Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
SteveAndrew
Master Cheater
Reputation: 30
Joined: 02 Sep 2012
Posts: 323

Posted: Fri Mar 22, 2013 2:24 pm

Okay, well, so that address you found with a value of '26' is the number of points you have right now, right?

So in that case that code you found mov [edi+cc],eax is the one responsible for writing how many points you have left after it deducts them?

Which is the instruction that you nopped which had the effect you wanted? Was it that one or the other one mov [edi+cc],00000000?

I don't have this game so I'm purely winging this here! lol

If you look at what was in EAX and ECX after that instruction executed (it shows on the bottom of that 'the following opcodes write to blahh..' window, or if you press more information it shows what was in the registers as well)

It appears the game was already moving a value of zero into that memory location [edi+CC], so if that's what the game does normally, that doesn't seem like what you want...

Have you tried moving a different value besides zero in there instead? One would think if you put a value of 26 into eax before that 'mov [edi+cc],eax' instruction executes it would force you to always have 26 points no matter how many you use...

When you said you did a mov eax,0, did you just single line assemble it, or did you actually make an injectable script? (Note: a quick / better way to zero a register is to xor it with itself (example: xor eax,eax), which will make eax zero no matter what it contained before...)

Why I'm asking is because 'mov eax,00000000' is actually a five byte instruction, so there isn't room for it there, and you'll actually (if you select yes, overwrite with nops) be overwriting the 'mov [edi+cc],eax' instruction with nops along with changing that instruction 'add eax,ecx'.

A script like this I mean (presuming that address, 1f9600b3, doesn't change [else you'll have to make an AOBScan version]):
Code:

[enable]
alloc(EndlessSpaceHack,64)
label(EndlessSpaceHackRet)

EndlessSpaceHack:
mov eax,#26 //force a value of 26 into eax register
mov [edi+cc],eax //this is what actually applies it, this should set your points address's value to 26 decimal
jmp EndlessSpaceHackRet

1f9600b3:
jmp EndlessSpaceHack //5-byte jmp written over the 6-byte mov [edi+cc],eax
nop //one nop pads the sixth byte so EndlessSpaceHackRet lands on the next original instruction
EndlessSpaceHackRet:

[disable]

1f9600b3:
mov [edi+cc],eax

dealloc(EndlessSpaceHack)



But really it's okay to nop; you are just saying you don't want to have to scan the value and debug and get back to that address each time, right?

Well, you could do something like this:

Code:

[enable]

1f9600b3:
db 90 90 90 90 90 90 //instruction is 6 bytes so 6 nops

[disable]

1f9600b3:
mov [edi+cc],eax //upon disabling put that instruction back




If the address of that instruction changes, then you could do an aobscan version of the script like this (note: not sure if these bytes are unique enough, since I don't have the game to test it, but if it works and finds the right address it should nop that instruction):

Code:

[enable]
aobscan(EndlessSpaceHackAddress,f2 0f 2c c8 03 c1 89 87 cc 00 00 00)
label(EndlessSpaceHackAddy)
registersymbol(EndlessSpaceHackAddy)

EndlessSpaceHackAddress+6:
EndlessSpaceHackAddy:
db 90 90 90 90 90 90

[disable]

EndlessSpaceHackAddy:
mov [edi+cc],eax

unregistersymbol(EndlessSpaceHackAddy)



See, no hard-coded address there :D

Well I hope this helps!


Oh, and the reason it's +6 in that 'EndlessSpaceHackAddress+6' line is because I started the aob from here:

1F9600AD - F2 0F2C C8 - cvttsd2si ecx,xmm0
1F9600B1 - 03 C1 - add eax,ecx
1F9600B3 - 89 87 CC000000 - mov [edi+000000CC],eax

So the address you hook can be different from where you make your aob from, just be sure to add the correct number of bytes to get to the hook address... (1f9600ad + 6 == 1f9600b3) ;)
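An added example, not code from the post above: a Python version of the aobscan-plus-offset lookup the script relies on, with the uniqueness check the post says it could not verify, plus an integrity check that reports whether the 6-byte mov at the hook address is still intact or has been nopped. The 12-byte pattern, the +6 offset and the 1F9600AD base come from the post; the code buffer is constructed.

```python
# Added example (not from the original post). The AOB, the +6 offset and the
# 1F9600AD base come from the post; the code buffer below is constructed.

BASE = 0x1F9600AD                                  # where the post's AOB starts
AOB = bytes.fromhex("f20f2cc803c18987cc000000")    # cvttsd2si ecx,xmm0 ; add eax,ecx ; mov [edi+cc],eax
PREFIX = AOB[:6]                                   # the two instructions in front of the hook
MOV_EDI_CC_EAX = AOB[6:]                           # 89 87 CC 00 00 00: the 6-byte instruction that gets nopped
NOP6 = b"\x90" * 6


def find_unique(buf: bytes, pattern: bytes) -> int:
    """Offset of pattern in buf; ValueError if absent or if it matches more
    than once (the post notes the bytes may not be unique enough)."""
    first = buf.find(pattern)
    if first < 0:
        raise ValueError("pattern not found")
    if buf.find(pattern, first + 1) >= 0:
        raise ValueError("pattern is not unique")
    return first


def hook_address(buf: bytes, base: int) -> int:
    """Same arithmetic as 'EndlessSpaceHackAddress+6' in the aobscan script."""
    return base + find_unique(buf, AOB) + 6


def nop_instruction(buf: bytes, base: int, addr: int) -> bytes:
    """[enable] step: overwrite the 6-byte mov at addr with six nops, but only
    if the expected bytes are really there (a wrong hit would corrupt code)."""
    off = addr - base
    if buf[off:off + 6] != MOV_EDI_CC_EAX:
        raise ValueError("unexpected bytes at hook address")
    return buf[:off] + NOP6 + buf[off + 6:]


def patch_state(buf: bytes) -> str:
    """Integrity check: find the untouched prefix and classify what follows it.
    Scans on PREFIX because the full AOB no longer matches once the mov is nopped."""
    tail_off = find_unique(buf, PREFIX) + 6
    tail = buf[tail_off:tail_off + 6]
    if tail == MOV_EDI_CC_EAX:
        return "intact"
    if tail == NOP6:
        return "nopped"
    return "modified"


# Constructed sample region: int3 filler, the three instructions, a ret, more filler.
CODE = b"\xcc" * 0x10 + AOB + b"\xc3" + b"\xcc" * 8
CODE_BASE = BASE - 0x10                            # puts the AOB at BASE, as in the post's listing
```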
Post review by lucid: Approve
Posted: Fri Mar 22, 2013 8:03 pm

Thanks for all of your help! Great guy