1
"Cheat Script - Assembler Version"
Auto Assembler Script
[ENABLE]
aobscanmodule(INJECT,lua51.dll,8B 29 8B 49 04) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
label(hearts)
label(gold)
label(lifes)
newmem:
mov ebp,[ecx+8] // get the very first pointer-offset to the string
// check for the string player_gold
cmp dword ptr [ebp+10],'play'
jne hearts
cmp dword ptr [ebp+14],'er_g'
jne hearts
// optional: assign constant value of 9999
// mov [ecx],(double)9999
// mov [ecx+4],(double32H)9999
mov [gold], ecx
jmp code
// check for the string lives (player-hearts)
hearts:
cmp [ebp+c],5
jne code
cmp dword ptr [ebp+10],'live'
jne code
cmp word ptr [ebp+14],'s'
jne code
// optional: assign constant value of 20
// mov [ecx],(double)9999
// mov [ecx+4],(double32H)9999
mov [lifes], ecx
// put additional checks here
code:
mov ebp,[ecx]
mov ecx,[ecx+04]
jmp return
gold:
dd 0
lifes:
dd 0
INJECT:
jmp newmem
return:
registersymbol(INJECT gold lifes)
[DISABLE]
INJECT:
db 8B 29 8B 49 04 89 2c c2
unregistersymbol(*)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: lua51.dll.text+BDA
lua51.dll.text+BBC: 23 48 08 - and ecx,[eax+08]
lua51.dll.text+BBF: 6B C9 18 - imul ecx,ecx,18
lua51.dll.text+BC2: 03 4D 14 - add ecx,[ebp+14]
lua51.dll.text+BC5: 83 79 0C FB - cmp dword ptr [ecx+0C],-05
lua51.dll.text+BC9: 75 3A - jne lua51.dll.text+C05
lua51.dll.text+BCB: 39 41 08 - cmp [ecx+08],eax
lua51.dll.text+BCE: 75 35 - jne lua51.dll.text+C05
lua51.dll.text+BD0: 83 79 04 FF - cmp dword ptr [ecx+04],-01
lua51.dll.text+BD4: 74 36 - je lua51.dll.text+C0C
lua51.dll.text+BD6: 0F B6 46 FD - movzx eax,byte ptr [esi-03]
// ---------- INJECTING HERE ----------
lua51.dll.text+BDA: 8B 29 - mov ebp,[ecx]
lua51.dll.text+BDC: 8B 49 04 - mov ecx,[ecx+04]
// ---------- DONE INJECTING ----------
lua51.dll.text+BDF: 89 2C C2 - mov [edx+eax*8],ebp
lua51.dll.text+BE2: 89 4C C2 04 - mov [edx+eax*8+04],ecx
lua51.dll.text+BE6: 8B 06 - mov eax,[esi]
lua51.dll.text+BE8: 0F B6 CC - movzx ecx,ah
lua51.dll.text+BEB: 0F B6 E8 - movzx ebp,al
lua51.dll.text+BEE: 83 C6 04 - add esi,04
lua51.dll.text+BF1: C1 E8 10 - shr eax,10
lua51.dll.text+BF4: FF 24 AB - jmp dword ptr [ebx+ebp*4]
lua51.dll.text+BF7: 0F B6 46 FD - movzx eax,byte ptr [esi-03]
}
3
"Gold"
0
Double
gold
0
4
"Hearts"
0
Double
lifes
0
14
"Cheat Script - Lua Version by dharmang1910"
Auto Assembler Script
[ENABLE]
aobscanmodule(base,lua51.dll,8B 29 8B 49 04) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
cmp [ecx],0
jne code
{$luacode pBase=ecx}
if readPointer(pBase+0x08) ~= 0 then
local gname = readString(readPointer(pBase+0x08)+0x10)
if gname == 'player_gold' then
-- writeDouble(pBase,9999)
registerSymbol("gold",pBase)
elseif gname == 'lives' then
-- writeDouble(pBase,20)
registerSymbol("lifes",pBase)
end
end
{$asm}
code:
mov ebp,[ecx]
mov ecx,[ecx+04]
jmp return
base:
jmp newmem
return:
registersymbol(base)
[DISABLE]
base:
db 8B 29 8B 49 04
unregistersymbol(base)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: lua51.dll+1BDA
lua51.dll+1BBC: 23 48 08 - and ecx,[eax+08]
lua51.dll+1BBF: 6B C9 18 - imul ecx,ecx,18
lua51.dll+1BC2: 03 4D 14 - add ecx,[ebp+14]
lua51.dll+1BC5: 83 79 0C FB - cmp dword ptr [ecx+0C],-05
lua51.dll+1BC9: 75 3A - jne lua51.dll+1C05
lua51.dll+1BCB: 39 41 08 - cmp [ecx+08],eax
lua51.dll+1BCE: 75 35 - jne lua51.dll+1C05
lua51.dll+1BD0: 83 79 04 FF - cmp dword ptr [ecx+04],-01
lua51.dll+1BD4: 74 36 - je lua51.dll+1C0C
lua51.dll+1BD6: 0F B6 46 FD - movzx eax,byte ptr [esi-03]
// ---------- INJECTING HERE ----------
lua51.dll+1BDA: 8B 29 - mov ebp,[ecx]
// ---------- DONE INJECTING ----------
lua51.dll+1BDC: 8B 49 04 - mov ecx,[ecx+04]
lua51.dll+1BDF: 89 2C C2 - mov [edx+eax*8],ebp
lua51.dll+1BE2: 89 4C C2 04 - mov [edx+eax*8+04],ecx
lua51.dll+1BE6: 8B 06 - mov eax,[esi]
lua51.dll+1BE8: 0F B6 CC - movzx ecx,ah
lua51.dll+1BEB: 0F B6 E8 - movzx ebp,al
lua51.dll+1BEE: 83 C6 04 - add esi,04
lua51.dll+1BF1: C1 E8 10 - shr eax,10
lua51.dll+1BF4: FF 24 AB - jmp dword ptr [ebx+ebp*4]
lua51.dll+1BF7: 0F B6 46 FD - movzx eax,byte ptr [esi-03]
}
15
"Gold"
0
Double
gold
16
"Hearts"
0
Double
lifes
11
"Cheat Script - $ccode Version by DarkByte"
Auto Assembler Script
// DarkByte himself helped me to get this thing running.
// in fact, it is his code here. :)
[ENABLE]
aobscanmodule(INJECT,lua51.dll,8B 29 8B 49 04) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
// important! the registered symbols must be created with alloc
// using just label + registersymbol causes issues with $ccode!
alloc(gold,4)
alloc(lifes,4)
newmem:
{$ccode vBase=ecx}
extern int gold; // import the gold-symbol from above
extern int lifes; // import the lifes-symbol from above
unsigned long *p1=(unsigned long *)(vBase+8); // define a pointer to [vBase+8]
if (*p1) // if pointer is valid
{
char *str=(char *)(*p1+0x10); // define pointer to a string at p1+0x10 = [[vBase+0x8]+0x10]
if (strncmp(str,"player_gold",11)==0) // if the text fits
{
// *(double *)vBase=9999.0f; // set value to 9999
gold = vBase; // save the address for gold into the gold-symbol
}
else
if (strncmp(str,"lives",5)==0) // if the text fits
{
// *(double *)vBase=20.0f; // set value to 9999
lifes = vBase; // save the address for gold into the lifes-symbol
}
}
{$asm}
code:
mov ebp,[ecx]
mov ecx,[ecx+04]
jmp return
gold:
dd 0
lifes:
dd 0
INJECT:
jmp newmem
return:
registersymbol(INJECT gold lifes)
[DISABLE]
INJECT:
db 8B 29 8B 49 04 89 2c c2
unregistersymbol(*)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: lua51.dll.text+BDA
lua51.dll.text+BBC: 23 48 08 - and ecx,[eax+08]
lua51.dll.text+BBF: 6B C9 18 - imul ecx,ecx,18
lua51.dll.text+BC2: 03 4D 14 - add ecx,[ebp+14]
lua51.dll.text+BC5: 83 79 0C FB - cmp dword ptr [ecx+0C],-05
lua51.dll.text+BC9: 75 3A - jne lua51.dll.text+C05
lua51.dll.text+BCB: 39 41 08 - cmp [ecx+08],eax
lua51.dll.text+BCE: 75 35 - jne lua51.dll.text+C05
lua51.dll.text+BD0: 83 79 04 FF - cmp dword ptr [ecx+04],-01
lua51.dll.text+BD4: 74 36 - je lua51.dll.text+C0C
lua51.dll.text+BD6: 0F B6 46 FD - movzx eax,byte ptr [esi-03]
// ---------- INJECTING HERE ----------
lua51.dll.text+BDA: 8B 29 - mov ebp,[ecx]
lua51.dll.text+BDC: 8B 49 04 - mov ecx,[ecx+04]
// ---------- DONE INJECTING ----------
lua51.dll.text+BDF: 89 2C C2 - mov [edx+eax*8],ebp
lua51.dll.text+BE2: 89 4C C2 04 - mov [edx+eax*8+04],ecx
lua51.dll.text+BE6: 8B 06 - mov eax,[esi]
lua51.dll.text+BE8: 0F B6 CC - movzx ecx,ah
lua51.dll.text+BEB: 0F B6 E8 - movzx ebp,al
lua51.dll.text+BEE: 83 C6 04 - add esi,04
lua51.dll.text+BF1: C1 E8 10 - shr eax,10
lua51.dll.text+BF4: FF 24 AB - jmp dword ptr [ebx+ebp*4]
lua51.dll.text+BF7: 0F B6 46 FD - movzx eax,byte ptr [esi-03]
}
12
"Gold"
0
Double
gold
0
13
"Hearts"
0
Double
lifes
0
25
""`-._,-'"`-._,-'"`-._,-'"`-. Cooldown Modifier _,-"`-._,-'"`-._,-'"`-._,-'"`-._,-"
FF0000
1
24
"1. Use an ability with a cooldown (the Buttons with 1,2,3 on the bottom of your screen)"
FF00FF
1
27
"2. Actvite the Script below"
FF00FF
1
26
"3. set the Value to 0.01 and freeze it"
FF00FF
1
28
"4. set value to 60 again before entering the map again else crash"
FF00FF
1
22
"Get Cooldown Divider"
Auto Assembler Script
{
Gets the address of the Multiplier/Divider for cooldowns.
For those interested:
When casting a spell, timer is set to -1
and then counts up to 0.
If 0 is reached and enemies are active, spell is activated again.
Default value of multiplier is 60.
If we set it to 0.01, spells are 6000 times faster ready again. :)
}
[ENABLE]
aobscan(cooldown,F2 0F 5E BB 50 04 00 00) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
alloc(divider,4)
newmem:
mov [divider],ebx
code:
divsd xmm7,[ebx+00000450]
jmp return
divider:
dd 0
cooldown:
jmp newmem
nop 3
return:
registersymbol(cooldown divider)
[DISABLE]
cooldown:
db F2 0F 5E BB 50 04 00 00
unregistersymbol(*)
dealloc(*)
{
// ORIGINAL CODE - INJECTION POINT: 7FAD9FB2
7FAD9F71: 0F 85 91 60 02 00 - jne 7FB00008
7FAD9F77: 83 BE 6C 04 00 00 F1 - cmp dword ptr [esi+0000046C],-0F
7FAD9F7E: 0F 83 84 60 02 00 - jae 7FB00008
7FAD9F84: F2 0F 5C BE 68 04 00 00 - subsd xmm7,[esi+00000468]
7FAD9F8C: 83 BB 5C 04 00 00 FB - cmp dword ptr [ebx+0000045C],-05
7FAD9F93: 75 0A - jne 7FAD9F9F
7FAD9F95: 81 BB 58 04 00 00 D8 AA B6 15 - cmp [ebx+00000458],15B6AAD8
7FAD9F9F: 0F 85 63 60 02 00 - jne 7FB00008
7FAD9FA5: 83 BB 54 04 00 00 F1 - cmp dword ptr [ebx+00000454],-0F
7FAD9FAC: 0F 83 56 60 02 00 - jae 7FB00008
// ---------- INJECTING HERE ----------
7FAD9FB2: F2 0F 5E BB 50 04 00 00 - divsd xmm7,[ebx+00000450]
// ---------- DONE INJECTING ----------
7FAD9FBA: 81 FD 38 DA 3C 06 - cmp ebp,063CDA38
7FAD9FC0: 0F 85 42 60 02 00 - jne 7FB00008
7FAD9FC6: 66 0F 2E EF - ucomisd xmm5,xmm7
7FAD9FCA: 0F 87 3C 60 02 00 - ja 7FB0000C
7FAD9FD0: 66 0F 2E FE - ucomisd xmm7,xmm6
7FAD9FD4: 0F 87 36 60 02 00 - ja 7FB00010
7FAD9FDA: 83 BE 24 03 00 00 FB - cmp dword ptr [esi+00000324],-05
7FAD9FE1: 75 0A - jne 7FAD9FED
7FAD9FE3: 81 BE 20 03 00 00 30 61 7A 05 - cmp [esi+00000320],057A6130
7FAD9FED: 0F 85 21 60 02 00 - jne 7FB00014
}
23
"No description"
0
Double
divider
450