Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
[C++] help with asm
iRiot
Master Cheater
Reputation: 0

Joined: 03 Jul 2007
Posts: 395
Location: Aka RIOT

PostPosted: Sun Mar 30, 2008 2:44 pm    Post subject: [C++] help with asm

Well, I just started C++ not too long ago and I finished a couple of tutorials on it. I just want to stick to asm in C++ and converting AA scripts into C++, and I came across a source, "Super Tubi" (a MapleStory hack). I was looking at it and I have some questions on it; if you could be kind enough to answer and explain a bit to me, I would appreciate it.

My first question is about StatCALL and HookAddress.

I know by looking at this that StatCALL and HookAddress are addresses, but are they really needed if I wanted to code a DLL for MapleStory?

Code:

unsigned long StatCALL = 0x006A6D1C, HookAddress = 0x006A6A83;




And then we have something called StatHook, as the procedure says...
But why do we need this if we are only going to use Super Tubi? My guess is it's for hooking onto Maple?

Code:
void __declspec(naked) StatHook() // you need the __declspec(naked) so keep it! this is a hack you don't turn off..
{
  __asm {
   mov eax, [esp+4]
   mov [currenthp],eax
   mov eax, [esp+8]
   mov [maxhp],eax
   mov eax, [esp+0x0C]
   mov [currentmp],eax
   mov eax,[esp+0x10]
   mov [maxmp],eax
   mov eax, [esp+0x14]
   mov [currentexp],eax
   mov eax,[esp+0x18]
   mov [maxexp],eax

   jmp dword ptr [StatCALL]

  }
}


Now for the Super Tubi part: the thing I don't understand is the asm.
As you see in the code I provided, how do you know what to put? Like the push eax, push ecx, mov eax, etc. How do I know I have to put that there, e.g. if it was a different address and script like Pin Type where it uses "jbe" and "jae"?

I also see in this code that "HookAddress" and "StatHook" are being used, and that it's subtracting 5 because that's the distance to jump,
but what does the 0xE8 stand for?

Code:
  _asm
   {
      push eax
      push ecx
      mov eax, dword ptr [HookAddress] // from
      mov ecx, dword ptr [StatHook] // to
      sub ecx, eax // to - from
      sub ecx, 5 // MINUS 5 = DISTANCE TO JUMP!
      mov byte ptr [eax], 0xE8 // E8 = CALL
      mov dword ptr [eax+1], ecx // Finish off rest of hook
      pop ecx
      pop eax
   }



In this code down here I can see that the Super Tubi address is there and the 0x9090 stands for nop nop (each 90 stands for nop), which brings up my next question: how do I know the numbers or hex format for other commands in asm? Also, what does *(WORD*) stand for?


Code:
 *(WORD*)0x004AAD1D = 0x9090; // MapleStory Super Tubi Address V52
            SuperTubi = 1;



Complete Source:

Code:
// SuperTubi.cpp : Defines the entry point for the DLL application.
#include <windows.h>

// Distance for a 5-byte E8 call / E9 jmp: (to - from) - 5, measured from the end
// of the instruction. No trailing semicolon, so it can be used inside an expression.
#define JMP(frm, to) ((int)(to) - (int)(frm) - 5) // this will come in handy for script hacks

BYTE OriginalBytes[2];
bool SuperTubi = false;

int currenthp, maxhp, currentmp, maxmp, currentexp, maxexp;
unsigned long StatCALL = 0x006A6D1C, HookAddress = 0x006A6A83;

// Code pages are normally execute/read only; make the bytes we patch writable first.
static void Unprotect(unsigned long addr, SIZE_T size)
{
   DWORD old;
   VirtualProtect((LPVOID)addr, size, PAGE_EXECUTE_READWRITE, &old);
}

void __declspec(naked) StatHook() // you need the __declspec(naked) so keep it! this is a hack you don't turn off..
{
  __asm {
   // We get here through the CALL patched in at HookAddress, so [esp] is the
   // return address and the arguments of the original call start at [esp+4].
   mov eax, [esp+4]
   mov [currenthp],eax
   mov eax, [esp+8]
   mov [maxhp],eax
   mov eax, [esp+0x0C]
   mov [currentmp],eax
   mov eax,[esp+0x10]
   mov [maxmp],eax
   mov eax, [esp+0x14]
   mov [currentexp],eax
   mov eax,[esp+0x18]
   mov [maxexp],eax

   // Continue into the original function; its RET goes back to HookAddress+5.
   jmp dword ptr [StatCALL]

  }
}

DWORD WINAPI EasyDLL(LPVOID)
{
   MessageBoxA(0,"Super Tubi Dll!", "Hack", 0);

   Unprotect(0x004AAD1D, 2);
   memcpy((void*)OriginalBytes, (void*)0x004AAD1D, 2); // keep the original jne bytes for disabling

   Unprotect(HookAddress, 5);
   //*(BYTE*)HookAddress = 0xE8; *(DWORD*)(HookAddress+1) = JMP(HookAddress, StatHook); // OR

   _asm
   {
      push eax
      push ecx
      mov eax, dword ptr [HookAddress] // from
      mov ecx, dword ptr [StatHook] // to
      sub ecx, eax // to - from
      sub ecx, 5 // MINUS 5 = DISTANCE TO JUMP!
      mov byte ptr [eax], 0xE8 // E8 = CALL
      mov dword ptr [eax+1], ecx // Finish off rest of hook
      pop ecx
      pop eax
   }


   for(;;)
   {
      Sleep(10); // DONT REMOVE! REQUIRED FOR ANTI-LAG AKA NON 100% CPU usage



      if(GetAsyncKeyState(VK_F6)) // OUR FIRST HACK! a simple byte change hack!
      {
         if(!SuperTubi)
         {
            *(WORD*)0x004AAD1D = 0x9090; // MapleStory Super Tubi Address V51: jne -> nop nop
            SuperTubi = true;
         }
         else
         {
            memcpy((void*)0x004AAD1D, (void*)OriginalBytes, 2); // put the jne back
            SuperTubi = false;
         }

         Sleep(200); // So it doesn't get pressed twice or more in 1 press
                // we make it wait 200ms before it can be pressed again...
      }

      if(GetAsyncKeyState(VK_END))
      {
            MessageBoxA(0, "Ejecting...", ".:::1337:::.", 0);
            Sleep(100);
            HINSTANCE hMod = GetModuleHandleA("SuperTubi.dll");
            FreeLibraryAndExitThread(hMod, 0);
      }

   }
   return 0;

}




BOOL APIENTRY DllMain(HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
   if (ul_reason_for_call == DLL_PROCESS_ATTACH)
   {
      CreateThread(0, 0, EasyDLL, 0, 0, 0);
      MessageBoxW(NULL, L"Super Tubi\nPress F6 to activate\n", L"Riot", MB_ICONINFORMATION | MB_OK);

   }
   return TRUE;
}


Compiled questions:

1. My first question is about StatCALL and HookAddress. Would I need this to make a DLL for MapleStory, and is this what hooks onto Maple?
2. The StatHook procedure. My guess is this is what hooks onto Maple?
3. The asm part for the Super Tubi, like the push eax, push ecx, mov eax, etc. How do I know I have to put that there, e.g. if it was a different address and script like Pin Type where it uses "jbe" and "jae"?
4. What does 0xE8 stand for?
5. Each 90 stands for nop, which brings up my next question: how do I know the numbers or hex format for other asm commands?
6. What does *(WORD*) stand for?


What I really need help with is the asm part with the push eax and the push ecx; how do I know I have to include that stuff?

I hope I get useful posts. I just started C++ and I just want to use it to convert AA scripts into C++ asm so I can make DLLs.

I just wanted more info on this source and how to use it better and understand it. I want to understand it so I can start making more DLLs, and I wanted Pin Type to be one of my first DLLs for MapleStory, even though there isn't a GGCRC bypass out yet; I just want to make it for fun.

Super Tubi Script:
Code:
[Enable]
004AAD1D:
nop
nop

[Disable]
004AAD1D:
jne 004aad55



Also, if anyone would help me get a head start on making a Pin Type DLL:


Code:
[enable]
004906AB:
jae 0049061D

[disable]
004906AB:
jbe 0049061D



*I updated all these addresses in this source so they are updated to v52 MapleStory.


Last edited by iRiot on Sun Mar 30, 2008 8:10 pm; edited 1 time in total
smartz993
I post too much
Reputation: 2

Joined: 20 Jun 2006
Posts: 2013
Location: USA

PostPosted: Sun Mar 30, 2008 3:03 pm

E8 means call.

The script is allocated in the DLL's memory space inside Maple, so you're basically calling that script instead of the original code.
lurc
Grandmaster Cheater Supreme
Reputation: 2

Joined: 13 Nov 2006
Posts: 1900

PostPosted: Sun Mar 30, 2008 3:04 pm    Post subject: Re: [C++] help with asm

iRiot wrote:
My first question is about StatCALL and HookAddress.

I know by looking at this that StatCALL and HookAddress are addresses, but are they really needed if I wanted to code a DLL for MapleStory?
Code:

unsigned long StatCALL = 0x006A6D1C, HookAddress = 0x006A6A83;


Yes. You have to make the hook address jump to your code cave, so yes, the addresses are needed if you want to have a stat hook (for HP, MP, and EXP).

iRiot wrote:

And then we have something called StatHook, as the procedure says...
But why do we need this if we are only going to use Super Tubi? My guess is it's for hooking onto Maple?


The stat hook is to get your HP/MP/EXP. It isn't needed for Super Tubi.

iRiot wrote:

Now for the Super Tubi part: the thing I don't understand is the asm.
As you see in the code I provided, how do you know what to put? Like the push eax, push ecx, mov eax, etc. How do I know I have to put that there, e.g. if it was a different address and script like Pin Type where it uses "jbe" and "jae"?


jae, jbe, all these opcodes have a byte value. So when you go to modify the address you simply just change the byte value. Super Tubi needs to be nop'd twice to activate, so it would look like this:

*(WORD*)TubiAddy = 0x9090;

(Remember to VirtualProtectEx the address to PAGE_EXECUTE_READWRITE)

iRiot wrote:

I also see in this code that "HookAddress" and "StatHook" are being used, and that it's subtracting 5 because that's the distance to jump, but what does the 0xE8 stand for?


E8 = the byte value for "call"

iRiot wrote:

In this code down here I can see that the Super Tubi address is there and the 0x9090 stands for nop nop (each 90 stands for nop), which brings up my next question: how do I know the numbers or hex format for other commands in asm? Also, what does *(WORD*) stand for?


Code:
 *(WORD*)0x004AAD1D = 0x9090; // MapleStory Super Tubi Address V51
            SuperTubi = 1;



WORD = unsigned short, which means 2 bytes; since you're modifying the 2-byte procedure you use WORD.
If you need to figure out what a byte value is, go into MapleStory's ad window, open Cheat Engine, attach it to MapleStory.exe and just change some random address's opcode to the bytes you need, then check the byte column. Either that or look it up.


Edit:

Pin Type
--To activate:
Code:
*(WORD*)0x004906AB = 0x830F;

--To deactivate:
Code:
*(WORD*)0x004906AB = 0x860F;

OR
For me, I just do a memcpy before I modify, so I can just memcpy the bytes I stored back to the address and I won't have to worry about disabling.

Super Tubi
--To Activate:
Code:
*(WORD*)0x004AAD1D = 0x9090;

--To Deactivate:
Code:
*(WORD*)0x004AAD1D = 0x3675;

OR
same as above, with the memcpy.

Edit 2:

You've got to remember, when manually editing/reading LIKE THIS (above, meaning *(type*)addy = byteval;) the byte value has to be backwards.

Like with Pin Type:

In Cheat Engine it looks like this:

Code:
004906AB - 0f 86 6c ff ff ff          - jbe 0049061d


See, 0F 86 is the original addy (0F 86 also = jbe, 0F 83 = jae).
So when we go to reverse the jump, instead of saying
Code:
*(WORD*)0x004906AB = 0x0F83;

we must say
Code:
*(WORD*)0x004906AB = 0x830F;
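The byte-level arithmetic behind the answer above (jcc opcodes and their byte values, the 2-byte WORD write, and why the value has to be written "backwards"), as an added C example that is not from the thread. It works on small byte arrays instead of the live game, so it runs anywhere; the Super Tubi and Pin Type bytes and addresses are the ones quoted in the thread (v52), while the function names and sample arrays are made up here. The target arithmetic is what Cheat Engine does when it shows `jne 004aad55` for the bytes `75 36`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sample instructions, bytes and addresses as quoted in the thread (v52).
 * Each array stands in for the bytes at that address; nothing live is touched. */
uint8_t tubi_insn[2] = { 0x75, 0x36 };                         /* 004AAD1D: jne 004AAD55 */
uint8_t pin_insn[6]  = { 0x0F, 0x86, 0x6C, 0xFF, 0xFF, 0xFF }; /* 004906AB: jbe 0049061D */
const uint32_t TUBI_ADDR = 0x004AAD1D;
const uint32_t PIN_ADDR  = 0x004906AB;

/* x86 is little-endian: the low byte of a WORD goes to the lower address.
 * *(WORD*)addr = 0x830F therefore puts 0F at addr and 83 at addr+1, which is
 * why the thread writes the two opcode bytes "backwards". */
static void put_u16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xFF);
    p[1] = (uint8_t)(v >> 8);
}

static uint16_t get_u16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t get_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Short conditional jump (7x rel8, 2 bytes): the signed displacement is
 * measured from the end of the instruction, so target = addr + 2 + rel8. */
uint32_t jcc_rel8_target(uint32_t insn_addr, const uint8_t *insn)
{
    return insn_addr + 2 + (uint32_t)(int32_t)(int8_t)insn[1];
}

/* Near conditional jump (0F 8x rel32, 6 bytes): target = addr + 6 + rel32.
 * The unsigned add wraps, which is exactly right for a negative rel32. */
uint32_t jcc_rel32_target(uint32_t insn_addr, const uint8_t *insn)
{
    return insn_addr + 6 + get_u32(insn + 2);
}

/* Pin Type style patch: change the condition of a 0F 8x jump (86 jbe -> 83 jae)
 * with one WORD write, leaving the rel32 and thus the target alone.
 * Returns the WORD now at the address, i.e. the value you would write through
 * (WORD*) to get these bytes. */
uint16_t set_near_jcc_condition(uint8_t *insn, uint8_t cond_opcode)
{
    put_u16(insn, (uint16_t)(0x0F | ((uint16_t)cond_opcode << 8)));
    return get_u16(insn);
}

/* Super Tubi style patch: overwrite a 2-byte short jump with two NOPs
 * (*(WORD*)addr = 0x9090).  Returns the WORD that restores it: the original
 * bytes 75 36 read as a little-endian WORD, 0x3675. */
uint16_t nop_short_jump(uint8_t *insn)
{
    uint16_t undo = get_u16(insn);
    put_u16(insn, 0x9090);
    return undo;
}

int main(void)
{
    uint16_t undo;

    printf("jne at %08X jumps to %08X\n", TUBI_ADDR, jcc_rel8_target(TUBI_ADDR, tubi_insn));
    printf("jbe at %08X jumps to %08X\n", PIN_ADDR, jcc_rel32_target(PIN_ADDR, pin_insn));

    undo = nop_short_jump(tubi_insn);
    printf("Tubi on: %02X %02X   (disable with *(WORD*)addr = 0x%04X)\n",
           tubi_insn[0], tubi_insn[1], undo);

    set_near_jcc_condition(pin_insn, 0x83);
    printf("Pin on:  %02X %02X ... still targets %08X\n",
           pin_insn[0], pin_insn[1], jcc_rel32_target(PIN_ADDR, pin_insn));
    return 0;
}
```

The two target functions are the check to run before trusting any address copied from a script: if the decoded target does not match what the disassembler shows, the bytes or the address are from a different client version.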
iRiot
Master Cheater
Reputation: 0

Joined: 03 Jul 2007
Posts: 395
Location: Aka RIOT

PostPosted: Sun Mar 30, 2008 3:54 pm

Thanks lurc, you helped me understand this much more. Yeah, for the HP, MP and EXP I didn't think that was needed either for Super Tubi, but what would it be needed for? Or is it just for like an HP bar, MP bar and EXP bar on trainers?

How do you get the opcode bytes in the engine?

But also my other question I'm not too sure about...

How would I use this for other scripts? I just don't know what to put, like the push eax and the push ecx; where did they get that from?

Code:
   _asm
   {
      push eax
      push ecx
      mov eax, dword ptr [HookAddress] // from
      mov ecx, dword ptr [StatHook] // to
      sub ecx, eax // to - from
      sub ecx, 5 // MINUS 5 = DISTANCE TO JUMP!
      mov byte ptr [eax], 0xE8 // E8 = CALL
      mov dword ptr [eax+1], ecx // Finish off rest of hook
      pop ecx
      pop eax
   }
     


Also another script, instant drop. It's from v43, too lazy to update.


Code:
[enable]

0078CD70:
add [eax],al
add [eax],al
add [eax],al
add [eax],al


[disable]
0078CD70:
add [eax],al
add [eax],al
add [eax-71],al
inc eax


But if I was going to enable it, how would I do it? Would I do something like this?

_asm
{
add [eax],al
add [eax],al
add [eax],al
add [eax],al

}
lurc
Grandmaster Cheater Supreme
Reputation: 2

Joined: 13 Nov 2006
Posts: 1900

PostPosted: Sun Mar 30, 2008 4:13 pm

iRiot wrote:
Thanks lurc, you helped me understand this much more. Yeah, for the HP, MP and EXP I didn't think that was needed either for Super Tubi, but what would it be needed for? Or is it just for like an HP bar, MP bar and EXP bar on trainers?


Np :)
And the stat hook:
Pretty much, but they also allow you to have the most efficient auto-pot, since you're reading directly from the game.

iRiot wrote:
How do you get the opcode bytes in the engine?


You can simply double-click any address in memory view and put in the line of assembly that you want, then look at the byte column and you can get the bytes there.

iRiot wrote:
But also my other question I'm not too sure about...

How would I use this for other scripts? I just don't know what to put, like the push eax and the push ecx; where did they get that from?

Code:
   _asm
   {
      push eax
      push ecx
      mov eax, dword ptr [HookAddress] // from
      mov ecx, dword ptr [StatHook] // to
      sub ecx, eax // to - from
      sub ecx, 5 // MINUS 5 = DISTANCE TO JUMP!
      mov byte ptr [eax], 0xE8 // E8 = CALL
      mov dword ptr [eax+1], ecx // Finish off rest of hook
      pop ecx
      pop eax
   }
     


I just use this.

#define JMP(frm, to) ((int)(to) - (int)(frm) - 5)

But I'll explain the asm for you anyway.

eax and ecx are 32-bit registers.
You're first pushing both registers onto the stack so you can use them.
Next you're putting the HookAddress into eax and StatCall into ecx.
Now that they're stored, you take the difference between where you're jumping to and where you're jumping from, then subtract 5 from that, which equals the distance to jump.
Now that we have the jump address, we can edit the address to call the code cave.
So mov byte ptr is going to change a single byte at eax, which is HookAddress, and that byte is 0xE8 (call).
mov dword ptr is going to change 4 bytes at HookAddress+1 (because we changed HookAddress's byte already, so we add 1 to it),
and there we're putting the jump address we got by subtracting to-from.
Finally we pop eax and ecx off the stack.

iRiot wrote:
Also another script, instant drop. It's from v43, too lazy to update.

Code:
[enable]

0078CD70:
add [eax],al
add [eax],al
add [eax],al
add [eax],al


[disable]
0078CD70:
add [eax],al
add [eax],al
add [eax-71],al
inc eax


But if I was going to enable it, how would I do it? Would I do something like this?

_asm
{
add [eax],al
add [eax],al
add [eax],al
add [eax],al

}


Well, the address for instant drop is 008079E8 in v52.
It's 8 bytes, so 2 DWORDs.

add [eax],al - byte value = 00

There are 2 ways we can do this.
Easy way:
Code:
*(DWORD*)0x008079E8 = 0x00000000;
*(DWORD*)(0x008079E8+4) = 0x00000000;


or

Code:
*(BYTE*)0x008079E8 = 0xE8;
*(DWORD*)(0x008079E8+1) = JMP( 0x008079E8, InstDrpHook );
memset( (void*)(0x008079E8+5), 0x90, 3 );


Explaining this:
0x008079E8 becomes a call
0x008079E8+1 becomes the address to jmp to
then finally, to make sure we don't screw any opcodes up, we nop the last 3 bytes to complete the 8 bytes.

Then we have our hook for it

Code:
void __declspec(naked) InstDrpHook()
{
   _asm
   {
        add [eax],al
        add [eax],al 
        add [eax],al
        add [eax],al
        ret // naked function: no epilogue is generated, so return to 0x008079E8+5 ourselves
   }
}


So you see, for simple address changes, usually it's a lot easier to just manually edit them. For scripted hacks that require us to use more bytes than there are, we have to create a code cave and make that address jump to it.

Edit

For easy disabling you can do this:
first create a byte array the size of how many bytes you're editing, so I'll use Super Tubi as an example

Code:
BOOL bTubi = FALSE;
BYTE bTubiOrig[2];
void ActivateTubi()
{
   if ( !bTubi )
   {
      memcpy( (void*)bTubiOrig, (void*)0x004AAD1D, 2 ); // save the original jne bytes
      *(WORD*)0x004AAD1D = 0x9090;                      // nop nop
      bTubi = TRUE;

      OutputDebugStringW( L"Tubi Activated" );
   }
   else
   {
      memcpy( (void*)0x004AAD1D, (void*)bTubiOrig, 2 ); // put them back
      OutputDebugStringW( L"Tubi Deactivated" );
      bTubi = FALSE;
   }
}


This way, you don't have to worry about knowing the original bytes; all you need to know is what to modify them with.
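The two write patterns described in the post above (an E8 call plus rel32, NOP-padded to cover every byte of the instructions it replaces, and the save/restore toggle of ActivateTubi), as an added stand-alone C example that is not from the thread. It patches a byte array standing in for the game's .text instead of a live process, so it runs anywhere: the instant-drop address and bytes (00 00 00 00 00 40 8F 40 at 008079E8) are the ones shown in the thread, while the code-cave address 0x10001000, the filler bytes and the function names are made up for the example. In the injected DLL the same writes need VirtualProtect with PAGE_EXECUTE_READWRITE first, as noted earlier in the thread; the simulated array needs nothing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATCH 16

/* One patch site: where it is, how many bytes it covers, and the original
 * bytes so the hack can be switched off again by copying them back. */
typedef struct {
    uint32_t addr;             /* virtual address of the first patched byte */
    size_t   len;              /* number of bytes overwritten */
    uint8_t  orig[MAX_PATCH];  /* saved on the first enable */
    int      applied;
} patch_t;

/* Simulated target memory. `image` stands in for a slice of the game's .text
 * section and IMAGE_BASE is the virtual address of image[0]. */
#define IMAGE_BASE 0x008079E0u
static uint8_t image[32] = {
    /* 008079E0..E7: filler, constructed for the example */
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    /* 008079E8..EF: instant-drop bytes as Cheat Engine shows them in the thread */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x8F, 0x40,
    /* 008079F0..FF: filler, constructed for the example */
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC
};

/* Where the code cave (InstDrpHook) would live; made up for the example. */
#define CAVE_ADDR 0x10001000u

patch_t instant_drop = { 0x008079E8u, 8, { 0 }, 0 };   /* 8 bytes, 2 DWORDs */
patch_t out_of_image = { 0x00401000u, 2, { 0 }, 0 };   /* not inside `image` */
uint8_t scratch[MAX_PATCH];

/* Map a virtual address range onto the simulated image; NULL if out of range. */
static uint8_t *va(uint32_t addr, size_t len)
{
    if (addr < IMAGE_BASE || (size_t)(addr - IMAGE_BASE) + len > sizeof image)
        return NULL;
    return image + (addr - IMAGE_BASE);
}

int byte_at(uint32_t addr)
{
    const uint8_t *p = va(addr, 1);
    return p ? *p : -1;
}

/* rel32 of an E8 call / E9 jmp: the distance from the END of the 5-byte
 * instruction to the target, (to - from) - 5, the thread's JMP macro. */
int32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return (int32_t)(to - from) - 5;
}

/* Build a `call cave` covering exactly len bytes: E8 + little-endian rel32,
 * then NOPs, so no half-overwritten instruction is left after the call.
 * Returns 0 if len cannot hold the call. */
int build_call_patch(uint8_t *out, uint32_t from, uint32_t cave, size_t len)
{
    uint32_t d;
    if (len < 5 || len > MAX_PATCH)
        return 0;
    d = (uint32_t)jmp_rel32(from, cave);
    out[0] = 0xE8;
    out[1] = (uint8_t)(d & 0xFF);
    out[2] = (uint8_t)((d >> 8) & 0xFF);
    out[3] = (uint8_t)((d >> 16) & 0xFF);
    out[4] = (uint8_t)((d >> 24) & 0xFF);
    memset(out + 5, 0x90, len - 5);
    return 1;
}

/* The enable/disable pattern of ActivateTubi: save the original bytes on the
 * first enable, copy them back on disable. Returns the new state (1 = applied,
 * 0 = restored) or -1 if the address is not patchable. */
int patch_toggle(patch_t *p, const uint8_t *bytes)
{
    uint8_t *dst = va(p->addr, p->len);
    if (dst == NULL || p->len > MAX_PATCH)
        return -1;
    if (!p->applied) {
        memcpy(p->orig, dst, p->len);   /* memcpy(OriginalBytes, addr, n) */
        memcpy(dst, bytes, p->len);
        p->applied = 1;
    } else {
        memcpy(dst, p->orig, p->len);   /* memcpy(addr, OriginalBytes, n) */
        p->applied = 0;
    }
    return p->applied;
}

static void dump(const char *label, uint32_t addr, size_t len)
{
    size_t i;
    printf("%-9s %08X:", label, addr);
    for (i = 0; i < len; i++)
        printf(" %02X", byte_at(addr + (uint32_t)i));
    printf("\n");
}

int main(void)
{
    dump("original", instant_drop.addr, instant_drop.len);
    if (!build_call_patch(scratch, instant_drop.addr, CAVE_ADDR, instant_drop.len))
        return 1;
    patch_toggle(&instant_drop, scratch);   /* hotkey pressed: hook in */
    dump("hooked", instant_drop.addr, instant_drop.len);
    patch_toggle(&instant_drop, scratch);   /* pressed again: bytes back */
    dump("restored", instant_drop.addr, instant_drop.len);
    return 0;
}
```

The length check in build_call_patch is the point of the "nop the last 3 bytes" step: a call is always 5 bytes, so a site shorter than that cannot be hooked this way, and a longer one must have its remainder NOP-filled so execution never lands in the middle of a leftover instruction.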
iRiot
Master Cheater
Reputation: 0

Joined: 03 Jul 2007
Posts: 395
Location: Aka RIOT

PostPosted: Sun Mar 30, 2008 4:41 pm

Ohhh, I get it now, the asm is like a hook.

I get the opcode and finding the bytes for it; I always thought the bytes were for the addresses -.- lol. So the number of digits an address has is the number of bytes? Like (12345678) has 8 bytes?

And DWORD stands for 4 bytes each and WORD stands for 2 bytes? Kinda confused on that part now.


Also, why would we need JMP for instant drop?
*(DWORD*)(0x008079E8+1) = JMP( 0x008079E8, InstDrpHook );
lurc
Grandmaster Cheater Supreme
Reputation: 2

Joined: 13 Nov 2006
Posts: 1900

PostPosted: Sun Mar 30, 2008 4:53 pm

iRiot wrote:
Ohhh, I get it now, the asm is like a hook.

I get the opcode and finding the bytes for it; I always thought the bytes were for the addresses -.- lol. So the number of digits an address has is the number of bytes? Like (12345678) has 8 bytes?


Lol, no. You have to see what the original bytes look like; you can check CE for that.

Code:
008079E8 - 00 00                      - add [eax],al
008079EA - 00 00                      - add [eax],al
008079EC - 00 40 8f                   - add [eax-71],al
008079EF - 40                         - inc eax


So we get 00 00 00 00 00 40 8f 40. Which is 8 bytes.

iRiot wrote:
And DWORD stands for 4 bytes each and WORD stands for 2 bytes? Kinda confused on that part now.


DWORD - unsigned long - 4 bytes
WORD - unsigned short - 2 bytes
BYTE - unsigned char - 1 byte

When you edit memory manually you have to use the correct type. So if the address is more than 4 bytes, you have to use a combination of DWORDs, WORDs and BYTEs. Else you use a code cave.

iRiot wrote:
Also, why would we need JMP for instant drop?
*(DWORD*)(0x008079E8+1) = JMP( 0x008079E8, InstDrpHook );


I was just showing you the code-caving side of editing memory.
JMP is defined as I showed you above
Code:
#define JMP(frm, to) ((int)(to) - (int)(frm) - 5)


It's an easier way to get the jump address than doing the asm.
iRiot
Master Cheater
Reputation: 0

Joined: 03 Jul 2007
Posts: 395
Location: Aka RIOT

PostPosted: Sun Mar 30, 2008 8:27 pm

Thanks lurc, I got everything I wanted to work; Super Tubi, instant drop and Pin Type all work perfectly, but now I just need help on the hotkeys, because when I set them they don't work. Well, I added you on MSN ([email protected]). +rep
Snootae
Grandmaster Cheater
Reputation: 0

Joined: 16 Dec 2006
Posts: 969
Location: --->

PostPosted: Mon Mar 31, 2008 2:50 am

Whoa lurc, you're a helpful guy,

but with this bit:
Quote:
Super Tubi
--To Activate:
Code:
*(WORD*)0x004AAD1D = 0x9090;

--To Deactivate:
Code:
*(WORD*)0x004AAD1D = 0x3675;


What does the 3675 mean? I understand the first one is like two nops, but that one got me.

Also, is a CRC bypass required to read HP/MP values this way? Because if not I'm going to try to use it.
lurc
Grandmaster Cheater Supreme
Reputation: 2

Joined: 13 Nov 2006
Posts: 1900

PostPosted: Mon Mar 31, 2008 7:44 am

Snootae wrote:
Whoa lurc, you're a helpful guy,

but with this bit:
Quote:
Super Tubi
--To Activate:
Code:
*(WORD*)0x004AAD1D = 0x9090;

--To Deactivate:
Code:
*(WORD*)0x004AAD1D = 0x3675;


What does the 3675 mean? I understand the first one is like two nops, but that one got me.

Also, is a CRC bypass required to read HP/MP values this way? Because if not I'm going to try to use it.


If you check the Tubi address you'll see the original opcode is

jne xxxxxxxx (at school so I don't have the exact one)

Anyway, the byte value is

75 36

So when you go to disable you edit the byte value backwards.

And yes, a CRC bypass and GGCRC bypass are required, because you are editing the stat call to jump to your code cave.
iRiot
Master Cheater
Reputation: 0

Joined: 03 Jul 2007
Posts: 395
Location: Aka RIOT

PostPosted: Mon Mar 31, 2008 3:21 pm

You can also disable a hack like Super Tubi by making a memcpy, something like this.

Include these 2 bytes because Super Tubi has 2 bytes:

Code:

BYTE OriginalBytes[2];


When you first enable your hack just include the memcpy:

Code:
 memcpy((void*)OriginalBytes, (void*)0x004AAD1D, 2);


And then when you want to disable the code just put in this:
Code:


 memcpy((void*)0x004AAD1D, (void*)OriginalBytes, 2);


It's like the opposite, like lurc said with the Super Tubi bytes 75 36 to 3675: just like this you have OriginalBytes first and the address second, and then we switch them, so the address first and OriginalBytes second.

I just got this off the Super Tubi source I was using and learned about it when lurc was explaining it to me [=

Btw lurc, did you receive my friend request on MSN?

And if you get the chance to read this, I'm trying to convert PG into a DLL as well. I got the bytes for the enable part like you did for the instant drop (the add al) and I got 9 bytes for the PG.

Code:

//9 bytes
*(WORD*)0x00000000 = 0xE8; // call
*(DWORD*)(0x00000000+1) = JMP ( 0x00000000, PgHook); //Jmp + hook
*(WORD*)0x00000000 = 0x90909090; // 4 nops
memset((void*)(0x00000000+5), 0x90, 1); // nop the last byte


Well, I didn't include the addresses or the hook, I don't want to release it on the forums, but can you tell me if I'm doing it right? Because I'm using the PgHook and using 4 nops, and also I'm not sure if I got the right amount of bytes for it, but I injected it and got a hacking attempt so I know I did something right.


Last edited by iRiot on Mon Mar 31, 2008 3:31 pm; edited 1 time in total
lurc
Grandmaster Cheater Supreme
Reputation: 2

Joined: 13 Nov 2006
Posts: 1900

PostPosted: Mon Mar 31, 2008 4:20 pm

iRiot wrote:
And if you get the chance to read this, I'm trying to convert PG into a DLL as well. I got the bytes for the enable part like you did for the instant drop (the add al) and I got 9 bytes for the PG.

Code:

//9 bytes
*(WORD*)0x00000000 = 0xE8; // call
*(DWORD*)(0x00000000+1) = JMP ( 0x00000000, PgHook); //Jmp + hook
*(WORD*)0x00000000 = 0x90909090; // 4 nops
memset((void*)(0x00000000+5), 0x90, 1); // nop the last byte


Well, I didn't include the addresses or the hook, I don't want to release it on the forums, but can you tell me if I'm doing it right? Because I'm using the PgHook and using 4 nops, and also I'm not sure if I got the right amount of bytes for it, but I injected it and got a hacking attempt so I know I did something right.


Hmm, you still don't get BYTEs, WORDs and DWORDs...

Okay, so your code is wrong.

Code:

*(WORD*)0x00000000 = 0xE8;
*(DWORD*)(0x00000000+1) = JMP ( 0x00000000, PgHook);
*(WORD*)0x00000000 = 0x90909090;
memset((void*)(0x00000000+5), 0x90, 1); // nop the last byte


You have 9 bytes.
For the first BYTE you're making a call. Notice E8? This is only 1 BYTE.

So it would look like this

Code:
*(BYTE*)0x0000000 = 0xE8;


The next one you got correct! The address is going to be a 4-byte jump, which is a DWORD.

Unfortunately this is the only thing you got correct.

For 1: you're editing the original address. You didn't add +5 to it, seeing as you want to edit the opcodes after.

Also, see, you're saying:

Edit this 2-byte address with 4 bytes. (*(WORD*)addy = 0x90909090)


Every 2 digits is 1 byte.
00 - 1 byte
60 - 1 byte
90 90 - 2 bytes
54 75 0F FF - 4 bytes
75 35 FF - 3 bytes
Etc.

You're editing the address to be "90909090", which is also represented as

BYTE bNops[4] = { 0x90, 0x90, 0x90, 0x90 };
or (in CE)
90
90
90
90
This is 4 BYTEs, so you would be editing it using a DWORD.

Next you're using memset... +5 your address, which you have already (or wanted to) nop.

memset( (void*)addy, 0x90, 4 ); is the same as saying *(DWORD*)Addy = 0x90909090;

Overall it should look like this

Code:
*(BYTE*)0x00000000 = 0xE8;
*(DWORD*)(0x00000000+1) = JMP ( 0x00000000, PgHook);
*(DWORD*)(0x00000000+5) = 0x90909090;


For the nops, if it is a different address you're nopping then sorry, you can leave it without the +5, but if it's the same then you want +5 and memset can go. Else, just do

*(BYTE*)(0x0000000+5) = 0x90; (since your memset was only 1 nop)
Snootae
Grandmaster Cheater
Reputation: 0

Joined: 16 Dec 2006
Posts: 969
Location: --->

PostPosted: Tue Apr 01, 2008 5:44 am

Thanks lurc, I get it now.


Btw, does anyone know or have xor's method of finding HP/MP values in Maple? Apparently it didn't require a CRC bypass.
lurc
Grandmaster Cheater Supreme
Reputation: 2

Joined: 13 Nov 2006
Posts: 1900

PostPosted: Tue Apr 01, 2008 7:56 am

It did require a bypass; it had a CRC bypass implemented.
Snootae
Grandmaster Cheater
Reputation: 0

Joined: 16 Dec 2006
Posts: 969
Location: --->

PostPosted: Tue Apr 01, 2008 8:29 am

Oh, did it need a GG CRC bypass?
Page 1 of 2

 