Page 1 of 1
opcode int 3 crash anti-cheat??
Posted: Mon Nov 25, 2019 5:06 pm
by mlengka93
tried some script for RPGmaker game RGSS104E.dll
it's for pokemon rejuv, what i did is : create AOB for that eviv and then even with only original code (unmodified) the game crash and pointed out at this int 3 memory location. Is it somekind of anti cheat debug or did i do something wrong? help me
Re: opcode int 3 crash anti-cheat??
Posted: Mon Nov 25, 2019 5:08 pm
by mlengka93
with the same kind method it's working for Pokemon reborn tho..
Re: opcode int 3 crash anti-cheat??
Posted: Thu Nov 28, 2019 2:11 pm
by mlengka93
the idea is when accessing inventory this
mov eax,[eax+ecx*4] get eax address for the item
Code: Select all
[ENABLE]
aobscanmodule(aob_itemedit,RGSS104E.dll,8B 04 88 5D C3) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
globalalloc(p_isSome,4)
newmem:
mov [p_isSome],eax
code:
mov eax,[eax+ecx*4]
pop ebp
ret
jmp return
aob_itemedit:
jmp newmem
return:
registersymbol(aob_itemedit)
[DISABLE]
aob_itemedit:
db 8B 04 88 5D C3
unregistersymbol(aob_itemedit)
unregistersymbol(p_isSome)
dealloc(newmem)
Re: opcode int 3 crash anti-cheat??
Posted: Thu Nov 28, 2019 2:23 pm
by cfemen
Looks like you return to the INT3 coz you are using the overriden ret in your allocated memory.
easiest solution : Inject at 8B 4D 0C/+2A2C3 = ret stays and will jump correctly back.
Re: opcode int 3 crash anti-cheat??
Posted: Thu Nov 28, 2019 3:03 pm
by mlengka93
cfemen wrote: ↑Thu Nov 28, 2019 2:23 pm
Looks like you return to the INT3 coz you are using the overriden
ret in your allocated memory.
easiest solution : Inject at 8B 4D 0C/+2A2C3 =
ret stays and will jump correctly back.
hehehe it works. By any chance do you know why this one cause the game crash, its for filtering, next step of finding the base address. Anyway, thanks a lot for your help
Code: Select all
push ebx
mov ebx,[health]
cmp [eax+ecx*4],ebx
pop ebx
jne evive_orig
crash point at cmp [eax+ecx*4],ebx part/line
Re: opcode int 3 crash anti-cheat??
Posted: Thu Nov 28, 2019 3:10 pm
by cfemen
mlengka93 wrote: ↑Thu Nov 28, 2019 3:03 pm
cfemen wrote: ↑Thu Nov 28, 2019 2:23 pm
Looks like you return to the INT3 coz you are using the overriden
ret in your allocated memory.
easiest solution : Inject at 8B 4D 0C/+2A2C3 =
ret stays and will jump correctly back.
hehehe it works. By any chance do you know why this one cause the game crash, its for filtering, next step of finding the base address. Anyway, thanks a lot for your help
Code: Select all
push ebx
mov ebx,[health]
cmp [eax+ecx*4],ebx
pop ebx
jne evive_orig
crash point at cmp [eax+ecx*4],ebx part/line
mh you could try something like:
Code: Select all
push edx
mov edx, [eax+ecx*4]
cmp edx, ebx
pop edx
if its still crash then use a breakpoint and check the values of eax and ecx
Re: opcode int 3 crash anti-cheat??
Posted: Thu Nov 28, 2019 3:22 pm
by mlengka93
cfemen wrote: ↑Thu Nov 28, 2019 3:10 pm
mlengka93 wrote: ↑Thu Nov 28, 2019 3:03 pm
cfemen wrote: ↑Thu Nov 28, 2019 2:23 pm
Looks like you return to the INT3 coz you are using the overriden
ret in your allocated memory.
easiest solution : Inject at 8B 4D 0C/+2A2C3 =
ret stays and will jump correctly back.
hehehe it works. By any chance do you know why this one cause the game crash, its for filtering, next step of finding the base address. Anyway, thanks a lot for your help
Code: Select all
push ebx
mov ebx,[health]
cmp [eax+ecx*4],ebx
pop ebx
jne evive_orig
crash point at cmp [eax+ecx*4],ebx part/line
mh you could try something like:
Code: Select all
push edx
mov edx, [eax+ecx*4]
cmp edx, ebx
pop edx
if its still crash then use a breakpoint and check the values of eax and ecx
[/quote]
still crash at the part mov ebx, [eax+ecx*4] can't i even do anything with [eax+ecx*4] code haha, can't even cmp them and mov
Re: opcode int 3 crash anti-cheat??
Posted: Thu Nov 28, 2019 3:26 pm
by cfemen
use breakpoint to check eax and ecx to see the values, looks like eax does not have a correct address.
Edit : you do this compare in aob_itemedit?
if yes:
Before or after:
mov eax,[eax+ecx*4]
?
Re: opcode int 3 crash anti-cheat??
Posted: Thu Nov 28, 2019 3:35 pm
by mlengka93
cfemen wrote: ↑Thu Nov 28, 2019 3:26 pm
use breakpoint to check eax and ecx to see the values, looks like eax does not have a correct address.
Edit : you do this compare in
aob_itemedit?
edx is right but ebx is 0, and
yes, i mean its aobeviv but share the same code, i put the wrong one there
here is the script
is it a bad idea do a cmp in aob?
Code: Select all
[ENABLE]
aobscanmodule(aob_eviv,RGSS104E.dll,8B 4D 0C 8B 04 88) // should be unique
alloc(newmem,128,RGSS104E.dll)
label(code)
label(return)
label(findEvivPointer) //Find EV & IV Pointer
label(findEvivPointer_status)
registersymbol(findEvivPointer_status)
label(health) //HP
registersymbol(health)
label(attack) //Attack
registersymbol(attack)
label(defense) //Defense
registersymbol(defense)
label(specialAttack) //Special Attack
registersymbol(specialAttack)
label(specialDefense) //Special Defense
registersymbol(specialDefense)
label(speed) //Speed
registersymbol(speed)
globalalloc(p_isEviv,4) //EV & IV Pointer
//---------------------//
newmem:
cmp [findEvivPointer_status],1
je findEvivPointer
jmp code
//--------------------//
findEvivPointer:
push edx
push ebx
mov edx,[health]
mov ebx,[eax+ecx*4]
cmp edx,ebx
pop edx
pop ebx
jne code
push edx
mov edx,[attack]
cmp [eax+ecx*4],edx
pop edx
jne code
push edx
mov edx,[defense]
cmp [eax+ecx*4],edx
pop edx
jne code
push edx
mov edx,[speed]
cmp [eax+ecx*4],edx
pop edx
jne code
push edx
mov edx,[specialAttack]
cmp [eax+ecx*4],edx
pop edx
jne code
push edx
mov edx,[specialDefense]
cmp [eax+ecx*4],edx
pop edx
jne code
mov [p_isEviv],eax
mov ecx,[ebp+0C]
mov eax,[eax+ecx*4]
mov [findEvivPointer_status],0
jmp return
findEvivPointer_status:
dd 0
health:
dd 0
attack:
dd 0
defense:
dd 0
specialAttack:
dd 0
specialDefense:
dd 0
speed:
dd 0
code:
mov ecx,[ebp+0C]
mov eax,[eax+ecx*4]
jmp return
aob_eviv:
jmp newmem
nop
return:
registersymbol(aob_eviv)
[DISABLE]
aob_eviv:
db 8B 4D 0C 8B 04 88
unregistersymbol(aob_eviv)
dealloc(newmem)
unregistersymbol(findEvivPointer_status)
unregistersymbol(health)
unregistersymbol(attack)
unregistersymbol(defense)
unregistersymbol(specialAttack)
unregistersymbol(specialDefense)
unregistersymbol(speed)
unregistersymbol(p_isEviv)
Re: opcode int 3 crash anti-cheat??
Posted: Thu Nov 28, 2019 3:49 pm
by cfemen
no its ok, it would only be a problem(if you dont restore the flags) when you using a cmp if there is an conditial jump after the Inject.
i cant tell why its crashing.
but you have a logic error in your script:
its the wrong order ^^
first pop ebx then edx, coz you pushed edx first.
like i said, i cant tell why its crashing without debugging it myself :/
Re: opcode int 3 crash anti-cheat??
Posted: Thu Nov 28, 2019 3:54 pm
by cfemen
Wait i maybe see the problem
mov ebx,[eax+ecx*4]
ecx cant have the right value.
do a mov ecx,[ebp+0C] before
Re: opcode int 3 crash anti-cheat??
Posted: Thu Nov 28, 2019 4:11 pm
by mlengka93
cfemen wrote: ↑Thu Nov 28, 2019 3:54 pm
Wait i maybe see the problem
mov ebx,[eax+ecx*4]
ecx cant have the right value.
do a mov ecx,[ebp+0C] before
Well well well, finaly!!!! YEAAAAHH!!! THANK YOU
phew, now i can rest hehehehehehehe