
Code Injection (plz help)


Nick
November 8th, 2002, 05:08
note: "***" does not refer to any particular game/application, so this code isn't target specific


Hi again,

I managed to locate most of the memory addresses I need in *** using TSearch, and now I want to go about injecting my own code to make a patch using TSearch.

There is a float variable in the game called "available option" for when you build your character, my goal is to prevent this value from decreasing so that I can make an uber-sweet modified thingy.

After searching for the value in memory I came up with the address 60823D8, which stores the value for "available option". So then I set a breakpoint on this address, returned to the game and decreased the available tonnage by 1.

Then the debugger popped up with the following line:

006b47e1 D91E fstp dword ptr [esi]


What I want to do is to prevent the "one of the options" from decreasing by injecting my own code.

Now in TSearch I believe you have to use the 'easywrite' tool for code injection, as is shown in their tutorial. What I need to know is what to write in both the "patched" and "unpatched" boxes of the 'easywrite' program. The code I'll be injecting will require an offset that does not interfere with the game; I was thinking of maybe using an address of one of the nops shown in the above disassembler code.

I was wondering if you could help me with what to write in the 'easywrite' patcher?

Thanks a lot.

nikolatesla20
November 8th, 2002, 05:22
I'm wondering if it may work if you just nop out the fstp instruction. Then it would never "update" the value at all.

The only "thing" is this might only be the displayed value, versus the value that is stored in the actual game. I've read that *** is protected fairly well against hacking. Does this include trainers?

-nt20

Nick
November 8th, 2002, 05:33
Quote:
Originally posted by nikolatesla20
I'm wondering if it may work if you just nop out the fstp instruction. Then it would never "update" the value at all.

The only "thing" is this might only be the displayed value, versus the value that is stored in the actual game. I've read that *** is protected fairly well against hacking. Does this include trainers?

-nt20


Well, there were in fact 2 addresses, 60823D8 and 20BEB94. Now that I have tried the nop on 60823D8 like you said, it seems that 60823D8 is only a displayed value. 20BEB94, however, does seem to work when I nop it, but it makes the game go kinda screwy and distorted.

The fact is that I want to practice doing something more sophisticated than nopping, as I am trying to learn about code injection, etc.

Nick
November 8th, 2002, 05:52
Yeah, so 20BEB94 was the correct address. I set a breakpoint on it and it displayed a "fstp dword ptr" thing, which I nopped, but that kinda crashed the game, and the game has some kind of checking mechanism where it must compare the "available option" with "max option" and "current option".

Nopping didn't seem to help much. I think code injection will be a cleaner solution for this, and I won't have to search for the value each time I load the game.

edit: I'll post the assembly that I get for the breakpoint of the real address (i.e. what was in 20BEB94) and from there I'll try to work out some code injection.

ZaiRoN
November 8th, 2002, 10:21
I think that the crash happens because you have nopped an instruction that modifies the state of the floating point stack; you have to preserve the state of the stack. If you want to avoid the update of the value, I suggest changing it into something like:
fstp dword ptr [<address>]
where address points to 8 useless bytes.

regards,
ZaiRoN
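ZaiRoN's point, worked through as an added example (this is not code from the thread or from TSearch): a small Python model of the x87 register stack, driven by the three-instruction sequence Nick later posts for Option 1 (fld dword ptr [ebp+1C]; fadd dword ptr [esi+3B8]; fstp dword ptr [esi+3B8]). It compares four ways of dealing with the final fstp: leaving it alone, nop-ing it, replacing it with fstp st(0) (opcode DD D8, which pops without storing), and redirecting the store to a scratch address as ZaiRoN suggests. The delta per call, the starting value, VALUE_ADDR and SCRATCH_ADDR are all constructed for the demonstration; only the instruction sequence is from the thread.

```python
"""Model of the x87 stack under four candidate patches for an fstp.

Added example; not code from the thread or from TSearch.  This is a software model of
the x87 register stack (eight slots, push/pop, masked stack-overflow behaviour), not the
CPU.  The instruction sequence is the one posted for Option 1:

    fld  dword ptr [ebp+1C]      ; push the delta
    fadd dword ptr [esi+3B8]     ; ST(0) = delta + stored value
    fstp dword ptr [esi+3B8]     ; write back and pop

Everything else (delta, starting value, the two addresses) is constructed for the demo.
"""
import math

FPU_DEPTH = 8
VALUE_ADDR = 0x0082B318      # constructed stand-in for esi+3B8
SCRATCH_ADDR = 0x00990000    # assumption: 8 writable bytes nothing else reads


class X87Stack:
    """regs[0] is ST(0); regs[-1] is the oldest live register."""

    def __init__(self):
        self.regs = []
        self.stack_fault = False   # SF flag in the status word; sticky until fnclex/fninit

    def fld(self, value):
        if len(self.regs) == FPU_DEPTH:
            # Push onto a full stack with #IS masked: SF and IE are set, and the register
            # TOP wraps onto (the oldest one) is overwritten with the QNaN indefinite.
            self.stack_fault = True
            self.regs.pop()
            self.regs.insert(0, math.nan)
        else:
            self.regs.insert(0, value)

    def fadd_mem(self, mem, addr):
        self.regs[0] = self.regs[0] + mem[addr]      # NaN + x stays NaN

    def fstp_mem(self, mem, addr):
        mem[addr] = self.regs.pop(0)                 # store ST(0), then pop

    def fstp_st0(self):
        self.regs.pop(0)                             # DD D8: pop, store nothing

    @property
    def depth(self):
        return len(self.regs)


PATCHES = ("original", "nop", "fstp_st0", "redirect")


def run_option1(patch, calls=12, delta=-1.0, start=100.0):
    """Run the Option 1 sequence `calls` times with the final fstp handled as `patch`."""
    if patch not in PATCHES:
        raise ValueError(patch)
    fpu = X87Stack()
    mem = {VALUE_ADDR: start, SCRATCH_ADDR: 0.0}
    for _ in range(calls):
        fpu.fld(delta)
        fpu.fadd_mem(mem, VALUE_ADDR)
        if patch == "original":
            fpu.fstp_mem(mem, VALUE_ADDR)
        elif patch == "nop":
            pass                                     # 90 90 ...: nothing is ever popped
        elif patch == "fstp_st0":
            fpu.fstp_st0()
        else:
            fpu.fstp_mem(mem, SCRATCH_ADDR)          # ZaiRoN: store to 8 useless bytes
    return {
        "value": mem[VALUE_ADDR],
        "scratch": mem[SCRATCH_ADDR],
        "depth": fpu.depth,
        "stack_fault": fpu.stack_fault,
        "nan_on_stack": any(math.isnan(r) for r in fpu.regs),
    }


if __name__ == "__main__":
    for patch in PATCHES:
        r = run_option1(patch)
        print(f"{patch:9} value={r['value']:6.1f} scratch={r['scratch']:5.1f} "
              f"depth={r['depth']} fault={r['stack_fault']} nan={r['nan_on_stack']}")
```

The nop variant is the interesting one: after the eighth unpopped push the next fld overflows, the (masked) stack fault is recorded and the new ST(0) is the QNaN indefinite, so any later x87 arithmetic in that frame computes on NaN, which is consistent with the "screwy and distorted" behaviour described above. Both fstp st(0) and the redirected store leave the stack at depth 0 with the value untouched. The model tracks only depth and the overflow rule; it ignores the tag word, precision control and denormals.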

Aimless
November 8th, 2002, 13:46
Try getting memory scan tools:

Gamehack, Gamethis, gamethat, etc. will work IF and ONLY IF the tonnage is at a constant address ALL the time.

In case it is NOT at the same address all the time (like, for e.g., Diablo and Diablo 2), you will have to find the TRIGGER that does this. And remember, it may be that for speeding up the game, more than one instance of this address manipulator could be used.

Have Phun,

^chaos^
November 8th, 2002, 14:22
Well, I emailed you. Your problem is that you are nop'ing the wrong thing. Post some code above 005eee3d, in particular any add/inc or sub/dec. If this function is called, trace back through the functions and find where the value is being modified.

My Age of Mythology tutorial explains it a lot better than I will again. I would recommend checking out the other tutorials on my site to get some insight.

http://www.s-i-n.com/chaos/myaomtut.txt

^chaos^

trainerology: the source for game hacking tutorials
www.s-i-n.com/chaos/

From what I recall on hacking weight, I went to the armor screen, found the value for current # of armor or current weight (I forget, it's been a while), set it to zero, then added on more armor and then reduced the thing to 0. That was with just simple mem hacking; if I had bothered to install si I would have nop'd the inc/add instruction that added weight/armor.

Nick
November 11th, 2002, 06:45
Thanks,

Sorry, I have been away for a few days, I'll get back to work on this now and post my results. Thanks for the instructions ^chaos^ I'll try that.

Nick
November 12th, 2002, 01:34
Ok guys, here is the update on my progress:

After doing memory searches on the "Option 1", "Option 2" and "Option 3" I came up with the following:

Code:


Option 1:

005ef4a8 D99EB8030000 fstp dword ptr [esi+0x3B8]
005ef4ae 5E pop esi
005ef4af 5D pop ebp
005ef4b0 B001 mov al,0x1
005ef4b2 5B pop ebx
005ef4b3 59 pop ecx
005ef4b4 C3 retn
005ef4b5 5F pop edi
005ef4b6 5E pop esi
005ef4b7 5D pop ebp
005ef4b8 32C0 xor al,al
005ef4ba 5B pop ebx
005ef4bb 59 pop ecx
005ef4bc C3 retn
005ef4bd 90 nop
005ef4be 90 nop
005ef4bf 90 nop
005ef4c0 8B442404 mov eax,[esp+0x4]
005ef4c4 56 push esi
005ef4c5 57 push edi
005ef4c6 8BF1 mov esi,ecx
005ef4c8 50 push eax
005ef4c9 E872A0EEFF call 0x004D9540
005ef4ce 8BCE mov ecx,esi
005ef4d0 E8BBFEFFFF call 0x005EF390
005ef4d5 33C9 xor ecx,ecx
005ef4d7 8A8E70010000 mov cl,[esi+0x170]
005ef4dd 8D54240C lea edx,[esp+0xC]
005ef4e1 52 push edx
005ef4e2 894C2410 mov [esp+0x10],ecx
005ef4e6 8D8884030000 lea ecx,[eax+0x384]
005ef4ec E8AF75E2FF call 0x00416AA0
005ef4f1 8DB894000000 lea edi,[eax+0x94]
005ef4f7 57 push edi
005ef4f8 8BCE mov ecx,esi
005ef4fa E8515FE2FF call 0x00415450
005ef4ff 84C0 test al,al
005ef501 7508 jnz short 0x005EF50B
005ef503 56 push esi
005ef504 8BCF mov ecx,edi
005ef506 E8E583E2FF call 0x004178F0
005ef50b 5F pop edi
005ef50c 5E pop esi
005ef50d C20400 retn 0x4
005ef510 51 push ecx
005ef511 53 push ebx
005ef512 56 push esi
005ef513 57 push edi
005ef514 8BF9 mov edi,ecx
005ef516 E875FEFFFF call 0x005EF390

Option 2:

006b47e1 D91E fstp dword ptr [esi]
006b47e3 5F pop edi
006b47e4 5E pop esi
006b47e5 5B pop ebx
006b47e6 8BE5 mov esp,ebp
006b47e8 5D pop ebp
006b47e9 C3 retn
006b47ea 8A5001 mov dl,[eax+0x1]
006b47ed 80FA3D cmp dl,0x3D
006b47f0 7574 jnz short 0x006B4866
006b47f2 80F92B cmp cl,0x2B
006b47f5 7518 jnz short 0x006B480F
006b47f7 83C002 add eax,0x2
006b47fa A320B38200 mov [0x82B320],eax
006b47ff E86C480100 call 0x006C9070
006b4804 D806 fadd dword ptr [esi]
006b4806 5F pop edi
006b4807 D91E fstp dword ptr [esi]
006b4809 5E pop esi
006b480a 5B pop ebx
006b480b 8BE5 mov esp,ebp
006b480d 5D pop ebp
006b480e C3 retn
006b480f 80F92D cmp cl,0x2D
006b4812 7518 jnz short 0x006B482C
006b4814 83C002 add eax,0x2
006b4817 A320B38200 mov [0x82B320],eax
006b481c E84F480100 call 0x006C9070
006b4821 D82E fsubr dword ptr [esi]
006b4823 5F pop edi
006b4824 D91E fstp dword ptr [esi]
006b4826 5E pop esi
006b4827 5B pop ebx
006b4828 8BE5 mov esp,ebp
006b482a 5D pop ebp
006b482b C3 retn
006b482c 80F92A cmp cl,0x2A
006b482f 7518 jnz short 0x006B4849
006b4831 83C002 add eax,0x2
006b4834 A320B38200 mov [0x82B320],eax
006b4839 E832480100 call 0x006C9070
006b483e D80E fmul dword ptr [esi]
006b4840 5F pop edi
006b4841 D91E fstp dword ptr [esi]
006b4843 5E pop esi
006b4844 5B pop ebx
006b4845 8BE5 mov esp,ebp
006b4847 5D pop ebp
006b4848 C3 retn
006b4849 80F92F cmp cl,0x2F


Option 3:

006b47e1 D91E fstp dword ptr [esi]
006b47e3 5F pop edi
006b47e4 5E pop esi
006b47e5 5B pop ebx
006b47e6 8BE5 mov esp,ebp
006b47e8 5D pop ebp
006b47e9 C3 retn
006b47ea 8A5001 mov dl,[eax+0x1]
006b47ed 80FA3D cmp dl,0x3D
006b47f0 7574 jnz short 0x006B4866
006b47f2 80F92B cmp cl,0x2B
006b47f5 7518 jnz short 0x006B480F
006b47f7 83C002 add eax,0x2
006b47fa A320B38200 mov [0x82B320],eax
006b47ff E86C480100 call 0x006C9070
006b4804 D806 fadd dword ptr [esi]
006b4806 5F pop edi
006b4807 D91E fstp dword ptr [esi]
006b4809 5E pop esi
006b480a 5B pop ebx
006b480b 8BE5 mov esp,ebp
006b480d 5D pop ebp
006b480e C3 retn
006b480f 80F92D cmp cl,0x2D
006b4812 7518 jnz short 0x006B482C
006b4814 83C002 add eax,0x2
006b4817 A320B38200 mov [0x82B320],eax
006b481c E84F480100 call 0x006C9070
006b4821 D82E fsubr dword ptr [esi]
006b4823 5F pop edi
006b4824 D91E fstp dword ptr [esi]
006b4826 5E pop esi
006b4827 5B pop ebx
006b4828 8BE5 mov esp,ebp
006b482a 5D pop ebp
006b482b C3 retn
006b482c 80F92A cmp cl,0x2A
006b482f 7518 jnz short 0x006B4849
006b4831 83C002 add eax,0x2
006b4834 A320B38200 mov [0x82B320],eax
006b4839 E832480100 call 0x006C9070
006b483e D80E fmul dword ptr [esi]
006b4840 5F pop edi
006b4841 D91E fstp dword ptr [esi]
006b4843 5E pop esi
006b4844 5B pop ebx
006b4845 8BE5 mov esp,ebp
006b4847 5D pop ebp
006b4848 C3 retn
006b4849 80F92F cmp cl,0x2F



This is the updated and correct code:

Option 1: 005ef4a8 D99EB8030000 fstp dword ptr [esi+0x3B8]

Option 2: 006b47e1 D91E fstp dword ptr [esi]

Option 3: 006b47e1 D91E fstp dword ptr [esi]

Notice how "Option 2" uses the exact same code as "Option 3" which is weird, I double checked this and it is right.

What I still need to know from this is how to inject code in order for the "Option" of my *** to be unlimited. I was thinking of modifying the .exe directly using OllyDbg, or using Win32Dasm and a hex editor. More importantly, I need to know WHAT to inject, i.e. how should I modify these lines of code to get the results that I want?

Thanks again for your time and comments ppl.

Nick
November 12th, 2002, 02:55
And for ^chaos^ here is the code above and below 005ef4a8 (from Win32Dasm):

Code:


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005EF431(C)
|
:005EF439 33C9 xor ecx, ecx
:005EF43B 8A8F70010000 mov cl, byte ptr [edi+00000170]
:005EF441 8D542410 lea edx, dword ptr [esp+10]
:005EF445 52 push edx
:005EF446 891D08E27A00 mov dword ptr [007AE208], ebx
:005EF44C 894C2414 mov dword ptr [esp+14], ecx
:005EF450 8D8E84030000 lea ecx, dword ptr [esi+00000384]
:005EF456 E84576E2FF call 00416AA0
:005EF45B 8BD8 mov ebx, eax
:005EF45D 85DB test ebx, ebx
:005EF45F 7454 je 005EF4B5
:005EF461 8B451C mov eax, dword ptr [ebp+1C]
:005EF464 50 push eax
:005EF465 8BCE mov ecx, esi
:005EF467 E854B20000 call 005FA6C0
:005EF46C 84C0 test al, al
:005EF46E 7445 je 005EF4B5
:005EF470 57 push edi
:005EF471 8BCB mov ecx, ebx
:005EF473 E85869FCFF call 005B5DD0
:005EF478 85C0 test eax, eax
:005EF47A 7439 je 005EF4B5
:005EF47C 8B96BC030000 mov edx, dword ptr [esi+000003BC]
:005EF482 D9451C fld dword ptr [ebp+1C]
:005EF485 8B4D20 mov ecx, dword ptr [ebp+20]
:005EF488 8B86C0030000 mov eax, dword ptr [esi+000003C0]
:005EF48E 03D1 add edx, ecx
:005EF490 8996BC030000 mov dword ptr [esi+000003BC], edx
:005EF496 8B5524 mov edx, dword ptr [ebp+24]
:005EF499 D886B8030000 fadd dword ptr [esi+000003B8]
:005EF49F 03C2 add eax, edx
:005EF4A1 5F pop edi
:005EF4A2 8986C0030000 mov dword ptr [esi+000003C0], eax
:005EF4A8 D99EB8030000 fstp dword ptr [esi+000003B8]
:005EF4AE 5E pop esi
:005EF4AF 5D pop ebp
:005EF4B0 B001 mov al, 01
:005EF4B2 5B pop ebx
:005EF4B3 59 pop ecx
:005EF4B4 C3 ret




Also here is the code above and below 006b47e1 (from Win32Dasm):


Code:


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006B47C1(C)
|
:006B47C9 8A08 mov cl, byte ptr [eax]
:006B47CB 80F93D cmp cl, 3D
:006B47CE 8B3518B38200 mov esi, dword ptr [0082B318]
:006B47D4 7514 jne 006B47EA
:006B47D6 40 inc eax
:006B47D7 A320B38200 mov dword ptr [0082B320], eax
:006B47DC E88F480100 call 006C9070
:006B47E1 D91E fstp dword ptr [esi]
:006B47E3 5F pop edi
:006B47E4 5E pop esi
:006B47E5 5B pop ebx
:006B47E6 8BE5 mov esp, ebp
:006B47E8 5D pop ebp
:006B47E9 C3 ret


Nick
November 12th, 2002, 10:16
Well, I took a break from trying to hack the option and decided to have a go at hacking another option in the game. I actually managed to create a trainer that stops *** from experiencing the condition up even when the option is turned on! The only problem is that it does not work in multiplayer. Once I connect to a server and then click the "option" button on my trainer, the server kicks me out. I guess the server must check that your original .exe has not been modified.

The trainer I made is for the new *** that just came out last week. The trainer works fine in single player, but I need to find a way of fooling the server into thinking I have the original .exe, maybe packet editing?

Manko
November 12th, 2002, 10:28
Give it up, Nick!

I can understand the fascination, since it's supposed to be really hard to crack the online gaming of ***...
But trying to cheat online is so low.

Anyway... I doubt VERY much that it'd be JUST a matter of checking the exe. The server most likely KNOWS that your heat must rise when you perform certain tasks, so you're screwed anyway! :P

/Manko

^chaos^
November 12th, 2002, 21:07
005EF499 D886B8030000 fadd dword ptr [esi+000003B8]

Well, that line looks suspicious. Either nop it or change it to fsub and your weight should not increase...

And for the other thing, that inc eax looks suspicious, so you might want to nop that.

As for the server booting you out, I have no idea. Did you change some bytes to nops or what? But they probably added some kind of server-side protection, who knows.
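The patch bytes themselves, as an added example that is not from the thread, from TSearch or from the game: a minimal same-length patcher in Python of the sort easywrite's "unpatched" and "patched" boxes describe. It verifies the original bytes before writing (so a different build, or an image that is already patched, is refused), pads a shorter replacement with NOPs, and encodes the three candidates discussed in this thread: ZaiRoN's redirected fstp for the six-byte Option 1 site at 005EF4A8, fstp st(0) (DD D8) for the two-byte Option 2/3 site at 006B47E1, where a six-byte absolute store cannot fit, and ^chaos^'s fadd-to-fsub change at 005EF499 done by rewriting the ModRM /digit. The process image is a constructed sparse buffer seeded only with bytes posted in the thread; SCRATCH_ADDR is an assumption and must be replaced by a writable, unused location in the real target.

```python
"""Same-length byte patcher: verify the 'unpatched' bytes, then write the 'patched' ones.

Added example; not code from the thread, TSearch or the game.  The image is a
constructed sparse buffer seeded only with bytes posted in the thread.  SCRATCH_ADDR is
an assumption: it must be 8 writable bytes the game never reads.
"""
import struct
from dataclasses import dataclass

NOP = 0x90
SCRATCH_ADDR = 0x00990000


class SparseImage:
    """Stand-in for the process's address space; unseeded bytes read back as 0xCC."""

    def __init__(self, seed):
        self.mem = {}
        for addr, data in seed.items():
            self.write(addr, data)

    def read(self, addr, size):
        return bytes(self.mem.get(addr + i, 0xCC) for i in range(size))

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.mem[addr + i] = b


@dataclass(frozen=True)
class Patch:
    addr: int          # virtual address of the first replaced byte
    unpatched: bytes   # bytes that must be there (easywrite's "unpatched" box)
    patched: bytes     # replacement, NOP-padded to len(unpatched) (the "patched" box)

    def __post_init__(self):
        if len(self.patched) > len(self.unpatched):
            raise ValueError(f"{self.addr:08X}: replacement longer than original, needs a code cave")

    @property
    def padded(self):
        return self.patched + bytes([NOP]) * (len(self.unpatched) - len(self.patched))


def apply_patch(img, p):
    """Write p.patched only when the bytes at p.addr are exactly p.unpatched."""
    found = img.read(p.addr, len(p.unpatched))
    if found != p.unpatched:
        raise RuntimeError(f"{p.addr:08X}: expected {p.unpatched.hex()}, found {found.hex()} "
                           "(different build, or already patched)")
    img.write(p.addr, p.padded)
    return img.read(p.addr, len(p.unpatched))


def revert_patch(img, p):
    """Restore the original bytes, refusing if the patch is not actually in place."""
    if img.read(p.addr, len(p.unpatched)) != p.padded:
        raise RuntimeError(f"{p.addr:08X}: patch not present, not reverting")
    img.write(p.addr, p.unpatched)


# x87 encodings (32-bit code), checked against the bytes in the thread's own listings.
def fstp_m32_abs(addr):
    """fstp dword ptr [addr]: D9 /3, ModRM mod=00 reg=011 rm=101 -> D9 1D disp32 (6 bytes)."""
    return b"\xD9\x1D" + struct.pack("<I", addr)


FSTP_ST0 = b"\xDD\xD8"   # fstp st(0): pops without storing; fits a 2-byte site


def with_ext(insn, ext):
    """Rewrite the /digit (ModRM reg field) of a D8 memory-operand instruction.
    D8 /0 fadd, /1 fmul, /4 fsub, /5 fsubr; the thread shows D806, D80E and D82E."""
    if len(insn) < 2 or insn[0] != 0xD8 or insn[1] >> 6 == 3:
        raise ValueError("expected D8 with a memory operand")
    modrm = (insn[1] & 0b11000111) | (ext << 3)
    return bytes([0xD8, modrm]) + insn[2:]


FADD_005EF499 = bytes.fromhex("D886B8030000")   # fadd dword ptr [esi+3B8]
FSTP_005EF4A8 = bytes.fromhex("D99EB8030000")   # fstp dword ptr [esi+3B8]
FSTP_006B47E1 = bytes.fromhex("D91E")           # fstp dword ptr [esi]

PATCHES = {
    # Option 1: 6-byte fstp [esi+3B8] -> 6-byte fstp [scratch]; stack stays balanced.
    "option1_redirect": Patch(0x005EF4A8, FSTP_005EF4A8, fstp_m32_abs(SCRATCH_ADDR)),
    # Option 2/3: a 2-byte site cannot hold an absolute store; pop without writing instead.
    "option2_discard": Patch(0x006B47E1, FSTP_006B47E1, FSTP_ST0),
    # ^chaos^'s suggestion: fadd -> fsub at 005EF499; same length, no padding.
    "option1_fsub": Patch(0x005EF499, FADD_005EF499, with_ext(FADD_005EF499, 4)),
}


def build_image():
    return SparseImage({0x005EF499: FADD_005EF499,
                        0x005EF4A8: FSTP_005EF4A8,
                        0x006B47E1: FSTP_006B47E1})


if __name__ == "__main__":
    for name, p in PATCHES.items():
        img = build_image()                      # fresh image per patch for the printout
        print(f"{name:17} {p.addr:08X}: {p.unpatched.hex()} -> {apply_patch(img, p).hex()}")
```

On the real game the read and write would go through ReadProcessMemory/WriteProcessMemory, or through the file offset in the .exe (which needs the PE section table to translate the virtual address). The check-before-write is the part that matters: writing the "patched" bytes over a different build lands in the middle of some other instruction and breaks the game just as thoroughly as a bad nop. A same-length in-place patch also avoids a code cave entirely; a jump into a cave is only needed when the replacement is longer than the original, which is what the ValueError in Patch flags.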

Nick
November 13th, 2002, 01:24
Quote:
Originally posted by ^chaos^
005EF499 D886B8030000 fadd dword ptr [esi+000003B8]

Well, that line looks suspicious. Either nop it or change it to fsub and your weight should not increase...

And for the other thing, that inc eax looks suspicious, so you might want to nop that.

As for the server booting you out, I have no idea. Did you change some bytes to nops or what? But they probably added some kind of server-side protection, who knows.


The FSUB worked on singleplayer! But on multiplayer the server was too clever for that and booted me.

But how hard can it really be to find and bypass these checking mechanisms by the server? There must be a method that people know of.

Nick
November 14th, 2002, 07:29
Welp, I can hack the game inside out but I can't get away with it on the multiplayer servers.

^chaos^ I wonder how your hacked .exe did not get booted off servers? Did you have to defeat any in-game checks?

^chaos^
November 14th, 2002, 17:59
I'm sure they got smart and put in some protection against such hackery... what, though, I couldn't tell you. If it works in single player then you did your job right, but it's something that the server checks. When does it disconnect you? Here is a little tale of bad hacking.

Some idiot released a StarCraft trainer oh so many years ago; he thought it worked online for minerals. What it did was up them to 9999999 on your client. However the game... the other players knew the real value of the minerals. When the game depleted its real minerals, and then you tried to build something with your phantom minerals, the game booted you.

So what I'm saying is that if you hacked the ammo, for instance, when do you get disconnected? When you fire 1 bullet? When you deplete your ammo? Instantly?

Nick
November 14th, 2002, 19:49
Quote:
Originally posted by ^chaos^
I'm sure they got smart and put in some protection against such hackery... what, though, I couldn't tell you. If it works in single player then you did your job right, but it's something that the server checks. When does it disconnect you? Here is a little tale of bad hacking.

Some idiot released a StarCraft trainer oh so many years ago; he thought it worked online for minerals. What it did was up them to 9999999 on your client. However the game... the other players knew the real value of the minerals. When the game depleted its real minerals, and then you tried to build something with your phantom minerals, the game booted you.

So what I'm saying is that if you hacked the ammo, for instance, when do you get disconnected? When you fire 1 bullet? When you deplete your ammo? Instantly?


Always instantly.

^chaos^
November 15th, 2002, 19:15
Bummer. It could be a million things, so it's hard to say. At least I hope you learned something; it's too bad it didn't work in multiplayer.