Scripting:Asm
Getting Values & Address
Get Values Without Pointers
Can't find pointers, or does the pointer scanner take too long? Use this and change the requirements; don't forget to add VALUE as an address to your address list.
[enable]
// Copy the value read by "mov eax,[edx+110]" into the registered symbol 'value'
// so it can be added to the address list without a pointer path.
// Hook size: mov eax,[edx+110] is 6 bytes; jmp newmem (5) + nop (1) covers it exactly.
aobscan(symbol,01 23 45 67 89 AB CD EF) // placeholder pattern; replace with the bytes of the target instruction
alloc(newmem,$1000)
label(value)
label(return)
registersymbol(symbol)
registersymbol(value)

newmem:
  mov eax,[edx+110]             // the original instruction's load
  mov [value],eax               // publish it for the address list
  jmp return

value:
  dd 00                         // 4-byte slot the address list reads

symbol:
  jmp newmem
  nop
return:

[disable]
unregistersymbol(value)
dealloc(newmem)
symbol:
  mov eax,[edx+110]             // restore the original 6 bytes
unregistersymbol(symbol)
Get Addresses Without Pointers
Can't find pointers, or does the pointer scanner take too long? Use this and change the requirements; don't forget to add ADDRESS as an address to your address list and change its display type to HEXADECIMAL.
[enable]
// Publish the address used by "mov eax,[edx+110]" (edx+110 itself, not its contents)
// into the registered symbol 'address'; display it in the address list as hexadecimal.
// Hook size: the original instruction is 6 bytes, covered by jmp (5) + nop (1).
aobscan(symbol,01 23 45 67 89 AB CD EF) // placeholder pattern; replace with the bytes of the target instruction
alloc(newmem,$1000)
label(address)
label(return)
registersymbol(symbol)
registersymbol(address)

newmem:
  lea eax,[edx+110]             // effective address only; no memory read
  mov [address],eax             // eax is scratch here: the original load below overwrites it
  mov eax,[edx+110]             // original instruction
  jmp return

address:
  dd 00                         // 4-byte slot the address list reads

symbol:
  jmp newmem
  nop
return:

[disable]
unregistersymbol(address)
dealloc(newmem)
symbol:
  mov eax,[edx+110]             // restore the original 6 bytes
unregistersymbol(symbol)
Loading Pointers Into Registers
Load Pointers Into Registers
In some cases you might need to load a pointer into a register; here is how it's done.
[enable]
// Load a multi-level pointer path into a register before the original instruction runs.
// Hook size: mov eax,[edx+110] is 6 bytes, covered by jmp (5) + nop (1).
aobscan(symbol,01 23 45 67 89 AB CD EF) // placeholder pattern; replace with the bytes of the target instruction
alloc(newmem,$1000)
label(return)
registersymbol(symbol)

newmem:
  // placeholder pointer path: base "Executable.exe"+00123ABC, then offsets 4, 56, 0, 789, DEF
  lea eax,[[[[[["Executable.exe"+00123ABC]+4]+56]+0]+789]+DEF]
  // use eax here: the original instruction below replaces it
  mov eax,[edx+110]             // original instruction
  jmp return

symbol:
  jmp newmem
  nop
return:

[disable]
dealloc(newmem)
symbol:
  mov eax,[edx+110]             // restore the original 6 bytes
unregistersymbol(symbol)
Load Pointers From Dissect Data / Structures
Sometimes you find valid compare points under pointers, but how do you use pointers from Dissect Data/Structures?
Say `mov [ebx+04],eax` writes to your health address as well as your enemy's. In Dissect Data/Structures, CE shows a pointer at offset '54', and when that pointer is expanded it shows a value at offset '10' that we can build our compare on.
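[enable]
// Skip the write "mov [ebx+04],eax" when the structure belongs to the player:
// the pointer at [ebx+54] leads to a byte at offset 10 whose value 01 marks the player team.
// Hook size: mov [ebx+04],eax is only 3 bytes (89 43 04) but jmp newmem is 5, so the
// real hook must also copy the instruction(s) following it into originalcode and
// restore them in [disable]; the single nop below is a placeholder for that.
aobscan(symbol,01 23 45 67 89 AB CD EF) // placeholder pattern; replace with the bytes of the target instruction
alloc(newmem,$1000)
label(originalcode)
label(noptr)
label(exit)
registersymbol(symbol)

newmem:
  push eax                      // eax is the value being written; keep it intact
  mov eax,[ebx+54]              // pointer found at offset 54 in Dissect Data/Structures
  test eax,eax
  jz noptr                      // null pointer: nothing to compare, never dereference it
  cmp byte ptr [eax+10],01      // byte at pointer+10: 01 = player team
  pop eax                       // pop does not touch the flags from the cmp
  jz exit                       // player's structure: skip the write
originalcode:
  mov [ebx+04],eax
  jmp exit

noptr:
  pop eax
  jmp originalcode              // fall back to the original write

symbol:
  jmp newmem
  nop
exit:

[disable]
dealloc(newmem)
symbol:
  mov [ebx+04],eax              // restore the original bytes (plus any following instructions you hooked)
unregistersymbol(symbol)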
Custom Regeneration
Using Address & Offset
This script requires you to get the address & the offset from another script; don't forget to globally allocate them or at least register them as symbols. The script might not be injected in 32 bit processes. Example for [edx+110]:
mov [address],edx // from the hook script: address = the base register of [edx+110]
mov [offset],110 // offset = the displacement of [edx+110] (110 hex)
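[enable]
// Regeneration thread: every 1000 ms (3E8 hex) add 1 to the 4-byte value at
// [address]+[offset] while it is below the limit 100 (64 hex).
// Requires: 'address' and 'offset' provided (globalalloc/registersymbol) by another script.
// Stop it by setting the registered symbol 'exit' to 0 from the address list.
// NOTE(review): push/call Kernel32.Sleep is the 32-bit stdcall form; a 64-bit
// target needs the register-argument convention instead.
alloc(ReGen,$100)
registersymbol(ReGen)
createthread(ReGen)
label(return)
label(exit)
registersymbol(exit)

ReGen:
  push 03E8
  call Kernel32.Sleep           // wait 1000 ms between ticks
  cmp byte ptr [exit],00        // exit flag: non-zero = keep running, 0 = stop
  jz return
  mov edx,[address]
  add edx,[offset]              // edx = address + offset = the value's location
  cmp dword ptr [edx],64        // compare against the limit (64 hex = 100)
  jge ReGen                     // at or above the limit: nothing to do (the previous jz kept adding above the limit)
  add dword ptr [edx],01        // below the limit: +1 per tick; size spelled out to match the cmp
  jmp ReGen

return:
  ret

exit:
  db 01                         // thread runs while this byte is non-zero

[disable]
// NOTE(review): deallocating while the thread is still inside Kernel32.Sleep frees the
// code it returns to; set exit to 0 and give the thread a tick to leave before disabling.
dealloc(ReGen)
unregistersymbol(ReGen)
unregistersymbol(exit)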
Using Pointers
We all love pointers; they have multiple uses. Note that the script might not be injected in 32 bit processes unless you remove `push 03E8` and `call Kernel32.Sleep`. Keep in mind that you need to specify the data type if your value is a floating point value: `add [edx],01` is not the same as `add [edx],(float)1.0`.
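[enable]
// Regeneration thread: every 1000 ms (3E8 hex) add 1 to the 4-byte value reached
// through the pointer path while it is below the limit 100 (64 hex).
// Stop it by setting the registered symbol 'exit' to 0 from the address list.
// NOTE(review): push/call Kernel32.Sleep is the 32-bit stdcall form; a 64-bit
// target needs the register-argument convention instead.
alloc(ReGen,$100)
registersymbol(ReGen)
createthread(ReGen)
label(return)
label(exit)
registersymbol(exit)

ReGen:
  push 03E8
  call Kernel32.Sleep           // wait 1000 ms between ticks
  cmp byte ptr [exit],00        // exit flag: non-zero = keep running, 0 = stop
  jz return
  // placeholder pointer path: base "Executable.exe"+00123ABC, then offsets 4, 56, 0, 789, DEF
  lea edx,[[[[[["Executable.exe"+00123ABC]+4]+56]+0]+789]+DEF]
  cmp dword ptr [edx],64        // compare against the limit (64 hex = 100)
  jge ReGen                     // at or above the limit: nothing to do (the previous jz kept adding above the limit)
  add dword ptr [edx],01        // below the limit: +1 per tick; use (float) forms for floating point values
  jmp ReGen

return:
  ret

exit:
  db 01                         // thread runs while this byte is non-zero

[disable]
// NOTE(review): deallocating while the thread is still inside Kernel32.Sleep frees the
// code it returns to; set exit to 0 and give the thread a tick to leave before disabling.
dealloc(ReGen)
unregistersymbol(ReGen)
unregistersymbol(exit)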