ChemicallyNerd How do I cheat?
Reputation: 0
Joined: 05 Jul 2015 Posts: 9
Posted: Fri Jul 10, 2015 7:39 am Post subject: Any other way of getting a pointer?
mov [esi+edi*4+08],ebx
ESI:16BBC9E0
EDI:00000000
EBX:00084000
is the offset 08 or 4+08 or what?
Sorry if this is a stupid question.
___________________________________________________________
Dark Byte wrote:
0*4+8=8

I thought so but I am unable to find any kind of pointer for this address, manual and pointer scanner.
Is there any other way?
Last edited by ChemicallyNerd on Fri Jul 10, 2015 11:12 am; edited 1 time in total
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25819 Location: The netherlands
Posted: Fri Jul 10, 2015 7:57 am
0*4+8=8
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
ChemicallyNerd How do I cheat?
Reputation: 0
Joined: 05 Jul 2015 Posts: 9
Posted: Fri Jul 10, 2015 11:05 am
I thought so but I am unable to find any kind of pointer for this address, manual and pointer scanner.
Is there any other way?
vng21092 Grandmaster Cheater
Reputation: 15
Joined: 05 Apr 2013 Posts: 644
Posted: Fri Jul 10, 2015 2:31 pm
screw pointers, code injection, with something like [esi+edi*4+8], it has to be some sort of array, maybe some kind of inventory or something I'm assuming, something with "slots". Therefore, [esi+8] would be the first item in the array, find some way to reference the first slot, and from there you could reference anything else in that array.
Rydian Grandmaster Cheater Supreme
Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
ChemicallyNerd How do I cheat?
Reputation: 0
Joined: 05 Jul 2015 Posts: 9
Posted: Sat Jul 11, 2015 9:33 am
vng21092 wrote:
screw pointers, code injection, with something like [esi+edi*4+8], it has to be some sort of array, maybe some kind of inventory or something I'm assuming, something with "slots". Therefore, [esi+8] would be the first item in the array, find some way to reference the first slot, and from there you could reference anything else in that array.

How would I be able to reference the address so that I would be able to edit the same value every time? (It is the status effects on the character, BTW.)
What I am trying to do is: when the character uses his special ability he gains a buff of increased speed and increased dex, and I am trying to disable the speed and only have dex using a hotkey, so that it changes the value from
Spd + Dex: 540672
to
Dex: 524288
but I can not find the address every time without searching, which is a lonesome process since the address changes each instance (like every 10 minutes).
______________________________________________________________________________________________________________
Since the AoB scan can find the address that writes to the value that I want, and I can check manually what addresses access the instruction, would it be possible for someone to tell me/give a template on how to use the AoB injection to get the address that accesses the instruction?
Basically using it as some kind of pointer.
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Sat Jul 11, 2015 10:17 am
Post the AOB Injection Template for the code which retrieves your value.
Give us the value of the offset register when it accesses your specific address.
In your example, EDI is 0. Simple enough.
If I were to hazard a guess, I would say each value of EDI corresponds to a different stat.
0 being speed, possibly 1 being dex, etc.
The value of ESI possibly corresponds to the buff structure.
The only problem with the injection approach is this code likely affects all buffs.
May be difficult if you only want it to work on one specific buff.
ChemicallyNerd How do I cheat?
Reputation: 0
Joined: 05 Jul 2015 Posts: 9
Posted: Sat Jul 11, 2015 10:53 am
AoB inject template:
Code:
{ Game : flashplayer_18_sa.exe
Version:
Date : 2015-07-11
Author : Luke ChemicallyNerd
This script does blah blah blah
}
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscan(Buff,89 5C BE 08 E9 44 33 00 00) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
mov [esi+edi*4+08],ebx
jmp 1463A941
jmp return
Buff:
jmp code
nop
nop
nop
nop
return:
registersymbol(Buff)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
Buff:
db 89 5C BE 08 E9 44 33 00 00
unregistersymbol(Buff)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 146375F4
146375D5: 3B F8 - cmp edi,eax
146375D7: 72 1B - jb 146375F4
146375D9: 8B B5 18 FF FF FF - mov esi,[ebp-000000E8]
146375DF: 8B 9D 1C FF FF FF - mov ebx,[ebp-000000E4]
146375E5: 83 EC 08 - sub esp,08
146375E8: 56 - push esi
146375E9: 53 - push ebx
146375EA: E8 A1 8B E9 EC - call flashplayer_18_sa.exe+5F0190
146375EF: 83 C4 08 - add esp,08
146375F2: EB 04 - jmp 146375F8
// ---------- INJECTING HERE ----------
146375F4: 89 5C BE 08 - mov [esi+edi*4+08],ebx
146375F8: E9 44 33 00 00 - jmp 1463A941
// ---------- DONE INJECTING ----------
146375FD: 8B 8D 28 FF FF FF - mov ecx,[ebp-000000D8]
14637603: 8B 1D 38 A8 49 03 - mov ebx,[0349A838]
14637609: 85 DB - test ebx,ebx
1463760B: 74 0B - je 14637618
1463760D: 83 EC 0C - sub esp,0C
14637610: E8 DA 33 00 00 - call 1463A9EF
14637615: 83 C4 10 - add esp,10
14637618: 8B B5 58 FF FF FF - mov esi,[ebp-000000A8]
1463761E: 85 F6 - test esi,esi
14637620: 0F 84 A2 33 00 00 - je 1463A9C8
}
By "Give us the value of the offset register when it accesses your specific address." do you mean this?
Code:
EAX=00000002
EBX=00084000
ECX=14487268
EDX=00A9EC38
ESI=16005DD0
EDI=00000000
ESP=00A9EBF0
EBP=00A9ECF8
EIP=146375F8
Thank you
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Sat Jul 11, 2015 11:03 am
See if the following script works.
After it is activated, manually add an address to your table.
Set the address as: [Buff_ptr]+8
Code:
[ENABLE]
aobscan(Buff,89 5C BE 08 E9 * * * * 8B 8D 28 FF FF FF 8B 1D)
alloc(newmem,$1000)
alloc(Buff_save,5)
alloc(Buff_ptr,4)
label(code)
label(return)
Buff_save:
readmem(Buff+4,5)
newmem:
code:
mov [Buff_ptr],esi
mov [esi+edi*4+08],ebx
readmem(Buff+4,5)
jmp return
Buff:
jmp code
nop
nop
nop
nop
return:
registersymbol(Buff)
registersymbol(Buff_save)
registersymbol(Buff_ptr)
[DISABLE]
Buff:
db 89 5C BE 08// E9 44 33 00 00
readmem(Buff_save,5)
unregistersymbol(Buff)
unregistersymbol(Buff_save)
unregistersymbol(Buff_ptr)
dealloc(newmem)
dealloc(Buff_save)
dealloc(Buff_ptr)
ChemicallyNerd How do I cheat?
Reputation: 0
Joined: 05 Jul 2015 Posts: 9
Posted: Sun Jul 12, 2015 3:42 am
Zanzer wrote:
See if the following script works.
After it is activated, manually add an address to your table.
Set the address as: [Buff_ptr]+8

It crashes, is there any way to know why?
BTW thank you so much, I am completely lost here.
Wish I knew more but I have no idea where to start.
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Sun Jul 12, 2015 9:17 am
Oh that was my fault. For some reason I thought I could save the JMP instruction that way.
Do me a favor and follow that JMP command after the instruction you hooked.
Show me the AOB Injection template for that location instead.
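The crash Zanzer owns up to here comes from copying a position-dependent instruction: an x86 E9 jump stores its target as a displacement from the next instruction, so the bytes "E9 44 33 00 00" only mean "jmp 1463A941" while they sit at 146375F8; readmem() moved them to newmem unchanged, so they jumped somewhere else. The Python below is an added example, not code from the thread or from Cheat Engine: it decodes and re-encodes such a jump using the thread's own bytes, and the newmem address 0x03AE0000 is a constructed placeholder.

```python
import struct

JMP_REL32 = 0xE9   # opcode of the 5-byte near jump (E9 + 32-bit displacement)
JMP_LEN = 5

def jmp_target(addr, code):
    """Decode an E9 rel32 jump located at `addr` and return its absolute target.

    target = address of the following instruction + signed 32-bit displacement.
    """
    if len(code) < JMP_LEN or code[0] != JMP_REL32:
        raise ValueError("not an E9 rel32 jump")
    rel = struct.unpack_from("<i", code, 1)[0]          # little-endian, signed
    return (addr + JMP_LEN + rel) & 0xFFFFFFFF

def encode_jmp(src, target):
    """Encode a 5-byte jump that, placed at `src`, lands on `target`."""
    rel = target - (src + JMP_LEN)
    rel = ((rel + 0x80000000) & 0xFFFFFFFF) - 0x80000000   # wrap to signed 32-bit
    return bytes([JMP_REL32]) + struct.pack("<i", rel)

def relocate_jmp(old_addr, code, new_addr):
    """Move a jump from old_addr to new_addr while keeping the original target.

    This is what an assembler does when it rebuilds "jmp 1463A941" inside
    newmem; a raw byte copy (readmem) skips this step.
    """
    return encode_jmp(new_addr, jmp_target(old_addr, code))

if __name__ == "__main__":
    original_addr = 0x146375F8                     # from the thread's disassembly
    original = bytes.fromhex("E944330000")         # jmp 1463A941 at that address
    newmem = 0x03AE0000                            # constructed placeholder address

    print(hex(jmp_target(original_addr, original)))        # 0x1463a941 (intended)
    print(hex(jmp_target(newmem, original)))               # 0x3ae3349 (after raw copy)
    fixed = relocate_jmp(original_addr, original, newmem)
    print(fixed.hex(), hex(jmp_target(newmem, fixed)))     # e93ca9b510 0x1463a941
```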
ChemicallyNerd How do I cheat?
Reputation: 0
Joined: 05 Jul 2015 Posts: 9
Posted: Sun Jul 12, 2015 11:07 am
Zanzer wrote:
Oh that was my fault. For some reason I thought I could save the JMP instruction that way.
Do me a favor and follow that JMP command after the instruction you hooked.
Show me the AOB Injection template for that location instead.

I think this is what you want, the location it jumps to right?
Code:
{ Game : flashplayer_18_sa.exe
Version:
Date : 2015-07-12
Author : Luke ChemicallyNerd
This script does blah blah blah
}
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscan(INJECT,24 9D * * * * 8D 9D 18 FF FF FF 8D B5 1C FF FF FF 8B 7D A8) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
lea ebx,[ebp-000000E8]
jmp return
INJECT+06:
jmp code
nop
return:
registersymbol(INJECT)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT+06:
db 8D 9D 18 FF FF FF
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 0A23E69E
0A23E66D: 75 09 - jne 0A23E678
0A23E66F: C7 45 D0 4F 00 00 00 - mov [ebp-30],0000004F
0A23E676: EB 07 - jmp 0A23E67F
0A23E678: C7 45 D0 50 00 00 00 - mov [ebp-30],00000050
0A23E67F: 8B 5D D0 - mov ebx,[ebp-30]
0A23E682: 89 9D 1C FF FF FF - mov [ebp-000000E4],ebx
0A23E688: 83 FB 50 - cmp ebx,50
0A23E68B: 0F 83 A7 DD FF FF - jae 0A23C438
0A23E691: 8B 9D 1C FF FF FF - mov ebx,[ebp-000000E4]
0A23E697: FF 24 9D 88 4B 79 10 - jmp dword ptr [ebx*4+10794B88]
// ---------- INJECTING HERE ----------
0A23E69E: 8D 9D 18 FF FF FF - lea ebx,[ebp-000000E8]
// ---------- DONE INJECTING ----------
0A23E6A4: 8D B5 1C FF FF FF - lea esi,[ebp-000000E4]
0A23E6AA: 8B 7D A8 - mov edi,[ebp-58]
0A23E6AD: 89 BD 18 FF FF FF - mov [ebp-000000E8],edi
0A23E6B3: 8B 7D A0 - mov edi,[ebp-60]
0A23E6B6: 89 BD 1C FF FF FF - mov [ebp-000000E4],edi
0A23E6BC: 83 EC 08 - sub esp,08
0A23E6BF: 56 - push esi
0A23E6C0: 53 - push ebx
0A23E6C1: 8B 8D 2C FF FF FF - mov ecx,[ebp-000000D4]
0A23E6C7: E8 24 10 72 F6 - call flashplayer_18_sa.exe+61F6F0
}
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Sun Jul 12, 2015 11:45 am
Okay, let's see if this works.
Code:
[ENABLE]
aobscan(buff,24 9D * * * * 8D 9D 18 FF FF FF 8D B5 1C FF FF FF 8B 7D A8)
alloc(newmem,$1000)
alloc(buff_ptr,4)
label(code)
label(return)
newmem:
code:
mov [buff_ptr],esi
lea ebx,[ebp-000000E8]
jmp return
buff+06:
jmp code
nop
return:
registersymbol(buff)
registersymbol(buff_ptr)
[DISABLE]
buff+06:
db 8D 9D 18 FF FF FF
unregistersymbol(buff)
unregistersymbol(buff_ptr)
dealloc(newmem)
dealloc(buff_ptr)
Activate then manually add the address:
ChemicallyNerd How do I cheat?
Reputation: 0
Joined: 05 Jul 2015 Posts: 9
Posted: Sun Jul 12, 2015 3:04 pm
I get an address but not the one desired, and also the address changes every once in a while; from what I can tell the value of the address does not seem to have any relation with the buff system.
Also I am guessing that the address is changing because it is the addresses using the instruction (am I correct?), so is it possible to have a hotkey (special ability button) to filter the addresses using the instruction with the value of the buff (540672 = value of SPD and DEX buff if you need it, 0 = when no status effect is present) so that you could find the buff value?
Also how do I leave a review and give you rep? Sorry if it's obvious, I don't see a button anywhere.
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Sun Jul 12, 2015 3:17 pm
According to the first instruction, EBX is written to the address, so it should contain the #540672 value.
This update will only update the pointer if the value matches the address "buff_find" (default: #540672).
You can add "buff_find" to your table as well to change it on the fly if needed.
Once you have posted enough you will see a little upvote icon next to the reputation total.
Code:
[ENABLE]
aobscan(buff,24 9D * * * * 8D 9D 18 FF FF FF 8D B5 1C FF FF FF 8B 7D A8)
alloc(newmem,$1000)
alloc(buff_ptr,4)
alloc(buff_find,4)
label(code)
label(return)
buff_find:
dd #540672
newmem:
cmp ebx,[buff_find]
jne code
mov [buff_ptr],esi
code:
lea ebx,[ebp-000000E8]
jmp return
buff+06:
jmp newmem
nop
return:
registersymbol(buff)
registersymbol(buff_ptr)
registersymbol(buff_find)
[DISABLE]
buff+06:
db 8D 9D 18 FF FF FF
unregistersymbol(buff)
unregistersymbol(buff_ptr)
unregistersymbol(buff_find)
dealloc(newmem)
dealloc(buff_ptr)
dealloc(buff_find)