Topic: CodeCaving with Ammo


UnKnOwNCoDe

CodeCaving with Ammo
« on: July 23, 2007, 08:08:08 pm »
.
« Last Edit: May 28, 2012, 11:53:29 pm by UnKnOwNCoDe »

M. O.

Re: CodeCaving with Ammo
« Reply #1 on: July 23, 2007, 10:23:10 pm »
Are you sure 0x400000 is blank and readable? Did you use some code cave finder for that?

I also see that you use call and ret. Ret usually returns something and _could_ overwrite some other register. That's possible especially if you want to send in parameters and ret another. But I would use simple jmps, which is also the standard approach.

So instead of a call I would use:

jmp 0x400000
; any nops, if needed, especially when your jmp overwrites instructions below and "distorts" them -> replace with nops until the first non-distorted opcode

offset 0x400000
; any code you had to overwrite first, i.e. distorted/replaced code, by the jmp
; your code
jmp [0x400000+the length of the jmp instruction in bytes, i.e. next non-distorted opcode, usually after the nops]


The unpatched code will also have to replace any overwritten instructions below the old jump.
Heckling is an art, and game hacking a science.

M. O.

Re: CodeCaving with Ammo
« Reply #2 on: July 24, 2007, 12:46:21 am »
You might also have to decrease edx back to -1 after the mov. Double check your nop and other opcode balancing.
Heckling is an art, and game hacking a science.

M. O.

Re: CodeCaving with Ammo
« Reply #3 on: July 24, 2007, 04:29:17 am »
[Ok, I see you got your prob solved but I'll post my reply anyway]

I would pick some other code cave tool. There are a lot more caves than that. They usually give you the correct mem region too, but I'm not sure how you make your trainer; I guess it's TMK and also guess that they change rights when needed.

Opcode balancing is important to ensure that no code gets lost.

For instance if your original code is this:

mov [ebp+0x314], edx
mov [ebp+0x318], eax
mov [ebp+0x31B], ebx

And you do this:
mov [ebp+0x314], edx
jmp 0xAddy

You will most likely overwrite:
mov [ebp+0x318], eax

which means you need to recreate it in your code cave.

You'll also likely get the situation where your replacement screws up some code:
mov [ebp+0x314], edx
jmp 0xAddy
add ebx,9            ; example; this shouldn't be here
mov [ebp+0x31B], ebx ; this is ok, but usually everything after the jmp will be screwed up

To fix this you balance with nops:
mov [ebp+0x314], edx
jmp 0xAddy
nop
nop
...
nop                  ; result = no new operations
mov [ebp+0x31B], ebx ; jump back here

As you see, your mov [ebp+0x318] disappears and probably causes an error or a crash. So it has to be recreated.


Edit:
+ I think you should put edx back to -1 in order to avoid problems.
Heckling is an art, and game hacking a science.
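The opcode balancing described in replies #3 and #6 (a 5-byte jmp displacing whole instructions, the clobbered instruction re-created at the top of the cave, the cave jumping back to the next intact opcode), worked through as an added Python example; this is not code from the thread. The base address, cave address, bytes and pre-decoded instruction lengths are constructed for the sample; a real tool would take lengths from a disassembler.

```python
import struct

JMP_REL32_LEN = 5   # E9 + 4-byte signed displacement
NOP = 0x90
# Constructed sample: the three movs from reply #3 (6 bytes each on x86-32) and a
# ret, placed at a made-up address. Not the poster's real offsets.
SAMPLE_BASE = 0x45BA20
SAMPLE_BYTES = bytes.fromhex(
    "899514030000"  # mov [ebp+0x314], edx
    "898518030000"  # mov [ebp+0x318], eax
    "899d1b030000"  # mov [ebp+0x31B], ebx
    "c3"            # ret
)
# Pre-decoded (address, length, text); a real tool gets these from a disassembler.
SAMPLE_INSNS = [
    (0x45BA20, 6, "mov [ebp+0x314], edx"),
    (0x45BA26, 6, "mov [ebp+0x318], eax"),
    (0x45BA2C, 6, "mov [ebp+0x31B], ebx"),
    (0x45BA32, 1, "ret"),
]

def plan_cave_patch(insns, patch_addr):
    """Return (displaced, nop_count, return_addr) for a 5-byte jmp at patch_addr:
    instructions the jmp clobbers (re-create them at the top of the cave), NOPs
    needed to pad to the next instruction boundary, and where the cave jumps back."""
    covered, displaced = 0, []
    for addr, length, text in insns:
        if addr < patch_addr:
            continue
        if covered >= JMP_REL32_LEN:
            return displaced, covered - JMP_REL32_LEN, addr
        displaced.append(text)
        covered += length
    raise ValueError("patch site runs past the end of the known code")

def write_jmp_patch(code, base, insns, patch_addr, cave_addr):
    """Return a copy of code with a balanced jmp to cave_addr written at patch_addr."""
    _, nops, _ = plan_cave_patch(insns, patch_addr)
    rel = cave_addr - (patch_addr + JMP_REL32_LEN)  # rel32 is relative to the next insn
    off = patch_addr - base
    patch = b"\xe9" + struct.pack("<i", rel) + bytes([NOP]) * nops
    return code[:off] + patch + code[off + len(patch):]

def is_balanced(code, base, insns, patch_addr):
    """Integrity check: E9 at patch_addr followed by nothing but NOPs up to the boundary."""
    _, nops, _ = plan_cave_patch(insns, patch_addr)
    off = patch_addr - base
    pad = code[off + JMP_REL32_LEN : off + JMP_REL32_LEN + nops]
    return code[off] == 0xE9 and all(b == NOP for b in pad)
```

Patching the second mov shows the thread's case: one instruction displaced, one NOP of padding, and the cave must return to the third mov; a jmp written without the NOP fails the balance check because the leftover sixth byte of the old mov is still there.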

M. O.

Re: CodeCaving with Ammo
« Reply #4 on: July 24, 2007, 05:53:57 am »
You're probably overwriting some extra code when you enter the dec in the 45BA2D location.

Put the decs right before the ret and it should work without any extra changes.
Heckling is an art, and game hacking a science.

MrMedic

Re: CodeCaving with Ammo
« Reply #5 on: July 24, 2007, 02:23:01 pm »
crossword clue : 

7 down : call the police or he will never return.
EnCoded Message: i3iy9yl8kr2xf3g2Txs3pr6ye3ya7jg5ty2z

https://www.youtube.com/watch?v=62_7-AYfdkQ
you need a paypal account for the private versions.

Website:
http://bit.ly/medic101

Teamspeak 3: 85.236.101.5:10157

M. O.

Re: CodeCaving with Ammo
« Reply #6 on: July 24, 2007, 03:57:01 pm »
No no, not like that.

Now you just increase edx and decrease it just after. => No change of edx for your ammo.
inc before mov and dec after, like in your second snippet.

I think what's causing your probs is that the length of jmp is different to that of call, which you used before. You might have to add or remove nops + put code that the jmp overwrote in the cave.
Heckling is an art, and game hacking a science.

M. O.

Re: CodeCaving with Ammo
« Reply #7 on: July 24, 2007, 08:25:26 pm »
That will be a bit harder:

Code: (asm)
push edx              ; push edx to stack
mov edx, 0x32
mov [ebp+0x314], edx  ; but now it will increase with 50; for jumping to 50 you need to do more research, i.e. find the current ammo value, check ebp+0x314
pop edx               ; restore edx to what it was, in order to avoid probs

If you want to make it jump to 50 (for instance when ammo is 0) and _then_ decrease, you'll have to do something like this:
Code: (asm)
push edx
cmp yourCurrentAmmo, 0x0              ; or cmp isOutofAmmo, 0x1
jle codeCaveForIncreaseWithFifty      ; no ammo = true? jump if less or equal
mov [ebp+0x314], edx
pop edx                               ; restore edx from stack

offset codeCaveForIncreaseWithFiftyLocation
mov edx, 0x32
jmp jumpBackLocation                  ; the operation right after the jle

Or skip the extra code cave and make it jump over the increase by 50 code.

Code: (asm)
push edx
cmp yourCurrentAmmo, 0x0
jg skipTheIncrease      ; is there ammo? jump there if greater than 0
mov edx, 0x32
skipTheIncrease:
mov [ebp+0x314], edx
pop edx                 ; restore edx from stack

You'll still have to balance nops etc. to make sure you don't overwrite any operations.
Heckling is an art, and game hacking a science.

MrMedic

Re: CodeCaving with Ammo
« Reply #8 on: July 30, 2007, 01:58:54 am »
as promised m8 here is a quick tut for ammo ( or godmode life etc )

ok step 1:

attach tsearch to kuma

step 2 : find your life counter offset

step 3 : equip 3 medpacks

step 4 : breakpoint health pointer

step 5 : throw a nade or get hurt a little

step 6 : use a medpack

step 7 : look at what changed life

step 8 : should be something like mov [blahblah+blahblah],64 ( 64 hex = decimal 100 health )

step 9 : change the 64 to whatever you want and every time you press the medpack key you get whatever life you want.

ammo is the same just replace the medpack keypress with reload key

happy hacking m8


Medic :)
« Last Edit: July 30, 2007, 02:08:50 am by MrMedic »

UnKnOwNCoDe

Re: CodeCaving with Ammo
« Reply #9 on: July 30, 2007, 08:39:41 pm »
.
« Last Edit: May 28, 2012, 11:51:19 pm by UnKnOwNCoDe »

[TKC]Wesker

Re: CodeCaving with Ammo
« Reply #10 on: July 30, 2007, 10:06:23 pm »
lmao

The Illusive Man

UnKnOwNCoDe

Re: CodeCaving with Ammo
« Reply #11 on: July 31, 2007, 12:01:30 am »
.
« Last Edit: May 28, 2012, 11:50:49 pm by UnKnOwNCoDe »

UnKnOwNCoDe

Re: CodeCaving with Ammo
« Reply #12 on: July 31, 2007, 06:43:30 am »
.
« Last Edit: May 28, 2012, 11:51:07 pm by UnKnOwNCoDe »