Hello, a newbie here approaching making tables!

Apr 19, 2017
39
4
8
#1
Hi to all, I have some points to discuss with everyone here and hope someone can help.
I'm trying to hack a game, followed some tutorial and now I'm here.
I'm trying to find mana.
1) Find the address.
2) See what accesses this value and move around a bit, use mana.
3) There are multiple fld instructions on esi+30 and one fstp instruction on esi+30.
4) Check the value of the register esi.
5) Open the memory viewer (ctrl+d) and dissect the structure with the register address.
6) The dissect is successful, I see my offset (30) and others that point to max etc.

Now this is the problem... what do I have to do from here?
I know I'm a noob but... I don't really understand what to do now.
 

Squall8

RCE Fanatics
Talents
Mar 3, 2017
343
54
28
#2
That depends. If you want to simply stop the value from decreasing, debug with 'what writes' and nop the instruction that pops up when you use some mana.

If you want to make a pointer, you're better off finding an instruction that constantly updates. That way as soon as you activate your script your pointers will populate.

Also make sure your instruction is exclusive to the player, meaning no other addresses access the instruction. You can right-click in the debugger window and select 'check if found opcodes also access other addresses'. It's pretty self-explanatory from there.

Once you've found a good instruction let me know.
 
#3
Hi. I will detail it a bit better.
The game in question is MidBoss, and I'm hacking mana, which is a float.
The fld instruction is called frequently and is unique; the fstp only when it decreases or increases.
Now the question is: how do I compile a script... or a pointer for this value?
I don't understand how to finalize my findings.
Thanks for all the help.
 

Squall8
#4
Paste an unmodified aob injection template of the instruction you found.
 
#5
Here it is:
Code:
{ Game   : MidBoss.exe
  Version: 1.1.6
  Date   : 2017-07-17
  Author : LegendZero

  This script does blah blah blah
}

[ENABLE]

aobscan(mana,D9 5E 30 D9 46 30 8B CE D9 5D F8) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  fstp dword ptr [esi+30]
  fld dword ptr [esi+30]
  jmp return

mana:
  jmp newmem
  nop
return:
registersymbol(mana)

[DISABLE]

mana:
  db D9 5E 30 D9 46 30

unregistersymbol(mana)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 0E1A7D02

""+E1A7CED: 00 00                 -  add [eax],al
""+E1A7CEF: 00 78 DF              -  add [eax-21],bh
""+E1A7CF2: EF                    -  out dx,eax
""+E1A7CF3: 0D 60 63 63 0D        -  or eax,D636360
""+E1A7CF8: 55                    -  push ebp
""+E1A7CF9: 8B EC                 -  mov ebp,esp
""+E1A7CFB: 56                    -  push esi
""+E1A7CFC: 50                    -  push eax
""+E1A7CFD: 8B F1                 -  mov esi,ecx
""+E1A7CFF: D9 45 08              -  fld dword ptr [ebp+08]
// ---------- INJECTING HERE ----------
""+E1A7D02: D9 5E 30              -  fstp dword ptr [esi+30]
""+E1A7D05: D9 46 30              -  fld dword ptr [esi+30]
// ---------- DONE INJECTING  ----------
""+E1A7D08: 8B CE                 -  mov ecx,esi
""+E1A7D0A: D9 5D F8              -  fstp dword ptr [ebp-08]
""+E1A7D0D: 8B 01                 -  mov eax,[ecx]
""+E1A7D0F: 8B 40 28              -  mov eax,[eax+28]
""+E1A7D12: FF 50 10              -  call dword ptr [eax+10]
""+E1A7D15: D9 45 F8              -  fld dword ptr [ebp-08]
""+E1A7D18: DB 46 28              -  fild dword ptr [esi+28]
""+E1A7D1B: D9 5D F8              -  fstp dword ptr [ebp-08]
""+E1A7D1E: D9 45 F8              -  fld dword ptr [ebp-08]
""+E1A7D21: DF F1                 -  fcomip st(0),st(1)
}
 

Squall8
#6
Pointer:
Code:
[ENABLE]

aobscan(mana,D9 5E 30 D9 46 30 8B CE D9 5D F8)
alloc(newmem,$1000)

label(code)
label(return)
label(manapointer)  //Add this.

registersymbol(mana)
registersymbol(manapointer) //And this.

newmem:
  mov [manapointer],esi //And this. Your symbol that you can use outside of the script. Pretty self explanatory.

code:
  fstp dword ptr [esi+30]
  fld dword ptr [esi+30]
  jmp return
  
manapointer: //Your label
  dd 0  // dd for 32-bit, dq for 64-bit.

mana:
  jmp newmem
  nop
return:

[DISABLE]

mana:
  db D9 5E 30 D9 46 30

unregistersymbol(mana)
unregistersymbol(manapointer)
dealloc(newmem)
Let's just say you used 'what writes' to find this instruction. To nop it:
Code:
[ENABLE]

aobscan(mana,D9 5E 30 D9 46 30 8B CE D9 5D F8)
registersymbol(mana)

mana:
  db 90 90 90 // Length in bytes of original instruction.

[DISABLE]

mana:
  db D9 5E 30 //Notice I got rid of the last 3 bytes. 

unregistersymbol(mana)
 
#7
Both scripts didn't work... probably I missed something or did things wrong... uhm...
Thanks anyway :D
 
#8
I understood the problem. I have done other scripts but I can't do health, mana or stamina because the instruction and bytes are the same for all three... how can I resolve this?
 

Squall8
#9
If you're talking about 3 different instructions that have a similar byte pattern in assembly, then you need to find a difference somewhere and include that in your array.

If you're talking about one instruction sharing these 3 addresses, you will be better off using 'what accesses' to find an instruction accessing only health, mana or stamina. From there you can push the max value into the current or something, get creative.
Or if you're feeling lazy, just nop the instruction and call the cheat Max Stats :lol:!
 
#10
I have been able to create a pointer with AOB injection for mana.
But when I try to create it for health and stamina, it gets back the mana value for all of them, because the fld and fstp instructions are always on the same bytes...
Why does it always give me back mana...?


PS: I tried what you said... I even tried backtracking... but I'm no good with it.
For 'what accesses this address' it's the same two instructions for every one of them, on the same bytes.
 

Squall8
#11
Still not sure what you mean. Take a screenshot of the debugger windows for health, mana and stamina. Use 'what accesses', and in the debugger window right-click and choose 'check if found opcodes access other addresses'. Just upload one screenshot with all 3 side by side. Snippets of the assembly region wouldn't hurt either.

Also have you tried adding pointers with different offsets that point to health or stamina? As long as they are in the same data structure and the instruction you used for mana isn't shared you will be able to.
 

Squall8
#12
I took a look into the game myself. It's a bit more complicated than I was anticipating. Anyway, here is what I came up with:
Code:
{ Game   : MidBoss.exe
  Version: 
  Date   : 2017-07-21
  Author : Squall8
}

[ENABLE]

aobscan(infhealth,D9 46 30 DF F1 DD D8 7A 06 0F 84 7D)
alloc(newmem,$1000,MidBoss.exe)

label(code)
label(return)

newmem:
  push eax               //Basically what it says. 
  mov eax,[esi+14]       //Moves 4 Byte Max Health value into eax.
  cvtsi2ss xmm0,eax      //Converts value in eax to a float value in xmm0.
  movss [esi+30],xmm0    //Moves "Max Health into Current Health".
  pop eax

code:
  fld dword ptr [esi+30]
  fcomip st(0),st(1)
  jmp return

infhealth:
  jmp newmem
return:
registersymbol(infhealth)

[DISABLE]

infhealth:
  db D9 46 30 DF F1

unregistersymbol(infhealth)
dealloc(newmem)
https://ibb.co/mQ1b25

You should be able to figure out what I did here. You will basically have to do the same thing for mana and stamina. Let me know if you need any more help.
 
#13
I think I understood what you did there.
Simply put, you dissected the structure for health, moved it into eax, converted it and then replaced current health.
So I think I will have to do the same thing for mana and stamina... I will try to do it as soon as possible...

PS: and of course you have taken the address with only one access.

Thanks, I think I will do it in the afternoon and post my result here, hoping I succeed with it.
 
#14
Okay, I did almost all of the scripts but I have two problems:
1) If I activate inf health first, inf mana doesn't work; if I activate inf mana first, inf health works.
2) For infinite stamina... there isn't an instruction that accesses only stamina, so I can't do the script... :(

Then a little question:
If in form points for example we have 0/30, and I put the script to mov the max, then it will not add the ability.
So... how can I put the max -1 (in this case 29) in the script? I will post all scripts below.
inf mana
Code:
{ Game   : MidBoss.exe
  Version: 1.1.6
  Date   : 2017-07-22
  Author : LegendZero88

  This script lets you have infinite mana (activate first).
  Many thanks to Squall8, without him i would not post this.
}

[ENABLE]

aobscan(infmana,D9 46 30 DF F1) // should be unique
alloc(mana,$1000)

label(code)
label(return)

mana:
  push eax
  mov eax, [esi+14]
  cvtsi2ss xmm1,eax
  movss [esi+30],xmm1
  pop eax


code:
  fld dword ptr [esi+30]
  fcomip st(0),st(1)
  jmp return

infmana:
  jmp mana
return:
registersymbol(infmana)

[DISABLE]

infmana:
  db D9 46 30 DF F1

unregistersymbol(infmana)
dealloc(mana)

{
// ORIGINAL CODE - INJECTION POINT: 0EEF7E5D

""+EEF7E3B: E8 F0 69 FE 4E        -  call clr.dll+E830
""+EEF7E40: 8B C8                 -  mov ecx,eax
""+EEF7E42: FF 15 44 11 67 01     -  call dword ptr [01671144]
""+EEF7E48: 3B C6                 -  cmp eax,esi
""+EEF7E4A: 0F 85 A9 00 00 00     -  jne 0EEF7EF9
""+EEF7E50: 8B CE                 -  mov ecx,esi
""+EEF7E52: 8B 01                 -  mov eax,[ecx]
""+EEF7E54: 8B 40 28              -  mov eax,[eax+28]
""+EEF7E57: FF 50 10              -  call dword ptr [eax+10]
""+EEF7E5A: D9 45 F8              -  fld dword ptr [ebp-08]
// ---------- INJECTING HERE ----------
""+EEF7E5D: D9 46 30              -  fld dword ptr [esi+30]
""+EEF7E60: DF F1                 -  fcomip st(0),st(1)
// ---------- DONE INJECTING  ----------
""+EEF7E62: DD D8                 -  fstp st(0)
""+EEF7E64: 7A 06                 -  jp 0EEF7E6C
""+EEF7E66: 0F 84 8D 00 00 00     -  je 0EEF7EF9
""+EEF7E6C: 8B CE                 -  mov ecx,esi
""+EEF7E6E: 8B 01                 -  mov eax,[ecx]
""+EEF7E70: 8B 40 28              -  mov eax,[eax+28]
""+EEF7E73: FF 50 10              -  call dword ptr [eax+10]
""+EEF7E76: D9 46 30              -  fld dword ptr [esi+30]
""+EEF7E79: D9 5D F4              -  fstp dword ptr [ebp-0C]
""+EEF7E7C: 8B CE                 -  mov ecx,esi
}
inf health
Code:
{ Game   : MidBoss.exe
  Version: 1.1.6
  Date   : 2017-07-22
  Author : LegendZero88

  This script lets you have infinite health.
  Many thanks to Squall8, without him i would not post this.
}

[ENABLE]

aobscan(infinitehealth,D9 46 30 DF F1 DD D8 7A 06 0F 84 7D) // should be unique
alloc(inhealth,$1000)

label(code)
label(return)

inhealth:
  push eax
  mov eax,[esi+14]
  cvtsi2ss xmm0,eax
  movss [esi+30],xmm0
  pop eax


code:
  fld dword ptr [esi+30]
  fcomip st(0),st(1)
  jmp return

infinitehealth:
  jmp inhealth
return:
registersymbol(infinitehealth)

[DISABLE]

infinitehealth:
  db D9 46 30 DF F1

unregistersymbol(infinitehealth)
dealloc(inhealth)

{
// ORIGINAL CODE - INJECTION POINT: 0F771DFD

""+F771DDB: E8 50 CA 76 4E        -  call clr.dll+E830
""+F771DE0: 8B C8                 -  mov ecx,eax
""+F771DE2: FF 15 3C 05 48 10     -  call dword ptr [1048053C]
""+F771DE8: 3B C6                 -  cmp eax,esi
""+F771DEA: 0F 85 99 00 00 00     -  jne 0F771E89
""+F771DF0: 8B CE                 -  mov ecx,esi
""+F771DF2: 8B 01                 -  mov eax,[ecx]
""+F771DF4: 8B 40 28              -  mov eax,[eax+28]
""+F771DF7: FF 50 10              -  call dword ptr [eax+10]
""+F771DFA: D9 45 F8              -  fld dword ptr [ebp-08]
// ---------- INJECTING HERE ----------
""+F771DFD: D9 46 30              -  fld dword ptr [esi+30]
""+F771E00: DF F1                 -  fcomip st(0),st(1)
// ---------- DONE INJECTING  ----------
""+F771E02: DD D8                 -  fstp st(0)
""+F771E04: 7A 06                 -  jp 0F771E0C
""+F771E06: 0F 84 7D 00 00 00     -  je 0F771E89
""+F771E0C: 8B CE                 -  mov ecx,esi
""+F771E0E: 8B 01                 -  mov eax,[ecx]
""+F771E10: 8B 40 28              -  mov eax,[eax+28]
""+F771E13: FF 50 10              -  call dword ptr [eax+10]
""+F771E16: D9 46 30              -  fld dword ptr [esi+30]
""+F771E19: 8B CE                 -  mov ecx,esi
""+F771E1B: D9 5D F4              -  fstp dword ptr [ebp-0C]
}
increase stat points
Code:
{ Game   : MidBoss.exe
  Version: 1.1.6
  Date   : 2017-07-22
  Author : LegendZero88

  This script will increase your stat points instead of decreasing them.
  Many thanks to Squall8, without him i would not post this.
}

[ENABLE]

aobscan(statpoints,8B 46 48 48 89 46 48) // should be unique
alloc(spoints,$1000)

label(code)
label(return)

spoints:

code:
  mov eax,[esi+48]
  inc eax
  mov [esi+48],eax
  jmp return

statpoints:
  jmp spoints
  nop
  nop
return:
registersymbol(statpoints)

[DISABLE]

statpoints:
  db 8B 46 48 48 89 46 48

unregistersymbol(statpoints)
dealloc(spoints)

{
// ORIGINAL CODE - INJECTION POINT: 056DC1E5

""+56DC1BE: 8B F9              -  mov edi,ecx
""+56DC1C0: 8B DA              -  mov ebx,edx
""+56DC1C2: B9 24 47 35 05     -  mov ecx,05354724
""+56DC1C7: E8 BC B1 F0 08     -  call 0E5E7388
""+56DC1CC: 8B C8              -  mov ecx,eax
""+56DC1CE: 33 D2              -  xor edx,edx
""+56DC1D0: E8 9B B2 F0 08     -  call 0E5E7470
""+56DC1D5: 8B B7 A8 01 00 00  -  mov esi,[edi+000001A8]
""+56DC1DB: 83 7E 48 00        -  cmp dword ptr [esi+48],00
""+56DC1DF: 0F 8E 50 01 00 00  -  jng 056DC335
// ---------- INJECTING HERE ----------
""+56DC1E5: 8B 46 48           -  mov eax,[esi+48]
""+56DC1E8: 48                 -  dec eax
""+56DC1E9: 89 46 48           -  mov [esi+48],eax
// ---------- DONE INJECTING  ----------
""+56DC1EC: 85 DB              -  test ebx,ebx
""+56DC1EE: 74 1C              -  je 056DC20C
""+56DC1F0: 81 3B 34 07 A5 0D  -  cmp [ebx],0DA50734
""+56DC1F6: 75 04              -  jne 056DC1FC
""+56DC1F8: 8B CB              -  mov ecx,ebx
""+56DC1FA: EB 0E              -  jmp 056DC20A
""+56DC1FC: 8B D3              -  mov edx,ebx
""+56DC1FE: B9 34 07 A5 0D     -  mov ecx,0DA50734
""+56DC203: E8 48 CE 80 58     -  call clr.dll+19050
""+56DC208: 8B C8              -  mov ecx,eax
}
form points to max (this doesn't work too well because it doesn't give the ability)
Code:
{ Game   : MidBoss.exe
  Version: 1.1.6
  Date   : 2017-07-22
  Author : LegendZero88

  This script lets you have max form points when killing a monster, but does not give you abilities.
  Many thanks to Squall8, without him i would not post this.
}

[ENABLE]

aobscan(formpoints,8B 46 2C 03 C7) // should be unique
alloc(fpoints,$1000)

label(code)
label(return)

fpoints:

code:
  mov eax,[esi+2C]
  mov eax,[esi+30]
  jmp return

formpoints:
  jmp fpoints
return:
registersymbol(formpoints)

[DISABLE]

formpoints:
  db 8B 46 2C 03 C7

unregistersymbol(formpoints)
dealloc(fpoints)

{
// ORIGINAL CODE - INJECTION POINT: 0F77D8FB

""+F77D8E6: E8 E5 53 48 4C     -  call mscorlib.ni.dll+452CD0
""+F77D8EB: 8B F0              -  mov esi,eax
""+F77D8ED: 80 7E 34 00        -  cmp byte ptr [esi+34],00
""+F77D8F1: 74 08              -  je 0F77D8FB
""+F77D8F3: 59                 -  pop ecx
""+F77D8F4: 5B                 -  pop ebx
""+F77D8F5: 5E                 -  pop esi
""+F77D8F6: 5F                 -  pop edi
""+F77D8F7: 5D                 -  pop ebp
""+F77D8F8: C2 04 00           -  ret 0004
// ---------- INJECTING HERE ----------
""+F77D8FB: 8B 46 2C           -  mov eax,[esi+2C]
""+F77D8FE: 03 C7              -  add eax,edi
// ---------- DONE INJECTING  ----------
""+F77D900: 89 46 2C           -  mov [esi+2C],eax
""+F77D903: 0F B6 45 08        -  movzx eax,byte ptr [ebp+08]
""+F77D907: 85 C0              -  test eax,eax
""+F77D909: 75 5A              -  jne 0F77D965
""+F77D90B: 8B 45 F0           -  mov eax,[ebp-10]
""+F77D90E: 8B 48 24           -  mov ecx,[eax+24]
""+F77D911: 8B D7              -  mov edx,edi
""+F77D913: 39 09              -  cmp [ecx],ecx
""+F77D915: FF 15 B8 FC 70 01  -  call dword ptr [0170FCB8]
""+F77D91B: EB 48              -  jmp 0F77D965
}
form point pointer
Code:
{ Game   : MidBoss.exe
  Version: 1.1.6
  Date   : 2017-07-22
  Author : LegendZero88

  This script takes the pointer for form points.
  Many thanks to Squall8, without him i would not post this.
}

[ENABLE]

aobscan(formpoints,8B 46 2C 03 C7) // should be unique
alloc(fpoints,$1000)

label(code)
label(return)
label(formpointer)

registersymbol(formpointer)

fpoints:
  mov [formpointer],esi

code:
  mov eax,[esi+2C]
  add eax,edi
  jmp return

formpointer:
  dq 0

formpoints:
  jmp fpoints
return:
registersymbol(formpoints)

[DISABLE]

formpoints:
  db 8B 46 2C 03 C7

unregistersymbol(formpoints)
unregistersymbol(formpointer)
dealloc(fpoints)

{
// ORIGINAL CODE - INJECTION POINT: 0F77D8FB

""+F77D8E6: E8 E5 53 48 4C     -  call mscorlib.ni.dll+452CD0
""+F77D8EB: 8B F0              -  mov esi,eax
""+F77D8ED: 80 7E 34 00        -  cmp byte ptr [esi+34],00
""+F77D8F1: 74 08              -  je 0F77D8FB
""+F77D8F3: 59                 -  pop ecx
""+F77D8F4: 5B                 -  pop ebx
""+F77D8F5: 5E                 -  pop esi
""+F77D8F6: 5F                 -  pop edi
""+F77D8F7: 5D                 -  pop ebp
""+F77D8F8: C2 04 00           -  ret 0004
// ---------- INJECTING HERE ----------
""+F77D8FB: 8B 46 2C           -  mov eax,[esi+2C]
""+F77D8FE: 03 C7              -  add eax,edi
// ---------- DONE INJECTING  ----------
""+F77D900: 89 46 2C           -  mov [esi+2C],eax
""+F77D903: 0F B6 45 08        -  movzx eax,byte ptr [ebp+08]
""+F77D907: 85 C0              -  test eax,eax
""+F77D909: 75 5A              -  jne 0F77D965
""+F77D90B: 8B 45 F0           -  mov eax,[ebp-10]
""+F77D90E: 8B 48 24           -  mov ecx,[eax+24]
""+F77D911: 8B D7              -  mov edx,edi
""+F77D913: 39 09              -  cmp [ecx],ecx
""+F77D915: FF 15 B8 FC 70 01  -  call dword ptr [0170FCB8]
""+F77D91B: EB 48              -  jmp 0F77D965
}
 

Squall8
#15
You'll have to find a more unique array for inf mana so that it differs from inf health. This should do:
Code:
aobscan(infmana,D9 46 30 DF F1 DD D8 7A 06 0F 84 8D) //Notice the last byte in the health array is 7D.
For inf stamina you'll need to filter out all other addresses except stamina. I'll go over that more later if you need help with it.

For max points use 'what writes' so it only executes when you gain a point. Then set it up like this:
Code:
fpoints:
  push [esi+2C]  //This Should Be The Max Value
  pop [esi+30]   //Into Current Value

code:
  // whatever original code was
I'll look into the game again later today for stamina.
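An added illustration, written for this thread and not code from either poster or from Cheat Engine, of the two constraints the thread keeps running into: an injection AOB has to match exactly once (the short mana array above matched the health site as well), and the `[DISABLE]` bytes have to be exactly the instruction bytes that the 5-byte `jmp` plus padding `nop`s overwrote. It is Python rather than CE auto-assembler so it can run offline. The "memory" it scans is a constructed buffer assembled from the health and mana listings in this thread (the `je` rel32 bytes `7D` and `8D` are the only difference between the two sites); the offsets inside that buffer are made up and have nothing to do with real addresses in the game.

```python
"""AOB uniqueness check and jmp/nop/restore layout for a 5-byte code-cave jump.

Added example for the thread above; not part of Cheat Engine or the posters' scripts.
SAMPLE_MEMORY is a constructed buffer built from the disassembly listings in the
thread. Offsets within it are invented.
"""
import re
from typing import List, Optional, Tuple

JMP_REL32_LEN = 5  # 'jmp newmem' assembles to E9 xx xx xx xx

# Constructed sample memory: the health and mana compare sites from the listings
# (identical except for the je displacement byte 7D vs 8D), the unrelated
# fld/fstp pair, and some filler so nothing else matches by accident.
HEALTH_SITE = bytes.fromhex("D9 46 30 DF F1 DD D8 7A 06 0F 84 7D 00 00 00 8B CE")
MANA_SITE = bytes.fromhex("D9 46 30 DF F1 DD D8 7A 06 0F 84 8D 00 00 00 8B CE")
OTHER_SITE = bytes.fromhex("D9 46 30 D9 5D F4 8B CE")  # fld [esi+30] / fstp [ebp-0C]
SAMPLE_MEMORY = (b"\x90" * 16 + HEALTH_SITE + b"\xCC" * 8 + OTHER_SITE
                 + b"\xCC" * 8 + MANA_SITE + b"\x90" * 16)


def parse_aob(pattern: str) -> List[Optional[int]]:
    """'D9 46 30 ?? F1' -> [0xD9, 0x46, 0x30, None, 0xF1]; '??', '?' and '*' are wildcards."""
    out: List[Optional[int]] = []
    for tok in pattern.split():
        if tok in ("??", "?", "*"):
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad AOB token: {tok!r}")
    return out


def aob_scan(memory: bytes, pattern: str) -> List[int]:
    """Every offset at which the pattern matches. An injection AOB must match
    exactly once; with two hits CE's aobscan picks one site and the other
    script silently fails, which is the health/mana symptom in the thread."""
    pat = parse_aob(pattern)
    return [i for i in range(len(memory) - len(pat) + 1)
            if all(p is None or memory[i + k] == p for k, p in enumerate(pat))]


def is_unique(memory: bytes, pattern: str) -> bool:
    return len(aob_scan(memory, pattern)) == 1


def injection_layout(instr_lengths: List[int]) -> Tuple[int, int]:
    """For the instruction byte lengths at the injection point, return
    (bytes_overwritten, nops_needed). Whole instructions must be consumed,
    so the 5-byte jmp is padded with nops up to the next instruction boundary."""
    covered = 0
    for n in instr_lengths:
        covered += n
        if covered >= JMP_REL32_LEN:
            return covered, covered - JMP_REL32_LEN
    raise ValueError("not enough instruction bytes to hold a 5-byte jmp")


def restore_bytes(memory: bytes, pattern: str, instr_lengths: List[int]) -> bytes:
    """The bytes a [DISABLE] section must write back: exactly the original bytes
    the jmp+nops overwrote. Refuses to proceed when the AOB is not unique."""
    (offset,) = aob_scan(memory, pattern)  # ValueError unless exactly one hit
    covered, _ = injection_layout(instr_lengths)
    return memory[offset:offset + covered]


if __name__ == "__main__":
    for aob in ("D9 46 30 DF F1",
                "D9 46 30 DF F1 DD D8 7A 06 0F 84 7D",
                "D9 46 30 DF F1 DD D8 7A 06 0F 84 8D"):
        print(f"{aob:40s} hits={aob_scan(SAMPLE_MEMORY, aob)} unique={is_unique(SAMPLE_MEMORY, aob)}")
    for lengths in ([3, 3], [3, 2], [3, 1, 3]):
        print(f"instructions {lengths}: overwritten/nops = {injection_layout(lengths)}")
```

The `injection_layout` results line up with the three scripts already in this thread: the mana template (`fstp` 3 bytes + `fld` 3 bytes) needs `jmp newmem` plus one `nop` and restores 6 bytes, the health script (`fld` 3 + `fcomip` 2) needs the bare `jmp` and restores 5 bytes, and the stat points script (3 + 1 + 3) needs two `nop`s and restores 7. The same length discipline is why the 'what writes' nop script above writes exactly three `90` bytes for a 3-byte instruction and restores exactly three.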
 
#16
Understood, I will fix some things tomorrow.
For form points I understood, but how can I put max-1 and not max?
Something like this?
Code:
push eax
dec [esi+2c] //it will decrement the value by one right?
mov eax, [esi+2c]
mov [esi+30], eax
pop eax
Thanks again for instructing me :D
 

Squall8
#17
Debug form points with 'what writes'. Simply change the instruction that pops up from a mov to add. And add by some high number. No skills get skipped over and you level up every kill.
Code:
code:
  add [esi+2C],#99
  movzx eax,byte ptr [ebp+08]
  jmp return
 