How to make "instant" hack that values will change instantly?
Hello People,
I made some hacks for some games like unlimited ammo, unlimited stars and credits, etc. etc., by backtracing and injecting into specific locations in the memory region.
But in almost all my hacks, after activating the hack, for example for credits, you write a value for the credits and activate the script, and your CREDITS won't change until the moment you buy something with credits. When you buy something, then the value of credits changes to the value that you wrote in the script. The same goes for ammo and the other hacks.
My question is what to do, what to change in the script so that after activating a hack the value changes instantly, not after buying something or doing something. Is it possible? If yes, how do I do that? What must I add to my script or what must I change?
If you need to look at my scripts, write and I will share them.
Best Regards,
Marek.
Hi Marek.
You also have to apply some decent logic to what you're asking for. Have you stopped to ask yourself WHY it happens only after you buy stuff or consume ammo? Did it ever occur to you that the reason for this is that the spots where you inject your code are instructions that are executed only on WRITE and not on ACCESS? And by write I mean only when your value would change.
How about you try "find out what accesses this value", instead of "what writes", and use one of those instructions? ;)
Let us know how it worked out.
Last edited by SunBeam on Thu Jan 01, 1970 12:00 am, edited 4 times in total.
Oh my god, why didn't I think like that? I was only thinking about WRITE WRITE WRITE because I had memorized that if a visual value is changing, that means something is WRITING to the value, so I was only thinking about WRITE, not about ACCESSING.
Thanks for the TIP SunBeam.
I will check my scripts like you told me and we will see what happens. I will write later when I check it.
Ok, I checked it. I marked in red the functions which are accessing only when I get credits or when I lose credits. Now what? :p
[img]https://i.imgur.com/Pl65qWh.png[/img]
Last edited by marek1957 on Wed May 09, 2018 11:07 am, edited 2 times in total.
"Now what?" - now write a script at one of the locations that constantly runs, so that when you enable the script your code runs constantly rather than only after something happens.
@marek1957: ACCESS means the instructions also access your value without you doing anything; sure, there will be some that do that only when you consume or use the amount, but for visuals (displaying the amount) you will see that you do nothing - idle - and still get code listed in that debugger window ;) Pick one of those to hook :p Like the one that got hit 4334 times in your picture :P
Last edited by SunBeam on Thu Jan 01, 1970 12:00 am, edited 2 times in total.
The thing I like to do is have the hook at the write instruction, but use the access instruction (one that runs constantly) to just get the address; then in another script you can write to the value with some Lua.
[CODE=cea]//...
[ENABLE]
//...
alloc(memMoneyHook, 0x400, injMoneyHook)
label(ptrMoneyHook)
registerSymbol(ptrMoneyHook)
label(n_code)
label(o_code)
label(exit)
label(return)
memMoneyHook:
ptrMoneyHook:
dd 0
align 10 CC
n_code:
mov [ptrMoneyHook],ebx
o_code:
cmp ecx,[ebx+ABC]
exit:
jmp return
////
//// ---------- Injection Point ----------
injMoneyHook:
jmp n_code
nop
return:
[DISABLE]
//...[/CODE]
[CODE=lua]{$lua}
[ENABLE]
local value = 500
local addr = '[ptrMoneyHook]+ABC'
if syntaxcheck then return end
writeInteger(addr, value + readInteger(addr))
[DISABLE][/CODE]
EDIT:
This way is the "lazy non-reversing" way, so it works; but you won't be known as a "reverser" for this kind of thing.
Last edited by TimFun13 on Wed May 09, 2018 11:50 am, edited 3 times in total.
Sometimes you don't have a choice but to use write-only code. If you're particularly bothered, you can do something like:
- Backtrack and use the caller function, which usually gets hit in real time, but you will need to filter out the rest of the stuff that gets called, or get to your desired address by calculating/fetching the addresses yourself.
- Use some other real-time code that's accessing stuff adjacent to your desired address. For example, you want health to be real-time; stamina might be getting accessed, so you can use that, provided health is adjacent, i.e. the offsets are close.
- Sometimes you can check for random addresses in your health structure that get accessed in real time and offset to health.
- Your health base structure might get accessed in real time.
Lastly, you can create a thread to execute your function. You do need to set the proper params etc.
If you're still at it, learn some decent ASM and create a thread to call in the internal SetHealth or SetMoney functions with parameters ;) :D
Ok guys, I understand all of it, but I am not good at writing scripts; can you help me write an example of a correct script? This will help me understand all of this.
This is the original code of the function which is constantly accessing:
[code]
{ Game : Asphalt8.exe
Version:
Date : 2018-05-09
Author : A101
This script does blah blah blah
}
[ENABLE]
aobscanmodule(INJECT,Asphalt8.exe,3B 47 08 74 0D 51 8B CF E8 6C) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
cmp eax,[edi+08]
je Asphalt8.exe+813C09
jmp return
INJECT:
jmp newmem
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 3B 47 08 74 0D
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Asphalt8.exe"+813BF7
"Asphalt8.exe"+813BD8: C1 E8 10 - shr eax,10
"Asphalt8.exe"+813BDB: 33 C6 - xor eax,esi
"Asphalt8.exe"+813BDD: 69 C8 3B 9F 5D 04 - imul ecx,eax,045D9F3B
"Asphalt8.exe"+813BE3: 8B C1 - mov eax,ecx
"Asphalt8.exe"+813BE5: C1 E8 10 - shr eax,10
"Asphalt8.exe"+813BE8: 33 C1 - xor eax,ecx
"Asphalt8.exe"+813BEA: 69 D0 3B 9F 5D 04 - imul edx,eax,045D9F3B
"Asphalt8.exe"+813BF0: 8B C2 - mov eax,edx
"Asphalt8.exe"+813BF2: C1 E8 10 - shr eax,10
"Asphalt8.exe"+813BF5: 33 C2 - xor eax,edx
// ---------- INJECTING HERE ----------
"Asphalt8.exe"+813BF7: 3B 47 08 - cmp eax,[edi+08]
"Asphalt8.exe"+813BFA: 74 0D - je Asphalt8.exe+813C09
// ---------- DONE INJECTING ----------
"Asphalt8.exe"+813BFC: 51 - push ecx
"Asphalt8.exe"+813BFD: 8B CF - mov ecx,edi
"Asphalt8.exe"+813BFF: E8 6C 5A 90 FF - call Asphalt8.exe+119670
"Asphalt8.exe"+813C04: 5F - pop edi
"Asphalt8.exe"+813C05: 33 C0 - xor eax,eax
"Asphalt8.exe"+813C07: 5E - pop esi
"Asphalt8.exe"+813C08: C3 - ret
"Asphalt8.exe"+813C09: 5F - pop edi
"Asphalt8.exe"+813C0A: 8B C6 - mov eax,esi
"Asphalt8.exe"+813C0C: 5E - pop esi
}[/code]
and this is the original code of the writing function:
[code]
{ Game : Asphalt8.exe
Version:
Date : 2018-05-09
Author : A101
This script does blah blah blah
}
[ENABLE]
aobscanmodule(INJECT,Asphalt8.exe,89 47 08 5F 5E 5B 5D) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
mov [edi+08],eax
pop edi
pop esi
jmp return
INJECT:
jmp newmem
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 89 47 08 5F 5E
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Asphalt8.exe"+11965F
"Asphalt8.exe"+119640: C1 E8 10 - shr eax,10
"Asphalt8.exe"+119643: 33 C2 - xor eax,edx
"Asphalt8.exe"+119645: 69 C8 3B 9F 5D 04 - imul ecx,eax,045D9F3B
"Asphalt8.exe"+11964B: 8B C1 - mov eax,ecx
"Asphalt8.exe"+11964D: C1 E8 10 - shr eax,10
"Asphalt8.exe"+119650: 33 C1 - xor eax,ecx
"Asphalt8.exe"+119652: 69 C8 3B 9F 5D 04 - imul ecx,eax,045D9F3B
"Asphalt8.exe"+119658: 8B C1 - mov eax,ecx
"Asphalt8.exe"+11965A: C1 E8 10 - shr eax,10
"Asphalt8.exe"+11965D: 33 C1 - xor eax,ecx
// ---------- INJECTING HERE ----------
"Asphalt8.exe"+11965F: 89 47 08 - mov [edi+08],eax
"Asphalt8.exe"+119662: 5F - pop edi
"Asphalt8.exe"+119663: 5E - pop esi
// ---------- DONE INJECTING ----------
"Asphalt8.exe"+119664: 5B - pop ebx
"Asphalt8.exe"+119665: 5D - pop ebp
"Asphalt8.exe"+119666: C2 04 00 - ret 0004
"Asphalt8.exe"+119669: CC - int 3
"Asphalt8.exe"+11966A: CC - int 3
"Asphalt8.exe"+11966B: CC - int 3
"Asphalt8.exe"+11966C: CC - int 3
"Asphalt8.exe"+11966D: CC - int 3
"Asphalt8.exe"+11966E: CC - int 3
"Asphalt8.exe"+11966F: CC - int 3
}
[/code]
I would like to learn, but I don't know where I can find good tutorials or info about it. I like to learn by viewing and examining correct examples of scripts. Thanks to that, I can learn how the script is working. This is the best method for me to learn.
I need only a correct script for this function, and then I will learn and study how the script is working, and thanks to the example I will correct all my scripts by myself :-)
But I need a correct example. Without this, I won't learn anything. :-(
Can you provide me a correct example of the script that I want?
Last edited by marek1957 on Wed May 09, 2018 11:53 am, edited 2 times in total.
So first off, having a hard-coded address in the script when using "aobScan" really makes no sense; you might as well just use an address for the injection point. Second, you need to use unique symbols for anything you register with the user symbol list.
"What ever" Hook:
[CODE=cea]{ Game : Asphalt8.exe
Version:
Date : 2018-05-09
Author : Bob
}
[ENABLE]
aobscanmodule(valueAccINJ,Asphalt8.exe,33 C2 3B 47 08 74 0D 51 8B CF E8 6C) // should be unique
registersymbol(valueAccINJ)
alloc(newmem,$1000)
label(code)
label(return)
label(valuePtr)
registersymbol(valuePtr)
newmem:
code:
xor eax,edx
cmp eax,[edi+08]
mov [valuePtr],edi
jmp return
valuePtr:
dd 0
valueAccINJ:
jmp newmem
return:
[DISABLE]
valueAccINJ:
db 33 C2 3B 47 08 // restore the 5 bytes overwritten at +813BF5 (xor eax,edx / cmp eax,[edi+08])
unregistersymbol(valueAccINJ)
unregistersymbol(valuePtr)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Asphalt8.exe"+813BF5
"Asphalt8.exe"+813BD8: C1 E8 10 - shr eax,10
"Asphalt8.exe"+813BDB: 33 C6 - xor eax,esi
"Asphalt8.exe"+813BDD: 69 C8 3B 9F 5D 04 - imul ecx,eax,045D9F3B
"Asphalt8.exe"+813BE3: 8B C1 - mov eax,ecx
"Asphalt8.exe"+813BE5: C1 E8 10 - shr eax,10
"Asphalt8.exe"+813BE8: 33 C1 - xor eax,ecx
"Asphalt8.exe"+813BEA: 69 D0 3B 9F 5D 04 - imul edx,eax,045D9F3B
"Asphalt8.exe"+813BF0: 8B C2 - mov eax,edx
"Asphalt8.exe"+813BF2: C1 E8 10 - shr eax,10
// ---------- INJECTING HERE ----------
"Asphalt8.exe"+813BF5: 33 C2 - xor eax,edx
"Asphalt8.exe"+813BF7: 3B 47 08 - cmp eax,[edi+08]
// ---------- DONE INJECTING ----------
"Asphalt8.exe"+813BFA: 74 0D - je Asphalt8.exe+813C09
"Asphalt8.exe"+813BFC: 51 - push ecx
"Asphalt8.exe"+813BFD: 8B CF - mov ecx,edi //// We know EDI holds the base for the value.
"Asphalt8.exe"+813BFF: E8 6C 5A 90 FF - call Asphalt8.exe+119670 //// This is probably the CALL you were told about
"Asphalt8.exe"+813C04: 5F - pop edi
"Asphalt8.exe"+813C05: 33 C0 - xor eax,eax
"Asphalt8.exe"+813C07: 5E - pop esi
"Asphalt8.exe"+813C08: C3 - ret
"Asphalt8.exe"+813C09: 5F - pop edi
"Asphalt8.exe"+813C0A: 8B C6 - mov eax,esi
"Asphalt8.exe"+813C0C: 5E - pop esi
}[/CODE]
+500 "What ever":
[CODE=lua]{$lua}
[ENABLE]
local value = 500
local addr = '[valuePtr]+8'
if syntaxcheck then return end
writeInteger(addr, value + readInteger(addr))
[DISABLE][/CODE]
Infinite "What ever":
[CODE=cea]{ Game : Asphalt8.exe
Version:
Date : 2018-05-09
Author : Bob
}
[ENABLE]
aobscanmodule(valueWrtINJ,Asphalt8.exe,89 47 08 5F 5E 5B 5D) // should be unique
registersymbol(valueWrtINJ)
valueWrtINJ:
nop
nop
nop
[DISABLE]
valueWrtINJ:
db 89 47 08
unregistersymbol(valueWrtINJ)
{
// ORIGINAL CODE - INJECTION POINT: "Asphalt8.exe"+11965F
"Asphalt8.exe"+119640: C1 E8 10 - shr eax,10
"Asphalt8.exe"+119643: 33 C2 - xor eax,edx
"Asphalt8.exe"+119645: 69 C8 3B 9F 5D 04 - imul ecx,eax,045D9F3B
"Asphalt8.exe"+11964B: 8B C1 - mov eax,ecx
"Asphalt8.exe"+11964D: C1 E8 10 - shr eax,10
"Asphalt8.exe"+119650: 33 C1 - xor eax,ecx
"Asphalt8.exe"+119652: 69 C8 3B 9F 5D 04 - imul ecx,eax,045D9F3B
"Asphalt8.exe"+119658: 8B C1 - mov eax,ecx
"Asphalt8.exe"+11965A: C1 E8 10 - shr eax,10
"Asphalt8.exe"+11965D: 33 C1 - xor eax,ecx
// ---------- INJECTING HERE ----------
"Asphalt8.exe"+11965F: 89 47 08 - mov [edi+08],eax
// ---------- DONE INJECTING ----------
"Asphalt8.exe"+119662: 5F - pop edi
"Asphalt8.exe"+119663: 5E - pop esi
"Asphalt8.exe"+119664: 5B - pop ebx
"Asphalt8.exe"+119665: 5D - pop ebp
"Asphalt8.exe"+119666: C2 04 00 - ret 0004
"Asphalt8.exe"+119669: CC - int 3
"Asphalt8.exe"+11966A: CC - int 3
"Asphalt8.exe"+11966B: CC - int 3
"Asphalt8.exe"+11966C: CC - int 3
"Asphalt8.exe"+11966D: CC - int 3
"Asphalt8.exe"+11966E: CC - int 3
"Asphalt8.exe"+11966F: CC - int 3
}[/CODE]
Last edited by TimFun13 on Wed May 09, 2018 12:17 pm, edited 8 times in total.
You can also do this for the access script:
[CODE=cea]{ Game : Asphalt8.exe
Version:
Date : 2018-05-09
Author : Bob
}
[ENABLE]
aobscanmodule(valueAccINJ,Asphalt8.exe,33 C2 3B 47 08 74 0D 51 8B CF E8 6C) // should be unique
registersymbol(valueAccINJ)
registersymbol(valueToSet)
alloc(newmem,$1000)
label(cheat)
label(orig)
label(return)
label(valueToSet)
newmem:
cheat:
push ecx // Save the value in ecx for later
mov ecx,[valueToSet] // This copies the value we registered to ecx
mov [edi+08],ecx // This will change the value (money for example) to whatever we wrote in valueToSet (default 500)
pop ecx // pop back the value so the code can continue normally
orig:
xor eax,edx
cmp eax,[edi+08]
jmp return
valueToSet:
dd #500 // one dword, decimal 500 (0x1F4)
valueAccINJ:
jmp newmem
return:
[DISABLE]
valueAccINJ:
db 33 C2 3B 47 08 // restore the 5 bytes overwritten at +813BF5 (xor eax,edx / cmp eax,[edi+08])
unregistersymbol(valueAccINJ)
unregistersymbol(valueToSet)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Asphalt8.exe"+813BF5
"Asphalt8.exe"+813BD8: C1 E8 10 - shr eax,10
"Asphalt8.exe"+813BDB: 33 C6 - xor eax,esi
"Asphalt8.exe"+813BDD: 69 C8 3B 9F 5D 04 - imul ecx,eax,045D9F3B
"Asphalt8.exe"+813BE3: 8B C1 - mov eax,ecx
"Asphalt8.exe"+813BE5: C1 E8 10 - shr eax,10
"Asphalt8.exe"+813BE8: 33 C1 - xor eax,ecx
"Asphalt8.exe"+813BEA: 69 D0 3B 9F 5D 04 - imul edx,eax,045D9F3B
"Asphalt8.exe"+813BF0: 8B C2 - mov eax,edx
"Asphalt8.exe"+813BF2: C1 E8 10 - shr eax,10
// ---------- INJECTING HERE ----------
"Asphalt8.exe"+813BF5: 33 C2 - xor eax,edx
"Asphalt8.exe"+813BF7: 3B 47 08 - cmp eax,[edi+08]
// ---------- DONE INJECTING ----------
"Asphalt8.exe"+813BFA: 74 0D - je Asphalt8.exe+813C09
"Asphalt8.exe"+813BFC: 51 - push ecx
"Asphalt8.exe"+813BFD: 8B CF - mov ecx,edi //// We know EDI holds the base for the value.
"Asphalt8.exe"+813BFF: E8 6C 5A 90 FF - call Asphalt8.exe+119670 //// This is probably the CALL you were told about
"Asphalt8.exe"+813C04: 5F - pop edi
"Asphalt8.exe"+813C05: 33 C0 - xor eax,eax
"Asphalt8.exe"+813C07: 5E - pop esi
"Asphalt8.exe"+813C08: C3 - ret
"Asphalt8.exe"+813C09: 5F - pop edi
"Asphalt8.exe"+813C0A: 8B C6 - mov eax,esi
"Asphalt8.exe"+813C0C: 5E - pop esi
}[/CODE]
This will also set the value to 500.
And it will enable you to add the registered value to your table and change it (from 500 to whatever).
The script for the write can stay the same.
EDIT:
Usually you would want the original to be before the cheat section.
It really depends on what the code does.
In this case I just randomly decided to write the cheat first and then the original code, but as you can notice,
we compare the value (let's say it's money) to eax, but just before that I changed the value with the cheat section.
This can cause some bugs/unexpected behavior in the game.
So you might need to switch the sections, or save the original value and compare it with eax.
Last edited by bonzay0 on Wed May 09, 2018 1:10 pm, edited 1 time in total.
Guys, thank you for your help, but your codes are not working at all; with every code that I tried from you, the credits change to 0, and I cannot change them. I found that EDX holds the credits value here:
[code]
{ Game : Asphalt8.exe
Version:
Date : 2018-05-09
Author : A101
This script does blah blah blah
}
[ENABLE]
aobscanmodule(INJECT,Asphalt8.exe,8B CA F7 D1 33 08) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
mov ecx,edx
not ecx
xor ecx,[eax]
jmp return
INJECT:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 8B CA F7 D1 33 08
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Asphalt8.exe"+119634
"Asphalt8.exe"+11961A: 99 - cdq
"Asphalt8.exe"+11961B: F7 F9 - idiv ecx
"Asphalt8.exe"+11961D: 8D 42 01 - lea eax,[edx+01]
"Asphalt8.exe"+119620: 99 - cdq
"Asphalt8.exe"+119621: F7 F9 - idiv ecx
"Asphalt8.exe"+119623: 8B 47 04 - mov eax,[edi+04]
"Asphalt8.exe"+119626: 89 15 40 BC B0 02 - mov [Asphalt8.exe+1A1BC40],edx
"Asphalt8.exe"+11962C: 89 10 - mov [eax],edx
"Asphalt8.exe"+11962E: 8B 47 04 - mov eax,[edi+04]
"Asphalt8.exe"+119631: 8B 55 08 - mov edx,[ebp+08]
// ---------- INJECTING HERE ----------
"Asphalt8.exe"+119634: 8B CA - mov ecx,edx
"Asphalt8.exe"+119636: F7 D1 - not ecx
"Asphalt8.exe"+119638: 33 08 - xor ecx,[eax]
// ---------- DONE INJECTING ----------
"Asphalt8.exe"+11963A: 8B 07 - mov eax,[edi]
"Asphalt8.exe"+11963C: 89 08 - mov [eax],ecx
"Asphalt8.exe"+11963E: 8B C2 - mov eax,edx
"Asphalt8.exe"+119640: C1 E8 10 - shr eax,10
"Asphalt8.exe"+119643: 33 C2 - xor eax,edx
"Asphalt8.exe"+119645: 69 C8 3B 9F 5D 04 - imul ecx,eax,045D9F3B
"Asphalt8.exe"+11964B: 8B C1 - mov eax,ecx
"Asphalt8.exe"+11964D: C1 E8 10 - shr eax,10
"Asphalt8.exe"+119650: 33 C1 - xor eax,ecx
"Asphalt8.exe"+119652: 69 C8 3B 9F 5D 04 - imul ecx,eax,045D9F3B
}
[/code]
When I add the code mov edx,#5000 before mov ecx,edx at "Asphalt8.exe"+119634, it changes the credits to the value 5000 after buying something. So now how do I use this write script with the all-the-time accessing script? But when I tried CHECK WHAT MORE ADDRESSES ACCESS THIS ADDRESS ("Asphalt8.exe"+119634), it shows nothing. Why?
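A reading of the two listings in this post (the setter at +119634 onward and the getter around +813BF7), as an added Python model that is not the game's code and not from any poster: the imul 045D9F3B / shr 10 / xor sequence runs over the new value before `mov [edi+08],eax`, and the getter recomputes the same sequence, compares it with [edi+08] and returns 0 (`xor eax,eax`) on a mismatch, which is consistent with the credits dropping to 0 after a plain number is written into [edi+08]. The three-slot layout, the decode step and the key value are assumptions; the hash constant and the mixing steps are taken from the listings.

```python
# Added model of the protection visible in the two Asphalt8 listings above.
# Not the game's code: the slot layout, the decode step and the key are
# assumptions inferred from the disassembly; the constant 0x045D9F3B and the
# shr 10 / xor / imul sequence are copied from the listings as posted.

MASK = 0xFFFFFFFF
MUL = 0x045D9F3B   # the imul immediate seen at +119645 and +813BDD


def hash32(v):
    """The 32-bit mixer the game runs before 'mov [edi+08],eax' (setter) and
    before 'cmp eax,[edi+08]' (getter): (x >> 16) ^ x, multiply by MUL,
    repeated, everything truncated to 32 bits as the x86 code does."""
    v &= MASK
    a = ((v >> 16) ^ v) & MASK          # shr eax,10 ; xor eax,<value>
    b = (a * MUL) & MASK                # imul ecx,eax,045D9F3B
    c = ((b >> 16) ^ b) & MASK          # shr eax,10 ; xor eax,ecx
    d = (c * MUL) & MASK                # imul ...,eax,045D9F3B
    return ((d >> 16) ^ d) & MASK       # shr eax,10 ; xor eax,...


class ProtectedInt:
    """Assumed layout of the object EDI points at:
       [[edi]]    encoded value  (~value ^ key)   written at +11963C
       [[edi+04]] per-write key                   written at +11962C
       [edi+08]   hash32(value), the integrity check, written at +11965F"""

    def __init__(self, key):
        self.key = key & MASK   # constructed; the game takes it from the idiv remainder
        self.enc = 0
        self.check = 0
        self.store(0)

    def store(self, value):
        """Setter path (+119631..+11965F): edx = new value,
        ecx = ~edx ^ key -> encoded slot, hash32(edx) -> [edi+08]."""
        value &= MASK
        self.enc = ((~value) & MASK) ^ self.key   # not ecx ; xor ecx,[eax]
        self.check = hash32(value)                # mov [edi+08],eax

    def load(self):
        """Getter path (+813BD8..+813C0C): rehash the decoded value and compare
        with [edi+08]; on mismatch the game calls +119670 and returns 0
        (xor eax,eax ; ret), on match it returns the value (mov eax,esi)."""
        value = (~(self.enc ^ self.key)) & MASK   # assumed inverse of store()
        if hash32(value) == self.check:
            return value
        return 0


def demo():
    """Returns (before, after overwriting the hash slot, after the setter)."""
    credits = ProtectedInt(key=0x1234ABCD)        # constructed key
    credits.store(1200)
    before = credits.load()                       # 1200
    # Writing a plain number into [edi+08] (what the '+500' Lua script and the
    # 'mov [edi+08],ecx' hook above do) replaces the hash, not the credits:
    credits.check = 500
    tampered = credits.load()                     # 0: integrity check fails
    # Going through the setter (the 'mov edx,#5000' experiment in this post)
    # updates all three slots consistently:
    credits.store(5000)
    after = credits.load()                        # 5000
    return before, tampered, after


if __name__ == "__main__":
    print(demo())
```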
You are being a bit too specific about your problem.
We all gave you a way to find out and write code that will change the value on a "What Accessing This Address".
I'll try to simplify it a bit:
1) You have the address for money. Let's call the address "MyMoney".
2) You find what accesses it.
3) You check where it's getting the most accesses from (meaning the number doesn't stop going up even if you do nothing).
4) You go to "show disassembler".
5) You create a script that either replaces the address directly with something new (but keep the original code in your script as well)
or you create an AOB script for that section (usually makes updates easier).
In the script you want to change the content of the address. You can debug the code if you need.
Look where "MyMoney" is being accessed from.
Let's say [esi+08] is the "MyMoney" address.
You want to change the value this address is holding ("MyMoney"). So you add code that does just that:
mov [esi+08],#5000 [B]or [/B]add [esi+08],#5000 [B]or [/B]whatever code you want that changes this address.
After that you just run the original code and exit your script (or let the original code run and then your script).
I suggest doing the tutorial as it covers this as well.
EDIT:
Just in case I wasn't clear:
You want the address, not the value.
If you found the address for "MyMoney" to be "10ABCDEF",
[esi+08] also needs to be "10ABCDEF".
It's all in the tutorial, so I again suggest trying it out at least once.
Last edited by bonzay0 on Wed May 09, 2018 4:29 pm, edited 2 times in total.
His problem is he wants this only for Asphalt. Check out his posts as well ;)
BONZAY0 - thank you for this explanation, I understand now. So I must have the same address (for example: "10ABCDEF") for accessing and writing the value, right?
So it is impossible to write a script that if, for example, one address AAAA is accessing the process all the time, then using this accessing address it will make a move to activate the other address, for example BBBB, to write the value? It is not possible to do it that way? That if one address is accessing, then it is activating a completely different address to write a value?
SUNBEAM - yes, I am only using this advice for Asphalt8 because this is the only game that I want to hack :-D It's an old game from 2013 but I like it, and I want to know everything about this game.