation, would be to incorporate pointers inside of your script and just compare against that.

So, find your XYZ values (and XYZ of everyone else), and perform a pointer scan on each X value. Once you have reliable pointers for each, just incorporate those inside of your script and compare the register address/value against each one.
