Memory Hacking Software

[run32dll]

I'm new to MHS and used CE or sometimes TSearch before. This Morning I was playing araund and writing a codeinjection for the Game 'Gothic 2 1.30 german'. While overwriting the original gamecode I noticed that MHS is noping to many bytes? Is that normal? I did not completly understand the warning that poped up while replacing...
8B8481A4010000 | MOV EAX, DWORD PTR [ECX+EAX*4+1A4]
with...
B828000000 | MOV EAX, 28

Shouldn't MHS just nop the 2 bytes left from the original code? Why does MHS nop so much more?

the original code from the game:

Code: Select all

006C12F9 | C2 0400         | RETN    4                              |
006C12FC | 90              | NOP                                    |
006C12FD | 90              | NOP                                    |
006C12FE | 90              | NOP                                    |
006C12FF | 90              | NOP                                    |
006C1300 | 8B4424 04       | MOV     EAX, DWORD PTR [ESP+4]         |
006C1304 | 8B8481 A4010000 | MOV     EAX, DWORD PTR [ECX+EAX*4+1A4] |<
006C130B | C2 0400         | RETN    4                              |
006C130E | 90              | NOP                                    |
006C130F | 90              | NOP                                    |
006C1310 | 8B4424 04       | MOV     EAX, DWORD PTR [ESP+4]         |
006C1314 | 8B8481 C4010000 | MOV     EAX, DWORD PTR [ECX+EAX*4+1C4] |
006C131B | C2 0400         | RETN    4                              |


How the code looked after changing just the one line to mov eax,28:

Code: Select all

006C12F9 | C2 0400         | RETN    4                              |
006C12FC | 90              | NOP                                    |
006C12FD | 90              | NOP                                    |
006C12FE | 90              | NOP                                    |
006C12FF | 90              | NOP                                    |
006C1300 | 8B4424 04       | MOV     EAX, DWORD PTR [ESP+4]         |
006C1304 | B8 28000000     | MOV     EAX, 28                        |<
006C1309 | 90              | NOP                                    |
006C130A | 90              | NOP                                    |
006C130B | 90              | NOP                                    |
006C130C | 90              | NOP                                    |
006C130D | 90              | NOP                                    |
006C130E | 90              | NOP                                    |
006C130F | 90              | NOP                                    |
006C1310 | 90              | NOP                                    |
006C1311 | 90              | NOP                                    |
006C1312 | 90              | NOP                                    |
006C1313 | 90              | NOP                                    |
006C1314 | 8B8481 C4010000 | MOV     EAX, DWORD PTR [ECX+EAX*4+1C4] |
006C131B | C2 0400         | RETN    4                              |


what I expected or how it should look:

Code: Select all

006C12F9 | C2 0400         | RETN    4                              |
006C12FC | 90              | NOP                                    |
006C12FD | 90              | NOP                                    |
006C12FE | 90              | NOP                                    |
006C12FF | 90              | NOP                                    |
006C1300 | 8B4424 04       | MOV     EAX, DWORD PTR [ESP+4]         |
006C1304 | B8 28000000     | MOV     EAX, 28                        |<
006C1309 | 90              | NOP                                    |
006C130A | 90              | NOP                                    |
006C130B | C2 0400         | RETN    4                              |
006C130E | 90              | NOP                                    |
006C130F | 90              | NOP                                    |
006C1310 | 8B4424 04       | MOV     EAX, DWORD PTR [ESP+4]         |
006C1314 | 8B8481 C4010000 | MOV     EAX, DWORD PTR [ECX+EAX*4+1C4] |
006C131B | C2 0400         | RETN    4                              |

*confused* ...

PS: my english may suck, hope you can understand the problem

[L. Spiro]

I will look into it when I return home.


L. Spiro

[run32dll]

Today I got my Health freeze codeinjection working for Gothic 2. I wrote my asm into the codecave. Then I set a BP on some address before the jump to my codecave. If I would not do this the game will crash because after writing the jump over the original instruction the following code gets destroyed by to many NOPs. So I made a copy of the code before and reconstructed the code. Then I removed the BP and the game was running fine with my Health freezed.

In CE I just need to write my codecave and then my jump. Thats it. If the original instrution was 6Bytes and the Jump uses 5Bytes it just nop's the one byte. But CE crashes when I try to open the Gothic 2 process so I cant.

I'll take a look on the script stuff for now. May be I'll find another way to test my code instead of writing the code directly in the disasm window.

I was thinking of a solution for this problem:
Lets say the user wants to replace an instruction in the disasm window.
If the lenght of the original instruction does not match with the new code the user should be able to specify a number of bytes that will be noped *after* the new instruction. Of course an automatic solution would be better.

[L. Spiro]

It is already automatic.
There is just something wrong with it right now and I have to fix it.

I would suggest that you use the Injection Manager instead of the Auto-Assembler, but from the sounds of it you are not using the Auto-Assembler either, and I am pretty sure neither the Auto-Assembler nor Injection Manager have this problem (it should only be a problem with the Assemble command in the Disassembler, which it sounds as though you are using).


L. Spiro


[EDIT]
The fix can be found here.
[/EDIT]

[run32dll]

No I did not use the Injection Manager or Auto-Assembler until now. Guess its time to change that

Thanks for clearing things up and the very fast help L. Spiro. You are doing a great job. MHS kicks ass.