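[ENABLE]
{$LUA}
-- Resolve the target window once and hand its handle to the assembler
-- as the symbol `hwnd`. Refuse to enable when the window is not present:
-- the original script concatenated the result blindly, which fails with a
-- Lua error on nil and would otherwise call SetWindowTextA with a 0 handle.
local hwnd = findWindow(nil, "Getting Over It")
if not hwnd or hwnd == 0 then
  error('window "Getting Over It" not found')
end
return "define(hwnd,#" .. hwnd .. ")"
{$ASM}
// 32-bit target assumed: eax/stdcall argument passing below.
alloc(caption,20)           // 'Flappy Bird',0 is 12 bytes; 20 leaves headroom
alloc(newmem,1000)

caption:
  db 'Flappy Bird',0        // new window title, NUL-terminated

// Thread entry: SetWindowTextA(hwnd, caption); stdcall, callee pops the args.
newmem:
  push eax                  // keep eax as the thread found it
  push caption              // lpString
  push hwnd                 // hWnd
  call user32.SetWindowTextA
  pop eax                   // discard the BOOL result, restore eax
  ret                       // returning ends the thread created below

createthread(newmem)

[DISABLE]
dealloc(caption)
dealloc(newmem)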
// Zero the float at [rbx+C0] and leave 0.0 in xmm0 (low lane; upper lanes cleared).
// Same end state as storing an immediate 0 and reloading it, expressed as
// register-zero-then-store. Neither instruction touches flags.
xorps xmm0,xmm0                  // xmm0 = 0.0
movss [rbx+000000C0],xmm0        // field = 0.0
// *(double*)ecx += 1.0
// Clobbers: eax (left = 1), xmm1, flags. The xor/add pair leaves the same
// flag state as the original xor/inc (CF is already 0 from the xor).
xor eax,eax                      // eax = 0
add eax,1                        // eax = 1
cvtsi2sd xmm1,eax                // xmm1 = 1.0
movsd xmm0,[ecx]                 // xmm0 = current value
addsd xmm0,xmm1                  // xmm0 += 1.0
movsd [ecx],xmm0                 // write back
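{ Game : StateOfDecay2
  Version:
  Date : 2024-01-28
  Author : Administrator

  This script does blah blah blah
}

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscanmodule(Build,StateOfDecay2-Win64-Shipping.exe,F3 41 0F 11 04 24 48) // should be unique
alloc(newmem,$1000,Build)
label(code)
label(return)
label(float999)

newmem:
  // Replace the value the game is about to store at [r12] with the constant
  // below. Loading it from this alloc (RIP-relative) touches no stack and no
  // general-purpose register; the previous push eax/pop eax pair is not
  // encodable in a 64-bit target (the module is Win64-Shipping).
  movss xmm0,[float999]

code:
  movss [r12],xmm0           // original instruction
  jmp return

float999:
  dd (float)999.0            // value written in place of the computed one

Build:
  jmp newmem
  nop                        // original instruction is 6 bytes; jmp rel32 is 5
return:
registersymbol(Build)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
Build:
  db F3 41 0F 11 04 24

unregistersymbol(Build)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: StateOfDecay2-Win64-Shipping.exe+46C831

StateOfDecay2-Win64-Shipping.exe+46C805: 0F 86 F5 00 00 00     - jbe StateOfDecay2-Win64-Shipping.exe+46C900
StateOfDecay2-Win64-Shipping.exe+46C80B: 49 8B 9F 00 FE FF FF  - mov rbx,[r15-00000200]
StateOfDecay2-Win64-Shipping.exe+46C812: 48 85 DB              - test rbx,rbx
StateOfDecay2-Win64-Shipping.exe+46C815: 0F 84 E5 00 00 00     - je StateOfDecay2-Win64-Shipping.exe+46C900
StateOfDecay2-Win64-Shipping.exe+46C81B: F3 41 0F 10 1C 24     - movss xmm3,[r12]
StateOfDecay2-Win64-Shipping.exe+46C821: 45 8B C6              - mov r8d,r14d
StateOfDecay2-Win64-Shipping.exe+46C824: 0F 28 C3              - movaps xmm0,xmm3
StateOfDecay2-Win64-Shipping.exe+46C827: 48 8B D6              - mov rdx,rsi
StateOfDecay2-Win64-Shipping.exe+46C82A: F3 0F 58 C7           - addss xmm0,xmm7
StateOfDecay2-Win64-Shipping.exe+46C82E: 48 8B CB              - mov rcx,rbx
// ---------- INJECTING HERE ----------
StateOfDecay2-Win64-Shipping.exe+46C831: F3 41 0F 11 04 24     - movss [r12],xmm0
// ---------- DONE INJECTING  ----------
StateOfDecay2-Win64-Shipping.exe+46C837: 48 8B 03              - mov rax,[rbx]
StateOfDecay2-Win64-Shipping.exe+46C83A: F3 0F 11 44 24 20     - movss [rsp+20],xmm0
StateOfDecay2-Win64-Shipping.exe+46C840: FF 90 38 02 00 00     - call qword ptr [rax+00000238]
StateOfDecay2-Win64-Shipping.exe+46C846: 84 C0                 - test al,al
StateOfDecay2-Win64-Shipping.exe+46C848: 0F 84 B2 00 00 00     - je StateOfDecay2-Win64-Shipping.exe+46C900
StateOfDecay2-Win64-Shipping.exe+46C84E: 8B 86 30 09 00 00     - mov eax,[rsi+00000930]
StateOfDecay2-Win64-Shipping.exe+46C854: 49 8B 17              - mov rdx,[r15]
StateOfDecay2-Win64-Shipping.exe+46C857: 3B 86 5C 09 00 00     - cmp eax,[rsi+0000095C]
StateOfDecay2-Win64-Shipping.exe+46C85D: 74 68                 - je StateOfDecay2-Win64-Shipping.exe+46C8C7
StateOfDecay2-Win64-Shipping.exe+46C85F: 8D 04 D2              - lea eax,[rdx+rdx*8]
}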
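{ Game : dwarves.exe
  Version:
  Date : 2023-05-21
  Author : Administrator

  This script does blah blah blah
}

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscan(KILL,F2 0F 5C C1 F2 0F 5A E8 F3 0F 11 AE AC 00 00 00) // should be unique
alloc(newmem,$1000,KILL)
label(code)
label(return)

newmem:
  // Hook replaces "health -= damage" (subsd xmm0,xmm1) with a value chosen
  // by the faction flag at [rsi+D0]: per the author's note 0 = friendly,
  // 1 = enemy.
  xorpd xmm0,xmm0              // enemy result: 0.0 (full-register zero; unlike
                               // subsd xmm0,xmm0 it cannot produce NaN from inf/NaN)
  // NOTE(review): no operand size is written, so the assembler's default
  // width is used for this compare — confirm the flag's actual field width.
  cmp [rsi+D0],#1
  je code                      // enemy: keep xmm0 = 0.0
  // friendly: take the float at [rsi+B0] (presumably the max-health field
  // next to health at +AC — confirm) and widen it to double
  movss xmm0,[rsi+000000B0]
  cvtss2sd xmm0,xmm0

code:
  cvtsd2ss xmm5,xmm0           // original instruction; the store to [rsi+AC] follows at return
  jmp return

KILL:
  jmp newmem
  nop 3                        // 5-byte jmp + 3 = 8 bytes: subsd (4) + cvtsd2ss (4);
                               // the 8-byte movss [rsi+AC],xmm5 at KILL+8 is left in place
return:
registersymbol(KILL)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
KILL:
  db F2 0F 5C C1 F2 0F 5A E8 F3 0F 11 AE AC 00 00 00

unregistersymbol(KILL)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 229E6946229

229E69461FB: F3 0F 11 4C 24 08        - movss [rsp+08],xmm1
229E6946201: 0F B6 86 A8 00 00 00     - movzx eax,byte ptr [rsi+000000A8]
229E6946208: 85 C0                    - test eax,eax
229E694620A: 74 07                    - je 229E6946213
229E694620C: 33 C0                    - xor eax,eax
229E694620E: E9 60 00 00 00           - jmp 229E6946273
229E6946213: F3 0F 10 86 AC 00 00 00  - movss xmm0,[rsi+000000AC]
229E694621B: F3 0F 5A C0              - cvtss2sd xmm0,xmm0
229E694621F: F3 0F 10 4C 24 08        - movss xmm1,[rsp+08]
229E6946225: F3 0F 5A C9              - cvtss2sd xmm1,xmm1
// ---------- INJECTING HERE ----------
229E6946229: F2 0F 5C C1              - subsd xmm0,xmm1
// ---------- DONE INJECTING  ----------
229E694622D: F2 0F 5A E8              - cvtsd2ss xmm5,xmm0
229E6946231: F3 0F 11 AE AC 00 00 00  - movss [rsi+000000AC],xmm5
229E6946239: F3 0F 10 86 AC 00 00 00  - movss xmm0,[rsi+000000AC]
229E6946241: F3 0F 5A C0              - cvtss2sd xmm0,xmm0
229E6946245: 66 0F 57 C9              - xorpd xmm1,xmm1
229E6946249: 66 0F 2F C8              - comisd xmm1,xmm0
229E694624D: 0F 82 1E 00 00 00        - jb 229E6946271
229E6946253: 66 0F 57 C0              - xorpd xmm0,xmm0
229E6946257: F2 0F 5A E8              - cvtsd2ss xmm5,xmm0
229E694625B: F3 0F 11 AE AC 00 00 00  - movss [rsi+000000AC],xmm5
}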
`cdqe` 是 x86-64 汇编中的一条指令，用于将一个 32 位有符号整数符号扩展为一个 64 位有符号整数。 具体来说，`cdqe` 指令把 EAX 寄存器中的 32 位有符号整数值（双字，4 字节）扩展到 RAX 寄存器中的 64 位有符号整数值（四字，8 字节），即用 EAX 的最高位（符号位）填充 RAX 的高 32 位。 这条指令可以在进行 64 位有符号整数运算时使用，特别是在将 32 位有符号整数值扩展为 64 位有符号整数值时非常有用。 示例： 假设 EAX 寄存器中的值为 0xFFFFFFFF（-1 的补码形式，即 -1），执行 `cdqe` 指令后，RAX 寄存器中的值将扩展为 0xFFFFFFFFFFFFFFFF（-1 的补码形式，即 -1）。