CODE INJECTION HELP

Memory scanning, code injection, debugger internals and other gamemodding related discussion
KevinDA
Cheater
Posts: 34
Joined: Thu Apr 16, 2020 12:28 pm
Reputation: 0

CODE INJECTION HELP

Post by KevinDA »

Good evening. In my injection code, instead of API_x64.exe+FCDC50, I would like to put the future address of the line where there is lea eax,[rcx+09] (the last line of my script).

How do I do that?



[CODE=cea]alloc(newmem,2048,"API_x64.exe"+FCDC50)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
ja API_x64.exe+FCDC50
cmp ecx,01
cmove eax,r8d
cmp eax,3F
ja API_x64.exe+FCDC50
mov rdx,[r9+rax*8]
test rdx,rdx
je API_x64.exe+FCDC50
cmp [rdx+00000118],r12d
je API_x64.exe+FCDC50
cmp [rdx+0000011C],r12d
je API_x64.exe+FCDC50
mov eax,ebx
mov [rbp+rax*8+000012D0],rdx
mov ebx,[rbp-70]
inc ebx
mov [rbp-70],ebx
lea eax,[rcx+09]

originalcode:
lea eax,[rcx+08]
cmp eax,09

exit:
jmp returnhere

"API_x64.exe"+FCDC50:
jmp newmem
nop
returnhere:[/CODE]

TheyCallMeTim13
Administration
Posts: 1480
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 736


Post by TheyCallMeTim13 »

Use an [URL='https://fearlessrevolution.com/threads/6637/'][U]AOB scan[/U][/URL].

[CODE=cea]aobScanModule(injectionPoint, API_x64.exe, )
registerSymbol(injectionPoint)

alloc(newmem,2048, injectionPoint)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
ja injectionPoint
cmp ecx,01
cmove eax,r8d
cmp eax,3F
ja injectionPoint
mov rdx,[r9+rax*8]
test rdx,rdx
je injectionPoint
cmp [rdx+00000118],r12d
je injectionPoint
cmp [rdx+0000011C],r12d
je injectionPoint
mov eax,ebx
mov [rbp+rax*8+000012D0],rdx
mov ebx,[rbp-70]
inc ebx
mov [rbp-70],ebx
lea eax,[rcx+09]

originalcode:
lea eax,[rcx+08]
cmp eax,09

exit:
jmp returnhere

injectionPoint:
jmp newmem
nop
returnhere:[/CODE]

KevinDA
Cheater
Posts: 34
Joined: Thu Apr 16, 2020 12:28 pm
Reputation: 0


Post by KevinDA »

I entered the following request and it crashed the application. Do I have to add something else?

TheyCallMeTim13
Administration
Posts: 1480
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 736


Post by TheyCallMeTim13 »

Where it says "" you need to add an AOB signature. I linked a post about AOB signatures above.

KevinDA
Cheater
Posts: 34
Joined: Thu Apr 16, 2020 12:28 pm
Reputation: 0


Post by KevinDA »

Is it good this way?

I put "API_x64.exe" + FCDC50

and 8D 41 09 corresponds to this: lea eax, [rcx + 09]



[CODE=cea]aobScanModule(injectionPoint, "API_x64.exe"+FCDC50 , 8D 41 09)
registerSymbol(injectionPoint)

alloc(newmem,2048, injectionPoint)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
ja injectionPoint
cmp ecx,01
cmove eax,r8d
cmp eax,3F
ja injectionPoint
mov rdx,[r9+rax*8]
test rdx,rdx
je injectionPoint
cmp [rdx+00000118],r12d
je injectionPoint
cmp [rdx+0000011C],r12d
je injectionPoint
mov eax,ebx
mov [rbp+rax*8+000012D0],rdx
mov ebx,[rbp-70]
inc ebx
mov [rbp-70],ebx
lea eax,[rcx+09]

originalcode:
lea eax,[rcx+08]
cmp eax,09

exit:
jmp returnhere

injectionPoint:
jmp newmem
nop
returnhere:[/CODE]

TheyCallMeTim13
Administration
Posts: 1480
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 736


Post by TheyCallMeTim13 »

You should add a few more bytes; you need it to be unique. And you want the second parameter to be a module, not an address.

[CODE=cea]...
aobScanModule(injectionPoint, API_x64.exe, 8D 41 09 ?? ?? ?? ??)
...[/CODE]
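Added illustration of the uniqueness point made in the two replies above (this is editor-added Python, not code from either poster and not Cheat Engine's own scanner): a small byte-signature matcher that understands `??` wildcards, and a check that reports whether a signature hits exactly once in a buffer. The `MODULE` buffer is a constructed stand-in for a module's code section, with the `lea eax,[rcx+09]` byte sequence deliberately present twice; the function names `parse_signature`, `find_all` and `scan_unique` are this example's own.

```python
# Added example: wildcard byte-signature matching plus a uniqueness check,
# the property an AOB signature needs before it can serve as an anchor.
from typing import List, Optional, Tuple

Pattern = List[Optional[int]]  # None means "any byte" (the ?? wildcard)


def parse_signature(sig: str) -> Pattern:
    """Turn '8D 41 09 ?? ??' into [0x8D, 0x41, 0x09, None, None]."""
    pattern: Pattern = []
    for tok in sig.split():
        if tok in ("??", "?"):
            pattern.append(None)
        elif len(tok) == 2:
            pattern.append(int(tok, 16))  # raises ValueError on non-hex input
        else:
            raise ValueError(f"bad byte token {tok!r}")
    if not pattern or all(b is None for b in pattern):
        raise ValueError("signature must contain at least one fixed byte")
    return pattern


def find_all(buf: bytes, pattern: Pattern) -> List[int]:
    """Return every offset in buf where the pattern matches; wildcards match anything."""
    n = len(pattern)
    hits: List[int] = []
    for i in range(len(buf) - n + 1):
        if all(b is None or buf[i + j] == b for j, b in enumerate(pattern)):
            hits.append(i)
    return hits


def scan_unique(buf: bytes, sig: str) -> Tuple[Optional[int], int]:
    """Return (offset, hit_count); offset is None unless the signature hits exactly once."""
    hits = find_all(buf, parse_signature(sig))
    return (hits[0] if len(hits) == 1 else None, len(hits))


# Constructed stand-in for a module's code section (hand-assembled x86-64 bytes
# for illustration only). "lea eax,[rcx+09]" appears twice on purpose, so a
# 3-byte signature is ambiguous and only the following bytes tell the copies apart.
MODULE = bytes.fromhex(
    "909090"    # nop padding                        offset 0
    "8D4109"    # lea eax,[rcx+09]  (first copy)     offset 3
    "83F80A"    # cmp eax,0A
    "C3"        # ret
    "90909090"  # nop padding
    "8D4109"    # lea eax,[rcx+09]  (second copy)    offset 14
    "83F809"    # cmp eax,09
    "C3"        # ret
    "9090"      # nop padding
)


def demo() -> None:
    """Show which signatures are usable against the constructed buffer."""
    for sig in ("8D 41 09", "8D 41 09 ?? ?? ?? ??",
                "8D 41 09 ?? ?? 09", "8D 41 09 83 F8 09"):
        offset, count = scan_unique(MODULE, sig)
        verdict = f"unique at offset {offset}" if offset is not None else "NOT usable"
        print(f"{sig:<22} -> {count} hit(s): {verdict}")


if __name__ == "__main__":
    demo()
```

Two things the run makes visible: the bare `8D 41 09` hits twice, and padding it with wildcards alone (`8D 41 09 ?? ?? ?? ??`) still hits twice, because the bytes that differ between the two copies are exactly the ones being wildcarded. Fixing at least one distinguishing byte from the neighbouring instruction (`8D 41 09 ?? ?? 09` or the full `8D 41 09 83 F8 09`) makes the signature unique. The same uniqueness check applies when writing detection signatures: a pattern that matches more than one location is a false-positive source, not an anchor.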
