Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Mon Jul 13, 2009 1:18 pm Post subject: [Tut] How to convert AA script into your C++ project |
Hello there.
Well, I've seen a lot of people asking lately how they can convert their Auto Assembler scripts
into their C++ project using inline assembly.
So I'll post here a nice quick guide / tutorial that will pretty much explain the steps of the conversion.
For our tutorial we'll take as an example a simple AA script that hacks the mines in Minesweeper
so we will never run out of flags.
| Code: |
[enable]
alloc(newmem,512)
label(returnhere)
0100346E:
jmp newmem
nop
returnhere:
newmem:
mov eax,a // a means 10 in hex
mov [01005194],eax
jmp returnhere
[disable]
dealloc(newmem)
0100346E:
add [01005194],eax
|
I know I can just nop the flags handling address and I'll get the same result, but I wanted to use a codecave script.
OK, so what we have here is:
newmem - our codecave
0100346E - our address, whose bytes we change to jump to our codecave
So first of all, how do we create a codecave in our C++ code?
A codecave is allocated memory in the process's memory space,
so a function declaration will do the job, since functions are allocated memory blocks in our process memory space.
So our codecave should look like:
| Code: |
__declspec(naked) void newmem ()  // naked: the compiler emits no prologue/epilogue, so the body is exactly our asm
{
__asm
{
// our assembly code goes here
}
}
|
That function will contain our assembly code that will take care of what we want to change in the game.
But let's go back a little bit.
How can we force the memory to jump to our codecave?
So first of all we need to change the first byte in our address to a short jump byte - 0xE9.
| Code: |
DWORD Address = 0x0100346E;
*(BYTE*)Address = 0xe9;  // E9 = jmp rel32 opcode (the code page must be writable first, e.g. via VirtualProtect)
|
Right after that we are supposed to calculate the bytes to jump from the address to our codecave.
The formula of this calculation goes like:
Destination Address (our codecave) - Source Address (our address) - 5 will give us the bytes to jump.
So we can define a macro that will auto-calculate the bytes:
| Code: |
#define JMP(frm,to) (((int)(to) - (int)(frm)) - 5)  // rel32 is measured from the end of the 5-byte jmp, hence the -5
|
And we'll take the result and put it 1 byte after the jumping byte:
| Code: |
DWORD ReturnAddr = Address + 5;                 // the codecave jumps back here, just past the 5 jmp bytes
*(BYTE*)Address = 0xe9;                         // E9 = jmp rel32
*(DWORD*)(Address+1) = JMP(Address,codecave);   // rel32 displacement from the macro above
*(BYTE*)(Address+5) = 0x90;                     // add [01005194],eax is 6 bytes, so nop the leftover byte like the AA script's "nop"
|
OK, so we've jumped to our codecave. Now let's set the code in our codecave:
| Code: |
__declspec(naked) void codecave()
{
__asm
{
push eax
push ebx
mov ebx,0x01005194 // the flags address
mov eax,0xA
mov [ebx],eax      // flags = 10
pop ebx
pop eax
jmp dword ptr [ReturnAddr] // ReturnAddr is a DWORD variable holding Address+5: after we're done we jump back past the jmp bytes we wrote, or else we'd get into an infinite loop
}
}
|
So that's it basically. I know that most of you know that stuff, but I hope that helped the guys who needed it.
That's it for now :]
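To make the displacement arithmetic concrete, here is an added example (not code from the post) in plain C that builds the 5-byte jmp from the tutorial's formula into a constructed byte buffer and, from the defender's side, resolves where such a jmp points, which is how an integrity checker spots an inline hook. The hook address and original bytes are the post's Minesweeper example; the codecave address 0x00401000 is a made-up placeholder.

```c
#include <stdint.h>
#include <stdio.h>
/* The page's formula: displacement = codecave - hook address - 5, because
 * rel32 is relative to the end of the 5-byte jmp. */
#define JMP_REL32(frm, to) ((int32_t)((uint32_t)(to) - (uint32_t)(frm) - 5))
/* Write E9 rel32 at mem, then `pad` NOPs so the patch covers whole instructions
 * (the AA script's "jmp newmem / nop"). */
static void write_jmp_patch(uint8_t *mem, uint32_t hook_at, uint32_t cave, int pad)
{
    uint32_t rel = (uint32_t)JMP_REL32(hook_at, cave);
    mem[0] = 0xE9;                                  /* near relative jmp */
    for (int i = 0; i < 4; i++)
        mem[1 + i] = (uint8_t)(rel >> (8 * i));     /* rel32, little-endian */
    for (int i = 0; i < pad; i++)
        mem[5 + i] = 0x90;                          /* nop the leftover bytes */
}
/* Integrity check: does the code at `at` start with a relative jmp, and where
 * does it land? Returns 1 and sets *target if so, 0 otherwise. */
static int resolve_jmp(const uint8_t *mem, uint32_t at, uint32_t *target)
{
    if (mem[0] != 0xE9) return 0;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)mem[1 + i] << (8 * i);
    *target = at + 5 + rel;                         /* unsigned wrap = signed add */
    return 1;
}
/* Minesweeper example from the post: the 6-byte `add [01005194],eax`
 * (01 05 94 51 00 01) at 0100346E gets a 5-byte jmp plus one nop.
 * CODECAVE is a constructed placeholder for wherever the naked function lands. */
#define HOOK_AT  0x0100346Eu
#define CODECAVE 0x00401000u
static uint32_t demo_patch_and_verify(uint8_t out[6])
{
    uint8_t mem[6] = {0x01, 0x05, 0x94, 0x51, 0x00, 0x01};
    uint32_t target = 0;
    write_jmp_patch(mem, HOOK_AT, CODECAVE, 6 - 5);
    for (int i = 0; i < 6; i++) out[i] = mem[i];
    return resolve_jmp(mem, HOOK_AT, &target) ? target : 0;
}
static uint8_t patched_byte(int i) { uint8_t b[6]; demo_patch_and_verify(b); return b[i]; }
int main(void)
{
    uint8_t b[6];
    printf("hook at %08X resolves to %08X; bytes:", HOOK_AT, demo_patch_and_verify(b));
    for (int i = 0; i < 6; i++) printf(" %02X", b[i]);
    printf("\n");
    return 0;
}
```

The displacement comes out negative here (the cave sits below the hook), which is why the arithmetic is done in unsigned 32-bit and simply wraps.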
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Mon Jul 13, 2009 1:22 pm Post subject: |
| Code: |
push eax
push ebx
mov ebx,0x01005194 // the flags address
mov eax,0xA
mov [ebx],eax
pop ebx
pop eax
|
Why don't you just do:
| Code: |
mov dword ptr ds:[0x01005194], 0xA
|
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Mon Jul 13, 2009 1:28 pm Post subject: |
Actually I always get errors with the operands and shit like that, so I gave up and use the primitive way xD
But there's no reason it won't work.
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Mon Jul 13, 2009 3:30 pm Post subject: |
Well, keep trying and it will work : ) Dunno how inline asm in C++ works and what sort of code it takes, but in x86 asm that is a legitimate instruction. Good luck ^_^
rapion124 Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Mar 2007 Posts: 1095
Posted: Mon Jul 13, 2009 5:15 pm Post subject: |
With C++'s inline assembler, you don't need to state the segment register. However, you do need to state the size, such as using "dword ptr".
Ind3siszive Cheater
Reputation: 0
Joined: 23 Apr 2009 Posts: 43 Location: in a glitch
Posted: Mon Jul 13, 2009 9:22 pm Post subject: |
So wait, what exactly did you change in the code cave? I put in my hack and the game freezes, I put in the original code and it freezes. JW what I need to do to it, and TYVM for this post.
Like, what would I do for something like this:
| Code: |
[ENABLE]
alloc(newmem,1024)
label(returnhere)
label(originalcode)
label(exit)
007C42AA:
jmp newmem
returnhere:
newmem:
mov [eax+08],40FEDD2E // Change float point to desire speed.
mov [eax+0c],44C48C75
originalcode:
fld dword ptr ds: [eax+08]
pop edi
pop esi
exit:
jmp returnhere
a2E4C0:
dd 44600000
[DISABLE]
dealloc(newmem)
007C42AA: // D9 40 08 5F 5E C3 8B
fld dword ptr [eax+08]
pop edi
pop esi
|
I know I need to put the 0x in front, so then:
| Code: |
mov [eax+0x08],0x40FEDD2E
mov [eax+0x0c],0x44C48C75
|
But what else do I need to do?
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Mon Jul 13, 2009 11:08 pm Post subject: |
It's pretty much as I explained:
declare a __declspec(naked) function as your codecave, since it's an allocated memory block,
and fill it up with your code:
| Code: |
__declspec(naked) void myCodeCave ()
{
__asm
{
mov dword ptr [eax+0x08],0x40FEDD2E // the operand size is needed here, or the assembler rejects the ambiguous mov
mov dword ptr [eax+0x0C],0x44C48C75
fld dword ptr [eax+0x08]            // the three original instructions the 5-byte jmp overwrote (D9 40 08 5F 5E)
pop edi
pop esi
jmp dword ptr [ReturnAddr]          // ReturnAddr is a DWORD variable holding Address+5, the instruction right after the jmp you wrote
}
}
|
Now, when you want to jump to your codecave, you need to change the desired address's bytes to jump:
| Code: |
DWORD Address = 0x007C42AA;
DWORD ReturnAddr = Address + 5;                  // return point used by the codecave's final jmp
*(BYTE*)Address = 0xe9;                          // jmp rel32 opcode
*(DWORD*)(Address+1) = JMP(Address,myCodeCave);  // rel32 displacement
|
The JMP(frm,to) formula is at the top of the page, take a look.
Ind3siszive Cheater
Reputation: 0
Joined: 23 Apr 2009 Posts: 43 Location: in a glitch
Posted: Mon Jul 13, 2009 11:25 pm Post subject: |
Hmmm, I'll give that a shot. But don't I need to push anything? I'm sorry, I have a very low understanding of asm.
Also, would this application produce the same results?
http://www.dxtgaming.com/forums/showthread.php?t=4883
Just convert both of them into bytes, then patch the old bytes with the new with WriteProcessMemory, or no?
Anyhow, I'm gonna give that a try.
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Mon Jul 13, 2009 11:30 pm Post subject: |
WriteProcessMemory should work, but there are some games that use drivers to block those kinds of game hacking.
Inline asm is direct access to the memory without using any API.
Ind3siszive Cheater
Reputation: 0
Joined: 23 Apr 2009 Posts: 43 Location: in a glitch
Posted: Tue Jul 14, 2009 12:00 am Post subject: |
Still doesn't work, but I'm pretty sure I know what I did wrong, and it's my fault lol.
~Eclipse~ Grandmaster Cheater
Reputation: 0
Joined: 06 Nov 2008 Posts: 821
Posted: Tue Jul 14, 2009 12:22 am Post subject: |
Nice tut, but it doesn't work. Maybe I'm doing something wrong.
Ind3siszive Cheater
Reputation: 0
Joined: 23 Apr 2009 Posts: 43 Location: in a glitch
Posted: Tue Jul 14, 2009 12:29 am Post subject: |
OK, I'm really frustrated right now. I know the jmp is being changed because this is a speed hack and it only errors when I move after applying the hacks.
I have my whole code in Pastebin, here it is; you don't have to register or anything. I really would like to get this figured out.
http://pastebin.com/d570709c8
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Wed Jul 15, 2009 3:46 am Post subject: |
| Ind3sisziver wrote: | OK, I'm really frustrated right now. I know the jmp is being changed because this is a speed hack and it only errors when I move after applying the hacks.
I have my whole code in Pastebin, here it is; you don't have to register or anything. I really would like to get this figured out.
http://pastebin.com/d570709c8 |
I can't see the code, try uploading again.
Ind3siszive Cheater
Reputation: 0
Joined: 23 Apr 2009 Posts: 43 Location: in a glitch
Posted: Wed Jul 15, 2009 9:27 am Post subject: |
I'm on vacation and I don't have it with me, but I'll see if I can get it and re-upload. I'll be back in like 9 days.
OK, I'm back, here is an updated link:
http://pastebin.com/m5fc0e666
Can someone please bump this?
NoMercy Master Cheater
Reputation: 1
Joined: 09 Feb 2009 Posts: 289
Posted: Sun Sep 06, 2009 7:26 am Post subject: |
| Code: |
DWORD Address = 0x0051E1A7;
*(BYTE*)Address = 0xe9;
*(DWORD*)(Address+1) = JMP(Address,Check);
|
When I compile my entire thing, I get errors because of those things:
| Code: |
1>------ Build started: Project: jfgj, Configuration: Debug Win32 ------
1>Compiling...
1>gfh.cpp
1>c:\documents and settings\ruben\mijn documenten\visual studio 2008\projects\jfgj\jfgj\gfh.cpp(9) : error C2226: syntax error : unexpected type 'BYTE'
1>c:\documents and settings\ruben\mijn documenten\visual studio 2008\projects\jfgj\jfgj\gfh.cpp(10) : error C2226: syntax error : unexpected type 'DWORD'
1>c:\documents and settings\ruben\mijn documenten\visual studio 2008\projects\jfgj\jfgj\gfh.cpp(37) : warning C4414: 'UnlimitedAttack' : short jump to function converted to near
1>Build log was saved at "file://c:\Documents and Settings\RuBen\Mijn documenten\Visual Studio 2008\Projects\jfgj\jfgj\Debug\BuildLog.htm"
1>jfgj - 2 error(s), 1 warning(s)
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========
|
Any solutions? And how about the [disable] part, do I also have to code that?