(MOV ECX, EDX) ===> How to get ECX and EDX please?

Sodruza
Noobzor
Posts: 12
Joined: Fri Mar 03, 2017 5:40 pm
Reputation: 0

(MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by Sodruza » Fri Mar 03, 2017 5:47 pm

Hello everyone,


Do you guys have any piece of code or tips for what is asked in the title? If you want a bit more precision, there are links below:

https://puu.sh/usC7v/b08e84c23c.png
https://puu.sh/usB1d/b39ab89253.png

Thanks in advance. Last time I asked something in this forum I got the perfect answer I expected; let's hope it works again this time :)

predprey
Cheater
Posts: 42
Joined: Thu Mar 02, 2017 8:46 pm
Reputation: 8

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by predprey » Fri Mar 03, 2017 6:57 pm

EDX is exactly what is shown in the register in the second screenshot when you reach the breakpoint, 0x44E2FBB6. That EDX value is stored at the memory address, 0xE8B2C6C, as denoted by [ECX]. The brackets mean to use the value stored in ECX as a pointer.

Sodruza
Noobzor
Posts: 12
Joined: Fri Mar 03, 2017 5:40 pm
Reputation: 0

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by Sodruza » Fri Mar 03, 2017 7:08 pm

0xE8B2C6C, as denoted by [ECX]
Exactly. The thing is, I'd like to create some kind of hook/function to get all the values in ECX (actually EDX doesn't matter much) after this particular instruction is called.

Gotta say I struggle quite a lot.

Thanks for your help.

predprey
Cheater
Posts: 42
Joined: Thu Mar 02, 2017 8:46 pm
Reputation: 8

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by predprey » Fri Mar 03, 2017 7:36 pm

Go to the address in the CE memory viewer, right click and select "Find out what addresses this instruction accesses". That will give you all the addresses ECX points to when the instruction is called. To get EDX for each case, right click the addresses that appear and click "Show registers".

Sodruza
Noobzor
Posts: 12
Joined: Fri Mar 03, 2017 5:40 pm
Reputation: 0

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by Sodruza » Fri Mar 03, 2017 8:20 pm

Go to the address in the CE memory viewer, right click and select "Find out what addresses this instruction accesses".
Everything you are saying is true. But I already did this before; this is how I know what I want.

But look at what I said:
The thing is Id like to create some kind of hook/function
What I want to get is code to do this automatically, and this is where I'm stuck.

Still thanks for the help, I apologize for not being clear enough.

++METHOS
Administration
Posts: 204
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 27

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by ++METHOS » Fri Mar 03, 2017 8:36 pm

With the instruction highlighted inside of memory viewer, select 'Tools' from the drop-down menu. Click on 'Auto Assemble'. A new window will pop up. Select 'Template' from the drop-down menu. Click on 'Aob Injection'. Copy/paste everything here so that someone can help.

Depending on what you are trying to do, you may need to establish some conditions inside of your script so that you can segregate the addresses and set up identifiers for them so that you know what you are manipulating/reading.

Sodruza
Noobzor
Posts: 12
Joined: Fri Mar 03, 2017 5:40 pm
Reputation: 0

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by Sodruza » Fri Mar 03, 2017 9:00 pm

Wow dude, I'm amazed at how fast you reply, and you seem skilled too. Once again, thanks.

I'm really sorry, the code is quite long. The only thing I want to do is get the ECX when this function gets called. That's it.


{ Game   : BF42
  Version: 
  Date   : 2017-03-03
  Author : 

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECT,BF1942.exe,89 11 D9 59 08 8B 8D) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  mov [ecx],edx
  fstp dword ptr [ecx+08]
  jmp return

INJECT:
  jmp code
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 89 11 D9 59 08

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "BF1942.exe"+FCD7B

"BF1942.exe"+FCD59: FF 52 3C                       -  call dword ptr [edx+3C]
"BF1942.exe"+FCD5C: D9 40 38                       -  fld dword ptr [eax+38]
"BF1942.exe"+FCD5F: 8B 8D 58 01 00 00              -  mov ecx,[ebp+00000158]
"BF1942.exe"+FCD65: D9 40 34                       -  fld dword ptr [eax+34]
"BF1942.exe"+FCD68: 8B 50 30                       -  mov edx,[eax+30]
"BF1942.exe"+FCD6B: 83 C0 30                       -  add eax,30
"BF1942.exe"+FCD6E: 83 C1 1D                       -  add ecx,1D
"BF1942.exe"+FCD71: 8D 0C 49                       -  lea ecx,[ecx+ecx*2]
"BF1942.exe"+FCD74: 8D 4C 8D 00                    -  lea ecx,[ebp+ecx*4+00]
"BF1942.exe"+FCD78: D9 59 04                       -  fstp dword ptr [ecx+04]
// ---------- INJECTING HERE ----------
"BF1942.exe"+FCD7B: 89 11                          -  mov [ecx],edx
"BF1942.exe"+FCD7D: D9 59 08                       -  fstp dword ptr [ecx+08]
// ---------- DONE INJECTING  ----------
"BF1942.exe"+FCD80: 8B 8D 58 01 00 00              -  mov ecx,[ebp+00000158]
"BF1942.exe"+FCD86: 41                             -  inc ecx
"BF1942.exe"+FCD87: 8B C1                          -  mov eax,ecx
"BF1942.exe"+FCD89: 83 F8 10                       -  cmp eax,10
"BF1942.exe"+FCD8C: 89 8D 58 01 00 00              -  mov [ebp+00000158],ecx
"BF1942.exe"+FCD92: 75 0A                          -  jne BF1942.exe+FCD9E
"BF1942.exe"+FCD94: C7 85 58 01 00 00 00 00 00 00  -  mov [ebp+00000158],00000000
"BF1942.exe"+FCD9E: F6 45 04 01                    -  test byte ptr [ebp+04],01
"BF1942.exe"+FCDA2: 0F 85 0A 11 00 00              -  jne BF1942.exe+FDEB2
"BF1942.exe"+FCDA8: 53                             -  push ebx
}

++METHOS
Administration
Posts: 204
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 27

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by ++METHOS » Fri Mar 03, 2017 9:12 pm

What are you trying to do, exactly? What does this instruction handle? Does this instruction access multiple addresses? We can help you better if we know more.

For example:


[ENABLE]

aobscanmodule(aob_address,BF1942.exe,89 11 D9 59 08 8B 8D) // should be unique
alloc(newmem,$1000)

label(return)
label(address)
label(code)

registersymbol(aob_address)
registersymbol(address)

//==============================================//

newmem:
push edi
lea edi,[ecx]           // edi = the address ECX holds when the hooked instruction runs
mov [address],edi       // store it in the 'address' symbol so the table can point at it
pop edi

code:                   // the two original instructions, then jump back
mov [ecx],edx
fstp dword ptr [ecx+08]
jmp return

address:
dd 0                    // 4-byte slot holding the last captured ECX

aob_address:
jmp newmem              // 5-byte jump covers mov [ecx],edx (2 bytes) + fstp (3 bytes)
return:

//==============================================//

[DISABLE]

dealloc(newmem)
aob_address:
db 89 11 D9 59 08

unregistersymbol(aob_address)
unregistersymbol(address)
This will allow you to add a custom pointer address, called address, to your cheat table after the script is activated. But if the instruction in question is accessing multiple addresses, then this will not do you much good until you appropriately segregate the addresses.
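As an added example (not code from this thread and not part of Cheat Engine), here is a small Python model of what the AOB-injection template above does mechanically: scan a module image for the byte pattern and insist it is unique, overwrite exactly five bytes at the hit with an E9 rel32 jump to the code cave, and write the saved five bytes back on disable. It works on a constructed byte buffer built from the disassembly listing posted earlier in the thread (not the real BF1942.exe), the cave offset 0x1000 is hypothetical, and all function names are mine. The last function is the defender-side view of the same patch: diffing a live snapshot of the code against the clean image exposes the five-byte jump and decodes where it goes, which is how inline-hook scanners flag this kind of modification.

```python
import struct

# Constructed module image: 16 filler bytes, then the bytes from the posted listing
# around "BF1942.exe"+FCD7B. Offsets below are offsets into this buffer, not RVAs.
CLEAN_IMAGE = bytes.fromhex(
    "90" * 16
    + "D9 59 04"                        # fstp dword ptr [ecx+04]
    + "89 11"                           # mov [ecx],edx            <- injection point
    + "D9 59 08"                        # fstp dword ptr [ecx+08]
    + "8B 8D 58 01 00 00"               # mov ecx,[ebp+00000158]
    + "41"                              # inc ecx
    + "8B C1"                           # mov eax,ecx
    + "83 F8 10"                        # cmp eax,10
    + "89 8D 58 01 00 00"               # mov [ebp+00000158],ecx
    + "75 0A"                           # jne ...
    + "C7 85 58 01 00 00 00 00 00 00"   # mov [ebp+00000158],0
    + "F6 45 04 01"                     # test byte ptr [ebp+04],01
    + "0F 85 0A 11 00 00"               # jne ...
    + "53"                              # push ebx
)

JMP_REL32_OPCODE = 0xE9
JMP_REL32_LEN = 5


def parse_aob(pattern):
    """Parse a Cheat Engine style array-of-bytes string; '??' (or '*') is a wildcard."""
    return [None if tok in ("??", "?", "*") else int(tok, 16) for tok in pattern.split()]


def aobscan(image, pattern):
    """Every offset where the pattern matches; this is the search aobscanmodule performs."""
    pat = parse_aob(pattern)
    n = len(pat)
    return [i for i in range(len(image) - n + 1)
            if all(p is None or p == image[i + k] for k, p in enumerate(pat))]


def aobscan_unique(image, pattern):
    """aobscanmodule semantics: the pattern is only usable if it matches exactly once."""
    hits = aobscan(image, pattern)
    if len(hits) != 1:
        raise ValueError("pattern matched %d times; it must be unique" % len(hits))
    return hits[0]


def encode_jmp_rel32(at, target):
    """5-byte E9 jump from offset `at` to `target`; displacement is relative to the next instruction."""
    return bytes([JMP_REL32_OPCODE]) + struct.pack("<i", target - (at + JMP_REL32_LEN))


def enable_hook(image, at, cave):
    """Mimic the [ENABLE] block: overwrite five bytes at `at` with a jump to `cave`.
    Returns the patched image and the original bytes that [DISABLE] must write back."""
    saved = image[at:at + JMP_REL32_LEN]
    patched = image[:at] + encode_jmp_rel32(at, cave) + image[at + JMP_REL32_LEN:]
    return patched, saved


def disable_hook(image, at, saved):
    """Mimic the [DISABLE] block: restore the saved original bytes (the `db 89 11 D9 59 08` line)."""
    return image[:at] + saved + image[at + len(saved):]


def find_inline_jmp_hooks(clean, live):
    """Defender-side check: compare a live code snapshot with the clean image and report
    each spot whose bytes became an E9 rel32 jump, together with the decoded destination."""
    hooks = []
    i = 0
    limit = min(len(clean), len(live))
    while i < limit:
        window_live = live[i:i + JMP_REL32_LEN]
        if window_live != clean[i:i + JMP_REL32_LEN] and live[i] == JMP_REL32_OPCODE \
                and len(window_live) == JMP_REL32_LEN:
            rel = struct.unpack("<i", window_live[1:])[0]
            hooks.append({"offset": i,
                          "target": i + JMP_REL32_LEN + rel,
                          "original": clean[i:i + JMP_REL32_LEN]})
            i += JMP_REL32_LEN
        else:
            i += 1
    return hooks


def demo():
    """Run the whole enable / detect / disable cycle on the constructed image."""
    inject = aobscan_unique(CLEAN_IMAGE, "89 11 D9 59 08 8B 8D")
    cave = 0x1000  # hypothetical offset of the allocated newmem cave
    patched, saved = enable_hook(CLEAN_IMAGE, inject, cave)
    hooks = find_inline_jmp_hooks(CLEAN_IMAGE, patched)
    restored = disable_hook(patched, inject, saved)
    return inject, saved, hooks, restored == CLEAN_IMAGE


if __name__ == "__main__":
    print(demo())
```

Two details the model makes visible: the restore line in the script must be exactly the five bytes the jump overwrote (a 2-byte mov plus a 3-byte fstp), or the code after the hook is left corrupted; and once the jump is in place the original pattern no longer matches, which is why the template registers aob_address as a symbol instead of rescanning on disable.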

Sodruza
Noobzor
Posts: 12
Joined: Fri Mar 03, 2017 5:40 pm
Reputation: 0

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by Sodruza » Fri Mar 03, 2017 9:21 pm

What are you trying to do, exactly?
I'm trying to extract all the XYZ from every player (for a radar).

I know I could have done it with a pointer scan (I tried). But even the pointers are dynamic (I mean they change quite often in the same round).

Therefore I went to an X coordinate => find what writes to this address (found the MOV ECX, EDX).
Then I went to OllyDbg, put a breakpoint on that particular function, and pressed play many times in a row => found out that ECX gives the address where the X is. Y and Z are right next to it.

To be honest I have no idea what you did. I'm gonna try to retrieve some addresses then.

I'm very grateful.

++METHOS
Administration
Posts: 204
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 27

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by ++METHOS » Fri Mar 03, 2017 9:43 pm

If you have not already done so, you can complete the last step of the CE tutorial that covers data structure dissection for a better understanding of what you will need to do.

Alternative methods for finding a unique ID for code segregation:
  • You can use a pointer address for your filter, inside of your script, for the value that you are trying to manipulate.
  • You can use pointer trees inside of the data structure to find something viable.
  • You can shift the data structure (+ or -) and/or expand its size to find something useful.
  • You can use the structure spider to find workable strings and/or for comparative analysis.
  • You can check the register values by attaching the debugger or setting a breakpoint to see if something can be used for your filter.
  • You can check to see if there are any instructions that are exclusive to the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
  • You can check to see if there are any instructions that are exclusive to any other address/value inside of the data structure for the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
  • You can analyze assembly code to see if an identifier is being checked or assigned somewhere.
    Et al.

Sodruza
Noobzor
Posts: 12
Joined: Fri Mar 03, 2017 5:40 pm
Reputation: 0

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by Sodruza » Fri Mar 03, 2017 9:49 pm

Thanks for the list, I'll keep it for when I reach your level ^^

By the way, you gave me a piece of code; can I use it outside Cheat Engine?

Because my goal is to create a .exe (with VB.NET / C# / C++), and I don't see how I can use your code outside Cheat Engine.

predprey
Cheater
Posts: 42
Joined: Thu Mar 02, 2017 8:46 pm
Reputation: 8

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by predprey » Fri Mar 03, 2017 9:53 pm

If the pointers themselves are dynamic, I believe you would have to find the player ID near the XYZ values too. You can use Structure Dissect for that. You should have a stack to store the XYZ values and their matching player ID. After hooking into that instruction, you should compare the player ID to any existing player ID in your stack. If it is not there, add the player ID to the stack. If the player ID already exists, then update the XYZ.

Your external .exe should do the hooking and allocation of stack itself then read off the stack and update on a GUI as necessary.

Sodruza
Noobzor
Posts: 12
Joined: Fri Mar 03, 2017 5:40 pm
Reputation: 0

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by Sodruza » Fri Mar 03, 2017 10:07 pm

You can use Structure Dissect for that
I gotta say this is one weird game I'm trying to hack here (I've already hacked many). I did exactly what you said (dissect the data structure) and couldn't find the player ID either. The only thing I could do was get the XYZ and the team (which is enough).

The only missing part of the puzzle is reading ECX (after that particular MOV instruction).

Apparently I need to do some instruction hooking (already googled that), and I couldn't find a good example (I already did some API hooking with the SendTo function to deal with packets). But I never did "instruction hooking", if that's what it's called. Do you think this is where I should dig to do what I want? (I would like to make the radar in C# because I'm much better at it than C++.)

++METHOS
Administration
Posts: 204
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 27

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by ++METHOS » Fri Mar 03, 2017 10:19 pm

The example code that I previously posted is the code that is used for your hook. You need to determine a way to segregate the coordinate addresses using filters so that you can manage that data appropriately (methods provided in my previous post).

CE can create a standalone .exe, allowing you to mimic what CE does in the form of a trainer. You can edit and create the interface manually, using Lua, or by using the trainer generator inside of CE.

Sodruza
Noobzor
Posts: 12
Joined: Fri Mar 03, 2017 5:40 pm
Reputation: 0

Re: (MOV ECX, EDX) ===> How to get ECX and EDX please?

Post by Sodruza » Fri Mar 03, 2017 10:26 pm

Thanks a lot for your sharing.

I guess you gave me what I needed.

But isn't there a way to do it in C# or C++? Because I really want to deal with the data in C#, since I will not make all my trainers using Lua (I don't know what it is) or the CE trainer generator. Do you see what I mean?

Once again, thanks for sharing; I'll reply tomorrow, gotta sleep :)
