I'm trying to get the max hp based on the address ..
I got this in olly:
Now I tried codecave:
Console output:
And the max HP is 1519 and then the game crashing ..
Drew Benton's functions .. (Link: [Only registered and activated users can see links. Click Here To Register...])
Any idea why the game crashing ?
and can I get the address of the Max HP ?
and if we are already here ^^ how we can also get the name address :D ?
Thanks ..
I got this in olly:
Code:
009D4B60 . 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] 009D4B64 . 8981 58040000 MOV DWORD PTR DS:[ECX+458],EAX 009D4B6A . A1 0CF81001 MOV EAX,DWORD PTR DS:[110F80C] 009D4B6F . 85C0 TEST EAX,EAX 009D4B71 . 74 17 JE SHORT sro_clie.009D4B8A 009D4B73 . 8B88 FC060000 MOV ECX,DWORD PTR DS:[EAX+6FC] 009D4B79 . 85C9 TEST ECX,ECX 009D4B7B . 74 0D JE SHORT sro_clie.009D4B8A 009D4B7D . C74424 04 0000>MOV DWORD PTR SS:[ESP+4],0 009D4B85 .^E9 2682E5FF JMP sro_clie.0082CDB0 009D4B8A > C2 0400 RETN 4
PHP Code:
DWORD Address = 0;
DWORD dwEAX = 0;
__declspec(naked) void HPCodeCave(void)
{
printf("Getting the HP value .. \n");
__asm
{
pop Address
mov dwEAX, EAX
pushad
}
if(dwEAX >= 0)
printf("HP: %d", dwEAX);
else
printf("Waiting..\n");
__asm
{
popad
MOV DWORD PTR DS:[ECX+0x458],EAX
push Address
ret
}
}
PHP Code:
Codecave(0x009D4B64, HPCodeCave, 1);
PHP Code:
VOID WriteBytesASM(DWORD destAddress, LPVOID patch, DWORD numBytes)
{
// Store old protection of the memory page
DWORD oldProtect = 0;
// Store the source address
DWORD srcAddress = PtrToUlong(patch);
// Make sure page is writeable
VirtualProtect((void*)(destAddress), numBytes, PAGE_EXECUTE_READWRITE, &oldProtect);
// Do the patch (oldschool style to avoid memcpy)
__asm
{
nop // Filler
nop // Filler
nop // Filler
mov esi, srcAddress // Save the address
mov edi, destAddress // Save the destination address
mov ecx, numBytes // Save the size of the patch
Start:
cmp ecx, 0 // Are we done yet?
jz Exit // If so, go to end of function
mov al, [esi] // Move the byte at the patch into AL
mov [edi], al // Move AL into the destination byte
dec ecx // 1 less byte to patch
inc esi // Next source byte
inc edi // Next destination byte
jmp Start // Repeat the process
Exit:
nop // Filler
nop // Filler
nop // Filler
}
// Restore old page protection
VirtualProtect((void*)(destAddress), numBytes, oldProtect, &oldProtect);
}
VOID Codecave(DWORD destAddress, VOID (*func)(VOID), BYTE nopCount)
{
// Calculate the code cave for chat interception
DWORD offset = (PtrToUlong(func) - destAddress) - 5;
// Buffer of NOPs, static since we limit to 'UCHAR_MAX' NOPs
BYTE nopPatch[0xFF] = {0};
// Construct the patch to the function call
BYTE patch[5] = {0xE8, 0x00, 0x00, 0x00, 0x00};
memcpy(patch + 1, &offset, sizeof(DWORD));
WriteBytesASM(destAddress, patch, 5);
// We are done if we do not have NOPs
if(nopCount == 0)
return;
// Fill it with nops
memset(nopPatch, 0x90, nopCount);
// Make the patch now
WriteBytesASM(destAddress + 5, nopPatch, nopCount);
}
Code:
Getting the HP value .. HP: 24
Drew Benton's functions .. (Link: [Only registered and activated users can see links. Click Here To Register...])
Any idea why the game crashing ?
and can I get the address of the Max HP ?
and if we are already here ^^ how we can also get the name address :D ?
Thanks ..
