Chaosis13 (Master Cheater, Reputation: 0)
Joined: 14 Aug 2007 Posts: 372
Posted: Sat Jun 21, 2008 3:34 pm Post subject: AA Script and Pointers
I have this AA script:
Code:
[Enable]
12345678:
add eax, [eax]
[Disable]
12345678:
add al, [eax]
The only problem is the 12345678 address has a pointer, so it changes every time I load the program.
So... If the pointer is at 1111111 with an offset of 1234, how can I write my script to do this? (Change the assembly code at the address that the pointer is pointing to...)
Thanks in advance.
Symbol (I'm a spammer, Reputation: 0)
Joined: 18 Apr 2007 Posts: 5094 Location: Israel.
Posted: Sat Jun 21, 2008 3:56 pm
Why would a pointer value be accessed?
It should be written to/read from, you probably mean 12345678 is a dynamic address.
Try using the module name, let's say game.exe base address is 10000000, so you could write:
game.exe+2345678:
add eax,[eax]
or you could find out what calls 12345678 (or jumps to) and make your code cave there.
Chaosis13 (Master Cheater, Reputation: 0)
Joined: 14 Aug 2007 Posts: 372
Posted: Sat Jun 21, 2008 4:02 pm
Yes, 12345678 is dynamic, a pointer changes it. I know the pointer and the offset, but I need to then make a script to find the place the pointer is pointing to with the offset, and then be able to change the assembly code at that address.
Symbol (I'm a spammer, Reputation: 0)
Joined: 18 Apr 2007 Posts: 5094 Location: Israel.
Posted: Sat Jun 21, 2008 4:15 pm
You could write the memory to memory you allocated and then copy it.
I'd do something like this:
Code:
Alloc(Temp, 64)
Alloc(CopyMemory, 128)
CreateThread(CopyMemory)
Temp:
add al,[eax]
nop
push 2
pop ecx
//Your memory
CopyMemory:
mov esi,Temp
mov edi,[11111111] //load the pointer's current value
lea edi,[edi+1234] //add the offset: edi now holds the dynamic address
mov ecx,10 //64 divided by 4 = 16 = 0x10 (AA numbers are hex); this copies all 64 bytes of Temp, including any unused padding after your instructions
rep movsd
push 0
call ExitThread
Chaosis13 (Master Cheater, Reputation: 0)
Joined: 14 Aug 2007 Posts: 372
Posted: Sat Jun 21, 2008 4:18 pm
I will try this... I don't know if this will work, no offense. What happens to the esi register then?
__________________
EDIT:
I tried your script; it didn't work unedited (except for changing addresses), and it crashed the program. I then changed some stuff to make it work; it still crashed it.
HELP!
Symbol (I'm a spammer, Reputation: 0)
Joined: 18 Apr 2007 Posts: 5094 Location: Israel.
Posted: Sat Jun 21, 2008 4:32 pm
movsd (or movsb/movsw) is like writing:
Code:
mov temp,dword ptr ds:[esi] //temp: a pseudo-register, just for illustration
mov dword ptr ds:[edi],temp
add esi,4
add edi,4
dec ecx //the decrement comes from the rep prefix, not from movsd itself
or in short:
Code:
mov dword ptr ds:[edi],dword ptr ds:[esi]
and then adds 4 to both. (movsb uses a byte and adds 1 to each, while movsw uses a word and adds 2.)
rep (repeat) command uses the counter register (ecx) to loop; it exits the loop when ecx is 0.
rep movsd/b is used to copy data quickly.
You could also simply use memset:
Code:
Alloc(Temp, 64)
Alloc(CopyMemory, 128)
CreateThread(CopyMemory)
Temp:
add al,[eax]
nop
push 2
pop ecx
//Your memory
CopyMemory:
push #64 //Size (# = decimal in AA); all 64 bytes of Temp are written to the target
push Temp //Source
mov eax,[11111111]
lea eax,[eax+1234]
push eax //Destination
call memcpy //memcpy(dest, src, size); memset takes a fill byte, not a source pointer
add esp,C //cdecl: the caller removes the three arguments
push 0
call ExitThread
But I just preferred movsd.
Edit: sorry, I didn't push parameters in the opposite order... fixed now.
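The pointer-plus-offset patch asked for in the first post and the rep movsd expansion in the post above, replayed as an added C example that is not from the original thread: a constructed 256-byte toy image stands in for process memory, PTR_SLOT, PTR_OFFSET and TEMP are placeholders for [11111111], +1234 and Alloc(Temp, 64) (scaled down to fit), Alloc is assumed to zero-fill, and a 64-byte run of nops is constructed to stand in for the original code. It follows the pointer, adds the offset, and copies the staged patch with the same load/store/advance/decrement loop the post describes, then counts how many bytes of the target region were damaged. With `mov ecx,10` (hex, so 16 dwords, as in the script) all 64 bytes of Temp land on the target, so 58 bytes of code after the 6-byte patch are overwritten with Temp's zero padding; a dword count sized to the patch still clobbers the two bytes needed to round up to a whole dword, and rep movsb with the exact byte count leaves the rest intact.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy "process memory": a 256-byte image indexed by small offsets that play
 * the role of 32-bit virtual addresses (constructed for this example). */
#define MEM_SIZE   256u
#define PTR_SLOT   0x10u  /* placeholder for the pointer at [11111111] */
#define PTR_OFFSET 0x20u  /* placeholder for the +1234 offset         */
#define TEMP       0x40u  /* placeholder for Alloc(Temp, 64)          */
#define TEMP_SIZE  64u
#define ORIG_FILL  0x90u  /* nop: constructed filler for the original code */

static uint8_t mem[MEM_SIZE];

/* The bytes the AA script stages at Temp: add al,[eax]; nop; push 2; pop ecx */
static const uint8_t patch[] = {0x02, 0x00, 0x90, 0x6A, 0x02, 0x59};
#define PATCH_LEN ((uint32_t)sizeof patch)

/* mov reg,[a] and mov [a],reg on the toy image (little-endian dwords). */
static uint32_t read_dword(uint32_t a) {
    return (uint32_t)mem[a] | ((uint32_t)mem[a + 1] << 8) |
           ((uint32_t)mem[a + 2] << 16) | ((uint32_t)mem[a + 3] << 24);
}
static void write_dword(uint32_t a, uint32_t v) {
    mem[a]     = (uint8_t)v;         mem[a + 1] = (uint8_t)(v >> 8);
    mem[a + 2] = (uint8_t)(v >> 16); mem[a + 3] = (uint8_t)(v >> 24);
}

/* mov edi,[PTR_SLOT]; lea edi,[edi+PTR_OFFSET]: follow the pointer, add the offset. */
static uint32_t resolve_target(void) {
    return read_dword(PTR_SLOT) + PTR_OFFSET;
}

/* Lay out the image: the pointer currently holds 0x60 (its "dynamic" value),
 * 64 bytes of original code sit at the resolved target, and Temp holds the
 * patch followed by zero padding (Alloc is assumed to zero-fill). */
static uint32_t setup(void) {
    memset(mem, 0, sizeof mem);
    write_dword(PTR_SLOT, 0x60u);
    uint32_t target = resolve_target();           /* 0x60 + 0x20 = 0x80 */
    memset(&mem[target], ORIG_FILL, TEMP_SIZE);
    memcpy(&mem[TEMP], patch, PATCH_LEN);
    return target;
}

/* rep movsd (unit 4) / rep movsb (unit 1) as expanded in the post: copy one
 * unit from [esi] to [edi], advance both, decrement ecx, stop when it hits 0. */
static void rep_movs(uint32_t esi, uint32_t edi, uint32_t ecx, uint32_t unit) {
    while (ecx != 0) {
        if (unit == 4) write_dword(edi, read_dword(esi));
        else           mem[edi] = mem[esi];
        esi += unit; edi += unit; ecx--;
    }
}

/* Run the copy with the given ecx and unit size, then count bytes of the
 * 64-byte target region that hold neither the intended patch nor the original
 * code, i.e. bytes the copy damaged or left unpatched. */
static uint32_t bad_bytes_after_copy(uint32_t ecx, uint32_t unit) {
    uint32_t target = setup();
    rep_movs(TEMP, target, ecx, unit);
    uint32_t bad = 0;
    for (uint32_t i = 0; i < TEMP_SIZE; i++) {
        uint8_t expect = (i < PATCH_LEN) ? patch[i] : ORIG_FILL;
        if (mem[target + i] != expect) bad++;
    }
    return bad;
}

int main(void) {
    printf("target resolves to 0x%02X\n", setup());
    printf("mov ecx,10 (hex: 16 dwords, all of Temp): %u bytes damaged\n",
           bad_bytes_after_copy(0x10, 4));
    printf("ecx=2 dwords (8 bytes): %u bytes damaged by Temp's zero padding\n",
           bad_bytes_after_copy(2, 4));
    printf("ecx=1 dword (4 bytes): %u patch bytes never copied\n",
           bad_bytes_after_copy(1, 4));
    printf("rep movsb with ecx=6: %u bytes damaged\n",
           bad_bytes_after_copy(6, 1));
    return 0;
}
```

The count passed in ecx, not the size of the allocation, decides how much of the target gets rewritten; staging exactly the bytes to write and copying exactly that many (or padding Temp with the target's own trailing bytes when rounding up to dwords) is what keeps the surrounding code intact.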
Chaosis13 (Master Cheater, Reputation: 0)
Joined: 14 Aug 2007 Posts: 372
Posted: Sat Jun 21, 2008 4:56 pm
kk ty, I will try that. And thank you for explaining.
I was gone for a bit, and may be again... It may take a while for me to test it.
________________________
EDIT:
It still doesn't work.... =(
I will try some experimenting though...
Labyrnth (Moderator, Reputation: 9)
Joined: 28 Nov 2006 Posts: 6285
Posted: Sat Jun 21, 2008 9:00 pm
Symbol wrote:
Why would a pointer value be accessed?
It should be written to/read from, you probably mean 12345678 is a dynamic address.
Try using the module name, let's say game.exe base address is 10000000, so you could write:
game.exe+2345678:
add eax,[eax]
or you could find out what calls 12345678 (or jumps to) and make your code cave there.
Personally I would do it this way, mate...
Symbol (I'm a spammer, Reputation: 0)
Joined: 18 Apr 2007 Posts: 5094 Location: Israel.
Posted: Sun Jun 22, 2008 5:22 am
He said it didn't work, so I showed him other ways.
Chaosis13 (Master Cheater, Reputation: 0)
Joined: 14 Aug 2007 Posts: 372
Posted: Sun Jun 22, 2008 10:57 am
Well... If I didn't explain it well... I want to change the value at the address a pointer is pointing to with an offset.
I am still trying to learn more and try new things. I will post my code if I ever get it right. =P
The thing is I don't want to edit the scripts every time I load the game.
EDIT:
HOLY SHIT! I tried your idea, Labyrnth, and it made a script that didn't work... It did something 100x better. I might be able to teleport now without the server detecting it, and other cool stuff. lol.
Symbol (I'm a spammer, Reputation: 0)
Joined: 18 Apr 2007 Posts: 5094 Location: Israel.
Posted: Sun Jun 22, 2008 11:59 am
Oh, now I understand, you could use a thread or make a code cave where the pointer is being read from/written to.
Labyrnth (Moderator, Reputation: 9)
Joined: 28 Nov 2006 Posts: 6285
Posted: Sun Jun 22, 2008 6:34 pm
Chaosis13 wrote:
I tried your idea, Labyrnth, and it made a script that didn't work... It did something 100x better. I might be able to teleport now without the server detecting it, and other cool stuff. lol.
That wasn't my idea, mate; Symbol posted that, I just quoted him.