Garik66 Опубликовано 2 августа, 2016 (изменено)
Скрипт Window Character для 5-ти игр:
King's Bounty - The Legend
Kings Bounty Armored Princess
Kings Bounty Crossworlds
King's Bounty - Warriors of the North
King's Bounty Dark Side

Lua - часть скрипта:

[ENABLE]
{$LUA}
-- Enable-script of the "launcher" memory record.
-- It works out which of the five games is running, fills a set of global
-- placeholder variables, and rewrites the text of memory record 162 (the
-- auto-assembler script further below) with every $-placeholder substituted.
-- The {$ASM} part of this record is empty, so enabling this record on its own
-- patches nothing in the game; the patch is applied when record 162 is enabled.
--
-- Placeholders written into record 162:
--   $Process      module name handed to aobscanmodule
--   $Signatura    byte pattern (AOB) searched for in that module
--   $Register1    scratch register, saved/restored with push/pop around the hook
--   $Register2    register whose +04 / +0C fields the hook and original code read
--   $Register3    register the first original instruction loads from [$Register2+0C];
--                 its value is what gets stored into the XARn symbols
--   $a            hex offset of the attribute-name string from [$Register2+04]
--   $OriginalCode the 6 bytes the 5-byte jmp + 1-byte nop overwrite
addressList = getAddressList()
-- Record 226's .value identifies the game.  Per the author's note below it is
-- presumably a string read at [nvd3dum.dll+D6ECD9]; the comparisons use its
-- first 23 characters, so the record is presumably a 23-char string record.
memoryRecord = addressList.getMemoryRecordByID(226)
-- Record 162 holds the auto-assembler template with the $-placeholders.
memoryRecord2 = addressList.getMemoryRecordByID(162)
-- The first three games all run as KB.exe, so the game is told apart by
-- record 226's value.  The "then" branch is intentionally empty: nothing
-- happens when the process is not running.
if (getProcessIDFromProcessName("KB.exe")==nil) then
else
  OpenProcess("KB.exe")
  if memoryRecord.value == "King's Bounty - The Leg" then
    Process = 'KB.exe'
    Signatura = '8B 4F 0C 8B 2C 81 89'
    Register1 = 'eax'
    Register2 = 'edi'
    Register3 = 'ecx'
    a = '14'
    OriginalCode = 'db 8B 4F 0C 8B 2C 81'
  else
    if memoryRecord.value == "Kings Bounty Armored Pr" then
      Process = 'kb.exe'
      Signatura = '8B 4F 0C 8B 34 81 89 74 24 10 EB 06'
      Register1 = 'eax'
      Register2 = 'edi'
      Register3 = 'ecx'
      a = '0C'
      OriginalCode = 'db 8B 4F 0C 8B 34 81'
    else
      if memoryRecord.value == "Kings Bounty Crossworld" then
        Process = 'kb.exe'
        Signatura = '8B 4F 0C 8B 34 81 89 74 24 18'
        Register1 = 'eax'
        Register2 = 'edi'
        Register3 = 'ecx'
        a = '0C'
        OriginalCode = 'db 8B 4F 0C 8B 34 81'
      end
    end
  end
end
-- Warriors of the North has its own executable name, so no value check is needed.
if (getProcessIDFromProcessName("KBWotN.exe")==nil) then
else
  OpenProcess("KBWotN.exe")
  Process = 'KBWotN.exe'
  Signatura = '8B 4F 0C 8B 1C 81 EB 02 33 DB 0F'
  Register1 = 'eax'
  Register2 = 'edi'
  Register3 = 'ecx'
  a = '0C'
  OriginalCode = 'db 8B 4F 0C 8B 1C 81'
end
-- Dark Side uses a different register assignment at its injection point
-- (see the last ORIGINAL CODE dump below: mov eax,[ebp+0C] / mov ecx,[eax+ebx*4]).
if (getProcessIDFromProcessName("KBDarkside.exe")==nil) then
else
  OpenProcess("KBDarkside.exe")
  Process = 'KBDarkside.exe'
  Signatura = '8B 45 0C 8B 0C 98 8B 01 FF 50 14 89 44 24 14 8B 46 10'
  Register1 = 'ecx'
  Register2 = 'ebp'
  Register3 = 'eax'
  a = '0C'
  OriginalCode = 'db 8B 45 0C 8B 0C 98'
end
-- Substitute the placeholders in record 162's script text.  In a Lua pattern a
-- leading "$" has no special meaning (it only anchors at the END of a pattern),
-- so "$Process" etc. match literally.
-- NOTE(review): if none of the three processes is running, or record 226's value
-- matches none of the three names, Process/Signatura/... are still nil and the
-- first string.gsub below raises "bad argument #3" — the enable then fails with
-- a Lua error rather than a clear message.  A nil check before the gsub calls
-- would make that case explicit.
-- NOTE(review): after this runs, record 162 no longer contains any "$" names, so
-- switching to another game requires the placeholder template to be written back
-- first (the save/load script in the follow-up post does exactly that).
script = memoryRecord2.Script
script = string.gsub(script, "$Process", Process)
script = string.gsub(script, "$Signatura", Signatura)
script = string.gsub(script, "$Register1", Register1)
script = string.gsub(script, "$Register2", Register2)
script = string.gsub(script, "$Register3", Register3)
script = string.gsub(script, "$a", a)
script = string.gsub(script, "$OriginalCode", OriginalCode)
memoryRecord2.Script = script
{$ASM}
[DISABLE]

Сам скрипт:

{ Game : KB.exe
  Version:
  Date   : 2016-01-18
  Author : Garik66

  Hook placed where the character window walks the hero's attribute list.
  On entry the two original instructions are re-executed, then the hook reads
  a pointer from [$Register2+04] and compares the text at +$a of it against a
  fixed list of attribute names (the dword immediates below are the ASCII bytes
  of those names packed little-endian, e.g. 61747461 = "atta", 00006B63 = "ck").
  On a match the value of $Register3 is stored into one of XAR1..XAR13 so the
  table can address that attribute (the author documents the layout as
  [[XAR1]+0]+8 for the attribute's value).  For "mana" and "rage" the hook also
  writes 0x64 into [[$Register3]+08] each time it is hit — presumably the value
  field, per that note.
  Every $-name (Process, Signatura, Register1..3, a, OriginalCode) is filled in by
  the Lua launcher script before this text is assembled.
}

[ENABLE]

aobscanmodule(WindowCharacter,$Process,$Signatura) // should be unique
alloc(newmem,$4000)

label(code)
label(return)
// XAR1..XAR13: one 4-byte slot per attribute, exported as table symbols.
label(XAR1)
registersymbol(XAR1)
label(XAR2)
registersymbol(XAR2)
label(XAR3)
registersymbol(XAR3)
label(XAR4)
registersymbol(XAR4)
label(XAR5)
registersymbol(XAR5)
label(XAR6)
registersymbol(XAR6)
label(XAR7)
registersymbol(XAR7)
label(XAR8)
registersymbol(XAR8)
label(XAR9)
registersymbol(XAR9)
label(XAR10)
registersymbol(XAR10)
label(XAR11)
registersymbol(XAR11)
label(XAR12)
registersymbol(XAR12)
label(XAR13)
registersymbol(XAR13)
registersymbol(WindowCharacter)

newmem:
  $OriginalCode                    // re-execute the 6 overwritten bytes first
  push $Register1                  // $Register1 is scratch from here to "code:"
  mov $Register1,[$Register2+04]   // pointer to the attribute's name record
  cmp [$Register1+$a],61747461 // attack
  jne @f
  cmp [$Register1+$a+4],00006B63
  jne @f
  mov [XAR1],$Register3
  jmp code
@@:
  cmp [$Register1+$a],6B6F6F62 // booksize
  jne @f
  cmp [$Register1+$a+4],657A6973
  jne @f
  mov [XAR2],$Register3
  jmp code
@@:
  // same name checked again at +28 — presumably a second name layout in one
  // of the games; which one is not stated here
  cmp [$Register1+$a+28],6B6F6F62 // booksize
  jne @f
  cmp [$Register1+$a+28+4],657A6973
  jne @f
  mov [XAR2],$Register3
  jmp code
@@:
  cmp [$Register1+$a],73797263 // crystals
  jne @f
  cmp [$Register1+$a+4],736C6174
  jne @f
  mov [XAR3],$Register3
  jmp code
@@:
  cmp [$Register1+$a],65666564 // defense
  jne @f
  cmp [$Register1+$a+4],0065736E
  jne @f
  mov [XAR4],$Register3
  jmp code
@@:
  cmp [$Register1+$a],65707865 // experience
  jne @f
  cmp [$Register1+$a+4],6E656972
  jne @f
  cmp [$Register1+$a+8],00006563
  jne @f
  mov [XAR5],$Register3
  jmp code
@@:
  cmp [$Register1+$a],65746E69 // intellect
  jne @f
  cmp [$Register1+$a+4],63656C6C
  jne @f
  cmp [$Register1+$a+8],00000074
  jne @f
  mov [XAR6],$Register3
  jmp code
@@:
  cmp [$Register1+$a],6461656C // leadership
  jne @f
  cmp [$Register1+$a+4],68737265
  jne @f
  cmp [$Register1+$a+8],00007069
  jne @f
  mov [XAR7],$Register3
  jmp code
@@:
  cmp [$Register1+$a],616E616D // mana
  jne @f
  mov [XAR8],$Register3
  mov $Register1,[$Register3]
  mov [$Register1+08],64         // writes 0x64 (100) into [[$Register3]+08]
  jmp code
@@:
  cmp [$Register1+$a],656E6F6D // money
  jne @f
  cmp byte ptr [$Register1+$a+4],79
  jne @f
  mov [XAR9],$Register3
  jmp code
@@:
  cmp [$Register1+$a],65676172 // rage
  jne @f
  mov [XAR10],$Register3
  mov $Register1,[$Register3]
  mov [$Register1+08],64         // writes 0x64 (100) into [[$Register3]+08]
  jmp code
@@:
  cmp [$Register1+$a+28],65676172 // rage
  jne @f
  mov [XAR10],$Register3
  mov $Register1,[$Register3]
  mov [$Register1+08],64
  jmp code
@@:
  cmp [$Register1+$a],656E7572 // rune_magic
  jne @f
  cmp [$Register1+$a+4],67616D5F
  jne @f
  cmp [$Register1+$a+8],00006369
  jne @f
  mov [XAR11],$Register3
  jmp code
@@:
  cmp [$Register1+$a],656E7572 // rune_might
  jne @f
  cmp [$Register1+$a+4],67696D5F
  jne @f
  cmp [$Register1+$a+8],00007468
  jne @f
  mov [XAR12],$Register3
  jmp code
@@:
  // last entry: a mismatch falls straight through to "code"
  cmp [$Register1+$a],656E7572 // rune_mind
  jne code
  cmp [$Register1+$a+4],6E696D5F
  jne code
  cmp [$Register1+$a+8],00000064
  jne code
  mov [XAR13],$Register3
  jmp code

code:
  pop $Register1
  jmp return

XAR1: dd 0
XAR2: dd 0
XAR3: dd 0
XAR4: dd 0
XAR5: dd 0
XAR6: dd 0
XAR7: dd 0
XAR8: dd 0
XAR9: dd 0
XAR10: dd 0
XAR11: dd 0
XAR12: dd 0
XAR13: dd 0

WindowCharacter:
  jmp newmem   // 5 bytes
  db 90        // + 1 nop = the 6 bytes of $OriginalCode
return:

[DISABLE]

WindowCharacter:
  $OriginalCode

unregistersymbol(XAR1)
unregistersymbol(XAR2)
unregistersymbol(XAR3)
unregistersymbol(XAR4)
unregistersymbol(XAR5)
unregistersymbol(XAR6)
unregistersymbol(XAR7)
unregistersymbol(XAR8)
unregistersymbol(XAR9)
unregistersymbol(XAR10)
unregistersymbol(XAR11)
unregistersymbol(XAR12)
unregistersymbol(XAR13)
unregistersymbol(WindowCharacter)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "KB.exe"+465A1  (King's Bounty - The Legend)

"KB.exe"+46582: E8 09 C4 FC FF - call KB.exe+12990
"KB.exe"+46587: 8B F8 - mov edi,eax
"KB.exe"+46589: 85 FF - test edi,edi
"KB.exe"+4658B: 0F 84 6D FF FF FF - je KB.exe+464FE
"KB.exe"+46591: 8B 74 24 3C - mov esi,[esp+3C]
"KB.exe"+46595: 56 - push esi
"KB.exe"+46596: 8B CF - mov ecx,edi
"KB.exe"+46598: E8 A3 79 1E 00 - call KB.exe+22DF40
"KB.exe"+4659D: 85 C0 - test eax,eax
"KB.exe"+4659F: 7C 0C - jl KB.exe+465AD
// ---------- INJECTING HERE ----------
"KB.exe"+465A1: 8B 4F 0C - mov ecx,[edi+0C]
"KB.exe"+465A4: 8B 2C 81 - mov ebp,[ecx+eax*4]
// ---------- DONE INJECTING ----------
"KB.exe"+465A7: 89 6C 24 18 - mov [esp+18],ebp
"KB.exe"+465AB: EB 06 - jmp KB.exe+465B3
"KB.exe"+465AD: 89 5C 24 18 - mov [esp+18],ebx
"KB.exe"+465B1: 8B EB - mov ebp,ebx
"KB.exe"+465B3: 0F B6 16 - movzx edx,byte ptr [esi]
"KB.exe"+465B6: 8B 44 24 1C - mov eax,[esp+1C]
"KB.exe"+465BA: 52 - push edx
"KB.exe"+465BB: E8 D0 AE 00 00 - call KB.exe+51490
"KB.exe"+465C0: 84 C0 - test al,al
"KB.exe"+465C2: 0F 84 E4 00 00 00 - je KB.exe+466AC
}

{
// ORIGINAL CODE - INJECTION POINT: "kb.exe"+4CBD0  (Armored Princess)

"kb.exe"+4CBB1: E8 EA AA FC FF - call kb.exe+176A0
"kb.exe"+4CBB6: 8B F8 - mov edi,eax
"kb.exe"+4CBB8: 85 FF - test edi,edi
"kb.exe"+4CBBA: 0F 84 6C FF FF FF - je kb.exe+4CB2C
"kb.exe"+4CBC0: 8B 6C 24 34 - mov ebp,[esp+34]
"kb.exe"+4CBC4: 55 - push ebp
"kb.exe"+4CBC5: 8B CF - mov ecx,edi
"kb.exe"+4CBC7: E8 A4 1B 1F 00 - call kb.exe+23E770
"kb.exe"+4CBCC: 85 C0 - test eax,eax
"kb.exe"+4CBCE: 7C 0C - jl kb.exe+4CBDC
// ---------- INJECTING HERE ----------
"kb.exe"+4CBD0: 8B 4F 0C - mov ecx,[edi+0C]
"kb.exe"+4CBD3: 8B 34 81 - mov esi,[ecx+eax*4]
// ---------- DONE INJECTING ----------
"kb.exe"+4CBD6: 89 74 24 10 - mov [esp+10],esi
"kb.exe"+4CBDA: EB 06 - jmp kb.exe+4CBE2
"kb.exe"+4CBDC: 89 5C 24 10 - mov [esp+10],ebx
"kb.exe"+4CBE0: 8B F3 - mov esi,ebx
"kb.exe"+4CBE2: 0F B6 55 00 - movzx edx,byte ptr [ebp+00]
"kb.exe"+4CBE6: 8B 44 24 14 - mov eax,[esp+14]
"kb.exe"+4CBEA: 52 - push edx
"kb.exe"+4CBEB: E8 60 CF 00 00 - call kb.exe+59B50
"kb.exe"+4CBF0: 84 C0 - test al,al
"kb.exe"+4CBF2: 0F 84 F6 00 00 00 - je kb.exe+4CCEE
}

{
// ORIGINAL CODE - INJECTION POINT: "KB.exe"+51122  (Crossworlds)

"KB.exe"+51103: E8 58 83 FC FF - call KB.exe+19460
"KB.exe"+51108: 8B F8 - mov edi,eax
"KB.exe"+5110A: 85 FF - test edi,edi
"KB.exe"+5110C: 0F 84 70 FF FF FF - je KB.exe+51082
"KB.exe"+51112: 8B 6C 24 3C - mov ebp,[esp+3C]
"KB.exe"+51116: 55 - push ebp
"KB.exe"+51117: 8B CF - mov ecx,edi
"KB.exe"+51119: E8 72 68 1E 00 - call KB.exe+237990
"KB.exe"+5111E: 85 C0 - test eax,eax
"KB.exe"+51120: 7C 0C - jl KB.exe+5112E
// ---------- INJECTING HERE ----------
"KB.exe"+51122: 8B 4F 0C - mov ecx,[edi+0C]
"KB.exe"+51125: 8B 34 81 - mov esi,[ecx+eax*4]
// ---------- DONE INJECTING ----------
"KB.exe"+51128: 89 74 24 18 - mov [esp+18],esi
"KB.exe"+5112C: EB 0C - jmp KB.exe+5113A
"KB.exe"+5112E: C7 44 24 18 00 00 00 00 - mov [esp+18],00000000
"KB.exe"+51136: 8B 74 24 18 - mov esi,[esp+18]
"KB.exe"+5113A: 0F B6 55 00 - movzx edx,byte ptr [ebp+00]
"KB.exe"+5113E: 52 - push edx
"KB.exe"+5113F: 8B C3 - mov eax,ebx
"KB.exe"+51141: E8 EA DC 00 00 - call KB.exe+5EE30
"KB.exe"+51146: 84 C0 - test al,al
"KB.exe"+51148: 0F 84 F8 00 00 00 - je KB.exe+51246
}

{
// ORIGINAL CODE - INJECTION POINT: "KBWotN.exe"+D43EC  (Warriors of the North)

"KBWotN.exe"+D43CD: E8 7E ED F2 FF - call KBWotN.exe+3150
"KBWotN.exe"+D43D2: 8B F8 - mov edi,eax
"KBWotN.exe"+D43D4: 85 FF - test edi,edi
"KBWotN.exe"+D43D6: 0F 84 67 FF FF FF - je KBWotN.exe+D4343
"KBWotN.exe"+D43DC: 8B 74 24 34 - mov esi,[esp+34]
"KBWotN.exe"+D43E0: 56 - push esi
"KBWotN.exe"+D43E1: 8B CF - mov ecx,edi
"KBWotN.exe"+D43E3: E8 F8 07 F3 FF - call KBWotN.exe+4BE0
"KBWotN.exe"+D43E8: 85 C0 - test eax,eax
"KBWotN.exe"+D43EA: 78 08 - js KBWotN.exe+D43F4
// ---------- INJECTING HERE ----------
"KBWotN.exe"+D43EC: 8B 4F 0C - mov ecx,[edi+0C]
"KBWotN.exe"+D43EF: 8B 1C 81 - mov ebx,[ecx+eax*4]
// ---------- DONE INJECTING ----------
"KBWotN.exe"+D43F2: EB 02 - jmp KBWotN.exe+D43F6
"KBWotN.exe"+D43F4: 33 DB - xor ebx,ebx
"KBWotN.exe"+D43F6: 0F B6 16 - movzx edx,byte ptr [esi]
"KBWotN.exe"+D43F9: 52 - push edx
"KBWotN.exe"+D43FA: 8B CD - mov ecx,ebp
"KBWotN.exe"+D43FC: E8 8F 6A FE FF - call KBWotN.exe+BAE90
"KBWotN.exe"+D4401: 84 C0 - test al,al
"KBWotN.exe"+D4403: 0F 84 EC 00 00 00 - je KBWotN.exe+D44F5
"KBWotN.exe"+D4409: 85 DB - test ebx,ebx
"KBWotN.exe"+D440B: 0F 84 0B 01 00 00 - je KBWotN.exe+D451C
}

{
// ORIGINAL CODE - INJECTION POINT: "KBDarkside.exe"+30FF17  (Dark Side)
// Note: the jb at +30FF07 targets the injection point itself; that is fine
// because the target byte is the start of the hook's jmp.

"KBDarkside.exe"+30FEF5: 33 DB - xor ebx,ebx
"KBDarkside.exe"+30FEF7: 89 44 24 14 - mov [esp+14],eax
"KBDarkside.exe"+30FEFB: 85 C0 - test eax,eax
"KBDarkside.exe"+30FEFD: 0F 84 87 00 00 00 - je KBDarkside.exe+30FF8A
"KBDarkside.exe"+30FF03: 57 - push edi
"KBDarkside.exe"+30FF04: 3B 5D 10 - cmp ebx,[ebp+10]
"KBDarkside.exe"+30FF07: 72 0E - jb KBDarkside.exe+30FF17
"KBDarkside.exe"+30FF09: 68 50 72 8A 00 - push KBDarkside.exe+4A7250
"KBDarkside.exe"+30FF0E: FF 15 C4 2F 10 01 - call dword ptr [KBDarkside.exe+D02FC4]
"KBDarkside.exe"+30FF14: 83 C4 04 - add esp,04
// ---------- INJECTING HERE ----------
"KBDarkside.exe"+30FF17: 8B 45 0C - mov eax,[ebp+0C]
"KBDarkside.exe"+30FF1A: 8B 0C 98 - mov ecx,[eax+ebx*4]
// ---------- DONE INJECTING ----------
"KBDarkside.exe"+30FF1D: 8B 01 - mov eax,[ecx]
"KBDarkside.exe"+30FF1F: FF 50 14 - call dword ptr [eax+14]
"KBDarkside.exe"+30FF22: 89 44 24 14 - mov [esp+14],eax
"KBDarkside.exe"+30FF26: 8B 46 10 - mov eax,[esi+10]
"KBDarkside.exe"+30FF29: 89 44 24 10 - mov [esp+10],eax
"KBDarkside.exe"+30FF2D: 8D 68 01 - lea ebp,[eax+01]
"KBDarkside.exe"+30FF30: 3B 6E 14 - cmp ebp,[esi+14]
"KBDarkside.exe"+30FF33: 76 1D - jna KBDarkside.exe+30FF52
"KBDarkside.exe"+30FF35: 8D 45 10 - lea eax,[ebp+10]
"KBDarkside.exe"+30FF38: 89 46 14 - mov [esi+14],eax
}

Статичный адрес, по которому определяю, какая из 3 первых игр запущена (у них название процесса одинаковое) - [nvd3dum.dll+D6ECD9]. Как забиты сами адреса характеристик Героя - пример [[XAR1]+0]+8, на видео показываю это. Тема, которая создавалась у нас на форуме при написании скрипта - Один скрипт для двух игр, написанных на одном движке. Почитайте её тоже обязательно.
Видео: Изменено 2 августа, 2016 пользователем Garik66
Shan0x228 Опубликовано 4 августа, 2016: Спасибо, познавательное видео.
Garik66 Опубликовано 4 августа, 2016 (изменено)
Разобрался, где и как сохранить, а потом и загрузить в табличку скрипт с метками.

Скрипт LUA для сохранения и загрузки в таблицу скрипта с метками:

-- Writes the placeholder template of the WindowCharacter script back into
-- memory record 162.  The launcher script of the first post overwrites that
-- record with a substituted copy (all "$" names replaced for one game), so this
-- is how the template with its placeholders is restored before switching games.
-- The template is kept as a level-0 long string; such a string ends at the
-- first "]]" inside it.  The script text below contains none, but a nested
-- "]]" added later would truncate it silently — use a [==[ ... ]==] bracket
-- if that ever becomes a concern.
addressList = getAddressList()
memoryRecord2 = addressList.getMemoryRecordByID(162)
SaveScript1 = [[
{ Game : KB.exe
  Version:
  Date   : 2016-01-18
  Author : Garik66

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(WindowCharacter,$Process,$Signatura) // should be unique
alloc(newmem,$4000)

label(code)
label(return)
label(XAR1)
registersymbol(XAR1)
label(XAR2)
registersymbol(XAR2)
label(XAR3)
registersymbol(XAR3)
label(XAR4)
registersymbol(XAR4)
label(XAR5)
registersymbol(XAR5)
label(XAR6)
registersymbol(XAR6)
label(XAR7)
registersymbol(XAR7)
label(XAR8)
registersymbol(XAR8)
label(XAR9)
registersymbol(XAR9)
label(XAR10)
registersymbol(XAR10)
label(XAR11)
registersymbol(XAR11)
label(XAR12)
registersymbol(XAR12)
label(XAR13)
registersymbol(XAR13)
registersymbol(WindowCharacter)

newmem:
  $OriginalCode
  push $Register1
  mov $Register1,[$Register2+04]
  cmp [$Register1+$a],61747461 // attack
  jne @f
  cmp [$Register1+$a+4],00006B63
  jne @f
  mov [XAR1],$Register3
  jmp code
@@:
  cmp [$Register1+$a],6B6F6F62 // booksize
  jne @f
  cmp [$Register1+$a+4],657A6973
  jne @f
  mov [XAR2],$Register3
  jmp code
@@:
  cmp [$Register1+$a+28],6B6F6F62 // booksize
  jne @f
  cmp [$Register1+$a+28+4],657A6973
  jne @f
  mov [XAR2],$Register3
  jmp code
@@:
  cmp [$Register1+$a],73797263 // crystals
  jne @f
  cmp [$Register1+$a+4],736C6174
  jne @f
  mov [XAR3],$Register3
  jmp code
@@:
  cmp [$Register1+$a],65666564 // defense
  jne @f
  cmp [$Register1+$a+4],0065736E
  jne @f
  mov [XAR4],$Register3
  jmp code
@@:
  cmp [$Register1+$a],65707865 // experience
  jne @f
  cmp [$Register1+$a+4],6E656972
  jne @f
  cmp [$Register1+$a+8],00006563
  jne @f
  mov [XAR5],$Register3
  jmp code
@@:
  cmp [$Register1+$a],65746E69 // intellect
  jne @f
  cmp [$Register1+$a+4],63656C6C
  jne @f
  cmp [$Register1+$a+8],00000074
  jne @f
  mov [XAR6],$Register3
  jmp code
@@:
  cmp [$Register1+$a],6461656C // leadership
  jne @f
  cmp [$Register1+$a+4],68737265
  jne @f
  cmp [$Register1+$a+8],00007069
  jne @f
  mov [XAR7],$Register3
  jmp code
@@:
  cmp [$Register1+$a],616E616D // mana
  jne @f
  mov [XAR8],$Register3
  mov $Register1,[$Register3]
  mov [$Register1+08],64
  jmp code
@@:
  cmp [$Register1+$a],656E6F6D // money
  jne @f
  cmp byte ptr [$Register1+$a+4],79
  jne @f
  mov [XAR9],$Register3
  jmp code
@@:
  cmp [$Register1+$a],65676172 // rage
  jne @f
  mov [XAR10],$Register3
  mov $Register1,[$Register3]
  mov [$Register1+08],64
  jmp code
@@:
  cmp [$Register1+$a+28],65676172 // rage
  jne @f
  mov [XAR10],$Register3
  mov $Register1,[$Register3]
  mov [$Register1+08],64
  jmp code
@@:
  cmp [$Register1+$a],656E7572 // rune_magic
  jne @f
  cmp [$Register1+$a+4],67616D5F
  jne @f
  cmp [$Register1+$a+8],00006369
  jne @f
  mov [XAR11],$Register3
  jmp code
@@:
  cmp [$Register1+$a],656E7572 // rune_might
  jne @f
  cmp [$Register1+$a+4],67696D5F
  jne @f
  cmp [$Register1+$a+8],00007468
  jne @f
  mov [XAR12],$Register3
  jmp code
@@:
  cmp [$Register1+$a],656E7572 // rune_mind
  jne code
  cmp [$Register1+$a+4],6E696D5F
  jne code
  cmp [$Register1+$a+8],00000064
  jne code
  mov [XAR13],$Register3
  jmp code

code:
  pop $Register1
  jmp return

XAR1: dd 0
XAR2: dd 0
XAR3: dd 0
XAR4: dd 0
XAR5: dd 0
XAR6: dd 0
XAR7: dd 0
XAR8: dd 0
XAR9: dd 0
XAR10: dd 0
XAR11: dd 0
XAR12: dd 0
XAR13: dd 0

WindowCharacter:
  jmp newmem
  db 90
return:

[DISABLE]

WindowCharacter:
  $OriginalCode

unregistersymbol(XAR1)
unregistersymbol(XAR2)
unregistersymbol(XAR3)
unregistersymbol(XAR4)
unregistersymbol(XAR5)
unregistersymbol(XAR6)
unregistersymbol(XAR7)
unregistersymbol(XAR8)
unregistersymbol(XAR9)
unregistersymbol(XAR10)
unregistersymbol(XAR11)
unregistersymbol(XAR12)
unregistersymbol(XAR13)
unregistersymbol(WindowCharacter)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "KB.exe"+465A1

"KB.exe"+46582: E8 09 C4 FC FF - call KB.exe+12990
"KB.exe"+46587: 8B F8 - mov edi,eax
"KB.exe"+46589: 85 FF - test edi,edi
"KB.exe"+4658B: 0F 84 6D FF FF FF - je KB.exe+464FE
"KB.exe"+46591: 8B 74 24 3C - mov esi,[esp+3C]
"KB.exe"+46595: 56 - push esi
"KB.exe"+46596: 8B CF - mov ecx,edi
"KB.exe"+46598: E8 A3 79 1E 00 - call KB.exe+22DF40
"KB.exe"+4659D: 85 C0 - test eax,eax
"KB.exe"+4659F: 7C 0C - jl KB.exe+465AD
// ---------- INJECTING HERE ----------
"KB.exe"+465A1: 8B 4F 0C - mov ecx,[edi+0C]
"KB.exe"+465A4: 8B 2C 81 - mov ebp,[ecx+eax*4]
// ---------- DONE INJECTING ----------
"KB.exe"+465A7: 89 6C 24 18 - mov [esp+18],ebp
"KB.exe"+465AB: EB 06 - jmp KB.exe+465B3
"KB.exe"+465AD: 89 5C 24 18 - mov [esp+18],ebx
"KB.exe"+465B1: 8B EB - mov ebp,ebx
"KB.exe"+465B3: 0F B6 16 - movzx edx,byte ptr [esi]
"KB.exe"+465B6: 8B 44 24 1C - mov eax,[esp+1C]
"KB.exe"+465BA: 52 - push edx
"KB.exe"+465BB: E8 D0 AE 00 00 - call KB.exe+51490
"KB.exe"+465C0: 84 C0 - test al,al
"KB.exe"+465C2: 0F 84 E4 00 00 00 - je KB.exe+466AC
}

{
// ORIGINAL CODE - INJECTION POINT: "kb.exe"+4CBD0

"kb.exe"+4CBB1: E8 EA AA FC FF - call kb.exe+176A0
"kb.exe"+4CBB6: 8B F8 - mov edi,eax
"kb.exe"+4CBB8: 85 FF - test edi,edi
"kb.exe"+4CBBA: 0F 84 6C FF FF FF - je kb.exe+4CB2C
"kb.exe"+4CBC0: 8B 6C 24 34 - mov ebp,[esp+34]
"kb.exe"+4CBC4: 55 - push ebp
"kb.exe"+4CBC5: 8B CF - mov ecx,edi
"kb.exe"+4CBC7: E8 A4 1B 1F 00 - call kb.exe+23E770
"kb.exe"+4CBCC: 85 C0 - test eax,eax
"kb.exe"+4CBCE: 7C 0C - jl kb.exe+4CBDC
// ---------- INJECTING HERE ----------
"kb.exe"+4CBD0: 8B 4F 0C - mov ecx,[edi+0C]
"kb.exe"+4CBD3: 8B 34 81 - mov esi,[ecx+eax*4]
// ---------- DONE INJECTING ----------
"kb.exe"+4CBD6: 89 74 24 10 - mov [esp+10],esi
"kb.exe"+4CBDA: EB 06 - jmp kb.exe+4CBE2
"kb.exe"+4CBDC: 89 5C 24 10 - mov [esp+10],ebx
"kb.exe"+4CBE0: 8B F3 - mov esi,ebx
"kb.exe"+4CBE2: 0F B6 55 00 - movzx edx,byte ptr [ebp+00]
"kb.exe"+4CBE6: 8B 44 24 14 - mov eax,[esp+14]
"kb.exe"+4CBEA: 52 - push edx
"kb.exe"+4CBEB: E8 60 CF 00 00 - call kb.exe+59B50
"kb.exe"+4CBF0: 84 C0 - test al,al
"kb.exe"+4CBF2: 0F 84 F6 00 00 00 - je kb.exe+4CCEE
}

{
// ORIGINAL CODE - INJECTION POINT: "KB.exe"+51122

"KB.exe"+51103: E8 58 83 FC FF - call KB.exe+19460
"KB.exe"+51108: 8B F8 - mov edi,eax
"KB.exe"+5110A: 85 FF - test edi,edi
"KB.exe"+5110C: 0F 84 70 FF FF FF - je KB.exe+51082
"KB.exe"+51112: 8B 6C 24 3C - mov ebp,[esp+3C]
"KB.exe"+51116: 55 - push ebp
"KB.exe"+51117: 8B CF - mov ecx,edi
"KB.exe"+51119: E8 72 68 1E 00 - call KB.exe+237990
"KB.exe"+5111E: 85 C0 - test eax,eax
"KB.exe"+51120: 7C 0C - jl KB.exe+5112E
// ---------- INJECTING HERE ----------
"KB.exe"+51122: 8B 4F 0C - mov ecx,[edi+0C]
"KB.exe"+51125: 8B 34 81 - mov esi,[ecx+eax*4]
// ---------- DONE INJECTING ----------
"KB.exe"+51128: 89 74 24 18 - mov [esp+18],esi
"KB.exe"+5112C: EB 0C - jmp KB.exe+5113A
"KB.exe"+5112E: C7 44 24 18 00 00 00 00 - mov [esp+18],00000000
"KB.exe"+51136: 8B 74 24 18 - mov esi,[esp+18]
"KB.exe"+5113A: 0F B6 55 00 - movzx edx,byte ptr [ebp+00]
"KB.exe"+5113E: 52 - push edx
"KB.exe"+5113F: 8B C3 - mov eax,ebx
"KB.exe"+51141: E8 EA DC 00 00 - call KB.exe+5EE30
"KB.exe"+51146: 84 C0 - test al,al
"KB.exe"+51148: 0F 84 F8 00 00 00 - je KB.exe+51246
}

{
// ORIGINAL CODE - INJECTION POINT: "KBWotN.exe"+D43EC

"KBWotN.exe"+D43CD: E8 7E ED F2 FF - call KBWotN.exe+3150
"KBWotN.exe"+D43D2: 8B F8 - mov edi,eax
"KBWotN.exe"+D43D4: 85 FF - test edi,edi
"KBWotN.exe"+D43D6: 0F 84 67 FF FF FF - je KBWotN.exe+D4343
"KBWotN.exe"+D43DC: 8B 74 24 34 - mov esi,[esp+34]
"KBWotN.exe"+D43E0: 56 - push esi
"KBWotN.exe"+D43E1: 8B CF - mov ecx,edi
"KBWotN.exe"+D43E3: E8 F8 07 F3 FF - call KBWotN.exe+4BE0
"KBWotN.exe"+D43E8: 85 C0 - test eax,eax
"KBWotN.exe"+D43EA: 78 08 - js KBWotN.exe+D43F4
// ---------- INJECTING HERE ----------
"KBWotN.exe"+D43EC: 8B 4F 0C - mov ecx,[edi+0C]
"KBWotN.exe"+D43EF: 8B 1C 81 - mov ebx,[ecx+eax*4]
// ---------- DONE INJECTING ----------
"KBWotN.exe"+D43F2: EB 02 - jmp KBWotN.exe+D43F6
"KBWotN.exe"+D43F4: 33 DB - xor ebx,ebx
"KBWotN.exe"+D43F6: 0F B6 16 - movzx edx,byte ptr [esi]
"KBWotN.exe"+D43F9: 52 - push edx
"KBWotN.exe"+D43FA: 8B CD - mov ecx,ebp
"KBWotN.exe"+D43FC: E8 8F 6A FE FF - call KBWotN.exe+BAE90
"KBWotN.exe"+D4401: 84 C0 - test al,al
"KBWotN.exe"+D4403: 0F 84 EC 00 00 00 - je KBWotN.exe+D44F5
"KBWotN.exe"+D4409: 85 DB - test ebx,ebx
"KBWotN.exe"+D440B: 0F 84 0B 01 00 00 - je KBWotN.exe+D451C
}

{
// ORIGINAL CODE - INJECTION POINT: "KBDarkside.exe"+30FF17

"KBDarkside.exe"+30FEF5: 33 DB - xor ebx,ebx
"KBDarkside.exe"+30FEF7: 89 44 24 14 - mov [esp+14],eax
"KBDarkside.exe"+30FEFB: 85 C0 - test eax,eax
"KBDarkside.exe"+30FEFD: 0F 84 87 00 00 00 - je KBDarkside.exe+30FF8A
"KBDarkside.exe"+30FF03: 57 - push edi
"KBDarkside.exe"+30FF04: 3B 5D 10 - cmp ebx,[ebp+10]
"KBDarkside.exe"+30FF07: 72 0E - jb KBDarkside.exe+30FF17
"KBDarkside.exe"+30FF09: 68 50 72 8A 00 - push KBDarkside.exe+4A7250
"KBDarkside.exe"+30FF0E: FF 15 C4 2F 10 01 - call dword ptr [KBDarkside.exe+D02FC4]
"KBDarkside.exe"+30FF14: 83 C4 04 - add esp,04
// ---------- INJECTING HERE ----------
"KBDarkside.exe"+30FF17: 8B 45 0C - mov eax,[ebp+0C]
"KBDarkside.exe"+30FF1A: 8B 0C 98 - mov ecx,[eax+ebx*4]
// ---------- DONE INJECTING ----------
"KBDarkside.exe"+30FF1D: 8B 01 - mov eax,[ecx]
"KBDarkside.exe"+30FF1F: FF 50 14 - call dword ptr [eax+14]
"KBDarkside.exe"+30FF22: 89 44 24 14 - mov [esp+14],eax
"KBDarkside.exe"+30FF26: 8B 46 10 - mov eax,[esi+10]
"KBDarkside.exe"+30FF29: 89 44 24 10 - mov [esp+10],eax
"KBDarkside.exe"+30FF2D: 8D 68 01 - lea ebp,[eax+01]
"KBDarkside.exe"+30FF30: 3B 6E 14 - cmp ebp,[esi+14]
"KBDarkside.exe"+30FF33: 76 1D - jna KBDarkside.exe+30FF52
"KBDarkside.exe"+30FF35: 8D 45 10 - lea eax,[ebp+10]
"KBDarkside.exe"+30FF38: 89 46 14 - mov [esi+14],eax
}
]]
-- Overwrite record 162 with the template text (the record's Script property
-- is the auto-assembler source the launcher script later substitutes into).
memoryRecord2.Script = SaveScript1

Видео: Изменено 4 августа, 2016 пользователем Garik66