GodKratos Cheater
Reputation: 0
Joined: 18 Jul 2011 Posts: 30
Posted: Fri Oct 07, 2011 3:58 am Post subject: Need help to trace where stack gets written |
Hi there
I am trying to trace through some code to find out where to inject some code to enable infinite health in a game.
I have found a value that if I freeze it, it freezes my health but the way this value is used is confusing to me and I'm having a hard time trying to figure it out.
By using "What accesses this address" I get lead to the following block of code:
013A8AA4 - 55 - push ebp
013A8AA5 - 8B EC - mov ebp,esp
013A8AA7 - 8B 45 0C - mov eax,[ebp+0C]
013A8AAA - D9 00 - fld dword ptr [eax]
013A8AAC - 8B 45 08 - mov eax,[ebp+08]
013A8AAF - D9 18 - fstp dword ptr [eax]
013A8AB1 - 5D - pop ebp
013A8AB2 - C2 0800 - ret 0008
The line "fld dword ptr [eax]" is always accessed when reading my value and "fstp dword ptr [eax]" is accessed when writing to my value (when I take damage).
The problem is, this block of code is called constantly and I have a hard time tracing the code for when I get hurt only.
I have run a break and trace using the break condition "EAX==0xMyAddress" which successfully breaks when I get hurt, and I can see at that time that the xmm0 register equals the value of my health, which is what gets written to [eax] with the fstp opcode.
So up to here I'm fine.... the next step is to figure out what writes that health value to xmm0 but I have no idea how I can set a break point at earlier places from my break and trace and set a break condition that will only break for when I get hurt.
Analyzing these four lines:
mov eax,[ebp+0C]
fld dword ptr [eax]
mov eax,[ebp+08]
fstp dword ptr [eax]
Does that mean the value at address [ebp+0C] is first being stored in xmm0 and then the value at address [ebp+08] is getting written to from xmm0 ??
I tried creating the following code injection:
[ENABLE]
alloc(newmem,1024)
label(skip)
label(returnhere)
label(exit)

newmem:
cmp ebp,00317524     // register value if being poisoned
je skip
cmp ebp,00407324     // register value if being attacked
je skip
fstp dword ptr [eax] // normal operation: store the new health value
jmp exit
skip:
fstp st              // pop the FPU register without saving the value
exit:
pop ebp              // re-emitted original epilogue (the 6 bytes overwritten by jmp+nop)
ret 0008
jmp returnhere       // never reached: ret 0008 already returned to the caller

"witcher2.EXE"+8AAF:
jmp newmem           // 5-byte jmp
nop                  // pads the 6 bytes of fstp/pop/ret
returnhere:

[DISABLE]
"witcher2.EXE"+8AAF:
fstp dword ptr [eax]
pop ebp
ret 0008
dealloc(newmem)
This worked fine to give me infinite health but the value of EBP changes each time I restart the game and I don't know how to change the first cmp of EBP to use pointers.
Regardless... I think I'm trying to edit the wrong place and maybe there is a much easier way to find what I'm looking for.
Any advice?
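As an added example (not from the thread, not from Cheat Engine, and not the game's code), here is a small Python script that does the sizing work behind a hook like the one above: it parses a Cheat Engine "addr - bytes - mnemonic" listing, works out which whole instructions a 5-byte jmp at a given address overwrites, how many nops pad the site, whether one of the stolen instructions is a ret (in which case the jmp back to returnhere is dead code), and renders an [ENABLE]/[DISABLE] skeleton that restores the original bytes. The listing is the one quoted in the post; the module base 013A0000 for witcher2.EXE is derived from the post's two spellings of the same address (013A8AAF and "witcher2.EXE"+8AAF) and is an assumption, not something the script reads from a process.

```python
import re

# Constructed sample: the disassembly quoted in the post, hand-copied (no live game involved).
LISTING = """\
013A8AA4 - 55 - push ebp
013A8AA5 - 8B EC - mov ebp,esp
013A8AA7 - 8B 45 0C - mov eax,[ebp+0C]
013A8AAA - D9 00 - fld dword ptr [eax]
013A8AAC - 8B 45 08 - mov eax,[ebp+08]
013A8AAF - D9 18 - fstp dword ptr [eax]
013A8AB1 - 5D - pop ebp
013A8AB2 - C2 0800 - ret 0008
"""

# Assumed module base, derived from 013A8AAF == "witcher2.EXE"+8AAF in the post.
WITCHER2_BASE = 0x013A0000

JMP_REL32_LEN = 5  # E9 + rel32, which is what CE assembles 'jmp newmem' to

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+-\s+([0-9A-Fa-f ]+?)\s+-\s+(.+?)\s*$")


def parse_listing(text):
    """Turn CE-style 'addr - bytes - mnemonic' lines into (addr, code, mnemonic) tuples."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unparseable lines
        addr = int(m.group(1), 16)
        # CE groups bytes loosely ("C2 0800"), so strip spaces before decoding.
        code = bytes.fromhex(m.group(2).replace(" ", ""))
        insns.append((addr, code, m.group(3)))
    # Sanity check: every instruction must start where the previous one ended.
    for (a, c, _), (b, _, _) in zip(insns, insns[1:]):
        if a + len(c) != b:
            raise ValueError(f"gap or overlap between {a:08X} and {b:08X}")
    return insns


def plan_hook(insns, hook_addr, jmp_len=JMP_REL32_LEN):
    """Decide which whole instructions a jmp at hook_addr overwrites and how many nops pad it."""
    starts = [a for a, _, _ in insns]
    if hook_addr not in starts:
        # Overwriting the middle of an instruction leaves a half-eaten opcode behind the jmp.
        raise ValueError(f"{hook_addr:08X} is not an instruction boundary")
    stolen, total = [], 0
    for addr, code, mnem in insns[starts.index(hook_addr):]:
        stolen.append((addr, code, mnem))
        total += len(code)
        if total >= jmp_len:
            break
    if total < jmp_len:
        raise ValueError("not enough instructions after the hook address for the jmp")
    return {
        "hook_addr": hook_addr,
        "stolen": stolen,
        "original_bytes": b"".join(c for _, c, _ in stolen).hex().upper(),
        "nops": total - jmp_len,
        "return_addr": hook_addr + total,
        # If a stolen instruction is a ret, control leaves the cave there and
        # never reaches returnhere, so no jmp back is needed.
        "ends_in_ret": any(m.startswith("ret") for _, _, m in stolen),
    }


def emit_script(plan, module, module_base):
    """Render an [ENABLE]/[DISABLE] skeleton in Cheat Engine auto assembler syntax."""
    site = f'"{module}"+{plan["hook_addr"] - module_base:X}'
    stolen_asm = "\n".join(m for _, _, m in plan["stolen"])
    tail = "" if plan["ends_in_ret"] else "\njmp returnhere"
    raw = plan["original_bytes"]
    db = " ".join(raw[i:i + 2] for i in range(0, len(raw), 2))
    enable = (
        "[ENABLE]\nalloc(newmem,1024)\nlabel(returnhere)\n\n"
        f"newmem:\n{stolen_asm}{tail}\n\n{site}:\njmp newmem\n"
        + "nop\n" * plan["nops"]
        + "returnhere:\n"
    )
    disable = f"[DISABLE]\n{site}:\ndb {db}\ndealloc(newmem)\n"
    return enable + "\n" + disable


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    plan = plan_hook(insns, 0x013A8AAF)
    print(f"stolen {len(plan['stolen'])} instructions, {plan['nops']} nop(s), "
          f"ret in stolen range: {plan['ends_in_ret']}")
    print(emit_script(plan, "witcher2.EXE", WITCHER2_BASE))
```

Running it against the quoted listing reports that hooking at 013A8AAF steals fstp (2 bytes), pop ebp (1) and ret 0008 (3), so one nop pads the jmp, and because the stolen range ends in a ret the cave must re-emit pop ebp / ret 0008 itself rather than jump back. Hooking at 013A8AB0 raises an error, since that address is inside the fstp encoding.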
Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
|
Posted: Fri Oct 07, 2011 4:53 am Post subject: |
|
|
This code is probably shared and accessing for many addresses. Try to find another one that is not shared, eg. codes that are displaying your health only (if there are such codes) etc.
GodKratos Cheater
Reputation: 0
Joined: 18 Jul 2011 Posts: 30
|
Posted: Fri Oct 07, 2011 5:12 am Post subject: |
|
|
Yes, the problem is that this code is shared by many processes, but the eax register in that code block is the only result I get when searching for my health value.
Spon27 Cheater
Reputation: 0
Joined: 22 Aug 2010 Posts: 29 Location: América del Sur
|
Posted: Mon Oct 10, 2011 8:56 pm Post subject: |
|
|
Something similar happens to me.
I'm trying to make a hack for infinite life but I find this code:
00630CD8 - 8B 44 24 08 - mov eax,[esp+08]
00630CDC - 8B 08 - mov ecx,[eax] <<<<-----
00630CDE - 8B 54 24 04 - mov edx,[esp+04]
how could I access the structure?
the game is Global Ops: Commando Libya (The SKIDROW version)
thanks in advance