| View previous topic :: View next topic |
| Author |
Message |
Hieroglyphics
I post too much
 Reputation: 0
Joined: 06 Dec 2007
Posts: 2007
Location: Your bedroom
|
 Posted: Tue Jul 29, 2008 3:22 pm Post subject: [C++] mrBOT DLL with SOURCE! |
 |
|
First thing I have released, I made a trainer for Ghost Online here. Which was my first real project I tried making a trainer before but it sucked :\ For this I just took out all of the hacks real quick and I am going on vacation tomorow so thought I may as well release this.
_________________
|
|
| Back to top |
|
 |
&Vage
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Jul 2008
Posts: 1053
|
| Posted: Tue Jul 29, 2008 4:00 pm Post subject: |
|
|
| Code: |
static const FARPROC VPX = (FARPROC)((DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualProtectEx")+5);
DWORD oldp = 0;
PDWORD oldprot = &oldp;
#define JMP(frm, to) (int)(((int)to - (int)frm) - 5);
DWORD dwBytesWritten;
_declspec(naked) BOOL WINAPI FixMemEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect) {
_asm {
mov edi,edi
push ebp
mov ebp,esp
jmp VPX
}
} |
Useless shit?
|
|
| Back to top |
|
|
Hieroglyphics
I post too much
Reputation: 0
Joined: 06 Dec 2007
Posts: 2007
Location: Your bedroom
|
| Posted: Tue Jul 29, 2008 4:20 pm Post subject: |
|
|
I just took shit out of my trainer though took me less than 5 minutes, I don't care bout the useless shit.
_________________
|
|
| Back to top |
|
|
Slugsnack
Grandmaster Cheater Supreme
![]() Reputation: 71
Joined: 24 Jan 2007
Posts: 1857
|
| Posted: Sat Aug 02, 2008 3:31 am Post subject: |
|
|
| Why do people always feel inclined to add the "mov edi, edi" when trampolining ?! It does nothing.
|
|
| Back to top |
|
|
DeletedUser14087
I post too much
![]() Reputation: 2
Joined: 21 Jun 2006
Posts: 3069
|
| Posted: Sat Aug 02, 2008 4:45 am Post subject: |
|
|
| Slugsnack wrote: | | Why do people always feel inclined to add the "mov edi, edi" when trampolining ?! It does nothing. |
to verify it's 5 byte(s) long.
|
|
| Back to top |
|
|
DoomsDay
Grandmaster Cheater
 Reputation: 0
Joined: 06 Jan 2007
Posts: 768
Location: %HomePath%
|
| Posted: Sat Aug 02, 2008 8:47 am Post subject: |
|
|
| Rot1 wrote: | | Slugsnack wrote: | | Why do people always feel inclined to add the "mov edi, edi" when trampolining ?! It does nothing. |
to verify it's 5 byte(s) long. |
What's the logic about that? The instruction was added to make hooking easier, and to identify the libraries.
|
|
| Back to top |
|
|
Zand
Master Cheater
![]() Reputation: 0
Joined: 21 Jul 2006
Posts: 424
|
| Posted: Sat Aug 02, 2008 11:00 pm Post subject: |
|
|
| Without mov edi, edi it doesn't work.
|
|
| Back to top |
|
|
DoomsDay
Grandmaster Cheater
Reputation: 0
Joined: 06 Jan 2007
Posts: 768
Location: %HomePath%
|
| Posted: Sun Aug 03, 2008 2:43 am Post subject: |
|
|
| Zand wrote: | | Without mov edi, edi it doesn't work. |
Lets go forward with that one 
Prove it!
|
|
| Back to top |
|
|
Zand
Master Cheater
![]() Reputation: 0
Joined: 21 Jul 2006
Posts: 424
|
| Posted: Sun Aug 03, 2008 2:56 am Post subject: |
|
|
| You can either code a sample DLL that does hookhop without "mov edi, edi" to prove it, or take my word for it. The instruction was in the original function, so it follows to replicate the first 5 bytes of the original instruction you would have to have "mov edi, edi". I'm not completely sure, but the last time I tried hookhop without that instruction it didn't work.
|
|
| Back to top |
|
|
Cx
Master Cheater
 Reputation: 0
Joined: 27 Jul 2007
Posts: 367
|
|
| Back to top |
|
|
Symbol
I'm a spammer
![]() Reputation: 0
Joined: 18 Apr 2007
Posts: 5094
Location: Israel.
|
| Posted: Wed Aug 20, 2008 7:47 am Post subject: |
|
|
| Rot1 wrote: | | Slugsnack wrote: | | Why do people always feel inclined to add the "mov edi, edi" when trampolining ?! It does nothing. |
to verify it's 5 byte(s) long. |
He means, what's the point of adding "mov edi,edi" IN the hook? the only reason APIs starts with "mov edi,edi" is to make hooking easier, because most of the APIs starts by pushing ebp and storing esp in ebp (to save the stack address when the API was called), you could replace "mov edi,edi" with any other 2 bytes, xor eax,eax, 2 NOPs, push eax & pop eax...
|
|
| Back to top |
|
|
Slugsnack
Grandmaster Cheater Supreme
![]() Reputation: 71
Joined: 24 Jan 2007
Posts: 1857
|
| Posted: Thu Aug 21, 2008 1:54 am Post subject: |
|
|
Sorry if I was unclear, I meant there is no point in putting that instruction into the trampoline. It does nothing. It's just like writing in 2 NOPs instead. And Zand, you are wrong, trampolining works perfectly without the "mov edi, edi" since that instruction does nothing.
I know its purpose in normal functions already (hot patching).
|
|
| Back to top |
|
|
pkedpker
Master Cheater
![]() Reputation: 1
Joined: 11 Oct 2006
Posts: 412
|
| Posted: Thu Aug 21, 2008 5:38 pm Post subject: |
|
|
it does do something it moves the edi back into the edi.. so it moves it self back to it self i think so but it does something doesn't do nothing.. it still processes the command now replacing it with nops will make it looks messier though.. like
mov edi, edi is like correct me im wrong but its like gonna be omg. like man lemme do this.. 2 NOPS! man.. thats heavy
_________________
|
|
| Back to top |
|
|
HalfPrime
Grandmaster Cheater
![]() Reputation: 0
Joined: 12 Mar 2008
Posts: 532
Location: Right there...On your monitor
|
| Posted: Thu Aug 21, 2008 5:56 pm Post subject: |
|
|
| Code: | _asm {
mov edi,edi
push ebp
mov ebp,esp
jmp VPX
} |
is equal to
| Code: | _asm {
push ebp
mov ebp,esp
jmp VPX
} |
from the program's view.
Why do you think they used that command for hotpatching? Because it does nothing and wouldn't change anything. Like saying varx=varx;.
_________________
|
|
| Back to top |
|
|
Slugsnack
Grandmaster Cheater Supreme
![]() Reputation: 71
Joined: 24 Jan 2007
Posts: 1857
|
| Posted: Fri Aug 22, 2008 1:44 am Post subject: |
|
|
| pkedpker wrote: | it does do something it moves the edi back into the edi.. so it moves it self back to it self i think so but it does something doesn't do nothing.. it still processes the command now replacing it with nops will make it looks messier though.. like
mov edi, edi is like correct me im wrong but its like gonna be omg. like man lemme do this.. 2 NOPS! man.. thats heavy |
I hope you do realise that a NOP is XCHNG EAX, EAX. So you can say a NOP 'does do something' too..
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
