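<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
<CheatEntries>
<CheatEntry>
<ID>151</ID>
<Description>"x86/x64 Beep - Step 2"</Description>
<LastState/>
<VariableType>Auto Assembler Script</VariableType>
<AssemblerScript>/*
Cheat Engine auto-assembler script (Intel syntax; numbers are hex unless
prefixed with '#', so "-10" is -0x10 and "#700" is decimal 700).

Hooks the "cmp dword ptr [ebx/rbx+N],0" in the CE tutorial binary, calls
kernel32!Beep, then re-executes the overwritten cmp and jumps back.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms679277(v=vs.85).aspx
BOOL WINAPI Beep(
  _In_ DWORD dwFreq,
  _In_ DWORD dwDuration
);

ABI requirements for calling a Win32 API from injected code:
 - x64 (Microsoft x64): args in rcx, rdx; rsp must be 16-byte aligned at the
   call AND the caller must reserve 32 bytes of shadow space above the return
   address (even for a two-argument call). rax, rcx, rdx, r8-r11 and
   xmm0-xmm5 are caller-saved, so anything the hooked function keeps there
   has to be saved around the call. The integer volatiles are saved below;
   xmm0-xmm5 are NOT - add movdqu spills if FP state is live at the hook.
 - x86 (stdcall): args pushed right-to-left, Beep pops them itself; eax, ecx,
   edx are caller-saved. Only 4-byte stack alignment is required.
 - ebx/rbx is callee-saved under both ABIs, so the re-executed cmp still
   sees the original base pointer.
 - "beep" is resolved by CE against the target's loaded kernel32; if the
   script fails to enable, qualify it as kernel32.Beep.
*/
[ENABLE]
{$lua}
if targetIs64Bit() then
return [[//code for if it is a 64bit application
aobscanmodule(INJECT,Tutorial-x86_64.exe,83 BB 90 07 00 00 00)
alloc(newmem,$1000,"Tutorial-x86_64.exe"+2AD8C) // near the hook so the rel32 jmp reaches
]]
else
return [[//code for if it is a 32bit application
aobscanmodule(INJECT,Tutorial-i386.exe,83 bb ?? ?? ?? ?? ?? ?? ?? a1 24 f2)
alloc(newmem,$1000)
]]
end
{$asm}
label(code)
label(return)

newmem:
code:
{$lua}
if targetIs64Bit() then
return [[//code for if it is a 64bit application
// save every caller-saved integer register Beep is allowed to clobber
push rax
push rcx
push rdx
push r8
push r9
push r10
push r11
// frame pointer so the alignment/shadow adjustment is undone exactly
push rbp
mov rbp,rsp
and rsp,-10                 // 16-byte alignment required at the call
sub rsp,20                  // 32-byte shadow space required by the Win64 ABI
mov rcx,#700                // dwFreq
mov rdx,#350                // dwDuration
call beep
mov rsp,rbp
pop rbp
pop r11
pop r10
pop r9
pop r8
pop rdx
pop rcx
pop rax
// re-execute the 7-byte instruction the jmp replaced
cmp dword ptr [rbx+00000790],00
]]
else
return [[//code for if it is a 32bit application
// save the x86 caller-saved registers
push eax
push ecx
push edx
push ebp
mov ebp,esp
and esp,-10                 // not required on x86 (4-byte alignment); keeps the frame restore trivial
push #350                   // dwDuration
push #700                   // dwFreq
call beep                   // stdcall: Beep pops its own arguments
mov esp,ebp
pop ebp
pop edx
pop ecx
pop eax
// re-execute the 7-byte instruction the jmp replaced
cmp dword ptr [ebx+00000480],00
]]
end
{$asm}
jmp return

INJECT:
jmp newmem
db 90 90                    // pad the 5-byte jmp to the 7 bytes of the replaced cmp
return:
registersymbol(INJECT)

[DISABLE]
INJECT:
{$lua}
if targetIs64Bit() then
return [[//code for if it is a 64bit application
db 83 BB 90 07 00 00 00
]]
else
return [[//code for if it is a 32bit application
db 83 BB 80 04 00 00 00
]]
end
{$asm}
unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "Tutorial-i386.exe"+23B1C

"Tutorial-i386.exe"+23AF0: E8 FB AB FE FF        - call Tutorial-i386.exe+E6F0
"Tutorial-i386.exe"+23AF5: 8D 50 01              - lea edx,[eax+01]
"Tutorial-i386.exe"+23AF8: 8B 83 80 04 00 00     - mov eax,[ebx+00000480]
"Tutorial-i386.exe"+23AFE: 29 D0                 - sub eax,edx
"Tutorial-i386.exe"+23B00: 89 83 80 04 00 00     - mov [ebx+00000480],eax
"Tutorial-i386.exe"+23B06: 8D 55 D4              - lea edx,[ebp-2C]
"Tutorial-i386.exe"+23B09: E8 02 62 01 00        - call Tutorial-i386.exe+39D10
"Tutorial-i386.exe"+23B0E: 8B 55 D4              - mov edx,[ebp-2C]
"Tutorial-i386.exe"+23B11: 8B 83 6C 04 00 00     - mov eax,[ebx+0000046C]
"Tutorial-i386.exe"+23B17: E8 24 FB 06 00        - call Tutorial-i386.exe+93640
// ---------- INJECTING HERE ----------
"Tutorial-i386.exe"+23B1C: 83 BB 80 04 00 00 00  - cmp dword ptr [ebx+00000480],00
// ---------- DONE INJECTING  ----------
"Tutorial-i386.exe"+23B23: 7D 2B                 - jnl Tutorial-i386.exe+23B50
"Tutorial-i386.exe"+23B25: A1 24 F2 54 00        - mov eax,[Tutorial-i386.exe+14F224]
"Tutorial-i386.exe"+23B2A: E8 E1 4A 0F 00        - call Tutorial-i386.exe+118610
"Tutorial-i386.exe"+23B2F: B8 64 00 00 00        - mov eax,00000064
"Tutorial-i386.exe"+23B34: 89 83 80 04 00 00     - mov [ebx+00000480],eax
"Tutorial-i386.exe"+23B3A: 8D 55 D4              - lea edx,[ebp-2C]
"Tutorial-i386.exe"+23B3D: E8 CE 61 01 00        - call Tutorial-i386.exe+39D10
"Tutorial-i386.exe"+23B42: 8B 55 D4              - mov edx,[ebp-2C]
"Tutorial-i386.exe"+23B45: 8B 83 6C 04 00 00     - mov eax,[ebx+0000046C]
"Tutorial-i386.exe"+23B4B: E8 F0 FA 06 00        - call Tutorial-i386.exe+93640
}
</AssemblerScript>
</CheatEntry>
</CheatEntries>
</CheatTable>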