Nomad

Reading Registers

6 posts in this topic

I've seen wOuter's _Mem() functions, but I was curious: is there any way to read a dword value stored in any of the registers, such as eax, ebx, ecx, etc. (using AutoIt)?

If not, then a point in the right direction to accomplish this would be very much appreciated.

Thanks in advance,

Nomad

The registers of your script or of another program?

The registers of another program.

#4 · Posted (edited)

Code injection would be the way to go. Here are the steps:

1. Use a debugger to find the address in the game at which you want to read the register's value.

2. Allocate a chunk of memory (VirtualAllocEx) and create a JMP from the game's function to your allocated chunk. Be sure to restore any opcodes you overwrite (JMPs are 5 opcodes long, so be sure you're overwriting something like MOV that's at least 5 opcodes in length, and not an ADD or PUSH or something).

3. After restoring the opcodes you overwrote, MOV the register to a static address somewhere in the client, or somewhere in the chunk of memory you allocated. This way, every time you want to get the register's value, you just ReadProcessMemory from the static address to which you wrote the register.

4. JMP back to the regular game routine.

This isn't terribly difficult to do, though it sounds like it. There's a shitload of examples and tutorials floating around, and everything that needs to be done can be done with AutoIt. The only slightly difficult part is converting from ASM to the opcodes that need to be written, and even that is pretty easy as there are myriad applications out there that will do it for you.

Edit: here's a link to a thread I wrote about it a while back. You can convert the C++ functions CreateJmp and CreateStaticMov to AutoIt easily enough. http://forum.gamedeception.net/showthread.php?t=8088

Edited by Outshynd

Outshynd, I find it interesting that you actually calculate the jump, "E9 & (jmpAddress - (BaseAddress + 5))", instead of "68 & jmpAddress; C3" (push & ret).

But back OT:

To get hex code I usually just assemble a small exe using MASM and then rip the hex code out of that :)


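
An added example, not code from the thread: the defender's counterpart to the steps Outshynd describes and the E9 displacement formula wOuter quotes. It diffs a clean copy of a code region against the live in-process copy, decodes any JMP rel32 or PUSH/RET patch back to its absolute target, and flags targets that leave the module (the classic detour-to-allocated-memory signature). Addresses and bytes are constructed; obtaining the clean copy (re-reading the image from disk and applying relocations) is assumed to be done elsewhere.

```python
import struct

JMP_REL32 = 0xE9   # E9 rel32: the 5-byte JMP the steps above write
PUSH_IMM32 = 0x68  # 68 imm32 / C3 ret: the push+ret variant wOuter mentions
RET = 0xC3


def decode_jump_target(code: bytes, offset: int, base: int):
    """If a JMP rel32 or PUSH/RET sequence starts at `offset`, return
    (kind, absolute_target, patch_length); otherwise None.
    `base` is the virtual address of code[0]."""
    op = code[offset]
    if op == JMP_REL32 and offset + 5 <= len(code):
        rel = struct.unpack_from("<i", code, offset + 1)[0]  # signed displacement
        # inverse of rel = target - (addr + 5): CPU adds rel to the next instruction's address
        return "jmp_rel32", (base + offset + 5 + rel) & 0xFFFFFFFF, 5
    if op == PUSH_IMM32 and offset + 6 <= len(code) and code[offset + 5] == RET:
        imm = struct.unpack_from("<I", code, offset + 1)[0]  # absolute address pushed
        return "push_ret", imm, 6
    return None


def find_inline_hooks(clean: bytes, live: bytes, base: int, module_lo: int, module_hi: int):
    """Diff a clean copy of a code region against the live copy and classify each patch."""
    assert len(clean) == len(live), "regions must be the same size"
    hooks, i = [], 0
    while i < len(live):
        if clean[i] == live[i]:
            i += 1
            continue
        decoded = decode_jump_target(live, i, base)
        if decoded is None:
            j = i                      # some other modification: record the whole run
            while j < len(live) and clean[j] != live[j]:
                j += 1
            hooks.append({"offset": i, "kind": "unknown_patch", "length": j - i})
            i = j
            continue
        kind, target, length = decoded
        hooks.append({"offset": i, "kind": kind, "target": target,
                      "leaves_module": not (module_lo <= target < module_hi)})
        i += length
    return hooks


# Constructed sample: a tiny prologue at 0x00401000 (assumed addresses)
# 8B 45 08 = mov eax,[ebp+8]; 89 45 FC = mov [ebp-4],eax; 5D = pop ebp; C3 = ret
CLEAN = bytes.fromhex("8B 45 08 89 45 FC 5D C3")
BASE, MODULE_LO, MODULE_HI = 0x00401000, 0x00400000, 0x00410000
# Live copy with both MOVs replaced by JMP 0x00A00000 (rel = 0xA00000 - 0x401005)
HOOKED = bytes.fromhex("E9 FB EF 5F 00 FC 5D C3")

if __name__ == "__main__":
    for h in find_inline_hooks(CLEAN, HOOKED, BASE, MODULE_LO, MODULE_HI):
        print(h)
```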

Thanks for the info, I'm going to look into it right now. I've been asleep and just got up.

Nomad.
