Cestra (Newbie cheater, Reputation: 0, Joined: 03 Jun 2016, Posts: 14)
Posted: Mon Jun 27, 2016 6:22 am   Post subject: call/ret game crashes
The jump version works, but when I try it with call it crashes instantly. What is wrong?
script:
Code:
money:
call newmem
newmem:
push ecx
add eax,20
cmp eax,ecx
jne +A //code
mov [edi+930],0
code:
push eax
ret
inject:
Code:
{
// ORIGINAL CODE - INJECTION POINT: "game.exe"+AD6187
"game.exe"+AD616A: 3B C2 - cmp eax,edx
"game.exe"+AD616C: 73 05 - jae game.exe+AD6173
"game.exe"+AD616E: 8B 1C 83 - mov ebx,[ebx+eax*4]
"game.exe"+AD6171: EB 02 - jmp game.exe+AD6175
"game.exe"+AD6173: 33 DB - xor ebx,ebx
"game.exe"+AD6175: 8B CF - mov ecx,edi
"game.exe"+AD6177: E8 74 D7 ED FF - call game.exe+9B38F0
"game.exe"+AD617C: 8D 48 24 - lea ecx,[eax+24]
"game.exe"+AD617F: E8 2C 2E C5 FF - call game.exe+728FB0
"game.exe"+AD6184: 8D 4E 20 - lea ecx,[esi+20]
// ---------- INJECTING HERE ----------
"game.exe"+AD6187: 51 - push ecx
"game.exe"+AD6188: 83 C0 20 - add eax,20
"game.exe"+AD618B: 50 - push eax
// ---------- DONE INJECTING ----------
"game.exe"+AD618C: E8 DF 2D DD FF - call game.exe+8A8F70
"game.exe"+AD6191: 83 C4 08 - add esp,08
"game.exe"+AD6194: 84 C0 - test al,al
"game.exe"+AD6196: 74 5F - je game.exe+AD61F7
"game.exe"+AD6198: F3 0F 10 87 30 09 00 00 - movss xmm0,[edi+00000930]
"game.exe"+AD61A0: F3 0F 11 44 24 48 - movss [esp+48],xmm0
"game.exe"+AD61A6: F3 0F 10 87 5C 09 00 00 - movss xmm0,[edi+0000095C]
"game.exe"+AD61AE: 8B CF - mov ecx,edi
"game.exe"+AD61B0: F3 0F 11 44 24 40 - movss [esp+40],xmm0
"game.exe"+AD61B6: E8 35 D7 ED FF - call game.exe+9B38F0
}
hhhuut (Grandmaster Cheater, Reputation: 6, Joined: 08 Feb 2015, Posts: 607)
Posted: Mon Jun 27, 2016 6:26 am
The "ret" instruction takes the address it is supposed to return to from the stack. By pushing two registers (ecx and eax) onto the stack without popping them later you modify the stack and cause the program to return to probably some value ...
zm0d (Master Cheater, Reputation: 7, Joined: 06 Nov 2013, Posts: 423)
Posted: Mon Jun 27, 2016 6:44 am
Cestra wrote:
> money:
> call newmem
Use jmp instead of call.
Code:
cmp eax,ecx
jne +A //code
What is this "+A" doing?
Cestra (Newbie cheater, Reputation: 0, Joined: 03 Jun 2016, Posts: 14)
Posted: Mon Jun 27, 2016 7:04 am
zm0d wrote:
> Use jmp instead of call.
> Code:
> cmp eax,ecx
> jne +A //code
> What is this "+A" doing?
It is the same as jne code.
hhhuut wrote:
> The "ret" instruction takes the address it is supposed to return to from the stack. By pushing two registers (ecx and eax) onto the stack without popping them later you modify the stack and cause the program to return to probably some value ...
Thanks, I understand. I'll try another way or keep using jump.
zm0d (Master Cheater, Reputation: 7, Joined: 06 Nov 2013, Posts: 423)
Posted: Mon Jun 27, 2016 7:13 am
What do you mean by "same jne code"? Where do you jump to?
hhhuut (Grandmaster Cheater, Reputation: 6, Joined: 08 Feb 2015, Posts: 607)
Posted: Mon Jun 27, 2016 7:25 am
He means that the instruction "mov [edi+930],0" is 10 bytes long, so "jne +A" jumps 10 bytes further, which is why it'd be the same as "jne code".
But I'm also curious why the hell you'd write jne +A instead of jne code ^^
Cestra (Newbie cheater, Reputation: 0, Joined: 03 Jun 2016, Posts: 14)
Posted: Mon Jun 27, 2016 7:43 am
hhhuut wrote:
> He means that the instruction "mov [edi+930],0" is 10 bytes long, so "jne +A" jumps 10 bytes further, which is why it'd be the same as "jne code".
> But I'm also curious why the hell you'd write jne +A instead of jne code ^^
OK hhhuut. I found one more way, but it crashes again.
Code:
newmem:
cmp ecx,edx
je code
mov [edi+930],0
code:
add esp,08
test al,al
ret
hhhuut (Grandmaster Cheater, Reputation: 6, Joined: 08 Feb 2015, Posts: 607)
Posted: Mon Jun 27, 2016 7:51 am
"add esp,08" is still modifying the stack, that's why it keeps crashing.
As zm0d suggested, best use jumps instead of calls; it's much more reliable (that's why CE uses them too).
If you're just trying to understand what the difference is, could you please let CE generate a script at the address you want to inject something, so that we can see what the original code is and understand what you're trying to do?
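The stack behaviour hhhuut describes in both replies can be checked with a tiny model of the x86 stack. The following is an added example, not code from the thread or from Cheat Engine. It models only the injection point from the listing above (the game originally runs push ecx / add eax,20 / push eax and then calls a function that expects those two dwords on the stack, with execution resuming at "game.exe"+AD618C). The register values and the starting esp are constructed, the cave address does not matter to the model, and the second attempt's "add esp,08 / ret" is assumed to be entered with the same "call newmem" as the first one.

```python
"""Tiny model of the x86 stack around a code-cave hook.  Added example, not
code from the thread or from Cheat Engine.  It shows why the two call/ret
attempts crash while the jmp version works: 'call' pushes a return address,
and 'ret' pops whatever is on top of the stack at that moment.
"""

RETURN_SITE = 0xAD618C   # first instruction after the overwritten bytes (from the listing)
GARBAGE = 0xDEADBEEF     # modelled value for a read of stack memory nothing wrote


class Cpu:
    def __init__(self, eax, ecx):
        self.regs = {"eax": eax, "ecx": ecx}
        self.esp = 0x0019FF00        # constructed starting stack pointer
        self.stack = {}              # address -> dword, only what was pushed
        self.eip = None

    def push(self, value):
        self.esp -= 4
        self.stack[self.esp] = value & 0xFFFFFFFF

    def pop(self):
        value = self.stack.get(self.esp, GARBAGE)
        self.esp += 4
        return value

    def execute(self, op, arg):
        """Execute one instruction; return True when control leaves the cave."""
        if op == "push":
            self.push(self.regs[arg])
        elif op == "add":
            reg, imm = arg
            if reg == "esp":
                self.esp += imm          # add esp,N discards N bytes of stack
            else:
                self.regs[reg] = (self.regs[reg] + imm) & 0xFFFFFFFF
        elif op == "jmp":
            self.eip = arg
            return True
        elif op == "ret":
            self.eip = self.pop()        # ret blindly pops whatever is at [esp]
            return True
        return False


def simulate(entry, body, eax=0x1000, ecx=0x2000):
    """Run a cave body entered by 'jmp' or 'call' and report where control
    lands and whether the stack looks the way the game expects afterwards."""
    cpu = Cpu(eax, ecx)
    esp_before = cpu.esp
    if entry == "call":
        cpu.push(RETURN_SITE)            # the one thing call does that jmp does not
    for op, arg in body:
        if cpu.execute(op, arg):
            break
    # The game's next instruction is a call that wants eax+20 at [esp] and ecx at [esp+4].
    expected_args = ((eax + 0x20) & 0xFFFFFFFF, ecx)
    actual_args = (cpu.stack.get(cpu.esp, GARBAGE), cpu.stack.get(cpu.esp + 4, GARBAGE))
    return {
        "eip": cpu.eip,
        "esp_delta": cpu.esp - esp_before,
        "args_ok": cpu.esp == esp_before - 8 and actual_args == expected_args,
    }


# Working jmp script: replay the overwritten instructions, then jump back.
JMP_HOOK = [("push", "ecx"), ("add", ("eax", 0x20)), ("push", "eax"), ("jmp", RETURN_SITE)]
# First attempt from the thread: entered with call, two pushes, then ret.
CALL_HOOK_1 = [("push", "ecx"), ("add", ("eax", 0x20)), ("push", "eax"), ("ret", None)]
# Second attempt: add esp,08 then ret (cmp/je/test do not touch the stack and are omitted).
CALL_HOOK_2 = [("add", ("esp", 8)), ("ret", None)]

if __name__ == "__main__":
    for name, entry, body in [("jmp", "jmp", JMP_HOOK),
                              ("call + ret", "call", CALL_HOOK_1),
                              ("call + add esp,8 + ret", "call", CALL_HOOK_2)]:
        r = simulate(entry, body)
        where = "return site" if r["eip"] == RETURN_SITE else f"0x{r['eip']:08X} (crash)"
        print(f"{name:24s} -> eip {where}, esp delta {r['esp_delta']:+d}, args ok: {r['args_ok']}")
```

Running it shows the three outcomes side by side: the jmp hook lands at the return site with esp 8 lower and both arguments in place; the first call hook "returns" to eax+20 because that is the last value pushed; the second one discards the return address with add esp,08 and then pops unwritten stack memory. Nothing short of popping or dropping exactly the bytes the call pushed, with the original pushes done underneath the return address, makes a call-based cave balance, which is why a jmp that replays the overwritten instructions is the simpler choice.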
Cestra (Newbie cheater, Reputation: 0, Joined: 03 Jun 2016, Posts: 14)
Posted: Mon Jun 27, 2016 8:20 am
hhhuut wrote:
> "add esp,08" is still modifying the stack, that's why it keeps crashing.
> As zm0d suggested, best use jumps instead of calls; it's much more reliable (that's why CE uses them too).
> If you're just trying to understand what the difference is, could you please let CE generate a script at the address you want to inject something, so that we can see what the original code is and understand what you're trying to do?
I just wanted to know. Thanks again.