vergilganesh (Expert Cheater)
Reputation: 0
Joined: 01 Jul 2013 Posts: 134 Location: India
Posted: Fri Aug 16, 2013 12:33 am Post subject: [doubt] With the Auto assembler codes
I have a doubt. What do these codes do? In what structure are the codes arranged? I NOPed the fsub instruction, which activates one-hit-kill mode.
[Two screenshot attachments, 76.95 KB and 82.28 KB, no description given]
mgr.inz.Player (I post too much)
Reputation: 222
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Fri Aug 16, 2013 9:09 am Post subject:
FSUB - Subtract Value from ST(0) and store result in ST(0)
FSUBR - Subtract ST(0) from Value and store result in ST(0)
vergilganesh (Expert Cheater)
Reputation: 0
Joined: 01 Jul 2013 Posts: 134 Location: India
Posted: Fri Aug 16, 2013 12:06 pm Post subject:
Why does the hero die when NOPing the instruction?
It subtracts and stores at the same pointer.
mgr.inz.Player (I post too much)
Reputation: 222
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Fri Aug 16, 2013 1:17 pm Post subject:
Here we go:

Code:
fld dword ptr [esp+1C]     // load damage base value
(...)
fmul dword ptr [esp+B4]    // multiply damage by multiplier
(...)
fst qword ptr [esp+28]     // store total damage for other calculations
fsubr dword ptr [ebp+A0]   // subtract "total damage" from currentHP (result, newHP, in ST(0))
fstp dword ptr [ebp+A0]    // store and pop (overwrite currentHP with new HP)

Let's start analyzing.

Our stack:
+-------+-------------+
| ST(0) | empty0      |
| ST(1) | empty1      |
| ST(2) | empty2      |
| ...   |             |
+-------+-------------+

After the first instruction, our stack looks like this:
+-------+-------------+
| ST(0) | damageBase  |
| ST(1) | empty0      |
+-------+-------------+

After the second, like this (multiplied):
+-------+-------------+
| ST(0) | totalDamage |
| ST(1) | empty0      |
+-------+-------------+

After the third, like this (not changed, because we only stored the value):
+-------+-------------+
| ST(0) | totalDamage |
| ST(1) | empty0      |
+-------+-------------+

After the fourth, like this ("currentHP - totalDamage"):
+-------+-------------+
| ST(0) | newHP       |
| ST(1) | empty0      |
+-------+-------------+

After the fifth, like this (we stored and popped from the stack):
+-------+-------------+
| ST(0) | empty0      |
| ST(1) | empty1      |
| ST(2) | empty2      |
| ...   |             |
+-------+-------------+

If you just NOP this instruction "fsubr":

Our stack:
+-------+-------------+
| ST(0) | empty0      |
| ST(1) | empty1      |
| ST(2) | empty2      |
| ...   |             |
+-------+-------------+

After the first instruction, our stack looks like this:
+-------+-------------+
| ST(0) | damageBase  |
| ST(1) | empty0      |
+-------+-------------+

After the second, like this (multiplied):
+-------+-------------+
| ST(0) | totalDamage |
| ST(1) | empty0      |
+-------+-------------+

After the third, like this (not changed, because we only stored the value):
+-------+-------------+
| ST(0) | totalDamage |
| ST(1) | empty0      |
+-------+-------------+

The fourth was NOPed, so:
+-------+-------------+
| ST(0) | totalDamage |
| ST(1) | empty0      |
+-------+-------------+

After the fifth, like this (we stored ST(0) and popped from the stack):
+-------+-------------+
| ST(0) | empty0      |
| ST(1) | empty1      |
| ST(2) | empty2      |
| ...   |             |
+-------+-------------+

Never NOP any FPU instruction if it causes an unbalanced FPU stack.
Especially F____P (like fstp, faddp, fsubp, ...) or F____R (like fsubr, ...).

If you want to NOP this instruction: fstp dword ptr [xxxxxxx]
you must use this instead: fstp ST(0)

In this case, you don't want the subtraction:
fsubr dword ptr [XXXXXX]
fstp dword ptr [XXXXXX]
Just change it to:
fsubr dword ptr [XXXXXX]
fstp ST(0)
Last edited by mgr.inz.Player on Wed Jan 07, 2015 7:57 am; edited 1 time in total
vergilganesh (Expert Cheater)
Reputation: 0
Joined: 01 Jul 2013 Posts: 134 Location: India
Posted: Sat Aug 17, 2013 5:20 am Post subject:
Yes, you are absolutely correct. I just multiply by 0.0 after fld [esp+1c], and then it activates god mode. But by dissecting the data/structure I am unable to find the difference between the enemy and the player. However, only the player's health is accessed by one instruction continuously, but both healths are written by the above instruction only. Is there any way to make a one-hit kill?
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003 Posts: 25804 Location: The netherlands
Posted: Sat Aug 17, 2013 5:52 am Post subject:
Find the code that reads ONLY your health. Then do a code injection there and store the address it last read to a known location.
Then, in the code that writes, check whether the current address being changed is that stored address or not. If so, it's the player; else it's an enemy.
daspamer (Grandmaster Cheater Supreme)
Reputation: 54
Joined: 13 Sep 2011 Posts: 1588
Posted: Sat Aug 17, 2013 5:56 am Post subject:
vergilganesh wrote:
    Yes, you are absolutely correct. I just multiply by 0.0 after fld [esp+1c], and then it activates god mode. But by dissecting the data/structure I am unable to find the difference between the enemy and the player. However, only the player's health is accessed by one instruction continuously, but both healths are written by the above instruction only. Is there any way to make a one-hit kill?

Check in Dissect, inside the pointers, whether there are any differences.
And then compare with the pointers.
vergilganesh (Expert Cheater)
Reputation: 0
Joined: 01 Jul 2013 Posts: 134 Location: India
Posted: Sun Aug 18, 2013 10:19 am Post subject:
How do I do that?
vergilganesh (Expert Cheater)
Reputation: 0
Joined: 01 Jul 2013 Posts: 134 Location: India
Posted: Mon Aug 19, 2013 6:42 am Post subject:
I have done it. Because it is a multiplayer game, I grab only two addresses and used the cmp command. If either one matches, I activate the code, because it continuously accesses both players' addresses. When the enemy attacks me, one of the players loses health, so I have done my code as below.
Code:
[ENABLE]
alloc(newmem,2048)
alloc(val,24)        // val+0 and val+4: the two player entity addresses captured by the read hook
alloc(count,128)     // how many player addresses are still to be captured
label(www)
label(returnhere)
label(originalcode)
label(exit)

count:
dd (int)2

// Hook 1: the instruction that reads only the players' health. Capture the first two
// entity addresses (esi) it is executed with, then do nothing more.
newmem:
originalcode:
fld dword ptr [esi+000000A0]
cmp dword ptr [count],2
jne www
mov [val],esi              // first player
sub dword ptr [count],1
jmp exit
www:
cmp dword ptr [count],1
jne exit
mov [val+4],esi            // second player
sub dword ptr [count],1
exit:
jmp returnhere

"Shank2.exe"+F0249:
jmp newmem
nop
returnhere:

alloc(newmem1,2048) //2kb should be enough
alloc(value,128)
label(returnhere1)
label(god)
label(godad)
label(originalcode1)
label(exit1)

value:
dd (float)0.0

// Hook 2: damage calculation. If the entity being hit (ebp) is one of the captured
// players, multiply the loaded base damage by 0.0; otherwise leave it unchanged.
// fmul does not change the FPU stack depth, so the stack stays balanced either way.
newmem1:
originalcode1:
fld dword ptr [esp+1C]
cmp ebp,[val]
je godad
cmp ebp,[val+4]
jne god
godad:
fmul dword ptr [value]
god:
mov ecx,[ebp+08]
exit1:
jmp returnhere1

"Shank2.exe"+EDCE4:
jmp newmem1
nop
nop
returnhere1:

[DISABLE]
dealloc(newmem)
dealloc(val)
dealloc(count)
"Shank2.exe"+F0249:
fld dword ptr [esi+000000A0]
//Alt: db D9 86 A0 00 00 00
dealloc(newmem1)
dealloc(value)
"Shank2.exe"+EDCE4:
fld dword ptr [esp+1C]
mov ecx,[ebp+08]
//Alt: db D9 44 24 1C 8B 4D 08
I just set damage to 0 for the player and normal for the enemy with this code. Once there is a map change or a replay with another character, the cheat does not work. Any idea? I want the cheat to work every time I go to a new location.
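The following Auto Assembler script is an added example and is not code from any post in this thread. It combines Dark Byte's suggestion (tag the entity address seen by the player-only read, then compare against it in the damage code) with mgr.inz.Player's rule that a patch must leave the x87 stack depth unchanged. It assumes what the thread states: the player-only read is "Shank2.exe"+F0249 with the entity in esi, the damage code is "Shank2.exe"+EDCE4 with the entity being hit in ebp and its HP at +A0, and the original bytes at both sites are the ones in the script above. The names tag, playerMul and enemyDmg, the 99999.0 constant (assumed to exceed any enemy's HP), and the EFLAGS preservation are mine. It generalizes the "last read address" idea to the last two distinct addresses, so it also covers the two-player case described in the thread, and because the tag is refreshed on every read it never stops updating the way a fixed counter does.

```asm
[ENABLE]
alloc(newmem,2048)
alloc(newmem1,2048)
alloc(tag,8)          // tag+0: entity last read by the player-only instruction; tag+4: the one before it (hypothetical names)
alloc(playerMul,4)    // damage multiplier applied to tagged players
alloc(enemyDmg,4)     // fixed base damage substituted for everyone else
label(returnhere)
label(sameEntity)
label(returnhere1)
label(isPlayer)
label(isEnemy)
label(done)

tag:
dd 0
dd 0
playerMul:
dd (float)0.0         // 0 * anything = no damage to the player (god mode)
enemyDmg:
dd (float)99999.0     // assumed larger than any enemy's HP (one-hit kill)

// Hook 1: the read that only ever touches the players' HP.
// Keep the last two distinct entity addresses it was executed with.
newmem:
fld dword ptr [esi+000000A0]   // original instruction (executed before pushfd, so esp is untouched)
pushfd                         // cmp below clobbers EFLAGS; keep the game's flags intact
cmp esi,[tag]
je sameEntity                  // same entity as last time: nothing to update
push eax
mov eax,[tag]
mov [tag+4],eax                // previous player entity slides to the second slot
mov [tag],esi                  // newest player entity goes to the first slot
pop eax
sameEntity:
popfd
jmp returnhere

// Hook 2: damage calculation. The loaded base damage is in ST(0); the entity being hit is in ebp.
newmem1:
fld dword ptr [esp+1C]         // original instruction: depth +1 (done before pushfd because it uses esp)
pushfd
cmp ebp,[tag]
je isPlayer
cmp ebp,[tag+4]
je isPlayer
isEnemy:
fstp st(0)                     // pop the loaded base (depth -1) ...
fld dword ptr [enemyDmg]       // ... and push the replacement (depth +1): depth unchanged overall
jmp done
isPlayer:
fmul dword ptr [playerMul]     // ST(0) = base * 0.0; fmul never changes the depth
done:
popfd
mov ecx,[ebp+08]               // original second instruction
jmp returnhere1

"Shank2.exe"+F0249:
jmp newmem
nop
returnhere:

"Shank2.exe"+EDCE4:
jmp newmem1
nop
nop
returnhere1:

[DISABLE]
"Shank2.exe"+F0249:
fld dword ptr [esi+000000A0]
"Shank2.exe"+EDCE4:
fld dword ptr [esp+1C]
mov ecx,[ebp+08]
dealloc(newmem)
dealloc(newmem1)
dealloc(tag)
dealloc(playerMul)
dealloc(enemyDmg)
```

Both branches of the second hook enter and leave with the same x87 depth as the original fld alone, which is the property the stack diagrams above are about: the enemy path is the pop-then-push idiom (fstp st(0) discards ST(0) without writing memory, exactly as in the fstp st(0) replacement recommended earlier), and the player path only scales ST(0). Whether the tagged read really fires only for the player(s), and whether 99999.0 is enough, has to be confirmed in the debugger for the build at hand.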