
Один скрипт для 5 игр + урок - Как выйти на структуру, для написания фильтра.



Скрипт Window Character для 5-ти игр:
King's Bounty - The Legend
Kings Bounty Armored Princess
Kings Bounty Crossworlds
King's Bounty - Warriors of the North
King's Bounty Dark Side

Lua - часть скрипта:


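[ENABLE]
{$LUA}
-- Window Character loader.
-- Picks the per-game parameters (process name, AOB signature, the three
-- registers used by the hook, the name offset `a` and the displaced original
-- bytes) and substitutes them into the $-placeholders of the auto-assembler
-- script held in memory record 162, so one AA script serves all five
-- King's Bounty games.
--
-- Record 226 is the static title string used to tell the three games that
-- share the KB.exe process name apart. NOTE(review): per the note below the
-- scripts that address lives inside nvd3dum.dll, so it presumably depends on
-- the installed graphics driver - confirm before relying on it elsewhere.
--
-- Process/Signatura/Register1..3/a/OriginalCode stay global so other records
-- in the table keep seeing the same names as before.
addressList = getAddressList()
memoryRecord = addressList.getMemoryRecordByID(226)
memoryRecord2 = addressList.getMemoryRecordByID(162)

-- Fail with a readable message instead of "attempt to index a nil value"
-- when the table was edited and the record IDs no longer match.
if memoryRecord == nil or memoryRecord2 == nil then
  error("WindowCharacter: memory records 226 and/or 162 not found in the table")
end

-- The substituted text is written back over record 162 at the end, which
-- strips the placeholders. Keep a per-session copy of the unsubstituted
-- template whenever the record still contains one, and fall back to that
-- copy on later enables. (Plain find: '$' would otherwise be a pattern char.)
local currentScript = memoryRecord2.Script
if string.find(currentScript, "$Process", 1, true) ~= nil then
  WindowCharacterTemplate = currentScript
end
local template = WindowCharacterTemplate or currentScript

-- Reset so a selection left over from a previous run cannot leak through
-- when none of the supported processes is running now.
Process = nil
Signatura = nil
Register1 = nil
Register2 = nil
Register3 = nil
a = nil
OriginalCode = nil

if getProcessIDFromProcessName("KB.exe") ~= nil then
  OpenProcess("KB.exe")
  -- KB.exe is shared by three games; the title in record 226 decides.
  if memoryRecord.value == "King's Bounty - The Leg" then
    Process = 'KB.exe'
    Signatura = '8B 4F 0C 8B 2C 81 89'
    Register1 = 'eax'
    Register2 = 'edi'
    Register3 = 'ecx'
    a = '14'
    OriginalCode = 'db 8B 4F 0C 8B 2C 81'
  elseif memoryRecord.value == "Kings Bounty Armored Pr" then
    Process = 'kb.exe'
    Signatura = '8B 4F 0C 8B 34 81 89 74 24 10 EB 06'
    Register1 = 'eax'
    Register2 = 'edi'
    Register3 = 'ecx'
    a = '0C'
    OriginalCode = 'db 8B 4F 0C 8B 34 81'
  elseif memoryRecord.value == "Kings Bounty Crossworld" then
    Process = 'kb.exe'
    Signatura = '8B 4F 0C 8B 34 81 89 74 24 18'
    Register1 = 'eax'
    Register2 = 'edi'
    Register3 = 'ecx'
    a = '0C'
    OriginalCode = 'db 8B 4F 0C 8B 34 81'
  end
end

if getProcessIDFromProcessName("KBWotN.exe") ~= nil then
  OpenProcess("KBWotN.exe")
  Process = 'KBWotN.exe'
  Signatura = '8B 4F 0C 8B 1C 81 EB 02 33 DB 0F'
  Register1 = 'eax'
  Register2 = 'edi'
  Register3 = 'ecx'
  a = '0C'
  OriginalCode = 'db 8B 4F 0C 8B 1C 81'
end

if getProcessIDFromProcessName("KBDarkside.exe") ~= nil then
  OpenProcess("KBDarkside.exe")
  Process = 'KBDarkside.exe'
  Signatura = '8B 45 0C 8B 0C 98 8B 01 FF 50 14 89 44 24 14 8B 46 10'
  Register1 = 'ecx'
  Register2 = 'ebp'
  Register3 = 'eax'
  a = '0C'
  OriginalCode = 'db 8B 45 0C 8B 0C 98'
end

-- string.gsub raises "bad argument #3" on a nil replacement; say what is
-- actually wrong instead when no supported game (or an unknown KB.exe title)
-- was found.
if Process == nil then
  error("WindowCharacter: no supported King's Bounty process found, or KB.exe title not recognised")
end

-- Placeholder -> value, in a fixed order. '$' is only an anchor at the END of
-- a Lua pattern, so these match literally; no placeholder is a prefix of
-- another, so the order does not affect the result.
local substitutions = {
  { "$Process",      Process },
  { "$Signatura",    Signatura },
  { "$Register1",    Register1 },
  { "$Register2",    Register2 },
  { "$Register3",    Register3 },
  { "$a",            a },
  { "$OriginalCode", OriginalCode },
}

script = template
for _, pair in ipairs(substitutions) do
  -- A function replacement hands the value through verbatim, so a '%' in a
  -- future value cannot be misread by gsub as a capture reference.
  local value = pair[2]
  script = string.gsub(script, pair[1], function() return value end)
end
memoryRecord2.Script = script

{$ASM}
[DISABLE]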

 

Сам скрипт:


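{ Game   : KB.exe / kb.exe / KBWotN.exe / KBDarkside.exe (chosen by the Lua loader)
  Version:
  Date   : 2016-01-18
  Author : Garik66

  Window Character hook shared by five King's Bounty games.
  Every $name in this text is a placeholder ($Process, $Signatura,
  $Register1, $Register2, $Register3, $a, $OriginalCode) that the Lua
  [ENABLE] part of the table substitutes before the auto-assembler sees it.

  Injection point (6 bytes, see the ORIGINAL CODE blocks after the script):
      mov $Register3,[$Register2+0C]      // pointer table of the object
      mov <reg>,[$Register3+<idx>*4]      // entry being fetched
  Register roles after substitution:
      $Register1  scratch, saved/restored with push/pop (eax or ecx)
      $Register2  object whose attribute-name string is reached via +04
      $Register3  the pointer table - this is the value stored in XARn
      $a          offset of the ASCII name inside [$Register2+04] (0C or 14)
  The name is matched as little-endian ASCII dwords ("atta","ck\0\0" =
  attack, ...) and $Register3 is stored into the XARn of the matching
  attribute; the table then reads [[XARn]+0]+8. mana and rage additionally
  get [[XARn]+0]+08 overwritten with 64 (hex, = 100) on every hit.
  Flags are clobbered by the cmp chain; the ORIGINAL CODE listings show no
  flag-reading instruction between the injection point and the next
  test/xor, so nothing needs to be preserved across the hook.
}

[ENABLE]
aobscanmodule(WindowCharacter,$Process,$Signatura) // should be unique
alloc(newmem,$4000)
label(code)
label(return)
label(XAR1)
registersymbol(XAR1)
label(XAR2)
registersymbol(XAR2)
label(XAR3)
registersymbol(XAR3)
label(XAR4)
registersymbol(XAR4)
label(XAR5)
registersymbol(XAR5)
label(XAR6)
registersymbol(XAR6)
label(XAR7)
registersymbol(XAR7)
label(XAR8)
registersymbol(XAR8)
label(XAR9)
registersymbol(XAR9)
label(XAR10)
registersymbol(XAR10)
label(XAR11)
registersymbol(XAR11)
label(XAR12)
registersymbol(XAR12)
label(XAR13)
registersymbol(XAR13)
registersymbol(WindowCharacter)

newmem:
  $OriginalCode                     // the two displaced instructions run first
  push $Register1
  mov $Register1,[$Register2+04]    // pointer to the attribute name
  test $Register1,$Register1
  jz code                           // no name pointer: skip rather than dereference null
  cmp [$Register1+$a],61747461      // "atta" -> attack
  jne @f
  cmp [$Register1+$a+4],00006B63    // "ck\0\0"
  jne @f
  mov [XAR1],$Register3
  jmp code

@@:
  cmp [$Register1+$a],6B6F6F62      // "book" -> booksize
  jne @f
  cmp [$Register1+$a+4],657A6973    // "size"
  jne @f
  mov [XAR2],$Register3
  jmp code

@@:
  cmp [$Register1+$a+28],6B6F6F62   // booksize again at +28 (hex); same XAR2
  jne @f
  cmp [$Register1+$a+28+4],657A6973
  jne @f
  mov [XAR2],$Register3
  jmp code

@@:
  cmp [$Register1+$a],73797263      // "crys" -> crystals
  jne @f
  cmp [$Register1+$a+4],736C6174    // "tals"
  jne @f
  mov [XAR3],$Register3
  jmp code

@@:
  cmp [$Register1+$a],65666564      // "defe" -> defense
  jne @f
  cmp [$Register1+$a+4],0065736E    // "nse\0"
  jne @f
  mov [XAR4],$Register3
  jmp code

@@:
  cmp [$Register1+$a],65707865      // "expe" -> experience
  jne @f
  cmp [$Register1+$a+4],6E656972    // "rien"
  jne @f
  cmp [$Register1+$a+8],00006563    // "ce\0\0"
  jne @f
  mov [XAR5],$Register3
  jmp code

@@:
  cmp [$Register1+$a],65746E69      // "inte" -> intellect
  jne @f
  cmp [$Register1+$a+4],63656C6C    // "llec"
  jne @f
  cmp [$Register1+$a+8],00000074    // "t\0\0\0"
  jne @f
  mov [XAR6],$Register3
  jmp code

@@:
  cmp [$Register1+$a],6461656C      // "lead" -> leadership
  jne @f
  cmp [$Register1+$a+4],68737265    // "ersh"
  jne @f
  cmp [$Register1+$a+8],00007069    // "ip\0\0"
  jne @f
  mov [XAR7],$Register3
  jmp code

@@:
  cmp [$Register1+$a],616E616D      // "mana"
  jne @f
  mov [XAR8],$Register3
  mov $Register1,[$Register3]
  mov [$Register1+08],64            // 64 hex = 100; operand size left to the assembler default, as before
  jmp code

@@:
  cmp [$Register1+$a],656E6F6D      // "mone" -> money
  jne @f
  cmp byte ptr [$Register1+$a+4],79 // 'y' - only the fifth byte is checked
  jne @f
  mov [XAR9],$Register3
  jmp code

@@:
  cmp [$Register1+$a],65676172      // "rage"
  jne @f
  mov [XAR10],$Register3
  mov $Register1,[$Register3]
  mov [$Register1+08],64            // 64 hex = 100
  jmp code

@@:
  cmp [$Register1+$a+28],65676172   // rage again at +28 (hex); same XAR10
  jne @f
  mov [XAR10],$Register3
  mov $Register1,[$Register3]
  mov [$Register1+08],64            // 64 hex = 100
  jmp code

@@:
  cmp [$Register1+$a],656E7572      // "rune" -> rune_magic
  jne @f
  cmp [$Register1+$a+4],67616D5F    // "_mag"
  jne @f
  cmp [$Register1+$a+8],00006369    // "ic\0\0"
  jne @f
  mov [XAR11],$Register3
  jmp code

@@:
  cmp [$Register1+$a],656E7572      // "rune" -> rune_might
  jne @f
  cmp [$Register1+$a+4],67696D5F    // "_mig"
  jne @f
  cmp [$Register1+$a+8],00007468    // "ht\0\0"
  jne @f
  mov [XAR12],$Register3
  jmp code

@@:
  cmp [$Register1+$a],656E7572      // "rune" -> rune_mind (last candidate: misses exit directly)
  jne code
  cmp [$Register1+$a+4],6E696D5F    // "_min"
  jne code
  cmp [$Register1+$a+8],00000064    // "d\0\0\0"
  jne code
  mov [XAR13],$Register3
  jmp code

code:
  pop $Register1
  jmp return

XAR1:
dd 0
XAR2:
dd 0
XAR3:
dd 0
XAR4:
dd 0
XAR5:
dd 0
XAR6:
dd 0
XAR7:
dd 0
XAR8:
dd 0
XAR9:
dd 0
XAR10:
dd 0
XAR11:
dd 0
XAR12:
dd 0
XAR13:
dd 0

WindowCharacter:
  jmp newmem                        // 5-byte jmp + 1-byte nop cover the 6 displaced bytes
  db 90
return:

[DISABLE]
WindowCharacter:
  $OriginalCode                     // restore the 6 original bytes before newmem is released

unregistersymbol(XAR1)
unregistersymbol(XAR2)
unregistersymbol(XAR3)
unregistersymbol(XAR4)
unregistersymbol(XAR5)
unregistersymbol(XAR6)
unregistersymbol(XAR7)
unregistersymbol(XAR8)
unregistersymbol(XAR9)
unregistersymbol(XAR10)
unregistersymbol(XAR11)
unregistersymbol(XAR12)
unregistersymbol(XAR13)
unregistersymbol(WindowCharacter)
dealloc(newmem)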

{
// ORIGINAL CODE - INJECTION POINT: "KB.exe"+465A1

"KB.exe"+46582: E8 09 C4 FC FF     -  call KB.exe+12990
"KB.exe"+46587: 8B F8              -  mov edi,eax
"KB.exe"+46589: 85 FF              -  test edi,edi
"KB.exe"+4658B: 0F 84 6D FF FF FF  -  je KB.exe+464FE
"KB.exe"+46591: 8B 74 24 3C        -  mov esi,[esp+3C]
"KB.exe"+46595: 56                 -  push esi
"KB.exe"+46596: 8B CF              -  mov ecx,edi
"KB.exe"+46598: E8 A3 79 1E 00     -  call KB.exe+22DF40
"KB.exe"+4659D: 85 C0              -  test eax,eax
"KB.exe"+4659F: 7C 0C              -  jl KB.exe+465AD
// ---------- INJECTING HERE ----------
"KB.exe"+465A1: 8B 4F 0C           -  mov ecx,[edi+0C]
"KB.exe"+465A4: 8B 2C 81           -  mov ebp,[ecx+eax*4]
// ---------- DONE INJECTING  ----------
"KB.exe"+465A7: 89 6C 24 18        -  mov [esp+18],ebp
"KB.exe"+465AB: EB 06              -  jmp KB.exe+465B3
"KB.exe"+465AD: 89 5C 24 18        -  mov [esp+18],ebx
"KB.exe"+465B1: 8B EB              -  mov ebp,ebx
"KB.exe"+465B3: 0F B6 16           -  movzx edx,byte ptr [esi]
"KB.exe"+465B6: 8B 44 24 1C        -  mov eax,[esp+1C]
"KB.exe"+465BA: 52                 -  push edx
"KB.exe"+465BB: E8 D0 AE 00 00     -  call KB.exe+51490
"KB.exe"+465C0: 84 C0              -  test al,al
"KB.exe"+465C2: 0F 84 E4 00 00 00  -  je KB.exe+466AC
}
{
// ORIGINAL CODE - INJECTION POINT: "kb.exe"+4CBD0

"kb.exe"+4CBB1: E8 EA AA FC FF     -  call kb.exe+176A0
"kb.exe"+4CBB6: 8B F8              -  mov edi,eax
"kb.exe"+4CBB8: 85 FF              -  test edi,edi
"kb.exe"+4CBBA: 0F 84 6C FF FF FF  -  je kb.exe+4CB2C
"kb.exe"+4CBC0: 8B 6C 24 34        -  mov ebp,[esp+34]
"kb.exe"+4CBC4: 55                 -  push ebp
"kb.exe"+4CBC5: 8B CF              -  mov ecx,edi
"kb.exe"+4CBC7: E8 A4 1B 1F 00     -  call kb.exe+23E770
"kb.exe"+4CBCC: 85 C0              -  test eax,eax
"kb.exe"+4CBCE: 7C 0C              -  jl kb.exe+4CBDC
// ---------- INJECTING HERE ----------
"kb.exe"+4CBD0: 8B 4F 0C           -  mov ecx,[edi+0C]
"kb.exe"+4CBD3: 8B 34 81           -  mov esi,[ecx+eax*4]
// ---------- DONE INJECTING  ----------
"kb.exe"+4CBD6: 89 74 24 10        -  mov [esp+10],esi
"kb.exe"+4CBDA: EB 06              -  jmp kb.exe+4CBE2
"kb.exe"+4CBDC: 89 5C 24 10        -  mov [esp+10],ebx
"kb.exe"+4CBE0: 8B F3              -  mov esi,ebx
"kb.exe"+4CBE2: 0F B6 55 00        -  movzx edx,byte ptr [ebp+00]
"kb.exe"+4CBE6: 8B 44 24 14        -  mov eax,[esp+14]
"kb.exe"+4CBEA: 52                 -  push edx
"kb.exe"+4CBEB: E8 60 CF 00 00     -  call kb.exe+59B50
"kb.exe"+4CBF0: 84 C0              -  test al,al
"kb.exe"+4CBF2: 0F 84 F6 00 00 00  -  je kb.exe+4CCEE
}
{
// ORIGINAL CODE - INJECTION POINT: "KB.exe"+51122

"KB.exe"+51103: E8 58 83 FC FF           -  call KB.exe+19460
"KB.exe"+51108: 8B F8                    -  mov edi,eax
"KB.exe"+5110A: 85 FF                    -  test edi,edi
"KB.exe"+5110C: 0F 84 70 FF FF FF        -  je KB.exe+51082
"KB.exe"+51112: 8B 6C 24 3C              -  mov ebp,[esp+3C]
"KB.exe"+51116: 55                       -  push ebp
"KB.exe"+51117: 8B CF                    -  mov ecx,edi
"KB.exe"+51119: E8 72 68 1E 00           -  call KB.exe+237990
"KB.exe"+5111E: 85 C0                    -  test eax,eax
"KB.exe"+51120: 7C 0C                    -  jl KB.exe+5112E
// ---------- INJECTING HERE ----------
"KB.exe"+51122: 8B 4F 0C                 -  mov ecx,[edi+0C]
"KB.exe"+51125: 8B 34 81                 -  mov esi,[ecx+eax*4]
// ---------- DONE INJECTING  ----------
"KB.exe"+51128: 89 74 24 18              -  mov [esp+18],esi
"KB.exe"+5112C: EB 0C                    -  jmp KB.exe+5113A
"KB.exe"+5112E: C7 44 24 18 00 00 00 00  -  mov [esp+18],00000000
"KB.exe"+51136: 8B 74 24 18              -  mov esi,[esp+18]
"KB.exe"+5113A: 0F B6 55 00              -  movzx edx,byte ptr [ebp+00]
"KB.exe"+5113E: 52                       -  push edx
"KB.exe"+5113F: 8B C3                    -  mov eax,ebx
"KB.exe"+51141: E8 EA DC 00 00           -  call KB.exe+5EE30
"KB.exe"+51146: 84 C0                    -  test al,al
"KB.exe"+51148: 0F 84 F8 00 00 00        -  je KB.exe+51246
}
{
// ORIGINAL CODE - INJECTION POINT: "KBWotN.exe"+D43EC

"KBWotN.exe"+D43CD: E8 7E ED F2 FF           -  call KBWotN.exe+3150
"KBWotN.exe"+D43D2: 8B F8                    -  mov edi,eax
"KBWotN.exe"+D43D4: 85 FF                    -  test edi,edi
"KBWotN.exe"+D43D6: 0F 84 67 FF FF FF        -  je KBWotN.exe+D4343
"KBWotN.exe"+D43DC: 8B 74 24 34              -  mov esi,[esp+34]
"KBWotN.exe"+D43E0: 56                       -  push esi
"KBWotN.exe"+D43E1: 8B CF                    -  mov ecx,edi
"KBWotN.exe"+D43E3: E8 F8 07 F3 FF           -  call KBWotN.exe+4BE0
"KBWotN.exe"+D43E8: 85 C0                    -  test eax,eax
"KBWotN.exe"+D43EA: 78 08                    -  js KBWotN.exe+D43F4
// ---------- INJECTING HERE ----------
"KBWotN.exe"+D43EC: 8B 4F 0C                 -  mov ecx,[edi+0C]
"KBWotN.exe"+D43EF: 8B 1C 81                 -  mov ebx,[ecx+eax*4]
// ---------- DONE INJECTING  ----------
"KBWotN.exe"+D43F2: EB 02                    -  jmp KBWotN.exe+D43F6
"KBWotN.exe"+D43F4: 33 DB                    -  xor ebx,ebx
"KBWotN.exe"+D43F6: 0F B6 16                 -  movzx edx,byte ptr [esi]
"KBWotN.exe"+D43F9: 52                       -  push edx
"KBWotN.exe"+D43FA: 8B CD                    -  mov ecx,ebp
"KBWotN.exe"+D43FC: E8 8F 6A FE FF           -  call KBWotN.exe+BAE90
"KBWotN.exe"+D4401: 84 C0                    -  test al,al
"KBWotN.exe"+D4403: 0F 84 EC 00 00 00        -  je KBWotN.exe+D44F5
"KBWotN.exe"+D4409: 85 DB                    -  test ebx,ebx
"KBWotN.exe"+D440B: 0F 84 0B 01 00 00        -  je KBWotN.exe+D451C
}
{
// ORIGINAL CODE - INJECTION POINT: "KBDarkside.exe"+30FF17

"KBDarkside.exe"+30FEF5: 33 DB                 -  xor ebx,ebx
"KBDarkside.exe"+30FEF7: 89 44 24 14           -  mov [esp+14],eax
"KBDarkside.exe"+30FEFB: 85 C0                 -  test eax,eax
"KBDarkside.exe"+30FEFD: 0F 84 87 00 00 00     -  je KBDarkside.exe+30FF8A
"KBDarkside.exe"+30FF03: 57                    -  push edi
"KBDarkside.exe"+30FF04: 3B 5D 10              -  cmp ebx,[ebp+10]
"KBDarkside.exe"+30FF07: 72 0E                 -  jb KBDarkside.exe+30FF17
"KBDarkside.exe"+30FF09: 68 50 72 8A 00        -  push KBDarkside.exe+4A7250
"KBDarkside.exe"+30FF0E: FF 15 C4 2F 10 01     -  call dword ptr [KBDarkside.exe+D02FC4]
"KBDarkside.exe"+30FF14: 83 C4 04              -  add esp,04
// ---------- INJECTING HERE ----------
"KBDarkside.exe"+30FF17: 8B 45 0C              -  mov eax,[ebp+0C]
"KBDarkside.exe"+30FF1A: 8B 0C 98              -  mov ecx,[eax+ebx*4]
// ---------- DONE INJECTING  ----------
"KBDarkside.exe"+30FF1D: 8B 01                 -  mov eax,[ecx]
"KBDarkside.exe"+30FF1F: FF 50 14              -  call dword ptr [eax+14]
"KBDarkside.exe"+30FF22: 89 44 24 14           -  mov [esp+14],eax
"KBDarkside.exe"+30FF26: 8B 46 10              -  mov eax,[esi+10]
"KBDarkside.exe"+30FF29: 89 44 24 10           -  mov [esp+10],eax
"KBDarkside.exe"+30FF2D: 8D 68 01              -  lea ebp,[eax+01]
"KBDarkside.exe"+30FF30: 3B 6E 14              -  cmp ebp,[esi+14]
"KBDarkside.exe"+30FF33: 76 1D                 -  jna KBDarkside.exe+30FF52
"KBDarkside.exe"+30FF35: 8D 45 10              -  lea eax,[ebp+10]
"KBDarkside.exe"+30FF38: 89 46 14              -  mov [esi+14],eax
}

 

Статичный адрес, по которому определяю, какая из 3 первых игр запущена (у них название процесса одинаковое) - [nvd3dum.dll+D6ECD9].

Как забиты сами адреса характеристик Героя (пример: [[XAR1]+0]+8), показываю на видео.

Тема, которая создавалась у нас на форуме при написании скрипта - Один скрипт для двух игр, написанных на одном движке. Почитайте её тоже обязательно.

Видео:

 

Изменено пользователем Garik66

Разобрался, где и как сохранить, а потом и загрузить в табличку скрипт с метками.

Скрипт LUA для сохранения и загрузки в таблицу скрипта с метками:


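-- Restores the Window Character template - with its $placeholders intact -
-- into memory record 162, so the Lua loader in the main script can fill it
-- in again after the substituted text was written back over the template.
addressList = getAddressList()
memoryRecord2 = addressList.getMemoryRecordByID(162)
-- Readable error instead of "attempt to index a nil value" when record 162
-- does not exist in the currently loaded table.
if memoryRecord2 == nil then
  error("WindowCharacter: memory record 162 not found in the table")
end
-- Level-1 long bracket: the content is byte-identical to a [[...]] literal,
-- but a future "]]" inside the template would no longer end it early.
SaveScript1 = [=[
{ Game   : KB.exe
  Version:
  Date   : 2016-01-18
  Author : Garik66

  This script does blah blah blah
}

[ENABLE]
aobscanmodule(WindowCharacter,$Process,$Signatura) // should be unique
alloc(newmem,$4000)
label(code)
label(return)
label(XAR1)
registersymbol(XAR1)
label(XAR2)
registersymbol(XAR2)
label(XAR3)
registersymbol(XAR3)
label(XAR4)
registersymbol(XAR4)
label(XAR5)
registersymbol(XAR5)
label(XAR6)
registersymbol(XAR6)
label(XAR7)
registersymbol(XAR7)
label(XAR8)
registersymbol(XAR8)
label(XAR9)
registersymbol(XAR9)
label(XAR10)
registersymbol(XAR10)
label(XAR11)
registersymbol(XAR11)
label(XAR12)
registersymbol(XAR12)
label(XAR13)
registersymbol(XAR13)
registersymbol(WindowCharacter)

newmem:
  $OriginalCode
  push $Register1
  mov $Register1,[$Register2+04]
  cmp [$Register1+$a],61747461      // attack
  jne @f
  cmp [$Register1+$a+4],00006B63
  jne @f
  mov [XAR1],$Register3
  jmp code

@@:
  cmp [$Register1+$a],6B6F6F62      // booksize
  jne @f
  cmp [$Register1+$a+4],657A6973
  jne @f
  mov [XAR2],$Register3
  jmp code

@@:
  cmp [$Register1+$a+28],6B6F6F62   // booksize
  jne @f
  cmp [$Register1+$a+28+4],657A6973
  jne @f
  mov [XAR2],$Register3
  jmp code

@@:
  cmp [$Register1+$a],73797263      // crystals
  jne @f
  cmp [$Register1+$a+4],736C6174
  jne @f
  mov [XAR3],$Register3
  jmp code

@@:
  cmp [$Register1+$a],65666564      // defense
  jne @f
  cmp [$Register1+$a+4],0065736E
  jne @f
  mov [XAR4],$Register3
  jmp code

@@:
  cmp [$Register1+$a],65707865      // experience
  jne @f
  cmp [$Register1+$a+4],6E656972
  jne @f
  cmp [$Register1+$a+8],00006563
  jne @f
  mov [XAR5],$Register3
  jmp code

@@:
  cmp [$Register1+$a],65746E69      // intellect
  jne @f
  cmp [$Register1+$a+4],63656C6C
  jne @f
  cmp [$Register1+$a+8],00000074
  jne @f
  mov [XAR6],$Register3
  jmp code

@@:
  cmp [$Register1+$a],6461656C      // leadership
  jne @f
  cmp [$Register1+$a+4],68737265
  jne @f
  cmp [$Register1+$a+8],00007069
  jne @f
  mov [XAR7],$Register3
  jmp code

@@:
  cmp [$Register1+$a],616E616D      // mana
  jne @f
  mov [XAR8],$Register3
  mov $Register1,[$Register3]
  mov [$Register1+08],64
  jmp code

@@:
  cmp [$Register1+$a],656E6F6D      // money
  jne @f
  cmp byte ptr [$Register1+$a+4],79
  jne @f
  mov [XAR9],$Register3
  jmp code

@@:
  cmp [$Register1+$a],65676172      // rage
  jne @f
  mov [XAR10],$Register3
  mov $Register1,[$Register3]
  mov [$Register1+08],64
  jmp code

@@:
  cmp [$Register1+$a+28],65676172   // rage
  jne @f
  mov [XAR10],$Register3
  mov $Register1,[$Register3]
  mov [$Register1+08],64
  jmp code

@@:
  cmp [$Register1+$a],656E7572      // rune_magic
  jne @f
  cmp [$Register1+$a+4],67616D5F
  jne @f
  cmp [$Register1+$a+8],00006369
  jne @f
  mov [XAR11],$Register3
  jmp code

@@:
  cmp [$Register1+$a],656E7572      // rune_might
  jne @f
  cmp [$Register1+$a+4],67696D5F
  jne @f
  cmp [$Register1+$a+8],00007468
  jne @f
  mov [XAR12],$Register3
  jmp code

@@:
  cmp [$Register1+$a],656E7572      // rune_mind
  jne code
  cmp [$Register1+$a+4],6E696D5F
  jne code
  cmp [$Register1+$a+8],00000064
  jne code
  mov [XAR13],$Register3
  jmp code

code:
  pop $Register1
  jmp return

XAR1:
dd 0
XAR2:
dd 0
XAR3:
dd 0
XAR4:
dd 0
XAR5:
dd 0
XAR6:
dd 0
XAR7:
dd 0
XAR8:
dd 0
XAR9:
dd 0
XAR10:
dd 0
XAR11:
dd 0
XAR12:
dd 0
XAR13:
dd 0

WindowCharacter:
  jmp newmem
  db 90
return:

[DISABLE]
WindowCharacter:
  $OriginalCode

unregistersymbol(XAR1)
unregistersymbol(XAR2)
unregistersymbol(XAR3)
unregistersymbol(XAR4)
unregistersymbol(XAR5)
unregistersymbol(XAR6)
unregistersymbol(XAR7)
unregistersymbol(XAR8)
unregistersymbol(XAR9)
unregistersymbol(XAR10)
unregistersymbol(XAR11)
unregistersymbol(XAR12)
unregistersymbol(XAR13)
unregistersymbol(WindowCharacter)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "KB.exe"+465A1

"KB.exe"+46582: E8 09 C4 FC FF     -  call KB.exe+12990
"KB.exe"+46587: 8B F8              -  mov edi,eax
"KB.exe"+46589: 85 FF              -  test edi,edi
"KB.exe"+4658B: 0F 84 6D FF FF FF  -  je KB.exe+464FE
"KB.exe"+46591: 8B 74 24 3C        -  mov esi,[esp+3C]
"KB.exe"+46595: 56                 -  push esi
"KB.exe"+46596: 8B CF              -  mov ecx,edi
"KB.exe"+46598: E8 A3 79 1E 00     -  call KB.exe+22DF40
"KB.exe"+4659D: 85 C0              -  test eax,eax
"KB.exe"+4659F: 7C 0C              -  jl KB.exe+465AD
// ---------- INJECTING HERE ----------
"KB.exe"+465A1: 8B 4F 0C           -  mov ecx,[edi+0C]
"KB.exe"+465A4: 8B 2C 81           -  mov ebp,[ecx+eax*4]
// ---------- DONE INJECTING  ----------
"KB.exe"+465A7: 89 6C 24 18        -  mov [esp+18],ebp
"KB.exe"+465AB: EB 06              -  jmp KB.exe+465B3
"KB.exe"+465AD: 89 5C 24 18        -  mov [esp+18],ebx
"KB.exe"+465B1: 8B EB              -  mov ebp,ebx
"KB.exe"+465B3: 0F B6 16           -  movzx edx,byte ptr [esi]
"KB.exe"+465B6: 8B 44 24 1C        -  mov eax,[esp+1C]
"KB.exe"+465BA: 52                 -  push edx
"KB.exe"+465BB: E8 D0 AE 00 00     -  call KB.exe+51490
"KB.exe"+465C0: 84 C0              -  test al,al
"KB.exe"+465C2: 0F 84 E4 00 00 00  -  je KB.exe+466AC
}
{
// ORIGINAL CODE - INJECTION POINT: "kb.exe"+4CBD0

"kb.exe"+4CBB1: E8 EA AA FC FF     -  call kb.exe+176A0
"kb.exe"+4CBB6: 8B F8              -  mov edi,eax
"kb.exe"+4CBB8: 85 FF              -  test edi,edi
"kb.exe"+4CBBA: 0F 84 6C FF FF FF  -  je kb.exe+4CB2C
"kb.exe"+4CBC0: 8B 6C 24 34        -  mov ebp,[esp+34]
"kb.exe"+4CBC4: 55                 -  push ebp
"kb.exe"+4CBC5: 8B CF              -  mov ecx,edi
"kb.exe"+4CBC7: E8 A4 1B 1F 00     -  call kb.exe+23E770
"kb.exe"+4CBCC: 85 C0              -  test eax,eax
"kb.exe"+4CBCE: 7C 0C              -  jl kb.exe+4CBDC
// ---------- INJECTING HERE ----------
"kb.exe"+4CBD0: 8B 4F 0C           -  mov ecx,[edi+0C]
"kb.exe"+4CBD3: 8B 34 81           -  mov esi,[ecx+eax*4]
// ---------- DONE INJECTING  ----------
"kb.exe"+4CBD6: 89 74 24 10        -  mov [esp+10],esi
"kb.exe"+4CBDA: EB 06              -  jmp kb.exe+4CBE2
"kb.exe"+4CBDC: 89 5C 24 10        -  mov [esp+10],ebx
"kb.exe"+4CBE0: 8B F3              -  mov esi,ebx
"kb.exe"+4CBE2: 0F B6 55 00        -  movzx edx,byte ptr [ebp+00]
"kb.exe"+4CBE6: 8B 44 24 14        -  mov eax,[esp+14]
"kb.exe"+4CBEA: 52                 -  push edx
"kb.exe"+4CBEB: E8 60 CF 00 00     -  call kb.exe+59B50
"kb.exe"+4CBF0: 84 C0              -  test al,al
"kb.exe"+4CBF2: 0F 84 F6 00 00 00  -  je kb.exe+4CCEE
}
{
// ORIGINAL CODE - INJECTION POINT: "KB.exe"+51122

"KB.exe"+51103: E8 58 83 FC FF           -  call KB.exe+19460
"KB.exe"+51108: 8B F8                    -  mov edi,eax
"KB.exe"+5110A: 85 FF                    -  test edi,edi
"KB.exe"+5110C: 0F 84 70 FF FF FF        -  je KB.exe+51082
"KB.exe"+51112: 8B 6C 24 3C              -  mov ebp,[esp+3C]
"KB.exe"+51116: 55                       -  push ebp
"KB.exe"+51117: 8B CF                    -  mov ecx,edi
"KB.exe"+51119: E8 72 68 1E 00           -  call KB.exe+237990
"KB.exe"+5111E: 85 C0                    -  test eax,eax
"KB.exe"+51120: 7C 0C                    -  jl KB.exe+5112E
// ---------- INJECTING HERE ----------
"KB.exe"+51122: 8B 4F 0C                 -  mov ecx,[edi+0C]
"KB.exe"+51125: 8B 34 81                 -  mov esi,[ecx+eax*4]
// ---------- DONE INJECTING  ----------
"KB.exe"+51128: 89 74 24 18              -  mov [esp+18],esi
"KB.exe"+5112C: EB 0C                    -  jmp KB.exe+5113A
"KB.exe"+5112E: C7 44 24 18 00 00 00 00  -  mov [esp+18],00000000
"KB.exe"+51136: 8B 74 24 18              -  mov esi,[esp+18]
"KB.exe"+5113A: 0F B6 55 00              -  movzx edx,byte ptr [ebp+00]
"KB.exe"+5113E: 52                       -  push edx
"KB.exe"+5113F: 8B C3                    -  mov eax,ebx
"KB.exe"+51141: E8 EA DC 00 00           -  call KB.exe+5EE30
"KB.exe"+51146: 84 C0                    -  test al,al
"KB.exe"+51148: 0F 84 F8 00 00 00        -  je KB.exe+51246
}
{
// ORIGINAL CODE - INJECTION POINT: "KBWotN.exe"+D43EC

"KBWotN.exe"+D43CD: E8 7E ED F2 FF           -  call KBWotN.exe+3150
"KBWotN.exe"+D43D2: 8B F8                    -  mov edi,eax
"KBWotN.exe"+D43D4: 85 FF                    -  test edi,edi
"KBWotN.exe"+D43D6: 0F 84 67 FF FF FF        -  je KBWotN.exe+D4343
"KBWotN.exe"+D43DC: 8B 74 24 34              -  mov esi,[esp+34]
"KBWotN.exe"+D43E0: 56                       -  push esi
"KBWotN.exe"+D43E1: 8B CF                    -  mov ecx,edi
"KBWotN.exe"+D43E3: E8 F8 07 F3 FF           -  call KBWotN.exe+4BE0
"KBWotN.exe"+D43E8: 85 C0                    -  test eax,eax
"KBWotN.exe"+D43EA: 78 08                    -  js KBWotN.exe+D43F4
// ---------- INJECTING HERE ----------
"KBWotN.exe"+D43EC: 8B 4F 0C                 -  mov ecx,[edi+0C]
"KBWotN.exe"+D43EF: 8B 1C 81                 -  mov ebx,[ecx+eax*4]
// ---------- DONE INJECTING  ----------
"KBWotN.exe"+D43F2: EB 02                    -  jmp KBWotN.exe+D43F6
"KBWotN.exe"+D43F4: 33 DB                    -  xor ebx,ebx
"KBWotN.exe"+D43F6: 0F B6 16                 -  movzx edx,byte ptr [esi]
"KBWotN.exe"+D43F9: 52                       -  push edx
"KBWotN.exe"+D43FA: 8B CD                    -  mov ecx,ebp
"KBWotN.exe"+D43FC: E8 8F 6A FE FF           -  call KBWotN.exe+BAE90
"KBWotN.exe"+D4401: 84 C0                    -  test al,al
"KBWotN.exe"+D4403: 0F 84 EC 00 00 00        -  je KBWotN.exe+D44F5
"KBWotN.exe"+D4409: 85 DB                    -  test ebx,ebx
"KBWotN.exe"+D440B: 0F 84 0B 01 00 00        -  je KBWotN.exe+D451C
}
{
// ORIGINAL CODE - INJECTION POINT: "KBDarkside.exe"+30FF17

"KBDarkside.exe"+30FEF5: 33 DB                 -  xor ebx,ebx
"KBDarkside.exe"+30FEF7: 89 44 24 14           -  mov [esp+14],eax
"KBDarkside.exe"+30FEFB: 85 C0                 -  test eax,eax
"KBDarkside.exe"+30FEFD: 0F 84 87 00 00 00     -  je KBDarkside.exe+30FF8A
"KBDarkside.exe"+30FF03: 57                    -  push edi
"KBDarkside.exe"+30FF04: 3B 5D 10              -  cmp ebx,[ebp+10]
"KBDarkside.exe"+30FF07: 72 0E                 -  jb KBDarkside.exe+30FF17
"KBDarkside.exe"+30FF09: 68 50 72 8A 00        -  push KBDarkside.exe+4A7250
"KBDarkside.exe"+30FF0E: FF 15 C4 2F 10 01     -  call dword ptr [KBDarkside.exe+D02FC4]
"KBDarkside.exe"+30FF14: 83 C4 04              -  add esp,04
// ---------- INJECTING HERE ----------
"KBDarkside.exe"+30FF17: 8B 45 0C              -  mov eax,[ebp+0C]
"KBDarkside.exe"+30FF1A: 8B 0C 98              -  mov ecx,[eax+ebx*4]
// ---------- DONE INJECTING  ----------
"KBDarkside.exe"+30FF1D: 8B 01                 -  mov eax,[ecx]
"KBDarkside.exe"+30FF1F: FF 50 14              -  call dword ptr [eax+14]
"KBDarkside.exe"+30FF22: 89 44 24 14           -  mov [esp+14],eax
"KBDarkside.exe"+30FF26: 8B 46 10              -  mov eax,[esi+10]
"KBDarkside.exe"+30FF29: 89 44 24 10           -  mov [esp+10],eax
"KBDarkside.exe"+30FF2D: 8D 68 01              -  lea ebp,[eax+01]
"KBDarkside.exe"+30FF30: 3B 6E 14              -  cmp ebp,[esi+14]
"KBDarkside.exe"+30FF33: 76 1D                 -  jna KBDarkside.exe+30FF52
"KBDarkside.exe"+30FF35: 8D 45 10              -  lea eax,[ebp+10]
"KBDarkside.exe"+30FF38: 89 46 14              -  mov [esi+14],eax
}
]=]
memoryRecord2.Script = SaveScript1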

 

Видео:

 

Изменено пользователем Garik66
