Help with changing address
Posted: Fri Jun 05, 2020 9:46 pm
You can manually scan for the AOB to check it: just set the value type to "array of bytes" and set the "writable", "executable", and "copyOnWrite" flags to "both" (i.e. the full box, neither checked nor unchecked). This lets you check that your AOBs only have one result.
And for the script you posted: make sure that if you PUSH something (like EAX), you POP it when you're done, or else you'll throw off the stack and likely get a crash, or odd behavior at the very least. In the disable section use the original code or the original bytes, but not both, as you'll override the bytes after the injection point. It's better to use the bytes, as the code could be assembled differently and be a different length. And make sure you include the original code in the injected script, or else you'll have a register not set correctly. I'm not sure if leaving out the [c]mov eax,00000001[/c] is intentional, but if not, you need to have that to set EAX to what it needs to be.
[CODE=cea][ENABLE]
aobscan(expmult,89 11 B8 01 00 00 00 83 3D ?? ?? ?? 01 00 72 10 77 0C 81 3D ) // should be unique
alloc(newmem,$1000)
label(code)
label(returnhere)
label(exit)

newmem:
  pushf               // sub/imul/add change the flags, so save them
  mov eax,[ecx]       // eax = current value
  sub edx,eax         // edx = gain (new value - current value)
  imul edx,5          // multiply the gain by 5
  add edx,eax         // edx = current value + gain*5
code:
  mov [ecx],edx       // original code: store the new value
  mov eax,00000001    // original code: EAX must be 1 when we return
  popf                // restore the flags
exit:
  jmp returnhere

expmult:
  jmp newmem          // 5 bytes
  nop 2               // pad to the 7 bytes that were overwritten
returnhere:
registersymbol(expmult)

[DISABLE]
expmult:
  db 89 11 B8 01 00 00 00 // original bytes: mov [ecx],edx / mov eax,00000001
unregistersymbol(expmult)
dealloc(newmem)[/CODE]
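As an added example (not part of the original post and not Cheat Engine code), here is a small Python AOB scanner that does the "only one result" check described above and works out how many nops the 5-byte jmp needs to cover the 7 overwritten bytes. The sample buffer and the bytes filled into the wildcard positions are constructed for the example.

```python
import re

# The AOB from the post; '??' are CE wildcards where the cmp operand address varies.
EXP_PATTERN = "89 11 B8 01 00 00 00 83 3D ?? ?? ?? 01 00 72 10 77 0C 81 3D"

# Bytes the injected jmp overwrites (the disable section restores them with db).
ORIGINAL_BYTES = bytes.fromhex("89 11 B8 01 00 00 00")


def parse_aob(pattern: str) -> re.Pattern:
    """Compile a CE-style AOB string into a byte regex.

    '??' (or '*') matches any single byte; every other token must be a hex byte.
    The lookahead wrapper makes overlapping matches visible, so a pattern that
    repeats inside itself is still counted correctly.
    """
    parts = []
    for tok in pattern.split():
        if tok in ("??", "*"):
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def aob_scan(buf: bytes, pattern: str) -> list:
    """Return every offset in buf where the pattern matches."""
    return [m.start() for m in parse_aob(pattern).finditer(buf)]


def is_unique(buf: bytes, pattern: str) -> bool:
    """True only if the pattern hits exactly once (safe to use as an injection point)."""
    return len(aob_scan(buf, pattern)) == 1


def nops_needed(overwritten: bytes, jmp_len: int = 5) -> int:
    """How many nops must follow a near jmp so the patch covers whole instructions."""
    if len(overwritten) < jmp_len:
        raise ValueError("overwritten span is shorter than the jmp itself")
    return len(overwritten) - jmp_len


# Constructed sample buffer (not a real binary): filler, one real occurrence with
# the wildcards filled in with a made-up address, nops, then a near miss (89 01).
SAMPLE = (
    b"\x55\x8b\xec" * 4
    + bytes.fromhex("89 11 B8 01 00 00 00 83 3D 10 20 30 01 00 72 10 77 0C 81 3D")
    + b"\x90" * 8
    + bytes.fromhex("89 01 B8 01 00 00 00 83 3D 10 20 30 01 00 72 10 77 0C 81 3D")
)
```

Running `aob_scan(SAMPLE, EXP_PATTERN)` gives a single offset, and `nops_needed(ORIGINAL_BYTES)` gives the 2 that the script's `nop 2` uses.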