Memory scanning, code injection, debugger internals and other gamemodding related discussion
Fenekie
Cheater
Posts: 35 Joined: Sun Mar 19, 2017 10:57 pm
Reputation: 10
Post by Fenekie » Sat Oct 28, 2017 12:21 am
Hello guys,
I have a problem with a game crash. I'm trying to make unlimited ammo for the Black Mesa game. From the beginning everything worked fine, but when I get to some point in the game where a turret starts to fire at an NPC, the game crashes. For "freezing" the ammo value I just added // (comment) before the mov instruction, but as I see, that's not the right way to do it. Any ideas? O.o
Code:
define(address,"server.dll"+FBC34)
define(bytes,89 1E 5F 5E 5B)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
// mov [esi],ebx
pop edi
pop esi
pop ebx
jmp return
address:
jmp newmem
return:
[DISABLE]
address:
db bytes
// mov [esi],ebx
// pop edi
// pop esi
// pop ebx
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "server.dll"+FBC34
"server.dll"+FBC0E: 81 C1 FC 06 00 00 - add ecx,000006FC
"server.dll"+FBC14: 8B 04 B9 - mov eax,[ecx+edi*4]
"server.dll"+FBC17: 8D 34 B9 - lea esi,[ecx+edi*4]
"server.dll"+FBC1A: 89 5D 08 - mov [ebp+08],ebx
"server.dll"+FBC1D: 3B 02 - cmp eax,[edx]
"server.dll"+FBC1F: 74 15 - je server.dll+FBC36
"server.dll"+FBC21: 8B 81 04 F9 FF FF - mov eax,[ecx-000006FC]
"server.dll"+FBC27: 81 C1 04 F9 FF FF - add ecx,FFFFF904
"server.dll"+FBC2D: 56 - push esi
"server.dll"+FBC2E: FF 90 4C 05 00 00 - call dword ptr [eax+0000054C]
// ---------- INJECTING HERE ----------
"server.dll"+FBC34: 89 1E - mov [esi],ebx
"server.dll"+FBC36: 5F - pop edi
"server.dll"+FBC37: 5E - pop esi
"server.dll"+FBC38: 5B - pop ebx
// ---------- DONE INJECTING ----------
"server.dll"+FBC39: 8B E5 - mov esp,ebp
"server.dll"+FBC3B: 5D - pop ebp
"server.dll"+FBC3C: C2 08 00 - ret 0008
"server.dll"+FBC3F: CC - int 3
"server.dll"+FBC40: 55 - push ebp
"server.dll"+FBC41: 8B EC - mov ebp,esp
"server.dll"+FBC43: 56 - push esi
"server.dll"+FBC44: 57 - push edi
"server.dll"+FBC45: FF 75 0C - push [ebp+0C]
"server.dll"+FBC48: 8B F9 - mov edi,ecx
}
seikur0
Code Alchemist
Posts: 438 Joined: Sat Aug 26, 2017 10:48 am
Reputation: 344
Post by seikur0 » Sat Oct 28, 2017 4:57 am
Look at "server.dll+FBC1F": it will jump right into the middle of the place where you inject and, instead of popping the 3 registers, do something random, because the last 3 bytes of your jump instruction are there.
So as you can see, that jump instruction already does what you intended to do: it skips the mov [esi],ebx line. Use that and just change the jump byte at "server.dll+FBC1F" from 74=je to EB=jmp. These one-byte changes are my favorites.
Fenekie
Cheater
Posts: 35 Joined: Sun Mar 19, 2017 10:57 pm
Reputation: 10
Post by Fenekie » Sat Oct 28, 2017 4:53 pm
To be honest, I'm a little bit lost in your explanation. I kinda see what you are pointing at, but I'm not sure why I should change something in the ORIGINAL CODE under [DISABLE]. I'm quite sure that I misunderstood you. How will the code look after your suggestion? Maybe I will understand it better if you fix it in my code and show me what you have in mind...
seikur0
Code Alchemist
Posts: 438 Joined: Sat Aug 26, 2017 10:48 am
Reputation: 344
Post by seikur0 » Sat Oct 28, 2017 6:08 pm
Code:
define(address,"server.dll"+FBC34)
define(bytes,89 1E 5F 5E 5B)
[ENABLE]
assert(address,bytes)
address-15: // server.dll+FBC1F, the "je server.dll+FBC36" that already skips the mov
db EB // 74 (je short) -> EB (jmp short), same 1-byte opcode, rel8 unchanged
[DISABLE]
address-15:
db 74 // restore the original je
{
// ORIGINAL CODE - INJECTION POINT: "server.dll"+FBC34
"server.dll"+FBC0E: 81 C1 FC 06 00 00 - add ecx,000006FC
"server.dll"+FBC14: 8B 04 B9 - mov eax,[ecx+edi*4]
"server.dll"+FBC17: 8D 34 B9 - lea esi,[ecx+edi*4]
"server.dll"+FBC1A: 89 5D 08 - mov [ebp+08],ebx
"server.dll"+FBC1D: 3B 02 - cmp eax,[edx]
"server.dll"+FBC1F: 74 15 - je server.dll+FBC36
"server.dll"+FBC21: 8B 81 04 F9 FF FF - mov eax,[ecx-000006FC]
"server.dll"+FBC27: 81 C1 04 F9 FF FF - add ecx,FFFFF904
"server.dll"+FBC2D: 56 - push esi
"server.dll"+FBC2E: FF 90 4C 05 00 00 - call dword ptr [eax+0000054C]
// ---------- INJECTING HERE ----------
"server.dll"+FBC34: 89 1E - mov [esi],ebx
"server.dll"+FBC36: 5F - pop edi
"server.dll"+FBC37: 5E - pop esi
"server.dll"+FBC38: 5B - pop ebx
// ---------- DONE INJECTING ----------
"server.dll"+FBC39: 8B E5 - mov esp,ebp
"server.dll"+FBC3B: 5D - pop ebp
"server.dll"+FBC3C: C2 08 00 - ret 0008
"server.dll"+FBC3F: CC - int 3
"server.dll"+FBC40: 55 - push ebp
"server.dll"+FBC41: 8B EC - mov ebp,esp
"server.dll"+FBC43: 56 - push esi
"server.dll"+FBC44: 57 - push edi
"server.dll"+FBC45: FF 75 0C - push [ebp+0C]
"server.dll"+FBC48: 8B F9 - mov edi,ecx
}
or even better as an aobscan (just an example, I'm not sure if that aob is unique):
Code:
aobscanmodule(inj_ammunition,server.dll,89 5D 08 3B 02 74 15 8B 81 04 F9 FF FF)
[ENABLE]
inj_ammunition+5:
db EB //this is a jmp instruction
registersymbol(inj_ammunition)
[DISABLE]
inj_ammunition+5:
db 74 //this is a je instruction
unregistersymbol(inj_ammunition)
{
// ORIGINAL CODE - INJECTION POINT: "server.dll"+FBC34
"server.dll"+FBC0E: 81 C1 FC 06 00 00 - add ecx,000006FC
"server.dll"+FBC14: 8B 04 B9 - mov eax,[ecx+edi*4]
"server.dll"+FBC17: 8D 34 B9 - lea esi,[ecx+edi*4]
"server.dll"+FBC1A: 89 5D 08 - mov [ebp+08],ebx
"server.dll"+FBC1D: 3B 02 - cmp eax,[edx]
// ---------- INJECTING HERE ----------
"server.dll"+FBC1F: 74 15 - je server.dll+FBC36
// ---------- DONE INJECTING ----------
"server.dll"+FBC21: 8B 81 04 F9 FF FF - mov eax,[ecx-000006FC]
"server.dll"+FBC27: 81 C1 04 F9 FF FF - add ecx,FFFFF904
"server.dll"+FBC2D: 56 - push esi
"server.dll"+FBC2E: FF 90 4C 05 00 00 - call dword ptr [eax+0000054C]
"server.dll"+FBC34: 89 1E - mov [esi],ebx
"server.dll"+FBC36: 5F - pop edi
"server.dll"+FBC37: 5E - pop esi
"server.dll"+FBC38: 5B - pop ebx
"server.dll"+FBC39: 8B E5 - mov esp,ebp
"server.dll"+FBC3B: 5D - pop ebp
"server.dll"+FBC3C: C2 08 00 - ret 0008
"server.dll"+FBC3F: CC - int 3
"server.dll"+FBC40: 55 - push ebp
"server.dll"+FBC41: 8B EC - mov ebp,esp
"server.dll"+FBC43: 56 - push esi
"server.dll"+FBC44: 57 - push edi
"server.dll"+FBC45: FF 75 0C - push [ebp+0C]
"server.dll"+FBC48: 8B F9 - mov edi,ecx
}
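Two points in seikur0's replies are easy to check mechanically before a script is ever enabled: whether a branch in the surrounding code lands inside the bytes a patch overwrites (the je at FBC1F landing two bytes into the 5-byte jmp written at FBC34, which is what crashed the first script), and how many times an array-of-bytes pattern occurs (the "I'm not sure if that aob is unique" caveat). The following Python is an added example written for this thread; it is not code from the thread, from Cheat Engine or from the game. It parses the disassembly listing exactly as quoted above, decodes only short rel8 jumps (EB and 70..7F) from their encoding, and scans only the listing's own 49 bytes for the pattern, so a count of 1 here shows the scan logic, not uniqueness across the whole of server.dll. The function and constant names are my own.

```python
"""Patch-safety checks for the auto-assembler scripts in this thread.

Added example (not from the thread or Cheat Engine). Given a disassembly
listing in the format posted above, it reports branches whose target would
land in the middle of a patched byte range, and counts occurrences of an
AOB pattern in a byte buffer. Only short rel8 jumps are decoded; only the
listing bytes are scanned, so uniqueness in the full module is NOT proven.
"""
import re

# Listing lines quoted from the thread (server.dll offsets). Constructed
# input for this example: the listing is copied, the bytes are not scanned
# from a live process.
LISTING = '''
"server.dll"+FBC0E: 81 C1 FC 06 00 00 - add ecx,000006FC
"server.dll"+FBC14: 8B 04 B9 - mov eax,[ecx+edi*4]
"server.dll"+FBC17: 8D 34 B9 - lea esi,[ecx+edi*4]
"server.dll"+FBC1A: 89 5D 08 - mov [ebp+08],ebx
"server.dll"+FBC1D: 3B 02 - cmp eax,[edx]
"server.dll"+FBC1F: 74 15 - je server.dll+FBC36
"server.dll"+FBC21: 8B 81 04 F9 FF FF - mov eax,[ecx-000006FC]
"server.dll"+FBC27: 81 C1 04 F9 FF FF - add ecx,FFFFF904
"server.dll"+FBC2D: 56 - push esi
"server.dll"+FBC2E: FF 90 4C 05 00 00 - call dword ptr [eax+0000054C]
"server.dll"+FBC34: 89 1E - mov [esi],ebx
"server.dll"+FBC36: 5F - pop edi
"server.dll"+FBC37: 5E - pop esi
"server.dll"+FBC38: 5B - pop ebx
"server.dll"+FBC39: 8B E5 - mov esp,ebp
"server.dll"+FBC3B: 5D - pop ebp
"server.dll"+FBC3C: C2 08 00 - ret 0008
'''

# "module"+HEXOFF: <hex bytes> - <mnemonic>
LINE_RE = re.compile(r'^"[^"]+"\+([0-9A-Fa-f]+):\s+((?:[0-9A-Fa-f]{2}\s)+)-\s+(.*)$')


def parse_listing(text):
    """Return [(offset, raw_bytes, mnemonic)] for each instruction line."""
    instrs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            instrs.append((int(m.group(1), 16),
                           bytes.fromhex(m.group(2).replace(" ", "")),
                           m.group(3).strip()))
    return instrs


def short_branch_targets(instrs):
    """(source, target) for rel8 jumps: EB = jmp short, 70..7F = jcc short.
    The target is computed from the encoding (next instruction + signed rel8),
    not read from the mnemonic text."""
    targets = []
    for off, raw, _ in instrs:
        if len(raw) == 2 and (raw[0] == 0xEB or 0x70 <= raw[0] <= 0x7F):
            rel = raw[1] - 0x100 if raw[1] >= 0x80 else raw[1]
            targets.append((off, off + 2 + rel))
    return targets


def patch_conflicts(instrs, patch_off, patch_len):
    """Branches whose target lands strictly inside [patch_off, patch_off+len):
    after a multi-byte instruction (e.g. a 5-byte jmp) is written there, that
    byte is no longer an instruction boundary and the CPU decodes garbage.
    Returns (source, target, byte index within the patch)."""
    return [(src, tgt, tgt - patch_off)
            for src, tgt in short_branch_targets(instrs)
            if patch_off < tgt < patch_off + patch_len]


def listing_bytes(instrs):
    """Concatenate the listing into one buffer, refusing gaps or overlaps."""
    buf = bytearray()
    expected = instrs[0][0]
    for off, raw, _ in instrs:
        if off != expected:
            raise ValueError(f"listing not contiguous at {off:X}")
        buf += raw
        expected = off + len(raw)
    return bytes(buf)


def aob_count(buf, pattern):
    """Count matches of a space-separated hex AOB pattern ('??' = wildcard)."""
    want = [None if t == "??" else int(t, 16) for t in pattern.split()]
    n = len(want)
    return sum(1 for i in range(len(buf) - n + 1)
               if all(w is None or buf[i + k] == w for k, w in enumerate(want)))


if __name__ == "__main__":
    ins = parse_listing(LISTING)
    print("5-byte jmp at FBC34 :", patch_conflicts(ins, 0xFBC34, 5))
    print("1-byte patch at FBC1F:", patch_conflicts(ins, 0xFBC1F, 1))
    print("AOB hits in listing  :",
          aob_count(listing_bytes(ins), "89 5D 08 3B 02 74 15 8B 81 04 F9 FF FF"))
```

For the first script the check reports the je at FBC1F landing at byte 2 of the patch, i.e. on the last three bytes of the rel32 operand, which is exactly the crash seikur0 describes; for the one-byte opcode swap at FBC1F it reports nothing, because the patched instruction keeps its length and no branch targets the interior of a single byte. Decoding targets from the bytes rather than the text matters when the listing has been trimmed or relocated. To actually settle the uniqueness question, the same `aob_count` would have to be run over the whole module image rather than these 49 bytes.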
Fenekie
Cheater
Posts: 35 Joined: Sun Mar 19, 2017 10:57 pm
Reputation: 10
Post by Fenekie » Sun Oct 29, 2017 3:49 pm
Awesome! Thank you! Now I'm a little bit closer to Cheat Engine knowledge...