SimAirport

Kalas

Cat'n America!
Fearless Donors
Table Maker
Mar 3, 2017
#1
This is my code for money:
Code:
[ENABLE]

// The scan pattern spells out the full 4-byte absolute operand of the
// "mov eax,[...]" instruction (78 8F 88 06). Later posts in this thread show
// that operand differs between runs/builds, so a fully specified pattern may
// simply fail to match on another launch.
aobscan(aobMoney,DD 5E 20 8B 05 78 8F 88 06)
alloc(newmem,$100)

label(code)
label(return)

// NOTE(review): "Money" is allocated here as a 4-byte block AND defined again
// below as a label inside newmem that holds an 8-byte "dq" — two definitions
// of one symbol, and the allocation is too small for a double even if it were
// the one the assembler used. Confirm which definition wins.
alloc(Money,4)

newmem:

// The hook at aobMoney does "jmp newmem", and newmem begins with these 8 bytes
// of double data, so the CPU executes the encoding of 9999999.0 as
// instructions. That is the most likely cause of the instant crash: the data
// must sit after "jmp return" (or the hook must jump to "code" instead).
Money:
  dq (double)9999999

code:
  // Pushes the constant onto the x87 stack. The sum the game's "faddp" left
  // there (see the original code below) is never popped, so each pass through
  // this hook leaves one extra entry on the 8-slot FPU stack.
  fld qword ptr [Money]
  fstp qword ptr [esi+20]
  // Overwritten instruction re-emitted with its absolute address hard-coded;
  // post #3 notes this address can change between launches/updates.
  mov eax,[06888F78]
  jmp return

aobMoney:
  // 5-byte jmp + 4 nops = the 9 bytes the pattern overwrites.
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(aobMoney)

[DISABLE]

aobMoney:
  // Restores a fixed byte string, not the bytes the scan actually found.
  db DD 5E 20 8B 05 78 8F 88 06

unregistersymbol(aobMoney)
dealloc(newmem)
dealloc(Money)

{
// ORIGINAL CODE - INJECTION POINT: 46A0319C

""+46A03167: 8B 75 08              -  mov esi,[ebp+08]
""+46A0316A: C7 45 CC 00 00 00 00  -  mov [ebp-34],00000000
""+46A03171: C7 45 D0 00 00 00 00  -  mov [ebp-30],00000000
""+46A03178: C7 45 D4 00 00 00 00  -  mov [ebp-2C],00000000
""+46A0317F: C7 45 D8 00 00 00 00  -  mov [ebp-28],00000000
""+46A03186: C7 45 DC 00 00 00 00  -  mov [ebp-24],00000000
""+46A0318D: C7 45 E0 00 00 00 00  -  mov [ebp-20],00000000
""+46A03194: DD 46 20              -  fld qword ptr [esi+20]
""+46A03197: DD 45 0C              -  fld qword ptr [ebp+0C]
""+46A0319A: DE C1                 -  faddp 
// ---------- INJECTING HERE ----------
""+46A0319C: DD 5E 20              -  fstp qword ptr [esi+20]
""+46A0319F: 8B 05 78 8F 88 06     -  mov eax,[06888F78]
// ---------- DONE INJECTING  ----------
""+46A031A5: 0F B6 80 D8 00 00 00  -  movzx eax,byte ptr [eax+000000D8]
""+46A031AC: 85 C0                 -  test eax,eax
""+46A031AE: 0F 85 BB 00 00 00     -  jne 46A0326F
""+46A031B4: 8D 46 40              -  lea eax,[esi+40]
""+46A031B7: 8B 08                 -  mov ecx,[eax]
""+46A031B9: 89 4D CC              -  mov [ebp-34],ecx
""+46A031BC: 8B 40 04              -  mov eax,[eax+04]
""+46A031BF: 89 45 D0              -  mov [ebp-30],eax
""+46A031C2: 0F B6 45 D0           -  movzx eax,byte ptr [ebp-30]
""+46A031C6: 85 C0                 -  test eax,eax
}

The script crashes my game instantly. I wanted to ask: is my script wrong? Or could it be that everything is accessing the same instruction, like in Shadow Warrior 2, so I need to use a string to make a script here?
 

Kalas

Cat'n America!
Fearless Donors
Table Maker
Mar 3, 2017
#2
How can I move 9999999 to this code:
Code:
[ENABLE]

// Pattern again embeds the absolute operand of "mov eax,[...]" (here A2 06
// where post #1 had 88 06), which is why it had to be re-scanned for this run.
aobscan(aobMoney,DD 5E 20 8B 05 78 8F A2 06)
alloc(newmem,$100)

label(code)
label(return)

newmem:

code:
  // This version only re-emits the two overwritten instructions, so the hook
  // is a no-op placeholder; the question in this post is where to put the
  // 9999999 constant. Whatever is added must not leave extra entries on the
  // x87 stack: the original fstp pops the faddp result exactly once.
  fstp qword ptr [esi+20]
  // Absolute address hard-coded; post #3 notes it can change across
  // launches/updates.
  mov eax,[06A28F78]
  jmp return

aobMoney:
  // 5-byte jmp + 4 nops = the 9 bytes the pattern overwrites.
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(aobMoney)

[DISABLE]

aobMoney:
  db DD 5E 20 8B 05 78 8F A2 06

unregistersymbol(aobMoney)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 46ABE744

""+46ABE70F: 8B 75 08              -  mov esi,[ebp+08]
""+46ABE712: C7 45 CC 00 00 00 00  -  mov [ebp-34],00000000
""+46ABE719: C7 45 D0 00 00 00 00  -  mov [ebp-30],00000000
""+46ABE720: C7 45 D4 00 00 00 00  -  mov [ebp-2C],00000000
""+46ABE727: C7 45 D8 00 00 00 00  -  mov [ebp-28],00000000
""+46ABE72E: C7 45 DC 00 00 00 00  -  mov [ebp-24],00000000
""+46ABE735: C7 45 E0 00 00 00 00  -  mov [ebp-20],00000000
""+46ABE73C: DD 46 20              -  fld qword ptr [esi+20]
""+46ABE73F: DD 45 0C              -  fld qword ptr [ebp+0C]
""+46ABE742: DE C1                 -  faddp 
// ---------- INJECTING HERE ----------
""+46ABE744: DD 5E 20              -  fstp qword ptr [esi+20]
""+46ABE747: 8B 05 78 8F A2 06     -  mov eax,[06A28F78]
// ---------- DONE INJECTING  ----------
""+46ABE74D: 0F B6 80 D8 00 00 00  -  movzx eax,byte ptr [eax+000000D8]
""+46ABE754: 85 C0                 -  test eax,eax
""+46ABE756: 0F 85 BB 00 00 00     -  jne 46ABE817
""+46ABE75C: 8D 46 40              -  lea eax,[esi+40]
""+46ABE75F: 8B 08                 -  mov ecx,[eax]
""+46ABE761: 89 4D CC              -  mov [ebp-34],ecx
""+46ABE764: 8B 40 04              -  mov eax,[eax+04]
""+46ABE767: 89 45 D0              -  mov [ebp-30],eax
""+46ABE76A: 0F B6 45 D0           -  movzx eax,byte ptr [ebp-30]
""+46ABE76E: 85 C0                 -  test eax,eax
}
 

Schnitzelmaker

Expert Cheater
Mar 3, 2017
#3
Move your money label after the jmp return.

Btw: mov eax,[06A28F78] might cause a compatibility issue. It could be different each time you start the game or each time the game is updated.
Code:
[ENABLE]

aobscan(aobMoney,DD 5E 20 8B 05 78 8F A2 06)
alloc(newmem,$100)

label(code)
label(return)
// Money is now a label inside newmem rather than a separate alloc, so the
// constant lives in the same allocated block as the code.
label(Money)

newmem:

code:
  // Pushes the constant onto the x87 stack; the following fstp pops it into
  // the game's value. The faddp result the original fstp would have popped is
  // still left on the stack, so each pass leaves one extra entry on the 8-slot
  // FPU stack (post #5 suggests popping it first).
  fld qword ptr [Money]
  fstp qword ptr [esi+20]
  // Absolute address hard-coded (see the note above this script).
  mov eax,[06A28F78]
  jmp return

// Data is placed after the unconditional jmp so the CPU never executes the
// 8 bytes of the double as instructions.
Money:
  dq (double)9999999

aobMoney:
  // 5-byte jmp + 4 nops = the 9 bytes the pattern overwrites.
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(aobMoney)

[DISABLE]

aobMoney:
  db DD 5E 20 8B 05 78 8F A2 06

unregistersymbol(aobMoney)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 46ABE744

""+46ABE70F: 8B 75 08              -  mov esi,[ebp+08]
""+46ABE712: C7 45 CC 00 00 00 00  -  mov [ebp-34],00000000
""+46ABE719: C7 45 D0 00 00 00 00  -  mov [ebp-30],00000000
""+46ABE720: C7 45 D4 00 00 00 00  -  mov [ebp-2C],00000000
""+46ABE727: C7 45 D8 00 00 00 00  -  mov [ebp-28],00000000
""+46ABE72E: C7 45 DC 00 00 00 00  -  mov [ebp-24],00000000
""+46ABE735: C7 45 E0 00 00 00 00  -  mov [ebp-20],00000000
""+46ABE73C: DD 46 20              -  fld qword ptr [esi+20]
""+46ABE73F: DD 45 0C              -  fld qword ptr [ebp+0C]
""+46ABE742: DE C1                 -  faddp 
// ---------- INJECTING HERE ----------
""+46ABE744: DD 5E 20              -  fstp qword ptr [esi+20]
""+46ABE747: 8B 05 78 8F A2 06     -  mov eax,[06A28F78]
// ---------- DONE INJECTING  ----------
""+46ABE74D: 0F B6 80 D8 00 00 00  -  movzx eax,byte ptr [eax+000000D8]
""+46ABE754: 85 C0                 -  test eax,eax
""+46ABE756: 0F 85 BB 00 00 00     -  jne 46ABE817
""+46ABE75C: 8D 46 40              -  lea eax,[esi+40]
""+46ABE75F: 8B 08                 -  mov ecx,[eax]
""+46ABE761: 89 4D CC              -  mov [ebp-34],ecx
""+46ABE764: 8B 40 04              -  mov eax,[eax+04]
""+46ABE767: 89 45 D0              -  mov [ebp-30],eax
""+46ABE76A: 0F B6 45 D0           -  movzx eax,byte ptr [ebp-30]
""+46ABE76E: 85 C0                 -  test eax,eax
}
 

Kalas

Cat'n America!
Fearless Donors
Table Maker
Mar 3, 2017
#4
I simply did that:
Code:
[ENABLE]

// The last two bytes of the absolute operand are wildcarded, so the scan
// matches whichever address the build uses. Note the [DISABLE] section below
// still writes back the fixed bytes "A2 06"; if the scan matched a different
// address, disabling the script restores the wrong operand.
aobscan(aobMoney,DD 5E 20 8B 05 78 8F ?? ??)
alloc(newmem,$100)

label(code)
label(return)

// 4-byte slot that will hold the address of the game's money value; exported
// so it can be used as a pointer base in the address list.
alloc(Money,4)
registersymbol(Money)

newmem:

code:
  // NOTE(review): everything else here addresses memory through 32-bit
  // registers (esi, ebp), but this block uses rbx. If the target is a 32-bit
  // process, 64-bit registers cannot be encoded; if it is 64-bit, the store
  // below writes 8 bytes into the 4-byte Money allocation. Confirm the
  // target's bitness and use a matching register/width.
  push rbx
  lea rbx,[esi+20]
  mov [Money],rbx
  pop rbx
  // Overwritten instructions re-emitted unchanged: this hook only records the
  // address, it does not modify the value, so the x87 stack stays balanced.
  fstp qword ptr [esi+20]
  // Absolute address hard-coded even though the scan above is wildcarded.
  mov eax,[06A28F78]
  jmp return

aobMoney:
  // 5-byte jmp + 4 nops = the 9 bytes the pattern overwrites.
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(aobMoney)

[DISABLE]

aobMoney:
  // Fixed restore bytes; see the note at the aobscan above.
  db DD 5E 20 8B 05 78 8F A2 06

unregistersymbol(aobMoney)
unregistersymbol(Money)
dealloc(newmem)
dealloc(Money)
{
// ORIGINAL CODE - INJECTION POINT: 46ABE744

""+46ABE70F: 8B 75 08              -  mov esi,[ebp+08]
""+46ABE712: C7 45 CC 00 00 00 00  -  mov [ebp-34],00000000
""+46ABE719: C7 45 D0 00 00 00 00  -  mov [ebp-30],00000000
""+46ABE720: C7 45 D4 00 00 00 00  -  mov [ebp-2C],00000000
""+46ABE727: C7 45 D8 00 00 00 00  -  mov [ebp-28],00000000
""+46ABE72E: C7 45 DC 00 00 00 00  -  mov [ebp-24],00000000
""+46ABE735: C7 45 E0 00 00 00 00  -  mov [ebp-20],00000000
""+46ABE73C: DD 46 20              -  fld qword ptr [esi+20]
""+46ABE73F: DD 45 0C              -  fld qword ptr [ebp+0C]
""+46ABE742: DE C1                 -  faddp 
// ---------- INJECTING HERE ----------
""+46ABE744: DD 5E 20              -  fstp qword ptr [esi+20]
""+46ABE747: 8B 05 78 8F A2 06     -  mov eax,[06A28F78]
// ---------- DONE INJECTING  ----------
""+46ABE74D: 0F B6 80 D8 00 00 00  -  movzx eax,byte ptr [eax+000000D8]
""+46ABE754: 85 C0                 -  test eax,eax
""+46ABE756: 0F 85 BB 00 00 00     -  jne 46ABE817
""+46ABE75C: 8D 46 40              -  lea eax,[esi+40]
""+46ABE75F: 8B 08                 -  mov ecx,[eax]
""+46ABE761: 89 4D CC              -  mov [ebp-34],ecx
""+46ABE764: 8B 40 04              -  mov eax,[eax+04]
""+46ABE767: 89 45 D0              -  mov [ebp-30],eax
""+46ABE76A: 0F B6 45 D0           -  movzx eax,byte ptr [ebp-30]
""+46ABE76E: 85 C0                 -  test eax,eax
}
Added the address manually with the pointer title Money. Now every time I restart the game I must lose money, then I can activate the script, then lose more money, and then the value will pop up and be changeable.
 

FreeER

RCE Fanatics
Talents
Mar 10, 2017
#5
Alternatively you can change the "jmp newmem", which is not assembly code you want executed due to the double value, to "jmp code", which is. Then you can use "newmem" instead of creating another label for "Money" (admittedly, creating a label that describes it is more "self-documenting"...).

Also, since whatever value was on the FPU stack that was going to be stored would also have been popped, you'll probably want to do two "fstp"s: one to pop the intended value and then, after loading the new value, one to store and pop yours. Or use "fstp st(0)" to pop the intended value without storing it anywhere in memory (probably slightly more efficient); or prevent the load.

(after preview and seeing your update) Hm, though simply storing the address works too. Often the register, esi in this case, points to some "player info" "struct" with several other useful values nearby, so you might want to just store esi instead of esi+20 (look at it in the data dissector and see if you can find any other useful values; see Geri's tutorial here https://web.archive.org/web/20160331215632/http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles/230-dissect-data-structures if you don't know how, or do a search on YouTube, I recall there being a couple of video tutorials). Then you could use that value as part of the address of each of the different values you cared about, for example Base+20 for Money and (just a random example) Base+10 for XP.
 

Kalas

Cat'n America!
Fearless Donors
Table Maker
Mar 3, 2017
#6
Actually, in the end I figured out that the array of bytes keeps changing at this location:
Code:
DD 5E 20 8B 05 78 8F ?? 06
You see where I added "??" — that byte, I guess you call it, keeps changing, as I've checked — so this basically "fixed" the issue. The full script I used is this:
Code:
[ENABLE]

// One byte of the absolute operand is wildcarded (the byte observed to change
// between runs: 88, A2, AB in this thread). The [DISABLE] section below still
// writes back the fixed "AB 06", so if the scan matched a different value,
// disabling the script restores the wrong operand instead of the original.
aobscan(aobMoneyv2,DD 5E 20 8B 05 78 8F ?? 06)
alloc(newmem,$100)

label(code)
label(return)

// NOTE(review): Moneyv2 is allocated here (4 bytes) and also defined below as
// a label inside newmem holding an 8-byte dq — two definitions of one symbol,
// and this allocation is never dealloc'd in [DISABLE]. Confirm which
// definition the assembler uses.
alloc(Moneyv2,4)

newmem:

code:
  // Pushes the constant; the following fstp pops it into the game's value.
  // The faddp result the original fstp would have popped is still left on the
  // x87 stack, so each pass leaves one extra entry on the 8-slot FPU stack.
  fld qword ptr [Moneyv2]
  fstp qword ptr [esi+20]
  // Absolute address hard-coded; it is the very operand the wildcard above
  // exists for, so it can be stale on another launch.
  mov eax,[06AB8F78]
  jmp return

// Data sits after the unconditional jmp so it is never executed as code.
Moneyv2:
  dq (double)9999999

aobMoneyv2:
  // 5-byte jmp + 4 nops = the 9 bytes the pattern overwrites.
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(aobMoneyv2)

[DISABLE]

aobMoneyv2:
  // Fixed restore bytes; see the note at the aobscan above.
  db DD 5E 20 8B 05 78 8F AB 06

unregistersymbol(aobMoneyv2)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 46FF071C

""+46FF06E7: 8B 75 08              -  mov esi,[ebp+08]
""+46FF06EA: C7 45 CC 00 00 00 00  -  mov [ebp-34],00000000
""+46FF06F1: C7 45 D0 00 00 00 00  -  mov [ebp-30],00000000
""+46FF06F8: C7 45 D4 00 00 00 00  -  mov [ebp-2C],00000000
""+46FF06FF: C7 45 D8 00 00 00 00  -  mov [ebp-28],00000000
""+46FF0706: C7 45 DC 00 00 00 00  -  mov [ebp-24],00000000
""+46FF070D: C7 45 E0 00 00 00 00  -  mov [ebp-20],00000000
""+46FF0714: DD 46 20              -  fld qword ptr [esi+20]
""+46FF0717: DD 45 0C              -  fld qword ptr [ebp+0C]
""+46FF071A: DE C1                 -  faddp 
// ---------- INJECTING HERE ----------
""+46FF071C: DD 5E 20              -  fstp qword ptr [esi+20]
""+46FF071F: 8B 05 78 8F AB 06     -  mov eax,[06AB8F78]
// ---------- DONE INJECTING  ----------
""+46FF0725: 0F B6 80 D8 00 00 00  -  movzx eax,byte ptr [eax+000000D8]
""+46FF072C: 85 C0                 -  test eax,eax
""+46FF072E: 0F 85 BB 00 00 00     -  jne 46FF07EF
""+46FF0734: 8D 46 40              -  lea eax,[esi+40]
""+46FF0737: 8B 08                 -  mov ecx,[eax]
""+46FF0739: 89 4D CC              -  mov [ebp-34],ecx
""+46FF073C: 8B 40 04              -  mov eax,[eax+04]
""+46FF073F: 89 45 D0              -  mov [ebp-30],eax
""+46FF0742: 0F B6 45 D0           -  movzx eax,byte ptr [ebp-30]
""+46FF0746: 85 C0                 -  test eax,eax
}
 