Re: Absolute beginner: Your first ammo script

Posted: Tue Feb 18, 2020 11:15 am
by TimFun13
Lord Blade wrote:
Tue Feb 18, 2020 2:34 am
So having it set up as you showed would basically stop the tracking from working then? How do you know how many 90's you need?
I'm still confused with all this stuff. :p
You just want to replace the original instruction. And the original MOV is 6 bytes long, thus 6 NOPs.

Re: Absolute beginner: Your first ammo script

Posted: Tue Feb 18, 2020 6:08 pm
by Lord Blade
I think I get it.

Re: Absolute beginner: Your first ammo script

Posted: Tue Feb 18, 2020 6:45 pm
by Lord Blade
So, I tried it and the script seems to work great.

Now my question is how do you know what the change is supposed to be?
Meaning how do you know to change this:

Code:

[ENABLE]

aobscanmodule(Tracking,COGMIND.exe,FC FF FF 89 82 88 00 00 00 C7) // should be unique
alloc(newmem,$1000) // the allocated block needs its own name; Tracking is already the aobscan symbol

label(return)

newmem:
  mov [edx+00000088],eax // the original 6-byte instruction, executed here instead
  jmp return

Tracking+03:
  jmp newmem // 5 bytes
  nop        // pads the sixth byte of the replaced mov
return:
registersymbol(Tracking)

[DISABLE]

Tracking+03:
  db 89 82 88 00 00 00 // put the original bytes back

unregistersymbol(Tracking)
dealloc(newmem)
Into this:

Code:

[ENABLE]

aobscanmodule(Tracking,COGMIND.exe,FC FF FF 89 82 88 00 00 00 C7) // should be unique
Tracking+03:
  db 90 90 90 90 90 90 // six NOPs: one per byte of the replaced mov
registersymbol(Tracking)

[DISABLE]
Tracking+03:
  db 89 82 88 00 00 00 // put the original bytes back

unregistersymbol(Tracking)
Because the tutorials I found didn't really explain much.

Re: Absolute beginner: Your first ammo script

Posted: Tue Feb 18, 2020 7:31 pm
by Lord Blade
So I have a similar thing: the overall alert level in the game (which goes up when stuff happens to draw attention, like you shooting or enemies spotting you).

Code:

{ Game   : COGMIND.exe
  Version: 
  Date   : 2020-02-18
  Author : Adam Taylor

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(Alert,COGMIND.exe,89 10 83 3D BC 27 AF 00 00) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  mov [eax],edx
  cmp dword ptr [COGMIND.exe+6F27BC],00
  jmp return

Alert:
  jmp newmem
  nop 4
return:
registersymbol(Alert)

[DISABLE]

Alert:
  db 89 10 83 3D BC 27 AF 00 00

unregistersymbol(Alert)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "COGMIND.exe"+1A5F1E

"COGMIND.exe"+1A5EF9: C7 45 FC FF FF FF FF  -  mov [ebp-04],FFFFFFFF
"COGMIND.exe"+1A5F00: 8D 4D D4              -  lea ecx,[ebp-2C]
"COGMIND.exe"+1A5F03: E8 98 AB 27 00        -  call COGMIND.exe+420AA0
"COGMIND.exe"+1A5F08: 83 7D D0 00           -  cmp dword ptr [ebp-30],00
"COGMIND.exe"+1A5F0C: 74 05                 -  je COGMIND.exe+1A5F13
"COGMIND.exe"+1A5F0E: E9 86 00 00 00        -  jmp COGMIND.exe+1A5F99
"COGMIND.exe"+1A5F13: 8B 4D CC              -  mov ecx,[ebp-34]
"COGMIND.exe"+1A5F16: 8B 11                 -  mov edx,[ecx]
"COGMIND.exe"+1A5F18: 03 55 08              -  add edx,[ebp+08]
"COGMIND.exe"+1A5F1B: 8B 45 CC              -  mov eax,[ebp-34]
// ---------- INJECTING HERE ----------
"COGMIND.exe"+1A5F1E: 89 10                 -  mov [eax],edx
"COGMIND.exe"+1A5F20: 83 3D BC 27 AF 00 00  -  cmp dword ptr [COGMIND.exe+6F27BC],00
// ---------- DONE INJECTING  ----------
"COGMIND.exe"+1A5F27: 74 62                 -  je COGMIND.exe+1A5F8B
"COGMIND.exe"+1A5F29: 8B 0D BC 27 AF 00     -  mov ecx,[COGMIND.exe+6F27BC]
"COGMIND.exe"+1A5F2F: 89 4D C8              -  mov [ebp-38],ecx
"COGMIND.exe"+1A5F32: 83 7D C8 02           -  cmp dword ptr [ebp-38],02
"COGMIND.exe"+1A5F36: 74 08                 -  je COGMIND.exe+1A5F40
"COGMIND.exe"+1A5F38: 83 7D C8 05           -  cmp dword ptr [ebp-38],05
"COGMIND.exe"+1A5F3C: 74 28                 -  je COGMIND.exe+1A5F66
"COGMIND.exe"+1A5F3E: EB 4B                 -  jmp COGMIND.exe+1A5F8B
"COGMIND.exe"+1A5F40: 83 7D 08 05           -  cmp dword ptr [ebp+08],05
"COGMIND.exe"+1A5F44: 7E 1E                 -  jle COGMIND.exe+1A5F64
}
So I get this far, but the code at the start looks different. The other code for the tracking stuff showed up as Tracking+03, but this isn't showing the same.

Re: Absolute beginner: Your first ammo script

Posted: Tue Feb 18, 2020 9:07 pm
by TimFun13
Lord Blade wrote:
Tue Feb 18, 2020 7:31 pm
...

Basically it sounds like you just need to zero the value; you could just use a MOV (i.e.: mov edx,0). But I tend to use XOR (i.e.: xor edx,edx), it's just fewer bytes. And basically if you xor any number by itself it will always be zero (i.e.: 100 xor 100 = 0).

Code:

{ Game   : COGMIND.exe
  Version: 
  Date   : 2020-02-18
  Author : Adam Taylor

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(Alert,COGMIND.exe,89 10 83 3D BC 27 AF 00 00) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  xor edx,edx // xor any number by it self and it will always be zero. So this just zeros the value.
  // mov edx,(int)100 // use this if the value decreases as alert level increases and set it to what the game's value is.
  mov [eax],edx
  cmp dword ptr [COGMIND.exe+6F27BC],00
  jmp return

Alert:
  jmp newmem
  nop 4
return:
registersymbol(Alert)

[DISABLE]

Alert:
  db 89 10 83 3D BC 27 AF 00 00

unregistersymbol(Alert)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "COGMIND.exe"+1A5F1E

"COGMIND.exe"+1A5EF9: C7 45 FC FF FF FF FF  -  mov [ebp-04],FFFFFFFF
"COGMIND.exe"+1A5F00: 8D 4D D4              -  lea ecx,[ebp-2C]
"COGMIND.exe"+1A5F03: E8 98 AB 27 00        -  call COGMIND.exe+420AA0
"COGMIND.exe"+1A5F08: 83 7D D0 00           -  cmp dword ptr [ebp-30],00
"COGMIND.exe"+1A5F0C: 74 05                 -  je COGMIND.exe+1A5F13
"COGMIND.exe"+1A5F0E: E9 86 00 00 00        -  jmp COGMIND.exe+1A5F99
"COGMIND.exe"+1A5F13: 8B 4D CC              -  mov ecx,[ebp-34]
"COGMIND.exe"+1A5F16: 8B 11                 -  mov edx,[ecx]
"COGMIND.exe"+1A5F18: 03 55 08              -  add edx,[ebp+08]
"COGMIND.exe"+1A5F1B: 8B 45 CC              -  mov eax,[ebp-34]
// ---------- INJECTING HERE ----------
"COGMIND.exe"+1A5F1E: 89 10                 -  mov [eax],edx
"COGMIND.exe"+1A5F20: 83 3D BC 27 AF 00 00  -  cmp dword ptr [COGMIND.exe+6F27BC],00
// ---------- DONE INJECTING  ----------
"COGMIND.exe"+1A5F27: 74 62                 -  je COGMIND.exe+1A5F8B
"COGMIND.exe"+1A5F29: 8B 0D BC 27 AF 00     -  mov ecx,[COGMIND.exe+6F27BC]
"COGMIND.exe"+1A5F2F: 89 4D C8              -  mov [ebp-38],ecx
"COGMIND.exe"+1A5F32: 83 7D C8 02           -  cmp dword ptr [ebp-38],02
"COGMIND.exe"+1A5F36: 74 08                 -  je COGMIND.exe+1A5F40
"COGMIND.exe"+1A5F38: 83 7D C8 05           -  cmp dword ptr [ebp-38],05
"COGMIND.exe"+1A5F3C: 74 28                 -  je COGMIND.exe+1A5F66
"COGMIND.exe"+1A5F3E: EB 4B                 -  jmp COGMIND.exe+1A5F8B
"COGMIND.exe"+1A5F40: 83 7D 08 05           -  cmp dword ptr [ebp+08],05
"COGMIND.exe"+1A5F44: 7E 1E                 -  jle COGMIND.exe+1A5F64
}
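Added example (not code from the thread or from Cheat Engine): a Python helper that reads the "ORIGINAL CODE" listing Cheat Engine pastes into the script comment and works out the numbers the posts above reason about by hand: how many bytes the injection covers, how many NOPs pad a `jmp newmem` (the `nop 4` in the Alert script) or a NOP-only patch (the six 90s for the Tracking mov), and the `db` restore line for [DISABLE]. The listings are constructed copies; the Tracking one uses a placeholder offset.

```python
import re

# Constructed copies of the listing format Cheat Engine pastes into the script's
# trailing comment block. The Alert lines match the posted script; the Tracking
# listing is rebuilt from the thread's bytes with a placeholder offset (+000000).
ALERT_LISTING = """\
"COGMIND.exe"+1A5F1B: 8B 45 CC              -  mov eax,[ebp-34]
// ---------- INJECTING HERE ----------
"COGMIND.exe"+1A5F1E: 89 10                 -  mov [eax],edx
"COGMIND.exe"+1A5F20: 83 3D BC 27 AF 00 00  -  cmp dword ptr [COGMIND.exe+6F27BC],00
// ---------- DONE INJECTING  ----------
"COGMIND.exe"+1A5F27: 74 62                 -  je COGMIND.exe+1A5F8B
"""
TRACKING_LISTING = """\
// ---------- INJECTING HERE ----------
"COGMIND.exe"+000000: 89 82 88 00 00 00     -  mov [edx+00000088],eax
// ---------- DONE INJECTING  ----------
"""

LINE_RE = re.compile(r'^"[^"]+"\+([0-9A-Fa-f]+):\s+((?:[0-9A-Fa-f]{2}\s+)+)-\s+(.+)$')
JMP_LEN = 5  # `jmp newmem` assembles to E9 rel32, 5 bytes in 32-bit code


def injected_instructions(listing):
    """(offset, bytes, text) for each instruction between the INJECTING markers."""
    rows, inside = [], False
    for line in listing.splitlines():
        if "INJECTING HERE" in line:
            inside = True
        elif "DONE INJECTING" in line:
            break
        elif inside and (m := LINE_RE.match(line.strip())):
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3).strip()))
    return rows


def hexline(data):
    return " ".join(f"{b:02X}" for b in data)


def patch_plan(listing):
    """Sizes and db lines for both patch styles: NOP-only overwrite and jmp-to-newmem hook."""
    original = b"".join(b for _, b, _ in injected_instructions(listing))
    if len(original) < JMP_LEN:
        raise ValueError("a hook needs at least 5 bytes; include the next instruction too")
    return {
        "length": len(original),  # every byte you overwrite has to be replaced or padded
        "nop_only": "db " + hexline(b"\x90" * len(original)),  # one 90 per replaced byte
        "hook_nops": len(original) - JMP_LEN,  # the N in `nop N` after `jmp newmem`
        "restore": "db " + hexline(original),  # the [DISABLE] line that puts the bytes back
    }


if __name__ == "__main__":
    for name, listing in ("Alert", ALERT_LISTING), ("Tracking", TRACKING_LISTING):
        print(name, patch_plan(listing))
```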

Re: Absolute beginner: Your first ammo script

Posted: Fri Feb 21, 2020 1:53 am
by Lord Blade
So, I'm trying that code you listed, but I keep getting errors. Like while scanning AOB Alert, not all found and such.

Re: Absolute beginner: Your first ammo script

Posted: Fri Feb 21, 2020 11:42 pm
by TimFun13
Lord Blade wrote:
Fri Feb 21, 2020 1:53 am
So, I'm trying that code you listed, but I keep getting errors. Like while scanning AOB Alert, not all found and such.
That's the AOB you posted, so it sounds like the game got an update since then. You'll just have to find the injection point again, and then try to zero the register.

Re: Absolute beginner: Your first ammo script

Posted: Thu Sep 10, 2020 10:38 pm
by darkh2o
So I guess I qualify as the absolute beginner. I have been able to find the address I need to stop or change a timer. I followed this guide to try to make a CT file so I don't have to look for the address on every game launch.
I seem to get lost after the script creation. After the script is made, how do I export it as a CT file? Did I miss that part?

*Edit* I figured it out.