{ Game : KingdomCome.exe
Version:
Date : 2018-02-18
This script enables, in the KCD console, the variables and functions that the developers disabled
}
[ENABLE]
// ---------------------------------------------------------------------------
// Patch 1: console variable access.
// Find "and ebx,03000002" in WHGame.DLL by its byte pattern (see the original
// code dump in the [DISABLE] block). Scanning instead of hard-coding the address
// keeps the hook version-tolerant; if the pattern is not found, Cheat Engine
// fails to enable the script rather than patching the wrong bytes.
// ---------------------------------------------------------------------------
aobscanmodule(VariableExec,WHGame.DLL,81 E3 02 00 00 03) // should be unique
// Code cave. The third argument is the preferred address: the cave must land
// close enough to the hook for the 5-byte relative jmp below to reach it.
// "WHGame.DLL"+6F7882 is the injection point of the 2018-02-18 build; on a
// newer build this offset is only a placement hint - TODO confirm CE still
// allocates within jmp range when it no longer matches the scanned address.
alloc(newmem,$1000,"WHGame.DLL"+6F7882)
label(code)
label(return)
newmem:
code:
// Original: and ebx,03000002. The replacement drops bit 0x2 from the mask, so
// that flag no longer influences the result checked by the setne that follows
// the hook. Presumably 0x2 is the "developer only" bit - inferred from the
// script's purpose, not confirmed against the engine.
and ebx,03000000
jmp return
VariableExec:
// jmp rel32 is 5 bytes; the replaced instruction is 6 bytes, so one nop pads
// the gap and the return label lands on the next original instruction.
jmp newmem
nop
return:
registersymbol(VariableExec)
// ---------------------------------------------------------------------------
// Patch 2: console function access.
// Same approach for "test [rdi+18],3000002" (see the second original code dump
// in the [DISABLE] block).
// ---------------------------------------------------------------------------
aobscanmodule(FunctionExec,WHGame.DLL,F7 47 18 02 00 00 03) // should be unique
// Preferred cave address = this build's injection point; see the note above.
alloc(newmem2,$1000,"WHGame.DLL"+6F7AF8)
label(code2)
label(return2)
newmem2:
code2:
// Original: test [rdi+18],3000002. Again only bit 0x2 is removed from the mask.
// The original encoding (F7 47 18 imm32) is a dword test; no size is given
// here - NOTE(review): confirm CE assembles this as "test dword ptr", as the
// encoding must stay a 7-byte-or-shorter dword test for the jne after the hook
// to see the intended flags.
test [rdi+18],3000000
jmp return2
FunctionExec:
// jmp rel32 is 5 bytes; the replaced instruction is 7 bytes, hence two nops.
jmp newmem2
nop
nop
return2:
registersymbol(FunctionExec)
[DISABLE]
// Restore the exact original bytes of patch 1 (matching the byte dump below),
// then drop the symbol and free the cave. The bytes are written back before
// dealloc so no thread is left executing inside freed memory.
VariableExec:
db 81 E3 02 00 00 03
unregistersymbol(VariableExec)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "WHGame.DLL"+6F7882
"WHGame.DLL"+6F7861: 4D 8B F8 - mov r15,r8
"WHGame.DLL"+6F7864: 48 8B FA - mov rdi,rdx
"WHGame.DLL"+6F7867: FF 90 88 00 00 00 - call qword ptr [rax+00000088]
"WHGame.DLL"+6F786D: 4C 8B 0F - mov r9,[rdi]
"WHGame.DLL"+6F7870: 48 8B CF - mov rcx,rdi
"WHGame.DLL"+6F7873: 40 8A E8 - mov bpl,al
"WHGame.DLL"+6F7876: 41 FF 51 60 - call qword ptr [r9+60]
"WHGame.DLL"+6F787A: 4C 8B 07 - mov r8,[rdi]
"WHGame.DLL"+6F787D: 48 8B CF - mov rcx,rdi
"WHGame.DLL"+6F7880: 8B D8 - mov ebx,eax
// ---------- INJECTING HERE ----------
"WHGame.DLL"+6F7882: 81 E3 02 00 00 03 - and ebx,03000002
// ---------- DONE INJECTING ----------
"WHGame.DLL"+6F7888: 41 0F 95 C4 - setne r12l
"WHGame.DLL"+6F788C: 41 FF 50 60 - call qword ptr [r8+60]
"WHGame.DLL"+6F7890: 48 8B 17 - mov rdx,[rdi]
"WHGame.DLL"+6F7893: 48 8B CF - mov rcx,rdi
"WHGame.DLL"+6F7896: 44 8B F0 - mov r14d,eax
"WHGame.DLL"+6F7899: 41 81 E6 00 08 00 00 - and r14d,00000800
"WHGame.DLL"+6F78A0: 41 0F 95 C5 - setne r13l
"WHGame.DLL"+6F78A4: FF 52 60 - call qword ptr [rdx+60]
"WHGame.DLL"+6F78A7: 25 00 00 00 40 - and eax,40000000
"WHGame.DLL"+6F78AC: 0F 95 84 24 80 00 00 00 - setne byte ptr [rsp+00000080]
}
// Restore the exact original bytes of patch 2 (matching the byte dump below),
// same ordering as above: bytes first, then symbol, then cave.
FunctionExec:
db F7 47 18 02 00 00 03
unregistersymbol(FunctionExec)
dealloc(newmem2)
{
// ORIGINAL CODE - INJECTION POINT: "WHGame.DLL"+6F7AF8
"WHGame.DLL"+6F7ACC: 48 8B 51 08 - mov rdx,[rcx+08]
"WHGame.DLL"+6F7AD0: 0F B6 05 31 06 77 01 - movzx eax,byte ptr [WHGame.DLL+1E68108]
"WHGame.DLL"+6F7AD7: 44 0F B6 02 - movzx r8d,byte ptr [rdx]
"WHGame.DLL"+6F7ADB: 44 2B C0 - sub r8d,eax
"WHGame.DLL"+6F7ADE: 75 0F - jne WHGame.DLL+6F7AEF
"WHGame.DLL"+6F7AE0: 44 0F B6 42 01 - movzx r8d,byte ptr [rdx+01]
"WHGame.DLL"+6F7AE5: 0F B6 05 1D 06 77 01 - movzx eax,byte ptr [WHGame.DLL+1E68109]
"WHGame.DLL"+6F7AEC: 44 2B C0 - sub r8d,eax
"WHGame.DLL"+6F7AEF: 45 85 C0 - test r8d,r8d
"WHGame.DLL"+6F7AF2: 0F 84 DA F3 A0 00 - je WHGame.DLL+1106ED2
// ---------- INJECTING HERE ----------
"WHGame.DLL"+6F7AF8: F7 47 18 02 00 00 03 - test [rdi+18],3000002
// ---------- DONE INJECTING ----------
"WHGame.DLL"+6F7AFF: 0F 85 E2 F3 A0 00 - jne WHGame.DLL+1106EE7
"WHGame.DLL"+6F7B05: 48 8B 47 20 - mov rax,[rdi+20]
"WHGame.DLL"+6F7B09: 48 85 C0 - test rax,rax
"WHGame.DLL"+6F7B0C: 0F 84 17 F4 A0 00 - je WHGame.DLL+1106F29
"WHGame.DLL"+6F7B12: 48 8D 0D 97 08 78 01 - lea rcx,[WHGame.DLL+1E783B0]
"WHGame.DLL"+6F7B19: 48 89 75 07 - mov [rbp+07],rsi
"WHGame.DLL"+6F7B1D: 48 89 4D F7 - mov [rbp-09],rcx
"WHGame.DLL"+6F7B21: 48 8D 4D D7 - lea rcx,[rbp-29]
"WHGame.DLL"+6F7B25: 48 89 4D FF - mov [rbp-01],rcx
"WHGame.DLL"+6F7B29: 48 8D 4D F7 - lea rcx,[rbp-09]
}