[Solved] Steel Division: Normandy 44

May 24, 2017
13
0
1
#1
Hello everbody,

Wrapping my head around CE/Assembly is hard :lol:

I'm trying to create a script that gives me unlimited units; you get a value on a certain troops and if you used that up you cannot spawn it anymore.

Now i found: 14126CFFE - FF 48 38 - dec [rax+38] and 14126D37F - 44 01 60 38 - add [rax+38],r12d. I tried this for my script:

After spawning a new unit the game crashed :lol: What i'm trying to do with my script is: After spawning a unit increase value by 1.
Code:
[ENABLE]

aobscanmodule(INJECT,SteelDivision.exe,FF 48 38 F7 45 28 FF FF FF 07) // should be unique
alloc(newmem,$1000,"SteelDivision.exe"+126CFFE)

label(code)
label(return)

newmem:
push eax
mov eax,[rax+38]
add eax,1
jmp return


code:
  dec [rax+38]
  test [rbp+28],7FFFFFF
  jmp return

INJECT:
  jmp newmem
  nop
  nop
  nop
  nop
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db FF 48 38 F7 45 28 FF FF FF 07

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "SteelDivision.exe"+126CFFE

"SteelDivision.exe"+126CFE4: 39 48 2C                 -  cmp [rax+2C],ecx
"SteelDivision.exe"+126CFE7: 75 0D                    -  jne SteelDivision.exe+126CFF6
"SteelDivision.exe"+126CFE9: 8B 4B 30                 -  mov ecx,[rbx+30]
"SteelDivision.exe"+126CFEC: 83 F9 FF                 -  cmp ecx,-01
"SteelDivision.exe"+126CFEF: 74 0D                    -  je SteelDivision.exe+126CFFE
"SteelDivision.exe"+126CFF1: 3B 48 30                 -  cmp ecx,[rax+30]
"SteelDivision.exe"+126CFF4: 74 08                    -  je SteelDivision.exe+126CFFE
"SteelDivision.exe"+126CFF6: 33 D2                    -  xor edx,edx
"SteelDivision.exe"+126CFF8: 48 83 C0 40              -  add rax,40
"SteelDivision.exe"+126CFFC: EB 82                    -  jmp SteelDivision.exe+126CF80
// ---------- INJECTING HERE ----------
"SteelDivision.exe"+126CFFE: FF 48 38                 -  dec [rax+38]
"SteelDivision.exe"+126D001: F7 45 28 FF FF FF 07     -  test [rbp+28],7FFFFFF
// ---------- DONE INJECTING  ----------
"SteelDivision.exe"+126D008: 0F 84 7D 00 00 00        -  je SteelDivision.exe+126D08B
"SteelDivision.exe"+126D00E: 48 8B CB                 -  mov rcx,rbx
"SteelDivision.exe"+126D011: E8 0A EB FF FF           -  call SteelDivision.exe+126BB20
"SteelDivision.exe"+126D016: 4C 8B C0                 -  mov r8,rax
"SteelDivision.exe"+126D019: 4C 8D 4C 24 30           -  lea r9,[rsp+30]
"SteelDivision.exe"+126D01E: 48 8B D3                 -  mov rdx,rbx
"SteelDivision.exe"+126D021: 48 8D 4D 28              -  lea rcx,[rbp+28]
"SteelDivision.exe"+126D025: E8 D6 C2 2E FF           -  call SteelDivision.exe+559300
"SteelDivision.exe"+126D02A: 4C 8B 4C 24 30           -  mov r9,[rsp+30]
"SteelDivision.exe"+126D02F: 4D 85 C9                 -  test r9,r9
}
Can you guys give me some tips?

Thanks a lot
 

NotJustSomeGuy

What is cheating?
May 22, 2017
3
0
1
#2
Yeah no that code isn't supposed to be directly bellow newmem (I don't think anyway). (I could be completely wrong about this but every script i've made is like this) You can make a label like this:

Code:
[ENABLE]

aobscanmodule(INJECT,SteelDivision.exe,FF 48 38 F7 45 28 FF FF FF 07) // should be unique
alloc(newmem,$1000,"SteelDivision.exe"+126CFFE)

label(code)
label(return)
label(hax)

newmem:


hax:
 add [rax+38],1
 jmp return //This should be the format anyway.

code:
  dec [rax+38]
  test [rbp+28],7FFFFFF
  jmp return

INJECT:
  jmp newmem
  nop
  nop
  nop
  nop
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db FF 48 38 F7 45 28 FF FF FF 07

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "SteelDivision.exe"+126CFFE

"SteelDivision.exe"+126CFE4: 39 48 2C                 -  cmp [rax+2C],ecx
"SteelDivision.exe"+126CFE7: 75 0D                    -  jne SteelDivision.exe+126CFF6
"SteelDivision.exe"+126CFE9: 8B 4B 30                 -  mov ecx,[rbx+30]
"SteelDivision.exe"+126CFEC: 83 F9 FF                 -  cmp ecx,-01
"SteelDivision.exe"+126CFEF: 74 0D                    -  je SteelDivision.exe+126CFFE
"SteelDivision.exe"+126CFF1: 3B 48 30                 -  cmp ecx,[rax+30]
"SteelDivision.exe"+126CFF4: 74 08                    -  je SteelDivision.exe+126CFFE
"SteelDivision.exe"+126CFF6: 33 D2                    -  xor edx,edx
"SteelDivision.exe"+126CFF8: 48 83 C0 40              -  add rax,40
"SteelDivision.exe"+126CFFC: EB 82                    -  jmp SteelDivision.exe+126CF80
// ---------- INJECTING HERE ----------
"SteelDivision.exe"+126CFFE: FF 48 38                 -  dec [rax+38]
"SteelDivision.exe"+126D001: F7 45 28 FF FF FF 07     -  test [rbp+28],7FFFFFF
// ---------- DONE INJECTING  ----------
"SteelDivision.exe"+126D008: 0F 84 7D 00 00 00        -  je SteelDivision.exe+126D08B
"SteelDivision.exe"+126D00E: 48 8B CB                 -  mov rcx,rbx
"SteelDivision.exe"+126D011: E8 0A EB FF FF           -  call SteelDivision.exe+126BB20
"SteelDivision.exe"+126D016: 4C 8B C0                 -  mov r8,rax
"SteelDivision.exe"+126D019: 4C 8D 4C 24 30           -  lea r9,[rsp+30]
"SteelDivision.exe"+126D01E: 48 8B D3                 -  mov rdx,rbx
"SteelDivision.exe"+126D021: 48 8D 4D 28              -  lea rcx,[rbp+28]
"SteelDivision.exe"+126D025: E8 D6 C2 2E FF           -  call SteelDivision.exe+559300
"SteelDivision.exe"+126D02A: 4C 8B 4C 24 30           -  mov r9,[rsp+30]
"SteelDivision.exe"+126D02F: 4D 85 C9                 -  test r9,r9
}
 

STN

Pleb
Staff member
Administrator
Mar 2, 2017
3,106
102
63
#3
just do this
code:
inc [rax+38]
test [rbp+28],7FFFFFF

it was crashing btw because you didn't pop eax. But even if you had popped eax, it wasn't going to do anything (you forgot to write back to game address).

PS: This game has encrypted values, i forgot if units values was encrypted but income was.
 
May 24, 2017
13
0
1
#4
STN post_id=9567 time=1495740853 user_id=48 said:
just do this
code:
inc [rax+38]
test [rbp+28],7FFFFFF

it was crashing btw because you didn't pop eax. But even if you had popped eax, it wasn't going to do anything (you forgot to write back to game address).

PS: This game has encrypted values, i forgot if units values was encrypted but income was.
Ahh it was that easy ha! That also fixed my problem with multiple unit spawns at once, it adds it automatically back with this ;) Thanks a lot.
 
Top Bottom