GreatUnknown Cheater
Reputation: 0
Joined: 19 Oct 2014 Posts: 47
Posted: Wed Apr 08, 2015 6:28 am Post subject: How to use AOBScan AA to do more than nop?
So I want to give 100 points, say, and lock it (locking it is optional), but I don't know how in AOBScan and AA. This is what I have so far:
Code:
[ENABLE]
aobscanmodule(MaxSL,Fahrenheit.exe,89 45 00)
alloc(LucasS,100)
label(LucasSReturn)
registersymbol(LucasS)
// hack goes here
[DISABLE]
MaxSL:
db 89 45 00
unregistersymbol(MaxSL)
hhhuut Grandmaster Cheater
Reputation: 6
Joined: 08 Feb 2015 Posts: 607
Posted: Wed Apr 08, 2015 7:19 am Post subject:
Why don't you use the built-in AOB AA template?
Mark the address where you want to do the injection, press CTRL+A and then go to Template->AOB-Injection.
GreatUnknown Cheater
Reputation: 0
Joined: 19 Oct 2014 Posts: 47
Posted: Wed Apr 08, 2015 9:03 am Post subject:
Does it have to jump somewhere?
hhhuut Grandmaster Cheater
Reputation: 6
Joined: 08 Feb 2015 Posts: 607
Posted: Wed Apr 08, 2015 9:15 am Post subject:
Use the template and then post the script here, please. That way it's easier to see what you want to do ...
Fresco Grandmaster Cheater
Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Wed Apr 08, 2015 10:25 am Post subject:
Code:
[ENABLE]
aobscanmodule(MaxSL,Fahrenheit.exe,89 45 00)
alloc(LucasS,100)
label(LucasSReturn)
registersymbol(LucasS)
LucasS:
// hack goes here
jmp LucasSReturn
/*added*/
MaxSL:
jmp LucasS
nop
nop
LucasSReturn:
// etc... write as many nops as needed to fully nop one full instruction / opcode after the jump to LucasS
[DISABLE]
dealloc(LucasS)
unregistersymbol(MaxSL)
MaxSL:
db 89 45 00 // only 3 bytes are not enough; you need at least 5 (the jmp instruction has 5 bytes)
// also enough bytes to fully restore the one full instruction that you previously nopped
hhhuut wrote:
Use the template and then post the script here, please. That way it's easier to see what you want to do ...
Totally agree!!!
If you need help, just post a snippet of code.
The script above will not work for you; you need to modify it to suit the Fahrenheit.exe module.
_________________
... Fresco
GreatUnknown Cheater
Reputation: 0
Joined: 19 Oct 2014 Posts: 47
Posted: Wed Apr 08, 2015 6:28 pm Post subject:
Well, I simply want to make it so this AOB is 100 for the player's mental state.
Like this:
Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem:
mov [ebp+00],50
originalcode:
//mov [ebp+00],eax
//pop ebp
//pop ebx
exit:
jmp returnhere
"Fahrenheit.exe"+15C0D3:
jmp newmem
returnhere:
Of course this keeps crashing the game, but that's the general idea: to modify a value to 100, say, using an AOB module scan.
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Wed Apr 08, 2015 7:08 pm Post subject:
Do not comment out more than you need to.
Those POPs are required. That is why you're crashing.
And as they said, use the AOB Injection template, NOT Code Injection.
GreatUnknown Cheater
Reputation: 0
Joined: 19 Oct 2014 Posts: 47
Posted: Thu Apr 09, 2015 1:08 pm Post subject:
Sorry, my mistake.
Code:
{ Game : Fahrenheit.exe
Version:
Date : 2015-04-09
Author : Admin
This script does blah blah blah
}
[ENABLE]
aobscanmodule(INJECT,Fahrenheit.exe,89 45 00 5D 5B 59 C3 8B 04) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
mov [ebp+00],50
pop ebp
pop ebx
code:
mov [ebp+00],eax
pop ebp
pop ebx
jmp return
INJECT:
jmp code
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 89 45 00 5D 5B
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Fahrenheit.exe"+15C0D3
"Fahrenheit.exe"+15C0B6: 3B 0C C5 98 88 95 00 - cmp ecx,[eax*8+Fahrenheit.exe+558898]
"Fahrenheit.exe"+15C0BD: 75 08 - jne Fahrenheit.exe+15C0C7
"Fahrenheit.exe"+15C0BF: 81 FA 30 02 00 00 - cmp edx,00000230
"Fahrenheit.exe"+15C0C5: 75 7B - jne Fahrenheit.exe+15C142
"Fahrenheit.exe"+15C0C7: 83 C0 01 - add eax,01
"Fahrenheit.exe"+15C0CA: 83 F8 16 - cmp eax,16
"Fahrenheit.exe"+15C0CD: 72 E7 - jb Fahrenheit.exe+15C0B6
"Fahrenheit.exe"+15C0CF: 8B 03 - mov eax,[ebx]
"Fahrenheit.exe"+15C0D1: 5F - pop edi
"Fahrenheit.exe"+15C0D2: 5E - pop esi
// ---------- INJECTING HERE ----------
"Fahrenheit.exe"+15C0D3: 89 45 00 - mov [ebp+00],eax
"Fahrenheit.exe"+15C0D6: 5D - pop ebp
"Fahrenheit.exe"+15C0D7: 5B - pop ebx
// ---------- DONE INJECTING ----------
"Fahrenheit.exe"+15C0D8: 59 - pop ecx
"Fahrenheit.exe"+15C0D9: C3 - ret
"Fahrenheit.exe"+15C0DA: 8B 04 C5 4C 89 95 00 - mov eax,[eax*8+Fahrenheit.exe+55894C]
"Fahrenheit.exe"+15C0E1: 5F - pop edi
"Fahrenheit.exe"+15C0E2: 5E - pop esi
"Fahrenheit.exe"+15C0E3: 89 45 00 - mov [ebp+00],eax
"Fahrenheit.exe"+15C0E6: 5D - pop ebp
"Fahrenheit.exe"+15C0E7: 5B - pop ebx
"Fahrenheit.exe"+15C0E8: 59 - pop ecx
"Fahrenheit.exe"+15C0E9: C3 - ret
}
This doesn't modify anything, but it does not crash. Tried commenting out both pop functions as well.
hhhuut Grandmaster Cheater
Reputation: 6
Joined: 08 Feb 2015 Posts: 607
Posted: Thu Apr 09, 2015 1:42 pm Post subject:
Never comment out pop opcodes, because this will mess up the stack and it's very likely that the game will crash ...
As for your current script, you'd pop the two registers two times, which also messes up the stack ... Try it like this:
Code:
{ Game : Fahrenheit.exe
Version:
Date : 2015-04-09
Author : Admin
This script does blah blah blah
}
[ENABLE]
aobscanmodule(INJECT,Fahrenheit.exe,89 45 00 5D 5B 59 C3 8B 04) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
mov [ebp+00],50
code:
mov [ebp+00],eax
pop ebp
pop ebx
jmp return
INJECT:
jmp newmem
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 89 45 00 5D 5B
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Fahrenheit.exe"+15C0D3
"Fahrenheit.exe"+15C0B6: 3B 0C C5 98 88 95 00 - cmp ecx,[eax*8+Fahrenheit.exe+558898]
"Fahrenheit.exe"+15C0BD: 75 08 - jne Fahrenheit.exe+15C0C7
"Fahrenheit.exe"+15C0BF: 81 FA 30 02 00 00 - cmp edx,00000230
"Fahrenheit.exe"+15C0C5: 75 7B - jne Fahrenheit.exe+15C142
"Fahrenheit.exe"+15C0C7: 83 C0 01 - add eax,01
"Fahrenheit.exe"+15C0CA: 83 F8 16 - cmp eax,16
"Fahrenheit.exe"+15C0CD: 72 E7 - jb Fahrenheit.exe+15C0B6
"Fahrenheit.exe"+15C0CF: 8B 03 - mov eax,[ebx]
"Fahrenheit.exe"+15C0D1: 5F - pop edi
"Fahrenheit.exe"+15C0D2: 5E - pop esi
// ---------- INJECTING HERE ----------
"Fahrenheit.exe"+15C0D3: 89 45 00 - mov [ebp+00],eax
"Fahrenheit.exe"+15C0D6: 5D - pop ebp
"Fahrenheit.exe"+15C0D7: 5B - pop ebx
// ---------- DONE INJECTING ----------
"Fahrenheit.exe"+15C0D8: 59 - pop ecx
"Fahrenheit.exe"+15C0D9: C3 - ret
"Fahrenheit.exe"+15C0DA: 8B 04 C5 4C 89 95 00 - mov eax,[eax*8+Fahrenheit.exe+55894C]
"Fahrenheit.exe"+15C0E1: 5F - pop edi
"Fahrenheit.exe"+15C0E2: 5E - pop esi
"Fahrenheit.exe"+15C0E3: 89 45 00 - mov [ebp+00],eax
"Fahrenheit.exe"+15C0E6: 5D - pop ebp
"Fahrenheit.exe"+15C0E7: 5B - pop ebx
"Fahrenheit.exe"+15C0E8: 59 - pop ecx
"Fahrenheit.exe"+15C0E9: C3 - ret
}
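Two rules from this thread can be checked mechanically: Fresco's byte-sizing rule (a rel32 jmp is 5 bytes, so whole instructions must be stolen, nop-padded and written back on disable) and the stack-balance rule above (the hook body must pop exactly what the replaced instructions popped, no more and no fewer). The Python below is an added example written for this thread, not code from Cheat Engine or from any poster; the instruction listing it uses is constructed from the bytes shown in the posted disassembly, and the names plan_hook, stack_delta, hook_body_balanced and aa_literal are my own.

```python
# Added example (not from the thread): size a 5-byte jmp hook over an
# instruction listing and check that the hook body keeps the stack balanced.

JMP_REL32_LEN = 5  # E9 rel32: one opcode byte plus a 4-byte displacement

# Constructed listing, (disassembly text, encoded bytes), starting at the
# injection point; the bytes mirror the disassembly posted in the thread.
INJECTION_SITE = [
    ("mov [ebp+00],eax", bytes.fromhex("894500")),
    ("pop ebp",          bytes.fromhex("5D")),
    ("pop ebx",          bytes.fromhex("5B")),
    ("pop ecx",          bytes.fromhex("59")),
    ("ret",              bytes.fromhex("C3")),
]


def plan_hook(listing, jmp_len=JMP_REL32_LEN):
    """Steal whole instructions until they cover the jmp.

    Returns (stolen_texts, nop_count, restore_bytes): the instructions the
    hook must re-execute, the nops needed after the jmp so that no partial
    instruction is left behind, and the exact bytes the [DISABLE] section
    has to write back.
    """
    stolen, total = [], 0
    for text, enc in listing:
        if total >= jmp_len:
            break
        stolen.append(text)
        total += len(enc)
    if total < jmp_len:
        raise ValueError("listing too short to cover a %d-byte jmp" % jmp_len)
    restore = b"".join(enc for _, enc in listing[:len(stolen)])
    return stolen, total - jmp_len, restore


def stack_delta(instructions):
    """Net change of esp in bytes (32-bit) from push/pop in a sequence."""
    delta = 0
    for text in instructions:
        mnemonic = text.split(None, 1)[0].lower()
        if mnemonic == "push":
            delta -= 4
        elif mnemonic == "pop":
            delta += 4
    return delta


def hook_body_balanced(body, stolen):
    """True when the hook body pushes/pops exactly what the stolen code did."""
    return stack_delta(body) == stack_delta(stolen)


def aa_literal(text):
    """Auto-assembler numeric literal: hexadecimal unless prefixed with '#'."""
    text = text.strip()
    if text.startswith("#"):
        return int(text[1:], 10)
    return int(text, 16)


if __name__ == "__main__":
    stolen, nops, restore = plan_hook(INJECTION_SITE)
    print("steal:", stolen, "| nops after jmp:", nops,
          "| restore: db", restore.hex(" ").upper())
    print("double-pop body balanced?",
          hook_body_balanced(["mov [ebp+00],50", "pop ebp", "pop ebx",
                              "mov [ebp+00],eax", "pop ebp", "pop ebx"], stolen))
    print("literal 100 ->", aa_literal("100"), "| #100 ->", aa_literal("#100"))
```

For this site plan_hook gives the same result the AOB Injection template produced: 3 + 1 + 1 bytes cover the jmp exactly, so no nops are needed and the restore is the five bytes `89 45 00 5D 5B`. hook_body_balanced rejects both the script that pops ebp and ebx twice and a version with the pops commented out. aa_literal reflects the auto assembler's convention that a bare number is hexadecimal: `mov [ebp+00],100` writes 0x100, which is 256 decimal, and `#100` is needed for decimal 100.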
Fresco Grandmaster Cheater
Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Thu Apr 09, 2015 2:08 pm Post subject:
hhhuut wrote:
Never comment out pop opcodes, because this will mess up the stack and it's very likely that the game will crash ...
As for your current script, you'd pop the two registers two times, which also messes up the stack ... Try it like this:
Code:
{ Game : Fahrenheit.exe
Version:
Date : 2015-04-09
Author : Admin
This script does blah blah blah
}
[ENABLE]
aobscanmodule(INJECT,Fahrenheit.exe,89 45 00 5D 5B 59 C3 8B 04) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
mov [ebp+00],50
code:
mov [ebp+00],eax
pop ebp
pop ebx
jmp return
INJECT:
jmp newmem
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 89 45 00 5D 5B
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Fahrenheit.exe"+15C0D3
"Fahrenheit.exe"+15C0B6: 3B 0C C5 98 88 95 00 - cmp ecx,[eax*8+Fahrenheit.exe+558898]
"Fahrenheit.exe"+15C0BD: 75 08 - jne Fahrenheit.exe+15C0C7
"Fahrenheit.exe"+15C0BF: 81 FA 30 02 00 00 - cmp edx,00000230
"Fahrenheit.exe"+15C0C5: 75 7B - jne Fahrenheit.exe+15C142
"Fahrenheit.exe"+15C0C7: 83 C0 01 - add eax,01
"Fahrenheit.exe"+15C0CA: 83 F8 16 - cmp eax,16
"Fahrenheit.exe"+15C0CD: 72 E7 - jb Fahrenheit.exe+15C0B6
"Fahrenheit.exe"+15C0CF: 8B 03 - mov eax,[ebx]
"Fahrenheit.exe"+15C0D1: 5F - pop edi
"Fahrenheit.exe"+15C0D2: 5E - pop esi
// ---------- INJECTING HERE ----------
"Fahrenheit.exe"+15C0D3: 89 45 00 - mov [ebp+00],eax
"Fahrenheit.exe"+15C0D6: 5D - pop ebp
"Fahrenheit.exe"+15C0D7: 5B - pop ebx
// ---------- DONE INJECTING ----------
"Fahrenheit.exe"+15C0D8: 59 - pop ecx
"Fahrenheit.exe"+15C0D9: C3 - ret
"Fahrenheit.exe"+15C0DA: 8B 04 C5 4C 89 95 00 - mov eax,[eax*8+Fahrenheit.exe+55894C]
"Fahrenheit.exe"+15C0E1: 5F - pop edi
"Fahrenheit.exe"+15C0E2: 5E - pop esi
"Fahrenheit.exe"+15C0E3: 89 45 00 - mov [ebp+00],eax
"Fahrenheit.exe"+15C0E6: 5D - pop ebp
"Fahrenheit.exe"+15C0E7: 5B - pop ebx
"Fahrenheit.exe"+15C0E8: 59 - pop ecx
"Fahrenheit.exe"+15C0E9: C3 - ret
}
This makes no sense, perhaps a tiny mistake :)
Code:
...
newmem:
mov [ebp+00],50
code:
mov [ebp+00],eax //< this should be commented out
pop ebp
pop ebx
...
_________________
... Fresco
hhhuut Grandmaster Cheater
Reputation: 6
Joined: 08 Feb 2015 Posts: 607
Posted: Thu Apr 09, 2015 2:10 pm Post subject:
Oh yeah, forgot that, sorry ^^
GreatUnknown Cheater
Reputation: 0
Joined: 19 Oct 2014 Posts: 47
Posted: Thu Apr 09, 2015 4:36 pm Post subject:
The code seems to just mess up the in-game timer that counts how long you've been playing. Tried screenshotting it, but it's all black; it'll say, for example, 04:256:256 and freeze. Mental state unaffected.
Code:
{ Game : Fahrenheit.exe
Version:
Date : 2015-04-09
Author : Admin
This script does blah blah blah
}
[ENABLE]
aobscanmodule(INJECT,Fahrenheit.exe,89 45 00 5D 5B 59 C3 8B 04) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
mov [ebp+00],100
code:
//mov [ebp+00],eax
pop ebp
pop ebx
jmp return
INJECT:
jmp newmem
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 89 45 00 5D 5B
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Fahrenheit.exe"+15C0D3
"Fahrenheit.exe"+15C0B6: 3B 0C C5 98 88 95 00 - cmp ecx,[eax*8+Fahrenheit.exe+558898]
"Fahrenheit.exe"+15C0BD: 75 08 - jne Fahrenheit.exe+15C0C7
"Fahrenheit.exe"+15C0BF: 81 FA 30 02 00 00 - cmp edx,00000230
"Fahrenheit.exe"+15C0C5: 75 7B - jne Fahrenheit.exe+15C142
"Fahrenheit.exe"+15C0C7: 83 C0 01 - add eax,01
"Fahrenheit.exe"+15C0CA: 83 F8 16 - cmp eax,16
"Fahrenheit.exe"+15C0CD: 72 E7 - jb Fahrenheit.exe+15C0B6
"Fahrenheit.exe"+15C0CF: 8B 03 - mov eax,[ebx]
"Fahrenheit.exe"+15C0D1: 5F - pop edi
"Fahrenheit.exe"+15C0D2: 5E - pop esi
// ---------- INJECTING HERE ----------
"Fahrenheit.exe"+15C0D3: 89 45 00 - mov [ebp+00],eax
"Fahrenheit.exe"+15C0D6: 5D - pop ebp
"Fahrenheit.exe"+15C0D7: 5B - pop ebx
// ---------- DONE INJECTING ----------
"Fahrenheit.exe"+15C0D8: 59 - pop ecx
"Fahrenheit.exe"+15C0D9: C3 - ret
"Fahrenheit.exe"+15C0DA: 8B 04 C5 4C 89 95 00 - mov eax,[eax*8+Fahrenheit.exe+55894C]
"Fahrenheit.exe"+15C0E1: 5F - pop edi
"Fahrenheit.exe"+15C0E2: 5E - pop esi
"Fahrenheit.exe"+15C0E3: 89 45 00 - mov [ebp+00],eax
"Fahrenheit.exe"+15C0E6: 5D - pop ebp
"Fahrenheit.exe"+15C0E7: 5B - pop ebx
"Fahrenheit.exe"+15C0E8: 59 - pop ecx
"Fahrenheit.exe"+15C0E9: C3 - ret
}
Same code, so it is weird.
hhhuut Grandmaster Cheater
Reputation: 6
Joined: 08 Feb 2015 Posts: 607
Posted: Thu Apr 09, 2015 5:11 pm Post subject:
Since the instruction just writes a value to the stack, it's of course possible that not only your desired value but also other values (in this case obviously the timer) are accessed by the instruction you chose ...
You should check how many and what other addresses than your desired one are accessed ...
GreatUnknown Cheater
Reputation: 0
Joined: 19 Oct 2014 Posts: 47
Posted: Thu Apr 09, 2015 6:40 pm Post subject:
Nothing so far; found a sub, but this injection still freezes the game:
Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem:
add eax,100
originalcode:
//sub eax,04
mov [eax],edx
exit:
jmp returnhere
"Fahrenheit.exe"+15190C:
jmp newmem
returnhere:
Fresco Grandmaster Cheater
Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Thu Apr 09, 2015 6:52 pm Post subject:
add edx, not eax!!!
don't comment out the sub eax,4
_________________
... Fresco