
Hello a newbie here approaching making tables!

Posted: Mon Jul 17, 2017 12:52 pm
by LegendZero88
Hiii to all, I have some points to discuss with everyone here and hope someone can help.
I'm trying to hack a game, followed some tutorial, and now I'm here.
I'm trying to find mana.
1) Find the address.
2) See what accesses this value and move around a bit, use mana.
3) There are multiple fld instructions on esi+30 and one fstp instruction on esi+30.
4) Check the value of the register esi.
5) Open memory viewer (ctrl+d) and dissect the structure with the register address.
6) The dissect is successful, I see my offset (30) and others that point to max etc.

Now that is the problem... what do I have to do from here?
I know I'm a noob but... I don't really understand what to do now.

Re: Hello a newbie here approaching making tables!

Posted: Mon Jul 17, 2017 5:09 pm
by Squall8
That depends. If you want to simply stop the value from decreasing, debug with 'what writes' and nop the instruction that pops up when you use some mana.

If you want to make a pointer, you're better off finding an instruction that constantly updates. That way as soon as you activate your script your pointers will populate.

Also make sure your instruction is exclusive to the player, meaning no other addresses access the instruction. You can right-click in the debugger window and select 'check if found opcodes also access other addresses'. It's pretty self-explanatory from there.

Once you found a good instruction let me know.

Re: Hello a newbie here approaching making tables!

Posted: Mon Jul 17, 2017 5:19 pm
by LegendZero88
Hi. I will detail it a bit better.
The game in question is MidBoss, and I'm hacking mana, which is a float.
The fld instruction is called frequently and is unique; the fstp only when it decreases or increases.
Now the question is: how do I compile a script... or a pointer for this value?
I don't understand how to finalize my findings.
Thanks for all the help.

Re: Hello a newbie here approaching making tables!

Posted: Mon Jul 17, 2017 5:46 pm
by Squall8
Paste an unmodified aob injection template of the instruction you found.

Re: Hello a newbie here approaching making tables!

Posted: Mon Jul 17, 2017 6:11 pm
by LegendZero88
Here it is:

Code:

{ Game   : MidBoss.exe
  Version: 1.1.6
  Date   : 2017-07-17
  Author : LegendZero

  This script does blah blah blah
}

[ENABLE]

aobscan(mana,D9 5E 30 D9 46 30 8B CE D9 5D F8) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  fstp dword ptr [esi+30]
  fld dword ptr [esi+30]
  jmp return

mana:
  jmp newmem
  nop
return:
registersymbol(mana)

[DISABLE]

mana:
  db D9 5E 30 D9 46 30

unregistersymbol(mana)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 0E1A7D02

""+E1A7CED: 00 00                 -  add [eax],al
""+E1A7CEF: 00 78 DF              -  add [eax-21],bh
""+E1A7CF2: EF                    -  out dx,eax
""+E1A7CF3: 0D 60 63 63 0D        -  or eax,D636360
""+E1A7CF8: 55                    -  push ebp
""+E1A7CF9: 8B EC                 -  mov ebp,esp
""+E1A7CFB: 56                    -  push esi
""+E1A7CFC: 50                    -  push eax
""+E1A7CFD: 8B F1                 -  mov esi,ecx
""+E1A7CFF: D9 45 08              -  fld dword ptr [ebp+08]
// ---------- INJECTING HERE ----------
""+E1A7D02: D9 5E 30              -  fstp dword ptr [esi+30]
""+E1A7D05: D9 46 30              -  fld dword ptr [esi+30]
// ---------- DONE INJECTING  ----------
""+E1A7D08: 8B CE                 -  mov ecx,esi
""+E1A7D0A: D9 5D F8              -  fstp dword ptr [ebp-08]
""+E1A7D0D: 8B 01                 -  mov eax,[ecx]
""+E1A7D0F: 8B 40 28              -  mov eax,[eax+28]
""+E1A7D12: FF 50 10              -  call dword ptr [eax+10]
""+E1A7D15: D9 45 F8              -  fld dword ptr [ebp-08]
""+E1A7D18: DB 46 28              -  fild dword ptr [esi+28]
""+E1A7D1B: D9 5D F8              -  fstp dword ptr [ebp-08]
""+E1A7D1E: D9 45 F8              -  fld dword ptr [ebp-08]
""+E1A7D21: DF F1                 -  fcomip st(0),st(1)
}

Re: Hello a newbie here approaching making tables!

Posted: Mon Jul 17, 2017 8:14 pm
by Squall8
Pointer:

Code:

[ENABLE]

aobscan(mana,D9 5E 30 D9 46 30 8B CE D9 5D F8)
alloc(newmem,$1000)

label(code)
label(return)
label(manapointer)  //Add this.

registersymbol(mana)
registersymbol(manapointer) //And this.

newmem:
  mov [manapointer],esi //And this. Your symbol that you can use outside of the script. Pretty self explanatory.

code:
  fstp dword ptr [esi+30]
  fld dword ptr [esi+30]
  jmp return
  
manapointer: //Your label
  dd 0  // dd for 32bit, dq for 64bit.

mana:
  jmp newmem
  nop
return:

[DISABLE]

mana:
  db D9 5E 30 D9 46 30

unregistersymbol(mana)
unregistersymbol(manapointer)
dealloc(newmem)
Let's just say you used 'what writes' to find this instruction. To nop it:

Code:

[ENABLE]

aobscan(mana,D9 5E 30 D9 46 30 8B CE D9 5D F8)
registersymbol(mana)

mana:
  db 90 90 90 // Length in bytes of original instruction.

[DISABLE]

mana:
  db D9 5E 30 //Notice I got rid of the last 3 bytes. 

unregistersymbol(mana)

Re: Hello a newbie here approaching making tables!

Posted: Tue Jul 18, 2017 2:54 pm
by LegendZero88
Both scripts didn't work... probably I missed something or have done things wrong... uhm...
Thanks anyway :D

Re: Hello a newbie here approaching making tables!

Posted: Fri Jul 21, 2017 9:14 am
by LegendZero88
I understood the problem. I have done other scripts, but I can't do health, mana or stamina because the instruction and bytes are the same for all three... how can I resolve this?

Re: Hello a newbie here approaching making tables!

Posted: Fri Jul 21, 2017 10:44 am
by Squall8
If you're talking about 3 different instructions that have a similar byte pattern in assembly then you need to find a difference somewhere and include that in your array.

If you're talking about one instruction sharing these 3 addresses you will be better off using 'what accesses' to find an instruction accessing only health, mana or stamina. From there you can push the max value into the current or something, get creative.
Or if you're feeling lazy just nop the instruction and call the cheat Max Stats :lol: !

Re: Hello a newbie here approaching making tables!

Posted: Fri Jul 21, 2017 2:11 pm
by LegendZero88
I have been able to create a pointer with AOB injection for mana.
But when I try to create it for health and stamina, it gets back the mana value for all of them, because the fld and fstp instructions are always on the same bytes...
Why does it always give me back mana...?


PS: I tried what you said... I tried even backtracking... but I'm no good with it.
For 'what accesses this address' the same two instructions show up for all of them, on the same bytes.

Re: Hello a newbie here approaching making tables!

Posted: Fri Jul 21, 2017 6:18 pm
by Squall8
Still not sure what you mean. Take a screenshot of the debugger windows for health, mana and stamina. Use 'what accesses', and in the debugger window right-click and choose 'check if found opcodes access other addresses'. Just upload one screenshot with all 3 side by side. Snippets of the assembly region wouldn't hurt either.

Also have you tried adding pointers with different offsets that point to health or stamina? As long as they are in the same data structure and the instruction you used for mana isn't shared you will be able to.

Re: Hello a newbie here approaching making tables!

Posted: Sat Jul 22, 2017 3:32 am
by Squall8
I took a look into the game myself. It's a bit more complicated than I was anticipating. Anyways, here is what I came up with:

Code:

{ Game   : MidBoss.exe
  Version: 
  Date   : 2017-07-21
  Author : Squall8
}

[ENABLE]

aobscan(infhealth,D9 46 30 DF F1 DD D8 7A 06 0F 84 7D)
alloc(newmem,$1000,MidBoss.exe)

label(code)
label(return)

newmem:
  push eax               //Basically what it says. 
  mov eax,[esi+14]       //Moves 4 Byte Max Health value into eax.
  cvtsi2ss xmm0,eax      //Converts value in eax to a float value in xmm0.
  movss [esi+30],xmm0    //Moves "Max Health into Current Health".
  pop eax

code:
  fld dword ptr [esi+30]
  fcomip st(0),st(1)
  jmp return

infhealth:
  jmp newmem
return:
registersymbol(infhealth)

[DISABLE]

infhealth:
  db D9 46 30 DF F1

unregistersymbol(infhealth)
dealloc(newmem)

You should be able to figure out what I did here. You will basically have to do the same thing for mana and stamina. Let me know if you need any more help.

Re: Hello a newbie here approaching making tables!

Posted: Sat Jul 22, 2017 6:15 am
by LegendZero88
I think I understood what you did there.
Simply put, you dissected the structure for health, moved max into eax, converted it and then replaced current health.
So I think I will have to do the same thing for mana and stamina... I will try to do it as soon as possible...

PS: and of course you have taken the address with only one access.

Thanks, I think I will do it in the afternoon and post my result here, hoping I succeed with it.

Re: Hello a newbie here approaching making tables!

Posted: Sat Jul 22, 2017 3:32 pm
by LegendZero88
Okay, I did almost all of the scripts but I have two problems:
1) If I activate inf health first, inf mana doesn't work; if I activate inf mana first, inf health works.
2) For infinite stamina... there isn't an instruction that accesses only stamina, so I can't do the script... :(

Then a little question:
If in form points, for example, we have 0/30 and I put the script to mov the max, then it will not add the ability.
So... how can I put the max -1 (in this case 29) in the script? I will post all scripts below.

inf mana

Code:

{ Game   : MidBoss.exe
  Version: 1.1.6
  Date   : 2017-07-22
  Author : LegendZero88

  This script lets you have infinite mana (activate first).
  Many thanks to Squall8, without him I would not post this.
}

[ENABLE]

aobscan(infmana,D9 46 30 DF F1) // should be unique
alloc(mana,$1000)

label(code)
label(return)

mana:
  push eax
  mov eax, [esi+14]
  cvtsi2ss xmm1,eax
  movss [esi+30],xmm1
  pop eax


code:
  fld dword ptr [esi+30]
  fcomip st(0),st(1)
  jmp return

infmana:
  jmp mana
return:
registersymbol(infmana)

[DISABLE]

infmana:
  db D9 46 30 DF F1

unregistersymbol(infmana)
dealloc(mana)

{
// ORIGINAL CODE - INJECTION POINT: 0EEF7E5D

""+EEF7E3B: E8 F0 69 FE 4E        -  call clr.dll+E830
""+EEF7E40: 8B C8                 -  mov ecx,eax
""+EEF7E42: FF 15 44 11 67 01     -  call dword ptr [01671144]
""+EEF7E48: 3B C6                 -  cmp eax,esi
""+EEF7E4A: 0F 85 A9 00 00 00     -  jne 0EEF7EF9
""+EEF7E50: 8B CE                 -  mov ecx,esi
""+EEF7E52: 8B 01                 -  mov eax,[ecx]
""+EEF7E54: 8B 40 28              -  mov eax,[eax+28]
""+EEF7E57: FF 50 10              -  call dword ptr [eax+10]
""+EEF7E5A: D9 45 F8              -  fld dword ptr [ebp-08]
// ---------- INJECTING HERE ----------
""+EEF7E5D: D9 46 30              -  fld dword ptr [esi+30]
""+EEF7E60: DF F1                 -  fcomip st(0),st(1)
// ---------- DONE INJECTING  ----------
""+EEF7E62: DD D8                 -  fstp st(0)
""+EEF7E64: 7A 06                 -  jp 0EEF7E6C
""+EEF7E66: 0F 84 8D 00 00 00     -  je 0EEF7EF9
""+EEF7E6C: 8B CE                 -  mov ecx,esi
""+EEF7E6E: 8B 01                 -  mov eax,[ecx]
""+EEF7E70: 8B 40 28              -  mov eax,[eax+28]
""+EEF7E73: FF 50 10              -  call dword ptr [eax+10]
""+EEF7E76: D9 46 30              -  fld dword ptr [esi+30]
""+EEF7E79: D9 5D F4              -  fstp dword ptr [ebp-0C]
""+EEF7E7C: 8B CE                 -  mov ecx,esi
}
inf health

Code:

{ Game   : MidBoss.exe
  Version: 1.1.6
  Date   : 2017-07-22
  Author : LegendZero88

  This script lets you have infinite health.
  Many thanks to Squall8, without him I would not post this.
}

[ENABLE]

aobscan(infinitehealth,D9 46 30 DF F1 DD D8 7A 06 0F 84 7D) // should be unique
alloc(inhealth,$1000)

label(code)
label(return)

inhealth:
  push eax
  mov eax,[esi+14]
  cvtsi2ss xmm0,eax
  movss [esi+30],xmm0
  pop eax


code:
  fld dword ptr [esi+30]
  fcomip st(0),st(1)
  jmp return

infinitehealth:
  jmp inhealth
return:
registersymbol(infinitehealth)

[DISABLE]

infinitehealth:
  db D9 46 30 DF F1

unregistersymbol(infinitehealth)
dealloc(inhealth)

{
// ORIGINAL CODE - INJECTION POINT: 0F771DFD

""+F771DDB: E8 50 CA 76 4E        -  call clr.dll+E830
""+F771DE0: 8B C8                 -  mov ecx,eax
""+F771DE2: FF 15 3C 05 48 10     -  call dword ptr [1048053C]
""+F771DE8: 3B C6                 -  cmp eax,esi
""+F771DEA: 0F 85 99 00 00 00     -  jne 0F771E89
""+F771DF0: 8B CE                 -  mov ecx,esi
""+F771DF2: 8B 01                 -  mov eax,[ecx]
""+F771DF4: 8B 40 28              -  mov eax,[eax+28]
""+F771DF7: FF 50 10              -  call dword ptr [eax+10]
""+F771DFA: D9 45 F8              -  fld dword ptr [ebp-08]
// ---------- INJECTING HERE ----------
""+F771DFD: D9 46 30              -  fld dword ptr [esi+30]
""+F771E00: DF F1                 -  fcomip st(0),st(1)
// ---------- DONE INJECTING  ----------
""+F771E02: DD D8                 -  fstp st(0)
""+F771E04: 7A 06                 -  jp 0F771E0C
""+F771E06: 0F 84 7D 00 00 00     -  je 0F771E89
""+F771E0C: 8B CE                 -  mov ecx,esi
""+F771E0E: 8B 01                 -  mov eax,[ecx]
""+F771E10: 8B 40 28              -  mov eax,[eax+28]
""+F771E13: FF 50 10              -  call dword ptr [eax+10]
""+F771E16: D9 46 30              -  fld dword ptr [esi+30]
""+F771E19: 8B CE                 -  mov ecx,esi
""+F771E1B: D9 5D F4              -  fstp dword ptr [ebp-0C]
}
increase stat points

Code:

{ Game   : MidBoss.exe
  Version: 1.1.6
  Date   : 2017-07-22
  Author : LegendZero88

  This script will increase your stat points instead of decreasing them.
  Many thanks to Squall8, without him I would not post this.
}

[ENABLE]

aobscan(statpoints,8B 46 48 48 89 46 48) // should be unique
alloc(spoints,$1000)

label(code)
label(return)

spoints:

code:
  mov eax,[esi+48]
  inc eax
  mov [esi+48],eax
  jmp return

statpoints:
  jmp spoints
  nop
  nop
return:
registersymbol(statpoints)

[DISABLE]

statpoints:
  db 8B 46 48 48 89 46 48

unregistersymbol(statpoints)
dealloc(spoints)

{
// ORIGINAL CODE - INJECTION POINT: 056DC1E5

""+56DC1BE: 8B F9              -  mov edi,ecx
""+56DC1C0: 8B DA              -  mov ebx,edx
""+56DC1C2: B9 24 47 35 05     -  mov ecx,05354724
""+56DC1C7: E8 BC B1 F0 08     -  call 0E5E7388
""+56DC1CC: 8B C8              -  mov ecx,eax
""+56DC1CE: 33 D2              -  xor edx,edx
""+56DC1D0: E8 9B B2 F0 08     -  call 0E5E7470
""+56DC1D5: 8B B7 A8 01 00 00  -  mov esi,[edi+000001A8]
""+56DC1DB: 83 7E 48 00        -  cmp dword ptr [esi+48],00
""+56DC1DF: 0F 8E 50 01 00 00  -  jng 056DC335
// ---------- INJECTING HERE ----------
""+56DC1E5: 8B 46 48           -  mov eax,[esi+48]
""+56DC1E8: 48                 -  dec eax
""+56DC1E9: 89 46 48           -  mov [esi+48],eax
// ---------- DONE INJECTING  ----------
""+56DC1EC: 85 DB              -  test ebx,ebx
""+56DC1EE: 74 1C              -  je 056DC20C
""+56DC1F0: 81 3B 34 07 A5 0D  -  cmp [ebx],0DA50734
""+56DC1F6: 75 04              -  jne 056DC1FC
""+56DC1F8: 8B CB              -  mov ecx,ebx
""+56DC1FA: EB 0E              -  jmp 056DC20A
""+56DC1FC: 8B D3              -  mov edx,ebx
""+56DC1FE: B9 34 07 A5 0D     -  mov ecx,0DA50734
""+56DC203: E8 48 CE 80 58     -  call clr.dll+19050
""+56DC208: 8B C8              -  mov ecx,eax
}
form points to max (this doesn't work too well because it doesn't give the ability)

Code:

{ Game   : MidBoss.exe
  Version: 1.1.6
  Date   : 2017-07-22
  Author : LegendZero88

  This script lets you have max form points when killing a monster, but does not give you abilities.
  Many thanks to Squall8, without him I would not post this.
}

[ENABLE]

aobscan(formpoints,8B 46 2C 03 C7) // should be unique
alloc(fpoints,$1000)

label(code)
label(return)

fpoints:

code:
  mov eax,[esi+2C]
  mov eax,[esi+30]
  jmp return

formpoints:
  jmp fpoints
return:
registersymbol(formpoints)

[DISABLE]

formpoints:
  db 8B 46 2C 03 C7

unregistersymbol(formpoints)
dealloc(fpoints)

{
// ORIGINAL CODE - INJECTION POINT: 0F77D8FB

""+F77D8E6: E8 E5 53 48 4C     -  call mscorlib.ni.dll+452CD0
""+F77D8EB: 8B F0              -  mov esi,eax
""+F77D8ED: 80 7E 34 00        -  cmp byte ptr [esi+34],00
""+F77D8F1: 74 08              -  je 0F77D8FB
""+F77D8F3: 59                 -  pop ecx
""+F77D8F4: 5B                 -  pop ebx
""+F77D8F5: 5E                 -  pop esi
""+F77D8F6: 5F                 -  pop edi
""+F77D8F7: 5D                 -  pop ebp
""+F77D8F8: C2 04 00           -  ret 0004
// ---------- INJECTING HERE ----------
""+F77D8FB: 8B 46 2C           -  mov eax,[esi+2C]
""+F77D8FE: 03 C7              -  add eax,edi
// ---------- DONE INJECTING  ----------
""+F77D900: 89 46 2C           -  mov [esi+2C],eax
""+F77D903: 0F B6 45 08        -  movzx eax,byte ptr [ebp+08]
""+F77D907: 85 C0              -  test eax,eax
""+F77D909: 75 5A              -  jne 0F77D965
""+F77D90B: 8B 45 F0           -  mov eax,[ebp-10]
""+F77D90E: 8B 48 24           -  mov ecx,[eax+24]
""+F77D911: 8B D7              -  mov edx,edi
""+F77D913: 39 09              -  cmp [ecx],ecx
""+F77D915: FF 15 B8 FC 70 01  -  call dword ptr [0170FCB8]
""+F77D91B: EB 48              -  jmp 0F77D965
}
form point pointer

Code:

{ Game   : MidBoss.exe
  Version: 1.1.6
  Date   : 2017-07-22
  Author : LegendZero88

  This script takes the pointer for form points.
  Many thanks to Squall8, without him I would not post this.
}

[ENABLE]

aobscan(formpoints,8B 46 2C 03 C7) // should be unique
alloc(fpoints,$1000)

label(code)
label(return)
label(formpointer)

registersymbol(formpointer)

fpoints:
  mov [formpointer],esi

code:
  mov eax,[esi+2C]
  add eax,edi
  jmp return

formpointer:
  dq 0

formpoints:
  jmp fpoints
return:
registersymbol(formpoints)

[DISABLE]

formpoints:
  db 8B 46 2C 03 C7

unregistersymbol(formpoints)
unregistersymbol(formpointer)
dealloc(fpoints)

{
// ORIGINAL CODE - INJECTION POINT: 0F77D8FB

""+F77D8E6: E8 E5 53 48 4C     -  call mscorlib.ni.dll+452CD0
""+F77D8EB: 8B F0              -  mov esi,eax
""+F77D8ED: 80 7E 34 00        -  cmp byte ptr [esi+34],00
""+F77D8F1: 74 08              -  je 0F77D8FB
""+F77D8F3: 59                 -  pop ecx
""+F77D8F4: 5B                 -  pop ebx
""+F77D8F5: 5E                 -  pop esi
""+F77D8F6: 5F                 -  pop edi
""+F77D8F7: 5D                 -  pop ebp
""+F77D8F8: C2 04 00           -  ret 0004
// ---------- INJECTING HERE ----------
""+F77D8FB: 8B 46 2C           -  mov eax,[esi+2C]
""+F77D8FE: 03 C7              -  add eax,edi
// ---------- DONE INJECTING  ----------
""+F77D900: 89 46 2C           -  mov [esi+2C],eax
""+F77D903: 0F B6 45 08        -  movzx eax,byte ptr [ebp+08]
""+F77D907: 85 C0              -  test eax,eax
""+F77D909: 75 5A              -  jne 0F77D965
""+F77D90B: 8B 45 F0           -  mov eax,[ebp-10]
""+F77D90E: 8B 48 24           -  mov ecx,[eax+24]
""+F77D911: 8B D7              -  mov edx,edi
""+F77D913: 39 09              -  cmp [ecx],ecx
""+F77D915: FF 15 B8 FC 70 01  -  call dword ptr [0170FCB8]
""+F77D91B: EB 48              -  jmp 0F77D965
}

Re: Hello a newbie here approaching making tables!

Posted: Sat Jul 22, 2017 7:12 pm
by Squall8
You'll have to find a more unique array for inf mana so that it differs from inf health. This should do:

Code:

aobscan(infmana,D9 46 30 DF F1 DD D8 7A 06 0F 84 8D) //Notice the last byte in the health array is 7D.
For inf stamina you'll need to filter out all other addresses except stamina. I'll go over that more later if you need help with it.

For max points use 'what writes' so it only executes when you gain a point. Then set it up like this:

Code:

fpoints:
  push [esi+2C]  //This Should Be The Max Value
  pop [esi+30]   //Into Current Value

code:
  // whatever original code was
I'll look into the game again later today for stamina.
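Added example (not code from the thread, the game or Cheat Engine itself): a small Python AOB scanner run over a constructed buffer containing the health and mana code sites copied from the listings above. It shows why the five-byte mana signature hits both sites while the twelve-byte signatures, which differ only in the `je` displacement (7D vs 8D), each hit exactly once. Wildcard bytes (`??`) are an assumption beyond what the thread's scripts use.

```python
"""Added example: check whether an AOB signature is unique in a code buffer."""
import re

# Constructed sample buffer (not a dump from the game): the health and mana
# code sites copied from the thread's disassembly listings, laid out back to
# back with padding. Around the injection point the two sites are byte-identical
# except for the `je` displacement: 7D at the health site, 8D at the mana site.
HEALTH_SITE = bytes.fromhex(
    "8BCE 8B01 8B4028 FF5010 D945F8 D94630 DFF1 DDD8 7A06 0F847D000000 8BCE"
)
MANA_SITE = bytes.fromhex(
    "8BCE 8B01 8B4028 FF5010 D945F8 D94630 DFF1 DDD8 7A06 0F848D000000 8BCE"
)
CODE = HEALTH_SITE + b"\x90" * 16 + MANA_SITE


def parse_aob(pattern: str) -> bytes:
    """Compile 'D9 46 30 ?? F1' into a bytes regex; '??' or '*' is a wildcard byte.

    Wildcard support is an assumption of this example; the thread's scripts
    only use fully specified byte patterns.
    """
    parts = []
    for tok in pattern.split():
        if tok in ("??", "*"):
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # Lookahead so overlapping hits are reported too.
    return b"(?=" + b"".join(parts) + b")"


def aob_matches(buf: bytes, pattern: str) -> list:
    """Return every offset in buf where the signature matches."""
    rx = re.compile(parse_aob(pattern), re.DOTALL)
    return [m.start() for m in rx.finditer(buf)]


def is_unique(buf: bytes, pattern: str) -> bool:
    """True only if the signature hits exactly once, which is what aobscan needs."""
    return len(aob_matches(buf, pattern)) == 1


if __name__ == "__main__":
    for sig in ("D9 46 30 DF F1",
                "D9 46 30 DF F1 DD D8 7A 06 0F 84 7D",
                "D9 46 30 DF F1 DD D8 7A 06 0F 84 8D"):
        hits = aob_matches(CODE, sig)
        print(f"{sig:<40} hits={hits} unique={is_unique(CODE, sig)}")
```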