Sounds good. I've been trying to look into it, but the location I found is the only one I see that does something different: if I NOP it, it tells me I don't have any items. Here is the location; it might help.
ShadowOfWar.exe+17B491E - 4C 03 98 58090000 - add r11,[rax+00000958]
And here it is as an AOB scan script, not edited:
{ Game : ShadowOfWar.exe
Version:
Date : 2017-10-10
Author : djdru
Unedited AOB-injection template. It redirects the 7-byte instruction
add r11,[rax+00000958] at "ShadowOfWar.exe"+17B491E into allocated memory,
where the same instruction is executed unchanged before jumping back, so
enabling the script as written does not change what the game computes.
NOTE(review): the Version field is blank; record the game build this was
captured on, because the offset and byte pattern below are tied to it.
}
[ENABLE]
// Locate the hook site by byte pattern inside the ShadowOfWar.exe module.
// The first seven bytes are the target instruction; the trailing 4D 89 5D is
// the start of the following mov [r13+20],r11 (see the listing at the end).
// NOTE(review): uniqueness is the template's assumption - confirm the pattern
// matches exactly one location in the build being used.
aobscanmodule(INJECT,ShadowOfWar.exe,4C 03 98 58 09 00 00 4D 89 5D) // should be unique
// Reserve $1000 bytes for the trampoline, requested near the hook address.
// NOTE(review): the hint is the hard-coded offset, not the scanned INJECT
// symbol, so it is only close to the hook while the instruction stays at
// +17B491E - confirm for the build in use.
alloc(newmem,$1000,"ShadowOfWar.exe"+17B491E)
label(code)
label(return)
// Trampoline body: newmem and code mark the same address.
newmem:
code:
// Replay of the displaced original instruction, byte-for-byte the same operation.
add r11,[rax+00000958]
// Resume the game code at the instruction following the patched bytes.
jmp return
// Patch written over the original instruction at the scanned address.
INJECT:
// Presumably assembles to a 5-byte near jump because newmem was requested
// close to the module; with the two nops that totals the 7 bytes of the
// original instruction. A longer jump encoding would spill into the next
// instruction - verify the assembled length.
jmp newmem
nop
nop
// Address right after the patched bytes; the trampoline jumps back here.
return:
// Export INJECT so the [DISABLE] section can find the patched address again.
registersymbol(INJECT)
[DISABLE]
// Restore the seven original bytes of add r11,[rax+00000958] at the hook site.
INJECT:
db 4C 03 98 58 09 00 00
// Drop the exported symbol and free the trampoline memory.
unregistersymbol(INJECT)
dealloc(newmem)
{
// Reference listing only (this whole block is a comment and is not assembled).
// NOTE(review): per the listing, r11 is loaded from [r13+20] at +17B4900,
// has [rax+00000958] added at the hook site, and is stored back to [r13+20]
// at +17B4925; the jne at +17B4930 branches back to +17B4904, so this looks
// like a loop body. What the value represents is not shown here.
// ORIGINAL CODE - INJECTION POINT: "ShadowOfWar.exe"+17B491E
"ShadowOfWar.exe"+17B48FC: 84 C0 - test al,al
"ShadowOfWar.exe"+17B48FE: 74 32 - je ShadowOfWar.exe+17B4932
"ShadowOfWar.exe"+17B4900: 4D 8B 5D 20 - mov r11,[r13+20]
"ShadowOfWar.exe"+17B4904: 8B 17 - mov edx,[rdi]
"ShadowOfWar.exe"+17B4906: 49 8B CC - mov rcx,r12
"ShadowOfWar.exe"+17B4909: E8 AA E2 CC FF - call ShadowOfWar.exe+1482BB8
"ShadowOfWar.exe"+17B490E: 48 83 C7 04 - add rdi,04
"ShadowOfWar.exe"+17B4912: 48 8D 55 77 - lea rdx,[rbp+77]
"ShadowOfWar.exe"+17B4916: 48 8D 4D 67 - lea rcx,[rbp+67]
"ShadowOfWar.exe"+17B491A: 48 89 7D 67 - mov [rbp+67],rdi
// ---------- INJECTING HERE ----------
"ShadowOfWar.exe"+17B491E: 4C 03 98 58 09 00 00 - add r11,[rax+00000958]
// ---------- DONE INJECTING ----------
"ShadowOfWar.exe"+17B4925: 4D 89 5D 20 - mov [r13+20],r11
"ShadowOfWar.exe"+17B4929: E8 96 13 DD FF - call ShadowOfWar.exe+1585CC4
"ShadowOfWar.exe"+17B492E: 84 C0 - test al,al
"ShadowOfWar.exe"+17B4930: 75 D2 - jne ShadowOfWar.exe+17B4904
"ShadowOfWar.exe"+17B4932: 48 8D 4D B7 - lea rcx,[rbp-49]
"ShadowOfWar.exe"+17B4936: E8 09 A4 6A FF - call ShadowOfWar.exe+E5ED44
"ShadowOfWar.exe"+17B493B: 49 8B D7 - mov rdx,r15
"ShadowOfWar.exe"+17B493E: 48 8B 9C 24 D8 00 00 00 - mov rbx,[rsp+000000D8]
"ShadowOfWar.exe"+17B4946: 48 81 C4 90 00 00 00 - add rsp,00000090
"ShadowOfWar.exe"+17B494D: 41 5F - pop r15
}