deama1234 Master Cheater Reputation: 3
Joined: 20 Dec 2014 Posts: 328
Posted: Mon Aug 31, 2015 6:33 pm Post subject: Create a thread inside an injected script?
So, let's say I got something like:
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem:
add [ebx+00000480],01
originalcode:
//sub [ebx+00000480],eax
exit:
jmp returnhere
"Tutorial-i386.exe"+24FFB:
jmp newmem
nop
returnhere:
[DISABLE]
dealloc(newmem)
"Tutorial-i386.exe"+24FFB:
sub [ebx+00000480],eax
//Alt: db 29 83 80 04 00 00
how would I create a thread in there that would execute the "add" instruction repeatedly?
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Mon Aug 31, 2015 7:10 pm
Your thread would need to hardcode the value of EBX so it can repeatedly have access to the intended variable.
The better choice would be to find something that accesses the variable constantly already.
Then you inject your addition into that location so it runs repeatedly.
Otherwise, you might as well use:
Code:
[ENABLE]
{$lua}
timer_addr = 0x00000000
timer=createTimer(nil)
timer.Interval = 3000
timer.OnTimer = function(timer)
writeInteger(timer_addr, readInteger(timer_addr) + 1)
end
timer.Enabled = true
{$asm}
[DISABLE]
{$lua}
timer.Enabled = false
timer.Destroy()
timer = nil
{$asm}
Gniarf Grandmaster Cheater Supreme Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Mon Aug 31, 2015 7:13 pm
One method:
1-Add and activate this script.
2-Add address manually, type "StopIncreasing" in the address field, type=single byte.
3-Get hit once, so the script stores the address.
4-Profit.
5-Set StopIncreasing to 1 and wait more than 20ms.
6-Deactivate script. Skipping step 5 would cause a crash.
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(WorkerFunction)
label(WorkerFunction_LoopingPoint)
label(AddressToIncrease)
label(StopIncreasing)
registersymbol(StopIncreasing)
createthread(WorkerFunction) //create the worker thread
newmem:
//add [ebx+00000480],01
push eax //temporarily save eax
lea eax,[ebx+480] //set eax=ebx+480
mov dword [AddressToIncrease],eax //save eax=ebx+480 in AddressToIncrease
pop eax //restore eax
originalcode:
//sub [ebx+00000480],eax
exit:
jmp returnhere
AddressToIncrease:
dd 0
StopIncreasing:
db 0
WorkerFunction: //this function will be executed by the worker thread, it increases [[AddressToIncrease]] by 1
push 100 //wait 100ms
call Sleep
mov edi,dword [AddressToIncrease] //load in edi the address we want to increase
test edi,edi //did we set AddressToIncrease yet?
jz WorkerFunction //jump if not
WorkerFunction_LoopingPoint:
inc dword [edi]
push 20 //pause a bit at each loop or the thread will use 100% cpu
call Sleep
test byte [StopIncreasing],1 //check whether StopIncreasing has been set to 1
jz WorkerFunction_LoopingPoint //jump to WorkerFunction_LoopingPoint if StopIncreasing is 0
retn
"Tutorial-i386.exe"+24FFB:
jmp newmem
nop
returnhere:
[DISABLE]
dealloc(newmem)
"Tutorial-i386.exe"+24FFB:
sub [ebx+00000480],eax
//Alt: db 29 83 80 04 00 00
unregistersymbol(StopIncreasing)
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
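The worker-thread pattern in the script above, written out as an added example in portable C (this is not code from the thread or from Cheat Engine) so the lifetime hazard behind steps 5 and 6 can be run and observed. The hooked instruction is simulated by a plain function call, the game object is a constructed struct whose field at offset 0x480 stands in for [ebx+00000480], and the two shared slots mirror AddressToIncrease and StopIncreasing. The shutdown order is the point: raise the flag, wait for the thread to exit, and only then free anything the thread could still touch. It also goes one step beyond the script by honouring the stop flag while still waiting for an address, so deactivating before the hook ever fired does not hang.

```c
#define _DEFAULT_SOURCE
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Constructed stand-in for the game's object: the field at offset 0x480
 * plays the role of [ebx+00000480] in the script. */
typedef struct {
    unsigned char pad[0x480];
    atomic_uint value;
} GameObject;

/* Shared slots, mirroring AddressToIncrease and StopIncreasing. */
static _Atomic(atomic_uint *) address_to_increase = NULL;
static atomic_int stop_increasing = 0;

/* Plays the role of the hooked instruction: when the game touches the
 * object, the hook records the address the worker should use. */
void hook_record_address(GameObject *obj)
{
    atomic_store(&address_to_increase, &obj->value);
}

/* The worker thread (WorkerFunction). Unlike the script, it also checks the
 * stop flag while waiting for an address, so shutdown cannot hang. */
static void *worker(void *unused)
{
    (void)unused;
    atomic_uint *target;
    while ((target = atomic_load(&address_to_increase)) == NULL) {
        if (atomic_load(&stop_increasing))
            return NULL;
        usleep(100 * 1000);          /* push 100 / call Sleep */
    }
    while (!atomic_load(&stop_increasing)) {
        atomic_fetch_add(target, 1); /* inc dword [edi] */
        usleep(20 * 1000);           /* push 20 / call Sleep */
    }
    return NULL;
}

/* Step 5 then step 6, in that order: set StopIncreasing, wait for the
 * thread to leave its loop, and only then release memory. Freeing first
 * is exactly the crash the post warns about. */
static void stop_and_join(pthread_t th)
{
    atomic_store(&stop_increasing, 1);
    pthread_join(th, NULL);
}

/* Runs the whole scenario: start the worker, optionally fire the hook once
 * (step 3), let it run for run_ms, stop cleanly, and return the value the
 * worker reached. With fire_hook == 0 the value stays 0 and the call must
 * still return promptly. */
unsigned run_scenario(unsigned run_ms, int fire_hook)
{
    GameObject *obj = calloc(1, sizeof *obj);
    atomic_store(&address_to_increase, NULL);
    atomic_store(&stop_increasing, 0);

    pthread_t th;
    pthread_create(&th, NULL, worker, NULL);

    if (fire_hook)
        hook_record_address(obj);
    usleep(run_ms * 1000);

    stop_and_join(th);                 /* worker is gone after this line */
    unsigned result = atomic_load(&obj->value);
    free(obj);                         /* safe only because we joined first */
    return result;
}

int main(void)
{
    printf("value after 300 ms of incrementing: %u\n", run_scenario(300, 1));
    printf("value when the hook never fired:    %u\n", run_scenario(50, 0));
    return 0;
}
```

Build with the pthread library available (on older toolchains add -lpthread). The second scenario is the one the script does not cover: its worker keeps jumping back to WorkerFunction while AddressToIncrease is 0 and never reads StopIncreasing, so deactivating a script that was never "hit" would dealloc code a sleeping thread is about to return into.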
deama1234 Master Cheater Reputation: 3
Joined: 20 Dec 2014 Posts: 328
Posted: Mon Aug 31, 2015 7:29 pm
Is there a way for it to not wait for "ebx" to receive the address? Like, once I enable the script it straight up starts to increment the "[ebx+480]"? I guess, force it to execute?
Gniarf Grandmaster Cheater Supreme Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Mon Aug 31, 2015 7:38 pm
If you know what ebx+480 is at this point of the code, then you can set AddressToIncrease to that value and the thread will immediately start increasing.
Otherwise if you don't know what ebx+480 points to and don't know how to find it, then the thread cannot know it either.
deama1234 Master Cheater Reputation: 3
Joined: 20 Dec 2014 Posts: 328
Posted: Mon Aug 31, 2015 7:53 pm
Alright; cheers.
Gniarf Grandmaster Cheater Supreme Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Mon Aug 31, 2015 7:58 pm
Did you understand why?
'Coz if you didn't I can try to explain.
deama1234 Master Cheater Reputation: 3
Joined: 20 Dec 2014 Posts: 328
Posted: Mon Aug 31, 2015 8:35 pm
Oh yeah, I understand; was hoping maybe that'd be some crazy workaround I missed or couldn't think of lol.