You can manually scan for the AOB to check it; just set the value type to "array of bytes" and set the "writable", "executable", and "copyOnWrite" flags to be both (i.e.: the full box, not checked or unchecked). This will allow you to check that your AOBs only have one result.
And for the script you posted. Make sure that if you PUSH something (like EAX), that you POP when you're done, else you throw off the stack and likely get a crash or odd behavior at the very least. And in the disable section use the original code or the original bytes but not both, as you'll override the bytes after the injection point. And it's better to use the bytes, as the code could be assembled differently and be a different length. And make sure you include the original code in the injected script, else you'll have a register not set correctly; not sure if leaving out the [c]mov eax,00000001[/c] is intentional, but if not you need to have that to set EAX to what it needs to be.
[CODE=cea][ENABLE]
aobscan(expmult,89 11 B8 01 00 00 00 83 3D ?? ?? ?? 01 00 72 10 77 0C 81 3D ) // should be unique
alloc(newmem,$1000)
label(code)
label(returnhere)
label(exit)

newmem:
  pushf                // save flags; sub/imul/add below change them
  mov eax,[ecx]        // eax = current value
  sub edx,eax          // edx = gain (new value - current value)
  imul edx,5           // gain * 5
  add edx,eax          // edx = current value + 5 * gain
code:
  mov [ecx],edx        // original instruction (89 11)
  mov eax,00000001     // original instruction (B8 01 00 00 00); eax must end up as 1
  popf                 // restore flags
exit:
  jmp returnhere

expmult:
  jmp newmem           // 5 bytes
  nop 2                // pad to the 7 bytes being replaced
returnhere:
registersymbol(expmult)

[DISABLE]
expmult:
  db 89 11 B8 01 00 00 00   // original bytes only; don't also put the original code here
unregistersymbol(expmult)
dealloc(newmem)[/CODE]
Help with changing address
Last edited by TimFun13 on Thu Jan 01, 1970 12:00 am, edited 2 times in total.
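As an added example (not from ShyTwig16's post and not Cheat Engine's own code): a small C program that does what the manual "array of bytes" scan above is for, namely parse a pattern with ?? wildcards, count how many places in a buffer match it, and then show the byte-level side of the script: replacing the 7-byte site with a 5-byte rel32 jmp plus nop 2, and putting the saved original bytes back the way the [DISABLE] section's db line does. The code buffer is constructed sample data (the thread's 7 original bytes followed by the cmp/jb/ja tail the AOB expects, plus a second look-alike site) and it scans in-process memory rather than a game's, so buffer offsets stand in for addresses.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATTERN 64

typedef struct {
    uint8_t value[MAX_PATTERN];
    uint8_t mask[MAX_PATTERN];   /* 1 = byte must match, 0 = wildcard (??) */
    size_t len;
} aob_pattern;

/* Parse "89 11 B8 ?? 00"-style text into value/mask arrays.
 * Returns 0 on success, -1 if a token is not two hex digits or "??". */
int aob_parse(const char *text, aob_pattern *p)
{
    const char *s = text;
    p->len = 0;
    while (*s) {
        while (*s == ' ') s++;
        if (!*s) break;
        if (p->len >= MAX_PATTERN) return -1;
        if (s[0] == '?' && s[1] == '?') {
            p->value[p->len] = 0;
            p->mask[p->len] = 0;
        } else if (isxdigit((unsigned char)s[0]) && isxdigit((unsigned char)s[1])) {
            char tok[3] = { s[0], s[1], '\0' };
            p->value[p->len] = (uint8_t)strtoul(tok, NULL, 16);
            p->mask[p->len] = 1;
        } else {
            return -1;
        }
        p->len++;
        s += 2;
        if (*s && *s != ' ') return -1;
    }
    return p->len ? 0 : -1;
}

/* Scan buf for the pattern, recording up to max_hits offsets. Returns the total
 * number of matches; like CE's aobscan, the caller wants exactly 1. */
size_t aob_scan(const uint8_t *buf, size_t buflen, const aob_pattern *p,
                size_t *hits, size_t max_hits)
{
    size_t count = 0;
    if (p->len == 0 || buflen < p->len) return 0;
    for (size_t off = 0; off + p->len <= buflen; off++) {
        size_t i;
        for (i = 0; i < p->len; i++)
            if (p->mask[i] && buf[off + i] != p->value[i]) break;
        if (i == p->len) {
            if (count < max_hits) hits[count] = off;
            count++;
        }
    }
    return count;
}

/* Replace orig_len bytes at `at` with "jmp target" (E9 rel32) and NOP padding,
 * saving the originals so they can be restored exactly later. orig_len must be
 * at least 5 and must cover whole instructions; this code cannot check the
 * latter, which is why you read the disassembly before picking the site. */
int hook_install(uint8_t *buf, size_t buflen, size_t at, size_t orig_len,
                 size_t target, uint8_t *saved)
{
    if (orig_len < 5 || at + orig_len > buflen) return -1;
    memcpy(saved, buf + at, orig_len);
    /* rel32 is relative to the end of the 5-byte jmp, i.e. at + 5 */
    uint32_t rel = (uint32_t)(int32_t)((int64_t)target - (int64_t)(at + 5));
    buf[at] = 0xE9;
    for (int i = 0; i < 4; i++) buf[at + 1 + i] = (uint8_t)(rel >> (8 * i));
    memset(buf + at + 5, 0x90, orig_len - 5);   /* "nop 2" for a 7-byte site */
    return 0;
}

/* Constructed sample "code": the injection site from the thread at offset 4,
 * the cmp/jb/ja tail the AOB expects, and a look-alike site at offset 32
 * whose cmp operand differs only in the byte the strict pattern pins to 01. */
static const uint8_t sample_code[] = {
    0x90, 0x90, 0x90, 0x90,                              /* 0..3  filler */
    0x89, 0x11, 0xB8, 0x01, 0x00, 0x00, 0x00,            /* 4..10 mov [ecx],edx ; mov eax,1 */
    0x83, 0x3D, 0x10, 0x20, 0x30, 0x01, 0x00,            /* 11..17 cmp dword ptr [01302010],0 */
    0x72, 0x10, 0x77, 0x0C, 0x81, 0x3D,                  /* 18..23 jb ; ja ; cmp dword ptr [...] */
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,      /* 24..31 filler */
    0x89, 0x11, 0xB8, 0x01, 0x00, 0x00, 0x00,            /* 32..38 second site */
    0x83, 0x3D, 0x44, 0x55, 0x66, 0x02, 0x00,            /* 39..45 cmp dword ptr [02665544],0 */
    0x72, 0x10, 0x77, 0x0C, 0x81, 0x3D,                  /* 46..51 */
};

/* Number of places pattern_text matches in sample_code, or -1 if it won't parse. */
long count_hits(const char *pattern_text)
{
    aob_pattern p;
    size_t hits[8];
    if (aob_parse(pattern_text, &p) != 0) return -1;
    return (long)aob_scan(sample_code, sizeof sample_code, &p, hits, 8);
}

/* Hook the site at offset 4, jumping to "newmem" at offset 32, check the bytes
 * written, then restore from the saved copy as [DISABLE] does. Returns 1 if the
 * buffer is byte-identical to the original afterwards. */
int hook_roundtrip(void)
{
    uint8_t buf[sizeof sample_code];
    uint8_t saved[7];
    memcpy(buf, sample_code, sizeof buf);
    if (hook_install(buf, sizeof buf, 4, 7, 32, saved) != 0) return 0;
    uint32_t rel = (uint32_t)buf[5] | (uint32_t)buf[6] << 8 |
                   (uint32_t)buf[7] << 16 | (uint32_t)buf[8] << 24;
    if (buf[4] != 0xE9 || rel != 32u - (4u + 5u)) return 0;   /* jmp newmem */
    if (buf[9] != 0x90 || buf[10] != 0x90) return 0;           /* nop 2 */
    if (memcmp(saved, sample_code + 4, 7) != 0) return 0;
    memcpy(buf + 4, saved, 7);   /* [DISABLE]: db 89 11 B8 01 00 00 00 */
    return memcmp(buf, sample_code, sizeof buf) == 0;
}

int main(void)
{
    printf("strict pattern hits: %ld\n",
           count_hits("89 11 B8 01 00 00 00 83 3D ?? ?? ?? 01 00 72 10 77 0C 81 3D"));
    printf("loose pattern hits:  %ld\n",
           count_hits("89 11 B8 01 00 00 00 83 3D ?? ?? ?? ?? ??"));
    printf("hook install/restore round-trip: %s\n", hook_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The thread's full pattern hits once; the same pattern with two more bytes wildcarded hits both sites, which is the "too many ??" situation kidalot ran into. A real scanner would read the target process with ReadProcessMemory (or /proc/pid/mem) region by region, which is what the writable/executable/copyOnWrite flags filter in CE, but the matching and the hook arithmetic are the same as here.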
[QUOTE="ShyTwig16, post: 138407, member: 91"]
You can manually scan for the AOB to check it; just set the value type to "array of bytes" and set the "writable", "executable", and "copyOnWrite" flags to be both (i.e.: the full box, not checked or unchecked). This will allow you to check that your AOBs only have one result.
[/QUOTE]
In my case the AOB ended up with too many ?? by my 4th run through and when I checked it that's when it found 2 instances of it.
I don't think I fully understand AOB code, like what happens if you're using AOB in a script that's enabled and the bytes change whilst playing? Will it crash? How can you account for data that can change?
Thanks man
Last edited by kidalot on Sat Jun 06, 2020 6:12 pm, edited 2 times in total.
AOBs are meant to be used with executable code, which doesn't really change when running. Even with jitted code it will only be created when it's needed, but once it's jitted it tends to stay. If the executable code is changing while it's running then you'd have to figure out what writes to the code and figure out how to change it there, but that's something I've never seen before. But yes, if the code is being changed in ways that create bad code it would likely cause some issues like crashes.