(MOV ECX, EDX) ===> How to get ECX and EDX please?

Mar 3, 2017
#1
Hello everyone,


Do you guys have any piece of code or tips for what is asked in the title? If you want a bit more precision, there are links below:

https://puu.sh/usC7v/b08e84c23c.png
https://puu.sh/usB1d/b39ab89253.png

Thanks in advance, last time I asked something in this forum I got the perfect answer I expected, let's hope it works again this time :)
 
Mar 2, 2017
#2
EDX is exactly what is shown in the register in the second screenshot when you reach the breakpoint, 0x44E2FBB6. That EDX value is stored at the memory address, 0xE8B2C6C, as denoted by [ECX]. The brackets mean to use the value stored in ECX as a pointer.
 
Mar 3, 2017
#3
0xE8B2C6C, as denoted by [ECX]
Exactly. The thing is I'd like to create some kind of hook/function to get all the values in ECX (actually EDX doesn't matter much) after this particular instruction is called...

Gotta say I struggle quite a lot.

Thanks for your help.
 
Mar 2, 2017
#4
Go to the address in the CE memory viewer, right click and select "Find out what addresses this instruction accesses". That will give you all the addresses ECX points to when the instruction is called. To get EDX for each case, right click the addresses that appear and click "Show registers".
 
Mar 3, 2017
#5
Go to the address in the CE memory viewer, right click and select "Find out what addresses this instruction accesses".
Everything you are saying is true. But I already did this before, this is how I know what I want.

But look at what I said:
The thing is I'd like to create some kind of hook/function
What I want to get is code to do this automatically. And this is where I'm stuck.

Still thanks for the help, I apologize for not being clear enough.
 

++METHOS

Mar 2, 2017
#6
With the instruction highlighted inside of memory viewer, select 'Tools' from the drop-down menu. Click on 'Auto Assemble'. A new window will pop up. Select 'Template' from the drop-down menu. Click on 'Aob Injection'. Copy/paste everything here so that someone can help.

Depending on what you are trying to do, you may need to establish some conditions inside of your script so that you can segregate the addresses and set up identifiers for them so that you know what you are manipulating/reading.
 
Mar 3, 2017
#7
Wow dude. I'm amazed at how fast you reply, and you seem to be skilled as well. Once again, thanks.

I'm really sorry, the code is quite long. The only thing I want to do is get the ECX when this function gets called. That's all.
Code:
{ Game   : BF42
  Version: 
  Date   : 2017-03-03
  Author : 

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECT,BF1942.exe,89 11 D9 59 08 8B 8D) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  mov [ecx],edx
  fstp dword ptr [ecx+08]
  jmp return

INJECT:
  jmp code
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 89 11 D9 59 08

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "BF1942.exe"+FCD7B

"BF1942.exe"+FCD59: FF 52 3C                       -  call dword ptr [edx+3C]
"BF1942.exe"+FCD5C: D9 40 38                       -  fld dword ptr [eax+38]
"BF1942.exe"+FCD5F: 8B 8D 58 01 00 00              -  mov ecx,[ebp+00000158]
"BF1942.exe"+FCD65: D9 40 34                       -  fld dword ptr [eax+34]
"BF1942.exe"+FCD68: 8B 50 30                       -  mov edx,[eax+30]
"BF1942.exe"+FCD6B: 83 C0 30                       -  add eax,30
"BF1942.exe"+FCD6E: 83 C1 1D                       -  add ecx,1D
"BF1942.exe"+FCD71: 8D 0C 49                       -  lea ecx,[ecx+ecx*2]
"BF1942.exe"+FCD74: 8D 4C 8D 00                    -  lea ecx,[ebp+ecx*4+00]
"BF1942.exe"+FCD78: D9 59 04                       -  fstp dword ptr [ecx+04]
// ---------- INJECTING HERE ----------
"BF1942.exe"+FCD7B: 89 11                          -  mov [ecx],edx
"BF1942.exe"+FCD7D: D9 59 08                       -  fstp dword ptr [ecx+08]
// ---------- DONE INJECTING  ----------
"BF1942.exe"+FCD80: 8B 8D 58 01 00 00              -  mov ecx,[ebp+00000158]
"BF1942.exe"+FCD86: 41                             -  inc ecx
"BF1942.exe"+FCD87: 8B C1                          -  mov eax,ecx
"BF1942.exe"+FCD89: 83 F8 10                       -  cmp eax,10
"BF1942.exe"+FCD8C: 89 8D 58 01 00 00              -  mov [ebp+00000158],ecx
"BF1942.exe"+FCD92: 75 0A                          -  jne BF1942.exe+FCD9E
"BF1942.exe"+FCD94: C7 85 58 01 00 00 00 00 00 00  -  mov [ebp+00000158],00000000
"BF1942.exe"+FCD9E: F6 45 04 01                    -  test byte ptr [ebp+04],01
"BF1942.exe"+FCDA2: 0F 85 0A 11 00 00              -  jne BF1942.exe+FDEB2
"BF1942.exe"+FCDA8: 53                             -  push ebx
}
 

++METHOS

Mar 2, 2017
#8
What are you trying to do, exactly? What does this instruction handle? Does this instruction access multiple addresses? We can help you better if we know more.

For example:
Code:
[ENABLE]

aobscanmodule(aob_address,BF1942.exe,89 11 D9 59 08 8B 8D) // should be unique
alloc(newmem,$1000)

label(return)
label(address)
label(code) // every name used as "name:" below has to be declared, or the script will not assemble

registersymbol(aob_address)
registersymbol(address)

//==============================================//

newmem:
push edi
lea edi,[ecx]      // ecx = address the game is about to write X to
mov [address],edi  // store it in the cell below (only the most recent value is kept)
pop edi

code:
mov [ecx],edx            // the two original (stolen) instructions, re-executed here
fstp dword ptr [ecx+08]
jmp return

address:
dd 0               // storage cell, visible to the cheat table as the symbol "address"

aob_address:
jmp newmem         // 5 bytes: exactly the length of the two stolen instructions
return:

//==============================================//

[DISABLE]

aob_address:
db 89 11 D9 59 08  // restore the original bytes before the cave is freed

dealloc(newmem)

unregistersymbol(aob_address)
unregistersymbol(address)
Will allow you to add a custom pointer address to your cheat table after the script is activated, called address. But if the instruction in question is accessing multiple addresses, then this will not do you much good until you appropriately segregate the addresses.
 
Mar 3, 2017
#9
What are you trying to do, exactly?
I'm trying to extract all the XYZ from every player (for a radar).

I know I could have done it with a pointer scan (I tried). But even the pointers are dynamic (I mean they change quite often in the same round).

Therefore I went to an X coord => find out what writes to this address (found the MOV ECX, EDX).
Then I went to OllyDbg, put a breakpoint on that particular function, and pressed play many times in a row => found out that ECX gives the address where the X is. Y and Z are right next to it.

To be honest I have no idea what you did. I'm going to try to retrieve some addresses then.

Im very grateful.
 

++METHOS

Mar 2, 2017
#10
If you have not already done so, you can complete the last step of the CE tutorial that covers data structure dissection for a better understanding of what you will need to do.

Alternative methods for finding a unique ID for code segregation:
  • You can use a pointer address for your filter, inside of your script, for the value that you are trying to manipulate.
  • You can use pointer trees inside of the data structure to find something viable.
  • You can shift the data structure (+ or -) and/or expand its size to find something useful.
  • You can use the structure spider to find workable strings and/or for comparative analysis.
  • You can check the register values by attaching the debugger or setting a breakpoint to see if something can be used for your filter.
  • You can check to see if there are any instructions that are exclusive to the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
  • You can check to see if there are any instructions that are exclusive to any other address/value inside of the data structure for the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
  • You can analyze assembly code to see if an identifier is being checked or assigned somewhere.
    Et al.
 
Mar 3, 2017
#11
Thanks for the list, I'll keep it for when I reach your level ^^

By the way, you gave me a piece of code; can I use it outside Cheat Engine?

Because my goal is to create a .exe (with VB.net / C# / C++), and I don't see how I can use your code outside Cheat Engine.
 
Mar 2, 2017
#12
If the pointers themselves are dynamic, I believe you would have to find the player ID near the XYZ values too. You can use Structure Dissect for that. You should have a stack to store the XYZ values and their matching player ID. After hooking into that instruction, you should compare the player ID to any existing player ID in your stack. If not, add the player ID to the stack. If player ID already exists then, update the XYZ.

Your external .exe should do the hooking and allocation of stack itself then read off the stack and update on a GUI as necessary.
 
Mar 3, 2017
#13
You can use Structure Dissect for that
I gotta say this is one weird game I'm trying to hack here (I've already hacked many). I did exactly what you said (dissect data structure) and couldn't find the player ID either. The only thing I could do was get the XYZ and the team (which is enough).

The only missing part of the puzzle is reading ECX (after that particular MOV instruction)

Apparently I need to do some instruction hooking (already googled that) and I couldn't find a good example (I already did some API hooking with the SendTo function to deal with packets). But I never did "instruction hooking", if that's what it's called. Do you think this is where I should dig to do what I want? (I would like to make the radar in C# because I'm much better at it than C++.)
 

++METHOS

Mar 2, 2017
#14
The example code that I previously posted is the code that is used for your hook. You need to determine a way to segregate the coordinate addresses using filters so that you can manage that data appropriately (methods provided in my previous post).

CE can create a standalone .exe, allowing you to mimic what CE does in the form of a trainer. You can edit and create the interface manually, using Lua, or by using the trainer generator inside of CE.
 
Mar 3, 2017
#15
Thanks a lot for your sharing.

I guess you gave me what I needed.

But isn't there a way to do it in C# or C++? Because I really want to deal with the data in C#, as I will not make all my trainers using Lua (I don't know what it is) or the CE trainer generator. Do you see what I mean?

Once again, thanks for your sharing; I'll reply tomorrow, gotta sleep :)
 

TheyCallMeTim13

Mar 3, 2017
#16
You can do it in C#, but you will need to use some C or C++ porting of 'kernel32.dll':
Code:
using System;
using System.Runtime.InteropServices;

// P/Invoke declarations for kernel32. Handles, addresses and sizes are IntPtr rather than int,
// so the same declarations are correct for both 32-bit and 64-bit builds of the tool.
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);

[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesWritten);
Here is a good tutorial I used for the same reason, though it was for learning, because when you learn CE you will find its awesomeness is undeniable.
https://www.codeproject.com/articles/670373/csharp-read-write-another-process-memory
 

TheyCallMeTim13

Mar 3, 2017
#17
And from there you would need to write your own AOB scanner, find a compatible ASM compiler, or write raw bytes to inject.
 
Mar 2, 2017
#18
Sodruza said:
You can use Structure Dissect for that
I gotta say this is one weird game I'm trying to hack here (I've already hacked many). I did exactly what you said (dissect data structure) and couldn't find the player ID either. The only thing I could do was get the XYZ and the team (which is enough).

The only missing part of the puzzle is reading ECX (after that particular MOV instruction)

Apparently I need to do some instruction hooking (already googled that) and I couldn't find a good example (I already did some API hooking with the SendTo function to deal with packets). But I never did "instruction hooking", if that's what it's called. Do you think this is where I should dig to do what I want? (I would like to make the radar in C# because I'm much better at it than C++.)
The player ID is needed to properly segregate the addresses as ++METHOS has already said. Try changing the data type around and see if you can find it? Or read through the instructions around the mov [ecx],edx and see where it gets ecx from? You could possibly use ecx as the identifier but you said ecx itself is dynamic and changes for each player even during the same match, so I'm not sure if it would work.

As for hooking, I'm not sure if this is the same as API hooking as you want to specifically hook into the mov instruction. You can try looking at Minimalistic API Hooking Library to see if it can do it? Or you can manually do it with WriteProcessMemory and VirtualAlloc.
 
Mar 3, 2017
#19
Hello,
You can do it in C#, but you will need to use some C or C++ porting of 'kernel32.dll'
I know these functions (read/write process memory); I use them to change some values and for pointers. The thing is I don't see how they can help me in this case...
I'd like to code something like:

1 Hook the instruction "MOV" in 4FCD7B.
2 Return the ECX value every time the MOV instruction is called.

If I could code such a thing, well I can do the radar afterwards.

Try changing the data type around and see if you can find it
Trust me, I really tried this before and I guarantee the ID is not close to the XYZ pos in this game. But I don't care. In my radar I want to be able to get the XYZ and the team (blue or red), and I can do both manually (I can even get the name, but not the ID, but it's worthless); unfortunately, not with code yet.

WriteProcessMemory
Writing is worthless in this case, isn't it? What I want to do is reading only.
 

TheyCallMeTim13

Mar 3, 2017
#20
Sodruza said:
But isn't there a way to do it in C# or C++? Because I really want to deal with the data in C#, as I will not make all my trainers using Lua (I don't know what it is) or the CE trainer generator. Do you see what I mean?
Sodruza said:
You can do it in C#, but you will need to use some C or C++ porting of 'kernel32.dll'
I know these functions (read/write process memory); I use them to change some values and for pointers. The thing is I don't see how they can help me in this case...
I'd like to code something like:

1 Hook the instruction "MOV" in 4FCD7B.
2 Return the ECX value every time the MOV instruction is called.

...
WriteProcessMemory
Writing is worthless in this case, isn't it? What I want to do is reading only.
So if you want to do this in C# you will need to:
  • hook to the process.
  • Find a code cave for hooks and storing values. (reading)
  • Then find your injection point; an AOB scan is best. (reading)
  • Write the new code (in the code cave) that does the mov, then stores the value and jumps back to the injection point. (writing)(reading)
  • Then inject the new jmp to the new code in the code cave. (writing)

Which requires reading and writing.

Unless I misread, which happens, that's what you're looking for.
I hope this helps.
 