CE自动汇编

[ENABLE]

// Window-title changer: resolve the target window from Lua, then run a one-shot
// thread inside the target process that calls SetWindowTextA on that window.
{$LUA}
-- findWindow(classname, caption) resolves the handle at enable time and hands it
-- to the assembler as the symbol `hwnd` via a generated define().
-- `null` is not a Lua keyword; as an undefined global it evaluates to nil here.
-- NOTE(review): if no window matches, the concatenation below fails or produces a
-- bogus define — confirm what findWindow returns on no-match before relying on it.
hwnd = findWindow(null, "Getting Over It")
return "define(hwnd,#" .. hwnd .. ")"
{$ASM}

alloc(caption,20)                 // 20 bytes; 'Flappy Bird' + NUL needs 12
alloc(newmem,1000)                // thread body

caption:
  db 'Flappy Bird',0              // new title, NUL-terminated

newmem:
  push eax                        // preserve eax across the call (32-bit regs: assumes a 32-bit target — TODO confirm)
  push caption                    // lpString  (args pushed right-to-left)
  push hwnd                       // hWnd
  call user32.SetWindowTextA      // BOOL SetWindowTextA(HWND, LPCSTR); stdcall, callee removes the two args
  pop eax                         // return value of the call is discarded
  ret                             // thread exits

createthread(newmem)              // run newmem once on a new thread in the target

[DISABLE]

dealloc(caption)
dealloc(newmem)
  // Injection fragment: force the float at [rbx+C0] to 0.0 and reload it into xmm0.
  // Earlier variants kept for reference (register-only vs. memory write):
  //xorps xmm0,xmm0
  //movss xmm0,[rbx+000000C0]
  mov dword ptr [rbx+000000C0],(float)0   // store 0.0f (bit pattern 00000000) into the field
  movss xmm0,[rbx+000000C0]               // xmm0 = the value just stored, 0.0f
// Injection fragment (32-bit addressing, [ecx]): add 1.0 to the double at [ecx].
movsd xmm0, [ecx]          // xmm0 = *(double*)ecx
xor eax, eax
inc eax                    // eax = 1 (xor/inc both write the arithmetic flags)
cvtsi2sd xmm1, eax         // xmm1 = 1.0
addsd xmm0, xmm1           // xmm0 += 1.0
movsd [ecx], xmm0          // write back
// NOTE(review): clobbers eax, xmm1 and EFLAGS; if this is spliced into the middle
// of a function, confirm the surrounding code does not rely on them at this point.
{ Game   : StateOfDecay2 
  Version: 
  Date   : 2024-01-28
  Author : Administrator

  Injection at the movss [r12],xmm0 store (see ORIGINAL CODE below): xmm0 is
  overwritten with 999.0 immediately before that store, so 999.0 is what ends
  up in [r12] (and in the movss [rsp+20],xmm0 that follows in the original).
}

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

 
 
aobscanmodule(Build,StateOfDecay2-Win64-Shipping.exe,F3 41 0F 11 04 24 48) // should be unique
// 7-byte pattern: movss [r12],xmm0 (6 bytes) + the first byte of the following mov rax,[rbx]
alloc(newmem,$1000,Build)   // allocated near Build so the rel32 jmp and [float999] are reachable

label(code)
label(return)
label(float999)

newmem:
  // movss xmm0,[float999]   // direct-load form; float999 below exists only for this line
  push eax                   // NOTE(review): push of a 32-bit register is not encodable in 64-bit mode; confirm how CE assembles it (rax?)
  mov eax,#999               // '#' = decimal in CE AA
  cvtsi2ss xmm0,eax          // xmm0 = 999.0f; EFLAGS untouched
  pop eax
code:
  movss [r12],xmm0           // the original instruction, now storing 999.0f
  jmp return

float999:
 dd (float)999.0             // unreferenced while the movss line above stays commented out

Build:
  jmp newmem                 // 5 bytes
  nop                        // +1 = the 6-byte length of the original movss
return:
registersymbol(Build)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
Build:
  db F3 41 0F 11 04 24       // restore the original movss [r12],xmm0

unregistersymbol(Build)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: StateOfDecay2-Win64-Shipping.exe+46C831

StateOfDecay2-Win64-Shipping.exe+46C805: 0F 86 F5 00 00 00     - jbe StateOfDecay2-Win64-Shipping.exe+46C900
StateOfDecay2-Win64-Shipping.exe+46C80B: 49 8B 9F 00 FE FF FF  - mov rbx,[r15-00000200]
StateOfDecay2-Win64-Shipping.exe+46C812: 48 85 DB              - test rbx,rbx
StateOfDecay2-Win64-Shipping.exe+46C815: 0F 84 E5 00 00 00     - je StateOfDecay2-Win64-Shipping.exe+46C900
StateOfDecay2-Win64-Shipping.exe+46C81B: F3 41 0F 10 1C 24     - movss xmm3,[r12]
StateOfDecay2-Win64-Shipping.exe+46C821: 45 8B C6              - mov r8d,r14d
StateOfDecay2-Win64-Shipping.exe+46C824: 0F 28 C3              - movaps xmm0,xmm3
StateOfDecay2-Win64-Shipping.exe+46C827: 48 8B D6              - mov rdx,rsi
StateOfDecay2-Win64-Shipping.exe+46C82A: F3 0F 58 C7           - addss xmm0,xmm7
StateOfDecay2-Win64-Shipping.exe+46C82E: 48 8B CB              - mov rcx,rbx
// ---------- INJECTING HERE ----------
StateOfDecay2-Win64-Shipping.exe+46C831: F3 41 0F 11 04 24     - movss [r12],xmm0
// ---------- DONE INJECTING  ----------
StateOfDecay2-Win64-Shipping.exe+46C837: 48 8B 03              - mov rax,[rbx]
StateOfDecay2-Win64-Shipping.exe+46C83A: F3 0F 11 44 24 20     - movss [rsp+20],xmm0
StateOfDecay2-Win64-Shipping.exe+46C840: FF 90 38 02 00 00     - call qword ptr [rax+00000238]
StateOfDecay2-Win64-Shipping.exe+46C846: 84 C0                 - test al,al
StateOfDecay2-Win64-Shipping.exe+46C848: 0F 84 B2 00 00 00     - je StateOfDecay2-Win64-Shipping.exe+46C900
StateOfDecay2-Win64-Shipping.exe+46C84E: 8B 86 30 09 00 00     - mov eax,[rsi+00000930]
StateOfDecay2-Win64-Shipping.exe+46C854: 49 8B 17              - mov rdx,[r15]
StateOfDecay2-Win64-Shipping.exe+46C857: 3B 86 5C 09 00 00     - cmp eax,[rsi+0000095C]
StateOfDecay2-Win64-Shipping.exe+46C85D: 74 68                 - je StateOfDecay2-Win64-Shipping.exe+46C8C7
StateOfDecay2-Win64-Shipping.exe+46C85F: 8D 04 D2              - lea eax,[rdx+rdx*8]
}
{ Game   : dwarves.exe
  Version: 
  Date   : 2023-05-21
  Author : Administrator

  Injection at the subsd xmm0,xmm1 / cvtsd2ss xmm5,xmm0 pair (see ORIGINAL CODE
  below). The replaced pair computed the new value in xmm0 and narrowed it into
  xmm5 ahead of the movss [rsi+AC],xmm5 store. This script chooses the value
  from [rsi+D0] instead: ==1 -> 0.0, otherwise the float at [rsi+B0].
}

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

 
 
aobscan(KILL,F2 0F 5C C1 F2 0F 5A E8 F3 0F 11 AE AC 00 00 00) // should be unique
// 16-byte pattern = subsd (4) + cvtsd2ss (4) + movss [rsi+AC],xmm5 (8); only the first 8 are patched below
alloc(newmem,$1000,KILL)   // allocated near KILL so the rel32 jmp is reachable

label(code)
label(return)

newmem:
cmp [rsi+D0],#1 // 0 = friendly, 1 = hostile (author's note); NOTE(review): no operand size given — confirm the width CE assembles here
subsd xmm0,xmm0 // xmm0 = xmm0 - xmm0 (0.0 for finite input); SSE arithmetic leaves EFLAGS alone, so the je below still sees the cmp result
je code // hostile: keep 0.0 (author's note: instant kill)
movss xmm0,[rsi+000000B0] // otherwise: take the float at [rsi+B0] (author's note: full value)
cvtss2sd xmm0,xmm0 // widen to double, the format the original path used
code:
  cvtsd2ss xmm5,xmm0       // same narrowing as the replaced cvtsd2ss; movss [rsi+AC],xmm5 runs next at `return`
  jmp return

KILL:
  jmp newmem               // 5 bytes
  nop 3                    // +3 = 8 bytes: exactly subsd + cvtsd2ss; return lands on the 8-byte movss
return:
registersymbol(KILL)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
KILL:
  db F2 0F 5C C1 F2 0F 5A E8 F3 0F 11 AE AC 00 00 00   // restores all 16 scanned bytes (the last 8 were never changed)

unregistersymbol(KILL)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 229E6946229

229E69461FB: F3 0F 11 4C 24 08        - movss [rsp+08],xmm1
229E6946201: 0F B6 86 A8 00 00 00     - movzx eax,byte ptr [rsi+000000A8]
229E6946208: 85 C0                    - test eax,eax
229E694620A: 74 07                    - je 229E6946213
229E694620C: 33 C0                    - xor eax,eax
229E694620E: E9 60 00 00 00           - jmp 229E6946273
229E6946213: F3 0F 10 86 AC 00 00 00  - movss xmm0,[rsi+000000AC]
229E694621B: F3 0F 5A C0              - cvtss2sd xmm0,xmm0
229E694621F: F3 0F 10 4C 24 08        - movss xmm1,[rsp+08]
229E6946225: F3 0F 5A C9              - cvtss2sd xmm1,xmm1
// ---------- INJECTING HERE ----------
229E6946229: F2 0F 5C C1              - subsd xmm0,xmm1
// ---------- DONE INJECTING  ----------
229E694622D: F2 0F 5A E8              - cvtsd2ss xmm5,xmm0
229E6946231: F3 0F 11 AE AC 00 00 00  - movss [rsi+000000AC],xmm5
229E6946239: F3 0F 10 86 AC 00 00 00  - movss xmm0,[rsi+000000AC]
229E6946241: F3 0F 5A C0              - cvtss2sd xmm0,xmm0
229E6946245: 66 0F 57 C9              - xorpd xmm1,xmm1
229E6946249: 66 0F 2F C8              - comisd xmm1,xmm0
229E694624D: 0F 82 1E 00 00 00        - jb 229E6946271
229E6946253: 66 0F 57 C0              - xorpd xmm0,xmm0
229E6946257: F2 0F 5A E8              - cvtsd2ss xmm5,xmm0
229E694625B: F3 0F 11 AE AC 00 00 00  - movss [rsi+000000AC],xmm5
}
`cdqe` 是 x86 汇编指令中的一条指令,用于将一个32位有符号整数扩展为一个64位有符号整数。

具体来说,`cdqe` 指令将 EAX 寄存器中的 32 位有符号整数值(双字,4 字节)符号扩展到 RAX 寄存器中的 64 位有符号整数值(四字,8 字节)。

这条指令可以在进行64位有符号整数运算时使用,特别是在将32位有符号整数值扩展为64位有符号整数值时非常有用。

示例:
假设 EAX 寄存器中的值为 0xFFFFFFFF(-1 的补码形式,即 -1),执行 `cdqe` 指令后,RAX 寄存器中的值将扩展为 0xFFFFFFFFFFFFFFFF(-1 的补码形式,即 -1)。