Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Update addresses and offsets in my trainers

 
Twistedfate
Expert Cheater
Reputation: 1

Joined: 11 Mar 2016
Posts: 231

PostPosted: Wed Nov 23, 2016 5:34 pm    Post subject: Update addresses and offsets in my trainers

Every time I have to update my trainer I have to go to
- OllyDbg, copy the instructions and get my code,
- and copy the address with opcodes, then delete the opcodes to get the address only,
because OllyDbg copies the whole line.
Ex:
Quote:
0069B727 . 3D 00010000 CMP EAX,100


and paste the new addresses into my Lua script (trainer file) in each location.
.....
Are there any ideas to update my trainers faster? I tried a macro recorder but it's not a good one: one error will destroy my work.
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

PostPosted: Wed Nov 23, 2016 6:52 pm

Is there a reason you're hard-coding the address instead of using an AOB injection?
Or maybe I'm misunderstanding.
Kavvman
Master Cheater
Reputation: 2

Joined: 17 Apr 2004
Posts: 316

PostPosted: Thu Nov 24, 2016 3:41 am

EDIT > Copy address

EDIT > Binary copy (bytes copy only)

Also what Zanzer said?^

Twistedfate
Expert Cheater
Reputation: 1

Joined: 11 Mar 2016
Posts: 231

PostPosted: Thu Nov 24, 2016 5:21 am

Zanzer wrote:
Is there a reason you're hard-coding the address instead of using an AOB injection?
Or maybe I'm misunderstanding.

yes


Code:
[ENABLE]

aobscanmodule(speed,game.exe,75 17 68 74 C6 B0 00) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  jne game.exe+331AF7
  push game.exe+70C674
  jmp return

speed:
  jmp newmem
  nop
  nop
return:
registersymbol(speed)

[DISABLE]

speed:
  db 75 17 68 74 C6 B0 00

unregistersymbol(speed)
dealloc(newmem)



Code like this will change every time, even with AOB, right?
Code:

 jne game.exe+331AF7
  push game.exe+70C674
Kavvman
Master Cheater
Reputation: 2

Joined: 17 Apr 2004
Posts: 316

PostPosted: Thu Nov 24, 2016 6:26 am

The jne is safe to use (as it's a short jump, just use the bytes 75 17), but yes, the push might change.

You can use reassemble or readmem to recreate those instructions without using any hard-coded addresses/instructions.

Twistedfate
Expert Cheater
Reputation: 1

Joined: 11 Mar 2016
Posts: 231

PostPosted: Thu Nov 24, 2016 5:29 pm

Quote:
just use the bytes 75 17

Can you give me more explanation?
If I use them only to scan,
then the code will stay the same and break my game, because it will jump to a different address with a newer update of the game.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Thu Nov 24, 2016 6:01 pm

The jump distance is calculated using the hex or byte representation of the instruction; in lieu of what CE interprets (jump to game+offset), it will be (jump this many bytes away). Regarding the push, and also the possibility of the 'distance' changing, you can do as ViZZion suggests and use readmem to create a dynamic script.
Twistedfate
Expert Cheater
Reputation: 1

Joined: 11 Mar 2016
Posts: 231

PostPosted: Fri Nov 25, 2016 12:38 pm

Can you use readmem and calculate the bytes for this script,
for the call and the jump, please?

Code:
  jmp game.exe+43c723   → when I follow it, it jumps to → 0083C723
  call game.exe+2ec616  → 006EC616


Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

 
 
aobscanmodule(fastskills,game.exe,75 44 57 ?? ?? ?? ?? ?? 89 86 94 19 00 00 8b 44 24 10 6a 00) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  jmp game.exe+461799
  push edi
  call game.exe+3093E6
  jmp return

fastskills:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(fastskills)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
fastskills:
  db 75 44 57 E8 8B 7C EA FF

unregistersymbol(fastskills)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "game.exe"+461753

"game.exe"+46172F: 83 4D FC FF           -  or dword ptr [ebp-04],-01
"game.exe"+461733: 8D 8D EC FB FF FF     -  lea ecx,[ebp-00000414]
"game.exe"+461739: E8 15 7E 02 00        -  call game.exe+489553
"game.exe"+46173E: E8 F4 31 18 00        -  call game.exe+5E4937
"game.exe"+461743: C2 08 00              -  ret 0008
"game.exe"+461746: 53                    -  push ebx
"game.exe"+461747: 56                    -  push esi
"game.exe"+461748: 8B F1                 -  mov esi,ecx
"game.exe"+46174A: 8D 9E A0 19 00 00     -  lea ebx,[esi+000019A0]
"game.exe"+461750: 83 3B 00              -  cmp dword ptr [ebx],00
// ---------- INJECTING HERE ----------
"game.exe"+461753: 75 44                 -  jne game.exe+461799
"game.exe"+461755: 57                    -  push edi
"game.exe"+461756: E8 8B 7C EA FF        -  call game.exe+3093E6
// ---------- DONE INJECTING  ----------
"game.exe"+46175B: 89 86 94 19 00 00     -  mov [esi+00001994],eax
"game.exe"+461761: 8B 44 24 10           -  mov eax,[esp+10]
"game.exe"+461765: 6A 00                 -  push 00
"game.exe"+461767: 8D BE 98 19 00 00     -  lea edi,[esi+00001998]
"game.exe"+46176D: 68 0B 04 00 00        -  push 0000040B
"game.exe"+461772: 89 07                 -  mov [edi],eax
"game.exe"+461774: C7 03 01 00 00 00     -  mov [ebx],00000001
"game.exe"+46177A: E8 EB 82 EB FF        -  call game.exe+319A6A
"game.exe"+46177F: 8B B6 94 19 00 00     -  mov esi,[esi+00001994]
"game.exe"+461785: 8B 07                 -  mov eax,[edi]
}
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4702

PostPosted: Sat Nov 26, 2016 5:00 pm

If changing jne to jmp is the only change you're making, you don't need to hook anything. Just make the change and be done with it.
Code:
[ENABLE]
aobscanmodule(fastskills,game.exe,75 44 57 ?? ?? ?? ?? ?? 89 86 94 19 00 00 8b 44 24 10 6a 00)
registersymbol(fastskills)

fastskills:
  db EB

[DISABLE]
fastskills:
  db 75

unregistersymbol(fastskills)

Twistedfate
Expert Cheater
Reputation: 1

Joined: 11 Mar 2016
Posts: 231

PostPosted: Sat Nov 26, 2016 7:07 pm    Post subject: Thanks, problem solved

Quote:
ParkourPenguin

Thank you all, problem solved.
But if I want to change the push command bytes (57), how?
Could I write
db 75 44 57 ?
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4702

PostPosted: Sat Nov 26, 2016 7:14 pm

You could do it that way. Alternatively, you could also use a previously defined label to specify where to write the byte(s) to.
Code:
fastskills+2:
  db 57

Twistedfate
Expert Cheater
Reputation: 1

Joined: 11 Mar 2016
Posts: 231

PostPosted: Sat Nov 26, 2016 7:23 pm    Post subject: last case

What if I want to add these instructions above this push command? What could I do?

Code:
MOV [ecx+74],#260000
MOV [ecx+88],(int)10000
MOV [ecx+8c],(int)10000
MOV [ecx+90],(int)10000


Code:
push [ecx+1C]
CALL 0080A0EE


Full code:


Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

 
 
aobscanmodule(Left_Click_far,game.exe,FF 71 1C E8 ?? ?? ?? ??  59 c3 56  ) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

  push [ecx+1C]
  call game.exe+42D232
  jmp return

code:
  push [ecx+1C]
  call game.exe+42D232
  jmp return

Left_Click_far:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(Left_Click_far)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
Left_Click_far:
  db FF 71 1C E8 CA FF FF FF

unregistersymbol(Left_Click_far)
dealloc(newmem)



Bytes here:

Code:
// ORIGINAL CODE - INJECTION POINT: "game.exe"+42D260

"game.exe"+42D248: 33 D2                 -  xor edx,edx
"game.exe"+42D24A: B9 40 42 0F 00        -  mov ecx,000F4240
"game.exe"+42D24F: F7 F1                 -  div ecx
"game.exe"+42D251: B9 E8 03 00 00        -  mov ecx,000003E8
"game.exe"+42D256: 8B C2                 -  mov eax,edx
"game.exe"+42D258: 33 D2                 -  xor edx,edx
"game.exe"+42D25A: F7 F1                 -  div ecx
"game.exe"+42D25C: C3                    -  ret
"game.exe"+42D25D: 33 C0                 -  xor eax,eax
"game.exe"+42D25F: C3                    -  ret
// ---------- INJECTING HERE ----------
"game.exe"+42D260: FF 71 1C              -  push [ecx+1C]
"game.exe"+42D263: E8 CA FF FF FF        -  call game.exe+42D232
// ---------- DONE INJECTING  ----------
"game.exe"+42D268: 59                    -  pop ecx
"game.exe"+42D269: C3                    -  ret
"game.exe"+42D26A: 56                    -  push esi
"game.exe"+42D26B: 8B 74 24 08           -  mov esi,[esp+08]
"game.exe"+42D26F: 56                    -  push esi
"game.exe"+42D270: E8 A9 E7 FF FF        -  call game.exe+42BA1E
"game.exe"+42D275: 48                    -  dec eax
"game.exe"+42D276: 59                    -  pop ecx
"game.exe"+42D277: 74 41                 -  je game.exe+42D2BA
"game.exe"+42D279: 48                    -  dec eax
}
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4702

PostPosted: Sat Nov 26, 2016 8:57 pm

Copy and paste those instructions above the push in your code. The code label and the 3 instructions under it are unnecessary, but besides that, I don't see any errors in that script.

If the game updates often and you're concerned about the relative address in the call changing, either find a better injection point or see this post for information on using reassemble.

Twistedfate
Expert Cheater
Reputation: 1

Joined: 11 Mar 2016
Posts: 231

PostPosted: Sat Nov 26, 2016 9:01 pm

I got it thank you man <3
mgr.inz.Player
I post too much
Reputation: 222

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Sun Nov 27, 2016 5:46 pm

Code:
[ENABLE]
aobscanmodule(Left_Click_far,game.exe,FF 71 1C E8 xx xx xx xx 59 C3 56)
registersymbol(Left_Click_far)
alloc(newmem,$1000,game.exe)
label(copyOfOrig)
registersymbol(copyOfOrig)

newmem:
  mov [ecx+74],(int)260000  // new
  mov [ecx+88],(int)10000   // new
  mov [ecx+8c],(int)10000   // new
  mov [ecx+90],(int)10000   // new
  push [ecx+1C]
  reassemble(Left_Click_far+3)  // re-encodes the original call with a displacement that is valid from here
  pop ecx                       // the two instructions that follow the injection point (59 C3),
  ret                           // so there is no need to jmp back

copyOfOrig:
readmem(Left_Click_far,8)       // keep the original 8 bytes for [DISABLE]

Left_Click_far:
  jmp newmem
  nop
  nop
  nop

[DISABLE]
Left_Click_far:
readmem(copyOfOrig,8)           // restore whatever bytes were there, no hard-coded db needed

unregistersymbol(Left_Click_far)
unregistersymbol(copyOfOrig)
dealloc(newmem)
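
The three answers above (++METHOS on why a short or near branch encodes a distance rather than an address, ParkourPenguin's one-byte `75` to `EB` patch, and mgr.inz.Player's reassemble()/readmem() script) all come down to the same byte arithmetic. The Python below is an added example, not code from this thread or from Cheat Engine: it scans a constructed byte buffer for a CE-style AOB, decodes the rel8/rel32 branches quoted in the thread, and rebuilds the Left_Click_far cave so the copied call still reaches game.exe+42D232. BASE, TEXT_RVA and CAVE_VA are assumed addresses and IMAGE is a constructed buffer; only the instruction bytes are the ones posted in the thread.

```python
"""Added example (not from the thread or from Cheat Engine): a byte-level model
of aobscanmodule, rel8/rel32 branch arithmetic, the jne->jmp one-byte patch and
the reassemble()/readmem() flow.  BASE, TEXT_RVA, CAVE_VA are hypothetical and
IMAGE is constructed from the bytes quoted in the thread plus 0xCC filler."""
from __future__ import annotations
import re
import struct

BASE = 0x00400000            # assumed load address of game.exe (hypothetical)
TEXT_RVA = 0x42D200          # RVA of IMAGE[0] (hypothetical)
CAVE_VA = BASE + 0x01000000  # stands in for CE's alloc(newmem,$1000,game.exe)

# game.exe+42D260  FF 71 1C        push [ecx+1C]
# game.exe+42D263  E8 CA FF FF FF  call game.exe+42D232
# game.exe+42D268  59 C3           pop ecx / ret
# game.exe+42D26A  56              push esi
SITE = bytes.fromhex("FF711C E8CAFFFFFF 59 C3 56")
IMAGE = b"\xCC" * 0x60 + SITE + b"\xCC" * 0x20


def aob_regex(pattern: str) -> re.Pattern:
    """CE-style AOB string -> bytes regex; '??', 'xx' and '*' are wildcards."""
    parts = [b"." if t.lower() in ("?", "??", "x", "xx", "*", "**")
             else re.escape(bytes([int(t, 16)])) for t in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def aobscan(data: bytes, pattern: str) -> list[int]:
    """Offsets of every match (aobscanmodule expects exactly one)."""
    return [m.start() for m in aob_regex(pattern).finditer(data)]


def decode_branch(data: bytes, off: int, va: int) -> tuple[str, int, int]:
    """Decode jcc/jmp rel8 and call/jmp rel32 at data[off], which lives at va.
    target = address of the NEXT instruction + signed displacement."""
    op = data[off]
    if op in (0x74, 0x75, 0xEB):
        disp = struct.unpack_from("<b", data, off + 1)[0]
        return {0x74: "je", 0x75: "jne", 0xEB: "jmp"}[op], 2, (va + 2 + disp) & 0xFFFFFFFF
    if op in (0xE8, 0xE9):
        disp = struct.unpack_from("<i", data, off + 1)[0]
        return ("call" if op == 0xE8 else "jmp"), 5, (va + 5 + disp) & 0xFFFFFFFF
    raise ValueError(f"unsupported opcode {op:02X} at {va:08X}")


def encode_rel32(opcode: int, from_va: int, target_va: int) -> bytes:
    """E8/E9 + rel32 placed at from_va and reaching target_va."""
    disp = target_va - (from_va + 5)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return bytes([opcode]) + struct.pack("<i", disp)


def reassemble_call(data: bytes, off: int, old_va: int, new_va: int) -> bytes:
    """What reassemble(Left_Click_far+3) does: same target, new displacement,
    because the copied call now sits at new_va instead of old_va."""
    name, _, target = decode_branch(data, off, old_va)
    if name != "call":
        raise ValueError("expected a call at the reassemble point")
    return encode_rel32(0xE8, new_va, target)


def force_jump(data: bytes, off: int) -> bytes:
    """The one-byte patch: 75 (jne rel8) -> EB (jmp rel8).  The displacement
    byte is untouched, so the jump still lands where the jne did."""
    if data[off] not in (0x74, 0x75):
        raise ValueError("not a jcc rel8")
    out = bytearray(data)
    out[off] = 0xEB
    return bytes(out)


def mov_ecx_disp_imm32(disp: int, imm: int) -> bytes:
    """mov dword ptr [ecx+disp], imm32 (C7 /0).  Contains no relative address,
    so these bytes are valid wherever they are placed."""
    if -128 <= disp <= 127:                                 # mod=01 disp8, rm=001 (ecx)
        return b"\xC7\x41" + struct.pack("<bI", disp, imm)
    return b"\xC7\x81" + struct.pack("<iI", disp, imm)      # mod=10 disp32


def build_hook(image: bytes, pattern: str) -> dict:
    """Whole flow: scan, build the cave, build the 8-byte site patch
    (jmp newmem + 3 nops) and keep the original bytes for [DISABLE]."""
    hits = aobscan(image, pattern)
    if len(hits) != 1:
        raise RuntimeError(f"pattern not unique: {len(hits)} hit(s)")
    off = hits[0]
    site_va = BASE + TEXT_RVA + off

    cave = bytearray()
    for d, v in ((0x74, 260000), (0x88, 10000), (0x8C, 10000), (0x90, 10000)):
        cave += mov_ecx_disp_imm32(d, v)                    # the four new movs
    cave += image[off:off + 3]                              # push [ecx+1C], copied as-is
    call_off = len(cave)
    cave += reassemble_call(image, off + 3, site_va + 3, CAVE_VA + call_off)
    cave += b"\x59\xC3"                                     # pop ecx / ret: no jmp back

    return {
        "site_va": site_va,
        "original": image[off:off + 8],                     # readmem(Left_Click_far,8)
        "patch": encode_rel32(0xE9, site_va, CAVE_VA) + b"\x90" * 3,
        "cave": bytes(cave),
        "call_target": decode_branch(cave, call_off, CAVE_VA + call_off)[2],
    }


if __name__ == "__main__":
    for k, v in build_hook(IMAGE, "FF 71 1C E8 ?? ?? ?? ?? 59 C3 56").items():
        print(k, v.hex() if isinstance(v, bytes) else f"{v:08X}")
```

Running it shows the point of the thread in one screen: the movs assemble to identical bytes no matter where they sit, while the call's displacement in the cave differs from the one at the injection point. That difference is why a hard-coded `call game.exe+42D232` in an AOB script silently points somewhere else after the next game build, and why `reassemble()` (or recomputing the rel32 yourself) does not.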
