Absolute beginner: Your first ammo script

TheyCallMeTim13 (Staff member, Administrator; joined Mar 3, 2017; 1,792 messages)
Lord Blade said:
So having it set up as you showed would basically stop the tracking from working then? How do you know how many 90's you need?
I'm still confused with all this stuff. :p
You just want to replace the original instruction. And the original MOV is 6 bytes long, thus 6 NOPs.

Lord Blade (Expert Cheater; joined Mar 9, 2017; 841 messages)
I think I get it.

Lord Blade
So, I tried it and the script seems to work great.

Now my question is how do you know what the change is supposed to be?
Meaning how do you know to change this:
Code:
aobscanmodule(Tracking,COGMIND.exe,FC FF FF 89 82 88 00 00 00 C7) // should be unique
alloc(Tracking,$1000)

label(return)

Tracking:

mov [edx+00000088],eax
jmp return

Tracking+03:
jmp Tracking
nop
return:
registersymbol(Tracking)

[DISABLE]

Tracking+03:
db 89 82 88 00 00 00

unregistersymbol(Tracking)
dealloc(Tracking)
Into this:
Code:
aobscanmodule(Tracking,COGMIND.exe,FC FF FF 89 82 88 00 00 00 C7) // should be unique
Tracking+03:
  db 90 90 90 90 90 90
registersymbol(Tracking)

[DISABLE]
Tracking+03:
  db 89 82 88 00 00 00

unregistersymbol(Tracking)
Because the tutorials I found didn't really explain much.

Lord Blade
So I have a similar thing: the overall alert level in the game (which goes up when stuff happens to draw attention, like you shooting or enemies spotting you).
Code:
{ Game   : COGMIND.exe
  Version: 
  Date   : 2020-02-18
  Author : Adam Taylor

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(Alert,COGMIND.exe,89 10 83 3D BC 27 AF 00 00) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  mov [eax],edx
  cmp dword ptr [COGMIND.exe+6F27BC],00
  jmp return

Alert:
  jmp newmem
  nop 4
return:
registersymbol(Alert)

[DISABLE]

Alert:
  db 89 10 83 3D BC 27 AF 00 00

unregistersymbol(Alert)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "COGMIND.exe"+1A5F1E

"COGMIND.exe"+1A5EF9: C7 45 FC FF FF FF FF  -  mov [ebp-04],FFFFFFFF
"COGMIND.exe"+1A5F00: 8D 4D D4              -  lea ecx,[ebp-2C]
"COGMIND.exe"+1A5F03: E8 98 AB 27 00        -  call COGMIND.exe+420AA0
"COGMIND.exe"+1A5F08: 83 7D D0 00           -  cmp dword ptr [ebp-30],00
"COGMIND.exe"+1A5F0C: 74 05                 -  je COGMIND.exe+1A5F13
"COGMIND.exe"+1A5F0E: E9 86 00 00 00        -  jmp COGMIND.exe+1A5F99
"COGMIND.exe"+1A5F13: 8B 4D CC              -  mov ecx,[ebp-34]
"COGMIND.exe"+1A5F16: 8B 11                 -  mov edx,[ecx]
"COGMIND.exe"+1A5F18: 03 55 08              -  add edx,[ebp+08]
"COGMIND.exe"+1A5F1B: 8B 45 CC              -  mov eax,[ebp-34]
// ---------- INJECTING HERE ----------
"COGMIND.exe"+1A5F1E: 89 10                 -  mov [eax],edx
"COGMIND.exe"+1A5F20: 83 3D BC 27 AF 00 00  -  cmp dword ptr [COGMIND.exe+6F27BC],00
// ---------- DONE INJECTING  ----------
"COGMIND.exe"+1A5F27: 74 62                 -  je COGMIND.exe+1A5F8B
"COGMIND.exe"+1A5F29: 8B 0D BC 27 AF 00     -  mov ecx,[COGMIND.exe+6F27BC]
"COGMIND.exe"+1A5F2F: 89 4D C8              -  mov [ebp-38],ecx
"COGMIND.exe"+1A5F32: 83 7D C8 02           -  cmp dword ptr [ebp-38],02
"COGMIND.exe"+1A5F36: 74 08                 -  je COGMIND.exe+1A5F40
"COGMIND.exe"+1A5F38: 83 7D C8 05           -  cmp dword ptr [ebp-38],05
"COGMIND.exe"+1A5F3C: 74 28                 -  je COGMIND.exe+1A5F66
"COGMIND.exe"+1A5F3E: EB 4B                 -  jmp COGMIND.exe+1A5F8B
"COGMIND.exe"+1A5F40: 83 7D 08 05           -  cmp dword ptr [ebp+08],05
"COGMIND.exe"+1A5F44: 7E 1E                 -  jle COGMIND.exe+1A5F64
}
So I get this far, but the code at the start looks different. The other code for the tracking stuff showed up as Tracking+03, but this isn't showing the same.

TheyCallMeTim13
Lord Blade said:

Basically it sounds like you just need to zero the value, you could just use a MOV (i.e.: mov edx,0). But I tend to use XOR (i.e.: xor edx,edx), it's just fewer bytes. And basically if you xor any number by itself it will always be zero (i.e.: 100 xor 100 = 0).
Code:
{ Game   : COGMIND.exe
  Version: 
  Date   : 2020-02-18
  Author : Adam Taylor

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(Alert,COGMIND.exe,89 10 83 3D BC 27 AF 00 00) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  xor edx,edx // xor any number by itself and it will always be zero. So this just zeros the value.
  // mov edx,(int)100 // use this if the value decreases as alert level increases and set it to what the game's value is.
  mov [eax],edx
  cmp dword ptr [COGMIND.exe+6F27BC],00
  jmp return

Alert:
  jmp newmem
  nop 4
return:
registersymbol(Alert)

[DISABLE]

Alert:
  db 89 10 83 3D BC 27 AF 00 00

unregistersymbol(Alert)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "COGMIND.exe"+1A5F1E

"COGMIND.exe"+1A5EF9: C7 45 FC FF FF FF FF  -  mov [ebp-04],FFFFFFFF
"COGMIND.exe"+1A5F00: 8D 4D D4              -  lea ecx,[ebp-2C]
"COGMIND.exe"+1A5F03: E8 98 AB 27 00        -  call COGMIND.exe+420AA0
"COGMIND.exe"+1A5F08: 83 7D D0 00           -  cmp dword ptr [ebp-30],00
"COGMIND.exe"+1A5F0C: 74 05                 -  je COGMIND.exe+1A5F13
"COGMIND.exe"+1A5F0E: E9 86 00 00 00        -  jmp COGMIND.exe+1A5F99
"COGMIND.exe"+1A5F13: 8B 4D CC              -  mov ecx,[ebp-34]
"COGMIND.exe"+1A5F16: 8B 11                 -  mov edx,[ecx]
"COGMIND.exe"+1A5F18: 03 55 08              -  add edx,[ebp+08]
"COGMIND.exe"+1A5F1B: 8B 45 CC              -  mov eax,[ebp-34]
// ---------- INJECTING HERE ----------
"COGMIND.exe"+1A5F1E: 89 10                 -  mov [eax],edx
"COGMIND.exe"+1A5F20: 83 3D BC 27 AF 00 00  -  cmp dword ptr [COGMIND.exe+6F27BC],00
// ---------- DONE INJECTING  ----------
"COGMIND.exe"+1A5F27: 74 62                 -  je COGMIND.exe+1A5F8B
"COGMIND.exe"+1A5F29: 8B 0D BC 27 AF 00     -  mov ecx,[COGMIND.exe+6F27BC]
"COGMIND.exe"+1A5F2F: 89 4D C8              -  mov [ebp-38],ecx
"COGMIND.exe"+1A5F32: 83 7D C8 02           -  cmp dword ptr [ebp-38],02
"COGMIND.exe"+1A5F36: 74 08                 -  je COGMIND.exe+1A5F40
"COGMIND.exe"+1A5F38: 83 7D C8 05           -  cmp dword ptr [ebp-38],05
"COGMIND.exe"+1A5F3C: 74 28                 -  je COGMIND.exe+1A5F66
"COGMIND.exe"+1A5F3E: EB 4B                 -  jmp COGMIND.exe+1A5F8B
"COGMIND.exe"+1A5F40: 83 7D 08 05           -  cmp dword ptr [ebp+08],05
"COGMIND.exe"+1A5F44: 7E 1E                 -  jle COGMIND.exe+1A5F64
}
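An added Python example, not code from the thread or from Cheat Engine, that checks the two points made in this reply and in the earlier "6 NOPs" answer on a constructed byte buffer: the AOB scan must give exactly one hit (zero hits is the "not all found" error a stale pattern produces), the patch must be exactly as long as the instructions it overwrites (6 NOPs for the 6-byte MOV; a 5-byte jmp plus nop 4 for the 2+7-byte Alert pair), and xor edx,edx really is shorter than mov edx,0. The buffer, function names and the 0x1000 "newmem" address are my own assumptions.

```python
import struct

# Constructed stand-in for a slice of the target module (not a real dump):
# the thread's Tracking pattern sits at offset 2 and its Alert pattern at 16.
MODULE = bytes.fromhex(
    "9090" "FCFFFF898288000000C7" "45D00090" "8910833DBC27AF0000" "7462")
TRACK_AOB = "FC FF FF 89 82 88 00 00 00 C7"
ALERT_AOB = "89 10 83 3D BC 27 AF 00 00"

def aob_scan(buf, pattern):
    """All offsets where the space-separated hex pattern matches; '??' is a
    wildcard byte. aobscanmodule needs exactly one hit: zero hits is the
    'not all found' error, more than one means the pattern is not unique."""
    toks = pattern.split()
    return [i for i in range(len(buf) - len(toks) + 1)
            if all(t == "??" or buf[i + j] == int(t, 16)
                   for j, t in enumerate(toks))]

def jmp_rel32(from_addr, to_addr):
    """Five-byte near jmp (E9 + signed rel32) from from_addr to to_addr;
    the displacement is measured from the end of the jmp itself."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))

def build_patch(buf, addr, orig_lens, new_code):
    """[ENABLE]/[DISABLE] bytes for overwriting the instruction(s) at addr.
    orig_lens are the lengths of the original instructions being replaced
    (one 6-byte mov in the Tracking script; a 2-byte mov plus a 7-byte cmp
    in the Alert script). new_code is padded with NOP (0x90) to exactly
    that length so the instruction after the patch stays aligned; this is
    where the '6 NOPs' and 'nop 4' counts come from."""
    total = sum(orig_lens)
    if len(new_code) > total:
        raise ValueError("new code is longer than the instructions it replaces")
    enable = new_code + b"\x90" * (total - len(new_code))
    disable = bytes(buf[addr:addr + total])   # what [DISABLE] writes back
    return enable, disable

def zero_edx_encodings():
    """One valid x86 encoding of each way to zero EDX from the reply."""
    return {"xor edx,edx": bytes.fromhex("31D2"),      # 2 bytes
            "mov edx,0": bytes.fromhex("BA00000000")}  # 5 bytes

if __name__ == "__main__":
    track = aob_scan(MODULE, TRACK_AOB)[0]
    print(build_patch(MODULE, track + 3, [6], b""))   # six NOPs, 89 82 88 00 00 00
    alert = aob_scan(MODULE, ALERT_AOB)[0]
    print(build_patch(MODULE, alert, [2, 7], jmp_rel32(alert, 0x1000)))
```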

Lord Blade
So, I'm trying that code you listed, but I keep getting errors. Like while scanning AOB Alert, not all found and such.

TheyCallMeTim13
Lord Blade said:
So, I'm trying that code you listed, but I keep getting errors. Like while scanning AOB Alert, not all found and such.
That's the AOB you posted, so it sounds like the game got an update since then. You'll just have to find the injection point again, and then try to zero the registry.