Assassins Creed Black Flag Script explanation

Schnikonos
What is cheating?
Posts: 1
Joined: Thu Dec 21, 2017 5:59 pm
Reputation: 0

Assassins Creed Black Flag Script explanation

Post by Schnikonos »

Hello,
I've recently downloaded the table offered here viewtopic.php?t=553
and tried to understand how the scripts were working. I'm currently stuck on the Infinite Money script from Steve Andrew.

Code:

//Assassin's Creed 4: Black Flag
//Infinite Money, wood, metal, cloth, rum, sugar, etc...
//Steve Andrew
[enable]
alloc(InfiniteMoneyEtc,1024)
aobscan(MoneyEtcAddress,cc cc cc cc cc cc cc cc cc cc 8b 41 0c c3 cc cc cc cc cc cc cc cc cc cc cc cc 56 57 8b c1 be)
label(SetMoney)
...
label(Exit)
registersymbol(InfiniteMoneyEtc)
registersymbol(MoneyEtcAddress)

InfiniteMoneyEtc+200:
readmem(MoneyEtcAddress+0a,5) //save the 5 original bytes (8b 41 0c c3 cc): used to restore them in [disable] and to read the offset below

InfiniteMoneyEtc:
push ebx
mov ebx,InfiniteMoneyEtc
movzx ebx,byte [ebx+202] //ebx = third saved byte (0c), the displacement of the original mov eax,[ecx+0c]
cmp esi,1 //money
je SetMoney
cmp esi,23 //Sleeping Darts (bare numbers are hex in the auto assembler: 23 = 0x23)
je SetDarts
cmp esi,24 //Berserk Darts
je SetDarts
...
cmp esi,29 //unsigned range check (jb/ja): 0x29 <= esi <= 0x31
jb Exit
cmp esi,31
ja Exit
//wood, metal, cloth, rum, sugar, unknown, heavy shot ammo,
//mortar shot ammo, & fire barrels!! :D
mov eax,#9999
mov [ecx+ebx],eax
pop ebx
ret

Exit:
mov eax,[ecx+ebx]
pop ebx
ret

SetMoney:
mov eax,#999999999
mov [ecx+ebx],eax
pop ebx
ret

...

MoneyEtcAddress+0a:
jmp InfiniteMoneyEtc

[disable]

MoneyEtcAddress+0a:
readmem(InfiniteMoneyEtc+200,5)
//db 8b 41 0c c3 cc
//mov eax,[ecx+0c]
//ret
//int 3

dealloc(InfiniteMoneyEtc)
unregistersymbol(InfiniteMoneyEtc)
unregistersymbol(MoneyEtcAddress)
Following several tutorials, I got how the address was found (I updated it to match my game version), and I added the hack for sleeping/berserk darts.

However I must admit I understand less than half of what is done here...

Could someone please tell me what those lines mean?
InfiniteMoneyEtc+200:
readmem(MoneyEtcAddress+0a,5)

InfiniteMoneyEtc:
push ebx
mov ebx,InfiniteMoneyEtc
movzx ebx,byte [ebx+202]


What is esi in
cmp esi,1?

And can anyone guess how the value was determined for money (-> 1), darts (-> 23), ...? When I check in the assembler what '8b 41 0c c3' accesses, I get different memory addresses that indeed point to money, ... but I don't get what this comparison is made on, or how the value was found (for finding darts, I just tried every value until I got to 23, which is not really efficient).

Thanks a lot!

Acido
Table Makers
Posts: 348
Joined: Wed Dec 20, 2017 2:11 am
Reputation: 360

Re: Assassins Creed Black Flag Script explanation

Post by Acido »

Schnikonos wrote:
Thu Dec 21, 2017 6:19 pm
However I must admit I understand less than half of what is done here...

Could someone please tell me what those lines mean?
InfiniteMoneyEtc+200:
readmem(MoneyEtcAddress+0a,5)
512 bytes after the start of InfiniteMoneyEtc, write the 5 bytes read from MoneyEtcAddress+0a (10 bytes from the start of the found address).
Basically InfiniteMoneyEtc[200->204] = MoneyEtcAddress[0A->0E], which copies the following bytes: 8b 41 0c c3 cc, so it becomes:
InfiniteMoneyEtc[200] = 8b
InfiniteMoneyEtc[201] = 41
InfiniteMoneyEtc[202] = 0c
InfiniteMoneyEtc[203] = c3
InfiniteMoneyEtc[204] = cc
Schnikonos wrote:
Thu Dec 21, 2017 6:19 pm

InfiniteMoneyEtc:
push ebx
mov ebx,InfiniteMoneyEtc
movzx ebx,byte [ebx+202]
Push the content of register ebx onto the stack so we can use the register for whatever we want while being able to restore it to the original later when we're done with it. Then copy the 1 byte at InfiniteMoneyEtc[202] into the ebx register (which we know from before is 0x0c), zeroing the rest of the register to keep only that 1 byte and discarding the rest.
Schnikonos wrote:
Thu Dec 21, 2017 6:19 pm
What is esi in
cmp esi,1?
esi is a register; its content is whatever happens to be in it when the code is run in the function where the injection takes place.
Schnikonos wrote:
Thu Dec 21, 2017 6:19 pm
And can anyone guess how the value was determined for money (-> 1), darts (-> 23), ...? When I check in the assembler what '8b 41 0c c3' accesses, I get different memory addresses that indeed point to money, ... but I don't get what this comparison is made on, or how the value was found (for finding darts, I just tried every value until I got to 23, which is not really efficient).

Thanks a lot!
The function appears to be used for multiple things: when esi is 1 it's money, when it's 23 it's darts, etc. As for actually finding the correct value that esi corresponds to, it's usually just a matter of analyzing the code and seeing what it does; you can figure out quite quickly which value corresponds to what.

If I had to guess, it's the function to add an item to your inventory, and what type of item it is depends on how it's called. So for instance in C++ code it might look something like this: void AddToInventory(int type, int id, int amount) { ... } where type would then be the content of your esi register.
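To make the mechanics above concrete, here is a small C model of what the script's pieces do. It is an added example, not code from the forum post or from Steve Andrew's table: the addresses, the object layout and the function names are assumptions for illustration, and the only real data in it are the 5 saved bytes quoted in the script's [disable] section. It decodes the displacement byte from those bytes the way "movzx ebx,byte [ebx+202]" picks it up, builds the 5-byte jmp that [enable] writes at MoneyEtcAddress+0a, and dispatches on the type value exactly as the injected code does. One detail the thread does not spell out: in the Cheat Engine auto assembler a bare number is hexadecimal unless prefixed with #, so "cmp esi,23" compares against 0x23 (35 decimal), "cmp esi,29" ... "cmp esi,31" covers 0x29..0x31, while "mov eax,#9999" is decimal 9999. The SetDarts branch is elided in the post, so the model does not invent it; those types simply fall through to the original read.

```c
/* Added example: a user-space model of the Infinite Money script's mechanics.
 * Not code from the forum post or from Steve Andrew's table. Addresses,
 * the object layout and the function names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 5 bytes readmem(MoneyEtcAddress+0a,5) saves, as listed in the script's
 * [disable] comments: mov eax,[ecx+0c] ; ret ; int 3 (padding). */
static const uint8_t saved_bytes[5] = { 0x8b, 0x41, 0x0c, 0xc3, 0xcc };

/* Decode "mov eax,[ecx+disp8]" and return disp8, or -1 if the bytes are
 * something else (e.g. a game update changed the function). Opcode 8b =
 * mov r32,r/m32; ModRM 41 = mod 01 (disp8), reg 000 (eax), rm 001 (ecx).
 * Index 2 is the byte "movzx ebx,byte [ebx+202]" loads from the copy at
 * InfiniteMoneyEtc+200. */
int displacement_from_saved(const uint8_t *b)
{
    if (b[0] != 0x8b || b[1] != 0x41)
        return -1;
    return b[2];
}

/* rel32 for the 5-byte "jmp InfiniteMoneyEtc" that [enable] writes at
 * MoneyEtcAddress+0a: relative to the address just after the jmp. */
uint32_t rel32_for_jmp(uint32_t from, uint32_t to)
{
    return to - (from + 5);
}

void build_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[5])
{
    uint32_t rel = rel32_for_jmp(from, to);
    out[0] = 0xe9;                     /* jmp rel32 */
    out[1] = (uint8_t)(rel);           /* immediate is little-endian */
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Model of the injected InfiniteMoneyEtc routine. obj stands in for ecx
 * (the object the game passes), type for esi, disp for the byte in ebx.
 * Returns what the game receives in eax. The jb/ja pair in the script is
 * an unsigned range check, hence uint32_t. Darts (0x23/0x24) are not
 * modelled because their branch is elided in the post. */
uint32_t infinite_money_etc(uint8_t *obj, uint32_t type, int disp)
{
    uint32_t value;
    if (type == 1) {                                /* SetMoney */
        value = 999999999u;                         /* #999999999 */
        memcpy(obj + disp, &value, sizeof value);   /* mov [ecx+ebx],eax */
    } else if (type >= 0x29 && type <= 0x31) {      /* wood .. fire barrels */
        value = 9999u;                              /* #9999 */
        memcpy(obj + disp, &value, sizeof value);
    }
    memcpy(&value, obj + disp, sizeof value);       /* Exit: mov eax,[ecx+ebx] */
    return value;
}

/* Constructed stand-in for the game object: the counter sits at +0x0c,
 * matching the displacement in the hooked instruction. The header
 * contents are unknown and irrelevant here. */
struct game_object {
    uint8_t header[0x0c];
    uint32_t amount;
};

/* Run one hooked call end to end: decode disp from the saved bytes, then
 * dispatch as the injected code would. Returns the value the game gets. */
uint32_t simulate_call(uint32_t type, uint32_t initial_amount)
{
    struct game_object o;
    int disp;
    memset(&o, 0, sizeof o);
    o.amount = initial_amount;
    disp = displacement_from_saved(saved_bytes);
    if (disp < 0)
        return initial_amount;   /* unexpected bytes: leave the game alone */
    return infinite_money_etc((uint8_t *)&o, type, disp);
}

int main(void)
{
    /* Assumed addresses: hooked instruction at 0x0040100a (MoneyEtcAddress+0a),
     * alloc'd code cave at 0x02000000 (InfiniteMoneyEtc). */
    uint8_t patch[5];
    build_jmp_rel32(0x0040100a, 0x02000000, patch);
    printf("disp8 = 0x%02x\n", displacement_from_saved(saved_bytes));
    printf("patch = %02x %02x %02x %02x %02x\n",
           patch[0], patch[1], patch[2], patch[3], patch[4]);
    printf("type 1    -> %u\n", simulate_call(1, 100));
    printf("type 0x2a -> %u\n", simulate_call(0x2a, 100));
    printf("type 0x05 -> %u\n", simulate_call(0x05, 100));
    return 0;
}
```

Two design points the model makes visible. Reading the displacement out of the saved bytes instead of hard-coding 0c means the cave keeps addressing the same field even if a patch moves it, as long as the aobscan still matches; the -1 path is the check you want before trusting that byte. And because the cave ends in its own ret, the original four-byte function never has to be resumed, which is why overwriting its trailing int 3 padding byte with the fifth byte of the jmp is harmless.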
