Hello, to avoid using the injection code I found in my game a location where there are only zero (00 00 00 00 00 00 00 00)
I used HxD hex editor to put my code. and after I made a jmp to this one. but the moment my game executes the code it crashes. Why ?
Do you need to add something before or after ?
To avoid the injection code
-
mgr.inz.Player
- Cheater
- Posts: 37
- Joined: Fri Mar 03, 2017 8:41 am
- Reputation: 42
To avoid the injection code
Find a cave filled with "90" or "cc" as close as possible.
You can also find caves filled with many kinds of nop with "Assemblyscan" (memory viewer -> search -> find assembly code)
Use a call instead of jump. Last instruction should be ret.
Example with Tutorial-x86_64.exe. There is nice spot with multibyte NOP:
[CODE=cea]Tutorial-x86_64.exe+3161 - 66 66 66 0F1F 84 00 00000000 - nop word ptr [rax+rax+00000000]
Tutorial-x86_64.exe+316C - 0F1F 40 00 - nop dword ptr [rax+00][/CODE]
Fortunately there is a jump which skips whole NOP'ed area:
[CODE=cea]Tutorial-x86_64.exe+315F - EB 21 - jmp Tutorial-x86_64.exe+3182[/CODE]
And Dissect code shows there are no jumps to "Tutorial-x86_64.exe+3161" and "Tutorial-x86_64.exe+316C"
We can use whole 15 bytes... Lets do a hack for tutorial step 2. We will bring health to 999, so it will be still 990 something after hit.
First, test it with AA script:
[CODE=cea]define(address,"Tutorial-x86_64.exe"+2B0EE)
define(bytes,83 BB F0 07 00 00 00)
[ENABLE]
// cave with 15 bytes
Tutorial-x86_64.exe+3161:
code:
mov dword ptr [rbx+000007F0],#999
ret
address:
call Tutorial-x86_64.exe+3161
nop
nop
[DISABLE]
address:
db bytes
// cmp dword ptr [rbx+000007F0],00
//cave's orig bytes
Tutorial-x86_64.exe+3161:
db 66 66 66 0F 1F 84 00 00 00 00 00
db 0F 1F 40 00
// Tutorial-x86_64.exe+3161 - 66 66 66 0F1F 84 00 00000000 - nop word ptr [rax+rax+00000000]
// Tutorial-x86_64.exe+316C - 0F1F 40 00 - nop dword ptr [rax+00][/CODE]
[B]Edit:[/B]
Someone could say 15 bytes is not that much. This already takes 10bytes (of course plus 1 byte for ret)
[code=cea]C7 83 F0070000 E7030000 - mov [rbx+000007F0],#999[/code]
What if you want to change other addresses at the same time, e.g. armor, lets say at [rbx+000007FC]?
[code=cea]C7 83 F0070000 E7030000 - mov [rbx+000007F0],#999 // health
C7 83 FC070000 E7030000 - mov [rbx+000007FC],#999 //armor
ret[/code]
That's 21 bytes.
Maybe 999 is too fancy, lets try 99:
[code=cea]C7 83 F0070000 63000000 - mov [rbx+000007F0],#99 // health
C7 83 FC070000 63000000 - mov [rbx+000007FC],#99 //armor
ret[/code]
Nope, still 21 bytes. We can go around that. You can analyze the code and check which CPU registers you can alter.
For example RAX and RCX registers are free - in your case those can be different registers. This changes previous codes to this:
[CODE=cea]B1 63 - mov cl,#99 // 2 bytes
48 8D 83 F0070000 - lea rax,[rbx+000007F0] // 7 bytes
88 08 - mov [rax],cl // 2 bytes
88 48 0C - mov [rax+0C],cl // 3 bytes
// 14 bytes total
[/CODE]
14 bytes plus 1 byte for ret = 15
You can also find caves filled with many kinds of nop with "Assemblyscan" (memory viewer -> search -> find assembly code)
Use a call instead of jump. Last instruction should be ret.
Example with Tutorial-x86_64.exe. There is nice spot with multibyte NOP:
[CODE=cea]Tutorial-x86_64.exe+3161 - 66 66 66 0F1F 84 00 00000000 - nop word ptr [rax+rax+00000000]
Tutorial-x86_64.exe+316C - 0F1F 40 00 - nop dword ptr [rax+00][/CODE]
Fortunately there is a jump which skips whole NOP'ed area:
[CODE=cea]Tutorial-x86_64.exe+315F - EB 21 - jmp Tutorial-x86_64.exe+3182[/CODE]
And Dissect code shows there are no jumps to "Tutorial-x86_64.exe+3161" and "Tutorial-x86_64.exe+316C"
We can use whole 15 bytes... Lets do a hack for tutorial step 2. We will bring health to 999, so it will be still 990 something after hit.
First, test it with AA script:
[CODE=cea]define(address,"Tutorial-x86_64.exe"+2B0EE)
define(bytes,83 BB F0 07 00 00 00)
[ENABLE]
// cave with 15 bytes
Tutorial-x86_64.exe+3161:
code:
mov dword ptr [rbx+000007F0],#999
ret
address:
call Tutorial-x86_64.exe+3161
nop
nop
[DISABLE]
address:
db bytes
// cmp dword ptr [rbx+000007F0],00
//cave's orig bytes
Tutorial-x86_64.exe+3161:
db 66 66 66 0F 1F 84 00 00 00 00 00
db 0F 1F 40 00
// Tutorial-x86_64.exe+3161 - 66 66 66 0F1F 84 00 00000000 - nop word ptr [rax+rax+00000000]
// Tutorial-x86_64.exe+316C - 0F1F 40 00 - nop dword ptr [rax+00][/CODE]
[B]Edit:[/B]
Someone could say 15 bytes is not that much. This already takes 10bytes (of course plus 1 byte for ret)
[code=cea]C7 83 F0070000 E7030000 - mov [rbx+000007F0],#999[/code]
What if you want to change other addresses at the same time, e.g. armor, lets say at [rbx+000007FC]?
[code=cea]C7 83 F0070000 E7030000 - mov [rbx+000007F0],#999 // health
C7 83 FC070000 E7030000 - mov [rbx+000007FC],#999 //armor
ret[/code]
That's 21 bytes.
Maybe 999 is too fancy, lets try 99:
[code=cea]C7 83 F0070000 63000000 - mov [rbx+000007F0],#99 // health
C7 83 FC070000 63000000 - mov [rbx+000007FC],#99 //armor
ret[/code]
Nope, still 21 bytes. We can go around that. You can analyze the code and check which CPU registers you can alter.
For example RAX and RCX registers are free - in your case those can be different registers. This changes previous codes to this:
[CODE=cea]B1 63 - mov cl,#99 // 2 bytes
48 8D 83 F0070000 - lea rax,[rbx+000007F0] // 7 bytes
88 08 - mov [rax],cl // 2 bytes
88 48 0C - mov [rax+0C],cl // 3 bytes
// 14 bytes total
[/CODE]
14 bytes plus 1 byte for ret = 15
Last edited by mgr.inz.Player on Sat May 23, 2020 4:34 pm, edited 8 times in total.
To avoid the injection code
Thank you very much for your explanation. If I understood correctly you can write code only on 90 and CC?
On 00 is it impossible?
On 00 is it impossible?
-
mgr.inz.Player
- Cheater
- Posts: 37
- Joined: Fri Mar 03, 2017 8:41 am
- Reputation: 42
To avoid the injection code
It is possible to use code caves filled with 0x00. But:
- it can happen you just found a structure with many vars and those vars are initialized with zeros. Altering it will cause unpredictable behavior.
- when you found code cave filled with 0x00 in memory, let's say cave size is 300-500 bytes, it can happen that this cave is few times smaller in the EXE file.
Usually the number of CC bytes or multibyte NOP doesn't change. E.g. in memory you see twelve CC between two functions - there are very high chances it will still be twelve CC in EXE file opened with hex editor.
[QUOTE="KevinDA, post: 136749, member: 39812"]
code only on 90
[/QUOTE]
NOP aren't just 90. There are also multibyte NOPs. You can scan for them with Assemblyscan and this pattern:
[code=cea]nop*[rax+rax+00][/code]
and this
[code=cea]nop*[rax+rax+00000000][/code]
The second one I used to find code cave inside Tutorial-x86_64.exe.
I also saw other "fillers" used by compilers.
e.g.
[code=cea]lea rsi,[rsi+00]
lea rdi,[rdi+00000000]
lea rsi,[rsi+00000000][/code]
- it can happen you just found a structure with many vars and those vars are initialized with zeros. Altering it will cause unpredictable behavior.
- when you found code cave filled with 0x00 in memory, let's say cave size is 300-500 bytes, it can happen that this cave is few times smaller in the EXE file.
Usually the number of CC bytes or multibyte NOP doesn't change. E.g. in memory you see twelve CC between two functions - there are very high chances it will still be twelve CC in EXE file opened with hex editor.
[QUOTE="KevinDA, post: 136749, member: 39812"]
code only on 90
[/QUOTE]
NOP aren't just 90. There are also multibyte NOPs. You can scan for them with Assemblyscan and this pattern:
[code=cea]nop*[rax+rax+00][/code]
and this
[code=cea]nop*[rax+rax+00000000][/code]
The second one I used to find code cave inside Tutorial-x86_64.exe.
I also saw other "fillers" used by compilers.
e.g.
[code=cea]lea rsi,[rsi+00]
lea rdi,[rdi+00000000]
lea rsi,[rsi+00000000][/code]
Last edited by mgr.inz.Player on Wed May 27, 2020 1:14 am, edited 2 times in total.
Who is online
Users browsing this forum: No registered users