undyingpants How do I cheat?
Reputation: 0
Joined: 23 Jun 2023 Posts: 1
Posted: Fri Jun 23, 2023 10:29 am Post subject: Unable to find the right address for CRC bypass
Alright, this is an immature post. I had a Cheat Table that I've been using, but a game patch now basically crashes me. I studied what could be a possible solution to bypass this new patch.
But I did not know what kind of anti-cheat detection the game uses. So I went on a journey to indulge myself in this no-sleep adventure to find a solution.
After a couple of weeks of trying to find the "right" solution (I could be wrong), I suspect that the game has added a CRC detection. What made me suspect it's CRC:
1. The game only crashes (not immediately) after applying the cheat table (tick).
2. I used the feature "Find out what accesses this address" and found that this instruction, "510B25E0 - 69 07 8935147A - imul eax,[edi],7A143589", has been accessing all the patched cheat table instructions.
Therefore I have been looking into a solution for CRC bypass and found what I think would be the closest solution. What does the bypass do? It points the CRC to a duplicated address so that it doesn't detect any discrepancies during its CRC.
But it doesn't work, and I feel like I know what the issue is.
Code:
[ENABLE]
{$lua}
if addressOfCopy==nil then
addressOfCopy=copyMemory(getAddress(process), getModuleSize(process))
end
{$asm}
alloc(newmem,2048,"Client.dll"+25E0)
alloc(addressThatHoldsTheModuleBase,8,"Client.dll"+25E0)
alloc(addressThatHoldTheModuleEnd,8,"Client.dll"+25E0)
alloc(addressThatHoldsTheCopyBase,8,"Client.dll"+25E0)
addressThatHoldsTheModuleBase:
dq $process // fill the address with the address of the module base
addressThatHoldsTheModuleEnd:
dq $process+getModuleSize(process)
addressThatHoldsTheCopyBase:
dq $addressOfCopy
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
push rax
lea rax,[edi]//store rax. Dont forget to restore later
cmp rax,[addressThatHoldsTheModuleBase]
jb originalcode //if below its not inside
cmp rax,[addressThatHoldTheModuleEnd]
ja originalcode //if above its not inside
//still here , so inside the module. So we need to adjust
sub rax,[addressThatHoldsTheModuleBase]
add rax,[addressThatHoldsTheCopyBase]
imul eax,[rax],7A143589
jmp exit
notinsidemodule:
originalcode:
imul eax,[edi],7A143589
exit:
pop rax
jmp returnhere
"Client.dll"+25E0:
jmp newmem
nop
returnhere:
[DISABLE]
dealloc(newmem)
"Client.dll"+25E0:
imul eax,[edi],7A143589
"imul" doesn't seem like the correct instruction that I should be tampering with. In the couple of tutorial videos I've seen, the "Client.dll" instructions were all "mov". So this resulted in the wrong instruction being sent with "lea rax,[edi]".
I'd appreciate it if anyone could enlighten me on:
1. Is my diagnosis correct that the game patch added CRC detection to the game?
2. What went wrong with the solution?
I'd appreciate it if anyone could redirect me to learning sources so that I understand this better and could make it a success. Thanks