x1337 (How do I cheat?)
Reputation: 0
Joined: 15 May 2025, Posts: 4
Posted: Sun Sep 07, 2025 9:44 am, Post subject: AoB to Ptr
Hello! I need a little help! Is there any possibility that through this assembly script (AOB) I can reach the fixed pointer? Because when I call (float) 3, for example, it changes my attack speed, but I would like to find the fixed address from the pointer that reaches the attack speed.
{ Game : test.exe
  Version:
  Date   : 2025-09-07
  Author : Administrator

  This script does blah blah blah
}
define(address,"test.exe"+326360)
define(bytes,D9 81 8C 18 00 00)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
mov [ecx+0000188C],(float)2
code:
fld dword ptr [ecx+0000188C]
jmp return
address:
jmp newmem
nop
return:
[DISABLE]
address:
db bytes
// fld dword ptr [ecx+0000188C]
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: test.exe+326360
test.exe+326356: C3 - ret
test.exe+326357: CC - int 3
test.exe+326358: CC - int 3
test.exe+326359: CC - int 3
test.exe+32635A: CC - int 3
test.exe+32635B: CC - int 3
test.exe+32635C: CC - int 3
test.exe+32635D: CC - int 3
test.exe+32635E: CC - int 3
test.exe+32635F: CC - int 3
// ---------- INJECTING HERE ----------
test.exe+326360: D9 81 8C 18 00 00 - fld dword ptr [ecx+0000188C]
// ---------- DONE INJECTING ----------
test.exe+326366: C3 - ret
test.exe+326367: CC - int 3
test.exe+326368: CC - int 3
test.exe+326369: CC - int 3
test.exe+32636A: CC - int 3
test.exe+32636B: CC - int 3
test.exe+32636C: CC - int 3
test.exe+32636D: CC - int 3
test.exe+32636E: CC - int 3
test.exe+32636F: CC - int 3
}
ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014, Posts: 4706
Posted: Sun Sep 07, 2025 10:50 am
Search "injection copy"
Move the value of ecx into some memory you allocated. If the memory wasn't a globalalloc, use registersymbol so you can access the symbol outside the script. Add a new record to the cheat table, check the "pointer" checkbox, base address is the registered symbol, only offset is 188C.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
x1337 (How do I cheat?)
Reputation: 0
Joined: 15 May 2025, Posts: 4
Posted: Sun Sep 07, 2025 11:27 am
ParkourPenguin wrote:
    Search "injection copy"
    Move the value of ecx into some memory you allocated. If the memory wasn't a globalalloc, use registersymbol so you can access the symbol outside the script. Add a new record to the cheat table, check the "pointer" checkbox, base address is the registered symbol, only offset is 188C.
Do you have a minimal example? 🙏🏻
C1aref5 (Cheater)
Reputation: 0
Joined: 20 Feb 2025, Posts: 32
Posted: Thu Oct 23, 2025 3:41 pm
// injection-copy example (adjust addresses/module name as needed)
define(address, "test.exe"+326360)
define(origBytes, D9 81 8C 18 00 00) // original instr: fld dword ptr [ecx+0000188C]
[ENABLE]
assert(address, origBytes) // refuse to patch if the game's bytes no longer match
// allocate storage for the ECX pointer (4 bytes for x86)
alloc(ptr_storage,4)
registersymbol(ptr_storage) // makes "ptr_storage" visible in the table
alloc(newmem, $1000)
label(code)
label(return)
newmem:
  // copy ECX into ptr_storage so you can create a pointer to it
  mov dword ptr [ptr_storage], ecx
code:
  // original instruction (behaviour is kept; a (float) write could go here instead)
  fld dword ptr [ecx+0000188C]
  jmp return
// the injection point itself has to be overwritten with the jump,
// otherwise newmem is never executed and ptr_storage stays zero
address:
  jmp newmem
  nop
return:
[DISABLE]
// restore original bytes
address:
  db origBytes
// free allocations
dealloc(newmem)
unregistersymbol(ptr_storage)
dealloc(ptr_storage)
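As an added example (written for this edit, not posted in the thread and not taken from Cheat Engine's own documentation), here is what the two pieces look like once saved as a cheat table (.CT) file: the injection-copy script as one entry, and the pointer record ParkourPenguin describes (base address = the registered symbol, single offset 188C) as a second entry. The element names follow the .CT format; the table version attribute, entry IDs and descriptions are assumed values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<CheatTable CheatEngineTableVersion="45"> <!-- version number assumed -->
  <CheatEntries>
    <!-- Entry 0: the injection-copy script. Enabling it hooks test.exe+326360
         and stores ECX into the registered symbol ptr_storage. -->
    <CheatEntry>
      <ID>0</ID>
      <Description>"Store attack-speed base (injection copy)"</Description>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>define(address,"test.exe"+326360)
define(origBytes,D9 81 8C 18 00 00)

[ENABLE]
assert(address,origBytes)
alloc(ptr_storage,4)
registersymbol(ptr_storage)
alloc(newmem,$1000)
label(code)
label(return)

newmem:
  mov [ptr_storage],ecx
code:
  fld dword ptr [ecx+0000188C]
  jmp return

address:
  jmp newmem
  nop
return:

[DISABLE]
address:
  db origBytes
dealloc(newmem)
unregistersymbol(ptr_storage)
dealloc(ptr_storage)
</AssemblerScript>
    </CheatEntry>
    <!-- Entry 1: the pointer record. This is what the GUI produces when you
         tick "Pointer", type ptr_storage as the base and add offset 188C. -->
    <CheatEntry>
      <ID>1</ID>
      <Description>"Attack speed"</Description>
      <VariableType>Float</VariableType>
      <Address>ptr_storage</Address>
      <Offsets>
        <Offset>188C</Offset>
      </Offsets>
    </CheatEntry>
  </CheatEntries>
</CheatTable>
```

Two things to expect when using a table like this: the pointer entry shows "??" until the script is enabled and the hooked instruction has actually executed at least once, because ptr_storage holds zero before the first `mov`; and since ptr_storage is overwritten on every execution, it always points at whichever object ran the fld last, so if several objects share that code path the record may not follow the one you intended.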