jgoemat Master Cheater Reputation: 22
Joined: 25 Sep 2011 Posts: 252
Posted: Sun Feb 18, 2018 12:00 am Post subject: Lua for injecting near string reference using AOB in AA scri
I ran into a game made with Game Maker Studio which had a lot of script names in its string list. Unfortunately there were also a lot of duplicate code sections, making it impossible to write a good script that could work across versions. I came up with some Lua code that does the trick. It finds the address of the script name string, finds out where that is used in the code, and lets you specify an AOB string to find near it. The entire module is scanned and the closest AOB match is used.
For instance, here is some code where they push the address of the string onto the stack and I want to change the 'jbe' instruction nearby to a 'jmp'. It scans "Game.exe" for the string "AlertScript", which has the address "Game.exe+BA0BC4". It then scans "Game.exe" for that address. Finally it scans "Game.exe" for the AOB "f2 0f 10 44 24 18" and registers the symbol "AlertScriptSymbol" to be the address of the match that is closest to where the string address is used in code.
Code:
[ENABLE]
LuaCall(aobScanNearStringReference("AlertScriptSymbol", "Game.exe", "AlertScript", "f2 0f 10 44 24 18"))
AlertScriptSymbol+14:
nop
db e9 // 0F 86 rel32 (jbe) becomes 90 E9 rel32 (jmp). The rel32 is untouched and the instruction still ends at the same address, so the target (Game.exe+3C0CC8) is unchanged
[DISABLE]
AlertScriptSymbol+14:
db 0f 86
{
// ORIGINAL CODE - INJECTION POINT: "Game.exe"+3C0A94
"Game.exe"+3C0A66: E8 35 5F 2F 00 - call Game.exe+6B69A0
"Game.exe"+3C0A6B: F7 40 0C FF FF FF 00 - test [eax+0C],FFFFFF
"Game.exe"+3C0A72: 74 14 - je Game.exe+3C0A88
"Game.exe"+3C0A74: DD 5C 24 18 - fstp qword ptr [esp+18]
// Game.exe+BA0BC4 is a pointer to the string "AlertScript"
"Game.exe"+3C0A78: C7 44 24 44 C4 0B 3C 01 - mov [esp+44],Game.exe+BA0BC4
// ---------- AOB START (jbe is at +14 hex from here) ----------
"Game.exe"+3C0A80: F2 0F 10 44 24 18 - movsd xmm0,[esp+18]
"Game.exe"+3C0A86: EB 04 - jmp Game.exe+3C0A8C
"Game.exe"+3C0A88: F2 0F 10 00 - movsd xmm0,[eax]
"Game.exe"+3C0A8C: 66 0F 2E 05 28 6A 3A 01 - ucomisd xmm0,[Game.exe+B86A28]
// ---------- CHANGING jbe to jmp ----------
"Game.exe"+3C0A94: 0F 86 2E 02 00 00 - jbe Game.exe+3C0CC8
// ---------- DONE INJECTING ----------
"Game.exe"+3C0A9A: 8B 47 04 - mov eax,[edi+04]
"Game.exe"+3C0A9D: 85 C0 - test eax,eax
"Game.exe"+3C0A9F: 74 07 - je Game.exe+3C0AA8
"Game.exe"+3C0AA1: 05 D0 22 00 00 - add eax,000022D0
"Game.exe"+3C0AA6: EB 11 - jmp Game.exe+3C0AB9
"Game.exe"+3C0AA8: 8B 07 - mov eax,[edi]
"Game.exe"+3C0AAA: C7 04 24 2D 02 00 00 - mov [esp],0000022D
"Game.exe"+3C0AB1: 89 F9 - mov ecx,edi
"Game.exe"+3C0AB3: FF 50 04 - call dword ptr [eax+04]
"Game.exe"+3C0AB6: 83 EC 04 - sub esp,04
}
Attachment: tablescript.lua (8.56 KB) - Lua table script with function