Full Stop
Reputation: 0
Joined: 15 Feb 2013 Posts: 1
Posted: Fri Feb 15, 2013 12:48 am Post subject: Auto Assembler Confusion
I can't get anything that has to do with allocating down.
Here's a little thing I wrote that works:
Code:
[ENABLE]
PhysX3CharacterKinematic_x64.dll+A5A8:
db 48 29 C0 // sub rax,rax
db 48 89 86 C8 01 00 00 // mov [rsi+000001C8],rax
db 48 89 86 D0 01 00 00 // mov [rsi+000001D0],rax
db 48 89 86 D8 01 00 00 // mov [rsi+000001D8],rax
db 90 90 90 90 // 4 nops in place of: mov rax,[rbx+08]
db 48 8B 43 10 // mov rax,[rbx+10]
[DISABLE]
PhysX3CharacterKinematic_x64.dll+A5A8:
db 48 8B 03 // mov rax,[rbx]
db 48 89 86 C8 01 00 00 // mov [rsi+000001C8],rax
db 48 8B 43 08 // mov rax,[rbx+08]
db 48 89 86 D0 01 00 00 // mov [rsi+000001D0],rax
db 48 8B 43 10 // mov rax,[rbx+10]
db 48 89 86 D8 01 00 00 // mov [rsi+000001D8],rax
The original code is for updating the position (X,Y,Z) of a character to the client. This function gets called any time something moves. It's really handy. I haven't mapped out rsi yet but I know +1C8, +1D0, and +1D8 make up the coordinates of the object. This script writes (in place) a 0 to rax, then from rax to the coords, nops a bit to make up for the unused bytes, then gives rax the values it holds at the end of the original code. I know enough asm and variable manipulation to work that out. My problem is with all this allocation stuff. I'd like to hook the function starting at "mov rax,[rbx]" and not jump back until after all the coords have been written in my subfunction. Here's what I have (that doesn't work):
Code:
[ENABLE]
alloc(codecave,512)
label(returnhere)
// Entry Pt: mov rax,[rbx]
PhysX3CharacterKinematic_x64.dll+A5A8:
db 90 90 90 // mov rax,[rbx]
db 90 90 90 90 90 90 90 // mov [rsi+000001C8],rax
db 90 90 90 90 // mov rax,[rbx+08]
db 90 90 90 90 90 90 90 // mov [rsi+000001D0],rax
db 90 90 90 90 // mov rax,[rbx+10]
db 90 90 // first 2 bytes of mov [rsi+000001D8],rax
jmp codecave // remaining 5 bytes of mov [rsi+000001D8],rax, assuming jmp assembles to 5 bytes
returnhere:
codecave:
sub rax,rax
mov [rsi+000001C8],rax
mov [rsi+000001D0],rax
mov [rsi+000001D8],rax
mov rax,[rbx+10]
jmp returnhere
[DISABLE]
dealloc(codecave)
PhysX3CharacterKinematic_x64.dll+A5A8:
db 48 8B 03 // mov rax,[rbx]
db 48 89 86 C8 01 00 00 // mov [rsi+000001C8],rax // X
db 48 8B 43 08 // mov rax,[rbx+08]
db 48 89 86 D0 01 00 00 // mov [rsi+000001D0],rax // Z
db 48 8B 43 10 // mov rax,[rbx+10]
db 48 89 86 D8 01 00 00 // mov [rsi+000001D8],rax // Y
I'm thinking it has to do with my assumption that a jmp is 5 bytes? I might just end up doing something like this:
Code:
PhysX3CharacterKinematic_x64.dll+A5A8:
jmp codecave
codecave:
// do stuff
jmp PhysX3CharacterKinematic_x64.dll+A5C8 // counted in my head, might not be exact
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25828 Location: The Netherlands
Posted: Fri Feb 15, 2013 5:31 am Post subject:
A jmp isn't always 5 bytes. If the distance is bigger than 7fffffff, then a bigger construct is needed, which can be 14 bytes long.
You can use the third parameter of alloc to specify the region to allocate, so try alloc(codecave, 512, PhysX3CharacterKinematic_x64.dll)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so i can keep helping
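To make the size point from the answer concrete, here is an added example that is not from either post and not Cheat Engine's own code. It encodes an x86-64 jmp the way a hook trampoline must: the 5-byte E9 rel32 form only when the cave is within +/-2 GiB of the hook, otherwise the 14-byte absolute form (FF 25 00000000 = jmp [rip+0], followed by the 8-byte target). It then checks the posted script's byte budget (27 nops plus the jmp against the 32-byte block at +A5A8) under both sizes, and shows how many whole instructions a jmp placed at the start of the block would have to steal instead. The module address and cave addresses are constructed for illustration; the instruction lengths are taken from the bytes posted in the question.

```c
/*
 * Added example for this thread; not code from the original posts or from
 * Cheat Engine. A "jmp target" on x86-64 assembles to 5 bytes (E9 rel32) only
 * if the target lies within +/-2 GiB of the jump; otherwise a 14-byte absolute
 * form is needed, and a hook that budgeted for 5 bytes overruns the block it
 * meant to patch. All addresses below are constructed for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define JMP_REL32_LEN 5   /* E9 rel32 */
#define JMP_ABS64_LEN 14  /* FF 25 00 00 00 00 + 8-byte absolute target */

/* Instruction lengths of the 32-byte block at PhysX3CharacterKinematic_x64.dll+A5A8
 * as posted: mov rax,[rbx] / mov [rsi+1C8],rax / mov rax,[rbx+08] /
 * mov [rsi+1D0],rax / mov rax,[rbx+10] / mov [rsi+1D8],rax. */
static const size_t original_insn_lens[] = {3, 7, 4, 7, 4, 7};
#define ORIGINAL_BLOCK_LEN 32

/* rel32 is measured from the end of the 5-byte jmp, so the reachable window
 * is [from+5-2GiB, from+5+2GiB-1]. */
int jmp_rel32_reachable(uint64_t from, uint64_t to)
{
    int64_t delta = (int64_t)(to - (from + JMP_REL32_LEN));
    return delta >= INT32_MIN && delta <= INT32_MAX;
}

/* Encodes "jmp to" at address `from` into out[] (room for 14 bytes) and
 * returns the number of bytes written: 5 or 14. Bytes are emitted one at a
 * time so the result does not depend on host endianness. */
size_t encode_jmp(uint64_t from, uint64_t to, uint8_t *out)
{
    if (jmp_rel32_reachable(from, to)) {
        uint32_t rel = (uint32_t)(to - (from + JMP_REL32_LEN));
        out[0] = 0xE9;
        for (int i = 0; i < 4; i++)
            out[1 + i] = (uint8_t)(rel >> (8 * i));
        return JMP_REL32_LEN;
    }
    out[0] = 0xFF; out[1] = 0x25;             /* jmp qword ptr [rip+0] */
    out[2] = out[3] = out[4] = out[5] = 0x00; /* disp32 = 0 */
    for (int i = 0; i < 8; i++)               /* the qword the jmp reads */
        out[6 + i] = (uint8_t)(to >> (8 * i));
    return JMP_ABS64_LEN;
}

/* Total bytes the posted script writes at +A5A8: its nops plus the jmp. */
size_t patch_len(size_t nop_count, size_t jmp_len)
{
    return nop_count + jmp_len;
}

/* Bytes of whole instructions a jmp of jmp_len steals when placed at the
 * start of the block (jmp first, nops after). The stolen instructions are
 * re-executed in the cave; here they address only via rbx/rsi, so they can
 * be copied verbatim (rip-relative ones could not), and stolen - jmp_len
 * bytes after the jmp are nopped. */
size_t stolen_bytes_for_jmp(size_t jmp_len)
{
    size_t total = 0;
    for (size_t i = 0; i < sizeof original_insn_lens / sizeof original_insn_lens[0]; i++) {
        if (total >= jmp_len)
            break;
        total += original_insn_lens[i];
    }
    return total;
}

int main(void)
{
    uint64_t hook = 0x7FF8A0B0A5A8ULL;          /* constructed: module base + A5A8 */
    uint64_t near_cave = hook + 0x10000;        /* what alloc(codecave,512,module) aims for */
    uint64_t far_cave = 0x0000000010000000ULL;  /* constructed: a cave 2+ GiB away */
    uint8_t buf[JMP_ABS64_LEN];
    size_t n;

    n = encode_jmp(hook, near_cave, buf);
    printf("near cave: %zu-byte jmp, patch = %zu of %d bytes\n",
           n, patch_len(27, n), ORIGINAL_BLOCK_LEN);
    n = encode_jmp(hook, far_cave, buf);
    printf("far cave:  %zu-byte jmp, patch = %zu of %d bytes (overruns by %zu)\n",
           n, patch_len(27, n), ORIGINAL_BLOCK_LEN, patch_len(27, n) - ORIGINAL_BLOCK_LEN);
    printf("jmp-first layout steals %zu bytes for a 5-byte jmp, %zu for a 14-byte jmp\n",
           stolen_bytes_for_jmp(5), stolen_bytes_for_jmp(14));
    return 0;
}
```

With a near cave the patch is exactly 32 bytes and the posted layout works; with a far cave the 14-byte form pushes the patch to 41 bytes, so the last 9 bytes land in whatever follows +A5C8. The safer habit regardless of where the cave ends up is to put the jmp first, steal whole instructions (10 bytes for a 5-byte jmp, 14 for a 14-byte one here), and let the assembler's own label after the nops be the return address rather than a count done by hand.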