justNOPing (How do I cheat?) Reputation: 0
Joined: 09 Aug 2022 Posts: 7
Posted: Sun Aug 14, 2022 3:31 pm Post subject: Trouble making a structure (pointer) for the opcode
Hello, I've stumbled upon an opcode that I can't seem to "intercept" since my ASM knowledge is very limited. I know you can copy register states to your own defined symbols and then use them in the script, kinda like
Code:
newmem:
mov [p_pointer],ecx
mov eax,[ecx]
mov [esp+04],edx
jmp return
p_pointer:
dd 00
and then use the corresponding offset.
But here's what I stumbled upon:
(see attachment)
FLD loads all the values that I need (skill levels), but I can't think of a way to get these and make a single structure out of this opcode so I don't have to pointer-scan for each address individually. Any ideas?
Attachment: 79.66 KB, viewed 897 time(s)
ParkourPenguin (I post too much) Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Sun Aug 14, 2022 4:39 pm Post subject:
All those addresses are pretty close to each other. Seems like ECX is the only thing that's changing. Does the EDX register ever change value? If not, just use that as the base and add memory records for every relevant offset.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
justNOPing (How do I cheat?) Reputation: 0
Joined: 09 Aug 2022 Posts: 7
Posted: Mon Aug 15, 2022 2:43 am Post subject:
ParkourPenguin wrote:
Does the EDX register ever change value? If not, just use that as the base and add memory records for every relevant offset.
Yeah, it does change. I've tried making a quite complicated thing:
Code:
newmem:
fld dword ptr [edx+ecx*4]
fstp dword ptr [esp+18]
mov [skillsedx],edx
mov [skillsecx],ecx
jmp return
skillsedx:
dd 00
skillsecx:
dd 00
And then just calculating it by adding address manually:
Code:
[skillsedx]+[skillsecx]*4+OFFSET
but it doesn't work as intended for whatever reason; it returns the same value as before.
I ended up just parsing EDX registers into my symbol:
Code:
newmem:
fld dword ptr [edx+ecx*4]
fstp dword ptr [esp+18]
mov [skillsedx],edx
jmp return
skillsedx:
dd 00
and there's a problem: since EDX does change, the offsets are slightly off:
(see attachment)
I've also included Commonality Scanner pop-up and Dissect Data with EDX value
UPD:
Turned out that these 3 last addresses were completely useless so I just used EDX as a base for my structure. Thank you a ton, @ParkourPenguin!
Attachment: 95.52 KB, viewed 862 time(s)
ParkourPenguin (I post too much) Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Mon Aug 15, 2022 11:33 am Post subject:
justNOPing wrote:
Code:
mov [skillsedx],edx
mov [skillsecx],ecx
This will only give you the latest value of edx and ecx, not all the values.
You could store all the values to some area of memory; however, if it ever gets invalidated (e.g. deallocated), you'd need a way of removing values from that area of memory, which is easier said than done.
That instruction is clearly accessing an array of structures, specifically the first dword in each 12-byte structure. edx is the base, and ecx (really edi) is the index. The biggest problem is that there are several arrays it could be accessing.
Are you sure you need all the arrays being accessed? Are those last 3 values 170, 13, and 15 important?
Is there a different injection point you could use?
While manually doing a pointer scan for each skill level would suck, finding a pointer to the array of skill levels and then manually adding each offset is more reasonable.
I'd look at the address ebp+54 (where the base edx comes from) and see what instructions access that address. Maybe one of those could be a better injection point.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
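The two points made in this thread (a `mov [symbol],reg` hook keeps only the last register state the instruction saw, and `fld dword ptr [edx+ecx*4]` walks the first dword of each 12-byte structure in whichever array edx currently points at) can be modelled without touching a process. The following is an added example written for this edit, not code from the thread or from Cheat Engine: memory is a constructed bytearray, the addresses `0x0A000000`/`0x0A001000`, the record layout `<fII` and the hook classes are all assumptions, and the 170/13/15 values are only borrowed from the thread as sample data.

```python
import struct
from collections import defaultdict

# Constructed record layout: 12 bytes per structure, first dword is a float.
# The game's real structure is unknown; only the 12-byte stride and the
# "first dword" access pattern come from the thread.
RECORD = struct.Struct("<fII")
RECORD_SIZE = RECORD.size                  # 12
INDEX_STEP = RECORD_SIZE // 4              # ecx advances 3 per element for [edx+ecx*4]


def build_memory(arrays):
    """arrays: {base_address: [float values]} -> (bytearray, origin).
    Lays every array out at its (constructed) base address in one flat image."""
    origin = min(arrays)
    end = max(base + len(vals) * RECORD_SIZE for base, vals in arrays.items())
    mem = bytearray(end - origin)
    for base, vals in arrays.items():
        for i, v in enumerate(vals):
            off = base - origin + i * RECORD_SIZE
            mem[off:off + RECORD_SIZE] = RECORD.pack(v, i, 0xCAFE)
    return mem, origin


def read_float(mem, origin, addr):
    """Read the dword at `addr` as a single-precision float (what fld loads)."""
    return struct.unpack_from("<f", mem, addr - origin)[0]


def fld_loop(mem, origin, edx, count, hooks):
    """Model of the game's loop around `fld dword ptr [edx+ecx*4]`.
    Every hook is called with the register state at the instruction."""
    values = []
    for i in range(count):
        ecx = i * INDEX_STEP
        for hook in hooks:
            hook(edx, ecx)
        values.append(read_float(mem, origin, edx + ecx * 4))
    return values


class LatestOnlyHook:
    """Equivalent of `mov [skillsedx],edx` / `mov [skillsecx],ecx`: one slot,
    overwritten on every execution, so only the final element survives."""
    def __init__(self):
        self.edx = 0
        self.ecx = 0

    def __call__(self, edx, ecx):
        self.edx, self.ecx = edx, ecx

    def address(self, offset=0):
        # The OP's manual formula: [skillsedx]+[skillsecx]*4+OFFSET
        return self.edx + self.ecx * 4 + offset


class LogAllHook:
    """Records every (edx, ecx) pair, then groups the byte offsets by base so
    accesses to different arrays (different edx) are separated."""
    def __init__(self):
        self.seen = []

    def __call__(self, edx, ecx):
        self.seen.append((edx, ecx))

    def offsets_by_base(self):
        groups = defaultdict(set)
        for edx, ecx in self.seen:
            groups[edx].add(ecx * 4)
        return {base: sorted(offs) for base, offs in groups.items()}


def resolve(mem, origin, base, offsets):
    """One pointer to the array base plus fixed per-skill offsets, instead of
    one pointer scan per skill (the approach suggested in the thread)."""
    return [read_float(mem, origin, base + off) for off in offsets]


def demo():
    # Constructed sample data: a "skill level" array and a second, unrelated array
    # that the same instruction also touches (the thread's 170, 13, 15).
    arrays = {0x0A000000: [1.0, 2.0, 3.0, 4.0, 5.0],
              0x0A001000: [170.0, 13.0, 15.0]}
    mem, origin = build_memory(arrays)
    latest, log = LatestOnlyHook(), LogAllHook()
    for base, vals in arrays.items():
        fld_loop(mem, origin, base, len(vals), [latest, log])
    return latest, log, mem, origin


if __name__ == "__main__":
    latest, log, mem, origin = demo()
    print("latest-only hook sees:", hex(latest.address()),
          "->", read_float(mem, origin, latest.address()))
    for base, offs in log.offsets_by_base().items():
        print(hex(base), offs, resolve(mem, origin, base, offs))
```

Running `demo()` shows the failure mode from the second post directly: the latest-only hook resolves to the last element of the last array the instruction visited, whichever array that was, so adding an OFFSET to it cannot reach earlier elements. The logging hook separates the accesses by base, which is why, once the second array turns out to be irrelevant, a single base pointer plus the offsets 0, 12, 24, ... is enough to read every skill level.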
justNOPing (How do I cheat?) Reputation: 0
Joined: 09 Aug 2022 Posts: 7
Posted: Mon Aug 15, 2022 2:51 pm Post subject:
ParkourPenguin wrote:
Are you sure you need all the arrays being accessed? Are those last 3 values 170, 13, and 15 important?
Is there a different injection point you could use?
I wish I could thank you more for this valuable piece of information.
Yes, I've updated my last post just recently saying that those last 3 values turned out to be completely useless for me, so I just stuck to pushing the EDX value in my script and it works perfectly. Thank you so much.