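Tzeentch Опубликовано 13 марта, 2021 Поделиться Опубликовано 13 марта, 2021

Всем доброго дня. Ломал издание Uplay. Но думаю, на пиратке также работать будет. Здоровье и патроны тут находятся почти так же, как и в прошлых частях. На точность прицела оказалось достаточно подмены только одной инструкции в нужном месте. Итак:

Infinite Health:
Спойлер
{
  Game   : splintercell3.exe
  Version:
  Date   : 2021-03-13
  Author : Templar

  Infinite health.
  Hooks the health subtraction (mov eax,[ebx] / sub eax,edx / mov [ebx],eax).
  When the object pointed to by ebx carries the player id at [ebx+10] the damage
  in edx is zeroed before the subtraction; everything else takes damage as usual.
  Patch size: 6 bytes (5-byte jmp + 1 nop), restored verbatim on [DISABLE].
}

[ENABLE]

aobscanmodule(InfHealth,splintercell3.exe,8B 54 24 10 2B C2) // should be unique
alloc(newmem,$1000)

label(code)
label(return)
label(next_code)

newmem:

code:
  mov edx,[esp+10]        // edx = damage
  // my code
  cmp [ebx+10],#1         // player id
  jne next_code           // not the player: apply damage as usual
  xor edx,edx             // player: zero the damage
  // my code
next_code:
  sub eax,edx             // health -= damage
  jmp return

InfHealth:
  jmp newmem
  nop
return:
registersymbol(InfHealth)

[DISABLE]

InfHealth:
  db 8B 54 24 10 2B C2

unregistersymbol(InfHealth)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: splintercell3.exe+3F07C4

splintercell3.exe+3F07AA: 89 56 0C           - mov [esi+0C],edx
splintercell3.exe+3F07AD: 80 38 42           - cmp byte ptr [eax],42
splintercell3.exe+3F07B0: 75 10              - jne splintercell3.exe+3F07C2
splintercell3.exe+3F07B2: 8B 4E 08           - mov ecx,[esi+08]
splintercell3.exe+3F07B5: 6A 00              - push 00
splintercell3.exe+3F07B7: 40                 - inc eax
splintercell3.exe+3F07B8: 56                 - push esi
splintercell3.exe+3F07B9: 89 46 0C           - mov [esi+0C],eax
splintercell3.exe+3F07BC: FF 15 C0 28 31 11  - call dword ptr [splintercell3.exe+A128C0]
splintercell3.exe+3F07C2: 8B 03              - mov eax,[ebx]
// ---------- INJECTING HERE ----------
splintercell3.exe+3F07C4: 8B 54 24 10        - mov edx,[esp+10]
// ---------- DONE INJECTING  ----------
splintercell3.exe+3F07C8: 2B C2              - sub eax,edx
splintercell3.exe+3F07CA: 89 03              - mov [ebx],eax
splintercell3.exe+3F07CC: 8B D8              - mov ebx,eax
splintercell3.exe+3F07CE: 8B 44 24 14        - mov eax,[esp+14]
splintercell3.exe+3F07D2: 5E                 - pop esi
splintercell3.exe+3F07D3: 89 18              - mov [eax],ebx
splintercell3.exe+3F07D5: 5B                 - pop ebx
splintercell3.exe+3F07D6: 59                 - pop ecx
splintercell3.exe+3F07D7: C2 08 00           - ret 0008
splintercell3.exe+3F07DA: CC                 - int 3
}

Infinite Ammo:
Спойлер
{
  Game   : splintercell3.exe
  Version:
  Date   : 2021-03-13
  Author : Templar

  Infinite ammo.
  Hooks the ammo decrement (dec edi / mov [esi+0000043C],edi). The decrement is
  skipped when the static weapon field at [esi+0000043C+C] is 20 (pistol) or
  80 (rifle); every other weapon still loses ammo.
  Patch size: 7 bytes (5-byte jmp + 2 nops), restored verbatim on [DISABLE].
  Mutually exclusive with the NoReload script below, which contains its own copy
  of this hook under the same symbol (see its header).
}

[ENABLE]

aobscanmodule(InfAmmo,splintercell3.exe,4F 89 BE 3C 04 00 00) // should be unique
alloc(newmem,$1000)

label(code)
label(return)
label(next_code)

newmem:

code:
  // my code
  cmp [esi+0000043C+C],#20   // static offset - pistol
  je next_code               // skip the decrement for the pistol
  cmp [esi+0000043C+C],#80   // static offset - rifle
  je next_code               // skip the decrement for the rifle
  // my code
  dec edi                    // everything else is decremented
next_code:
  mov [esi+0000043C],edi
  jmp return

InfAmmo:
  jmp newmem
  nop 2
return:
registersymbol(InfAmmo)

[DISABLE]

InfAmmo:
  db 4F 89 BE 3C 04 00 00

unregistersymbol(InfAmmo)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: splintercell3.AEGameplayObject::PostBeginPlay+BBBB

splintercell3.AEGameplayObject::PostBeginPlay+BB98: 89 50 04           - mov [eax+04],edx
splintercell3.AEGameplayObject::PostBeginPlay+BB9B: 8B 91 B4 02 00 00  - mov edx,[ecx+000002B4]
splintercell3.AEGameplayObject::PostBeginPlay+BBA1: 52                 - push edx
splintercell3.AEGameplayObject::PostBeginPlay+BBA2: 8B CE              - mov ecx,esi
splintercell3.AEGameplayObject::PostBeginPlay+BBA4: 89 78 08           - mov [eax+08],edi
splintercell3.AEGameplayObject::PostBeginPlay+BBA7: E8 84 F0 FF FF     - call splintercell3.AEGameplayObject::PostBeginPlay+AC30
splintercell3.AEGameplayObject::PostBeginPlay+BBAC: 8B 9E 34 04 00 00  - mov ebx,[esi+00000434]
splintercell3.AEGameplayObject::PostBeginPlay+BBB2: 8B BE 3C 04 00 00  - mov edi,[esi+0000043C]
splintercell3.AEGameplayObject::PostBeginPlay+BBB8: 6A 00              - push 00
splintercell3.AEGameplayObject::PostBeginPlay+BBBA: 4B                 - dec ebx
// ---------- INJECTING HERE ----------
splintercell3.AEGameplayObject::PostBeginPlay+BBBB: 4F                 - dec edi
// ---------- DONE INJECTING  ----------
splintercell3.AEGameplayObject::PostBeginPlay+BBBC: 89 BE 3C 04 00 00  - mov [esi+0000043C],edi
splintercell3.AEGameplayObject::PostBeginPlay+BBC2: 8B BE 20 04 00 00  - mov edi,[esi+00000420]
splintercell3.AEGameplayObject::PostBeginPlay+BBC8: 6A 00              - push 00
splintercell3.AEGameplayObject::PostBeginPlay+BBCA: 89 9E 34 04 00 00  - mov [esi+00000434],ebx
splintercell3.AEGameplayObject::PostBeginPlay+BBD0: A1 A0 A0 1F 11     - mov eax,[splintercell3.exe+8FA0A0]
splintercell3.AEGameplayObject::PostBeginPlay+BBD5: 8B 1F              - mov ebx,[edi]
splintercell3.AEGameplayObject::PostBeginPlay+BBD7: 6A 00              - push 00
splintercell3.AEGameplayObject::PostBeginPlay+BBD9: 50                 - push eax
splintercell3.AEGameplayObject::PostBeginPlay+BBDA: 8B CF              - mov ecx,edi
splintercell3.AEGameplayObject::PostBeginPlay+BBDC: E8 5F F4 0D 00     - call splintercell3.exe+3D92D0
}

NoReload:
Спойлер
{
  Game   : splintercell3.exe
  Version:
  Date   : 2021-03-13
  Author : Templar

  No reload (bundled with infinite ammo).
  Hook 1 (InfAmmo) is a copy of the Infinite Ammo script above.
  Hook 2 (NoReload) sits on the magazine write (mov [esi+00000434],ebx); ebx
  already holds the decremented magazine count. When the static max-magazine
  field at [esi+00000434+4] is 20 (pistol) or 30 (rifle), ebx is replaced with
  that maximum before the write, so the magazine never empties.

  NOTE: do not enable this script together with the standalone Infinite Ammo
  script. Both scan for the original bytes 4F 89 BE 3C 04 00 00 and register the
  same symbol InfAmmo; once either is active those bytes are replaced by the jmp,
  so the other script's aobscanmodule fails and the script will not enable.
  Patch sizes: 7 bytes (InfAmmo) and 6 bytes (NoReload), both restored on [DISABLE].
}

[ENABLE]

aobscanmodule(InfAmmo,splintercell3.exe,4F 89 BE 3C 04 00 00) // should be unique
registersymbol(InfAmmo)
alloc(newmem_1,$1000)

aobscanmodule(NoReload,splintercell3.exe,89 9E 34 04 00 00 A1) // should be unique
registersymbol(NoReload)
alloc(newmem_2,$1000)

// InfAmmo
label(code_1)
label(return_1)
label(next_code)

newmem_1:

code_1:
  // my code
  cmp [esi+0000043C+C],#20   // static offset - pistol
  je next_code               // skip the decrement for the pistol
  cmp [esi+0000043C+C],#80   // static offset - rifle
  je next_code               // skip the decrement for the rifle
  // my code
  dec edi                    // everything else is decremented
next_code:
  mov [esi+0000043C],edi
  jmp return_1

InfAmmo:
  jmp newmem_1
  nop 2
return_1:

// NoReload
label(code_2)
label(return_2)
label(orig_code)
label(part_2)

newmem_2:

code_2:
  // my code
  // pistol
  cmp [esi+00000434+4],#20   // compare with the max magazine - static offset
  jne part_2                 // not the pistol: try the next weapon
  mov ebx,[esi+00000434+4]   // load the maximum into the magazine
part_2:
  // rifle
  cmp [esi+00000434+4],#30   // compare with the max magazine - static offset
  jne orig_code              // not the rifle: fall through to the original code
  mov ebx,[esi+00000434+4]   // load the maximum into the magazine
  // my code
orig_code:
  mov [esi+00000434],ebx
  jmp return_2

NoReload:
  jmp newmem_2
  nop
return_2:

[DISABLE]

InfAmmo:
  db 4F 89 BE 3C 04 00 00

unregistersymbol(InfAmmo)
dealloc(newmem_1)

NoReload:
  db 89 9E 34 04 00 00

unregistersymbol(NoReload)
dealloc(newmem_2)

{
// ORIGINAL CODE - INJECTION POINT: splintercell3.AEGameplayObject::PostBeginPlay+BBBB

splintercell3.AEGameplayObject::PostBeginPlay+BB98: 89 50 04           - mov [eax+04],edx
splintercell3.AEGameplayObject::PostBeginPlay+BB9B: 8B 91 B4 02 00 00  - mov edx,[ecx+000002B4]
splintercell3.AEGameplayObject::PostBeginPlay+BBA1: 52                 - push edx
splintercell3.AEGameplayObject::PostBeginPlay+BBA2: 8B CE              - mov ecx,esi
splintercell3.AEGameplayObject::PostBeginPlay+BBA4: 89 78 08           - mov [eax+08],edi
splintercell3.AEGameplayObject::PostBeginPlay+BBA7: E8 84 F0 FF FF     - call splintercell3.AEGameplayObject::PostBeginPlay+AC30
splintercell3.AEGameplayObject::PostBeginPlay+BBAC: 8B 9E 34 04 00 00  - mov ebx,[esi+00000434]
splintercell3.AEGameplayObject::PostBeginPlay+BBB2: 8B BE 3C 04 00 00  - mov edi,[esi+0000043C]
splintercell3.AEGameplayObject::PostBeginPlay+BBB8: 6A 00              - push 00
splintercell3.AEGameplayObject::PostBeginPlay+BBBA: 4B                 - dec ebx
// ---------- INJECTING HERE ----------
splintercell3.AEGameplayObject::PostBeginPlay+BBBB: 4F                 - dec edi
// ---------- DONE INJECTING  ----------
splintercell3.AEGameplayObject::PostBeginPlay+BBBC: 89 BE 3C 04 00 00  - mov [esi+0000043C],edi
splintercell3.AEGameplayObject::PostBeginPlay+BBC2: 8B BE 20 04 00 00  - mov edi,[esi+00000420]
splintercell3.AEGameplayObject::PostBeginPlay+BBC8: 6A 00              - push 00
splintercell3.AEGameplayObject::PostBeginPlay+BBCA: 89 9E 34 04 00 00  - mov [esi+00000434],ebx
splintercell3.AEGameplayObject::PostBeginPlay+BBD0: A1 A0 A0 1F 11     - mov eax,[splintercell3.exe+8FA0A0]
splintercell3.AEGameplayObject::PostBeginPlay+BBD5: 8B 1F              - mov ebx,[edi]
splintercell3.AEGameplayObject::PostBeginPlay+BBD7: 6A 00              - push 00
splintercell3.AEGameplayObject::PostBeginPlay+BBD9: 50                 - push eax
splintercell3.AEGameplayObject::PostBeginPlay+BBDA: 8B CF              - mov ecx,edi
splintercell3.AEGameplayObject::PostBeginPlay+BBDC: E8 5F F4 0D 00     - call splintercell3.exe+3D92D0
}

SuperAccuracy:
Спойлер
{
  Game   : splintercell3.exe
  Version:
  Date   : 2021-03-13
  Author : Templar

  Super accuracy.
  Replaces the single instruction mov edx,[esi+0000052C] (the current aim-spread
  value) with a zero, so the store that follows at +A245 writes 0 into
  [esi+00000530]. The original load is not reproduced in the hook: edx is
  overwritten by the xor anyway and mov does not touch flags, so dropping it
  changes nothing observable.
  Patch size: 6 bytes (5-byte jmp + 1 nop), restored verbatim on [DISABLE].
}

[ENABLE]

aobscanmodule(SuperAccuracy,splintercell3.exe,8B 96 2C 05 00 00 89) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  xor edx,edx             // zero the aim spread (replaces mov edx,[esi+0000052C])
  jmp return

SuperAccuracy:
  jmp newmem
  nop
return:
registersymbol(SuperAccuracy)

[DISABLE]

SuperAccuracy:
  db 8B 96 2C 05 00 00

unregistersymbol(SuperAccuracy)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: splintercell3.AEGameplayObject::PostBeginPlay+A23F

splintercell3.AEGameplayObject::PostBeginPlay+A21D: F6 47 2C 10        - test byte ptr [edi+2C],10
splintercell3.AEGameplayObject::PostBeginPlay+A221: 75 07              - jne splintercell3.AEGameplayObject::PostBeginPlay+A22A
splintercell3.AEGameplayObject::PostBeginPlay+A223: BF 01 00 00 00     - mov edi,00000001
splintercell3.AEGameplayObject::PostBeginPlay+A228: EB 02              - jmp splintercell3.AEGameplayObject::PostBeginPlay+A22C
splintercell3.AEGameplayObject::PostBeginPlay+A22A: 33 FF              - xor edi,edi
splintercell3.AEGameplayObject::PostBeginPlay+A22C: D9 86 30 05 00 00  - fld dword ptr [esi+00000530]
splintercell3.AEGameplayObject::PostBeginPlay+A232: D8 9E 2C 05 00 00  - fcomp dword ptr [esi+0000052C]
splintercell3.AEGameplayObject::PostBeginPlay+A238: DF E0              - fnstsw ax
splintercell3.AEGameplayObject::PostBeginPlay+A23A: F6 C4 05           - test ah,05
splintercell3.AEGameplayObject::PostBeginPlay+A23D: 7A 11              - jp splintercell3.AEGameplayObject::PostBeginPlay+A250
// ---------- INJECTING HERE ----------
splintercell3.AEGameplayObject::PostBeginPlay+A23F: 8B 96 2C 05 00 00  - mov edx,[esi+0000052C]
// ---------- DONE INJECTING  ----------
splintercell3.AEGameplayObject::PostBeginPlay+A245: 89 96 30 05 00 00  - mov [esi+00000530],edx
splintercell3.AEGameplayObject::PostBeginPlay+A24B: E9 87 00 00 00     - jmp splintercell3.AEGameplayObject::PostBeginPlay+A2D7
splintercell3.AEGameplayObject::PostBeginPlay+A250: D9 86 2C 05 00 00  - fld dword ptr [esi+0000052C]
splintercell3.AEGameplayObject::PostBeginPlay+A256: D9 86 30 05 00 00  - fld dword ptr [esi+00000530]
splintercell3.AEGameplayObject::PostBeginPlay+A25C: DA E9              - fucompp
splintercell3.AEGameplayObject::PostBeginPlay+A25E: DF E0              - fnstsw ax
splintercell3.AEGameplayObject::PostBeginPlay+A260: F6 C4 44           - test ah,44
splintercell3.AEGameplayObject::PostBeginPlay+A263: 7B 72              - jnp splintercell3.AEGameplayObject::PostBeginPlay+A2D7
splintercell3.AEGameplayObject::PostBeginPlay+A265: D9 86 30 05 00 00  - fld dword ptr [esi+00000530]
splintercell3.AEGameplayObject::PostBeginPlay+A26B: 68 0A D7 23 3C     - push 3C23D70A
}

2 Ссылка на комментарий Поделиться на другие сайты Поделиться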
Tzeentch Опубликовано 13 марта, 2022 Автор Поделиться Опубликовано 13 марта, 2022

Сделал ещё пару функций.

Невидимость(камеры всё равно видят, люди не видят):
Спойлер
{
  Game   : splintercell3.exe
  Version:
  Date   : 2022-03-06
  Author : Templar

  Invisibility.
  Several addresses are responsible for visibility. Cameras still see you.
  Humans do not see you unless you get right up close.

  The hook sits inside the loop at +27F150..+27F156 (dec ecx / jne back to
  +27F150): before each fadd the element at [eax] is overwritten with 0.0f, so
  every entry of the array that is summed here is zeroed in place.
  Patch size: 5 bytes (the jmp alone), restored verbatim on [DISABLE].
}

[ENABLE]

aobscanmodule(Invisible,splintercell3.exe,D8 00 83 C0 08) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:
  mov [eax],(float)0      // zero the visibility value
code:
  fadd dword ptr [eax]
  add eax,08
  jmp return

Invisible:
  jmp newmem
return:
registersymbol(Invisible)

[DISABLE]

Invisible:
  db D8 00 83 C0 08

unregistersymbol(Invisible)
dealloc(newmem)

{
Address of signature = splintercell3.exe + 0x0027F150
"\xD8\x00\x83\xC0\x00\x49\x75\x00\xDB\x44", "xxxx?xx?xx"
"D8 00 83 C0 ? 49 75 ? DB 44"

// ORIGINAL CODE - INJECTION POINT: splintercell3.exe+27F150

splintercell3.exe+27F129: D9 5F 04           - fstp dword ptr [edi+04]
splintercell3.exe+27F12C: 8B 86 18 15 00 00  - mov eax,[esi+00001518]
splintercell3.exe+27F132: D9 05 20 82 0B 11  - fld dword ptr [splintercell3.exe+7B8220]
splintercell3.exe+27F138: 85 C0              - test eax,eax
splintercell3.exe+27F13A: 89 44 24 0C        - mov [esp+0C],eax
splintercell3.exe+27F13E: 7E 18              - jle splintercell3.exe+27F158
splintercell3.exe+27F140: 8B 86 14 15 00 00  - mov eax,[esi+00001514]
splintercell3.exe+27F146: 8B 8E 18 15 00 00  - mov ecx,[esi+00001518]
splintercell3.exe+27F14C: 83 C0 04           - add eax,04
splintercell3.exe+27F14F: 90                 - nop
// ---------- INJECTING HERE ----------
splintercell3.exe+27F150: D8 00              - fadd dword ptr [eax]
// ---------- DONE INJECTING  ----------
splintercell3.exe+27F152: 83 C0 08           - add eax,08
splintercell3.exe+27F155: 49                 - dec ecx
splintercell3.exe+27F156: 75 F8              - jne splintercell3.exe+27F150
splintercell3.exe+27F158: DB 44 24 0C        - fild dword ptr [esp+0C]
splintercell3.exe+27F15C: 5F                 - pop edi
splintercell3.exe+27F15D: D8 F9              - fdivr st(0),st(1)
splintercell3.exe+27F15F: D9 9E 64 02 00 00  - fstp dword ptr [esi+00000264]
splintercell3.exe+27F165: 5E                 - pop esi
splintercell3.exe+27F166: DD D8              - fstp st(0)
splintercell3.exe+27F168: 5B                 - pop ebx
}

Скрывает шум от ходьбы и выстрелов:
Спойлер
{
  Game   : splintercell3.exe
  Version:
  Date   : 2022-03-13
  Author : Templar

  Hides the noise of walking and shooting.
  Hooks the store fstp dword ptr [esi+00000438]: the computed value is popped
  and stored as before, then immediately overwritten with 110.0f, which the
  author describes as raising the noise-hiding threshold.
  Patch size: 6 bytes (5-byte jmp + 1 nop), restored verbatim on [DISABLE].
}

[ENABLE]

aobscanmodule(NoiseHiding,splintercell3.exe,D9 9E 38 04 00 00 8B 8E) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  fstp dword ptr [esi+00000438]
  mov [esi+00000438],(float)110   // raise the noise-hiding threshold
  jmp return

NoiseHiding:
  jmp newmem
  nop
return:
registersymbol(NoiseHiding)

[DISABLE]

NoiseHiding:
  db D9 9E 38 04 00 00

unregistersymbol(NoiseHiding)
dealloc(newmem)

{
Address of signature = splintercell3.exe + 0x00417C5D
"\xD9\x9E\x00\x00\x00\x00\x8B\x8E\x00\x00\x00\x00\x51\x8B\xCB", "xx????xx????xxx"
"D9 9E ? ? ? ? 8B 8E ? ? ? ? 51 8B CB"

// ORIGINAL CODE - INJECTION POINT: splintercell3.UDareAudioSubsystem::SEC_InitSound+48BD
// NOTE(review): the "NoiseHiding:" label printed below on the mov [esi+00000438],edi
// line looks like a stale symbol left over from an earlier session; the hook in this
// script is at +48BD (the fstp), not at that mov - verify against a fresh dump.

splintercell3.UDareAudioSubsystem::SEC_InitSound+4887: 0F 8C 90 FD FF FF  - jl splintercell3.UDareAudioSubsystem::SEC_InitSound+461D
splintercell3.UDareAudioSubsystem::SEC_InitSound+488D: E9 91 02 00 00     - jmp splintercell3.UDareAudioSubsystem::SEC_InitSound+4B23
splintercell3.UDareAudioSubsystem::SEC_InitSound+4892: 8B B3 C8 00 00 00  - mov esi,[ebx+000000C8]
splintercell3.UDareAudioSubsystem::SEC_InitSound+4898: 3B F7              - cmp esi,edi
splintercell3.UDareAudioSubsystem::SEC_InitSound+489A: 0F 84 83 02 00 00  - je splintercell3.UDareAudioSubsystem::SEC_InitSound+4B23
splintercell3.UDareAudioSubsystem::SEC_InitSound+48A0: 8B 86 B4 02 00 00  - mov eax,[esi+000002B4]
NoiseHiding: 89 BE 38 04 00 00  - mov [esi+00000438],edi
splintercell3.UDareAudioSubsystem::SEC_InitSound+48AC: 89 BE 3C 04 00 00  - mov [esi+0000043C],edi
splintercell3.UDareAudioSubsystem::SEC_InitSound+48B2: 8B 88 AC 00 00 00  - mov ecx,[eax+000000AC]
splintercell3.UDareAudioSubsystem::SEC_InitSound+48B8: E8 33 80 C7 FF     - call splintercell3.ULevel::HavokCreateWorld+5C80
// ---------- INJECTING HERE ----------
splintercell3.UDareAudioSubsystem::SEC_InitSound+48BD: D9 9E 38 04 00 00  - fstp dword ptr [esi+00000438]
// ---------- DONE INJECTING  ----------
splintercell3.UDareAudioSubsystem::SEC_InitSound+48C3: 8B 8E B4 02 00 00  - mov ecx,[esi+000002B4]
splintercell3.UDareAudioSubsystem::SEC_InitSound+48C9: 51                 - push ecx
splintercell3.UDareAudioSubsystem::SEC_InitSound+48CA: 8B CB              - mov ecx,ebx
splintercell3.UDareAudioSubsystem::SEC_InitSound+48CC: E8 4F FB FF FF     - call splintercell3.UDareAudioSubsystem::SEC_InitSound+4420
splintercell3.UDareAudioSubsystem::SEC_InitSound+48D1: D9 05 20 82 0B 11  - fld dword ptr [splintercell3.exe+7B8220]
splintercell3.UDareAudioSubsystem::SEC_InitSound+48D7: D9 86 38 04 00 00  - fld dword ptr [esi+00000438]
splintercell3.UDareAudioSubsystem::SEC_InitSound+48DD: DA E9              - fucompp
splintercell3.UDareAudioSubsystem::SEC_InitSound+48DF: DF E0              - fnstsw ax
splintercell3.UDareAudioSubsystem::SEC_InitSound+48E1: F6 C4 44           - test ah,44
splintercell3.UDareAudioSubsystem::SEC_InitSound+48E4: 7B 61              - jnp splintercell3.UDareAudioSubsystem::SEC_InitSound+4947
}

Ссылка на комментарий Поделиться на другие сайты Поделиться