Ejay1984 Newbie cheater
Reputation: 0
Joined: 16 Nov 2017 Posts: 24
Posted: Wed Nov 22, 2017 4:43 am Post subject: Game Maker Studio Script Help - Valdis Story |
Hi all,
I tried to write a script for the above game and ran into a lot of difficulties until I realized it was a Game Maker Studio game. I've been through the tutorial by h3x1c. The script is below.
Code: | [ENABLE]
aobscanmodule(PlayerStatus,Valdis_Story_AC.exe,DD 5E 08 5E 5D C3 CC CC 56) // should be unique
alloc(newmem,$1000)
alloc(health,8)          // dq stores 8 bytes, so reserve 8 rather than 4
alloc(MP,8)
alloc(abillity,8)
alloc(skills,8)
label(code)
label(originalcode)
label(return)
label(playerHealth)
label(playerAbillity)
label(playerSkills)
label(playerMP)
health:
dq (double)9999
abillity:
dq (double)999
skills:
dq (double)999
MP:
dq (double)999
newmem:
code:
push ebx                 // ebx is saved here but never popped before the original pops below
mov ebx,[ebp-4074]       // pointer read from the stack frame (see the register dumps below)
pushf                    // flags saved; no path pops them again
cmp ebx,2CF9FF50         // per-session heap addresses taken from the stack view
je playerHealth
cmp ebx,1CF25C20
je playerAbillity
cmp ebx,1CF25950
je playerSkills
mov ebx,[ebp-4078]
cmp ebx,2CF9F7F8
je playerMP
jmp originalcode
playerHealth:
fstp st(0)               // drop the value the game is about to store
fld qword ptr [health]   // and load ours in its place
jmp originalcode
playerAbillity:
fstp st(0)
fld qword ptr [abillity]
jmp originalcode
playerSkills:
fstp st(0)
fld qword ptr [skills]
jmp originalcode
playerMP:
fstp st(0)
fld qword ptr [MP]
jmp originalcode
originalcode:
fstp qword ptr [esi+08]  // the overwritten bytes: the store plus the epilogue's pop esi / pop ebp
pop esi
pop ebp
jmp return               // lands on the ret (C3) that follows the patched bytes
PlayerStatus:
jmp newmem               // 5-byte jmp replaces DD 5E 08 5E 5D exactly
return:
registersymbol(PlayerStatus)
[DISABLE]
PlayerStatus:
db DD 5E 08 5E 5D        // restore the original bytes
unregistersymbol(PlayerStatus)
dealloc(newmem)
dealloc(health)
dealloc(abillity)
dealloc(skills)
dealloc(MP) |
The game crashes upon activation of the script.
I am not sure what I'm doing wrong.
I've attached a screen grab of the stacks for the addresses.
Below is a list of the opcodes that are different
Health:  EBX=2CF9FF50  EDX=0017D50C  EDI=00018EE1  ESP=0017948C  EBP=0017D50C
MP:      EBX=2CF9F7F8  EDX=0018F910  EDI=0001959F  ESP=0018B88C  EBP=0018F910
Ability: EBX=1CF25C20  EDX=0018B010  EDI=00018EFE  ESP=00186F90  EBP=0018B010
Skills:  EBX=1CF25950  EDX=00181E10  EDI=00018EFF  ESP=0017DD90  EBP=00181E10
FreeER Grandmaster Cheater Supreme
Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Wed Nov 22, 2017 6:13 am Post subject: |
You push the flags with pushf but you don't call popf anywhere... possibly you handle it in another way, but crashes tend to be caused by the simpler problems you overlooked (or a pointer occasionally being 0), especially once you feel confident enough to try these more complex scripts.
BTW, using esp instead of ebp would make the offsets much simpler in this case (right click in the stack view and you can change how CE shows them, some programs don't use a base pointer at all so you have to use esp).
Ejay1984 Newbie cheater
Reputation: 0
Joined: 16 Nov 2017 Posts: 24
Posted: Wed Nov 22, 2017 6:57 am Post subject: |
FreeER wrote: | You push the flags with pushf but you don't call popf anywhere... possibly you handle it in another way, but crashes tend to be caused by the simpler problems you overlooked (or a pointer occasionally being 0), especially once you feel confident enough to try these more complex scripts.
BTW, using esp instead of ebp would make the offsets much simpler in this case (right click in the stack view and you can change how CE shows them, some programs don't use a base pointer at all so you have to use esp). |
Ahh. Where would I have to insert popf after all the cmp commands?
FreeER Grandmaster Cheater Supreme
Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Wed Nov 22, 2017 7:25 am Post subject: |
It'd have to come after the conditional jump (je), since it uses the flags to decide whether to jump. Since all paths end up in originalcode, I'd place it at the start there.
Though it really doesn't look as if you needed to push the flags in the first place. You really only need to save the flags if you're hooking somewhere in between the game setting the flags and using them (like in between a cmp and a conditional jump)... so you may be able to just remove the pushf.
Ejay1984 Newbie cheater
Reputation: 0
Joined: 16 Nov 2017 Posts: 24
Posted: Wed Nov 22, 2017 8:30 am Post subject: |
FreeER wrote: | It'd have to come after the conditional jump (je), since it uses the flags to decide whether to jump. Since all paths end up in originalcode, I'd place it at the start there.
Though it really doesn't look as if you needed to push the flags in the first place. You really only need to save the flags if you're hooking somewhere in between the game setting the flags and using them (like in between a cmp and a conditional jump)... so you may be able to just remove the pushf. |
Removing pushf caused the game to crash, so I'll insert the popf after the last conditional jump.
EDIT:
This is the script I've come up with. I was able to find an offset value that was constant across the ebx values:
Code: | [ENABLE]
aobscanmodule(PlayerStatus,Valdis_Story_AC.exe,DD 5E 08 5E 5D C3 CC CC 56) // should be unique
alloc(newmem,$100)
alloc(health,8)          // dq stores 8 bytes, so reserve 8 rather than 4
alloc(abillity,8)
alloc(skills,8)
alloc(MP,8)
label(code)
label(originalcode)
label(return)
label(playerHealth)
label(playerAbillity)
label(playerSkills)
label(playerMP)
health:
dq (double)9999
abillity:
dq (double)999
skills:
dq (double)999
MP:
dq (double)999
newmem:
code:
push ebx                 // ebx is saved here but never popped before the original pops below
mov ebx,[ebp+20]         // one frame offset now serves all four values
pushf                    // flags saved; popped only on the fall-through path below
cmp ebx,2AAE9C18         // per-session heap addresses taken from the stack view
je playerHealth
cmp ebx,1CB44438
je playerAbillity
cmp ebx,1CB44578
je playerSkills
cmp ebx,2AAE9A60
je playerMP
popf                     // reached only when no je was taken; the four taken paths skip it
jmp originalcode
playerHealth:
fstp st(0)               // drop the value the game is about to store
fld qword ptr [health]   // and load ours in its place
jmp originalcode
playerAbillity:
fstp st(0)
fld qword ptr [abillity]
jmp originalcode
playerSkills:
fstp st(0)
fld qword ptr [skills]
jmp originalcode
playerMP:
fstp st(0)
fld qword ptr [MP]
jmp originalcode
originalcode:
fstp qword ptr [esi+08]  // the overwritten bytes: the store plus the epilogue's pop esi / pop ebp
pop esi
pop ebp
jmp return               // lands on the ret (C3) that follows the patched bytes
PlayerStatus:
jmp newmem               // 5-byte jmp replaces DD 5E 08 5E 5D exactly
return:
registersymbol(PlayerStatus)
[DISABLE]
PlayerStatus:
db DD 5E 08 5E 5D        // restore the original bytes
unregistersymbol(PlayerStatus)
dealloc(newmem)
dealloc(health)
dealloc(abillity)
dealloc(skills)
dealloc(MP) |
Would be grateful for comments before assigning it.
Cheers
FreeER Grandmaster Cheater Supreme
Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Wed Nov 22, 2017 10:20 am Post subject: |
Quote: | since all paths end up in originalcode I'd place it at the start there. |
If you just place it after the je then it only pops the flags if the jump is not taken. When the jump is taken, it never runs, so the pushed flags never get popped, the stack isn't in the same state as before the hook, and the game will almost certainly crash when it's time to return from a function and it tries to read the return address from the stack. If you push something (in order to save and restore the value) you always need to pop it no matter which way the jump goes.
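The point FreeER makes in his two replies above (every push must be matched by a pop on every path, and the popf belongs where all paths converge) can be checked mechanically. The block below is an added example, not code from the thread or from Cheat Engine: a small static walker that parses the [ENABLE] part of an auto-assembler script, follows every path from newmem to `jmp return`, and reports the net number of dwords each path leaves on the stack. It works on a constructed, condensed copy of the second script (two of the four compares, no data block) and on a corrected variant that applies FreeER's suggestion of putting popf at the start of originalcode. The corrected variant also pops ebx there, which neither posted script does (an observation of the editor, not something raised in the thread). The expected net of -2 is the effect of the overwritten `pop esi` / `pop ebp`; the checker is general enough to run on any CE hook script with the same label conventions.

```python
"""Stack-balance check for a Cheat Engine auto-assembler hook (added example):
walks every path from the hook entry to 'jmp return' and reports the net dwords
each path leaves on the stack (+1 per push/pushf, -1 per pop/popf)."""
import re

STACK_EFFECT = {"push": 1, "pushf": 1, "pushfd": 1, "pushad": 8,
                "pop": -1, "popf": -1, "popfd": -1, "popad": -8}
COND_JUMPS = {"je", "jne", "jz", "jnz", "ja", "jb", "jae", "jbe",
              "jg", "jl", "jge", "jle", "jc", "jnc", "js", "jns"}
DIRECTIVE = re.compile(r"^\w+\(.*\)$")   # alloc(...), label(...), aobscanmodule(...)

def parse_enable_section(text):
    """(instructions, labels) for the [ENABLE] part; directives, data and comments skipped."""
    text = text.split("[ENABLE]", 1)[-1].split("[DISABLE]", 1)[0]
    instrs, labels = [], {}
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line or DIRECTIVE.match(line):
            continue
        if re.fullmatch(r"\w+:", line):
            labels[line[:-1]] = len(instrs)      # label -> index of next instruction
            continue
        mnem, _, operand = line.partition(" ")
        if mnem.lower() in ("db", "dw", "dd", "dq"):
            continue                             # data, never executed
        instrs.append((mnem.lower(), operand.strip()))
    return instrs, labels

def stack_depth_per_path(text, entry="newmem", exit_label="return"):
    """Map each path (tuple of branch decisions) to its net stack change.
    Conditional jumps fork the walk; 'jmp <exit_label>' ends a path; a loop stops it."""
    instrs, labels = parse_enable_section(text)
    results = {}
    work = [(labels[entry], 0, (), frozenset())]   # pc, net, decisions, seen
    while work:
        pc, net, path, seen = work.pop()
        while pc < len(instrs) and pc not in seen:
            seen = seen | {pc}
            mnem, operand = instrs[pc]
            net += STACK_EFFECT.get(mnem, 0)
            if mnem == "jmp":
                if operand == exit_label:
                    results[path] = net
                    break
                pc = labels[operand]
            elif mnem in COND_JUMPS:
                work.append((labels[operand], net, path + (f"{mnem} {operand} taken",), seen))
                path += (f"{mnem} {operand} not taken",)
                pc += 1
            else:
                pc += 1
    return results

def is_balanced(text, expected_net, **kw):
    """True iff every path nets expected_net, the net of the overwritten instructions."""
    depths = stack_depth_per_path(text, **kw)
    return bool(depths) and all(d == expected_net for d in depths.values())

# Constructed, condensed copy of the thread's second script (two of its four
# compares, no data block): popf only on the fall-through path, ebx never popped.
POSTED = """[ENABLE]
aobscanmodule(PlayerStatus,Valdis_Story_AC.exe,DD 5E 08 5E 5D C3 CC CC 56) // should be unique
alloc(newmem,$100)
newmem:
push ebx
mov ebx,[ebp+20]
pushf
cmp ebx,2AAE9C18
je playerHealth
cmp ebx,2AAE9A60
je playerMP
popf
jmp originalcode
playerHealth:
fstp st(0)
fld qword ptr [health]
jmp originalcode
playerMP:
fstp st(0)
fld qword ptr [MP]
jmp originalcode
originalcode:
fstp qword ptr [esi+08]
pop esi
pop ebp
jmp return
PlayerStatus:
jmp newmem
return:
[DISABLE]
"""
# Corrected variant: popf moved to the start of originalcode, where every path
# arrives, and the saved ebx restored there as well (editor's addition).
FIXED = POSTED.replace("popf\njmp originalcode\n", "jmp originalcode\n") \
              .replace("originalcode:\nfstp", "originalcode:\npopf\npop ebx\nfstp")
# DD 5E 08 5E 5D is fstp [esi+08] / pop esi / pop ebp: net -2 dwords per pass.
ORIGINAL_NET = -2

if __name__ == "__main__":
    for name, script in (("posted", POSTED), ("fixed", FIXED)):
        print(name, is_balanced(script, ORIGINAL_NET), stack_depth_per_path(script))
```

On the posted form the two je-taken paths net 0 (ebx and the flags both still on the stack when the epilogue's pops run) and the fall-through path nets -1 (only ebx left), so `is_balanced(POSTED, -2)` is False and the function's ret would read a wrong return address on every path. The corrected form nets -2 on all three paths. The walker only counts explicit push/pop instructions; a hook that adjusts esp directly or calls into the game would need those effects modelled too.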
Ejay1984 Newbie cheater
Reputation: 0
Joined: 16 Nov 2017 Posts: 24
Posted: Thu Nov 23, 2017 10:34 am Post subject: |
Thanks for your help. This is my first attempt at a complex script hence my novice