Help seperating me from enimes

[pharaon]

^ Find out where ebp+08 gets it value from. Something puts it on the stack, so try to find when it gets pushed.

i mention it in my previous post

mov edx,[ebp-14]
mov [esp],edx
call>>>
push ebp
mov ebp,esp
push ebx
push edi
mov eax,esi
fld dword ptr [ebp+08]

so do you think it been modified before the call of fld dword ptr [ebp+08] ?

[TimFun13]

...
i mention it in my previous post

Code: Select all

mov edx,[ebp-14]
mov [esp],edx
call>>>
       push ebp
       mov ebp,esp
       push ebx
       push edi
       mov eax,esi
       fld dword ptr [ebp+08] 

so do you think it been modified before the call of fld dword ptr [ebp+08] ?

First, temporarily disable your internet connection (disconnect the wire), and make sure it's not coming from a server. Then "see what accesses this address".

Before fld dword ptr [ebp+08] Yes, it has to be; something has to set it. Before the call, no idea; looks like it might be set a little bit before loading the dword to the FPU registry. You'll be looking for an instruction that looks like ??? [esp+??],???, ??? [ebp+??],???, or just a push ??? in the right spot. But you'll want to keep back tracing tell to find where the address is coming from.

But have you looked for a different instruction, you said you used "see what writes" did you try "see what accesses"; it just seems to me that "player gold" would be accessed somewhere else that doesn't access anything else.

[pharaon]

the function have those opcode before that call is made
mov edx,[ebp-14]
mov [esp],edx

so do you think it's one of them??
and if so then which address should i be looking for ?

[TimFun13]

the function have those opcode before that call is made
mov edx,[ebp-14]
mov [esp],edx

so do you think it's one of them??
and if so then which address should i be looking for ?

Could be, but you're the only one you can know which address to look for (your gold address); You should have needed it to find this address.

Let's back up a bit.
So you found your gold address with scanning and you can freeze it with a working effect in game, correct?

If yes, then see what accesses this address (make sure to view menus, buy stuff, sell stuff, pickup gold, and any other actions with gold), and post the results.

[pharaon]

Let's back up a bit.
So you found your gold address with scanning and you can freeze it with a working effect in game, correct?

ok let me explain my situation and i'm asking for kindly some focus

this game have encrypted value

i search for increase/decrease value till i get the address with encrypted value of gold of course the value is different than the displaying since it's encrypted

second step i did was to find out what write tot hat address i got the opcode
mov [edx+ecx*4],eax<<<<which write the encrypted value

so the [ebp+08] is before encryption but i can't separate myself of enemies

that's why i don't know what address i should be looking for in the stack because i don't know exactly what is the address of Gold before encryption

[TimFun13]

...
ok let me explain my situation and i'm asking for kindly some focus

this game have encrypted value

i search for increase/decrease value till i get the address with encrypted value of gold of course the value is different than the displaying since it's encrypted

second step i did was to find out what write tot hat address i got the opcode
mov [edx+ecx*4],eax<<<<which write the encrypted value

so the [ebp+08] is before encryption but i can't separate myself of enemies

that's why i don't know what address i should be looking for in the stack because i don't know exactly what is the address of Gold before encryption

This is the first time you mentioned encrypted values, so I kindly ask for all relevant information.

But big question is do you have the right address, even if it's encrypted you should be able to freeze it with an effect in game.

And it might be easier to reverse the encryption and just decrypt the value somewhere else. If you have the decrypted value you should be able to step though the code and see how it's encrypted.

[pharaon]

This is the first time you mentioned encrypted values, so I kindly ask for all relevant information

what relevant information do you want and i'll provide

But big question is do you have the right address, even if it's encrypted you should be able to freeze it with an effect in game

yes it's the right address and when i change it's value i get totally different value in the display amount of Gold

And it might be easier to reverse the encryption and just decrypt the value somewhere else. If you have the decrypted value you should be able to step though the code and see how it's encrypted

this is the game code

Code: Select all

// ---------- INJECTING HERE ----------
"StrongholdBase.dll"+2CE041: 8B 45 08           -  mov eax,[ebp+08] <<<< this is where my gold and enemies gold is set
"StrongholdBase.dll"+2CE044: 8B 49 78           -  mov ecx,[ecx+78]
// ---------- DONE INJECTING  ----------
"StrongholdBase.dll"+2CE047: 33 C2              -  xor eax,edx <<<<< i think here is where it get encryptet
"StrongholdBase.dll"+2CE049: 8B 97 2C 01 00 00  -  mov edx,[edi+0000012C]
"StrongholdBase.dll"+2CE04F: 5F                 -  pop edi
"StrongholdBase.dll"+2CE050: 84 DB              -  test bl,bl
"StrongholdBase.dll"+2CE052: 89 04 8A           -  mov [edx+ecx*4],eax <<<< this is what write to the address of encrypted Gold value

[TimFun13]

...
what relevant information do you want and i'll provide
...

Like if the value is encrypted, like I said in that sentence. Or if your online. Main thing was you asked for focus, but you seem to be not focusing on what your trying to do. I just throw a similar statement back at you, mostly just fuckin with you.

...

But big question is do you have the right address, even if it's encrypted you should be able to freeze it with an effect in game

yes it's the right address and when i change it's value i get totally different value in the display amount of Gold

So, did you freeze the value, does this freeze the value in game?

...
this is the game code

Code: Select all

// ---------- INJECTING HERE ----------
"StrongholdBase.dll"+2CE041: 8B 45 08           -  mov eax,[ebp+08] <<<< this is where my gold and enemies gold is set
"StrongholdBase.dll"+2CE044: 8B 49 78           -  mov ecx,[ecx+78]
// ---------- DONE INJECTING  ----------
"StrongholdBase.dll"+2CE047: 33 C2              -  xor eax,edx <<<<< i think here is where it get encryptet
"StrongholdBase.dll"+2CE049: 8B 97 2C 01 00 00  -  mov edx,[edi+0000012C]
"StrongholdBase.dll"+2CE04F: 5F                 -  pop edi
"StrongholdBase.dll"+2CE050: 84 DB              -  test bl,bl
"StrongholdBase.dll"+2CE052: 89 04 8A           -  mov [edx+ecx*4],eax <<<< this is what write to the address of encrypted Gold value

So find out what edx is, then you just xor it; like the game is doing. Then find where it reads the value and see how it get's decrypted.

[pharaon]

this opcode
mov eax,[ebp+08]
before the XOR is writing to one address the Gold amount of me and enemies
and i don't know how to the game separate it
when i break point this code i find it each time i step into it write to the same address the Gold amount of each player

i want to know how to separate

[pharaon]

how can i get advantage of FPU
when i check on the one address that all the gold amount of me and enemies been written to
i find my value on the FPU register

1500 is my gold

[pharaon]

So find out what edx is, then you just xor it; like the game is doing. Then find where it reads the value and see how it get's decrypted

can you tell me how to
1- xor edx
2- find where it reads the value
3- see how it get's decrypted

i think i'm not that advanced

[TimFun13]

So find out what edx is, then you just xor it; like the game is doing. Then find where it reads the value and see how it get's decrypted

can you tell me how to
1- xor edx
2- find where it reads the value
3- see how it get's decrypted

i think i'm not that advanced

1: xor edx,??? (learn to use google), but this isn't what I said to do; I said to xor your gold with what's in edx, like the game is doing.
2: Again, "SEE WHAT ACCESSES THIS ADDRESS"; you keep doing see what writes, and I keep telling you to see what accesses.
3: See answer #2, then look with your eye holes, and find what gets xored with it.

... I think you need to step back and take the time to learn some ASM and the basics of programming. Have you done the CE tutorial yet?
...

[pharaon]

... I think you need to step back and take the time to learn some ASM and the basics of programming. Have you done the CE tutorial yet?
i swear i done it

those are what accessing the address of encrypted gold value
6D06DEF9 - 8B 0C 8F - mov ecx,[edi+ecx*4]
6D06E052 - 89 04 8A - mov [edx+ecx*4],eax

so can i get any use of mov ecx,[edi+ecx*4]?

[TimFun13]

^ You asked me how to "xor edx", so no you clearly didn't take any time to learn any ASM. And you seem to be purposely not posting much of any information; until I explicitly tell you to post it, and even then it seems to take a few tries before you finally post it.

Now that you have to read instruction, see what it's xored with; like I already said to do.

[pharaon]

^ You asked me how to "xor edx", so no you clearly didn't take any time to learn any ASM. And you seem to be purposely not posting much of any information; until I explicitly tell you to post it, and even then it seems to take a few tries before you finally post it.

Now that you have to read instruction, see what it's xored with; like I already said to do.

dear ShyTwig16
i'm not noob neither professional, still learning

i know xor eax,edx can be reversed by xor
like xor 5,6 =2
so xor 5,2=6
xor 6,2=5


the point i want to understand from you is the purpose of doing with xor opcode?

so after i get EAX before it being xored that will let me get addresses of gold for all the play so i can change only mine or it wont

because i already have the opcode before it's being xored

the only problem i face since i'm not that professional is that the opcode write to shared address
all the values been written to same address one by time

and the only way i know to separate from enemies is using addresses for each player and do compare in offset throw dissect data or by registers or by stack

i don't know how to separate from one address because i don't know what to compare to