Moopler
hackbotmaple

Help C++ Code Cave Crashes


Hello, I'm having trouble converting this type of script, which has an undefined return label, to C++.

While this is the original CE script

[ENABLE]
alloc(Aggro,128)
label(return)

Aggro:
mov eax,[02FE8730] // CUserLocal: 8B 3D ? ? ? ? 8B CF F3
lea eax,[eax+04]
mov [ecx+4A8+08],eax // Aggro Offset: 83 BE ? ? ? ? 00 0F 85 ? ? 00 00 8B CE E8 ? ? ? ? 85 C0 74 [Offset+0x08]

push ebp
mov ebp,esp
push -01
jmp return

02398220: // CVecCtrlMob::WorkUpdateActive
jmp Aggro
return:

[DISABLE]
02398220: // 55 8B EC 6A FF 68 ? ? ? ? 64 A1 00 00 00 00 50 83 EC ? 56 57 A1 ? ? ? ? 33 C5 50 8D ? ? 64 A3 00 00 00 00 8B F9 89 ? ? 8B ? FF
push ebp
mov ebp,esp
push -01

dealloc(Aggro)

Here's my code

DWORD mobaggroret = 0x02398225; // +5 original

__declspec(naked) void __stdcall MobAggroCC(){
_asm
	{
		mov eax, [cuserlocal]
		lea eax, [eax + 0x04]
		mov[ecx + 0x4A8 + 0x08], eax 
		push ebp
		mov ebp, esp
		push 0xFF
		jmp [mobaggroret] // this part is what confuses me. I tried it without brackets, jmp dword ptr [mobaggroret] , jmp dword ptr mobaggroret and all doesn't work...
	
	}
}

Function

void mobAggro(HWND hwnd)
{
	if(mobAggroCheck)
	{
		*(BYTE*)mobaggro = 0xE9;
		*(DWORD*)(mobaggro + 1) = jmp(mobaggro, MobAggroCC);
	}

	else
	{
		mobaggro = mobaggroOri;
		memcpy((void*)mobaggro, "\x55\x8B\xEC\x6A\xFF", 5);

	}

}

 

What's the proper way of converting this? Would need some help :/

Thanks!

 

DWORD mobaggroret = 0x02398225; // +5 original

__declspec(naked) void __stdcall MobAggroCC(){
_asm
	{
		mov eax, [cuserlocal]
		mov eax, [eax]
		lea eax, [eax + 0x04]
		mov[ecx + 0x4A8 + 0x08], eax 
		push ebp
		mov ebp, esp
		push 0xFF
		jmp dword ptr[mobaggroret]	
	}

}

 

This should work.

Just fix the {}.

 

Edited by koreanrice

I would advise against mindlessly copy-pasting the solution from koreanrice, as he should have explained his solution and you'll learn nothing from it.

I can think of a few things that might have happened off the top of my head, but to properly learn what you might be doing wrong (or what VS is annoyingly doing); attach CE to maple and go to 02398220 to see your hook after you've placed it. If the maple process doesn't hang but immediately exits, you'll need to place a breakpoint on the hook address for you to see what went wrong.

 

If you're having trouble seeing anything wrong after examining, feel free to post again, but this is assuming you also know basic assembler syntax and know what each instruction actually does.

Edited by Erotica
1 hour ago, koreanrice said:

DWORD mobaggroret = 0x02398225; // +5 original

__declspec(naked) void __stdcall MobAggroCC(){
_asm
	{
		mov eax, [cuserlocal]
		mov eax, [eax]
		lea eax, [eax + 0x04]
		mov[ecx + 0x4A8 + 0x08], eax 
		push ebp
		mov ebp, esp
		push 0xFF
		jmp dword ptr[mobaggroret]	
	}

}

 

This should work.

Just fix the {}.

 

That's weird. I certainly tried that yesterday but it didn't work. All seems to be fine now. Thanks!

 

4 minutes ago, Erotica said:

I would advise against mindlessly copy-pasting the solution from koreanrice, as he should have explained his solution and you'll learn nothing from it.

I can think of a few things that might have happened off the top of my head, but to properly learn what you might be doing wrong (or what VS is annoyingly doing); attach CE to maple and go to 02398220 to see your hook after you've placed it. If the maple process doesn't hang but immediately exits, you'll need to place a breakpoint on the hook address for you to see what went wrong.

 

If you're having trouble seeing anything wrong after examining, feel free to post again, but this is assuming you also know basic assembler syntax and know what each instruction actually does.

I have been examining the function after enabling the hack in CE and in my own prog. They both change to different opcodes, and I'm not really sure where it went wrong. Though both changed the same number of bytes, including the jump. I tried placing a breakpoint but my maple would crash immediately before I'm able to toggle my hack. Any solution for that?

1 minute ago, hackbotmaple said:

That's weird. I certainly tried that yesterday but it doesn't work. All seems to be fine now. Thanks!

 

I have been examining the function after enabling the hack in CE and in my own prog. They both change to different opcodes, and I'm not really sure where it went wrong. Though both changed the same number of bytes, including the jump. I tried placing a breakpoint but my maple would crash immediately before I'm able to toggle my hack. Any solution for that?

I regret posting in this thread

1 hour ago, southernemblem said:

Attach the debugger to MS before entering game. I just do it by placing a breakpoint somewhere then removing it. 

Thanks for the tips! Trying now.


The solution has already been provided by @koreanrice, however with no explanation.

mov eax, [cuserlocal] // eax = 02FE8730
lea eax, [eax + 0x04]  // eax = memorylocation of 02FE8730+4
mov[ecx + 0x4A8 + 0x08], eax

 

mov eax, [02FE8730] // eax = value of 02FE8730
lea eax, [eax + 0x04] // eax = memorylocation of (value of 02FE8730)+4
mov[ecx + 0x4A8 + 0x08], eax

 

 

DWORD cuserlocal = 0x02FE8730;

mov eax, [cuserlocal] // eax = value of cuserlocal = 0x02FE8730
mov eax, [eax]             // eax = value of 02FE8730
lea eax, [eax + 0x04]  // eax = memorylocation of (value of 02FE8730)+4
mov[ecx + 0x4A8 + 0x08], eax

 

[] basically means that you grab the value at the location

example

eax = 02FE8730

02FE8730 = value 1

ecx = 02FE8734

02FE8734 = value 5

 

 

mov ecx, eax

eax = 02FE8730 (1)

ecx = 02FE8730 (1)

///////////////////////////

mov ecx, [eax]

eax  = 02FE8730 (1)

ecx = 1

///////////////////////////////////

mov [ecx], eax

eax = 02FE8730 (1)

ecx  = 02FE8734 (02FE8730)

///////////////////////////////

mov eax, [eax]

mov [ecx], eax

eax = 1

ecx = 02FE8734 (1)

/////////////////////////////

 

alloc(cLocalUser, 4)

 

cLocalUser:

dd 02FE8730

 

mov eax, [cLocalUser]

mov eax, [eax]

lea eax, [eax + 0x04] 
mov[ecx + 0x4A8 + 0x08], eax

Edited by Chubbylitooo
Tired, fixed typo
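The three indirection levels Chubbylitooo walks through above (the CE script's `mov eax,[02FE8730]`, the first C++ attempt's `mov eax,[cuserlocal]`, and the fixed `mov eax,[cuserlocal]` followed by `mov eax,[eax]`) can be checked without touching any process at all. The following C program is an added example and is not code from any poster in this thread: it models a few bytes of "memory" as a byte array addressed by a fake 32-bit address space, and computes what `eax` ends up holding under each of the three instruction sequences. The address 0x02FE8730 is taken from the thread; the value 0x0ABC1000 stored at that address, the `FAKE_BASE` constant and all function names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for process memory: a small byte array that covers the
 * fake address range [FAKE_BASE, FAKE_BASE + FAKE_SIZE). Nothing real is read. */
#define FAKE_BASE 0x02FE8700u
#define FAKE_SIZE 0x100u
static uint8_t fake_mem[FAKE_SIZE];

/* Equivalent of `mov eax,[addr]`: read the 32-bit little-endian value stored
 * at a fake address. */
static uint32_t read32(uint32_t addr)
{
    uint32_t v;
    memcpy(&v, &fake_mem[addr - FAKE_BASE], sizeof v);
    return v;
}

/* Equivalent of `mov [addr],eax`. */
static void write32(uint32_t addr, uint32_t v)
{
    memcpy(&fake_mem[addr - FAKE_BASE], &v, sizeof v);
}

/* Populate the fake memory: pretend the pointer stored at 0x02FE8730 (the
 * CUserLocal slot named in the thread) points at a constructed object address. */
static void setup(void)
{
    memset(fake_mem, 0, sizeof fake_mem);
    write32(0x02FE8730u, 0x0ABC1000u); /* constructed object address */
}

/* CE script form:   mov eax,[02FE8730] ; lea eax,[eax+04]
 * The literal address is dereferenced once, giving the object pointer + 4. */
static uint32_t ce_script_result(void)
{
    uint32_t eax = read32(0x02FE8730u);
    return eax + 4;
}

/* In the C++ version the address lives in a variable, so [cuserlocal] reads
 * the variable's contents, which is the address itself, not what it points to. */
static uint32_t cuserlocal = 0x02FE8730u;

/* First attempt:    mov eax,[cuserlocal] ; lea eax,[eax+04]
 * One dereference short: eax becomes 0x02FE8734, an address inside the
 * pointer slot, not inside the object. */
static uint32_t first_attempt_result(void)
{
    uint32_t eax = cuserlocal; /* what [cuserlocal] yields for a DWORD variable */
    return eax + 4;
}

/* Fixed form:       mov eax,[cuserlocal] ; mov eax,[eax] ; lea eax,[eax+04]
 * The extra `mov eax,[eax]` performs the dereference the CE script did with
 * its literal address, so the results match. */
static uint32_t fixed_result(void)
{
    uint32_t eax = cuserlocal;
    eax = read32(eax);
    return eax + 4;
}

int main(void)
{
    setup();
    printf("CE script      : eax = %08X\n", ce_script_result());
    printf("first attempt  : eax = %08X\n", first_attempt_result());
    printf("fixed          : eax = %08X\n", fixed_result());
    return 0;
}
```

Running it shows the CE script and the fixed sequence both land on 0x0ABC1004, while the first attempt produces 0x02FE8734: it writes an address inside the global pointer slot into the object field rather than a pointer into the object, which is the kind of mismatch that shows up as a crash only once the game reads that field back.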
8 hours ago, Chubbylitooo said:

 

I love how you always help explaining everything in full details. Learnt a lot from what you'd post. <3
