Moopler
lapeiro

Help How to get the values from Variables C++ (inline asm)


Hello, I'm trying to convert some scripts into a trainer, but there's a problem when I try to get MapleStory addresses...
Here is what it looks like:


DWORD Aggro = 0x01E07DE0;
DWORD AggroRet = ( Aggro + 6 );
DWORD UserLocal = 0x029E6028;

__declspec(naked) void __stdcall AutoAggro()
{
    __asm
    {
        mov eax, [UserLocal]           // CUserLocal: 8B 3D ? ? ? ? 8B 40
        lea eax, [eax + 0x04]
        mov [ecx + 0x438 + 0x08], eax  // Aggro Offset: 83 ? ? ? ? ? ? 0F 85 ? ? ? ? 8B ? ? 8B ? ? 8D ? ? FF D0 [Offset+0x08]
        push ebp
        mov ebp, esp
        and esp, [-0x40]
        jmp dword ptr [AggroRet]       // <--- this isn't calling the value defined above, which would be Aggro + 6 ( 0x01E07DE6 )
    AggroRet:
    }
}


(It crashes instantly on ticking, and other hacks might be crashing too but take a while longer to crash due to the same problem.) I thought adding dword ptr [addy] would make it get the value defined, but it doesn't? How can I make it get the value defined?

Edited by lapeiro

Guest

https://msdn.microsoft.com/en-us/library/5sds75we.aspx

https://msdn.microsoft.com/en-us/library/fabdxz08.aspx

https://www.ibm.com/developerworks/rational/library/inline-assembly-c-cpp-guide/

Here is pseudo code to help after you use sprux's asm.

void bool_me(bool do)
  if (do)
      make a jump function(&AutoAggro, boolean) to save memory and hook to asm script
  else
      make a restore function() to get saved memory back


Edited by Guest


Your problem isn't just with the jmp. There's multiple things wrong with this script.

First of all, you're doing

DWORD UserLocal = 0x029E6028;

__asm mov eax,[UserLocal]

Basically, UserLocal in this case is a singleton that contains the ACTUAL UserLocal object. This means that [0x029E6028] = 0xYYYYYYYY (some arbitrary value), and you want eax to contain 0xYYYYYYYY. However, when you define UserLocal as the singleton pointer (0x029E6028), the above instruction sets eax to 0x029E6028, not [0x029E6028].

What you want instead, is:

DWORD UserLocal = 0x029E6028;

__asm mov eax,[UserLocal]
__asm mov eax,[eax]

Secondly, your jump fails, because you've allocated a so-called label at the end of the function with the following statement:

AggroRet:

In C, the scoping-order is defined to go one level "up" for every search cycle, which means it starts by searching for so-called 'local' variables, then a level higher (e.g. nested brackets/scopes), and finally 'global' variables. Since you've allocated a local "variable" (label), the compiler completely ignores your 'global' variable, which contains the actual address at hand. The label you allocated points to the address of the instruction after your jmp-command, so the jmp will basically jump just 2-5 bytes forward, into (probably) an unallocated process-space.

Thirdly, the and-command seems sketchy; I don't know if using [-0x40] is clever (it's probably some kind of CE optimization that shows it as a negative; you should show it as it is, which is probably 0xC0). Also, you can't do [C0], since all that does is take the value of [C0], which is (in 99.99999% of all cases) an invalid region, as most processes don't start at 0x00000000.


Edit: I just went ahead and checked MapleStory, and I was very much right - the and-command is very much sketchy. The way you want to actually do it, is:

__asm and esp,0xC0


As such, the final script should look like this:

DWORD Aggro = 0x01E07DE0;
DWORD AggroRet = ( Aggro + 6 );

DWORD UserLocal = 0x029E6028;

__declspec(naked) void __stdcall AutoAggro()
{
	__asm
	{
		mov eax,[UserLocal]
		mov eax,[eax]
		lea eax,[eax+0x04]		// Could essentially be shortened down, by using the 'mov' instruction above properly, but I don't want to complicate things too much.
		
		mov [ecx + 0x438 + 0x08],eax
		
		push ebp
		mov ebp,esp
		and esp,0xC0
		jmp dword ptr [AggroRet]
	}
}


Edited by NewSprux2.0?
  • Like 5
  • Thanks 1


Thank you for all the insight Sprux. What is really confusing me (on the jump part; initially I had it like that) is that it still jumps to a memory from the trainer, not MapleStory (the defined memories), and some of them after the initial jump seem to go to random allocations, which makes it still crash whenever ticked. I tried using some breakpoints and I think it crashes in the mov part too.

9 hours ago, NewSprux2.0? said:

Well, it sounds to me like you're using detours?

Actually, I'm not.

Should I learn how to convert the scripts using detours?

Edited by lapeiro

29 minutes ago, lapeiro said:

Actually, I'm not.

Should I learn how to convert the scripts using detours?

Nah, just sounded like maybe you were mutating the hook-address, like detours does.


DWORD Write_Hook(char code[], DWORD Prev, DWORD Next, int nop_count = 0);

// Writes a 5-byte (jmp/call) or 6-byte (jcc) relative branch at Prev that
// targets Next, optionally padding with NOPs, and returns the address
// right after the bytes written.
DWORD Asm::Write_Hook(char code[], DWORD Prev, DWORD Next, int nop_count) {
    int i;
    BOOL Flag = FALSE; // TRUE for the two-byte 0F xx conditional jumps
    if (Enable_Write_Memory(Prev, 7 + nop_count) == FALSE) {
        return FALSE;
    }
    // The first four bytes of the mnemonic string are compared as a little-endian DWORD.
    switch (*(DWORD *)code) {
    case 0x00706D6A: // "jmp"
        *(BYTE *)Prev = 0xE9;
        break;
    case 0x6C6C6163: // "call"
        *(BYTE *)Prev = 0xE8;
        break;
    case 0x0000656A: // "je"
        *(WORD *)Prev = 0x840F;
        Flag = TRUE;
        break;
    case 0x00656E6A: // "jne"
        *(WORD *)Prev = 0x850F;
        Flag = TRUE;
        break;
    case 0x0000626A: // "jb"
        *(WORD *)Prev = 0x820F;
        Flag = TRUE;
        break;
    case 0x0000616A: // "ja"
        *(WORD *)Prev = 0x870F;
        Flag = TRUE;
        break;
    default:
        ErrorMessage("@Write_Hook");
        return FALSE;
    }
    // rel32 is relative to the end of the branch instruction (5 bytes, or 6 for jcc).
    *(DWORD *)(Prev + 1 + Flag) = Next - Prev - 5 - Flag;
    if (nop_count == 0) {
        return Prev + 5 + Flag;
    }
    for (i = 0; i < nop_count; i++) {
        *(BYTE *)(Prev + 5 + Flag + i) = 0x90; // nop
    }
    return Prev + 5 + nop_count + Flag;
}

This is what I got for writing the hook (AIRRIDE ASM Library).

Edited by lapeiro

8 minutes ago, NewSprux2.0? said:

That library is a really weird way to do it O.o

The real problem is that the inline asm isn't going to the variable's value (the initial jump to the codecave works fine), even though everywhere I read that dword ptr [addy] or simply [addy] should go for the value of the addy.

Edited by lapeiro

Just now, NewSprux2.0? said:

It should, and it does - you must've done something wrong. Maybe you defined it multiple times?

Sadly (or not), it's defined only once, so it's not the definition.
