    #1 dotHBM (Newbie, joined Jan 2018, 21 posts)
      Convert Cheat Engine Script to C++ Code Cave

      Hello guys, so I have trouble converting this type of CE script, which has a return label, into C++:

      alloc(Hack,128)
      label(return)

      Hack:
      mov eax,[02EFF398]
      lea eax,[eax+04]
      mov [ecx+4A8+08],eax
      push ebp
      mov ebp,esp
      push -01
      jmp return

      02350D60:
      jmp Hack
      return:

      dealloc(Hack)


      While googling around I read that "the return label will be replaced with the calculated return address".

      I tried writing it as below but failed. Do I need to change push -01 to push 0 or to 0x01? I tried, but it does not work anyway.

      _declspec(naked) DWORD _stdcall myHackCC()
      {
          _asm
          {
              mov eax, [cuserlocal]
              lea eax, [eax + 0x04]
              mov [ecx + 0x4A8 + 0x08], eax
              push ebp
              mov ebp, esp
              push -01
              jmp return

          return:

          }
      }



      // rel32 for a 5-byte E9 jmp at frm that lands on to
      #define jmp(frm,to) (int)(((int)to-(int)frm) - 5)

      // myhack, myhackori and myHackCheck are declared elsewhere in the trainer (not shown)
      void myHack(HWND hwnd)
      {
          if(myHackCheck)
          {
              // write "jmp myHackCC" over the first 5 bytes at myhack
              *(BYTE*)myhack = 0xE9;
              *(DWORD*)(myhack + 1) = jmp(myhack, myHackCC);
          }
          else
          {
              // restore the 5 original bytes (push ebp; mov ebp,esp; push -1)
              myhack = myhackori;
              memcpy((void*)myhack, "\x55\x8B\xEC\x6A\xFF", 5);
          }
      }


      My guess is that my code is wrongly written in the naked function? I would appreciate it if anyone could guide me!
      Thanks!
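      An added example, my own C rather than code from the thread, of the arithmetic behind the jmp(frm,to) macro above and of what the CE "return" label resolves to: the address just past the 5-byte jmp written at the hook site, i.e. 02350D60 + 5, which is where the cave has to jump back after replaying the bytes the hook overwrote (55 8B EC 6A FF, as in the memcpy). The hook address and the original bytes come from the thread; the cave address 0x02A00000, the one-byte NOP payload and the hexdump helper are constructed for this example. It only works on local buffers and never touches another process, so it runs offline as a check on the math. It also encodes the push from the script: push -1 assembles to the two bytes 6A FF, while push 0xFF (255) does not fit a sign-extended byte and becomes the five-byte 68 FF 00 00 00.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN 5  /* E9 + rel32 */

/* Little-endian helpers: x86 immediates and displacements are stored LSB first. */
static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Same value as the thread's jmp(frm,to) macro: the displacement is relative to
   the end of the jmp, hence target - (site + 5). uint32_t arithmetic wraps, so a
   backward jump simply comes out as a negative rel32. */
int32_t jmp_rel32(uint32_t site, uint32_t target) {
    return (int32_t)(target - (site + JMP_LEN));
}

/* Encode "jmp target" at address `site` as E9 rel32 (the 0xE9 the OP writes). */
void encode_jmp(uint32_t site, uint32_t target, uint8_t out[JMP_LEN]) {
    out[0] = 0xE9;
    store_le32(out + 1, (uint32_t)jmp_rel32(site, target));
}

/* Decode an E9 jmp found at `site`; returns 0 when the first byte is not E9. */
uint32_t decode_jmp_target(uint32_t site, const uint8_t in[JMP_LEN]) {
    if (in[0] != 0xE9) return 0;
    return site + JMP_LEN + load_le32(in + 1);
}

/* push imm: 6A ib when the value survives sign-extension from one byte,
   otherwise 68 id. Returns the instruction length. */
size_t encode_push_imm(int32_t v, uint8_t out[5]) {
    if (v >= -128 && v <= 127) { out[0] = 0x6A; out[1] = (uint8_t)v; return 2; }
    out[0] = 0x68;
    store_le32(out + 1, (uint32_t)v);
    return 5;
}

/* Cave layout: new code, then the bytes the hook overwrote (so the original
   prologue still runs), then a jmp back to hook + stolen_len, which is exactly
   what CE's "return" label resolves to. Returns the cave length. */
size_t build_cave(uint32_t hook, uint32_t cave,
                  const uint8_t *payload, size_t payload_len,
                  const uint8_t *stolen, size_t stolen_len, uint8_t *out) {
    size_t back = payload_len + stolen_len;   /* offset of the return jmp */
    memcpy(out, payload, payload_len);
    memcpy(out + payload_len, stolen, stolen_len);
    encode_jmp(cave + (uint32_t)back, hook + (uint32_t)stolen_len, out + back);
    return back + JMP_LEN;
}

/* Hook address and original bytes are the thread's; cave address and the NOP
   payload are constructed for this example. */
#define HOOK_ADDR 0x02350D60u
#define CAVE_ADDR 0x02A00000u
static const uint8_t STOLEN[5]  = { 0x55, 0x8B, 0xEC, 0x6A, 0xFF };
static const uint8_t PAYLOAD[1] = { 0x90 };

/* 1 when the round trip checks out: the hook jmp lands on the cave, the stolen
   bytes are replayed, and the cave's final jmp lands on hook + 5. */
int self_check(void) {
    uint8_t hookjmp[JMP_LEN], cave[64];
    size_t n = build_cave(HOOK_ADDR, CAVE_ADDR, PAYLOAD, sizeof PAYLOAD,
                          STOLEN, sizeof STOLEN, cave);
    encode_jmp(HOOK_ADDR, CAVE_ADDR, hookjmp);
    if (decode_jmp_target(HOOK_ADDR, hookjmp) != CAVE_ADDR) return 0;
    if (n != sizeof PAYLOAD + sizeof STOLEN + JMP_LEN) return 0;
    if (memcmp(cave + sizeof PAYLOAD, STOLEN, sizeof STOLEN) != 0) return 0;
    if (decode_jmp_target(CAVE_ADDR + (uint32_t)(n - JMP_LEN), cave + n - JMP_LEN)
            != HOOK_ADDR + JMP_LEN) return 0;
    return 1;
}

static void hexdump(const char *what, const uint8_t *p, size_t n) {
    printf("%-22s", what);
    for (size_t i = 0; i < n; i++) printf(" %02X", p[i]);
    putchar('\n');
}

int main(void) {
    uint8_t hookjmp[JMP_LEN], cave[64], push[5];
    size_t n = build_cave(HOOK_ADDR, CAVE_ADDR, PAYLOAD, sizeof PAYLOAD,
                          STOLEN, sizeof STOLEN, cave);
    encode_jmp(HOOK_ADDR, CAVE_ADDR, hookjmp);
    hexdump("hook site (jmp cave):", hookjmp, JMP_LEN);
    hexdump("cave:", cave, n);
    printf("return address:        %08X\n", HOOK_ADDR + JMP_LEN);
    hexdump("push -1:", push, encode_push_imm(-1, push));
    hexdump("push 0xFF:", push, encode_push_imm(0xFF, push));
    return self_check() ? 0 : 1;
}
```

      With the constructed cave address the hook site becomes E9 9B F2 6A 00, and the last five bytes of the cave decode back to 02350D65, which is the "return" the script's label stands for. Swapping the two-byte push -1 for the five-byte push 0xFF changes both the value pushed and the length of the code the cave replays.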

    #2 IXSO (Newbie, joined Dec 2017, 32 posts)
      DWORD cuserlocal = 0x02EFF398;
      void _declspec(naked) myHackCC()
      {
          _asm
          {
              mov eax, [cuserlocal]
              lea eax, [eax + 0x04]   // wouldn't ``add eax, 4`` be simpler (same amount of bytes)?
              mov [ecx + 0x4B0], eax  // does it even compile with 2 offsets?
              push ebp                // is this the code you detoured?
              mov ebp, esp
              push 0xFF               // -1
              jmp [label1]            // use square brackets

          label1:
              // do shit
          }
      }

      Correct me if I'm wrong - you detoured a function at its beginning and want to change ``eax`` before it executes.
      I don't get the point of that jump to a label. Are you intending to search the hook for ``0xE9`` and place a jump back to the detoured code? If so, just declare a variable containing the address and jump to it (``jmp [address]``).
      Also make sure you have write access when and if detouring.
      Last edited by IXSO; 02-11-2018 at 08:16 AM.

    #3 dotHBM
      Quote Originally Posted by IXSO:

      DWORD cuserlocal = 0x02EFF398;
      void _declspec(naked) myHackCC()
      {
          _asm
          {
              mov eax, [cuserlocal]
              lea eax, [eax + 0x04]   // wouldn't ``add eax, 4`` be simpler (same amount of bytes)?
              mov [ecx + 0x4B0], eax  // does it even compile with 2 offsets?
              push ebp                // is this the code you detoured?
              mov ebp, esp
              push 0xFFFFFFFF         // -1
              jmp [label1]            // use square brackets

          label1:
              // do shit
          }
      }

      Correct me if I'm wrong - you detoured a function at its beginning and want to change ``eax`` before it executes.
      I don't get the point of that jump to a label. Are you intending to search the hook for ``0xE9`` and place a jump back to the detoured code? If so, just declare a variable containing the address and jump to it (``jmp [address]``).
      Also make sure you have write access when and if detouring.

      I'm not really sure what the script does or where it's doing the detour... The script is available online and I just want to convert it into my trainer in C++. I'm having trouble understanding the jmp return part, because the return: part declares nothing. Here's the original script:

      [ENABLE]
      alloc(Aggro,128)
      label(return)

      Aggro:
      mov eax,[02EFF398]
      lea eax,[eax+04]
      mov [ecx+4A8+08],eax

      push ebp
      mov ebp,esp
      push -01
      jmp return

      02350D60:
      jmp Aggro
      return:

      [DISABLE]
      02350D60:
      push ebp
      mov ebp,esp
      push -01

      dealloc(Aggro)


      Scripts that don't have that return label I'm able to put in my trainer... just this one is giving me a headache. Looks simple, but nasty lol. Any idea?

      Edit:
      Found out that the return is the disabled bytes. So my return address would be myhack+0x05.
      I replaced them like this:

      jmp [myhackreturn]

      I can see my hack works, but it crashes immediately after a sec.
      Last edited by dotHBM; 02-11-2018 at 12:39 AM.

    #4 dotHBM
      bump anyone

    #5 IXSO
      Why don't you show us your code now?
      BTW you can always take a debugger, place a BP on 0x02350D60, step over and see what's wrong.

    #6 dotHBM
      My game would crash if I toggle a breakpoint. Here's my progress:

      DWORD reta = 0x02350D65;

      _declspec(naked) DWORD _stdcall MobAggroCC()
      {
          _asm
          {
              mov eax, [cuserlocal]
              lea eax, [eax + 0x04]
              mov [ecx + 0x4A8 + 0x08], eax

              push ebp
              mov ebp, esp
              push 0xFF
              jmp [reta]

              //return:
          }
      }


      I think I sort of know what the return label does now. I tried playing around with my Cheat Engine script to see what it does:

      [ENABLE]
      alloc(Aggro,128)
      label(return)

      Aggro:
      mov eax,[02EFF398]
      lea eax,[eax+04]
      mov [ecx+4A8+08],eax

      push ebp
      mov ebp,esp
      push -01
      jmp return

      02350D60:
      jmp Aggro
      return:
      push 028E0CEE // I tried adding this part which is after my modified part and works fine

      [DISABLE]
      02350D60:
      push ebp
      mov ebp,esp
      push -01

      dealloc(Aggro)


      This is the memory region if it helps.
      Original: [screenshot of the memory view, not preserved]

      Hack activated: [screenshot of the memory view, not preserved]

      This is the memory view when edited with my own C++ code: [screenshot, not preserved]

      I've tried a lot of methods now and it doesn't work.... Would really need help :/
      Thanks for your time!

    #7 IXSO
      The __asm script looks good to me. You can try changing ``_declspec(naked) DWORD _stdcall MobAggroCC()`` to ``void __declspec(naked) MobAggroCC()`` because there is probably a misunderstanding between ``__declspec(naked)`` and ``__stdcall``. If that doesn't solve it, you might have to place a breakpoint on 02350D60 and debug.

    #8 dotHBM
      Quote Originally Posted by IXSO:
      The __asm script looks good to me. You can try changing ``_declspec(naked) DWORD _stdcall MobAggroCC()`` to ``void __declspec(naked) MobAggroCC()`` because there is probably a misunderstanding between ``__declspec(naked)`` and ``__stdcall``. If that doesn't solve it, you might have to place a breakpoint on 02350D60 and debug.

      Still crashes my game :/. I can't place a breakpoint because my game would crash once I attach a debugger.

    #9 IXSO
      Quote Originally Posted by dotHBM:
      Still crashes my game :/. I can't place a breakpoint because my game would crash once I attach a debugger.

      Does it crash with detection or simply crash? If you're using CE, make sure you have the VEH debugger enabled.
      You can still follow the jump with Enter or right-click -> Follow and compare the hook with what CE generates (post it here as well).
      Your goal is to achieve the same result as with CE, right?

    #10 dotHBM
      Quote Originally Posted by IXSO:
      Does it crash with detection or simply crash? If you're using CE, make sure you have the VEH debugger enabled.
      You can still follow the jump with Enter or right-click -> Follow and compare the hook with what CE generates (post it here as well).
      Your goal is to achieve the same result as with CE, right?

      Crash without detection, and I'm under the VEH debugger.

      I made it work with the following code:

      __declspec(naked) void __stdcall MobAggroCC()
      {
          _asm
          {
              mov eax, [cuserlocal]
              mov eax, [eax]
              lea eax, [eax + 0x04]
              mov [ecx + 0x4A8 + 0x08], eax
              push ebp
              mov ebp, esp
              push 0xFF
              jmp dword ptr [mobaggroret]
          }
      }


      May I ask what the difference is between jmp dword ptr [label] and jmp [label]? And yes, I'm trying to achieve the same result as CE!
