Untitled

<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>151</ID>
      <Description>"x86/x64 Beep - Step 2"</Description>
      <LastState/>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>/*
https://msdn.microsoft.com/en-us/library/windows/desktop/ms679277(v=vs.85).aspx
BOOL WINAPI Beep(
  _In_ DWORD dwFreq,
  _In_ DWORD dwDuration
);
*/
[ENABLE]
{$lua}
  if targetIs64Bit() then
    return [[//code for if it is a 64bit application
      aobscanmodule(INJECT,Tutorial-x86_64.exe,83 BB 90 07 00 00 00)
      alloc(newmem,$1000,"Tutorial-x86_64.exe"+2AD8C)
    ]]
  else
    return [[//code for if it is a 32bit application
      aobscanmodule(INJECT,Tutorial-i386.exe,83 bb ?? ?? ?? ?? ?? ?? ?? a1 24 f2)
      alloc(newmem,$1000)
    ]]
  end
{$asm}
label(code)
label(return)

newmem:
code:
  push rax
  // align stack (ce will automatically use ebp/esp for 32 bit, at least in this test lol)
  push rbp
  mov  rbp, rsp
  and  rsp, -10
{$lua}
  if targetIs64Bit() then
    return [[//code for if it is a 64bit application
      mov rcx, #700 // dwFreq
      mov rdx, #350 // dwDuration
    ]]
  else
    return [[//code for if it is a 32bit application
      push #350 // dwDuration
      push #700 // dwFreq
    ]]
  end
{$asm}

  call beep
  // restore stack pointer
  mov rsp, rbp
  pop rbp
  pop rax

{$lua}
  if targetIs64Bit() then
    return [[//code for if it is a 64bit application
      cmp dword ptr [rbx+00000790],00
    ]]
  else
    return [[//code for if it is a 32bit application
      cmp dword ptr [ebx+00000480],00
    ]]
  end
{$asm}
  jmp return

INJECT:
  jmp newmem
  db 90 90
return:
registersymbol(INJECT)

[DISABLE]
INJECT:
{$lua}
  if targetIs64Bit() then
    return [[//code for if it is a 64bit application
      db 83 BB 90 07 00 00 00
    ]]
  else
    return [[//code for if it is a 32bit application
      db 83 BB 80 04 00 00 00
    ]]
  end
{$asm}

unregistersymbol(INJECT)
dealloc(newmem)


{
// ORIGINAL CODE - INJECTION POINT: "Tutorial-i386.exe"+23B1C

"Tutorial-i386.exe"+23AF0: E8 FB AB FE FF        -  call Tutorial-i386.exe+E6F0
"Tutorial-i386.exe"+23AF5: 8D 50 01              -  lea edx,[eax+01]
"Tutorial-i386.exe"+23AF8: 8B 83 80 04 00 00     -  mov eax,[ebx+00000480]
"Tutorial-i386.exe"+23AFE: 29 D0                 -  sub eax,edx
"Tutorial-i386.exe"+23B00: 89 83 80 04 00 00     -  mov [ebx+00000480],eax
"Tutorial-i386.exe"+23B06: 8D 55 D4              -  lea edx,[ebp-2C]
"Tutorial-i386.exe"+23B09: E8 02 62 01 00        -  call Tutorial-i386.exe+39D10
"Tutorial-i386.exe"+23B0E: 8B 55 D4              -  mov edx,[ebp-2C]
"Tutorial-i386.exe"+23B11: 8B 83 6C 04 00 00     -  mov eax,[ebx+0000046C]
"Tutorial-i386.exe"+23B17: E8 24 FB 06 00        -  call Tutorial-i386.exe+93640
// ---------- INJECTING HERE ----------
"Tutorial-i386.exe"+23B1C: 83 BB 80 04 00 00 00  -  cmp dword ptr [ebx+00000480],00
// ---------- DONE INJECTING  ----------
"Tutorial-i386.exe"+23B23: 7D 2B                 -  jnl Tutorial-i386.exe+23B50
"Tutorial-i386.exe"+23B25: A1 24 F2 54 00        -  mov eax,[Tutorial-i386.exe+14F224]
"Tutorial-i386.exe"+23B2A: E8 E1 4A 0F 00        -  call Tutorial-i386.exe+118610
"Tutorial-i386.exe"+23B2F: B8 64 00 00 00        -  mov eax,00000064
"Tutorial-i386.exe"+23B34: 89 83 80 04 00 00     -  mov [ebx+00000480],eax
"Tutorial-i386.exe"+23B3A: 8D 55 D4              -  lea edx,[ebp-2C]
"Tutorial-i386.exe"+23B3D: E8 CE 61 01 00        -  call Tutorial-i386.exe+39D10
"Tutorial-i386.exe"+23B42: 8B 55 D4              -  mov edx,[ebp-2C]
"Tutorial-i386.exe"+23B45: 8B 83 6C 04 00 00     -  mov eax,[ebx+0000046C]
"Tutorial-i386.exe"+23B4B: E8 F0 FA 06 00        -  call Tutorial-i386.exe+93640
}
</AssemblerScript>
    </CheatEntry>
  </CheatEntries>
</CheatTable>