Script Question

Posted: Sun Sep 10, 2017 4:21 pm
by lllccc
So I'm trying to mod an old game, "Leisure Suit Larry 7 - Love for Sail!", and I got the script; I put in the script pointing lines.
I found out the pointer is 4 in the struct, but when I enable the script everything goes well except it's always 1-2 addresses under. I move the pointer to lower it, but even putting it at 0 it's still lower. I tried changing the [ebx] to any other register, but then it's too high or too low lol. Can anyone help? This is the script I am looking at:


aobscanmodule(INJECT,SIERW5.EXE,C9 FC FF 8B 5B 04 01 CB 0F BF 03 0F B6 5E 01) // should be unique
alloc(newmem,$1000)
alloc(myvar,4)
registersymbol(myvar)
label(code)
label(return)

newmem:

code:
mov [myvar],esi
movsx eax,word ptr [ebx]
movzx ebx,byte ptr [esi+01]
jmp return

INJECT+08:
jmp newmem
nop
nop
return:
registersymbol(INJECT)

Re: Script Question

Posted: Mon Sep 11, 2017 7:10 am
by ++METHOS
Not sure what you're asking, but you can have negative offsets:

[ebx-2]

Re: Script Question

Posted: Tue Sep 12, 2017 2:10 am
by lllccc
I didn't know you could have a negative offset, and now I do lol. Thank you so much, I will give that a try first thing after work lol.

I was asking how I could fix it to get the pointer to grab the right address, but now that I know a negative offset can be done it should make things easier.

Re: Script Question

Posted: Tue Sep 12, 2017 3:13 pm
by seikur0
I'm not exactly sure, what you want, but try this:

aobscanmodule(INJECT,SIERW5.EXE,C9 FC FF 8B 5B 04 01 CB 0F BF 03 0F B6 5E 01) // should be unique
alloc(newmem,$1000)
label(myvar)
registersymbol(myvar)
label(code)
label(return)

newmem:

lea eax,[esi+01]
mov [myvar],eax

code:
movsx eax,word ptr [ebx]
movzx ebx,byte ptr [esi+01]
jmp return

myvar:
dd 0

INJECT+08:
jmp newmem
nop
nop
return:
registersymbol(INJECT)
And in your table add myvar as pointer and change the type to byte. (Assuming you want the value that gets written into ebx.)

I also removed the memory allocation for myvar and put it as symbol at the end of newmem instead. As a general rule there's likely no need to allocate memory more than once in one script.
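To make the offset arithmetic in this thread concrete, here is an added Python example (not part of the thread and not Cheat Engine code) that decodes the ModRM/displacement bytes of the instructions inside the posted AOB pattern and computes the addresses the two hooked instructions actually read for a given register state. The register values are constructed; decoding from INJECT+03 is an assumption that is consistent with the hook at INJECT+08 (the two replaced instructions are 7 bytes) and with the offset 4 the poster mentions, treating the first three pattern bytes as the tail of an earlier instruction.

```python
"""Decode the memory operands in the posted AOB pattern and show which addresses
the hooked instructions touch.  Added example; register values are constructed."""

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Only the opcodes that occur in the pattern are handled (deliberately small decoder).
# key -> (mnemonic, width of the memory operand in bytes, size prefix for display)
OPCODES = {
    (0x0F, 0xBF): ("movsx", 2, "word ptr"),  # MOVSX r32, r/m16
    (0x0F, 0xB6): ("movzx", 1, "byte ptr"),  # MOVZX r32, r/m8
    (0x8B,):      ("mov",   4, ""),          # MOV r32, r/m32
    (0x01,):      ("add",   4, ""),          # ADD r/m32, r32 (register form only here)
}

# The 15 bytes from the script's aobscanmodule line.
PATTERN = bytes.fromhex("C9 FC FF 8B 5B 04 01 CB 0F BF 03 0F B6 5E 01")


def decode_modrm(code, pos):
    """Return (reg, operand, next_pos); operand is ('reg', idx, 0) or ('mem', base_idx, disp)."""
    modrm = code[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    pos += 1
    if mod == 3:
        return reg, ("reg", rm, 0), pos
    if rm == 4 or (mod == 0 and rm == 5):
        raise NotImplementedError("SIB and disp32-only addressing are not needed for this pattern")
    disp = 0
    if mod == 1:                       # 8-bit signed displacement, e.g. the +01 in [esi+01]
        disp = int.from_bytes(code[pos:pos + 1], "little", signed=True)
        pos += 1
    elif mod == 2:                     # 32-bit signed displacement
        disp = int.from_bytes(code[pos:pos + 4], "little", signed=True)
        pos += 4
    return reg, ("mem", rm, disp), pos


def decode_one(code, pos):
    """Decode a single instruction starting at code[pos]."""
    start = pos
    if code[pos] == 0x0F:              # two-byte opcode
        key = (0x0F, code[pos + 1])
        pos += 2
    else:
        key = (code[pos],)
        pos += 1
    mnem, width, ptr = OPCODES[key]
    reg, operand, pos = decode_modrm(code, pos)
    kind, rm, disp = operand
    if kind == "reg":
        # ADD r/m32, r32 writes to the r/m register; the others write to the reg field.
        text = f"{mnem} {REGS32[rm]},{REGS32[reg]}" if mnem == "add" else f"{mnem} {REGS32[reg]},{REGS32[rm]}"
    else:
        mem = f"[{REGS32[rm]}{disp:+03X}]" if disp else f"[{REGS32[rm]}]"
        text = f"{mnem} {REGS32[reg]},{ptr + ' ' if ptr else ''}{mem}"
    return {"text": text, "operand": operand, "width": width, "offset": start, "length": pos - start}


def decode_pattern(code=PATTERN, start=3):
    """Decode the pattern from `start` (assumed instruction boundary) to its end."""
    out, pos = [], start
    while pos < len(code):
        ins = decode_one(code, pos)
        out.append(ins)
        pos += ins["length"]
    return out


def hook_accesses(regs, code=PATTERN, hook=8):
    """Addresses read by the instructions the script replaces at INJECT+08, given the
    register values at the moment the hook runs. Returns {asm text: (address, width)}."""
    result, pos = {}, hook
    while pos < len(code):
        ins = decode_one(code, pos)
        kind, rm, disp = ins["operand"]
        if kind == "mem":
            result[ins["text"]] = ((regs[REGS32[rm]] + disp) & 0xFFFFFFFF, ins["width"])
        pos += ins["length"]
    return result


if __name__ == "__main__":
    for ins in decode_pattern():
        print(f"INJECT+{ins['offset']:02X}: {ins['text']}")
    regs = {"ebx": 0x030898E8, "esi": 0x03089920}   # constructed register state at the hook
    for text, (addr, width) in hook_accesses(regs).items():
        print(f"{text:30} reads {width} byte(s) at {addr:08X}")
    # Saving esi itself lands one byte below what movzx reads; lea eax,[esi+01] lands on it.
    print(f"esi = {regs['esi']:08X}, byte read by movzx = {regs['esi'] + 1:08X}")
```

The decoder shows where the `+01` in the script comes from: it is the disp8 byte of `0F B6 5E 01`, so the byte that instruction reads is at esi+1, which is exactly what `lea eax,[esi+01]` / `mov [myvar],eax` records, while storing esi alone is one byte short. The same routine also decodes the `8B 5B 04` just before the hook as `mov ebx,[ebx+04]`, the offset-4 dereference the original poster found in the struct.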

Re: Script Question

Posted: Tue Sep 12, 2017 4:07 pm
by SunBeam
I think he wants the base pointer. So all in all, move EAX to myvar BEFORE the LEA.

Re: Script Question

Posted: Tue Sep 12, 2017 9:44 pm
by lllccc
Hmm, maybe I could have worded this better, sorry guys.

What I wanted to know is why, after getting the pointers, it's either higher or lower than the address I am getting. For example, money is 030898E8, but if I put in 04 as it says in the struct it's 030898E6, or if I go to 00 it's still too low, but if I change ebx to eax it's higher. I just wanted to know how I can fix it to get the right address with that script.

EXAMPLE
http://i675.photobucket.com/albums/vv11 ... ke4opw.png

The top one is the found one and the bottom one is the pointer from the script, that's eax, and it's way higher (that's pointer 04).

Re: Script Question

Posted: Wed Sep 13, 2017 3:59 pm
by seikur0
I can't see that image anymore (100% third party hosting usage), can you reupload it?

So you found the money manually and then you did "Find out what accesses this address", right?
Which of the lines did access the address then?
This one: movsx eax,word ptr [ebx]
or that one: movzx ebx,byte ptr [esi+01]