[SOLVED] NOP a Code Injection?
Have a table almost complete, except for two items in the 'Advanced Options / Code List'.
Both are NOPs that, when toggled by right click and 'replace with code that does nothing', work just fine.
Every attempt to turn those items into <script> in the main table has failed / doesn't work.
Watching multiple YouTube video tutorials hasn't been very helpful in figuring out where I am going wrong.
Am I barking up the wrong tree? Or is it even possible to do that?
( CE 6.7 64bit )
Re: [HELP] NOP a Code Injection?
It is possible to write a script for this. CE will even build the script for you. Without knowing what you are doing or what is happening with the code, we can only speculate the cause for the crashing.
Re: [HELP] NOP a Code Injection?
Thanks for responding.
I tried to look at other tables for examples of scripts, but all I really found was AoB Scans / Injection.
The script attempts ....
Tried going through the memory disassembler, highlight the correct address line, tools, AutoAssemble, cheat framework, and then either code injection or full injection.
In the memory disassembler, when one of the 'Code List' items is toggled, the correct address and the next line both show nop.
Testing shows it works as desired.
In the memory disassembler, every script attempt has shown a hex address, and then a nop in the next line or two or three. And it doesn't work in testing.
Do I need to post one of the script attempts?
Re: [HELP] NOP a Code Injection?
When you use a script, a segment of code is allocated for your codecave and the original code jumps to that codecave where your code gets executed, so you would see something in memory viewer like the following:
Code: Select all
jmp 02E80000
nop
nop
//rest of originalcode
It might help if you paste your untouched script here that CE created. Use full injection so that we can see the surrounding code. If you like, you can include what you are wanting to change using comment brackets. For example:
Code: Select all
newmem:
mov edx,[eax+4] //want to nop this line
pop edi
jmp return
If you allow CE to set up your script for you and the target is still crashing when you try to execute the script, there are any number of reasons why this could be happening.
Is the target an online game or something that might have anti-cheat measures in place? If so, that would be good to know.
Re: [HELP] NOP a Code Injection?
It's a Single Player game, most of the values found are constants ( older game / not newly released ).
This is the output from the disassembler without and with the NOP applied.
Code: Select all
--> NOP Disabled
************************.exe+25B8E3 - 0F2F C1 - comiss xmm0,xmm1
************************.exe+25B8E6 - EB 03 - jmp ************************.exe+25B8EB
************************.exe+25B8E8 - 0F2F D1 - comiss xmm2,xmm1
************************.exe+25B8EB - 76 05 - jna ************************.exe+25B8F2
************************.exe+25B8ED - F3 0F11 4F 40 - movss [edi+40],xmm1
************************.exe+25B8F2 - 8B 4D F4 - mov ecx,[ebp-0C]
************************.exe+25B8F5 - 64 89 0D 00000000 - mov fs:[00000000],ecx { 0 }
--> NOP Enabled
************************.exe+25B8E3 - 0F2F C1 - comiss xmm0,xmm1
************************.exe+25B8E6 - EB 03 - jmp ************************.exe+25B8EB
************************.exe+25B8E8 - 0F2F D1 - comiss xmm2,xmm1
************************.exe+25B8EB - 90 - nop
************************.exe+25B8EC - 90 - nop
************************.exe+25B8ED - F3 0F11 4F 40 - movss [edi+40],xmm1
************************.exe+25B8F2 - 8B 4D F4 - mov ecx,[ebp-0C]
************************.exe+25B8F5 - 64 89 0D 00000000 - mov fs:[00000000],ecx { 0 }
This is the saved <script> output :
Code: Select all
{ Game : ************************.exe
Version:
Date : 2017-07-08
Author : blah blah blah
This script does blah blah blah
}
define(address,"************************.exe"+25B8EB)
define(bytes,76 05 F3 0F 11 4F 40)
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
assert(address,bytes)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
jna ************************.exe+25B8F2
movss [edi+40],xmm1
jmp return
address:
jmp newmem
nop
nop
return:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
address:
db bytes
// jna ************************.exe+25B8F2
// movss [edi+40],xmm1
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "************************.exe"+25B8EB
"************************.exe"+25B8C2: F3 0F 58 C2 - addss xmm0,xmm2
"************************.exe"+25B8C6: F3 0F 11 47 40 - movss [edi+40],xmm0
"************************.exe"+25B8CB: EB 25 - jmp ************************.exe+25B8F2
"************************.exe"+25B8CD: F3 0F 10 47 34 - movss xmm0,[edi+34]
"************************.exe"+25B8D2: F3 0F 59 05 24 92 6D 01 - mulss xmm0,[************************.exe+499224]
"************************.exe"+25B8DA: F3 0F 58 C2 - addss xmm0,xmm2
"************************.exe"+25B8DE: F3 0F 11 47 40 - movss [edi+40],xmm0
"************************.exe"+25B8E3: 0F 2F C1 - comiss xmm0,xmm1
"************************.exe"+25B8E6: EB 03 - jmp ************************.exe+25B8EB
"************************.exe"+25B8E8: 0F 2F D1 - comiss xmm2,xmm1
// ---------- INJECTING HERE ----------
"************************.exe"+25B8EB: 76 05 - jna ************************.exe+25B8F2
"************************.exe"+25B8ED: F3 0F 11 4F 40 - movss [edi+40],xmm1
// ---------- DONE INJECTING ----------
"************************.exe"+25B8F2: 8B 4D F4 - mov ecx,[ebp-0C]
"************************.exe"+25B8F5: 64 89 0D 00 00 00 00 - mov fs:[00000000],ecx
"************************.exe"+25B8FC: 59 - pop ecx
"************************.exe"+25B8FD: 5F - pop edi
"************************.exe"+25B8FE: 5E - pop esi
"************************.exe"+25B8FF: 5B - pop ebx
"************************.exe"+25B900: 8B 4D F0 - mov ecx,[ebp-10]
"************************.exe"+25B903: 33 CD - xor ecx,ebp
"************************.exe"+25B905: E8 F8 C0 0E 00 - call ************************.exe+347A02
"************************.exe"+25B90A: 8B E5 - mov esp,ebp
}
After looking at the disassembler output ( and thinking for a bit ), would this code be correct?
Code: Select all
newmem:
nop
nop
movss [edi+40],xmm1
jmp return
Re: [HELP] NOP a Code Injection?
What happens if you inject 1 line above, instead?
Code: Select all
"game.exe"+25B8E8: 0F 2F D1 - comiss xmm2,xmm1 //----------inject here, instead
"game.exe"+25B8EB: 76 05 - jna game.exe+25B8F2
Re: [HELP] NOP a Code Injection?
The disassembler output had some arrows not included in my earlier posts.
Code: Select all
this line :
"************************.exe"+25B8E6: EB 03 - jmp ************************.exe+25B8EB
goes to this line ( green arrow ) :
"************************.exe"+25B8EB: 76 05 - jna ************************.exe+25B8F2
goes to this line ( red arrow ) :
"************************.exe"+25B8F2: 8B 4D F4 - mov ecx,[ebp-0C]
Code: Select all
"************************.exe"+25B8E3: 0F 2F C1 - comiss xmm0,xmm1
"************************.exe"+25B8E6: EB 03 - jmp ************************.exe+25B8EB
"************************.exe"+25B8E8: 0F 2F D1 - comiss xmm2,xmm1
"************************.exe"+25B8EB: 76 05 - jna ************************.exe+25B8F2
"************************.exe"+25B8ED: F3 0F 11 4F 40 - movss [edi+40],xmm1
"************************.exe"+25B8F2: 8B 4D F4 - mov ecx,[ebp-0C]
"************************.exe"+25B8F5: 64 89 0D 00 00 00 00 - mov fs:[00000000],ecx
I may have tried the suggested injection point earlier, but don't remember clearly.
The 'replace with code that does nothing' always goes back to this line :
Code: Select all
"************************.exe"+25B8E6: EB 03 - jmp ************************.exe+25B8EB
This does work properly ( tested ) :
Code: Select all
{ Game : ************************.exe
Version:
Date : 2017-07-08
Author : 3oddbits
This script does [REDACTED]
}
define(address,"************************.exe"+25B8EB)
define(bytes,76 05 F3 0F 11 4F 40)
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
assert(address,bytes)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
nop
nop
movss [edi+40],xmm1
jmp return
code:
jna ************************.exe+25B8F2
movss [edi+40],xmm1
jmp return
address:
jmp newmem
nop
nop
return:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
address:
db bytes
// jna ************************.exe+25B8F2
// movss [edi+40],xmm1
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "************************.exe"+25B8EB
"************************.exe"+25B8C2: F3 0F 58 C2 - addss xmm0,xmm2
"************************.exe"+25B8C6: F3 0F 11 47 40 - movss [edi+40],xmm0
"************************.exe"+25B8CB: EB 25 - jmp ************************.exe+25B8F2
"************************.exe"+25B8CD: F3 0F 10 47 34 - movss xmm0,[edi+34]
"************************.exe"+25B8D2: F3 0F 59 05 24 92 54 01 - mulss xmm0,[************************.exe+499224]
"************************.exe"+25B8DA: F3 0F 58 C2 - addss xmm0,xmm2
"************************.exe"+25B8DE: F3 0F 11 47 40 - movss [edi+40],xmm0
"************************.exe"+25B8E3: 0F 2F C1 - comiss xmm0,xmm1
"************************.exe"+25B8E6: EB 03 - jmp ************************.exe+25B8EB
"************************.exe"+25B8E8: 0F 2F D1 - comiss xmm2,xmm1
// ---------- INJECTING HERE ----------
"************************.exe"+25B8EB: 76 05 - jna ************************.exe+25B8F2
"************************.exe"+25B8ED: F3 0F 11 4F 40 - movss [edi+40],xmm1
// ---------- DONE INJECTING ----------
"************************.exe"+25B8F2: 8B 4D F4 - mov ecx,[ebp-0C]
"************************.exe"+25B8F5: 64 89 0D 00 00 00 00 - mov fs:[00000000],ecx
"************************.exe"+25B8FC: 59 - pop ecx
"************************.exe"+25B8FD: 5F - pop edi
"************************.exe"+25B8FE: 5E - pop esi
"************************.exe"+25B8FF: 5B - pop ebx
"************************.exe"+25B900: 8B 4D F0 - mov ecx,[ebp-10]
"************************.exe"+25B903: 33 CD - xor ecx,ebp
"************************.exe"+25B905: E8 F8 C0 0E 00 - call ************************.exe+347A02
"************************.exe"+25B90A: 8B E5 - mov esp,ebp
}
The same approach also worked on the other 'nop' I wanted to script :
Code: Select all
{ Game : ************************.exe
Version:
Date : 2017-07-08
Author : 3oddbits
This script does [REDACTED]
}
define(address,"************************.exe"+2B889E)
define(bytes,FF 48 0C FF 4D 90)
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
assert(address,bytes)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
nop
nop
nop
dec [ebp-70]
jmp return
code:
dec [eax+0C]
dec [ebp-70]
jmp return
address:
jmp newmem
nop
return:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
address:
db bytes
// dec [eax+0C]
// dec [ebp-70]
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "************************.exe"+2B889E
"************************.exe"+2B8880: E8 AB 45 FC FF - call ************************.exe+27CE30
"************************.exe"+2B8885: 83 C4 20 - add esp,20
"************************.exe"+2B8888: 8B 85 44 FF FF FF - mov eax,[ebp-000000BC]
"************************.exe"+2B888E: 40 - inc eax
"************************.exe"+2B888F: 89 45 90 - mov [ebp-70],eax
"************************.exe"+2B8892: 85 C0 - test eax,eax
"************************.exe"+2B8894: 7E 17 - jle ************************.exe+2B88AD
"************************.exe"+2B8896: 56 - push esi
"************************.exe"+2B8897: 8B CF - mov ecx,edi
"************************.exe"+2B8899: E8 12 F4 D5 FF - call ************************.exe+17CB0
// ---------- INJECTING HERE ----------
"************************.exe"+2B889E: FF 48 0C - dec [eax+0C]
"************************.exe"+2B88A1: FF 4D 90 - dec [ebp-70]
// ---------- DONE INJECTING ----------
"************************.exe"+2B88A4: C7 40 10 00 00 00 00 - mov [eax+10],00000000
"************************.exe"+2B88AB: 75 E9 - jne ************************.exe+2B8896
"************************.exe"+2B88AD: 8B 85 54 FF FF FF - mov eax,[ebp-000000AC]
"************************.exe"+2B88B3: 0F B7 C0 - movzx eax,ax
"************************.exe"+2B88B6: BA 1B 00 00 00 - mov edx,0000001B
"************************.exe"+2B88BB: 50 - push eax
"************************.exe"+2B88BC: 8D 4A ED - lea ecx,[edx-13]
"************************.exe"+2B88BF: 89 B5 4C FF FF FF - mov [ebp-000000B4],esi
"************************.exe"+2B88C5: E8 B6 C0 E9 FF - call ************************.exe+154980
"************************.exe"+2B88CA: 8B 7D 94 - mov edi,[ebp-6C]
}
Your help got my mental gears turning.
Thank You.
[ PS : you can change the thread header from [HELP] to [SOLVED], or anything you think appropriate. ]
[SOLVED] NOP a Code Injection?
If all you want to do is NOP an instruction, you don't need to really do a code injection, but you should start with the template. Instead of allocating 'newmem' and doing the jmp to it, you can just overwrite the game code with the NOPs.
Now when you enable the script it will just replace the jna with two NOPs
Code: Select all
define(address,"************************.exe"+25B8EB)
define(bytes,76 05 F3 0F 11 4F 40)
[ENABLE]
assert(address,bytes)
address:
// replace the '76 05' for the jna instruction with NOPs
nop
nop
[DISABLE]
address:
db bytes
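As an added example (not code from this thread or from Cheat Engine), the byte accounting behind the two approaches discussed here: the template's 'jmp newmem' plus NOP padding from the earlier replies, and the in-place NOPs from the post above. The module base and the address alloc() returns are assumed values; the instruction encodings are the ones the thread's disassembler printed at the two injection points.

```python
# Constructed/assumed values: CE prints addresses as module+RVA, so a base is needed
# for the rel32 arithmetic; NEWMEM stands in for whatever alloc(newmem,$1000) returns.
MODULE_BASE = 0x00400000
NEWMEM = 0x02E80000  # matches the "jmp 02E80000" illustration in the thread

# (encoding, mnemonic) pairs exactly as shown at the two injection points
SITE_25B8EB = [(bytes.fromhex("7605"), "jna +25B8F2"),
               (bytes.fromhex("F30F114F40"), "movss [edi+40],xmm1")]
SITE_2B889E = [(bytes.fromhex("FF480C"), "dec [eax+0C]"),
               (bytes.fromhex("FF4D90"), "dec [ebp-70]")]


def original_bytes(site):
    """The value define(bytes,...) carries and 'db bytes' writes back in [DISABLE]."""
    return b"".join(enc for enc, _ in site)


def jmp_rel32(src, dst):
    """E9 + 32-bit displacement, measured from the end of the 5-byte jmp."""
    disp = (dst - (src + 5)) & 0xFFFFFFFF
    return b"\xE9" + disp.to_bytes(4, "little")


def codecave_patch(site, rva, newmem=NEWMEM, base=MODULE_BASE):
    """Bytes the template writes at 'address:': jmp newmem, then NOPs up to the
    next instruction boundary so 'return:' lands on a whole instruction."""
    total = len(original_bytes(site))
    if total < 5:
        raise ValueError("injection point shorter than a 5-byte jmp; widen it")
    return jmp_rel32(base + rva, newmem) + b"\x90" * (total - 5)


def inline_nop_patch(site, index):
    """The last post's approach: overwrite one instruction with NOPs of its own length."""
    return b"".join(b"\x90" * len(enc) if i == index else enc
                    for i, (enc, _) in enumerate(site))


def covers_exactly(site, patch):
    """assert(address,bytes)-style sanity check: the patch must span exactly the
    original bytes, never part of a neighbouring instruction."""
    return len(patch) == len(original_bytes(site))
```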