onomamashinee (Newbie cheater, Reputation: 0, Joined: 27 Dec 2014, Posts: 19)
Posted: Tue Apr 26, 2016 11:24 am, Post subject: Using an offset within an offset in autoassembler scripts
I have found a value using dissect data/structures, however it is an offset within a pointer offset. It is offset +0000 within offset eax+1C4. Does anyone have any idea on how I could move it to values and/or compare it to values or simply use this value in the auto assembler script? Btw, this value (offset 0000 within offset 1C4) is a string, and is text instead of numbers. Any help is immensely appreciated.
[Attached image: Offset +1C4 is highlighted and below it is its own offset +0000]
++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Tue Apr 26, 2016 11:33 am
Change the string data type to 4 byte hex and compare against that. Assuming your originalcode is mov eax,[esi+04]:
Code:
newmem:
push edi
mov edi,[esi+1C4]
mov edi,[edi+0]
cmp edi,63666261
pop edi
je cheat
jmp originalcode
There are other ways, of course.
ParkourPenguin (I post too much, Reputation: 140, Joined: 06 Jul 2014, Posts: 4291)
Posted: Tue Apr 26, 2016 11:34 am
Those bytes need to be in reverse order, ++METHOS. 'cfba' (string) == 63 66 62 61 (AoB) == 61626663 (dword). CE can translate string literals to bytes automatically:
Code:
mov eax,[baseOfStructure] // have some sort of a reference to it
mov eax,[eax+1C4] // dereference the pointer at that offset
mov eax,[eax] // dereference that address to get the value
cmp eax,'cfba' // compare the value with whatever
// do something based on that cmp
_________________
I don't know where I'm going, but I'll figure it out when I get there.
++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Tue Apr 26, 2016 1:58 pm
I just used an online converter for the sake of providing an example. If he follows my instructions, he shouldn't have any problems.
onomamashinee (Newbie cheater, Reputation: 0, Joined: 27 Dec 2014, Posts: 19)
Posted: Wed Apr 27, 2016 10:22 am
I tried following these instructions, but the game crashes every time I activate anything in game that accesses the resulting script. Am I missing something? The original code is:
Code:
mov [eax-04],ecx
mov ecx,[ebp+00]
What I am trying to do, at least for now, is make [eax-04] 0 if the value in the offset is, for instance, "cfba" or "babt" (text values in offset 0000 of offset eax+1C4, which is a pointer).
Last edited by onomamashinee on Wed Apr 27, 2016 10:26 am; edited 1 time in total
hhhuut (Grandmaster Cheater, Reputation: 6, Joined: 08 Feb 2015, Posts: 607)
Posted: Wed Apr 27, 2016 10:25 am
You pop the edi register at the wrong place:
Code:
newmem:
cheat:
push edi
mov edi,[eax+1c4]
mov edi,[edi]
cmp edi,'cfba'
jne code
mov dword ptr [eax-04],00
code:
pop edi
mov [eax-04],00
mov ecx,[ebp]
jmp return
Cake-san (Grandmaster Cheater, Reputation: 8, Joined: 18 Dec 2014, Posts: 541, Location: Semenanjung)
Posted: Wed Apr 27, 2016 10:31 am
Code:
cheat:
push edi
mov edi,[eax+1c4]
mov edi,[edi]
cmp edi,'cfba'
pop edi
jne code
mov [eax-04],00
mov ecx,[ebp]
jmp return
code:
mov [eax-04],ecx
mov ecx,[ebp]
jmp return
++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Wed Apr 27, 2016 10:43 am
I don't understand why people can't follow simple instructions.
Anyway, you also want to make sure that your pointer is valid for all addresses. You may have to incorporate another filter if it's not.
onomamashinee (Newbie cheater, Reputation: 0, Joined: 27 Dec 2014, Posts: 19)
Posted: Wed Apr 27, 2016 11:09 am
Tried changing the script to all of the above including fixing the location of the pop edi, but the game still crashes nonetheless. Thanks everyone for the help, but using offset 0000 of offset 1C4 just is not working right now. Autoassembler scripting is indeed complicated. Maybe I'll try using other, less complicated offsets that are not pointers.
++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Wed Apr 27, 2016 11:18 am
Like I said, you may have to add another filter in the event that you're trying to process an invalid pointer.
onomamashinee (Newbie cheater, Reputation: 0, Joined: 27 Dec 2014, Posts: 19)
Posted: Wed Apr 27, 2016 3:55 pm
You are right ++METHOS, I've found that in certain rare situations eax+1C4 is actually 0 and not a pointer. It may even have other values in other situations I am not aware of. Even though these situations are not the ones I was trying to change, I see they prevent me from changing the ones I do want to change :~
++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Wed Apr 27, 2016 4:01 pm
All you have to do is perform a check or test to see if the data is valid. There are several ways to do this, just check the forum. Once you have filtered all of the bad addresses out, then you can do your string compare without crashing the target.
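Added example, not code from the thread: the two technical points above in C, namely what `cmp edi,'cfba'` actually compares (the four characters read back as a little-endian dword, as ParkourPenguin describes) and the validity filter ++METHOS recommends before dereferencing the +1C4 pointer. The object layout is a constructed assumption; the filter shown is a null check, which is the bad case the thread found, and other invalid values would need their own checks.

```c
#include <stdint.h>
#include <string.h>

/* Constructed layout (assumption): the object keeps a pointer at +1C4 whose
   target starts with a 4-character tag, as in the thread. */
#define TAG_PTR_OFFSET 0x1C4

/* What cmp edi,'cfba' compares against: the characters sit in memory as
   63 66 62 61 and are read back as a little-endian dword, 0x61626663. */
uint32_t tag_to_dword(const char tag[4]) {
    return (uint32_t)(unsigned char)tag[0]
         | (uint32_t)(unsigned char)tag[1] << 8
         | (uint32_t)(unsigned char)tag[2] << 16
         | (uint32_t)(unsigned char)tag[3] << 24;
}

/* Mirrors "mov edi,[eax+1C4]" then "mov edi,[edi]", with the filter the
   thread ends on: the inner pointer is sometimes 0, so test it before
   dereferencing. Returns 0 and leaves *out untouched on a bad pointer. */
int read_tag(const unsigned char *obj, uint32_t *out) {
    const unsigned char *inner;
    memcpy(&inner, obj + TAG_PTR_OFFSET, sizeof inner);  /* edi = [eax+1C4] */
    if (inner == NULL)                                     /* not a pointer */
        return 0;
    memcpy(out, inner, sizeof *out);                       /* edi = [edi] */
    return 1;
}

/* 1: tag matches, 0: tag differs, -1: pointer invalid (skip the compare) */
int tag_matches(const unsigned char *obj, const char want[4]) {
    uint32_t v;
    if (!read_tag(obj, &v))
        return -1;
    return v == tag_to_dword(want);
}

/* Builds a constructed object whose +1C4 pointer either points at a buffer
   holding target_tag or is 0, then runs the check on it. */
int check_sample(int pointer_valid, const char target_tag[4], const char want[4]) {
    static unsigned char object[TAG_PTR_OFFSET + sizeof(void *)];
    static char target[8];
    const unsigned char *p = pointer_valid ? (const unsigned char *)target : NULL;
    memcpy(target, target_tag, 4);
    memcpy(object + TAG_PTR_OFFSET, &p, sizeof p);
    return tag_matches(object, want);
}
```

check_sample(0, ...) is the crashing case from the thread: without the null test, read_tag would dereference address 0.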
onomamashinee (Newbie cheater, Reputation: 0, Joined: 27 Dec 2014, Posts: 19)
Posted: Wed Apr 27, 2016 5:56 pm
Added some more conditions before doing the string compare, and it worked like a charm. I think the problem is pretty much solved now.
++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Thu Apr 28, 2016 5:05 am
I guess......you're welcome?
onomamashinee (Newbie cheater, Reputation: 0, Joined: 27 Dec 2014, Posts: 19)
Posted: Fri Apr 29, 2016 12:09 am
++METHOS wrote:
> I guess......you're welcome?

Thanks everyone, I tried to say thank you in my comment before, but for some reason I kept being redirected to the main page, and I ended up giving up. Thanks guys, you guys are awesome