GodKratos (Cheater)
Reputation: 0
Joined: 18 Jul 2011 Posts: 30
Posted: Mon Feb 03, 2014 3:28 am Post subject: Code shifted to Dynamic Memory
Hi there, I searched the forum for some help on this but couldn't find anything.
Either no one seems to experience this issue or my searching skills are very pathetic.
Anyway, the problem I have is that I have some code found from finding "What writes to this memory" and replaced it with nops to prevent a stat from decreasing.
All very basic stuff of course; however, the problem I have is that the code that performs the modification of data is stored in dynamic memory, so I cannot get an address pointer of game.exe+1234 to use to replace the code, as there is no module loaded where my code is.
Code:
2AF76697 - 89 47 0C - mov [edi+0C],eax
I'm not really sure what I need to do to locate this memory region for code injection purposes, since it changes each time I load the game and has no module reference.
Is this normal?
++METHOS (I post too much)
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon Feb 03, 2014 4:02 am Post subject:
Yes. Use AOBscan in your script. For example, let's say your script looks like this:
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
newmem:
cmp [ecx+000001F0],0
je originalcode
mov [ecx+000001F0],0
jmp returnhere
originalcode:
movss [ecx+000001F0],xmm0
jmp returnhere
"game.exe"+64797E:
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
dealloc(newmem)
"game.exe"+64797E:
movss [ecx+000001F0],xmm0
//Alt: db F3 0F 11 81 F0 01 00 00
You would write it like this:
Code:
[ENABLE]
aobscan(aob1,F3 0F 11 81 F0 01 00 00) // NEW - may need to add more bytes
alloc(newmem,2048)
label(returnhere)
label(originalcode)
registersymbol(aob1) // NEW
newmem:
cmp [ecx+000001F0],0
je originalcode
mov [ecx+000001F0],0
jmp returnhere
originalcode:
movss [ecx+000001F0],xmm0
jmp returnhere
aob1: // CHANGED
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
dealloc(newmem)
aob1: // CHANGED
movss [ecx+000001F0],xmm0
//Alt: db F3 0F 11 81 F0 01 00 00
unregistersymbol(aob1) // NEW
However, you must make sure that the AOB is unique. You must scan for your AOB value:
F3 0F 11 81 F0 01 00 00
Here is an example of scan settings:
If your AOB value is not unique (more than one result shows up in your scan), you need to add more bytes to make it unique. View the instruction in memory viewer to see all of the bytes.
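As an added example (not code from this thread or from Cheat Engine), here is a Python model of the uniqueness rule ++METHOS describes: it runs an AOB pattern with ?? wildcards over a constructed byte image and grows a signature from a known instruction offset until it hits exactly once, which is the "add more bytes" step. The image, offsets and function names are all assumptions made up for the demo.

```python
import re
from typing import List, Optional

# Constructed memory image (not from the thread): two movss [ecx+disp],xmm0
# encodings that share their first four bytes, so a short AOB is ambiguous.
MOVSS_1F0 = bytes.fromhex("F30F1181F0010000")  # movss [ecx+000001F0],xmm0
MOVSS_200 = bytes.fromhex("F30F118100020000")  # movss [ecx+00000200],xmm0
IMAGE = b"\x90" * 16 + MOVSS_1F0 + b"\xcc" * 8 + MOVSS_200 + b"\x90" * 16


def aob_to_regex(pattern: str) -> bytes:
    """Turn 'F3 0F 11 81 ?? ?? 00 00' into a bytes regex; '??' is a wildcard."""
    parts = [b"." if tok in ("??", "?") else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return b"(?=" + b"".join(parts) + b")"  # lookahead: overlapping hits count too


def aob_scan(image: bytes, pattern: str) -> List[int]:
    """Every offset where the pattern matches, like a whole-memory AOB scan."""
    regex = re.compile(aob_to_regex(pattern), re.DOTALL)
    return [m.start() for m in regex.finditer(image)]


def unique_anchor(image: bytes, pattern: str) -> Optional[int]:
    """Offset of the single hit, or None when the AOB is absent or not unique."""
    hits = aob_scan(image, pattern)
    return hits[0] if len(hits) == 1 else None


def extend_until_unique(image: bytes, offset: int, start_len: int = 4,
                        max_len: int = 32) -> Optional[str]:
    """The 'add more bytes' step: grow a signature taken from the instruction
    bytes at offset until it matches exactly once (None if max_len is reached)."""
    for n in range(start_len, max_len + 1):
        pattern = " ".join(f"{b:02X}" for b in image[offset:offset + n])
        if unique_anchor(image, pattern) == offset:
            return pattern
    return None


if __name__ == "__main__":
    print(aob_scan(IMAGE, "F3 0F 11 81"))                   # [16, 32], ambiguous
    print(unique_anchor(IMAGE, "F3 0F 11 81 F0 01 00 00"))  # 16
    print(extend_until_unique(IMAGE, 16))                   # F3 0F 11 81 F0
```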
GodKratos (Cheater)
Reputation: 0
Joined: 18 Jul 2011 Posts: 30
Posted: Wed Feb 05, 2014 2:23 am Post subject:
Ah, got ya.
I have used AOBscan before to make a patch "upgradeproof", it just didn't occur to me to use it for dynamic code.
Seems obvious now.
Thanks.
STN (I post too much)
Reputation: 43
Joined: 09 Nov 2005 Posts: 2676
Posted: Wed Feb 05, 2014 3:46 am Post subject:
Go to memory viewer > Show Module Addresses to view the module that the code resides in.
If it is dynamically shifting, do what ++METHOS suggested.
If it's shifting because the code is in a DLL, you don't need to use AOB; just handling it like module+offset is enough. AOB/sig scanning the whole memory in this case will result in slower scans due to DLLs being loaded at a higher address space.
If it's not a DLL then aobscan is the only way to go.