Whomping Walrus (How do I cheat?) Reputation: 0
Joined: 18 Oct 2016 Posts: 4 Location: Rune Midgard
Posted: Tue Oct 18, 2016 11:19 pm Post subject: Newbie issue with AoB + assembly
Hi guys,
I've been screwing around with Metal Gear Solid V, and it's been going well - I've created plenty of AoB scripts which function just fine, but now I can't even create one that won't crash the application.
Take this for example:
Code:
[ENABLE]
aobscanmodule(MultipliedAcceleration,mgsvtpp.exe,F3 0F 59 C4 F3 0F 10 9F 60 01 00 00)
alloc(newmem,$1000,"mgsvtpp.exe"+4271190)   // preferred address near the module, so jmp newmem is the 5-byte form
label(code)
label(return)

newmem:
  jmp code

code:
  mulss xmm0,xmm4             // original instruction (4 bytes)
  movss xmm3,[rdi+00000160]   // original instruction (8 bytes)
  jmp return

MultipliedAcceleration:
  jmp newmem                  // 5 bytes
  nop                         // 7 nops pad the jmp out to the 12 overwritten bytes
  nop
  nop
  nop
  nop
  nop
  nop
return:
registersymbol(MultipliedAcceleration)

[DISABLE]
MultipliedAcceleration:
  db F3 0F 59 C4 F3 0F 10 9F 60 01 00 00   // restore the original 12 bytes
unregistersymbol(MultipliedAcceleration)
dealloc(newmem)
It looks to me like it should do nothing. Absolutely nothing. It's pretty much just the AoB template. I'm missing something critical though, because it still crashes the application. Can you guys see what I'm missing?
Thanks in advance (:
Betcha (Expert Cheater) Reputation: 4
Joined: 13 Aug 2015 Posts: 232 Location: Somewhere In Space
Posted: Wed Oct 19, 2016 2:51 am Post subject: Re: Newbie issue with AoB + assembly
Code:
[ENABLE]
aobscanmodule(MultipliedAcceleration,mgsvtpp.exe,F3 0F 59 C4 F3 0F 10 9F 60 01 00 00)
alloc(newmem,$100)          // no preferred address: newmem may land anywhere in the process
label(return)

newmem:
  mulss xmm0,xmm4             // original instruction (4 bytes)
  movss xmm3,[rdi+00000160]   // original instruction (8 bytes)
  jmp return

MultipliedAcceleration:
  jmp newmem                  // 5 bytes only if newmem is within 2 GiB of this address
  nop                         // 7 nops assume the 5-byte jmp (5 + 7 = 12 overwritten bytes)
  nop
  nop
  nop
  nop
  nop
  nop
return:
registersymbol(MultipliedAcceleration)

[DISABLE]
MultipliedAcceleration:
  db F3 0F 59 C4 F3 0F 10 9F 60 01 00 00   // restore the original 12 bytes
unregistersymbol(MultipliedAcceleration)
dealloc(newmem)
If it still crashes, check whether the array of bytes is unique.
Whomping Walrus (How do I cheat?) Reputation: 0
Joined: 18 Oct 2016 Posts: 4 Location: Rune Midgard
Posted: Wed Oct 19, 2016 3:44 am
Yup, still crashing.
I double checked that the bytes were unique before activating (with r/w checked), & I double checked that those are in fact the original instructions. I don't think it's performing CRCs either, since I can nop out the entire first instruction and it functions just fine.
Here's the disassembly window in case it's useful for anyone:
i_imgur_com/6AkZtfy.png
(can't linkify it because my account is new)
ParkourPenguin (I post too much) Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Wed Oct 19, 2016 7:28 am
Are you sure nothing jumps to the instruction movss xmm3,[rdi+00000160]? If anything does, it'll jump into the middle of your jump and probably execute something it shouldn't. You can use "Tools -> Dissect Code" to make sure.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Dark Byte (Site Admin) Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The Netherlands
Posted: Wed Oct 19, 2016 8:21 am
alloc(newmem,$100,mgsvtpp.exe)
Else the jmp can be either 5 or 14 bytes long
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
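The two replies above describe two independent ways the 12-byte hook can go wrong: a branch elsewhere in the function whose target is the second overwritten instruction (so it lands inside the jmp's operand bytes), and a cave allocated without a preferred address, more than 2 GiB from the hook, so the jmp becomes the 14-byte form and the 7 nops no longer line up. The following Python is an added example, not code from the thread or from Cheat Engine: it models both checks against the first script's 12 original bytes. The addresses (HOOK_ADDR from an assumed 0x140000000 image base, NEAR_CAVE, FAR_CAVE) and the branch target list are constructed for the example; the 14-byte jmp is modelled as FF 25 00000000 followed by the 64-bit target.

```python
"""Pre-flight checks for a code-cave hook of the kind the auto-assembler
scripts in this thread install: jmp at the AoB address, nop padding, the
original instructions replayed in the cave.

Added example (not from the thread, not Cheat Engine code). It models the two
failure modes raised above: a branch elsewhere in the function that targets an
instruction inside the overwritten bytes, and a cave allocated out of rel32
range so the jmp grows from 5 to 14 bytes and the 7 nops no longer fit.
"""
import struct
from dataclasses import dataclass

REL32_MIN, REL32_MAX = -(1 << 31), (1 << 31) - 1

# Constructed sample: the two instructions the first script overwrites.
ORIGINAL = [
    ("mulss xmm0,xmm4",           bytes.fromhex("F30F59C4")),
    ("movss xmm3,[rdi+00000160]", bytes.fromhex("F30F109F60010000")),
]
# Assumed addresses (not from the thread): 0x140000000 is the usual x64 PE
# image base, so mgsvtpp.exe+4271190 becomes 0x144271190.
HOOK_ADDR = 0x144271190
NEAR_CAVE = 0x144280000     # what alloc(newmem,$1000,"mgsvtpp.exe"+...) tends to return
FAR_CAVE = 0x7FF600000000   # far outside +-2 GiB, as alloc(newmem,$100) may return


def encode_jmp(hook_addr, target):
    """Encode the jmp written at hook_addr to reach target.

    E9 rel32 (5 bytes) when target is within +-2 GiB of the next instruction;
    otherwise the 14-byte absolute form FF 25 00000000 <imm64>, i.e.
    jmp qword ptr [rip+0] followed by the 64-bit target address.
    """
    rel = target - (hook_addr + 5)
    if REL32_MIN <= rel <= REL32_MAX:
        return b"\xE9" + struct.pack("<i", rel)
    return b"\xFF\x25\x00\x00\x00\x00" + struct.pack("<Q", target)


@dataclass
class HookPlan:
    hook_addr: int
    cave_addr: int
    original: list      # (mnemonic, bytes) pairs the AoB spans
    jmp: bytes          # encoded jmp placed at hook_addr

    @property
    def covered(self):
        return sum(len(code) for _, code in self.original)

    @property
    def patch(self):
        """jmp plus nop padding, as the auto-assembler lays it out."""
        return self.jmp + b"\x90" * max(self.covered - len(self.jmp), 0)

    @property
    def clobbers_next(self):
        """True when the jmp alone is longer than the bytes the AoB covers,
        so the write runs into the instruction that follows them."""
        return len(self.jmp) > self.covered

    def instruction_at(self, offset):
        """Mnemonic of the original instruction starting at offset, if any."""
        pos = 0
        for mnemonic, code in self.original:
            if pos == offset:
                return mnemonic
            pos += len(code)
        return None


def plan_hook(hook_addr, cave_addr, original=ORIGINAL):
    return HookPlan(hook_addr, cave_addr, original, encode_jmp(hook_addr, cave_addr))


def unsafe_branch_targets(plan, branch_targets):
    """Classify branch targets (e.g. from Tools -> Dissect Code) that land
    inside the patched region but not at its start.

    'mid_jmp': inside the jmp encoding, so operand bytes are decoded as
    instructions -> crash. 'in_padding': on the nops, so execution falls
    through to return: without the cave running -> silently wrong result.
    """
    findings = []
    for target in branch_targets:
        off = target - plan.hook_addr
        if 0 < off < len(plan.jmp):
            findings.append((target, "mid_jmp", plan.instruction_at(off)))
        elif len(plan.jmp) <= off < len(plan.patch):
            findings.append((target, "in_padding", plan.instruction_at(off)))
    return findings


if __name__ == "__main__":
    # Constructed branch list: one jump into the second instruction, two elsewhere.
    targets = [HOOK_ADDR + 4, HOOK_ADDR + 0x40, HOOK_ADDR - 0x10]
    for cave in (NEAR_CAVE, FAR_CAVE):
        plan = plan_hook(HOOK_ADDR, cave)
        print(f"cave {cave:#x}: jmp {plan.jmp.hex()} ({len(plan.jmp)} bytes), "
              f"patch {len(plan.patch)} bytes, clobbers next: {plan.clobbers_next}")
        for target, kind, mnemonic in unsafe_branch_targets(plan, targets):
            print(f"  branch to {target:#x} lands {kind} (was: {mnemonic})")
```

With the near cave the script's layout holds (5-byte jmp, 7 nops, 12 bytes) and the only finding is the branch to hook+4, which now points at the last byte of the rel32 operand. With the far cave the jmp alone is 14 bytes, so the write extends two bytes past the AoB into the next instruction even before any padding is considered; the fixed script later in this thread avoids the first problem by moving the hook one instruction earlier, and Dark Byte's preferred-address argument to alloc avoids the second.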
Whomping Walrus (How do I cheat?) Reputation: 0
Joined: 18 Oct 2016 Posts: 4 Location: Rune Midgard
Posted: Wed Oct 19, 2016 10:50 pm
ParkourPenguin wrote:
> Are you sure nothing jumps to the instruction movss xmm3,[rdi+00000160]? If anything does, it'll jump into the middle of your jump and probably execute something it shouldn't. You can use "Tools -> Dissect Code" to make sure.
Ahh, you're 100% right! I didn't see any local jumps, but apparently there is a jump to that second line somewhere. I can inject a line earlier and still achieve what I'm working toward. Thank you, man.
Here's the fixed version for anyone who's interested:
Code:
[ENABLE]
aobscanmodule(MultipliedAcceleration,mgsvtpp.exe,F3 0F 10 85 08 01 00 00 F3 0F 59 C4)
alloc(newmem,$1000,"mgsvtpp.exe"+4271188)   // preferred address near the module, so jmp newmem is the 5-byte form
label(return)

newmem:
  movss xmm0,[rbp+00000108]   // original code which was nop'd (8 bytes)
  mulss xmm0,xmm4             // original code which was nop'd (4 bytes)
  jmp return

MultipliedAcceleration:
  jmp newmem                  // 5 bytes
  nop                         // 7 nops pad the jmp out to the 12 overwritten bytes
  nop
  nop
  nop
  nop
  nop
  nop
return:
registersymbol(MultipliedAcceleration)

[DISABLE]
MultipliedAcceleration:
  db F3 0F 10 85 08 01 00 00 F3 0F 59 C4   // restore the original 12 bytes
unregistersymbol(MultipliedAcceleration)
dealloc(newmem)
Dark Byte wrote:
> alloc(newmem,$100,mgsvtpp.exe)
> Else the jmp can be either 5 or 14 bytes long
Ahh, that's great to know - I was wondering why only sometimes the executable is specified explicitly. Is there somewhere where I can read up on the auto-assembler's syntax specifics like that, or should I just study other people's scripts and learn by inference? My Google-fu is weak, & I don't see it on the AA wiki page.
STN I post too much Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Dark Byte (Site Admin) Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The Netherlands
Posted: Thu Oct 20, 2016 5:12 am
The helpfile also has some info.
I also updated the wiki (everyone can edit it, though; you just need to register for editing to work).
|
Whomping Walrus How do I cheat? Reputation: 0
Joined: 18 Oct 2016 Posts: 4 Location: Rune Midgard
|
Posted: Thu Oct 20, 2016 3:13 pm Post subject: |
|
|
Great stuff, thank you guys.