Page 3 of 4
Re: Help separating me from enemies
Posted: Thu Oct 04, 2018 2:13 pm
by pharaon
ShyTwig16 wrote: ↑Thu Oct 04, 2018 12:25 pm
^ Find out where ebp+08 gets its value from. Something puts it on the stack, so try to find when it gets pushed.
I mentioned it in my previous post:
mov edx,[ebp-14]
mov [esp],edx
call>>>
push ebp
mov ebp,esp
push ebx
push edi
mov eax,esi
fld dword ptr [ebp+08]
So do you think it has been modified before the call to fld dword ptr [ebp+08]?
Re: Help separating me from enemies
Posted: Thu Oct 04, 2018 2:22 pm
by TimFun13
pharaon wrote: ↑Thu Oct 04, 2018 2:13 pm
...
I mentioned it in my previous post:
mov edx,[ebp-14]
mov [esp],edx
call>>>
push ebp
mov ebp,esp
push ebx
push edi
mov eax,esi
fld dword ptr [ebp+08]
So do you think it has been modified before the call to fld dword ptr [ebp+08]?
First, temporarily disable your internet connection (disconnect the wire), and make sure it's not coming from a server. Then "see what accesses this address".
Before fld dword ptr [ebp+08]? Yes, it has to be; something has to set it. Before the call, no idea; it looks like it might be set a little bit before loading the dword into the FPU register. You'll be looking for an instruction that looks like ??? [esp+??],???, ??? [ebp+??],???, or just a push ??? in the right spot. But you'll want to keep backtracing till you find where the address is coming from.
But have you looked for a different instruction? You said you used "see what writes"; did you try "see what accesses"? It just seems to me that "player gold" would be accessed somewhere else that doesn't access anything else.
Re: Help separating me from enemies
Posted: Thu Oct 04, 2018 2:33 pm
by pharaon
The function has these opcodes before that call is made:
mov edx,[ebp-14]
mov [esp],edx
So do you think it's one of them?
And if so, then which address should I be looking for?
Re: Help separating me from enemies
Posted: Thu Oct 04, 2018 2:47 pm
by TimFun13
pharaon wrote: ↑Thu Oct 04, 2018 2:33 pm
The function has these opcodes before that call is made:
mov edx,[ebp-14]
mov [esp],edx
So do you think it's one of them?
And if so, then which address should I be looking for?
Could be, but you're the only one who can know which address to look for (your gold address); you should have needed it to find this address.
Let's back up a bit.
So you found your gold address with scanning and you can freeze it with a working effect in game, correct?
If yes, then see what accesses this address (make sure to view menus, buy stuff, sell stuff, pick up gold, and do any other actions with gold), and post the results.
Re: Help separating me from enemies
Posted: Thu Oct 04, 2018 2:58 pm
by pharaon
ShyTwig16 wrote: ↑Thu Oct 04, 2018 2:47 pm
Let's back up a bit.
So you found your gold address with scanning and you can freeze it with a working effect in game, correct?
OK, let me explain my situation, and I'm kindly asking for some focus.
This game has encrypted values.
I search for increase/decrease value till I get the address with the encrypted value of gold; of course the value is different from the displayed one, since it's encrypted.
The second step I did was to find out what writes to that address; I got the opcode
mov [edx+ecx*4],eax <<<< which writes the encrypted value
So the [ebp+08] is before encryption, but I can't separate myself from the enemies.
That's why I don't know what address I should be looking for in the stack, because I don't know exactly what the address of gold is before encryption.
Re: Help separating me from enemies
Posted: Thu Oct 04, 2018 3:12 pm
by TimFun13
pharaon wrote: ↑Thu Oct 04, 2018 2:58 pm
...
OK, let me explain my situation, and I'm kindly asking for some focus.
This game has encrypted values.
I search for increase/decrease value till I get the address with the encrypted value of gold; of course the value is different from the displayed one, since it's encrypted.
The second step I did was to find out what writes to that address; I got the opcode
mov [edx+ecx*4],eax <<<< which writes the encrypted value
So the [ebp+08] is before encryption, but I can't separate myself from the enemies.
That's why I don't know what address I should be looking for in the stack, because I don't know exactly what the address of gold is before encryption.
This is the first time you mentioned encrypted values, so I kindly ask for all relevant information.
But the big question is: do you have the right address? Even if it's encrypted, you should be able to freeze it with an effect in game.
And it might be easier to reverse the encryption and just decrypt the value somewhere else. If you have the decrypted value, you should be able to step through the code and see how it's encrypted.
Re: Help separating me from enemies
Posted: Thu Oct 04, 2018 6:48 pm
by pharaon
This is the first time you mentioned encrypted values, so I kindly ask for all relevant information.
What relevant information do you want? I'll provide it.
But the big question is: do you have the right address? Even if it's encrypted, you should be able to freeze it with an effect in game.
Yes, it's the right address, and when I change its value I get a totally different value in the displayed amount of gold.
And it might be easier to reverse the encryption and just decrypt the value somewhere else. If you have the decrypted value, you should be able to step through the code and see how it's encrypted.
This is the game code:
// ---------- INJECTING HERE ----------
"StrongholdBase.dll"+2CE041: 8B 45 08 - mov eax,[ebp+08] <<<< this is where my gold and the enemies' gold is set
"StrongholdBase.dll"+2CE044: 8B 49 78 - mov ecx,[ecx+78]
// ---------- DONE INJECTING ----------
"StrongholdBase.dll"+2CE047: 33 C2 - xor eax,edx <<<<< I think here is where it gets encrypted
"StrongholdBase.dll"+2CE049: 8B 97 2C 01 00 00 - mov edx,[edi+0000012C]
"StrongholdBase.dll"+2CE04F: 5F - pop edi
"StrongholdBase.dll"+2CE050: 84 DB - test bl,bl
"StrongholdBase.dll"+2CE052: 89 04 8A - mov [edx+ecx*4],eax <<<< this is what writes to the address of the encrypted gold value
Re: Help separating me from enemies
Posted: Fri Oct 05, 2018 12:28 am
by TimFun13
pharaon wrote: ↑Thu Oct 04, 2018 6:48 pm
...
What relevant information do you want? I'll provide it.
...
Like if the value is encrypted, like I said in that sentence. Or if you're online. The main thing was you asked for focus, but you seem to be not focusing on what you're trying to do. I just threw a similar statement back at you, mostly just fuckin with you.
pharaon wrote: ↑Thu Oct 04, 2018 6:48 pm
...
But the big question is: do you have the right address? Even if it's encrypted, you should be able to freeze it with an effect in game.
Yes, it's the right address, and when I change its value I get a totally different value in the displayed amount of gold.
So, did you freeze the value, does this freeze the value in game?
pharaon wrote: ↑Thu Oct 04, 2018 6:48 pm
...
This is the game code:
// ---------- INJECTING HERE ----------
"StrongholdBase.dll"+2CE041: 8B 45 08 - mov eax,[ebp+08] <<<< this is where my gold and the enemies' gold is set
"StrongholdBase.dll"+2CE044: 8B 49 78 - mov ecx,[ecx+78]
// ---------- DONE INJECTING ----------
"StrongholdBase.dll"+2CE047: 33 C2 - xor eax,edx <<<<< I think here is where it gets encrypted
"StrongholdBase.dll"+2CE049: 8B 97 2C 01 00 00 - mov edx,[edi+0000012C]
"StrongholdBase.dll"+2CE04F: 5F - pop edi
"StrongholdBase.dll"+2CE050: 84 DB - test bl,bl
"StrongholdBase.dll"+2CE052: 89 04 8A - mov [edx+ecx*4],eax <<<< this is what writes to the address of the encrypted gold value
So find out what edx is, then you just xor it, like the game is doing. Then find where it reads the value and see how it gets decrypted.
Re: Help separating me from enemies
Posted: Fri Oct 05, 2018 1:40 am
by pharaon
This opcode
mov eax,[ebp+08]
before the XOR is writing the gold amount of me and the enemies to one address,
and I don't know how the game separates it.
When I breakpoint this code, I find each time I step into it that it writes the gold amount of each player to the same address.
I want to know how to separate them.
Re: Help separating me from enemies
Posted: Fri Oct 05, 2018 1:27 pm
by pharaon
How can I take advantage of the FPU?
When I check on the one address that all the gold amounts of me and the enemies are written to,
I find my value in the FPU register;
1500 is my gold.
Re: Help separating me from enemies
Posted: Fri Oct 05, 2018 3:12 pm
by pharaon
So find out what edx is, then you just xor it, like the game is doing. Then find where it reads the value and see how it gets decrypted.
Can you tell me how to:
1- xor edx
2- find where it reads the value
3- see how it gets decrypted
I think I'm not that advanced.
Re: Help separating me from enemies
Posted: Fri Oct 05, 2018 4:24 pm
by TimFun13
pharaon wrote: ↑Fri Oct 05, 2018 3:12 pm
So find out what edx is, then you just xor it, like the game is doing. Then find where it reads the value and see how it gets decrypted.
Can you tell me how to:
1- xor edx
2- find where it reads the value
3- see how it gets decrypted
I think I'm not that advanced.
1: xor edx,??? (learn to use Google), but this isn't what I said to do; I said to xor your gold with what's in edx, like the game is doing.
2:
Again, "SEE WHAT ACCESSES THIS ADDRESS"; you keep doing see what writes, and I keep telling you to see what accesses.
3: See answer #2, then look with your eye holes, and find what gets xored with it.
ShyTwig16 wrote: ↑Tue Oct 02, 2018 1:22 pm
... I think you need to step back and take the time to learn some ASM and the basics of programming. Have you done the CE tutorial yet?
...
Re: Help separating me from enemies
Posted: Fri Oct 05, 2018 4:34 pm
by pharaon
... I think you need to step back and take the time to learn some ASM and the basics of programming. Have you done the CE tutorial yet?
I swear I've done it.
These are what's accessing the address of the encrypted gold value:
6D06DEF9 - 8B 0C 8F - mov ecx,[edi+ecx*4]
6D06E052 - 89 04 8A - mov [edx+ecx*4],eax
So can I get any use out of mov ecx,[edi+ecx*4]?
Re: Help separating me from enemies
Posted: Fri Oct 05, 2018 4:54 pm
by TimFun13
^ You asked me how to "xor edx", so no you clearly didn't take any time to learn any ASM. And you seem to be purposely not posting much of any information; until I explicitly tell you to post it, and even then it seems to take a few tries before you finally post it.
Now that you have the read instruction, see what it's xored with, like I already said to do.
Re: Help separating me from enemies
Posted: Fri Oct 05, 2018 5:16 pm
by pharaon
ShyTwig16 wrote: ↑Fri Oct 05, 2018 4:54 pm
^ You asked me how to "xor edx", so no you clearly didn't take any time to learn any ASM. And you seem to be purposely not posting much of any information; until I explicitly tell you to post it, and even then it seems to take a few tries before you finally post it.
Now that you have the read instruction, see what it's xored with, like I already said to do.
Dear ShyTwig16,
I'm not a noob nor a professional, still learning.
I know xor eax,edx can be reversed by xor,
like xor 5,6 =2
so xor 5,2=6
xor 6,2=5
The point I want to understand from you is the purpose of doing it with the xor opcode.
So after I get EAX before it's being xored, will that let me get the addresses of gold for all the players so I can change only mine, or won't it?
Because I already have the opcode before it's being xored.
The only problem I face, since I'm not that professional, is that the opcode writes to a shared address.
All the values are written to the same address one at a time,
and the only way I know to separate from enemies is using addresses for each player and doing a compare on an offset through dissect data, or by registers, or by stack.
I don't know how to separate from one address because I don't know what to compare to.
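The thread never spells out why `xor eax,edx` followed by `mov [edx+ecx*4],eax` is both a per-player write and a trivially reversible mask, so here is an added C model of that pattern. It is not code from the game or from anyone in the thread; the table size, the mask constant and the player indices are constructed for illustration, and in the real disassembly `edx` is reloaded from `[edi+0000012C]` between the xor (where it holds the mask) and the store (where it holds the table base), which the model keeps as two separate parameters.

```c
/* Added example: a model of a XOR-masked, per-player value table as implied
 * by the posted disassembly. Layout, key source and indices are assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PLAYER_COUNT 4  /* constructed; the game's real player count is unknown */

/* Models:  xor eax,edx          (eax = plain gold, edx = mask at that moment)
 *          mov [edx+ecx*4],eax  (edx = table base, ecx = player index)
 * The "shared" write instruction lands in a different slot per player because
 * ecx selects the slot; the instruction address is shared, the target is not.
 */
static void store_masked(uint32_t *table, size_t player, uint32_t mask, uint32_t plain_gold)
{
    table[player] = plain_gold ^ mask;
}

/* The read side must apply the same XOR; XOR is its own inverse. */
static uint32_t load_plain(const uint32_t *table, size_t player, uint32_t mask)
{
    return table[player] ^ mask;
}

/* Why a fixed XOR mask is not a protection: one masked value paired with its
 * known plain value (the thread mentions seeing 1500 in an FPU register)
 * gives back the mask, and the mask decodes every other slot in the table.
 */
static uint32_t recover_mask(uint32_t masked, uint32_t known_plain)
{
    return masked ^ known_plain;
}

/* Decode the whole table with a recovered mask; returns the slot count. */
static size_t decode_table(const uint32_t *table, size_t n, uint32_t mask, uint32_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = table[i] ^ mask;
    return n;
}

int main(void)
{
    uint32_t table[PLAYER_COUNT] = {0};
    uint32_t plain[PLAYER_COUNT];
    const uint32_t mask = 0xA5A5A5A5u;          /* constructed mask value */
    const uint32_t gold[PLAYER_COUNT] = {1500u, 2200u, 800u, 5000u}; /* constructed */

    for (size_t i = 0; i < PLAYER_COUNT; i++)
        store_masked(table, i, mask, gold[i]);

    /* Known-plaintext step: player 0's plain gold (1500) is observed elsewhere. */
    uint32_t recovered = recover_mask(table[0], 1500u);
    decode_table(table, PLAYER_COUNT, recovered, plain);

    printf("recovered mask 0x%08X (real 0x%08X)\n", recovered, mask);
    for (size_t i = 0; i < PLAYER_COUNT; i++)
        printf("slot %zu: masked 0x%08X -> plain %u\n", i, table[i], plain[i]);
    return 0;
}
```

The model makes two points the thread circles around: the slot is chosen by the index register, so a single store instruction is not evidence of a single shared address, and a mask that lives in a register next to the value it protects is recoverable from one known plaintext, which is why this kind of masking only defeats a naive value scan and is not a substitute for server-side authority over game state.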