{ Game : KingdomCome.exe
Version:
Date : 2018-02-18
This script enables the KCD console for variables and functions that were dev disabled

How it works: each of the two hooks below replaces one flag-mask instruction
in WHGame.DLL with a copy whose immediate lacks bit 0x2 (per the header above
this is the "dev disabled" flag; not confirmed independently here). The
0x03000000 bits of the mask are kept, so those checks behave as before. Only
the immediate changes; operands and the instruction after each hook are left
as they were.
The "WHGame.DLL"+6F7882 / +6F7AF8 offsets are for the game build of the date
above and are only a preferred cave location; the aobscanmodule patterns are
what actually locate the code.
}

[ENABLE]

// Hook 1: variable flag check. Pattern = the 6 bytes of 'and ebx,03000002'
// (see the ORIGINAL CODE dump under [DISABLE]). aobscanmodule does not verify
// uniqueness, so if a later build adds a second match the hook may land in the
// wrong place; widen the pattern with neighbouring bytes if that happens.
aobscanmodule(VariableExec,WHGame.DLL,81 E3 02 00 00 03) // should be unique
// Cave requested near the injection point so the 5-byte rel32 'jmp newmem' can reach it.
alloc(newmem,$1000,"WHGame.DLL"+6F7882)

label(code)
label(return)

newmem:

code:
and ebx,03000000     // was 'and ebx,03000002': mask without bit 0x2; the original 'setne r12l' that follows now reflects only the 0x03000000 bits
jmp return

VariableExec:
jmp newmem           // 5 bytes
nop                  // pads to the 6 bytes replaced, so 'return' is exactly the next original instruction (setne r12l)
return:
registersymbol(VariableExec) // exported so the [DISABLE] section restores bytes at the same address

// Hook 2: function flag check. Pattern = the 7 bytes of 'test [rdi+18],3000002'
// (see the second ORIGINAL CODE dump under [DISABLE]). Same uniqueness caveat as above.
aobscanmodule(FunctionExec,WHGame.DLL,F7 47 18 02 00 00 03) // should be unique
// Cave requested near the injection point for the same rel32 reach reason as newmem.
alloc(newmem2,$1000,"WHGame.DLL"+6F7AF8)

label(code2)
label(return2)

newmem2:

code2:
test [rdi+18],3000000 // was 'test [rdi+18],3000002': bit 0x2 no longer influences the 'jne' that follows the hook
jmp return2

FunctionExec:
jmp newmem2          // 5 bytes
nop                  // two nops pad to the 7 bytes replaced
nop
return2:
registersymbol(FunctionExec) // exported so the [DISABLE] section restores bytes at the same address
  45.  
[DISABLE]

// Put back the original 6 bytes of 'and ebx,03000002' at the hook address
// (must be the exact span the 'jmp newmem' + nop overwrote; see the dump below).
VariableExec:
db 81 E3 02 00 00 03

// Original bytes are restored above before the cave is freed.
unregistersymbol(VariableExec)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "WHGame.DLL"+6F7882

"WHGame.DLL"+6F7861: 4D 8B F8 - mov r15,r8
"WHGame.DLL"+6F7864: 48 8B FA - mov rdi,rdx
"WHGame.DLL"+6F7867: FF 90 88 00 00 00 - call qword ptr [rax+00000088]
"WHGame.DLL"+6F786D: 4C 8B 0F - mov r9,[rdi]
"WHGame.DLL"+6F7870: 48 8B CF - mov rcx,rdi
"WHGame.DLL"+6F7873: 40 8A E8 - mov bpl,al
"WHGame.DLL"+6F7876: 41 FF 51 60 - call qword ptr [r9+60]
"WHGame.DLL"+6F787A: 4C 8B 07 - mov r8,[rdi]
"WHGame.DLL"+6F787D: 48 8B CF - mov rcx,rdi
"WHGame.DLL"+6F7880: 8B D8 - mov ebx,eax
// ---------- INJECTING HERE ----------
"WHGame.DLL"+6F7882: 81 E3 02 00 00 03 - and ebx,03000002
// ---------- DONE INJECTING ----------
"WHGame.DLL"+6F7888: 41 0F 95 C4 - setne r12l
"WHGame.DLL"+6F788C: 41 FF 50 60 - call qword ptr [r8+60]
"WHGame.DLL"+6F7890: 48 8B 17 - mov rdx,[rdi]
"WHGame.DLL"+6F7893: 48 8B CF - mov rcx,rdi
"WHGame.DLL"+6F7896: 44 8B F0 - mov r14d,eax
"WHGame.DLL"+6F7899: 41 81 E6 00 08 00 00 - and r14d,00000800
"WHGame.DLL"+6F78A0: 41 0F 95 C5 - setne r13l
"WHGame.DLL"+6F78A4: FF 52 60 - call qword ptr [rdx+60]
"WHGame.DLL"+6F78A7: 25 00 00 00 40 - and eax,40000000
"WHGame.DLL"+6F78AC: 0F 95 84 24 80 00 00 00 - setne byte ptr [rsp+00000080]
}
// Put back the original 7 bytes of 'test [rdi+18],3000002'
// (the exact span the 'jmp newmem2' + two nops overwrote; see the dump below).
FunctionExec:
db F7 47 18 02 00 00 03

// Original bytes are restored above before the cave is freed.
unregistersymbol(FunctionExec)
dealloc(newmem2)

{
// ORIGINAL CODE - INJECTION POINT: "WHGame.DLL"+6F7AF8

"WHGame.DLL"+6F7ACC: 48 8B 51 08 - mov rdx,[rcx+08]
"WHGame.DLL"+6F7AD0: 0F B6 05 31 06 77 01 - movzx eax,byte ptr [WHGame.DLL+1E68108]
"WHGame.DLL"+6F7AD7: 44 0F B6 02 - movzx r8d,byte ptr [rdx]
"WHGame.DLL"+6F7ADB: 44 2B C0 - sub r8d,eax
"WHGame.DLL"+6F7ADE: 75 0F - jne WHGame.DLL+6F7AEF
"WHGame.DLL"+6F7AE0: 44 0F B6 42 01 - movzx r8d,byte ptr [rdx+01]
"WHGame.DLL"+6F7AE5: 0F B6 05 1D 06 77 01 - movzx eax,byte ptr [WHGame.DLL+1E68109]
"WHGame.DLL"+6F7AEC: 44 2B C0 - sub r8d,eax
"WHGame.DLL"+6F7AEF: 45 85 C0 - test r8d,r8d
"WHGame.DLL"+6F7AF2: 0F 84 DA F3 A0 00 - je WHGame.DLL+1106ED2
// ---------- INJECTING HERE ----------
"WHGame.DLL"+6F7AF8: F7 47 18 02 00 00 03 - test [rdi+18],3000002
// ---------- DONE INJECTING ----------
"WHGame.DLL"+6F7AFF: 0F 85 E2 F3 A0 00 - jne WHGame.DLL+1106EE7
"WHGame.DLL"+6F7B05: 48 8B 47 20 - mov rax,[rdi+20]
"WHGame.DLL"+6F7B09: 48 85 C0 - test rax,rax
"WHGame.DLL"+6F7B0C: 0F 84 17 F4 A0 00 - je WHGame.DLL+1106F29
"WHGame.DLL"+6F7B12: 48 8D 0D 97 08 78 01 - lea rcx,[WHGame.DLL+1E783B0]
"WHGame.DLL"+6F7B19: 48 89 75 07 - mov [rbp+07],rsi
"WHGame.DLL"+6F7B1D: 48 89 4D F7 - mov [rbp-09],rcx
"WHGame.DLL"+6F7B21: 48 8D 4D D7 - lea rcx,[rbp-29]
"WHGame.DLL"+6F7B25: 48 89 4D FF - mov [rbp-01],rcx
"WHGame.DLL"+6F7B29: 48 8D 4D F7 - lea rcx,[rbp-09]
}