Help separating me from enemies

Memory scanning, code injection, debugger internals and other gamemodding related discussion
pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Help separating me from enemies

Post by pharaon »

The game is Stronghold Crusader 2 - The Jackal and The Khan.

The opcode that writes my gold and the enemies' gold is


StrongholdBase.StrongholdBase::Estate::GetKeep+2A09 - fmul dword ptr [ebp-14]
and that opcode writes to only one address, whose value changes continuously,
so I can't compare the addresses' offsets to separate me from the enemies.

And when I find out what writes to this address, there were too many opcodes that write to it:


71A1AD77 - 52 - push edx
72802F1F - CC - int 3 
727C6BB3 - 56 - push esi
71A1AC7D - 52 - push edx
727C8E3F - CC - int 3 
71A1AC9C - 6A 00 - push 00
71A1ACC5 - 6A 01 - push 01
71A1ACE8 - 6A 03 - push 03
71A1ACF7 - 6A 04 - push 04
71A1AD1D - 57 - push edi
73569953 - 89 5C 24 24  - mov [esp+24],ebx
71A1AD3C - C7 04 24  00000000 - mov [esp],00000000
71842744 - 57 - push edi
6FF8FF1F - 89 45 FC  - mov [ebp-04],eax
6FF8D1BB - 56 - push esi
6FFA825F - CC - int 3 
6FFABDD8 - 89 45 EC  - mov [ebp-14],eax
725F7A9C - F3 0F11 45 D4  - movss [ebp-2C],xmm0
7276C92F - D9 58 24  - fstp dword ptr [eax+24]
72808738 - F3 0F11 45 E4  - movss [ebp-1C],xmm0
728083C0 - 50 - push eax
727C5394 - 50 - push eax
72812C29 - 57 - push edi
728087EF - CC - int 3 
727BAC58 - 89 45 F8  - mov [ebp-08],eax
727BAC98 - D9 5D F8  - fstp dword ptr [ebp-08]
727C90F9 - F3 0F11 42 24  - movss [edx+24],xmm0
6F66E0F0 - 55 - push ebp
6FF7CC26 - 57 - push edi
6FFABDB9 - 50 - push eax
6FF8D1C8 - 89 45 F4  - mov [ebp-0C],eax
6FF8D1A8 - 55 - push ebp
6FF7CC4C - FF 75 14  - push [ebp+14]
6FF7D5F0 - 57 - push edi
728086E3 - 8D 7D 80  - lea edi,[ebp-80]
7280D543 - F3 0F11 42 30  - movss [edx+30],xmm0
728035B7 - 53 - push ebx
728035AF - CC - int 3 
6FF84EA6 - 57 - push edi
6FFABDC9 - 53 - push ebx
72810033 - 53 - push ebx
72810B23 - 53 - push ebx
72810E6A - 56 - push esi
72812EA2 - F3 0F11 45 F4  - movss [ebp-0C],xmm0
6FF7CF12 - 55 - push ebp
6FF859A0 - 6A 10 - push 10
6FFABDCC - 89 28  - mov [eax],ebp
6FFABCFA - 51 - push ecx
6FF7CF20 - 6A 0C - push 0C
72807790 - 55 - push ebp
6FF84E5B - 57 - push edi
7280D3EF - F3 0F11 42 18  - movss [edx+18],xmm0
6FF7CE72 - 51 - push ecx
6FF859FC - 89 45 E8  - mov [ebp-18],eax
728078CF - 52 - push edx
6FF8FF12 - 55 - push ebp
6FF7CC4F - FF 75 10  - push [ebp+10]
6FF8D869 - 55 - push ebp
6F66C3C0 - 55 - push ebp
7004A5AE - 89 45 C0  - mov [ebp-40],eax
70051440 - C7 45 BC E4520870 - mov [ebp-44],700852E4
6FFA673F - CC - int 3 
6F66C66F - CC - int 3 
6FF8D88F - 89 7D F8  - mov [ebp-08],edi
6F66C3CA - 56 - push esi
6F66C3E3 - 57 - push edi
6FFABDCB - 57 - push edi
6FF8CF7F - 89 75 F4  - mov [ebp-0C],esi
770791CD - 74 06 - je 770791D5
6F66EADD - 56 - push esi
6FF84E43 - 89 55 E0  - mov [ebp-20],edx
73534890 - 56 - push esi
6FFABDCA - 56 - push esi
6FF84EE3 - 50 - push eax
727C9132 - F3 0F11 42 28  - movss [edx+28],xmm0
7276C935 - D9 58 28  - fstp dword ptr [eax+28]
72808742 - F3 0F11 45 E8  - movss [ebp-18],xmm0
728083BB - 68 38458472 - push 72844538
727C1B53 - 8D 7D A8  - lea edi,[ebp-58]
7276D2A1 - F3 0F11 61 2C  - movss [ecx+2C],xmm4
72787F69 - 8D 7D CC  - lea edi,[ebp-34]
727A7898 - 50 - push eax
72F50EB8 - 57 - push edi
727C5393 - 57 - push edi
72812BF8 - 56 - push esi
727C30DA - 52 - push edx
6FF7A9A3 - 51 - push ecx
6FF7A9AB - 89 45 FC  - mov [ebp-04],eax
6FF7C76B - 57 - push edi
6FF88CDE - 89 45 FC  - mov [ebp-04],eax
6FF7E9A5 - 51 - push ecx
6FF7E9AD - 89 45 FC  - mov [ebp-04],eax
6FF85B9C - 56 - push esi
6FF7F5A4 - DF 7D DC  - fistp qword ptr [ebp-24]
6FF7CC12 - 55 - push ebp
727A9860 - 56 - push esi
727BB49C - 50 - push eax
727B9B2F - CC - int 3 
6FF8FF0E - 03 CC  - add ecx,esp
6FF84EA8 - 51 - push ecx
6FF8FF29 - 57 - push edi
70065199 - 56 - push esi
72808FAD - D9 5C 24 04  - fstp dword ptr [esp+04]
7280903A - 51 - push ecx
728111A6 - 56 - push esi
728027EF - CC - int 3 
728090C0 - 50 - push eax
72800B1F - CC - int 3 
6FF8FF71 - 50 - push eax
6FF8FF72 - FF B7 A4030000  - push [edi+000003A4]
6FF84E5D - 56 - push esi
6FFA670F - B9 08000000 - mov ecx,00000008
6FF8D76E - FF 32  - push [edx]
727B9DE0 - 55 - push ebp
72800BEE - 51 - push ecx
6FF7A3B0 - 51 - push ecx
6FF7A3B8 - 89 45 FC  - mov [ebp-04],eax
6FF7F438 - 55 - push ebp
7276D57C - D9 58 04  - fstp dword ptr [eax+04]
6FF7CC15 - 51 - push ecx
6FF7CC1E - 89 45 FC  - mov [ebp-04],eax
6FFABDDE - FF 75 FC  - push [ebp-04]
6FF84EA5 - 53 - push ebx
6FFABD06 - E9 DDFFFFFF - jmp 6FFABCE8
6FF8FF78 - 89 55 F4  - mov [ebp-0C],edx
6FF8F1B5 - 51 - push ecx
6FF8F1C9 - 89 55 F8  - mov [ebp-08],edx
6F66C6D7 - 56 - push esi
6FF8FF25 - 56 - push esi
6FF7E9BF - 6A 06 - push 06
6FF7F435 - C3 - ret 
7276D585 - D9 58 08  - fstp dword ptr [eax+08]
6FFABDD7 - 50 - push eax
6F66C6D6 - 53 - push ebx
6FF8FF65 - 89 75 F0  - mov [ebp-10],esi
6FF7A4D7 - 6A 00 - push 00
6FF7A4FC - FF 75 0C  - push [ebp+0C]
6FF8CF1F - 89 45 FC  - mov [ebp-04],eax
728049AB - D9 1E  - fstp dword ptr [esi]
72802831 - F3 0F11 08  - movss [eax],xmm1
6FF84DC0 - 6A 20 - push 20
719844A8 - 89 94 24 EC000000  - mov [esp+000000EC],edx
71F14454 - 89 74 24 24  - mov [esp+24],esi
70CC5960 - 55 - push ebp
70BBC439 - 50 - push eax
70BBC458 - 52 - push edx
70CBB9EF - CC - int 3 
70BBB819 - 50 - push eax
70BBB838 - 52 - push edx
70BBDCAA - 51 - push ecx
70BBDCDE - 50 - push eax
70BEC276 - 53 - push ebx
70BEC26F - CC - int 3 
70BBC34A - 52 - push edx
70CCABCD - 57 - push edi
70CCABC7 - 56 - push esi
775DEABF - CC - int 3 
764C5368 - 89 65 E8  - mov [ebp-18],esp
775A20FB - 53 - push ebx
73CFEF20 - 68 80E7CF73 - push 73CFE780
7759DEF2 - 55 - push ebp
74238790 - 6A 00 - push 00
742387B3 - 53 - push ebx
7759DB62 - 55 - push ebp
74238799 - 68 14082974 - push 74290814
742387D1 - 68 10270000 - push 00002710
7759DB68 - 53 - push ebx
70BD3AD0 - 55 - push ebp
70BD38EF - CC - int 3 
70BD3AF0 - 55 - push ebp
7759DEEF - CC - int 3 
734B449F - CC - int 3 
7759DB5F - CC - int 3 
6FFAAFE6 - 56 - push esi
1001F99B - 60 - pushad 
7409F6BC - 89 7D DC  - mov [ebp-24],edi
735B5478 - 6A 00 - push 00
735B592F - CC - int 3 
7409F6C4 - 66 89 45 DA  - mov [ebp-26],ax
775A21D5 - 89 54 24 20  - mov [esp+20],edx
775B7AB2 - 56 - push esi
71EF6329 - 89 54 24 14  - mov [esp+14],edx
71F4B66C - FF 25 140D0972  - jmp dword ptr [72090D14]
775A486E - 57 - push edi
719A1A68 - 68 C9D7A771 - push 71A7D7C9
728331F1 - 89 7E 58  - mov [esi+58],edi
72832506 - 89 46 58  - mov [esi+58],eax
72832616 - 89 5E 58  - mov [esi+58],ebx
72829CBA - F3 0F11 45 A0  - movss [ebp-60],xmm0
727AB118 - F3 0F11 5D 98  - movss [ebp-68],xmm3
727A63AE - 53 - push ebx
727BA655 - 57 - push edi
727BA6C7 - 56 - push esi
727BAA0F - CC - int 3 
727BB86D - 52 - push edx
727C0CDD - C2 1400 - ret 0014
72787D44 - F3 A5 - repe movsd 
727BB648 - F3 0F11 45 FC  - movss [ebp-04],xmm0
727C9016 - F3 0F11 42 14  - movss [edx+14],xmm0
6FF8D0D2 - 89 75 F4  - mov [ebp-0C],esi
72804344 - 89 55 B8  - mov [ebp-48],edx
728046B7 - F3 0F11 45 B8  - movss [ebp-48],xmm0
727C975F - 50 - push eax
727C8EBF - CC - int 3 
727C9787 - 50 - push eax
6FF84DBF - CC - int 3 
727C8EC0 - 55 - push ebp
72813147 - F3 0F11 4D A8  - movss [ebp-58],xmm1
735A3BA2 - F3 0F11 58 20  - movss [eax+20],xmm3
7351B0EF - CC - int 3 
73592ACF - 53 - push ebx
770E8EBF - CC - int 3 
735652D9 - 56 - push esi
7356534E - 50 - push eax
73565358 - 56 - push esi
735B6A96 - 52 - push edx
735652C8 - 55 - push ebp
770D7FD8 - 50 - push eax
727C8FDD - F3 0F11 42 10  - movss [edx+10],xmm0
71FB673A - D9 9D 6CFFFFFF  - fstp dword ptr [ebp-00000094]
73540C9F - CC - int 3 
727FB2D0 - 50 - push eax
727FB382 - 52 - push edx
727FB3C9 - 57 - push edi
7276D5B2 - D9 58 1C  - fstp dword ptr [eax+1C]
727FB497 - 89 55 E8  - mov [ebp-18],edx
727FB723 - 89 55 E8  - mov [ebp-18],edx
727FB7E3 - FF 4D E8  - dec [ebp-18]
727FB821 - 89 45 E8  - mov [ebp-18],eax
727FB922 - FF 4D E8  - dec [ebp-18]
727FB963 - 89 45 E8  - mov [ebp-18],eax
727FBA44 - FF 4D E8  - dec [ebp-18]
7261B003 - 51 - push ecx
7261B00C - 89 4D FC  - mov [ebp-04],ecx
72622705 - 68 70676472 - push 72646770
727B7666 - 50 - push eax
7258B572 - F3 0F11 45 FC  - movss [ebp-04],xmm0
7262F830 - 55 - push ebp
727B7686 - 50 - push eax
7283316F - CC - int 3 
728311AE - 52 - push edx
728311C1 - 50 - push eax
72832580 - 55 - push ebp
728323D3 - 56 - push esi
72832943 - 56 - push esi
72829254 - F3 0F11 A5 30FFFFFF  - movss [ebp-000000D0],xmm4
770791CF - F3 AB - repe stosd 
6FFD6CA4 - 89 4C 24 48  - mov [esp+48],ecx
6FF9896A - 89 4C 24 48  - mov [esp+48],ecx
6F5A2810 - 55 - push ebp
6FF98A55 - 89 4C 24 48  - mov [esp+48],ecx
72831215 - 51 - push ecx
72831216 - D9 1C 24   - fstp dword ptr [esp]
72831229 - 57 - push edi
72769153 - 8D 7D D0  - lea edi,[ebp-30]
727691C3 - 8D 7D D0  - lea edi,[ebp-30]
735AC468 - 55 - push ebp
6FFABDBA - 64 FF 35 00000000  - push fs:[00000000]
6FF8D876 - 89 45 FC  - mov [ebp-04],eax
6F66C3C9 - 53 - push ebx
6FFABD5D - 53 - push ebx
6F66C670 - 55 - push ebp
7004FA85 - 57 - push edi
6FF7CC16 - 51 - push ecx
7188CC32 - 53 - push ebx
71A61C68 - C2 0400 - ret 0004
728083AF - CC - int 3 
7262444A - C6 45 FF 00 - mov byte ptr [ebp-01],00
726244F5 - C6 45 FF 01 - mov byte ptr [ebp-01],01
72624654 - 6A 02 - push 02
7262C670 - 53 - push ebx
71A1ADE0 - 52 - push edx
71A1AE16 - 6A 00 - push 00
71A1AE32 - 52 - push edx
71A1AEDC - 52 - push edx
70CB7CFF - CC - int 3 
7277FA10 - 55 - push ebp
73517DD0 - 6A FF - push -01
73517DFF - 89 44 24 1C  - mov [esp+1C],eax
70CCA8F4 - 53 - push ebx
71778643 - 57 - push edi
71F1E5EF - 57 - push edi
735B5914 - 50 - push eax
72EE25D9 - C3 - ret 
72EE0150 - 55 - push ebp
775A2104 - 57 - push edi
71EF6303 - 89 5C 24 2C  - mov [esp+2C],ebx
71935372 - 89 5D FC  - mov [ebp-04],ebx
71F3B5CE - 89 56 68  - mov [esi+68],edx
71F3D955 - 89 46 68  - mov [esi+68],eax
71F38C94 - 89 51 18  - mov [ecx+18],edx
71F38C8D - 89 41 18  - mov [ecx+18],eax
7352682F - CC - int 3 
719CEFF9 - 51 - push ecx
775A4AD0 - 89 55 F8  - mov [ebp-08],edx
727ADBEC - 57 - push edi
775A47FF - CC - int 3 
775B10E1 - 57 - push edi
719E2546 - 89 7C 24 3C  - mov [esp+3C],edi
719ADBF6 - 89 94 24 84000000  - mov [esp+00000084],edx
718BF995 - 53 - push ebx
718BF770 - 55 - push ebp
71994C30 - 55 - push ebp
718437DF - CC - int 3 
719C49E6 - 51 - push ecx
719C49E7 - C7 04 24  9A3F1C46 - mov [esp],461C3F9A
719AE672 - 89 4D 08  - mov [ebp+08],ecx
719A0E29 - 57 - push edi
718E324F - CC - int 3 
72F61243 - 68 3F130000 - push 0000133F
72F612D8 - 57 - push edi
719A0FAA - 88 54 24 14  - mov [esp+14],dl
719A101F - C6 44 24 14 00 - mov byte ptr [esp+14],00
73526837 - 57 - push edi
717746B2 - 53 - push ebx
727F98C0 - 55 - push ebp
719A1039 - 68 98EFC571 - push 71C5EF98
71A622E2 - DD 1C 24   - fstp qword ptr [esp]
7190972F - CC - int 3 
717C5D40 - 89 55 FC  - mov [ebp-04],edx
718E7527 - 56 - push esi
719BE86F - CC - int 3 
72EE25E9 - FF 75 08  - push [ebp+08]
72EE015C - 6A 00 - push 00
717746B0 - 50 - push eax
775A4891 - C7 45 E8 00000000 - mov [ebp-18],00000000
775A4913 - C7 45 E8 02000000 - mov [ebp-18],00000002
1001F97D - 53 - push ebx
100200A1 - 87 7C 24 0C  - xchg [esp+0C],edi
1001FFBE - 87 7C 24 40  - xchg [esp+40],edi
7409F692 - 68 70CF1574 - push 7415CF70
740D6186 - 31 45 FC  - xor [ebp-04],eax
740D6198 - C7 45 FC FEFFFFFF - mov [ebp-04],FFFFFFFE
7409F6E8 - 89 7D FC  - mov [ebp-04],edi
7409F727 - C7 45 FC FEFFFFFF - mov [ebp-04],FFFFFFFE
7279905F - 57 - push edi
735B53C8 - 52 - push edx
735B590F - CC - int 3 
6F65FD28 - 6A 01 - push 01
775BD593 - 89 54 24 18  - mov [esp+18],edx
775A485E - 55 - push ebp
72EE0238 - 53 - push ebx
775B10CF - CC - int 3 
775A4B9D - 89 45 E8  - mov [ebp-18],eax
735B547A - 6A 00 - push 00
735B5934 - 50 - push eax
727E0EB9 - 56 - push esi
71F21BB3 - 6A FF - push -01
71F20F9F - CC - int 3 
7199FE64 - 89 74 24 1C  - mov [esp+1C],esi
719E0B2F - CC - int 3 
71F4B696 - FF 25 180C0972  - jmp dword ptr [72090C18]
7182205F - CC - int 3 
71F4A18F - CC - int 3 
719E6D3F - CC - int 3 
7182848F - CC - int 3 
727AE106 - 56 - push esi
727ADC04 - 89 55 FC  - mov [ebp-04],edx
7186803C - 50 - push eax
72EE25EE - FF 35 B048F872  - push [72F848B0]
741F551F - CC - int 3 
71EE37B4 - 56 - push esi
727ADF76 - 53 - push ebx
72ED2303 - 57 - push edi
72EE25DC - 55 - push ebp
72EE0159 - FF 75 08  - push [ebp+08]
727E123F - 57 - push edi
775A2240 - C7 44 24 28 00000000 - mov [esp+28],00000000
727ADF7D - 56 - push esi
71EE0F13 - 53 - push ebx
727E123C - 56 - push esi
775A21AB - 89 4C 24 18  - mov [esp+18],ecx
71F1E810 - 55 - push ebp
741F70EF - CC - int 3 
71F1DBD3 - 56 - push esi
71F20AC4 - 56 - push esi
71F1B3B3 - 6A FF - push -01
71F1B52A - C7 45 FC 02000000 - mov [ebp-04],00000002
71F1F175 - 56 - push esi
727AC098 - 51 - push ecx
727AC09D - 89 75 F0  - mov [ebp-10],esi
73517DF7 - 89 44 24 10  - mov [esp+10],eax
727A7E08 - 51 - push ecx
727A7E0C - 89 75 F0  - mov [ebp-10],esi
727A84D8 - 51 - push ecx
727A84DD - 89 5D F0  - mov [ebp-10],ebx
727E1240 - 89 75 F0  - mov [ebp-10],esi
71F1E940 - 89 4D F8  - mov [ebp-08],ecx
71F1DBFF - CC - int 3 
735B56DF - CC - int 3 
72EE0364 - E9 41FEFFFF - jmp 72EE01AA
71F2052E - 56 - push esi
71EEAD9C - 89 B4 24 FC000000  - mov [esp+000000FC],esi
71F3F1E0 - 89 58 18  - mov [eax+18],ebx
71F3F228 - D9 58 18  - fstp dword ptr [eax+18]
71F3F24B - D9 58 F8  - fstp dword ptr [eax-08]
7184A8BA - 50 - push eax
72EE0232 - C3 - ret 
72EE25EC - 6A 00 - push 00
727ADB85 - 68 7B0A8472 - push 72840A7B
71F1F66E - 89 75 F8  - mov [ebp-08],esi
71F1E1E3 - 6A FF - push -01
71F1E485 - C7 45 FC 03000000 - mov [ebp-04],00000003
71F1E59D - C7 45 FC FFFFFFFF - mov [ebp-04],FFFFFFFF
718D8D45 - 68 4841A671 - push 71A64148
719AE434 - 52 - push edx
719AEA9F - CC - int 3 
719AE888 - 51 - push ecx
719AE892 - 89 0C 24   - mov [esp],ecx
735B58AF - CC - int 3 
719BE741 - 53 - push ebx
7194B849 - 57 - push edi
719BE881 - 51 - push ecx
719BE898 - 89 75 F0  - mov [ebp-10],esi
7283212A - 57 - push edi
7283247A - 57 - push edi
775A4809 - 56 - push esi
6FF7A9B5 - 57 - push edi
6FF88F37 - FF 75 10  - push [ebp+10]
73517DE8 - 55 - push ebp
775A4836 - FF 75 0C  - push [ebp+0C]
770E7F95 - 6A FE - push -02
770E81EA - C7 45 FC 00000000 - mov [ebp-04],00000000
770E8352 - C7 45 FC FEFFFFFF - mov [ebp-04],FFFFFFFE
7759DB6A - 57 - push edi
770EBE43 - 56 - push esi
772888F7 - 68 08A33277 - push 7732A308
77288910 - 31 45 F8  - xor [ebp-08],eax
770E7EC6 - FF 75 14  - push [ebp+14]
770E7EC5 - 52 - push edx
772862D3 - 56 - push esi
7729F1BF - CC - int 3 
7729F853 - CC - int 3 
7729F88C - 89 45 F8  - mov [ebp-08],eax
72EE015E - FF 35 B048F872  - push [72F848B0]
7283259D - 57 - push edi
7282402E - 50 - push eax
72824048 - 50 - push eax
72824066 - 50 - push eax
775A21CD - C7 44 24 30 00000000 - mov [esp+30],00000000
71F21C63 - 6A FF - push -01
71F210CF - CC - int 3 
71F488D3 - 6A FF - push -01
775A48CF - 89 4D E0  - mov [ebp-20],ecx
72EE014D - C3 - ret 
727E121F - CC - int 3 
727ADC07 - 53 - push ebx
73517DCF - CC - int 3 
7283B770 - 55 - push ebp
73593FBE - 89 44 24 18  - mov [esp+18],eax
7359447C - 53 - push ebx
7359419D - C2 0800 - ret 0008
7283C0C4 - 56 - push esi
735944DE - 50 - push eax
7359451B - 55 - push ebp
73594598 - 50 - push eax
727E1B9B - 57 - push edi
7283E1CB - 56 - push esi
725CAD02 - 88 02  - mov [edx],al
734F9ACA - 56 - push esi
734F9B18 - 56 - push esi
734FA60D - 57 - push edi
734FAB56 - 56 - push esi
775D08C3 - 74 06 - je 775D08CB
740C9722 - 55 - push ebp
700C10B5 - 51 - push ecx
72EEC24E - 53 - push ebx
71FA3F69 - 89 45 FC  - mov [ebp-04],eax
71F8E5DD - 6A 00 - push 00
72EEC250 - 57 - push edi
775A4852 - 53 - push ebx
734E937B - 56 - push esi
734F99B1 - 89 45 F4  - mov [ebp-0C],eax
719B08AB - 89 44 24 14  - mov [esp+14],eax
71A3C808 - 89 4D EC  - mov [ebp-14],ecx
71A3E35E - D9 5D EC  - fstp dword ptr [ebp-14]
71A3E377 - D9 5D EC  - fstp dword ptr [ebp-14]
71A3E3E8 - 89 55 EC  - mov [ebp-14],edx
71A3E888 - 89 75 EC  - mov [ebp-14],esi
71A3E6F5 - C7 07 00000000 - mov [edi],00000000
71A3E795 - D9 1F  - fstp dword ptr [edi]
71A3E8B5 - D9 5D EC  - fstp dword ptr [ebp-14]
71A3E924 - 89 4D EC  - mov [ebp-14],ecx
71A3E962 - 89 55 EC  - mov [ebp-14],edx
71A3EBB9 - 89 5D F0  - mov [ebp-10],ebx
71A3EA32 - C7 01 00000000 - mov [ecx],00000000
71A3EA88 - 89 01  - mov [ecx],eax
71A3EC03 - D9 5D F0  - fstp dword ptr [ebp-10]
718E7DD3 - 89 08  - mov [eax],ecx
71A3EEA9 - 89 5D F0  - mov [ebp-10],ebx
71A3ED15 - C7 01 00000000 - mov [ecx],00000000
71A3ED6B - 89 01  - mov [ecx],eax
71A3EEF3 - D9 5D F0  - fstp dword ptr [ebp-10]
71835584 - 89 4D EC  - mov [ebp-14],ecx
71A3F32F - 89 4D EC  - mov [ebp-14],ecx
71A3EFCF - CC - int 3 
71EF8219 - 53 - push ebx
727A45EF - CC - int 3 
71EF8248 - 51 - push ecx
71EF825D - 50 - push eax
71EF827C - 53 - push ebx
719FE49D - DD 5D DC  - fstp qword ptr [ebp-24]
719FE330 - 55 - push ebp
7181741F - CC - int 3 
718FB140 - 55 - push ebp
718E7240 - 55 - push ebp
718CA213 - 6A FF - push -01
718CA39F - C7 45 FC 00000000 - mov [ebp-04],00000000
718CA3AB - C7 45 FC FFFFFFFF - mov [ebp-04],FFFFFFFF
735B5470 - 56 - push esi
727E0EA3 - 6A FF - push -01
727E0EC8 - C7 45 FC 00000000 - mov [ebp-04],00000000
71F1F72F - CC - int 3 
775B10D2 - 55 - push ebp
775B10D9 - 53 - push ebx
718D8DAE - 52 - push edx
719A0BBA - 50 - push eax
719A6960 - 56 - push esi
735B542F - CC - int 3 
727E0EA0 - 55 - push ebp
719BEAB9 - 50 - push eax
7194BE86 - 68 48F9BC71 - push 71BCF948
719B6EBF - CC - int 3 
735B56EF - 56 - push esi
735B5746 - 6A 00 - push 00
719BE880 - 50 - push eax
735B537F - CC - int 3 
735B5748 - 56 - push esi
71796A3F - CC - int 3 
71850F1F - CC - int 3 
719AE406 - 56 - push esi
718FC70A - 68 4498AA71 - push 71AA9844
718FC75D - 50 - push eax
718FC7B1 - 51 - push ecx
717C7D9F - CC - int 3 
718FC823 - 6A 01 - push 01
71796633 - 51 - push ecx
7179664B - 89 45 FC  - mov [ebp-04],eax
7179665F - 89 7D FC  - mov [ebp-04],edi
717CCD83 - 53 - push ebx
7177412F - C3 - ret 
719A11DF - CC - int 3 
7199BFAF - CC - int 3 
71789E0F - CC - int 3 
717957F9 - 50 - push eax
719A0E27 - 53 - push ebx
72EE025B - 6A 00 - push 00
6F660A40 - 51 - push ecx
70CBACD4 - 56 - push esi
70BED393 - 51 - push ecx
70BED39D - 88 4D FF  - mov [ebp-01],cl
70BED3EB - C6 45 FF 01 - mov byte ptr [ebp-01],01
70BEFF74 - D9 55 F8  - fst dword ptr [ebp-08]
70BEC23B - 56 - push esi
70BE38CF - CC - int 3 
71F20AC3 - 51 - push ecx
71F1B3B0 - 55 - push ebp
71F219CF - CC - int 3 
71F1F850 - 55 - push ebp
71F20633 - 53 - push ebx
71F1F176 - 57 - push edi
71F1FB9F - CC - int 3 
741F70F2 - 55 - push ebp
71F21FBF - CC - int 3 
71F1EA2C - 50 - push eax
71F1DC13 - 57 - push edi
71F1B3CE - 50 - push eax
71F1F97B - 56 - push esi
71EE0673 - 57 - push edi
71F20AC0 - 55 - push ebp
71F1B3AF - CC - int 3 
727ADBE6 - 56 - push esi
71A61A92 - FF 25 9419AA71  - jmp dword ptr [71AA1994]
71F1F84F - CC - int 3 
71F1F17E - 50 - push eax
741F714F - CC - int 3 
71EEFA7F - CC - int 3 
71EF48F3 - 56 - push esi
7199A5C9 - 57 - push edi
71A5C5A0 - FF 25 4828AA71  - jmp dword ptr [71AA2848]
727ADF6F - CC - int 3 
741F5522 - 55 - push ebp
775A20F2 - 55 - push ebp
7182214F - CC - int 3 
719E6D6F - CC - int 3 
71868075 - 51 - push ecx
71868094 - 57 - push edi
727E1313 - 56 - push esi
71EF3696 - 53 - push ebx
72ED2304 - 56 - push esi
727ADBDF - CC - int 3 
7352688F - CC - int 3 
727E1314 - 57 - push edi
71EF3697 - 56 - push esi
71EE0F14 - 56 - push esi
71EF1EE4 - 53 - push ebx
73518096 - 57 - push edi
71F21D40 - 55 - push ebp
7279AE2B - 56 - push esi
7277A8D9 - 57 - push edi
7277A5B5 - 57 - push edi
727AF490 - 50 - push eax
727AA1E9 - 89 75 EC  - mov [ebp-14],esi
719AE9E8 - 6A 01 - push 01
71A064AF - CC - int 3 
71F24480 - 55 - push ebp
727E0EB0 - 50 - push eax
735B5476 - 6A FF - push -01
735B54C8 - 56 - push esi
71F1EF45 - 68 81780872 - push 72087881
719BE9B3 - 51 - push ecx
719BE9BC - 89 4D FC  - mov [ebp-04],ecx
7179AB00 - 55 - push ebp
719C0BEF - CC - int 3 
71948AE6 - 56 - push esi
719AEA7D - 6A 04 - push 04
719AEA8B - 6A 01 - push 01
71948965 - 68 78D2A771 - push 71A7D278
719C4233 - 6A FF - push -01
719C42AC - 89 45 FC  - mov [ebp-04],eax
719C4560 - C6 45 FC 01 - mov byte ptr [ebp-04],01
719C4594 - C6 45 FC 00 - mov byte ptr [ebp-04],00
719C46E9 - C7 45 FC FFFFFFFF - mov [ebp-04],FFFFFFFF
719B9087 - 53 - push ebx
719444E7 - 53 - push ebx
71F1EF3F - CC - int 3 
717A1AF0 - 55 - push ebp
719B2443 - 56 - push esi
735B547C - 57 - push edi
719C3C95 - 68 96F7A671 - push 71A6F796
719BF930 - 50 - push eax
6F65FDE0 - 55 - push ebp
6F65FCE0 - 56 - push esi
719AEA70 - 56 - push esi
719BE870 - 55 - push ebp
718BC2FF - CC - int 3 
71F1F630 - 56 - push esi
71ED5A88 - 6A 01 - push 01
727E1220 - 55 - push ebp
7177469D - C2 0400 - ret 0004
71868FBF - CC - int 3 
719A0FC4 - 6A 00 - push 00
719A1030 - 6A 00 - push 00
71A07C31 - C6 45 23 01 - mov byte ptr [ebp+23],01
71A07FB6 - 89 55 20  - mov [ebp+20],edx
71A0663F - CC - int 3 
7199BF6F - CC - int 3 
71816DEF - CC - int 3 
71F1F82E - 50 - push eax
71F1F83B - 51 - push ecx
734E9576 - 56 - push esi
734E93A0 - 89 5D 08  - mov [ebp+08],ebx
734F998F - CC - int 3 
775CA2DF - 90 - nop 
6F660B9F - CC - int 3 
718DFA1D - 89 5C 24 54  - mov [esp+54],ebx
71F1F660 - 55 - push ebp
71F1E1DF - CC - int 3 
718B82E1 - 56 - push esi
740C91D2 - 55 - push ebp
71F8C7CF - CC - int 3 
71F8CAD2 - 50 - push eax
7181D480 - 55 - push ebp
71A61A25 - CC - int 3 
71948DCB - 89 41 0C  - mov [ecx+0C],eax
719B1FE8 - 68 48D2A771 - push 71A7D248
6F65FDF9 - 89 45 F8  - mov [ebp-08],eax
70CBACC0 - 55 - push ebp
70BBB7E9 - 50 - push eax
70BBB7FA - 52 - push edx
70CCBCCE - 89 4D F8  - mov [ebp-08],ecx
70CCBD61 - 89 45 F8  - mov [ebp-08],eax
70CC59B0 - 55 - push ebp
70CB3DD0 - 55 - push ebp
70CCBA83 - 6A 01 - push 01
70C01AFC - 89 10  - mov [eax],edx
70CB8969 - 6A 01 - push 01
735B5471 - 57 - push edi
71883E00 - 55 - push ebp
6F65FD26 - 6A 00 - push 00
7194BF03 - 68 81000000 - push 00000081
7194BF14 - 68 81000000 - push 00000081
7194BF25 - 6A 34 - push 34
7194BF2B - 68 B0000000 - push 000000B0
7194BF4B - 56 - push esi
7194BF6D - 68 00000080 - push 80000000
71F1F740 - 50 - push eax
718D8E65 - 68 4841A671 - push 71A64148
719AE88C - D9 5D F4  - fstp dword ptr [ebp-0C]
719AE89A - D9 5D F4  - fstp dword ptr [ebp-0C]
719C4400 - C7 45 FC FFFFFFFF - mov [ebp-04],FFFFFFFF
6F65FDEC - 56 - push esi
71F42C30 - 56 - push esi
719A1106 - 51 - push ecx
719AE983 - 56 - push esi
719AE836 - 53 - push ebx
719AEB19 - 56 - push esi
71EE043F - CC - int 3 
71948A1D - 6A 01 - push 01
71EE0290 - 89 45 14  - mov [ebp+14],eax
72EE0235 - 55 - push ebp
719C3CB6 - 6A FD - push -03
719BE7CB - 89 45 0C  - mov [ebp+0C],eax
719BF935 - 57 - push edi
718D8D43 - 6A FF - push -01
717CF7FA - 89 95 70FFFFFF  - mov [ebp-00000090],edx
717CF9E8 - 89 85 70FFFFFF  - mov [ebp-00000090],eax
775DDC8F - CC - int 3 
719A1066 - 50 - push eax
719B24F3 - 56 - push esi
719AE400 - 55 - push ebp
727E0EB8 - 51 - push ecx
727E0EBC - 89 75 F0  - mov [ebp-10],esi
71F1EF50 - 50 - push eax
719C3C60 - 55 - push ebp
734E9825 - 51 - push ecx
72ED30D5 - 89 42 14  - mov [edx+14],eax
734E936F - CC - int 3 
734F9990 - 55 - push ebp
71A3C6B5 - 89 4D EC  - mov [ebp-14],ecx
6F65FDF0 - 89 45 FC  - mov [ebp-04],eax
7263F0A6 - FF 25 D4DA6472  - jmp dword ptr [7264DAD4]
725CB0AF - CC - int 3 
725CB2BF - 57 - push edi
725CB3DD - 6A 01 - push 01
725CB326 - 57 - push edi
725CB403 - 53 - push ebx
725CB493 - 50 - push eax
725CB526 - 57 - push edi
725CB546 - 57 - push edi
725CB6C0 - 57 - push edi
7263F0AC - FF 25 D8DA6472  - jmp dword ptr [7264DAD8]
71797158 - 89 4D D4  - mov [ebp-2C],ecx
719B221C - 50 - push eax
770E79E2 - 55 - push ebp
740C91D5 - FF 75 10  - push [ebp+10]
70BE6C30 - 51 - push ecx
70BE6C37 - D9 1C 24   - fstp dword ptr [esp]
718D8DE0 - 50 - push eax
717970B5 - 68 9829A871 - push 71A82998
719B21FF - CC - int 3 
727A665C - D9 5D F4  - fstp dword ptr [ebp-0C]
7178A0A0 - 55 - push ebp
72ED1E80 - 55 - push ebp
727A59E0 - 55 - push ebp
7277AC81 - 57 - push edi
7277001F - CC - int 3 
70D1565C - 57 - push edi
727C070D - D9 1C 24   - fstp dword ptr [esp]
727C0710 - 50 - push eax
727BA690 - 57 - push edi
70044FB0 - 6A 38 - push 38
727BB873 - 52 - push edx
727C0D20 - F3 0F11 45 F8  - movss [ebp-08],xmm0
72787D41 - 8D 7D DC  - lea edi,[ebp-24]
727BB620 - F3 0F11 4D F0  - movss [ebp-10],xmm1
6FF7A99C - EB AF - jmp 6FF7A94D
6FF85B84 - 55 - push ebp
727C8F6D - F3 0F11 42 08  - movss [edx+08],xmm0
6FF8D0A6 - 56 - push esi
72804333 - 89 55 AC  - mov [ebp-54],edx
72804696 - F3 0F11 45 AC  - movss [ebp-54],xmm0
6FFABDB8 - C3 - ret 
6FFABDE1 - C7 45 FC FFFFFFFF - mov [ebp-04],FFFFFFFF
6FF84E27 - 83 65 FC 00 - and dword ptr [ebp-04],00
6FF84E6E - 83 4D FC FF - or dword ptr [ebp-04],-01
7281311D - F3 0F11 4D 9C  - movss [ebp-64],xmm1
71A1BBFA - D9 58 08  - fstp dword ptr [eax+08]
727CD850 - 50 - push eax
727CD740 - 55 - push ebp
7356993A - 89 5C 24 14  - mov [esp+14],ebx
73569966 - 01 5C 24 14  - add [esp+14],ebx
735699A4 - 89 5C 24 1C  - mov [esp+1C],ebx
735652E4 - 6A 14 - push 14
770E8ED2 - 89 75 FC  - mov [ebp-04],esi
770E8EE1 - 89 75 FC  - mov [ebp-04],esi
735652DE - 52 - push edx
770E5FF4 - 88 55 FF  - mov [ebp-01],dl
727C8F35 - F3 0F11 42 04  - movss [edx+04],xmm0
6FF90017 - 57 - push edi
718C2685 - 51 - push ecx
718C27E5 - D9 5D 08  - fstp dword ptr [ebp+08]
718C281F - D9 5D 08  - fstp dword ptr [ebp+08]
718C2833 - D9 5D 08  - fstp dword ptr [ebp+08]
719AEAF0 - 55 - push ebp
719B2203 - 6A FF - push -01
719B225E - C7 45 FC 00000000 - mov [ebp-04],00000000
719B2290 - C7 45 FC FFFFFFFF - mov [ebp-04],FFFFFFFF
717D77A7 - 89 4C 24 58  - mov [esp+58],ecx
72779EC2 - F3 0F11 85 5CFFFFFF  - movss [ebp-000000A4],xmm0
72779FA6 - F3 0F11 58 F8  - movss [eax-08],xmm3
72798DBD - C2 1000 - ret 0010
727F98D4 - 57 - push edi
71A07822 - 56 - push esi
718FDE34 - 53 - push ebx
7277B844 - 57 - push edi
71A0817D - 89 45 E8  - mov [ebp-18],eax
71A081F8 - 89 4D E8  - mov [ebp-18],ecx
71A077A1 - 51 - push ecx
71A077C2 - 89 45 F0  - mov [ebp-10],eax
719ACCE4 - 53 - push ebx
6EEFAB17 - 57 - push edi
6EEFCC63 - 51 - push ecx
6EEFCC6D - 89 45 FC  - mov [ebp-04],eax
6EE5C026 - 89 4D F8  - mov [ebp-08],ecx
6EE5C05A - 89 55 F8  - mov [ebp-08],edx
6EEFAB10 - 55 - push ebp
6EF04E82 - EB F2 - jmp 6EF04E76
6EEA3BF1 - 52 - push edx
6EEA3BFF - 50 - push eax
6EEA3C0D - 52 - push edx
6EEA3C1B - 50 - push eax
6EE9AA9F - CC - int 3 
6EE995A0 - 55 - push ebp
71F1F62F - CC - int 3 
719BE8CC - 57 - push edi
71ED5A7F - CC - int 3 
6EEFAB8B - 51 - push ecx
6EEFABB1 - 52 - push edx
6EEC645F - CC - int 3 
6EF0425F - CC - int 3 
719436E5 - 68 17B5A671 - push 71A6B517
719BF920 - 55 - push ebp
718C2772 - D9 5D 08  - fstp dword ptr [ebp+08]
718C2781 - D9 5D 08  - fstp dword ptr [ebp+08]
718C2795 - D9 5D 08  - fstp dword ptr [ebp+08]
718C27A8 - D9 5D 08  - fstp dword ptr [ebp+08]
718E3570 - 53 - push ebx
71832F73 - 53 - push ebx
718E3320 - 55 - push ebp
719FE26B - C7 45 EC 00000000 - mov [ebp-14],00000000
719FE280 - 89 75 EC  - mov [ebp-14],esi
719A27CE - DD 5D E0  - fstp qword ptr [ebp-20]
71946D40 - 55 - push ebp
719485C0 - 55 - push ebp
73595692 - 57 - push edi
71F1B3C6 - 57 - push edi
71F1F97A - 53 - push ebx
71F1FC76 - 57 - push edi
71EE0670 - 56 - push esi
727E123B - 53 - push ebx
717C7F57 - 89 16  - mov [esi],edx
719E2639 - C7 44 24 14 00000000 - mov [esp+14],00000000
719E2751 - C7 44 24 14 00000000 - mov [esp+14],00000000
719E286E - 89 4C 24 14  - mov [esp+14],ecx
718D9002 - 53 - push ebx
719B23BD - C7 44 24 20 00000000 - mov [esp+20],00000000
719C4391 - C7 45 FC FFFFFFFF - mov [ebp-04],FFFFFFFF
719A1AE0 - 89 54 24 4C  - mov [esp+4C],edx
6F660A41 - 56 - push esi
717C7EDF - CC - int 3 
7194C036 - 6A 01 - push 01
71796A7F - CC - int 3 
719E2E8F - CC - int 3 
7194C0B1 - 6A 02 - push 02
7194C10C - 6A 02 - push 02
717D713D - C2 0C00 - ret 000C
7194C12E - 68 AC000000 - push 000000AC
7194C14B - 6A FF - push -01
7194C181 - 68 00000080 - push 80000000
719F1FCF - CC - int 3 
7004A5D8 - 89 7D D4  - mov [ebp-2C],edi
727A65F1 - F3 0F11 45 C0  - movss [ebp-40],xmm0
7199A0FE - 57 - push edi
71F2200B - 50 - push eax
719D3CCF - CC - int 3 
719D3C2E - 50 - push eax
719D3C3F - 56 - push esi
717B403F - CC - int 3 
719D3B72 - 50 - push eax
71F2890D - 50 - push eax
6EEFCC6C - 50 - push eax
6EEFCC82 - 56 - push esi
6EEFCC89 - 56 - push esi
6EEFCCBF - 51 - push ecx
719A32F0 - 55 - push ebp
719A67AE - C7 45 F8 0000803F - mov [ebp-08],3F800000
719AE3B3 - 56 - push esi
718420D2 - 6A 02 - push 02
71948E60 - 56 - push esi
7177565F - CC - int 3 
727ADB90 - 50 - push eax
71F1F68A - 89 45 F4  - mov [ebp-0C],eax
71F1E1E5 - 68 047F0872 - push 72087F04
7179D370 - 53 - push ebx
719AE855 - 89 5D F8  - mov [ebp-08],ebx
719AE8B8 - 89 45 F8  - mov [ebp-08],eax
719BE74B - 50 - push eax
719BF934 - 56 - push esi
719B1EFC - 89 5C 24 38  - mov [esp+38],ebx
727A6950 - D9 58 04  - fstp dword ptr [eax+04]
719B23CD - C7 44 24 18 00000000 - mov [esp+18],00000000
719A2FC4 - 89 11  - mov [ecx],edx
71EF824B - 50 - push eax
71EF825E - 50 - push eax
775A4A72 - 55 - push ebp
71EECBBF - CC - int 3 
719A3820 - 55 - push ebp
719A326F - CC - int 3 
718437E0 - 55 - push ebp
719A0E10 - 55 - push ebp
719B087C - 57 - push edi
71F1EA85 - 68 BA780872 - push 720878BA
718C16EC - 57 - push edi
719B1107 - 56 - push esi
719A56FF - CC - int 3 
717B4410 - 55 - push ebp
719E480F - CC - int 3 
719E4DFF - CC - int 3 
719E4EEF - CC - int 3 
71EF0EF0 - 55 - push ebp
719A559F - CC - int 3 
719353F2 - 89 4D F8  - mov [ebp-08],ecx
6EF04260 - 55 - push ebp
775BA5D0 - 6A 1C - push 1C
775DDE68 - 89 6C 24 10  - mov [esp+10],ebp
775DDEAF - 51 - push ecx
6EEDBE97 - 50 - push eax
6EEDBECC - 50 - push eax
6EEDBEFE - 50 - push eax
71796630 - 55 - push ebp
71A39B94 - 89 44 24 14  - mov [esp+14],eax
71D6A818 - FF 25 44C4D671  - jmp dword ptr [71D6C444]
70CCAB41 - 88 19  - mov [ecx],bl
70CC4A69 - 57 - push edi
77288931 - C7 45 E0 00000000 - mov [ebp-20],00000000
77288C35 - 89 45 E0  - mov [ebp-20],eax
700C1149 - 89 7D FC  - mov [ebp-04],edi
700B58A1 - C7 06 00000000 - mov [esi],00000000
71F1E5DF - CC - int 3 
71F1DD60 - 53 - push ebx
71F2049F - CC - int 3 
71F48890 - 55 - push ebp
70CE1984 - 56 - push esi
70BBFD10 - 55 - push ebp
70BBF040 - 55 - push ebp
70CDCE37 - 57 - push edi
70CDCE56 - 6A 00 - push 00
70CDD774 - FF 25 0CF3CE70  - jmp dword ptr [70CEF30C]
719A0BBD - 89 5D EC  - mov [ebp-14],ebx
719A0E8E - 89 54 24 2C  - mov [esp+2C],edx
7424F4FF - CC - int 3 
770EA9DD - 50 - push eax
770EBF1F - CC - int 3 
700C10AF - CC - int 3 
770E7F8F - CC - int 3 
7759DB69 - 56 - push esi
770EBE40 - 55 - push ebp
775A49C3 - 57 - push edi
775A32D1 - 89 75 D8  - mov [ebp-28],esi
775A3591 - 89 75 D8  - mov [ebp-28],esi
775A3614 - 89 4D D8  - mov [ebp-28],ecx
775A373F - 89 4D D8  - mov [ebp-28],ecx
775A491A - 57 - push edi
718FDF91 - 57 - push edi
7184A9D1 - C7 44 24 18 00803B45 - mov [esp+18],453B8000
71935BD4 - 89 0E  - mov [esi],ecx
734FA49B - 57 - push edi

TimFun13
Expert Cheater
Posts: 1354
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 6

Re: Help separating me from enemies

Post by TimFun13 »

Try looking at the registers, or use the structure dissect tool on a base address in a register; but in the end there's no magic trick to it. You just have to find a way to tell the 2 apart. You can try backtracing the function to find a better spot to hook it.

You can do the CE tutorial (step 9) for an example.
[Link]
[Link]
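As an added illustration of the advice above (example code written for this page, not TimFun13's, pharaon's or the game's code): a small C program that models why "find what writes" reports one instruction for every player, and how a structure-dissect style comparison can locate a field that tells the instances apart. The estate layout, the owner encoding and the snapshot values are constructed assumptions. The comparison is slightly more general than just diffing two objects once: it keeps only words that differ between the two instances but stay constant across time within each instance, which automatically rules out the gold field itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP 16   /* enough slots for every word of the constructed struct */

/* Constructed stand-in for a per-player estate object.  The layout and the
 * owner encoding are assumptions made for this example, not the real
 * StrongholdBase layout. */
typedef struct {
    uint32_t id;         /* +0x00 */
    uint32_t owner;      /* +0x04: 0 = local player, 1.. = AI opponent (assumed) */
    float    gold;       /* +0x08: the field the shared write instruction updates */
    uint32_t keep_count; /* +0x0C */
    uint32_t flags;      /* +0x10 */
} Estate;

/* One routine serves every estate.  "Find what writes" therefore reports a
 * single instruction: the instance pointer held in a register changes, the
 * code does not, so the instruction address alone cannot say whose gold
 * is being updated. */
void add_gold(Estate *e, float delta) { e->gold += delta; }

/* Offsets of 4-byte words that differ between two equal-sized snapshots.
 * Always returns the full count; writes at most `max` offsets into out[]. */
size_t diff_words(const void *a, const void *b, size_t size, size_t *out, size_t max) {
    const uint8_t *pa = a, *pb = b;
    size_t n = 0;
    for (size_t off = 0; off + 4 <= size; off += 4) {
        if (memcmp(pa + off, pb + off, 4) != 0) {
            if (n < max) out[n] = off;
            n++;
        }
    }
    return n;
}

static int contains(const size_t *v, size_t n, size_t x) {
    for (size_t i = 0; i < n; i++) if (v[i] == x) return 1;
    return 0;
}

/* A usable discriminator differs between the two instances yet stays
 * constant across time within each instance; that excludes gold itself. */
size_t find_discriminators(const Estate *mine_t0, const Estate *mine_t1,
                           const Estate *theirs_t0, const Estate *theirs_t1,
                           size_t *out, size_t max) {
    size_t between[CAP], vm[CAP], vt[CAP];
    size_t nb = diff_words(mine_t0, theirs_t0, sizeof(Estate), between, CAP);
    size_t nm = diff_words(mine_t0, mine_t1, sizeof(Estate), vm, CAP);
    size_t nt = diff_words(theirs_t0, theirs_t1, sizeof(Estate), vt, CAP);
    if (nb > CAP) nb = CAP;
    if (nm > CAP) nm = CAP;
    if (nt > CAP) nt = CAP;
    size_t n = 0;
    for (size_t i = 0; i < nb; i++) {
        if (contains(vm, nm, between[i]) || contains(vt, nt, between[i])) continue;
        if (n < max) out[n] = between[i];
        n++;
    }
    return n;
}

/* Constructed snapshots: two estates with identical gold, each updated once
 * by the shared routine.  Returns the number of candidate offsets found. */
size_t demo(size_t *out, size_t max) {
    Estate mine   = { 7, 0, 1500.0f, 3, 0x11 };
    Estate theirs = { 9, 2, 1500.0f, 3, 0x11 };
    Estate mine_t0 = mine, theirs_t0 = theirs;
    add_gold(&mine,   250.0f);   /* same instruction ... */
    add_gold(&theirs, -80.0f);   /* ... different object, different address */
    return find_discriminators(&mine_t0, &mine, &theirs_t0, &theirs, out, max);
}

/* i-th candidate offset from demo(), or (size_t)-1 if there is none. */
size_t demo_offset(size_t i) {
    size_t offs[CAP];
    size_t n = demo(offs, CAP);
    return i < n ? offs[i] : (size_t)-1;
}

int main(void) {
    size_t offs[CAP];
    size_t n = demo(offs, CAP);
    for (size_t i = 0; i < n; i++)
        printf("candidate discriminator at +0x%02zX\n", offs[i]);
    return 0;
}
```

On the constructed data the only stable differences are +0x00 (id) and +0x04 (owner); the gold word at +0x08 drops out because it changed within each instance. In a real session the "instances" are the pointer values seen in the register at the write instruction for your estate and for an opponent's, and the snapshots are taken a few seconds apart.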

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: Help separating me from enemies

Post by pharaon »

That doesn't work because the opcode writes to only one address.

TimFun13
Expert Cheater
Posts: 1354
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 6

Re: Help separating me from enemies

Post by TimFun13 »

pharaon wrote (Wed Sep 12, 2018 10:31 pm):
> That doesn't work because the opcode writes to only one address.

Try a different instruction.
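The thread turns next to an auto-assembler injection: pharaon's script below replaces the six bytes 8B 45 08 8B 49 78 at the hook site with jmp newmem plus a nop, and its [DISABLE] block writes the original bytes back. Here is that same byte comparison from the defender's side, as an added C example that is not part of the thread and not taken from any anti-cheat product: an integrity check that classifies a hook site as intact, patched with a 5-byte near jmp (and resolves where the jmp leads), or otherwise modified. The module base, the hook-site address and the newmem address in the sample are constructed placeholders, since the thread does not give them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes quoted in the thread at "StrongholdBase.dll"+2CE041:
 *   mov eax,[ebp+08]  ->  8B 45 08
 *   mov ecx,[ecx+78]  ->  8B 49 78 */
static const uint8_t ORIGINAL_SITE[6] = { 0x8B, 0x45, 0x08, 0x8B, 0x49, 0x78 };

/* Constructed placeholders: the real module base and the address that
 * alloc(newmem) hands out are not known from the thread. */
#define SAMPLE_SITE_VA   0x716CE041u   /* hypothetical base 0x71400000 + 0x2CE041 */
#define SAMPLE_NEWMEM_VA 0x03FF0000u   /* hypothetical newmem block */

enum SiteState { SITE_INTACT = 0, SITE_JMP_HOOK = 1, SITE_MODIFIED = 2 };

/* Compare `len` code bytes read from `site` (running at virtual address
 * `site_va`) with the `elen` expected bytes.  A leading E9 rel32 is the
 * 5-byte near jmp an auto-assembler "jmp newmem" leaves behind; its target
 * is resolved into *target so a monitor can log where execution goes. */
enum SiteState inspect_site(const uint8_t *site, size_t len, uint32_t site_va,
                            const uint8_t *expected, size_t elen, uint32_t *target) {
    if (len < elen) return SITE_MODIFIED;
    if (memcmp(site, expected, elen) == 0) return SITE_INTACT;
    if (site[0] == 0xE9 && len >= 5) {
        int32_t rel;
        memcpy(&rel, site + 1, sizeof rel);        /* little-endian rel32 */
        if (target) *target = site_va + 5 + (uint32_t)rel;   /* wraps mod 2^32 */
        return SITE_JMP_HOOK;
    }
    return SITE_MODIFIED;
}

/* Constructed image of the site after "jmp newmem" + "nop" were written:
 * E9, rel32 = SAMPLE_NEWMEM_VA - (SAMPLE_SITE_VA + 5) = 0x92921FBA, then 90. */
size_t sample_patched_site(uint8_t out[6]) {
    const uint8_t patched[6] = { 0xE9, 0xBA, 0x1F, 0x92, 0x92, 0x90 };
    memcpy(out, patched, 6);
    return 6;
}

/* Classification of the constructed patched sample. */
enum SiteState check_sample(void) {
    uint8_t site[6];
    sample_patched_site(site);
    return inspect_site(site, 6, SAMPLE_SITE_VA, ORIGINAL_SITE, 6, NULL);
}

/* Resolved jmp target of the constructed patched sample. */
uint32_t sample_target(void) {
    uint8_t site[6];
    uint32_t target = 0;
    sample_patched_site(site);
    inspect_site(site, 6, SAMPLE_SITE_VA, ORIGINAL_SITE, 6, &target);
    return target;
}

int main(void) {
    static const char *names[] = { "intact", "jmp hook", "modified" };
    printf("pristine site: %s\n",
           names[inspect_site(ORIGINAL_SITE, 6, SAMPLE_SITE_VA, ORIGINAL_SITE, 6, NULL)]);
    printf("patched site:  %s, jumps to 0x%08X\n", names[check_sample()], sample_target());
    return 0;
}
```

In a real monitor the `site` bytes come from the live module image (read from the process, or from the checking code's own address space), and the expected bytes come from the file on disk or a stored hash of the whole code section; comparing a handful of known hook sites is cheap enough to repeat periodically, and a resolved target outside any loaded module is the signature of an alloc()-style code cave.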

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: Help separating me from enemies

Post by pharaon »

I tried, and this script makes the game crash:

[ENABLE]

aobscanmodule(INJECT,StrongholdBase.dll,8B 45 08 8B 49 78) // should be unique
alloc(newmem,$1000)

label(code)
label(return)
label(enimy)
label(hero)

// enemy path: run the two replaced instructions unchanged
enimy:
mov eax,[ebp+08]
mov ecx,[ecx+78]
jmp return

// hero path: overwrite the incoming value, then load it into eax exactly as
// the replaced mov eax,[ebp+08] did, so the later xor eax,edx sees the new
// value instead of whatever eax held before (the original script left eax
// unloaded on this path)
hero:
mov [ebp+08],(float)9999
mov eax,[ebp+08]
mov ecx,[ecx+78]
jmp return

// dispatch on the value chosen as the discriminator; note that ebp is the
// frame pointer at this site (the original code reads the argument [ebp+08]),
// so [ebp+AD0] reads from the stack, not from an estate object
newmem:
cmp [ebp+AD0],0
je enimy
jmp hero

// kept for reference; nothing jumps here
code:
  mov eax,[ebp+08]
  mov ecx,[ecx+78]
  jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 8B 45 08 8B 49 78

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "StrongholdBase.dll"+2CE041

"StrongholdBase.dll"+2CE021: 8B 52 78           -  mov edx,[edx+78]
"StrongholdBase.dll"+2CE024: 8B 14 91           -  mov edx,[ecx+edx*4]
"StrongholdBase.dll"+2CE027: 8B 08              -  mov ecx,[eax]
"StrongholdBase.dll"+2CE029: 8B 40 04           -  mov eax,[eax+04]
"StrongholdBase.dll"+2CE02C: 2B C1              -  sub eax,ecx
"StrongholdBase.dll"+2CE02E: C1 F8 02           -  sar eax,02
"StrongholdBase.dll"+2CE031: 83 F8 1E           -  cmp eax,1E
"StrongholdBase.dll"+2CE034: 77 0B              -  ja StrongholdBase.dll+2CE041
"StrongholdBase.dll"+2CE036: 68 38 B9 F9 71     -  push StrongholdBase.dll+34B938
"StrongholdBase.dll"+2CE03B: FF 15 34 11 F8 71  -  call dword ptr [StrongholdBase.dll+331134]
// ---------- INJECTING HERE ----------
"StrongholdBase.dll"+2CE041: 8B 45 08           -  mov eax,[ebp+08]
"StrongholdBase.dll"+2CE044: 8B 49 78           -  mov ecx,[ecx+78]
// ---------- DONE INJECTING  ----------
"StrongholdBase.dll"+2CE047: 33 C2              -  xor eax,edx
"StrongholdBase.dll"+2CE049: 8B 97 2C 01 00 00  -  mov edx,[edi+0000012C]
"StrongholdBase.dll"+2CE04F: 5F                 -  pop edi
"StrongholdBase.dll"+2CE050: 84 DB              -  test bl,bl
"StrongholdBase.dll"+2CE052: 89 04 8A           -  mov [edx+ecx*4],eax
"StrongholdBase.dll"+2CE055: 5B                 -  pop ebx
"StrongholdBase.dll"+2CE056: 74 1A              -  je StrongholdBase.dll+2CE072
"StrongholdBase.dll"+2CE058: 80 7D 0C 00        -  cmp byte ptr [ebp+0C],00
"StrongholdBase.dll"+2CE05C: 75 14              -  jne StrongholdBase.dll+2CE072
"StrongholdBase.dll"+2CE05E: A1 90 F2 13 72     -  mov eax,[StrongholdBase.dll+4EF290]
}


Betcha
Table Makers
Table Makers
Posts: 115
Joined: Sun Nov 26, 2017 5:39 pm
Reputation: 115

Re: Help seperating me from enimes

Post by Betcha »

Code: Select all

[ENABLE]

aobscanmodule(INJECT,StrongholdBase.dll,8B 45 08 8B 49 78)
alloc(newmem,$1000)
label(return)
label(enimy)
label(hero)

newmem:
cmp [ebp+AD0],0
je enimy

hero:
mov [ebp+08],(float)9999
mov eax,[ebp+08]
mov ecx,[ecx+78]
jmp return

enimy:
mov eax,[ebp+08]
mov ecx,[ecx+78]
jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 8B 45 08 8B 49 78

unregistersymbol(INJECT)
dealloc(newmem)

TimFun13
Expert Cheater
Expert Cheater
Posts: 1354
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 6

Re: Help seperating me from enimes

Post by TimFun13 »

pharaon wrote:
Fri Sep 14, 2018 11:13 am
I tried, and this script makes the game crash:

Sorry, must have missed your post.
Like Betcha showed, you never set EAX in the "hero" code. That's probably the reason for the crash; make sure to always set all registers that the original code sets.

pharaon
Expert Cheater
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: Help seperating me from enimes

Post by pharaon »

Well, I got a problem: the offsite values keep changing.

TimFun13
Expert Cheater
Expert Cheater
Posts: 1354
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 6

Re: Help seperating me from enimes

Post by TimFun13 »

pharaon wrote:
Mon Sep 24, 2018 9:02 pm
Well, I got a problem: the offsite values keep changing.
If you mean "offset", then you can use readMem or reassemble to deal with stuff like that.

But you might want to find a different instruction that writes, so you can just set the register that's used before it writes to your value.

pharaon
Expert Cheater
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: Help seperating me from enimes

Post by pharaon »

Any tutorial for using those?
Never done it before and not sure what to be looking for.

TimFun13
Expert Cheater
Expert Cheater
Posts: 1354
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 6

Re: Help seperating me from enimes

Post by TimFun13 »

pharaon wrote:
Sun Sep 30, 2018 2:10 pm
Any tutorial for using those?
Never done it before and not sure what to be looking for.
No, they're a bit too basic to make a tutorial just for them. The reassemble shouldn't be too hard to figure out.
Did you look at the wiki pages? What do you not understand, that you need a tutorial?
You should really take the time to learn some basics of programming, like reading documentation for one. And reversing requires you to figure stuff like this out, without documentation.
And readMem just reads bytes, tell it where and how many.

But again, you can just find an instruction that writes to the address and inject before it (so you don't need to have the offset in the script) and set the register that's used to write to the value.

pharaon
Expert Cheater
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: Help seperating me from enimes

Post by pharaon »

I did this, which crashes the game:

Code: Select all

[ENABLE]

aobscanmodule(INJECT,StrongholdBase.dll,8B 45 08 8B 49 78) // should be unique
alloc(newmem,$1000)
alloc(memTestMemory, 0x400)
registerSymbol(memTestMemory)

label(code)
label(return)

newmem:
memTestMemory:
  reassemble("StrongholdBase.dll"+2CE041)
  reassemble("StrongholdBase.dll"+2CE044)

code:
  mov eax,[ebp+08]
  mov ecx,[ecx+78]
  jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 8B 45 08 8B 49 78

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "StrongholdBase.dll"+2CE041

"StrongholdBase.dll"+2CE021: 8B 52 78           -  mov edx,[edx+78]
"StrongholdBase.dll"+2CE024: 8B 14 91           -  mov edx,[ecx+edx*4]
"StrongholdBase.dll"+2CE027: 8B 08              -  mov ecx,[eax]
"StrongholdBase.dll"+2CE029: 8B 40 04           -  mov eax,[eax+04]
"StrongholdBase.dll"+2CE02C: 2B C1              -  sub eax,ecx
"StrongholdBase.dll"+2CE02E: C1 F8 02           -  sar eax,02
"StrongholdBase.dll"+2CE031: 83 F8 1E           -  cmp eax,1E
"StrongholdBase.dll"+2CE034: 77 0B              -  ja StrongholdBase.dll+2CE041
"StrongholdBase.dll"+2CE036: 68 38 B9 44 72     -  push StrongholdBase.dll+34B938
"StrongholdBase.dll"+2CE03B: FF 15 34 11 43 72  -  call dword ptr [StrongholdBase.dll+331134]
// ---------- INJECTING HERE ----------
"StrongholdBase.dll"+2CE041: 8B 45 08           -  mov eax,[ebp+08]
"StrongholdBase.dll"+2CE044: 8B 49 78           -  mov ecx,[ecx+78]
// ---------- DONE INJECTING  ----------
"StrongholdBase.dll"+2CE047: 33 C2              -  xor eax,edx
"StrongholdBase.dll"+2CE049: 8B 97 2C 01 00 00  -  mov edx,[edi+0000012C]
"StrongholdBase.dll"+2CE04F: 5F                 -  pop edi
"StrongholdBase.dll"+2CE050: 84 DB              -  test bl,bl
"StrongholdBase.dll"+2CE052: 89 04 8A           -  mov [edx+ecx*4],eax
"StrongholdBase.dll"+2CE055: 5B                 -  pop ebx
"StrongholdBase.dll"+2CE056: 74 1A              -  je StrongholdBase.dll+2CE072
"StrongholdBase.dll"+2CE058: 80 7D 0C 00        -  cmp byte ptr [ebp+0C],00
"StrongholdBase.dll"+2CE05C: 75 14              -  jne StrongholdBase.dll+2CE072
"StrongholdBase.dll"+2CE05E: A1 90 F2 5E 72     -  mov eax,[StrongholdBase.dll+4EF290]
}

How do I take advantage of memTestMemory?

TimFun13
Expert Cheater
Expert Cheater
Posts: 1354
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 6

Re: Help seperating me from enimes

Post by TimFun13 »

Here try this:

Code: Select all

[ENABLE]

aobscanmodule(injCheat1,StrongholdBase.dll,8B 45 08 8B 49 78) // should be unique
registersymbol(injCheat1)

alloc(memCheat1, 0x400)
registerSymbol(memCheat1)

label(code)
label(return)

memCheat1:
  readMem(injCheat1, 3)
  readMem(injCheat1+3, 3)
  code:
    // mov eax,[ebp+08]
    // mov ecx,[ecx+78]
  jmp return

injCheat1:
  jmp memCheat1
  nop
  return:

[DISABLE]

injCheat1:
  readMem(memCheat1, 3)
  readMem(memCheat1+3, 3)

unregistersymbol(injCheat1)
unregistersymbol(memCheat1)
dealloc(memCheat1)

{
// ORIGINAL CODE - INJECTION POINT: "StrongholdBase.dll"+2CE041

"StrongholdBase.dll"+2CE021: 8B 52 78           -  mov edx,[edx+78]
"StrongholdBase.dll"+2CE024: 8B 14 91           -  mov edx,[ecx+edx*4]
"StrongholdBase.dll"+2CE027: 8B 08              -  mov ecx,[eax]
"StrongholdBase.dll"+2CE029: 8B 40 04           -  mov eax,[eax+04]
"StrongholdBase.dll"+2CE02C: 2B C1              -  sub eax,ecx
"StrongholdBase.dll"+2CE02E: C1 F8 02           -  sar eax,02
"StrongholdBase.dll"+2CE031: 83 F8 1E           -  cmp eax,1E
"StrongholdBase.dll"+2CE034: 77 0B              -  ja StrongholdBase.dll+2CE041
"StrongholdBase.dll"+2CE036: 68 38 B9 44 72     -  push StrongholdBase.dll+34B938
"StrongholdBase.dll"+2CE03B: FF 15 34 11 43 72  -  call dword ptr [StrongholdBase.dll+331134]
// ---------- INJECTING HERE ----------
"StrongholdBase.dll"+2CE041: 8B 45 08           -  mov eax,[ebp+08]
"StrongholdBase.dll"+2CE044: 8B 49 78           -  mov ecx,[ecx+78]
// ---------- DONE INJECTING  ----------
"StrongholdBase.dll"+2CE047: 33 C2              -  xor eax,edx
"StrongholdBase.dll"+2CE049: 8B 97 2C 01 00 00  -  mov edx,[edi+0000012C]
"StrongholdBase.dll"+2CE04F: 5F                 -  pop edi
"StrongholdBase.dll"+2CE050: 84 DB              -  test bl,bl
"StrongholdBase.dll"+2CE052: 89 04 8A           -  mov [edx+ecx*4],eax
"StrongholdBase.dll"+2CE055: 5B                 -  pop ebx
"StrongholdBase.dll"+2CE056: 74 1A              -  je StrongholdBase.dll+2CE072
"StrongholdBase.dll"+2CE058: 80 7D 0C 00        -  cmp byte ptr [ebp+0C],00
"StrongholdBase.dll"+2CE05C: 75 14              -  jne StrongholdBase.dll+2CE072
"StrongholdBase.dll"+2CE05E: A1 90 F2 5E 72     -  mov eax,[StrongholdBase.dll+4EF290]
}

But you had 2 different calls to alloc for some reason, and you used reassemble but you also hard-coded the original code; thus you set ECX from ECX+?? then tried to set ECX from ECX+78 again, and that's where it was probably crashing. And you tend to need to read back the original bytes when disabling, if the bytes are changing (like the offsets).

But this is a read instruction, so you're going to have a hard time setting it here if the offsets are changing.
But if the offsets are changing then how on earth is that AOB working?

pharaon
Expert Cheater
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: Help seperating me from enimes

Post by pharaon »

But if the offsets are changing then how on earth is that AOB working?

That's what drives me crazy.

TimFun13
Expert Cheater
Expert Cheater
Posts: 1354
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 6

Re: Help seperating me from enimes

Post by TimFun13 »

You can use wild cards.
8B45xx8B49xx33C28B97xxxxxxxx5F84DB
or
8B 45 xx 8B 49 xx 33 C2 8B 97 xx xx xx xx 5F 84 DB
or
8B 45 ?? 8B 49 ?? 33 C2 8B 97 ?? ?? ?? ?? 5F 84 DB
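
As an added example (Python, written for this page and not code from anyone in the thread), a small scanner that parses all three wildcard notations above and scans a constructed byte buffer, showing why the wildcarded AOB still matches when the displacement bytes change while the script's exact AOB does not. The SHIFTED buffer is a constructed hypothetical, not bytes from the game.

```python
# Added example, not from the thread: a wildcard AOB (array-of-bytes) scanner
# that accepts the three notations listed above and shows why wildcarding the
# displacement bytes keeps a signature stable when those offsets change.
import re

def parse_aob(pattern):
    """'8B45xx8B49xx', '8B 45 xx ...' or '8B 45 ?? ...' -> list of int/None."""
    compact = re.sub(r"\s+", "", pattern)
    if len(compact) % 2:
        raise ValueError("AOB needs an even number of hex digits")
    out = []
    for i in range(0, len(compact), 2):
        tok = compact[i:i + 2].lower()
        if tok in ("xx", "??"):
            out.append(None)                 # wildcard: matches any byte
        elif re.fullmatch(r"[0-9a-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad AOB token {tok!r}")
    return out

def aob_scan(buf, pattern):
    """Return every offset in buf where the wildcard pattern matches."""
    pat = parse_aob(pattern)
    return [off for off in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[off + i] == p for i, p in enumerate(pat))]

# Constructed sample: the bytes around the injection point exactly as the thread
# lists them (mov eax,[ebp+08] / mov ecx,[ecx+78] / xor eax,edx /
# mov edx,[edi+12C] / pop edi / test bl,bl), padded with filler on both sides.
ORIGINAL = bytes.fromhex("9090 8B4508 8B4978 33C2 8B972C010000 5F 84DB C3")
# Hypothetical rebuild of the same code with shifted displacements (08->0C, 78->7C, 12C->130).
SHIFTED = bytes.fromhex("9090 8B450C 8B497C 33C2 8B9730010000 5F 84DB C3")

EXACT = "8B 45 08 8B 49 78"                                      # the script's AOB
WILDCARD = "8B 45 ?? 8B 49 ?? 33 C2 8B 97 ?? ?? ?? ?? 5F 84 DB"  # from the last post

def compare_patterns():
    """Exact AOB only finds the original layout; the wildcard AOB finds both."""
    return {"exact_original": aob_scan(ORIGINAL, EXACT),
            "exact_shifted": aob_scan(SHIFTED, EXACT),
            "wild_original": aob_scan(ORIGINAL, WILDCARD),
            "wild_shifted": aob_scan(SHIFTED, WILDCARD)}

if __name__ == "__main__":
    print(compare_patterns())  # {'exact_original': [2], 'exact_shifted': [], 'wild_original': [2], 'wild_shifted': [2]}
```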
