Values ​​in "Code" that change at each restart

Section's for general approaches on hacking various options in games. No online-related discussions/posts OR warez!
Post Reply
User avatar
SilverRabbit90
Table Makers
Table Makers
Posts: 214
Joined: Fri Jan 15, 2021 12:01 am
Reputation: 191

Values ​​in "Code" that change at each restart

Post by SilverRabbit90 »

In this script when I restart the game there are values ​​in "Code" that change every time the game is restarted.
Spoiler
Image

I tried removing the two lines of code, which change at every restart, but the game crashes.

jmp 2B9032EB0A7
mov rax,00007FF6D4192C64
Spoiler

Code: Select all

{ Game   : Ryujinx.exe
  Version: 
  Date   : 2023-10-05
  Author : C0MPUTER

  This script does blah blah blah
}

[ENABLE]

aobscanregion(StorageItemQuantityListA,10000000000,40000000000,48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 ?? ?? ?? 0? 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 ?4 ?? ?? ?? F? 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E 5D 5B C3 00 53 55 56 57 41 54 41 55 41 56 41 57 48 83 EC 68) // should be unique
                                                               //48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 89 9A 99 02 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 24 32 35 0B F7 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E
                                                               //48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 4B D7 C3 01 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 64 34 16 D4 F6 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E 5D 5B C3 00 53 55 56 57 41 54 41 55 41 56 41 57 48 83 EC 68
alloc(newmem,$1000)

label(code)
label(return)

label(seeCurStorItQuanV1)
registersymbol(seeCurStorItQuanV1)

newmem:

push rbx
lea rbx,[rax+rbp+10]
mov [seeCurStorItQuanV1],rbx
pop rbx

code:
  mov eax,[rax+rbp+10]
  mov [rbx],rax
  mov rax,rsi

  jmp return

  seeCurStorItQuanV1:

StorageItemQuantityListA+2E:
  jmp far newmem
  nop 8
return:
registersymbol(StorageItemQuantityListA)

[DISABLE]

StorageItemQuantityListA+2E:
  db 8B 44 28 10 48 89 03 48 89 F0 EB 12 48 B8

unregistersymbol(*)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 3A21D60CDED

3A21D60CDBF: 48 83 EC 40                    - sub rsp,40
3A21D60CDC3: 48 89 CB                       - mov rbx,rcx
3A21D60CDC6: 48 8B 2B                       - mov rbp,[rbx]
3A21D60CDC9: 48 8B B3 F0 00 00 00           - mov rsi,[rbx+000000F0]
3A21D60CDD0: 8B 83 10 04 00 00              - mov eax,[rbx+00000410]
3A21D60CDD6: 85 C0                          - test eax,eax
3A21D60CDD8: 74 1F                          - je 3A21D60CDF9
3A21D60CDDA: 83 E8 01                       - sub eax,01
3A21D60CDDD: 89 83 10 04 00 00              - mov [rbx+00000410],eax
3A21D60CDE3: 48 B8 00 00 6C 12 A2 02 00 00  - mov rax,000002A2126C0000
// ---------- INJECTING HERE ----------
3A21D60CDED: 8B 44 28 10                    - mov eax,[rax+rbp+10]
// ---------- DONE INJECTING  ----------
3A21D60CDF1: 48 89 03                       - mov [rbx],rax
3A21D60CDF4: 48 89 F0                       - mov rax,rsi
3A21D60CDF7: EB 12                          - jmp 3A21D60CE0B
3A21D60CDF9: 48 B8 64 2C 19 D4 F6 7F 00 00  - mov rax,00007FF6D4192C64
3A21D60CE03: FF D0                          - call rax
3A21D60CE05: 85 C0                          - test eax,eax
3A21D60CE07: 75 DA                          - jne 3A21D60CDE3
3A21D60CE09: 31 C0                          - xor eax,eax
3A21D60CE0B: 48 83 C4 40                    - add rsp,40
3A21D60CE0F: 5E                             - pop rsi
}

By manually changing those two lines of code the script works perfectly (that means searching for the value all over again or using AOB scan). Is there a way to make those values ​​change automatically? or is there a way to ignore those two lines of code without crashing the game?

Thx
Top
imjustmaxie
Expert Cheater
Expert Cheater
Posts: 242
Joined: Mon Aug 06, 2018 6:00 pm
Reputation: 208

Re: Values ​​in "Code" that change at each restart

Post by imjustmaxie »

SilverRabbit90 wrote:
Thu Oct 05, 2023 10:49 pm
 In this script when I restart the game there are values ​​in "Code" that change every time the game is restarted.

I tried removing the two lines of code, which change at every restart, but the game crashes.

jmp 2B9032EB0A7
mov rax,00007FF6D4192C64

By manually changing those two lines of code the script works perfectly (that means searching for the value all over again or using AOB scan). Is there a way to make those values ​​change automatically? or is there a way to ignore those two lines of code without crashing the game?

Thx
The reason being it crashing because the memory location is not the same on every load.
The best possible way to solve it is to store a backup of the current AoB, use reassemble() on those two lines and restore the whole thing on disable.
Spoiler

Code: Select all

// readmem() : reads the memory location with exact bytes
// reassemble() : reads the memory location while adjusting the correct RIP

[ENABLE]

aobscanregion(StorageItemQuantityListA,10000000000,40000000000,48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 ?? ?? ?? 0? 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 ?4 ?? ?? ?? F? 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E 5D 5B C3 00 53 55 56 57 41 54 41 55 41 56 41 57 48 83 EC 68) // should be unique
                                                               //48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 89 9A 99 02 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 24 32 35 0B F7 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E
                                                               //48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 4B D7 C3 01 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 64 34 16 D4 F6 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E 5D 5B C3 00 53 55 56 57 41 54 41 55 41 56 41 57 48 83 EC 68
alloc(newmem,$1000)

label(code)
label(return)

registersymbol(StorageItemQuantityListA)
registersymbol(bkpStorageItemQuantityListA)
registersymbol(seeCurStorItQuanV1)

newmem:

  push rbx
  lea rbx,[rax+rbp+10]
  mov [seeCurStorItQuanV1],rbx
  pop rbx

  code:  // Indented the label because 'code' is inside 'newmem'
  readmem(StorageItemQuantityListA,10)
  {mov eax,[rax+rbp+10]
  mov [rbx],rax
  mov rax,rsi}
  reassemble(StorageItemQuantityListA+A)
  //jmp 2B9032EB0A7
  reassemble(StorageItemQuantityListA+C)
  //mov rax,00007FF6D4192C64

  jmp return

  align 10,CC  // alignment

  bkpStorageItemQuantityListA:
  readmem(StorageItemQuantityListA,20)

  align 10,CC // alignment

  seeCurStorItQuanV1:
  dq 0

StorageItemQuantityListA+2E:
  jmp far newmem
  nop 8
return:


[DISABLE]

StorageItemQuantityListA+2E:
  readmem(bkpStorageItemQuantityListA,20)
  //db 8B 44 28 10 48 89 03 48 89 F0 EB 12 48 B8

unregistersymbol(*)
dealloc(*)
Top
Paul44
RCE Fanatics
RCE Fanatics
Posts: 887
Joined: Thu Jul 27, 2017 9:02 am
Reputation: 566

Re: Values ​​in "Code" that change at each restart

Post by Paul44 »

@SilverRabbit90: first and foremost, you are in the wrong section; this topic is about Tutorials. Unfortunately, others have started doing this as well (and #admin should move these to their proper section)...

that said: I noticed the 'jump far' instruction. If you can create a standard injection, then use a 'trampoline' (see my tutorial - yep - a bit lower in the list).
Or: find a pointer(chain) to the address you want to collect, and hopefully some related opcode solves that problem.
Tip: I tend you build a pointerscan, have it "cleaned out" spanning some days; and then 'F5' their origin addresses (iow I'm hoping to find some hardcoded addresses this way...)
ps: no experience whatsoever with these emulators.
ps2: a good/practical example: [ viewtopic.php?t=22204 ] (COD Advanced Warfare)
it is a small table, but uses several trampolines; thus giving you a good idea on how to approach this. Need some assistance, then just pm me.
Top
User avatar
SilverRabbit90
Table Makers
Table Makers
Posts: 214
Joined: Fri Jan 15, 2021 12:01 am
Reputation: 191

Re: Values ​​in "Code" that change at each restart

Post by SilverRabbit90 »

imjustmaxie wrote:
Fri Oct 06, 2023 4:20 am
SilverRabbit90 wrote:
Thu Oct 05, 2023 10:49 pm
 In this script when I restart the game there are values ​​in "Code" that change every time the game is restarted.

I tried removing the two lines of code, which change at every restart, but the game crashes.

jmp 2B9032EB0A7
mov rax,00007FF6D4192C64

By manually changing those two lines of code the script works perfectly (that means searching for the value all over again or using AOB scan). Is there a way to make those values ​​change automatically? or is there a way to ignore those two lines of code without crashing the game?

Thx
The reason being it crashing because the memory location is not the same on every load.
The best possible way to solve it is to store a backup of the current AoB, use reassemble() on those two lines and restore the whole thing on disable.
Spoiler

Code: Select all

// readmem() : reads the memory location with exact bytes
// reassemble() : reads the memory location while adjusting the correct RIP

[ENABLE]

aobscanregion(StorageItemQuantityListA,10000000000,40000000000,48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 ?? ?? ?? 0? 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 ?4 ?? ?? ?? F? 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E 5D 5B C3 00 53 55 56 57 41 54 41 55 41 56 41 57 48 83 EC 68) // should be unique
                                                               //48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 89 9A 99 02 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 24 32 35 0B F7 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E
                                                               //48 83 EC 40 48 89 CB 48 8B 2B 48 8B B3 F0 00 00 00 8B 83 10 04 00 00 85 C0 74 1F 83 E8 01 89 83 10 04 00 00 48 B8 00 00 4B D7 C3 01 00 00    8B 44 28 10  48 89 03 48 89 F0 EB 12 48 B8 64 34 16 D4 F6 7F 00 00 FF D0 85 C0 75 DA 31 C0 48 83 C4 40 5E 5D 5B C3 00 53 55 56 57 41 54 41 55 41 56 41 57 48 83 EC 68
alloc(newmem,$1000)

label(code)
label(return)

registersymbol(StorageItemQuantityListA)
registersymbol(bkpStorageItemQuantityListA)
registersymbol(seeCurStorItQuanV1)

newmem:

  push rbx
  lea rbx,[rax+rbp+10]
  mov [seeCurStorItQuanV1],rbx
  pop rbx

  code:  // Indented the label because 'code' is inside 'newmem'
  readmem(StorageItemQuantityListA,10)
  {mov eax,[rax+rbp+10]
  mov [rbx],rax
  mov rax,rsi}
  reassemble(StorageItemQuantityListA+A)
  //jmp 2B9032EB0A7
  reassemble(StorageItemQuantityListA+C)
  //mov rax,00007FF6D4192C64

  jmp return

  align 10,CC  // alignment

  bkpStorageItemQuantityListA:
  readmem(StorageItemQuantityListA,20)

  align 10,CC // alignment

  seeCurStorItQuanV1:
  dq 0

StorageItemQuantityListA+2E:
  jmp far newmem
  nop 8
return:


[DISABLE]

StorageItemQuantityListA+2E:
  readmem(bkpStorageItemQuantityListA,20)
  //db 8B 44 28 10 48 89 03 48 89 F0 EB 12 48 B8

unregistersymbol(*)
dealloc(*)

I finally took a while to solve xD
I tried this method on another game (in the "code:" Change offset to each update) and works perfectly.

My try:

Code: Select all

[ENABLE]

aobscanmodule(MoneyZa,MT2.exe,0F B6 81 ?? 00 00 00 84 C0 75 0D 48 8B 81 ?? 00 00 00 39 50 ?? 0F 9D C0 C3 90 66 0F 1F 44 00 00 48 8B 81 ?? 00 00 00 8B 40 ?? C3 90 0F 1F 40 00) // should be unique
alloc(newmem,$1000,MoneyZa)

alloc(bkpMoneyZa,20)
registersymbol(MoneyZa)
registersymbol(bkpMoneyZa)

label(seeMoney)
registersymbol(seeMoney)

label(code)
label(return)

newmem:

mov [seeMoney],rax

code:
  readmem(MoneyZa+27,10)
 // mov eax,[rax+14]
 // ret 
  //nop
    reassemble(MoneyZa+A)
  jmp return

  align 10,CC  // alignment

  bkpMoneyZa:
  readmem(MoneyZa+27,20)

  align 10,CC // alignment

  seeMoney:
  dq 0


MoneyZa+27:
  jmp newmem
return:
registersymbol(MoneyZa)

[DISABLE]


MoneyZa+27:
  readmem(bkpMoneyZa,20)
  //db 8B 44 28 10 48 89 03 48 89 F0 EB 12 48 B8

unregistersymbol(*)
dealloc(*)

{
// ORIGINAL CODE - INJECTION POINT: MT2.exe+33E57

MT2.exe+33E30: 0F B6 81 D0 00 00 00  - movzx eax,byte ptr [rcx+000000D0]
MT2.exe+33E37: 84 C0                 - test al,al
MT2.exe+33E39: 75 0D                 - jne MT2.exe+33E48
MT2.exe+33E3B: 48 8B 81 E0 00 00 00  - mov rax,[rcx+000000E0]
MT2.exe+33E42: 39 50 14              - cmp [rax+14],edx
MT2.exe+33E45: 0F 9D C0              - setge al
MT2.exe+33E48: C3                    - ret 
MT2.exe+33E49: 90                    - nop 
MT2.exe+33E4A: 66 0F 1F 44 00 00     - nop word ptr [rax+rax+00]
MT2.exe+33E50: 48 8B 81 E0 00 00 00  - mov rax,[rcx+000000E0]
// ---------- INJECTING HERE ----------
MT2.exe+33E57: 8B 40 14              - mov eax,[rax+14]
// ---------- DONE INJECTING  ----------
MT2.exe+33E5A: C3                    - ret 
MT2.exe+33E5B: 90                    - nop 
MT2.exe+33E5C: 0F 1F 40 00           - nop dword ptr [rax+00]
MT2.exe+33E60: 41 BA 01 00 00 00     - mov r10d,00000001
MT2.exe+33E66: 66 41 0F 6E C2        - movd xmm0,r10d
MT2.exe+33E6B: 48 8B 81 E0 00 00 00  - mov rax,[rcx+000000E0]
MT2.exe+33E72: 44 8B 48 14           - mov r9d,[rax+14]
MT2.exe+33E76: 01 50 1C              - add [rax+1C],edx
MT2.exe+33E79: 4D 63 C0              - movsxd  r8,r8d
MT2.exe+33E7C: 41 01 D1              - add r9d,edx
}
[/super]



But:

Before Game Update:
Spoiler

Code: Select all

[ENABLE]

aobscanmodule(BeforeUpdate_MoneyTest,MT2.exe,8B 40 1C C3 90) // should be unique
alloc(newmem,$1000,BeforeUpdate_MoneyTest)

label(code)
label(return)

newmem:

code:
  mov eax,[rax+1C]
  ret 
  nop 
  jmp return

BeforeUpdate_MoneyTest:
  jmp newmem
return:
registersymbol(BeforeUpdate_MoneyTest)

[DISABLE]

BeforeUpdate_MoneyTest:
  db 8B 40 1C C3 90

unregistersymbol(BeforeUpdate_MoneyTest)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: MT2.exe+2D527

MT2.exe+2D500: 0F B6 81 D8 00 00 00  - movzx eax,byte ptr [rcx+000000D8]
MT2.exe+2D507: 84 C0                 - test al,al
MT2.exe+2D509: 75 0D                 - jne MT2.exe+2D518
MT2.exe+2D50B: 48 8B 81 E8 00 00 00  - mov rax,[rcx+000000E8]
MT2.exe+2D512: 39 50 1C              - cmp [rax+1C],edx
MT2.exe+2D515: 0F 9D C0              - setge al
MT2.exe+2D518: C3                    - ret 
MT2.exe+2D519: 90                    - nop 
MT2.exe+2D51A: 66 0F 1F 44 00 00     - nop word ptr [rax+rax+00]
MT2.exe+2D520: 48 8B 81 E8 00 00 00  - mov rax,[rcx+000000E8]
// ---------- INJECTING HERE ----------
MT2.exe+2D527: 8B 40 1C              - mov eax,[rax+1C]
// ---------- DONE INJECTING  ----------
MT2.exe+2D52A: C3                    - ret 
MT2.exe+2D52B: 90                    - nop 
MT2.exe+2D52C: 0F 1F 40 00           - nop dword ptr [rax+00]
MT2.exe+2D530: 48 8B 81 E8 00 00 00  - mov rax,[rcx+000000E8]
MT2.exe+2D537: 44 8B 48 1C           - mov r9d,[rax+1C]
MT2.exe+2D53B: 01 50 24              - add [rax+24],edx
MT2.exe+2D53E: 4D 63 C0              - movsxd  r8,r8d
MT2.exe+2D541: 41 01 D1              - add r9d,edx
MT2.exe+2D544: 49 C1 E0 05           - shl r8,05
MT2.exe+2D548: 44 89 48 1C           - mov [rax+1C],r9d
After Game Update:
Spoiler

Code: Select all

[ENABLE]

aobscanmodule(AfterUpdate_MoneyTest,MT2.exe,8B 40 14 C3 90) // should be unique
alloc(newmem,$1000,AfterUpdate_MoneyTest)

label(code)
label(return)

newmem:

code:
  mov eax,[rax+14]
  ret 
  nop 
  jmp return

AfterUpdate_MoneyTest:
  jmp newmem
return:
registersymbol(AfterUpdate_MoneyTest)

[DISABLE]

AfterUpdate_MoneyTest:
  db 8B 40 14 C3 90

unregistersymbol(AfterUpdate_MoneyTest)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: MT2.exe+33E57

MT2.exe+33E30: 0F B6 81 D0 00 00 00  - movzx eax,byte ptr [rcx+000000D0]
MT2.exe+33E37: 84 C0                 - test al,al
MT2.exe+33E39: 75 0D                 - jne MT2.exe+33E48
MT2.exe+33E3B: 48 8B 81 E0 00 00 00  - mov rax,[rcx+000000E0]
MT2.exe+33E42: 39 50 14              - cmp [rax+14],edx
MT2.exe+33E45: 0F 9D C0              - setge al
MT2.exe+33E48: C3                    - ret 
MT2.exe+33E49: 90                    - nop 
MT2.exe+33E4A: 66 0F 1F 44 00 00     - nop word ptr [rax+rax+00]
MT2.exe+33E50: 48 8B 81 E0 00 00 00  - mov rax,[rcx+000000E0]
// ---------- INJECTING HERE ----------
MT2.exe+33E57: 8B 40 14              - mov eax,[rax+14]
// ---------- DONE INJECTING  ----------
MT2.exe+33E5A: C3                    - ret 
MT2.exe+33E5B: 90                    - nop 
MT2.exe+33E5C: 0F 1F 40 00           - nop dword ptr [rax+00]
MT2.exe+33E60: 41 BA 01 00 00 00     - mov r10d,00000001
MT2.exe+33E66: 66 41 0F 6E C2        - movd xmm0,r10d
MT2.exe+33E6B: 48 8B 81 E0 00 00 00  - mov rax,[rcx+000000E0]
MT2.exe+33E72: 44 8B 48 14           - mov r9d,[rax+14]
MT2.exe+33E76: 01 50 1C              - add [rax+1C],edx
MT2.exe+33E79: 4D 63 C0              - movsxd  r8,r8d
MT2.exe+33E7C: 41 01 D1              - add r9d,edx
}
But now I have another problem, as you can see in mov eax,[rax+14] offset changes after update.

For example, if I wanted to make 10000 money I can give a value to mov eax,[rax+??] even in a future update

Something like:

Code: Select all

newmem:

mov eax,[rax+??],(int)10000

code:
  readmem(Money,10)
 // mov eax,[rax+14]
 // ret 
  //nop
    reassemble(Money+A)
  jmp return

  align 10,CC  // alignment

  bkpMoney:
  readmem(Money,20)

  align 10,CC // alignment
Or to each update I have to change the offset manually?
Top
User avatar
SilverRabbit90
Table Makers
Table Makers
Posts: 214
Joined: Fri Jan 15, 2021 12:01 am
Reputation: 191

Re: Values ​​in "Code" that change at each restart

Post by SilverRabbit90 »

Solved (at least in part)...

Here's how I did:
Spoiler

Code: Select all

[ENABLE]

aobscanmodule(MoneyOnSPendAa,$process,01 50 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 44 89 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00) // should be unique
alloc(newmem,$1000,MoneyOnSPendAa)

//label(code)

alloc(originalbytesA,9)
registersymbol(originalbytesA)

originalbytesA:
readmem(MoneyOnSPendAa+0D,9)

label(bkpMoney)
label(return)

label(setMoney)
registersymbol(setMoney)

newmem:

mov r9d,[setMoney]

bkpMoney:
  readmem(MoneyOnSPendAa+0D,4)

//code:
  //mov [rax+14],r9d
  //lea rax,[rax+r8*8]
  
  jmp return

align 10

setMoney:
dd (int)500000

MoneyOnSPendAa+0D:
  jmp newmem
  nop 3
return:
registersymbol(MoneyOnSPendAa)
registersymbol(bkpMoney)

[DISABLE]

MoneyOnSPendAa+0D:
readmem(originalbytesA,9)
  //db 44 89 48 14 4A 8D 04 C0

unregistersymbol(*)
dealloc(*)

{
// ORIGINAL CODE - INJECTION POINT: MT2.exe+33EE0

4? ?? ?? ?? 44 89 48 1? 4?
49 C1 E0 05 44 89 48 1C 4C

MT2.exe+33EBF: 44 8B 48 14                 - mov r9d,[rax+14]
MT2.exe+33EC3: 45 84 D2                    - test r10b,r10b
MT2.exe+33EC6: 75 05                       - jne MT2.exe+33ECD
MT2.exe+33EC8: 44 39 CA                    - cmp edx,r9d
MT2.exe+33ECB: 7F 26                       - jg MT2.exe+33EF3
MT2.exe+33ECD: 4D 63 C0                    - movsxd  r8,r8d
MT2.exe+33ED0: 41 29 D1                    - sub r9d,edx
MT2.exe+33ED3: 01 50 20                    - add [rax+20],edx
MT2.exe+33ED6: 41 BA 01 00 00 00           - mov r10d,00000001
MT2.exe+33EDC: 4F 8D 04 40                 - lea r8,[r8+r8*2]
// ---------- INJECTING HERE ----------
MT2.exe+33EE0: 44 89 48 14                 - mov [rax+14],r9d
// ---------- DONE INJECTING  ----------
MT2.exe+33EE4: 4A 8D 04 C0                 - lea rax,[rax+r8*8]
MT2.exe+33EE8: 29 50 3C                    - sub [rax+3C],edx
MT2.exe+33EEB: 83 40 38 01                 - add dword ptr [rax+38],01
MT2.exe+33EEF: 44 89 49 30                 - mov [rcx+30],r9d
MT2.exe+33EF3: 44 89 D0                    - mov eax,r10d
MT2.exe+33EF6: C3                          - ret 
MT2.exe+33EF7: 66 0F 1F 84 00 00 00 00 00  - nop word ptr [rax+rax+00000000]
MT2.exe+33F00: 48 8D 05 29 E6 27 01        - lea rax,[MT2.exe+12B2530]
MT2.exe+33F07: 48 8D 0D 52 EF D9 00        - lea rcx,[MT2.exe+DD2E60]
MT2.exe+33F0E: 48 89 05 4B EF D9 00        - mov [MT2.exe+DD2E60],rax
}

It only works if you do:
Right click then "Find out what writes to this address"

In this specific case "r9d" does not change even after an update.

I tried on "Find out what accesses to this address", but with the fact that he changes mov r9d,[rax+14]
offset to each update, I have not found ways to make it work (without manually changing the offset).

Normally it would be enough for me to do:
push rcx
mov rcx,setMoney
mov rcx,dword ptr [rcx]
mov [rax+14],rcx
pop rcx

But with the fact that [rax+14] changes to each update it is useless to do it.

Does anyone have a solution?
Top
Post Reply

Return to “Generic Tutorials”

Who is online

Users browsing this forum: No registered users