Cheat Engine The Official Site of Cheat Engine
Henley Grandmaster Cheater
Reputation: 0
Joined: 03 Oct 2006 Posts: 671
Posted: Sun Sep 14, 2008 6:42 pm Post subject: [help]converting to C++ ASM
This is what I have in my dll.
Code:
DWORD dwDupeXaddy = 0x007F07D6;
DWORD dwHookaddy = 0x005C77D4;
DWORD dwDuperet = dwDupeXaddy+6;
DWORD dwHookret = dwHookaddy+6;
//---------------------------------------------------------------------------
DWORD RunFlag = 0;
DWORD EDIValue = 0;
DWORD ESIValue = 0;
DWORD ESIAddy = 0;
DWORD onoff = 0;
void _declspec(naked) DupeXCave()
{
__asm
{
push eax
push ecx
mov ecx,[onoff]
cmp [onoff], 0
je DoNormal
cmp [RunFlag], ecx
je coNseptVac
mov eax, [0x00971DF8]
add eax, 0xD74
mov eax, [eax]
sub eax, 0xc
mov [ESIValue],eax
mov eax,[eax+114]
mov [EDIValue],eax
inc [RunFlag]
inc [RunFlag]
coNseptVac:
cmp esi,[ESIValue]
je DoNormal
push ecx
mov ecx,ESIAddy
mov [ecx],esi
pop ecx
DoNormal:
mov [esi+00000110],edi
pop ecx
pop eax
jmp dwDuperet
}
}
void _declspec(naked) HookCave()
{
__asm
{
cmp [onoff], 0
je NoVac
cmp [ESIAddy], 0
je NoVac
push eax
push ebx
mov eax,[ESIAddy]
mov ebx,[EDIValue]
mov [eax+110],ebx
//mov [eax+0x4c],ebx
//mov [eax+0x50],ebx
pop ebx
pop eax
NoVac:
mov [ebx+0x0000048c],eax
jmp dwHookret
}
}
//this is to activate
*(BYTE*)dwDupeXaddy = 0xE9;
*(DWORD*)(dwDupeXaddy+1) = JMP(dwDupeXaddy, DupeXCave);
*(BYTE*)(dwDupeXaddy + 5) = 0x90; ///NOP 6th byte
*(BYTE*)dwHookaddy = 0xE9;
*(DWORD*)(dwHookaddy+1) = JMP(dwHookaddy, HookCave);
*(BYTE*)(dwHookaddy + 5) = 0x90; ///NOP 6th byte
This is the asm script for CE:
Code:
//updated .60 by henley
[ENABLE]
alloc(coNDupeX, 1024)
alloc(RunFlag, 4)
alloc(ESIValue, 4)
alloc(EDIValue, 4)
alloc(ESIAddy,4)
alloc(hookit,128)
alloc(onoff,4)
registersymbol(onoff)
label(returnhere)
label(NoVac)
label(coNseptVac)
label(DoNormal)
label(back)
onoff:
dd 0
coNDupeX:
push eax
push ecx
mov ecx,[onoff]
cmp [onoff], 0
je DoNormal
cmp [RunFlag], ecx
je coNseptVac
mov eax, [00971DF8]
add eax, D74
mov eax, [eax]
sub eax, c
mov [ESIValue],eax
mov eax,[eax+114]
mov [EDIValue],eax
inc [RunFlag]
inc [RunFlag]
coNseptVac:
cmp esi,[ESIValue]
je DoNormal
push ecx
mov ecx,ESIAddy
mov [ecx],esi
pop ecx
DoNormal:
mov [esi+00000110],edi
pop ecx
pop eax
jmp back
ESIAddy:
dd 0
RunFlag:
dd 0
ESIValue:
dd 0
EDIValue:
dd 0
007F07D6:
jmp coNDupeX
nop
back:
005C77D4: //89 83 ?? 04 00 00 8D ?? ?? 50 FF ?? ?? ?? ?? 00
jmp hookit
nop
returnhere:
hookit:
cmp [onoff], 0
je NoVac
cmp [ESIAddy], 0
je NoVac
push eax
push ebx
mov eax,[ESIAddy]
mov ebx,[EDIValue]
mov [eax+110],ebx
mov [eax+4c],ebx
mov [eax+50],ebx
pop ebx
pop eax
NoVac:
mov [ebx+0000048c],eax
jmp returnhere
[DISABLE]
unregistersymbol(ESIAddy)
dealloc(coNDupeX)
dealloc(RunFlag)
dealloc(ESIValue)
dealloc(EDIValue)
dealloc(ESIAddy)
dealloc(hookit)
dealloc(onoff)
unregistersymbol(onoff)
005C77D4: //89 83 8c 04 00 00 8D ?? ?? 50 ?? ?? ?? ?? ?? 00
mov [ebx+0000048c],eax
007F07D6: //89 BE 10 01 00 00 E8 ?? 01 00 00 FF ?? ?? 01 00
mov [esi+00000110],edi
I tested this on a MapleStory private server, and when I activated the hack with CE it worked. But when I activate it with my DLL, MS crashes.
I also noticed that the bytes/opcodes edited by my DLL are different from what CE edits.
Is there something I did wrong converting it to C++ asm?
Last edited by Henley on Sun Sep 14, 2008 6:44 pm; edited 1 time in total
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Sun Sep 14, 2008 6:44 pm
Code:
mov [eax+110],ebx
mov eax,[eax+114]
mov [esi+00000110],edi
0x.
Last edited by sponge on Sun Sep 14, 2008 6:51 pm; edited 1 time in total
lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Sun Sep 14, 2008 6:48 pm
I literally JUST gave kitterz an entire snippet on how to activate it along with the scripts converted.
Ask him for it.
sylvanus Advanced Cheater
Reputation: 0
Joined: 09 May 2006 Posts: 68
Posted: Sun Sep 14, 2008 8:02 pm
I have the same problem as you, _Henley.
But I think that, just like you, make sure of the 0x;
it is possible that this is resolved.
BanMe Master Cheater
Reputation: 0
Joined: 29 Nov 2005 Posts: 375 Location: Farmington NH, USA
Posted: Mon Sep 15, 2008 3:10 pm
Yes, that is the precise problem: 114 is far different than 276.
sylvanus Advanced Cheater
Reputation: 0
Joined: 09 May 2006 Posts: 68
Posted: Mon Sep 15, 2008 4:02 pm
One question:
mov [eax+110],ebx
mov eax,[eax+114]
mov [esi+00000110],edi
Is it equal?
mov [eax+0x110], ebx ==> mov [eax+0x00000110]
??
GMZorita Grandmaster Cheater Supreme
Reputation: 0
Joined: 21 Mar 2007 Posts: 1361
Posted: Mon Sep 15, 2008 4:34 pm
sylvanus wrote:
One question:
mov [eax+110],ebx
mov eax,[eax+114]
mov [esi+00000110],edi
Is it equal?
mov [eax+0x110], ebx ==> mov [eax+0x00000110]
??
No, but:
mov [eax+0x110], ebx ==> mov [eax+0x00000110],ebx
_________________
Gone
kitterz Grandmaster Cheater Supreme
Reputation: 0
Joined: 24 Dec 2007 Posts: 1268
Posted: Mon Sep 15, 2008 4:43 pm
Ya... Thanks Lurc for your help. But this script requires us to modify the value of the addy onoff to 2 to make it vac. Though, it d/cs me whenever I assign it the value 2, as for some reason the addy onoff is always 00000000...
Help?
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Mon Sep 15, 2008 4:49 pm
Create a toggle and change it? Is it that hard?
kitterz Grandmaster Cheater Supreme
Reputation: 0
Joined: 24 Dec 2007 Posts: 1268
Posted: Mon Sep 15, 2008 4:54 pm
sponge wrote:
Create a toggle and change it? Is it that hard?
U mean like *(DWORD*)onoff = 2?
That does not seem to work =(
GMZorita Grandmaster Cheater Supreme
Reputation: 0
Joined: 21 Mar 2007 Posts: 1361
Posted: Mon Sep 15, 2008 5:05 pm
kitterz wrote:
sponge wrote:
Create a toggle and change it? Is it that hard?
U mean like *(DWORD*)onoff = 2?
That does not seem to work =(
bool onoff;
TickBox:
onoff = true;
UnTickBox:
onoff = false;
Code:
cmp [onoff],0
jne on
false = 0;
true != 0;
_________________
Gone
kitterz Grandmaster Cheater Supreme
Reputation: 0
Joined: 24 Dec 2007 Posts: 1268
Posted: Mon Sep 15, 2008 5:19 pm
GMZorita wrote:
kitterz wrote:
sponge wrote:
Create a toggle and change it? Is it that hard?
U mean like *(DWORD*)onoff = 2?
That does not seem to work =(
bool onoff;
TickBox:
onoff = true;
UnTickBox:
onoff = false;
Code:
cmp [onoff],0
jne on
false = 0;
true != 0;
I see. Thanks both of you. Gah. Even with this, it still d/cs me... maybe I got the script wrong somehow.
Henley Grandmaster Cheater
Reputation: 0
Joined: 03 Oct 2006 Posts: 671
Posted: Mon Sep 15, 2008 9:39 pm
kitterz wrote:
GMZorita wrote:
kitterz wrote:
sponge wrote:
Create a toggle and change it? Is it that hard?
U mean like *(DWORD*)onoff = 2?
That does not seem to work =(
bool onoff;
TickBox:
onoff = true;
UnTickBox:
onoff = false;
Code:
cmp [onoff],0
jne on
false = 0;
true != 0;
I see. Thanks both of you. Gah. Even with this, it still d/cs me... maybe I got the script wrong somehow.
Yeah, but we tried it with CE and it worked; I think the script is right.
Btw, fixed: added all those 0x's I missed, but after setting onoff to 2, I dc.
The opcodes/bytes edited by CE and my DLL are still different:
Code:
CE's opcode: jmp 4xxxxxxx
my dll's opcode: jmp 1dxxxxxx
Last edited by Henley on Mon Sep 15, 2008 9:44 pm; edited 1 time in total
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Mon Sep 15, 2008 9:45 pm
Obviously. JMPs are relative to distance. CE uses VirtualAllocEx. Your DLL is at a fixed spot, unless something else already occupies its space; then it will reloc.
I deleted that post. I just realized the INC RunFlag x2 and then the cmp towards RunFlag.
Last edited by sponge on Mon Sep 15, 2008 9:47 pm; edited 2 times in total
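The two technical points raised in this thread can be checked offline: the missing 0x prefixes (MSVC inline asm reads `110` as decimal, CE's auto-assembler reads it as hex, which is BanMe's "114 is far different than 276" and sponge's "0x."), and sponge's remark that E9 jumps are relative to distance, so the same cave produces different bytes depending on where it was allocated. The C program below is an added example written for this page; it is not code from the thread, from Cheat Engine or from any DLL discussed here. It encodes `mov [base+disp],reg` so the two readings of `110` can be compared byte for byte against the bytes CE shows in the script comments (`89 BE 10 01 00 00`, `89 83 8C 04 00 00`), computes the rel32 of an E9 jump, and then does what an integrity monitor (anti-cheat or EDR) would do with a patched code site: detect the foreign jump and decode where it lands. The cave address 0x10001000 and the patched buffer are constructed fixtures, and the encoder only handles the base registers the thread uses (no ESP/SIB forms).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* x86-32 register numbers as they appear in the ModRM reg and rm fields. */
enum { R_EAX = 0, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI };

/* Encode `mov dword ptr [base + disp], reg` (opcode 0x89) into out[].
 * An assembler picks the shortest displacement form, which is exactly why
 * `110` (decimal, fits disp8) and `0x110` (needs disp32) encode differently.
 * ESP as base needs a SIB byte and EBP has no disp-less form; both are
 * rejected (return 0) since the thread only uses ESI and EBX as bases. */
static size_t encode_mov_mem_reg(uint8_t *out, int base, int reg, int32_t disp)
{
    if (base == R_ESP || (base == R_EBP && disp == 0))
        return 0;
    out[0] = 0x89;
    if (disp == 0) {                                  /* mod 00: no displacement */
        out[1] = (uint8_t)((reg << 3) | base);
        return 2;
    }
    if (disp >= -128 && disp <= 127) {                /* mod 01: disp8 */
        out[1] = (uint8_t)(0x40 | (reg << 3) | base);
        out[2] = (uint8_t)disp;
        return 3;
    }
    out[1] = (uint8_t)(0x80 | (reg << 3) | base);    /* mod 10: disp32 */
    for (int i = 0; i < 4; i++)                       /* little-endian displacement */
        out[2 + i] = (uint8_t)((uint32_t)disp >> (8 * i));
    return 6;
}

/* rel32 stored in an E9 jump located at `from` so that it lands on `to`.
 * The CPU adds rel32 to the address of the next instruction (from + 5), so a
 * cave in a CE VirtualAllocEx block and a cave inside a DLL image give
 * different bytes at the very same patch site. */
static int32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return (int32_t)(to - (from + 5));
}

/* Write `jmp rel32` plus NOP padding over `orig_len` bytes at virtual address
 * `at`, into a local buffer rather than live process memory. */
static size_t write_jmp_patch(uint8_t *code, uint32_t at, uint32_t target, size_t orig_len)
{
    uint32_t rel = (uint32_t)jmp_rel32(at, target);
    code[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        code[1 + i] = (uint8_t)(rel >> (8 * i));
    for (size_t i = 5; i < orig_len; i++)
        code[i] = 0x90;
    return orig_len;
}

/* Integrity check over one code site: compare the live bytes at `addr` with
 * the known-good copy and, if a foreign E9 jump was planted, decode the
 * absolute address it lands on. Returns 1 on detection, 0 otherwise. */
static int detect_inline_jmp_hook(const uint8_t *orig, const uint8_t *live,
                                  size_t len, uint32_t addr, uint32_t *target)
{
    if (len < 5 || memcmp(orig, live, len) == 0)
        return 0;                                     /* unchanged */
    if (live[0] != 0xE9 || orig[0] == 0xE9)
        return 0;                                     /* changed, but not a planted jmp */
    uint32_t rel = (uint32_t)live[1] | ((uint32_t)live[2] << 8) |
                   ((uint32_t)live[3] << 16) | ((uint32_t)live[4] << 24);
    *target = addr + 5 + rel;                         /* wraps modulo 2^32, like the CPU */
    return 1;
}

static void dump(const char *label, const uint8_t *b, size_t n)
{
    printf("%-24s", label);
    for (size_t i = 0; i < n; i++)
        printf(" %02X", b[i]);
    printf("\n");
}

int main(void)
{
    uint8_t hex[6], dec[6], live[6];
    size_t nh = encode_mov_mem_reg(hex, R_ESI, R_EDI, 0x110);  /* CE: 110 is hex */
    size_t nd = encode_mov_mem_reg(dec, R_ESI, R_EDI, 110);    /* MSVC: 110 is decimal */
    dump("mov [esi+0x110],edi", hex, nh);   /* 89 BE 10 01 00 00, as in the CE script comment */
    dump("mov [esi+110],edi", dec, nd);     /* 89 7E 6E: a 3-byte store to offset 0x6E */

    /* Constructed fixture: the 6-byte store at the thread's address, then a
     * copy patched to jump to a made-up cave at 0x10001000. */
    const uint32_t site = 0x007F07D6u, cave = 0x10001000u;
    memcpy(live, hex, sizeof live);
    write_jmp_patch(live, site, cave, sizeof live);
    dump("patched site", live, sizeof live);

    uint32_t target = 0;
    if (detect_inline_jmp_hook(hex, live, sizeof live, site, &target))
        printf("inline jmp hook at %08X -> %08X\n", (unsigned)site, (unsigned)target);
    return 0;
}
```

The decimal reading produces a 3-byte instruction, so the DLL's `[esi+110]` store lands on a different field and leaves the remaining bytes of the 6-byte slot as garbage, which is consistent with the crash reported in the first post; the same check applied to `[eax+114]` explains the 276 in BanMe's reply (0x114 = 276). The detection half shows why a monitor that knows the original bytes does not need to understand the hook at all: a leading E9 that was not there before, plus the decoded target, is enough to flag the site and point at the code it diverts to.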
Henley Grandmaster Cheater
Reputation: 0
Joined: 03 Oct 2006 Posts: 671
Posted: Mon Sep 15, 2008 9:46 pm
sponge wrote:
If 2 disconnects, all other values besides 0 will disconnect.
0 = off and all other numbers = on. I don't know where you got the conception that onoff needs to be 2.
On a private server I had to change the onoff value to 2 to start vaccing.
Same for kitterz on GMS (vacced till he had "Hacking attempt detected").