SimAirpot

Memory scanning, code injection, debugger internals and other gamemodding related discussion
Post Reply
User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 131
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 7

SimAirpot

Post by Kalas » Fri Mar 10, 2017 7:58 pm

This is my code for money:

Code: Select all

[ENABLE]

aobscan(aobMoney,DD 5E 20 8B 05 78 8F 88 06)
alloc(newmem,$100)

label(code)
label(return)

alloc(Money,4)

newmem:

Money:
  dq (double)9999999

code:
  fld qword ptr [Money]
  fstp qword ptr [esi+20]
  mov eax,[06888F78]
  jmp return

aobMoney:
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(aobMoney)

[DISABLE]

aobMoney:
  db DD 5E 20 8B 05 78 8F 88 06

unregistersymbol(aobMoney)
dealloc(newmem)
dealloc(Money)

{
// ORIGINAL CODE - INJECTION POINT: 46A0319C

""+46A03167: 8B 75 08              -  mov esi,[ebp+08]
""+46A0316A: C7 45 CC 00 00 00 00  -  mov [ebp-34],00000000
""+46A03171: C7 45 D0 00 00 00 00  -  mov [ebp-30],00000000
""+46A03178: C7 45 D4 00 00 00 00  -  mov [ebp-2C],00000000
""+46A0317F: C7 45 D8 00 00 00 00  -  mov [ebp-28],00000000
""+46A03186: C7 45 DC 00 00 00 00  -  mov [ebp-24],00000000
""+46A0318D: C7 45 E0 00 00 00 00  -  mov [ebp-20],00000000
""+46A03194: DD 46 20              -  fld qword ptr [esi+20]
""+46A03197: DD 45 0C              -  fld qword ptr [ebp+0C]
""+46A0319A: DE C1                 -  faddp 
// ---------- INJECTING HERE ----------
""+46A0319C: DD 5E 20              -  fstp qword ptr [esi+20]
""+46A0319F: 8B 05 78 8F 88 06     -  mov eax,[06888F78]
// ---------- DONE INJECTING  ----------
""+46A031A5: 0F B6 80 D8 00 00 00  -  movzx eax,byte ptr [eax+000000D8]
""+46A031AC: 85 C0                 -  test eax,eax
""+46A031AE: 0F 85 BB 00 00 00     -  jne 46A0326F
""+46A031B4: 8D 46 40              -  lea eax,[esi+40]
""+46A031B7: 8B 08                 -  mov ecx,[eax]
""+46A031B9: 89 4D CC              -  mov [ebp-34],ecx
""+46A031BC: 8B 40 04              -  mov eax,[eax+04]
""+46A031BF: 89 45 D0              -  mov [ebp-30],eax
""+46A031C2: 0F B6 45 D0           -  movzx eax,byte ptr [ebp-30]
""+46A031C6: 85 C0                 -  test eax,eax
}

The Script crashes my game instantly, I wanted to ask is my Script wrong? Or could it be that everything is accessing the same instruction such like in Shadow Warrior 2 so I need to use String to make a Script here?

User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 131
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 7

Re: SimAirpot

Post by Kalas » Fri Mar 10, 2017 8:07 pm

How can I move 9999999 to this code:

Code: Select all

[ENABLE]

aobscan(aobMoney,DD 5E 20 8B 05 78 8F A2 06)
alloc(newmem,$100)

label(code)
label(return)

newmem:

code:
  fstp qword ptr [esi+20]
  mov eax,[06A28F78]
  jmp return

aobMoney:
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(aobMoney)

[DISABLE]

aobMoney:
  db DD 5E 20 8B 05 78 8F A2 06

unregistersymbol(aobMoney)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 46ABE744

""+46ABE70F: 8B 75 08              -  mov esi,[ebp+08]
""+46ABE712: C7 45 CC 00 00 00 00  -  mov [ebp-34],00000000
""+46ABE719: C7 45 D0 00 00 00 00  -  mov [ebp-30],00000000
""+46ABE720: C7 45 D4 00 00 00 00  -  mov [ebp-2C],00000000
""+46ABE727: C7 45 D8 00 00 00 00  -  mov [ebp-28],00000000
""+46ABE72E: C7 45 DC 00 00 00 00  -  mov [ebp-24],00000000
""+46ABE735: C7 45 E0 00 00 00 00  -  mov [ebp-20],00000000
""+46ABE73C: DD 46 20              -  fld qword ptr [esi+20]
""+46ABE73F: DD 45 0C              -  fld qword ptr [ebp+0C]
""+46ABE742: DE C1                 -  faddp 
// ---------- INJECTING HERE ----------
""+46ABE744: DD 5E 20              -  fstp qword ptr [esi+20]
""+46ABE747: 8B 05 78 8F A2 06     -  mov eax,[06A28F78]
// ---------- DONE INJECTING  ----------
""+46ABE74D: 0F B6 80 D8 00 00 00  -  movzx eax,byte ptr [eax+000000D8]
""+46ABE754: 85 C0                 -  test eax,eax
""+46ABE756: 0F 85 BB 00 00 00     -  jne 46ABE817
""+46ABE75C: 8D 46 40              -  lea eax,[esi+40]
""+46ABE75F: 8B 08                 -  mov ecx,[eax]
""+46ABE761: 89 4D CC              -  mov [ebp-34],ecx
""+46ABE764: 8B 40 04              -  mov eax,[eax+04]
""+46ABE767: 89 45 D0              -  mov [ebp-30],eax
""+46ABE76A: 0F B6 45 D0           -  movzx eax,byte ptr [ebp-30]
""+46ABE76E: 85 C0                 -  test eax,eax
}

Schnitzelmaker
Expert Cheater
Expert Cheater
Posts: 60
Joined: Fri Mar 03, 2017 6:18 pm
Reputation: 15

Re: SimAirpot

Post by Schnitzelmaker » Fri Mar 10, 2017 8:14 pm

Move your money label after the jmp return.

Btw: mov eax,[06A28F78] might cause compatibility issue. It could be different each time you start the game or each time the game is updated.

Code: Select all

[ENABLE]

aobscan(aobMoney,DD 5E 20 8B 05 78 8F A2 06)
alloc(newmem,$100)

label(code)
label(return)
label(Money)

newmem:

code:
  fld qword ptr [Money]
  fstp qword ptr [esi+20]
  mov eax,[06A28F78]
  jmp return

Money:
  dq (double)9999999

aobMoney:
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(aobMoney)

[DISABLE]

aobMoney:
  db DD 5E 20 8B 05 78 8F A2 06

unregistersymbol(aobMoney)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 46ABE744

""+46ABE70F: 8B 75 08              -  mov esi,[ebp+08]
""+46ABE712: C7 45 CC 00 00 00 00  -  mov [ebp-34],00000000
""+46ABE719: C7 45 D0 00 00 00 00  -  mov [ebp-30],00000000
""+46ABE720: C7 45 D4 00 00 00 00  -  mov [ebp-2C],00000000
""+46ABE727: C7 45 D8 00 00 00 00  -  mov [ebp-28],00000000
""+46ABE72E: C7 45 DC 00 00 00 00  -  mov [ebp-24],00000000
""+46ABE735: C7 45 E0 00 00 00 00  -  mov [ebp-20],00000000
""+46ABE73C: DD 46 20              -  fld qword ptr [esi+20]
""+46ABE73F: DD 45 0C              -  fld qword ptr [ebp+0C]
""+46ABE742: DE C1                 -  faddp 
// ---------- INJECTING HERE ----------
""+46ABE744: DD 5E 20              -  fstp qword ptr [esi+20]
""+46ABE747: 8B 05 78 8F A2 06     -  mov eax,[06A28F78]
// ---------- DONE INJECTING  ----------
""+46ABE74D: 0F B6 80 D8 00 00 00  -  movzx eax,byte ptr [eax+000000D8]
""+46ABE754: 85 C0                 -  test eax,eax
""+46ABE756: 0F 85 BB 00 00 00     -  jne 46ABE817
""+46ABE75C: 8D 46 40              -  lea eax,[esi+40]
""+46ABE75F: 8B 08                 -  mov ecx,[eax]
""+46ABE761: 89 4D CC              -  mov [ebp-34],ecx
""+46ABE764: 8B 40 04              -  mov eax,[eax+04]
""+46ABE767: 89 45 D0              -  mov [ebp-30],eax
""+46ABE76A: 0F B6 45 D0           -  movzx eax,byte ptr [ebp-30]
""+46ABE76E: 85 C0                 -  test eax,eax
}

User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 131
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 7

Re: SimAirpot

Post by Kalas » Fri Mar 10, 2017 8:22 pm

I simply did that:

Code: Select all

[ENABLE]

aobscan(aobMoney,DD 5E 20 8B 05 78 8F ?? ??)
alloc(newmem,$100)

label(code)
label(return)

alloc(Money,4)
registersymbol(Money)

newmem:

code:
  push rbx
  lea rbx,[esi+20]
  mov [Money],rbx
  pop rbx
  fstp qword ptr [esi+20]
  mov eax,[06A28F78]
  jmp return

aobMoney:
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(aobMoney)

[DISABLE]

aobMoney:
  db DD 5E 20 8B 05 78 8F A2 06

unregistersymbol(aobMoney)
unregistersymbol(Money)
dealloc(newmem)
dealloc(Money)
{
// ORIGINAL CODE - INJECTION POINT: 46ABE744

""+46ABE70F: 8B 75 08              -  mov esi,[ebp+08]
""+46ABE712: C7 45 CC 00 00 00 00  -  mov [ebp-34],00000000
""+46ABE719: C7 45 D0 00 00 00 00  -  mov [ebp-30],00000000
""+46ABE720: C7 45 D4 00 00 00 00  -  mov [ebp-2C],00000000
""+46ABE727: C7 45 D8 00 00 00 00  -  mov [ebp-28],00000000
""+46ABE72E: C7 45 DC 00 00 00 00  -  mov [ebp-24],00000000
""+46ABE735: C7 45 E0 00 00 00 00  -  mov [ebp-20],00000000
""+46ABE73C: DD 46 20              -  fld qword ptr [esi+20]
""+46ABE73F: DD 45 0C              -  fld qword ptr [ebp+0C]
""+46ABE742: DE C1                 -  faddp 
// ---------- INJECTING HERE ----------
""+46ABE744: DD 5E 20              -  fstp qword ptr [esi+20]
""+46ABE747: 8B 05 78 8F A2 06     -  mov eax,[06A28F78]
// ---------- DONE INJECTING  ----------
""+46ABE74D: 0F B6 80 D8 00 00 00  -  movzx eax,byte ptr [eax+000000D8]
""+46ABE754: 85 C0                 -  test eax,eax
""+46ABE756: 0F 85 BB 00 00 00     -  jne 46ABE817
""+46ABE75C: 8D 46 40              -  lea eax,[esi+40]
""+46ABE75F: 8B 08                 -  mov ecx,[eax]
""+46ABE761: 89 4D CC              -  mov [ebp-34],ecx
""+46ABE764: 8B 40 04              -  mov eax,[eax+04]
""+46ABE767: 89 45 D0              -  mov [ebp-30],eax
""+46ABE76A: 0F B6 45 D0           -  movzx eax,byte ptr [ebp-30]
""+46ABE76E: 85 C0                 -  test eax,eax
}
Added address manually, pointer title Money, now everytime I restart game I must lose money and then I can activate and then lose more money and then the value will pop up and will be changeable.

FreeER
Novice Cheater
Novice Cheater
Posts: 20
Joined: Fri Mar 10, 2017 7:11 pm
Reputation: 0
Contact:

Re: SimAirpot

Post by FreeER » Fri Mar 10, 2017 8:43 pm

Alternatively you can change the "jmp newmem", which is not assembly code you want executed due to the double value, to "jmp code", which is. Then you can use "newmem" instead creating another label for "Money" (admittedly creating a label that describes it is more "self-documenting"...).

Also, since it whatever value was on the FPU stack that was going to be stored would also have beenpopped you'll probably want to do two "fstp"s; One to pop the intended value and then, after loading the new value, to store and pop yours. Or use "fstp st(0)" to pop the intended value without storing it anywhere in memory (probably slightly more efficient); Or prevent the load.

(after preview and seeing your update) Hm, though simply storing the address works too. Often the register, esi in this case, points to some "player info" "struct" with several other useful values nearby, so you might want to just store esi instead of esi+20 (look at it in the data dissector and see if you can find any other useful values you can see Geri's tutorial here https://web.archive.org/web/20160331215 ... structures if you don't know how, or do a search on youtube, I recall there being a couple video tutorials). And then you could use that value as part of address to each of the different values you cared about, for example Base+20 for Money and (just a random example) Base+10 for XP.

User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 131
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 7

Re: SimAirpot

Post by Kalas » Fri Mar 10, 2017 8:48 pm

Actually at the end I figured out that the Array of byte keeps changing in this location:

Code: Select all

DD 5E 20 8B 05 78 8F ?? 06
You see where I add "??", this byte I guess you call it keeps changing as I've checked, so this is basically "fixed" the issue, the full script I used is this:

Code: Select all

[ENABLE]

aobscan(aobMoneyv2,DD 5E 20 8B 05 78 8F ?? 06)
alloc(newmem,$100)

label(code)
label(return)

alloc(Moneyv2,4)

newmem:

code:
  fld qword ptr [Moneyv2]
  fstp qword ptr [esi+20]
  mov eax,[06AB8F78]
  jmp return

Moneyv2:
  dq (double)9999999

aobMoneyv2:
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(aobMoneyv2)

[DISABLE]

aobMoneyv2:
  db DD 5E 20 8B 05 78 8F AB 06

unregistersymbol(aobMoneyv2)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 46FF071C

""+46FF06E7: 8B 75 08              -  mov esi,[ebp+08]
""+46FF06EA: C7 45 CC 00 00 00 00  -  mov [ebp-34],00000000
""+46FF06F1: C7 45 D0 00 00 00 00  -  mov [ebp-30],00000000
""+46FF06F8: C7 45 D4 00 00 00 00  -  mov [ebp-2C],00000000
""+46FF06FF: C7 45 D8 00 00 00 00  -  mov [ebp-28],00000000
""+46FF0706: C7 45 DC 00 00 00 00  -  mov [ebp-24],00000000
""+46FF070D: C7 45 E0 00 00 00 00  -  mov [ebp-20],00000000
""+46FF0714: DD 46 20              -  fld qword ptr [esi+20]
""+46FF0717: DD 45 0C              -  fld qword ptr [ebp+0C]
""+46FF071A: DE C1                 -  faddp 
// ---------- INJECTING HERE ----------
""+46FF071C: DD 5E 20              -  fstp qword ptr [esi+20]
""+46FF071F: 8B 05 78 8F AB 06     -  mov eax,[06AB8F78]
// ---------- DONE INJECTING  ----------
""+46FF0725: 0F B6 80 D8 00 00 00  -  movzx eax,byte ptr [eax+000000D8]
""+46FF072C: 85 C0                 -  test eax,eax
""+46FF072E: 0F 85 BB 00 00 00     -  jne 46FF07EF
""+46FF0734: 8D 46 40              -  lea eax,[esi+40]
""+46FF0737: 8B 08                 -  mov ecx,[eax]
""+46FF0739: 89 4D CC              -  mov [ebp-34],ecx
""+46FF073C: 8B 40 04              -  mov eax,[eax+04]
""+46FF073F: 89 45 D0              -  mov [ebp-30],eax
""+46FF0742: 0F B6 45 D0           -  movzx eax,byte ptr [ebp-30]
""+46FF0746: 85 C0                 -  test eax,eax
}

Post Reply

Who is online

Users browsing this forum: No registered users