stomperz (Expert Cheater, Reputation: 0; Joined: 18 Jul 2004; Posts: 193; Location: USA Chicago)
Posted: Wed Oct 13, 2004 11:20 pm. Post subject: Codecaves
Dark Byte, any chance of implementing a codecave search tool?
The Allocate Memory only seems to work on certain games,
and the Search Memory is not practical for codecaving.
All the old codecave tools don't work on the newer games.
me (Grandmaster Cheater, Reputation: 2; Joined: 24 Jun 2004; Posts: 733; Location: location location)
Posted: Thu Oct 14, 2004 2:35 pm. Post subject: sheep
Have you used sas V1.3 off www.sheeprec.cjb.net?
He might have tips on his site for code caving newer games;
I have to have another peek there myself.
stomperz (Expert Cheater, Reputation: 0; Joined: 18 Jul 2004; Posts: 193; Location: USA Chicago)
Posted: Thu Oct 14, 2004 5:43 pm. Post subject: Re: sheep
me wrote:
> Have you used sas V1.3 off www.sheeprec.cjb.net? He might have tips on his site for code caving newer games; I have to have another peek there myself.

Yes, thanks.
I have 3-4 programs but none work.
I have monitored addresses (unchanged, unchanged, ya ya ya) over and over to find C/Cs, but after injecting code, a few minutes later the game crashes.
The game might detect changes.
I thought I had one that did not rely on the process and just examined the file.
stomperz (Expert Cheater, Reputation: 0; Joined: 18 Jul 2004; Posts: 193; Location: USA Chicago)
Posted: Sat Oct 16, 2004 6:34 pm. Post subject: code cave
Auto Assemble works great, DB, but
I'm having a problem with the following code; if you see anything wrong,
please let me know. (The code seems valid, if the addresses are not being used or scanned by the process or protection.)

001A52FA8:                ; code cave
mov eax,[esp+04]          ; restore original code (would this be the pointer to my bonus?)
mov [009d9a0c],eax        ; restore original code (write bonus amount)
mov [001a52fe8],esp       ; store esp for later read (far enough away)
ret

460ec1:                   ; jmp to code cave
call 001A52FA8
nop                       ; balance out code
nop
nop
nop

It looks like they are using ESP as a general register, and it is used to move stack variables into EAX,
but my mov [1a52fe8],esp crashes the game.
I hex-edit the exe file with a nop to the whole sub with no problem, but whenever I fool with the ESP...... boom.
BTW, a good tool to learn assembler: http://emu8086.com/
Only 8086, but it lets you follow your little code snippets in real time.
Dark Byte (Site Admin, Reputation: 458; Joined: 09 May 2003; Posts: 25295; Location: The Netherlands)
Posted: Sat Oct 16, 2004 6:46 pm
The call instruction you put in decreases the ESP register by 4 (it stores the return address on the stack and sets the stack pointer to the next available spot).
You need to replace the call with a jmp and, instead of a ret, put in a jump to the nop (or the instruction after it).
That's why my automatic code injector uses jmps.
Also, this is a standard call mechanism: the function gets called and then looks up the variables it got by using esp+xxx, and when it jumps back to the caller there's usually a ret xxxx where xxxx is the number of bytes all parameters had. It's no use to save the value of esp because that can change each time (especially if the game has a memory leak).
But you can save the parameters of the function by saving [esp+4], [esp+8] etc. (which you are doing when you save eax).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
stomperz (Expert Cheater, Reputation: 0; Joined: 18 Jul 2004; Posts: 193; Location: USA Chicago)
Posted: Sun Oct 17, 2004 5:44 pm
It seems you're right about the CALL changing the ESP register.
Funny.. I always CALL in my codecaves because of the JMP taking more bytes.
I was trying to capture the ESP (+4) thinking it was the pointer to the EAX.
Then I woke up!!
Wrong, it just stores the variable.
Code Snippet:
00460e10 - c3             - ret
00460e11 - 8b 44 24 04    - mov eax,[esp+04]
00460e15 - a3 88 99 9d 00 - mov [009d9988],eax   ; =LVL
00460e1a - c3             - ret
00460e1b - 8b 44 24 04    - mov eax,[esp+04]
00460e1f - a3 90 99 9d 00 - mov [009d9990],eax   ; =STR
00460e24 - c3             - ret
00460e25 - 8b 44 24 04    - mov eax,[esp+04]
00460e29 - a3 9c 99 9d 00 - mov [009d999c],eax   ; =Bonus
00460e2e - c3             - ret
00460e2f - 8b 44 24 04    - mov eax,[esp+04]
00460e33 - a3 a8 99 9d 00 - mov [009d99a8],eax   ; =ToHit
00460e38 - c3             - ret
Any idea on how to trace this back or what to look for?
Oh well, back to IDA Pro.
Dark Byte (Site Admin, Reputation: 458; Joined: 09 May 2003; Posts: 25295; Location: The Netherlands)
Posted: Mon Oct 18, 2004 6:09 am
If I'm reading the code correctly, [esp] contains the address of the function that called that subroutine.
stomperz (Expert Cheater, Reputation: 0; Joined: 18 Jul 2004; Posts: 193; Location: USA Chicago)
Posted: Mon Oct 18, 2004 8:59 am
Dark Byte wrote:
> If I'm reading the code correctly, [esp] contains the address of the function that called that subroutine.

No, it contains the variable and writes it to the game.
I'm unable to trace back what changes the ESP.
I tried to use CE and Olly to trace the ESP but the protection stops me.
I'm lost!!
My head hurts.
I need to do some more reading.

mov [009d9988],eax   ; =LVL
mov [009d9990],eax   ; =STR
mov [009d999c],eax   ; =Bonus
mov [009d99a8],eax   ; =ToHit
_____________________________________________________________
.text:004369C2 loc_4369C2:                ; DATA XREF: sub_436198+141o
.text:004369C2     mov eax, [esp+4]
.text:004369C6     push esi
.text:004369C7     mov esi, [eax+4]       ; is this the pointer?
.text:004369CA     test esi, esi
.text:004369CC     jz short loc_4369D3
.text:004369CE     call sub_460DED
.text:004369D3
.text:004369D3 loc_4369D3:                ; CODE XREF: .text:004369CCj
.text:004369D3     push esi               ; changes ESP
.text:004369D4     call bonus_write
.text:004369D9     push 16h
.text:004369DB     call nullsub_2
.text:004369E0     pop ecx
.text:004369E1     pop ecx
.text:004369E2     pop esi
.text:004369E3     retn
_____________________________________________________________
.text:00460EC1 public bonus_write
.text:00460EC1 bonus_write proc near      ; CODE XREF: .text:004369D4p
.text:00460EC1
.text:00460EC1 arg_0 = dword ptr 4
.text:00460EC1
.text:00460EC1     mov eax, [esp+4]
.text:00460EC5     mov dword_9D9A0C, eax  ; write bonus to game
.text:00460ECA     retn
Dark Byte (Site Admin, Reputation: 458; Joined: 09 May 2003; Posts: 25295; Location: The Netherlands)
Posted: Mon Oct 18, 2004 9:18 am
.text:004369D3 push esi           // this decreases esp by 4 and puts on [esp] the value of esi
.text:004369D4 call bonus_write   // this decreases esp by 4 and puts on [esp] the value 004369d9
So at 00460ec1 the stack will hold:
[esp]=004369d9
[esp+4]=value of esi
It then loads the value at [esp+4] into eax
and puts that on the static address 9d9a0c.
It then does a ret. This means it jumps to the address at [esp] and increases esp by 4,
so at 004369d9 [esp] holds the value of esi.
Then nullsub_2 gets called (which could change esi or not).
After that it takes off the values it pushed on the stack (004369c6, 004369d3, 004369d9) and gives a ret instruction.
So, if the values pushed didn't get changed in the routines it called:
ecx will hold 16h
ecx will hold the value of esi
esi will hold the value of the esi it started out with
wh1t3y (Advanced Cheater, Reputation: 1; Joined: 09 May 2003; Posts: 85; Location: Missouri)
stomperz (Expert Cheater, Reputation: 0; Joined: 18 Jul 2004; Posts: 193; Location: USA Chicago)
Posted: Tue Oct 19, 2004 5:59 pm
wh1t3y wrote:
> I don't know what the crap you guys are talking about.. but I just wanted to say thanks stomperz for the link to that assembly tutor program.. good stuff

np
Only wish it was for 386!
It's cool to step through your code and see first hand what's going on.
Hey, but it works just the same.
Dark Byte (Site Admin, Reputation: 458; Joined: 09 May 2003; Posts: 25295; Location: The Netherlands)
Posted: Tue Oct 19, 2004 6:25 pm
You know, you can allocate memory with Cheat Engine,
in that memory write your assembler code,
then set a breakpoint at the start of your code
and create a thread at that address. You can then step through your code (even modify it a little while stepping through).
stomperz (Expert Cheater, Reputation: 0; Joined: 18 Jul 2004; Posts: 193; Location: USA Chicago)
Posted: Tue Oct 19, 2004 6:52 pm
Dark Byte wrote:
> You know, you can allocate memory with Cheat Engine, in that memory write your assembler code, then set a breakpoint at the start of your code and create a thread at that address. You can then step through your code (even modify it a little while stepping through).

I tried the "allocate memory", but the protection seems to find any injection no matter where I put it (and crash/freeze). Maybe runaway code?
I have been able to hex some of my code into the game exe with success,
but I have a hard time making the jump statement to a particular location.
(Working on that.)
"create a thread at that address"
Can you elaborate on that a little?
Dark Byte (Site Admin, Reputation: 458; Joined: 09 May 2003; Posts: 25295; Location: The Netherlands)
Posted: Tue Oct 19, 2004 6:58 pm
I was talking about experimenting with assembler. You can use any process for that (even Cheat Engine's own).
You can create a thread using Extra->Create thread.
stomperz (Expert Cheater, Reputation: 0; Joined: 18 Jul 2004; Posts: 193; Location: USA Chicago)
Posted: Tue Oct 19, 2004 7:59 pm
DB ... I think I may give the impression that I know what I'm talking about.
I don't.
I get it after I read it 20 or 30 times though.
I read your CE help file from front to back and I have the basics of how to use your program, but my skills need a lot more polishing.
I try Google and other sites before asking, but sometimes I get stuck.
Can you give me an example of code that could be used and how I would implement it?