<?xml version="1.0" encoding="utf-8"?>
<CheatTable CheatEngineTableVersion="52">
  <CheatEntries>
    <CheatEntry NoCheckbox="1">
      <ID>1337163499</ID>
      <Description>"--------------------------------------------- BY PRONKILL ----------------------------------------------"</Description>
      <GroupHeader>1</GroupHeader>
      <CheatEntries>
        <CheatEntry>
          <ID>2</ID>
          <Description>"Bombs"</Description>
          <ShowAsSigned>0</ShowAsSigned>
          <VariableType>Byte</VariableType>
          <!-- Fixed module-relative offset, not a pointer path or a scanned symbol;
               presumably valid only for the Sin.dll build it was found in (TODO confirm). -->
          <Address>Sin.dll+1324EB0</Address>
        </CheatEntry>
        <CheatEntry>
          <ID>4</ID>
          <Description>"Health"</Description>
          <VariableType>4 Bytes</VariableType>
          <!-- Fixed module-relative offset, read as a 4-byte value;
               presumably tied to one Sin.dll build (TODO confirm). -->
          <Address>Sin.dll+1324E94</Address>
        </CheatEntry>
        <CheatEntry>
          <ID>3</ID>
          <Description>"Infinite Bombs"</Description>
          <VariableType>Auto Assembler Script</VariableType>
          <AssemblerScript>[ENABLE]
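// Infinite Bombs: hooks the 5 bytes "88 47 28 84 C0" (mov [rdi+28],al / test al,al)
// and replaces the store of AL with a store of the constant 6.
// The scan result is used as-is; uniqueness of the pattern is assumed, not checked.
aobscanmodule(InfBombs,Sin.dll,88 47 28 84 C0) // should be unique
// The third argument asks for the code cave to be placed near InfBombs so the
// hook below can be encoded as a 5-byte jmp.
alloc(newmem,$1000,InfBombs)

label(return)

newmem:
  // The replaced instruction stores a single byte (AL). The width is stated
  // explicitly here: without "byte ptr" the assembler has to choose an operand
  // size, and a wider store would also overwrite the bytes after rdi+28.
  mov byte ptr [rdi+28],6
  // Second replaced instruction, re-emitted unchanged. AL still holds the value
  // the game computed, so the jg that follows the hook tests AL, not the 6.
  test al,al
  jmp return

InfBombs:
  // Overwrites exactly the 5 matched bytes, so no nop padding is needed.
  jmp newmem
return:
registersymbol(InfBombs)

[DISABLE]
// Put the original 5 bytes back, then release the symbol and the code cave.
InfBombs:
  db 88 47 28 84 C0

unregistersymbol(InfBombs)
dealloc(newmem)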

{
// ORIGINAL CODE - INJECTION POINT: Sin.dll+7BC82

Sin.dll+7BC5F: 48 85 C0                       - test rax,rax
Sin.dll+7BC62: 74 60                          - je Sin.dll+7BCC4
Sin.dll+7BC64: 89 9F 54 04 00 00              - mov [rdi+00000454],ebx
Sin.dll+7BC6A: FF 87 10 05 00 00              - inc [rdi+00000510]
Sin.dll+7BC70: 85 F6                          - test esi,esi
Sin.dll+7BC72: 75 15                          - jne Sin.dll+7BC89
Sin.dll+7BC74: 39 1D E6 03 20 01              - cmp [Sin.dll+127C060],ebx
Sin.dll+7BC7A: 0F B6 47 28                    - movzx eax,byte ptr [rdi+28]
Sin.dll+7BC7E: 75 05                          - jne Sin.dll+7BC85
Sin.dll+7BC80: FE C8                          - dec al
// ---------- INJECTING HERE ----------
Sin.dll+7BC82: 88 47 28                       - mov [rdi+28],al
// ---------- DONE INJECTING  ----------
Sin.dll+7BC85: 84 C0                          - test al,al
Sin.dll+7BC87: 7F 07                          - jg Sin.dll+7BC90
Sin.dll+7BC89: 88 5F 28                       - mov [rdi+28],bl
Sin.dll+7BC8C: 0F 1F 40 00                    - nop dword ptr [rax+00]
Sin.dll+7BC90: 48 8B 8F 38 03 00 00           - mov rcx,[rdi+00000338]
Sin.dll+7BC97: 8B D3                          - mov edx,ebx
Sin.dll+7BC99: E8 50 56 F8 FF                 - call Sin.dll+12EE
Sin.dll+7BC9E: FF C3                          - inc ebx
Sin.dll+7BCA0: C7 80 18 03 00 00 40 00 00 00  - mov [rax+00000318],00000040
Sin.dll+7BCAA: 83 FB 02                       - cmp ebx,02
}
</AssemblerScript>
        </CheatEntry>
        <CheatEntry>
          <ID>8</ID>
          <Description>"Invincibility"</Description>
          <VariableType>Auto Assembler Script</VariableType>
          <AssemblerScript>[ENABLE]
// Invincibility: overwrites the first byte of three Sin.dll functions with "ret"
// so each one returns to its caller immediately.
// NOTE(review): none of the three patterns is checked for uniqueness, and the
// first one is only 7 bytes long; a different Sin.dll build could match elsewhere.
aobscanmodule(NoProjDmg,Sin.dll,40 56 41 54 41 55 48)
aobscanmodule(NoHitboxDmg,Sin.dll,48 89 5C 24 08 48 89 74 24 10 48 89 7C 24 18 55 41 54)
// This pattern starts with a CC padding byte that precedes the function,
// which is why the patch below is applied at NoLaserDmg+01.
aobscanmodule(NoLaserDmg,Sin.dll,CC 48 89 6C 24 18 48 89 74 24 20 57 41 54)
registersymbol(NoProjDmg)
registersymbol(NoHitboxDmg)
registersymbol(NoLaserDmg)

// NOTE(review): the whole function body is skipped, not only a damage write;
// whatever else these functions do is skipped too - cannot tell from this file.

//No projectile damage
NoProjDmg:
  ret

//No hitbox damage
NoHitboxDmg:
  ret

//No laser damage
NoLaserDmg+01:
  ret

[DISABLE]
// Only the single byte that "ret" replaced is restored at each site
// (40 / 48 / 48 are the first bytes of the original prologues listed below).
NoProjDmg:
  db 40

NoHitboxDmg:
  db 48

NoLaserDmg+01:
  db 48

// NOTE(review): wildcard unregister; confirm it is limited to the symbols this
// script registered and does not drop symbols owned by other entries in the table.
unregistersymbol(*)

{
// ORIGINAL CODE - INJECTION POINT: NoProjDmg - Sin.dll+31440

Sin.dll+31436: CC                       - int 3 
Sin.dll+31437: CC                       - int 3 
Sin.dll+31438: CC                       - int 3 
Sin.dll+31439: CC                       - int 3 
Sin.dll+3143A: CC                       - int 3 
Sin.dll+3143B: CC                       - int 3 
Sin.dll+3143C: CC                       - int 3 
Sin.dll+3143D: CC                       - int 3 
Sin.dll+3143E: CC                       - int 3 
Sin.dll+3143F: CC                       - int 3 
// ---------- INJECTING HERE ----------
Sin.dll+31440: 40 56                    - push rsi
// ---------- DONE INJECTING  ----------
Sin.dll+31442: 41 54                    - push r12
Sin.dll+31444: 41 55                    - push r13
Sin.dll+31446: 48 81 EC 50 01 00 00     - sub rsp,00000150
Sin.dll+3144D: 48 8B 05 14 DC 76 00     - mov rax,[Sin.dll+79F068]
Sin.dll+31454: 48 33 C4                 - xor rax,rsp
Sin.dll+31457: 48 89 84 24 20 01 00 00  - mov [rsp+00000120],rax
Sin.dll+3145F: 4C 8B E2                 - mov r12,rdx
Sin.dll+31462: 89 4C 24 20              - mov [rsp+20],ecx
Sin.dll+31466: 8B D1                    - mov edx,ecx
Sin.dll+31468: 8B F1                    - mov esi,ecx

-----------------------------------------------------------------------------

// ORIGINAL CODE - INJECTION POINT: NoHitboxDmg - Sin.dll+34880

Sin.dll+34876: CC                    - int 3
Sin.dll+34877: CC                    - int 3
Sin.dll+34878: CC                    - int 3
Sin.dll+34879: CC                    - int 3
Sin.dll+3487A: CC                    - int 3
Sin.dll+3487B: CC                    - int 3
Sin.dll+3487C: CC                    - int 3
Sin.dll+3487D: CC                    - int 3
Sin.dll+3487E: CC                    - int 3
Sin.dll+3487F: CC                    - int 3
// ---------- INJECTING HERE ----------
Sin.dll+34880: 48 89 5C 24 08        - mov [rsp+08],rbx
// ---------- DONE INJECTING  ----------
Sin.dll+34885: 48 89 74 24 10        - mov [rsp+10],rsi
Sin.dll+3488A: 48 89 7C 24 18        - mov [rsp+18],rdi
Sin.dll+3488F: 55                    - push rbp
Sin.dll+34890: 41 54                 - push r12
Sin.dll+34892: 41 55                 - push r13
Sin.dll+34894: 41 56                 - push r14
Sin.dll+34896: 41 57                 - push r15
Sin.dll+34898: 48 8D 6C 24 B0        - lea rbp,[rsp-50]
Sin.dll+3489D: 48 81 EC 50 01 00 00  - sub rsp,00000150
Sin.dll+348A4: 48 8B 05 BD A7 76 00  - mov rax,[Sin.dll+79F068]

-----------------------------------------------------------------------------

// ORIGINAL CODE - INJECTION POINT: NoLaserDmg - Sin.dll+5F700

Sin.dll+5F6F6: CC                    - int 3
Sin.dll+5F6F7: CC                    - int 3
Sin.dll+5F6F8: CC                    - int 3
Sin.dll+5F6F9: CC                    - int 3
Sin.dll+5F6FA: CC                    - int 3
Sin.dll+5F6FB: CC                    - int 3
Sin.dll+5F6FC: CC                    - int 3
Sin.dll+5F6FD: CC                    - int 3
Sin.dll+5F6FE: CC                    - int 3
Sin.dll+5F6FF: CC                    - int 3
// ---------- INJECTING HERE ----------
Sin.dll+5F700: 48 89 6C 24 18        - mov [rsp+18],rbp
// ---------- DONE INJECTING  ----------
Sin.dll+5F705: 48 89 74 24 20        - mov [rsp+20],rsi
Sin.dll+5F70A: 57                    - push rdi
Sin.dll+5F70B: 41 54                 - push r12
Sin.dll+5F70D: 41 57                 - push r15
Sin.dll+5F70F: 48 83 EC 20           - sub rsp,20
Sin.dll+5F713: 48 8B F1              - mov rsi,rcx
Sin.dll+5F716: 49 8B F8              - mov rdi,r8
Sin.dll+5F719: 49 8B 88 88 00 00 00  - mov rcx,[r8+00000088]
Sin.dll+5F720: 4C 8B FA              - mov r15,rdx
Sin.dll+5F723: E8 AA 50 FA FF        - call Sin.dll+47D2
}
</AssemblerScript>
        </CheatEntry>
        <CheatEntry>
          <ID>9</ID>
          <Description>"Individual invincibilities"</Description>
          <Options moHideChildren="1"/>
          <GroupHeader>1</GroupHeader>
          <CheatEntries>
            <CheatEntry>
              <ID>5</ID>
              <Description>"Projectile invincibility"</Description>
              <VariableType>Auto Assembler Script</VariableType>
              <AssemblerScript>[ENABLE]
// Projectile invincibility: same byte pattern and same one-byte "ret" patch as
// NoProjDmg in the combined "Invincibility" entry of this table.
// NOTE(review): if that entry is already active the first byte at the target is
// no longer 40, so this scan would presumably fail or land on another match - verify.
aobscanmodule(Proj,Sin.dll,40 56 41 54 41 55 48) // should be unique
registersymbol(Proj)

// Replaces the first prologue byte (40, start of "push rsi") with ret.
Proj:
  ret

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
// Restores only the one byte that was overwritten.
Proj:
  db 40

unregistersymbol(Proj)

{
// ORIGINAL CODE - INJECTION POINT: Sin.dll+31440

Sin.dll+31436: CC                       - int 3 
Sin.dll+31437: CC                       - int 3 
Sin.dll+31438: CC                       - int 3 
Sin.dll+31439: CC                       - int 3 
Sin.dll+3143A: CC                       - int 3 
Sin.dll+3143B: CC                       - int 3 
Sin.dll+3143C: CC                       - int 3 
Sin.dll+3143D: CC                       - int 3 
Sin.dll+3143E: CC                       - int 3 
Sin.dll+3143F: CC                       - int 3 
// ---------- INJECTING HERE ----------
Sin.dll+31440: 40 56                    - push rsi
// ---------- DONE INJECTING  ----------
Sin.dll+31442: 41 54                    - push r12
Sin.dll+31444: 41 55                    - push r13
Sin.dll+31446: 48 81 EC 50 01 00 00     - sub rsp,00000150
Sin.dll+3144D: 48 8B 05 14 DC 76 00     - mov rax,[Sin.dll+79F068]
Sin.dll+31454: 48 33 C4                 - xor rax,rsp
Sin.dll+31457: 48 89 84 24 20 01 00 00  - mov [rsp+00000120],rax
Sin.dll+3145F: 4C 8B E2                 - mov r12,rdx
Sin.dll+31462: 89 4C 24 20              - mov [rsp+20],ecx
Sin.dll+31466: 8B D1                    - mov edx,ecx
Sin.dll+31468: 8B F1                    - mov esi,ecx
}
</AssemblerScript>
            </CheatEntry>
            <CheatEntry>
              <ID>6</ID>
              <Description>"Hitbox invincibility"</Description>
              <VariableType>Auto Assembler Script</VariableType>
              <AssemblerScript>[ENABLE]
// Hitbox invincibility: same pattern and one-byte "ret" patch as NoHitboxDmg in
// the combined "Invincibility" entry; the two entries target the same address.
aobscanmodule(Hitbox,Sin.dll,48 89 5C 24 08 48 89 74 24 10 48 89 7C 24 18 55 41 54) // should be unique
registersymbol(Hitbox)

// Replaces the first prologue byte (48, start of "mov [rsp+08],rbx") with ret.
Hitbox:
  ret

[DISABLE]
// Restores only the one byte that was overwritten.
Hitbox:
  db 48

unregistersymbol(Hitbox)

{
// ORIGINAL CODE - INJECTION POINT: Sin.dll+34880

Sin.dll+34876: CC                    - int 3 
Sin.dll+34877: CC                    - int 3 
Sin.dll+34878: CC                    - int 3 
Sin.dll+34879: CC                    - int 3 
Sin.dll+3487A: CC                    - int 3 
Sin.dll+3487B: CC                    - int 3 
Sin.dll+3487C: CC                    - int 3 
Sin.dll+3487D: CC                    - int 3 
Sin.dll+3487E: CC                    - int 3 
Sin.dll+3487F: CC                    - int 3 
// ---------- INJECTING HERE ----------
Sin.dll+34880: 48 89 5C 24 08        - mov [rsp+08],rbx
// ---------- DONE INJECTING  ----------
Sin.dll+34885: 48 89 74 24 10        - mov [rsp+10],rsi
Sin.dll+3488A: 48 89 7C 24 18        - mov [rsp+18],rdi
Sin.dll+3488F: 55                    - push rbp
Sin.dll+34890: 41 54                 - push r12
Sin.dll+34892: 41 55                 - push r13
Sin.dll+34894: 41 56                 - push r14
Sin.dll+34896: 41 57                 - push r15
Sin.dll+34898: 48 8D 6C 24 B0        - lea rbp,[rsp-50]
Sin.dll+3489D: 48 81 EC 50 01 00 00  - sub rsp,00000150
Sin.dll+348A4: 48 8B 05 BD A7 76 00  - mov rax,[Sin.dll+79F068]
}
</AssemblerScript>
            </CheatEntry>
            <CheatEntry>
              <ID>7</ID>
              <Description>"Laser invincibility"</Description>
              <VariableType>Auto Assembler Script</VariableType>
              <AssemblerScript>[ENABLE]
// Laser invincibility: same pattern and patch as NoLaserDmg in the combined
// "Invincibility" entry. The pattern begins with a CC padding byte, so the
// function itself starts at Laser+01.
aobscanmodule(Laser,Sin.dll,CC 48 89 6C 24 18 48 89 74 24 20 57 41 54)
registersymbol(Laser)

// Replaces the first prologue byte (48, start of "mov [rsp+18],rbp") with ret.
Laser+01:
  ret

[DISABLE]
// Restores only the one byte that was overwritten.
Laser+01:
  db 48

unregistersymbol(Laser)

{
// ORIGINAL CODE - INJECTION POINT: Sin.dll+5F700

Sin.dll+5F6F6: CC                    - int 3
Sin.dll+5F6F7: CC                    - int 3
Sin.dll+5F6F8: CC                    - int 3
Sin.dll+5F6F9: CC                    - int 3
Sin.dll+5F6FA: CC                    - int 3
Sin.dll+5F6FB: CC                    - int 3
Sin.dll+5F6FC: CC                    - int 3
Sin.dll+5F6FD: CC                    - int 3
Sin.dll+5F6FE: CC                    - int 3
Sin.dll+5F6FF: CC                    - int 3
// ---------- INJECTING HERE ----------
Sin.dll+5F700: 48 89 6C 24 18        - mov [rsp+18],rbp
// ---------- DONE INJECTING  ----------
Sin.dll+5F705: 48 89 74 24 20        - mov [rsp+20],rsi
Sin.dll+5F70A: 57                    - push rdi
Sin.dll+5F70B: 41 54                 - push r12
Sin.dll+5F70D: 41 57                 - push r15
Sin.dll+5F70F: 48 83 EC 20           - sub rsp,20
Sin.dll+5F713: 48 8B F1              - mov rsi,rcx
Sin.dll+5F716: 49 8B F8              - mov rdi,r8
Sin.dll+5F719: 49 8B 88 88 00 00 00  - mov rcx,[r8+00000088]
Sin.dll+5F720: 4C 8B FA              - mov r15,rdx
Sin.dll+5F723: E8 AA 50 FA FF        - call Sin.dll+47D2
}
</AssemblerScript>
            </CheatEntry>
          </CheatEntries>
        </CheatEntry>
      </CheatEntries>
    </CheatEntry>
    <CheatEntry NoCheckbox="1">
      <ID>1337163500</ID>
      <Description>"--------------------------------------------- BY PRONKILL ----------------------------------------------"</Description>
      <GroupHeader>1</GroupHeader>
    </CheatEntry>
    <CheatEntry NoCheckbox="1">
      <ID>1337163497</ID>
      <Description>"--------------------------------------------- BY SERYOGASK ----------------------------------------------"</Description>
      <GroupHeader>1</GroupHeader>
      <CheatEntries>
        <CheatEntry>
          <ID>1337163493</ID>
          <Description>"Projectile invincibility"</Description>
          <VariableType>Auto Assembler Script</VariableType>
          <AssemblerScript>{
  ply_projectile
  "Sin.dll"+313F0: 7FF92A2D13F0
  4 Bytes
}

[ENABLE]
{$lua}
-- Template of extra assembly lines for the code cave. Each non-empty line is
-- passed through processAssemblyLine() further down. It is empty in this entry.
local newmemContent = [[


]]


-- `syntaxcheck` is presumably set by Cheat Engine when the script is only being
-- validated; returning here avoids scanning or patching in that case - TODO confirm.
if syntaxcheck then return end

-- Resolves `sym` to the address of the first pattern that has exactly one match.
--   sym : symbol name to (re)register
--   ... : byte patterns, tried in the order given
-- Every pattern is first scanned with the "+X" protection-flag string; only if
-- none of them is unique is the whole list scanned again without flags.
-- Raises an error when no pattern yields exactly one hit, so an ambiguous or
-- missing match never results in a registered symbol.
function aob_register(sym, ...)
  local candidates = {...}

  -- Runs `scan` over the candidates and reports the first unique hit.
  -- Every result list is destroyed before moving on.
  local function firstUniqueHit(scan)
    for _, pattern in ipairs(candidates) do
      local hits = scan(pattern)
      if hits then
        local unique = hits.Count == 1
        local address = nil
        if unique then
          address = hits[0]
        end
        hits.destroy()
        if unique then
          return true, address
        end
      end
    end
    return false, nil
  end

  local found, addy = firstUniqueHit(function(pattern)
    return AOBScan(pattern, "+X")
  end)

  if not found then
    found, addy = firstUniqueHit(function(pattern)
      return AOBScan(pattern)
    end)
  end

  if not found then
    error('None of the patterns found a unique match!')
  end

  -- Result entries are hex strings, hence the base-16 conversion.
  unregisterSymbol(sym)
  registerSymbol(sym, tonumber(addy,16))
end

-- Best-effort length, in bytes, of the instruction at `address`.
--   address : number, or a hex string that is converted with base 16
-- Primary path: take the byte column out of the disassemble() text and count
-- the hex digits. The opcode checks further down are fallbacks with fixed guesses.
-- Raises an error if the first byte at the address cannot be read.
function getInstructionLength(address)
  local addr
  if type(address) == "string" then
    addr = tonumber(address, 16)
  else
    addr = address
  end

  local result = disassemble(addr)
  if result then
    -- presumably the text is laid out as "address - bytes - instruction"; verify
    local bytes_section = result:match("- ([%x%s]+) -")
    if bytes_section then
      local cleaned = bytes_section:gsub("%s", "")
      -- two hex digits per byte; an odd digit count gives a fraction that is
      -- floored below (and can therefore floor to 0)
      local byte_count = #cleaned / 2
      if byte_count &gt; 0 and byte_count &lt;= 15 then
        return math.floor(byte_count)
      end
    end
  end

  local firstByte = readBytes(addr, 1)
  if not firstByte then
    error("Cannot read memory at address: " .. string.format("%X", addr))
  end

  local opcode = firstByte
  -- Prefix byte followed by the 0F escape: fixed guess of 5 bytes.
  -- NOTE(review): 5 is a heuristic, not a decoded length.
  if opcode == 0x66 or opcode == 0x67 or opcode == 0xF2 or opcode == 0xF3 then
    local secondByte = readBytes(addr + 1, 1)
    if secondByte == 0x0F then
      return 5
    end
  end

  -- Fixed lengths returned for opcodes E9, EB and E8.
  if opcode == 0xE9 then return 5 end
  if opcode == 0xEB then return 2 end
  if opcode == 0xE8 then return 5 end

  -- NOTE(review): in a Lua pattern "??" is an optional literal '?', which matches
  -- the empty string in any input; match() then returns "" (truthy), so the
  -- condition below is never true and this loop never returns. Even with a
  -- literal match, the first following offset that decodes is not necessarily
  -- the instruction length. If the installed Cheat Engine version provides
  -- getInstructionSize(), using it would replace all of these guesses - confirm.
  for len = 1, 15 do
    local testAddr = addr + len
    local disasm2 = disassemble(testAddr)
    if disasm2 and not disasm2:match("??") then
      return len
    end
  end

  -- Last-resort guess: the size of the 5-byte jmp used for the hook.
  return 5
end

-- Script-level state filled in by analyzeOriginalCode() and read by
-- getAppropriateRegister(). Declared `local`, so it is shared by the functions
-- in this script chunk rather than being true Lua globals.
local originalInstruction = ""   -- instruction text taken from the disassembly
local sourceRegister = ""        -- source operand, when one was recognised
local destinationRegister = ""   -- destination operand, when one was recognised
local memoryBase = ""            -- part of the memory operand before the first +/-
local memoryOffset = ""          -- remainder of the memory operand after the base
local memoryFullExpr = ""        -- memory operand text between [ and ], verbatim
local detectedXMMRegs = {}       -- xmm/ymm/zmm register names found in the text
local detectedGPRegs = {}        -- general-purpose register names found in the text
local detectedMemoryRefs = {}    -- every [...] expression found in the text

-- Disassembles the single instruction at `address` and records its operands in
-- the script-level variables (originalInstruction, sourceRegister,
-- destinationRegister, memoryBase, memoryOffset, memoryFullExpr and the three
-- detected* lists). Returns nothing; if disassemble() gives no text, the state
-- is left reset to empty values.
--   address : passed straight to disassemble()
--   length  : not referenced anywhere in the body
function analyzeOriginalCode(address, length)
  -- Reset detection arrays
  -- (originalInstruction is not reset here; it is only overwritten when the
  -- instruction text is extracted below)
  detectedXMMRegs = {}
  detectedGPRegs = {}
  detectedMemoryRefs = {}
  sourceRegister = ""
  destinationRegister = ""
  memoryBase = ""
  memoryOffset = ""
  memoryFullExpr = ""

  local disasm = disassemble(address)
  if not disasm then
    return
  end

  -- Extract the instruction part after the bytes
  -- (first try: text after a dash that contains no further dash; second try:
  -- everything after the first dash followed by whitespace)
  local instructionPart = disasm:match("-%s+([^-]+)$")
  if not instructionPart then
    instructionPart = disasm:match("-%s+(.+)")
  end

  if instructionPart then
    -- trim leading and trailing whitespace
    instructionPart = instructionPart:gsub("^%s+", ""):gsub("%s+$", "")
    originalInstruction = instructionPart

    -- Detect all memory references (supports SIB, scale, absolute, multiple terms)
    for memRef in originalInstruction:gmatch("%[([^%]]+)%]") do
      table.insert(detectedMemoryRefs, memRef)
      -- Store full expression so we can re-emit it verbatim later
      -- (memoryBase is still empty only for the first reference, so only the
      -- first [...] expression is kept here)
      if memoryBase == "" then memoryFullExpr = memRef end
      -- Also try legacy base+offset split for templates that use %s+%s
      local base, rest = memRef:match("^([^%+%-%*]+)([%+%-].+)$")
      if base and rest then
        base = base:gsub("^%s+",""):gsub("%s+$","")
        -- a leading '+' is dropped from the offset; a leading '-' is kept
        rest = rest:gsub("^[%+]","")
        if memoryBase == "" then memoryBase = base end
        if memoryOffset == "" then memoryOffset = rest end
      else
        if memoryBase == "" then memoryBase = memRef end
      end
    end

    -- Detect all GP registers (use boundary-friendly approach)
    -- Strip memory expressions first to avoid matching size keywords like 'qword'
    -- (as a consequence, registers that appear only inside [...] are not listed)
    local cleaned = originalInstruction
    cleaned = cleaned:gsub("%[[^%]]+%]", " ")
    cleaned = cleaned:gsub("[qdfx]?word%s+ptr", " ")
    cleaned = cleaned:gsub("[qdfx]?word", " ")
    cleaned = cleaned:gsub("%s+ptr", " ")
    local gpKnown = { "rax","rbx","rcx","rdx","rsi","rdi","rsp","rbp",
                      "r8","r9","r10","r11","r12","r13","r14","r15",
                      "eax","ebx","ecx","edx","esi","edi","esp","ebp",
                      "r8d","r9d","r10d","r11d","r12d","r13d","r14d","r15d",
                      "ax","bx","cx","dx","si","di","sp","bp",
                      "r8w","r9w","r10w","r11w","r12w","r13w","r14w","r15w",
                      "al","bl","cl","dl","ah","bh","ch","dh","sil","dil","bpl","spl",
                      "r8b","r9b","r10b","r11b","r12b","r13b","r14b","r15b" }
    -- padded with spaces so a register at either end still has a non-word neighbour
    local lcCleaned = " " .. cleaned:lower() .. " "
    for _, reg in ipairs(gpKnown) do
      if lcCleaned:find("[^%w]" .. reg .. "[^%w]") then
        -- NOTE(review): this duplicate check is a substring search on the joined
        -- list, so e.g. "ax" is treated as already present once "rax" is listed.
        if not table.concat(detectedGPRegs, ","):find(reg) then
          table.insert(detectedGPRegs, reg)
        end
      end
    end

    -- Detect all XMM registers
    -- (the pattern also accepts ymm and zmm names)
    local xmmRegisterPattern = "[xyz]mm[0-9]+"
    for reg in originalInstruction:gmatch(xmmRegisterPattern) do
      if not table.concat(detectedXMMRegs, ","):find(reg) then
        table.insert(detectedXMMRegs, reg)
      end
    end

    -- Analyze instruction patterns to determine source and destination
    -- The three patterns are tried one after another without else; a later
    -- pattern that matches overwrites what an earlier one stored.

    -- Pattern 1: instruction dest,src - Register to Register
    local dest, src = originalInstruction:match("^%w+%s+([^%s,]+),([^%s,]+)$")
    if dest and src and not dest:match("%[") and not src:match("%[") then
      destinationRegister = dest
      sourceRegister = src
    end

    -- Pattern 2: instruction dest,[mem] - Memory to Register
    local dest2, mem = originalInstruction:match("^%w+%s+([^%s,]+),[^%[]*%[([^%]]+)%]")
    if dest2 and mem then
      destinationRegister = dest2
      if memoryFullExpr == "" then memoryFullExpr = mem end
      local base, rest = mem:match("^([^%+%-%*]+)([%+%-].+)$")
      if base and rest then
        base = base:gsub("^%s+",""):gsub("%s+$","")
        rest = rest:gsub("^[%+]","")
        -- unconditional here, unlike the guarded assignments in the loop above
        memoryBase = base
        memoryOffset = rest
      else
        memoryBase = mem
      end
    end

    -- Pattern 3: instruction [mem],src - Register to Memory
    local mem2, src2 = originalInstruction:match("^%w+%s+[^%[]*%[([^%]]+)%],([^%s,]+)")
    if mem2 and src2 then
      sourceRegister = src2
      if memoryFullExpr == "" then memoryFullExpr = mem2 end
      local base, rest = mem2:match("^([^%+%-%*]+)([%+%-].+)$")
      if base and rest then
        base = base:gsub("^%s+",""):gsub("%s+$","")
        rest = rest:gsub("^[%+]","")
        memoryBase = base
        memoryOffset = rest
      else
        memoryBase = mem2
      end
    end
  end
end

-- Chooses the operand text to substitute for a template placeholder.
--   instruction : mnemonic of the template line; used only by the fallback
--   context     : "memory", "offset", "destination", "load", "see",
--                 "single_memory" or "full_memory"
--   position    : placeholder index; checked only for "memory" (1) and "offset" (2)
-- Reads the state recorded by analyzeOriginalCode(). If the context yields
-- nothing, falls back to the first detected register and finally to "rax".
function getAppropriateRegister(instruction, context, position)
  -- Candidates for the context, in priority order. The first one that is not
  -- the empty string is returned.
  local count, first, second, third = 0, nil, nil, nil

  if context == "memory" then
    -- Patterns A and B: first placeholder of [%s+%s] is the memory base
    if position == 1 then
      count, first = 1, memoryBase
    end
  elseif context == "offset" then
    -- Patterns A and B: second placeholder of [%s+%s] is the offset
    if position == 2 then
      count, first = 1, memoryOffset
    end
  elseif context == "destination" or context == "load" then
    -- Pattern C (value into register) and Pattern E (memory into register)
    count, first, second = 2, destinationRegister, sourceRegister
  elseif context == "see" then
    -- Pattern F: register stored to memory
    count, first, second, third = 3, memoryBase, sourceRegister, destinationRegister
  elseif context == "single_memory" then
    -- Single memory reference such as mov [%s],(int)1
    count, first = 1, memoryBase
  elseif context == "full_memory" then
    -- %m placeholder: verbatim expression first, then base+offset, then base
    if memoryFullExpr ~= "" then
      return memoryFullExpr
    elseif memoryBase ~= "" then
      if memoryOffset ~= "" then
        return memoryBase .. "+" .. memoryOffset
      end
      return memoryBase
    end
  end

  local candidates = { first, second, third }
  for i = 1, count do
    local value = candidates[i]
    if value ~= "" then
      return value
    end
  end

  -- Fallback by instruction type: scalar SSE mnemonics prefer a vector register
  local scalarSse = { "movss", "movsd", "addss", "subss", "mulss", "divss" }
  local isScalarSse = false
  for _, mnemonic in ipairs(scalarSse) do
    if instruction:match(mnemonic) then
      isScalarSse = true
      break
    end
  end

  if isScalarSse and #detectedXMMRegs &gt; 0 then
    return detectedXMMRegs[1]
  end

  if #detectedGPRegs &gt; 0 then
    return detectedGPRegs[1]
  end

  if #detectedXMMRegs &gt; 0 then
    return detectedXMMRegs[1]
  end

  return "rax"
end

-- Expands the placeholders in one template line of assembly.
--   %m : replaced by the full memory expression of the analysed instruction
--   %s : replaced by a register or offset chosen by getAppropriateRegister(),
--        depending on which of the shapes A..H the line matches
-- The shapes are tested in the order written and the first match returns, so
-- the order is part of the behaviour. A line without %s is returned after
-- trimming and %m expansion only.
-- NOTE(review): the branches that end in `return line:gsub(...)` hand back
-- gsub's second result (the replacement count) as well; the caller in this
-- script keeps only the first value.
function processAssemblyLine(line)

  -- Trim whitespace
  line = line:gsub("^%s*(.-)%s*$", "%1")

  -- Replace full-memory placeholder %m with the captured expression
  if line:find("%%m") then
    local fullMem = getAppropriateRegister("", "full_memory", 1)
    line = line:gsub("%%m", fullMem)
  end

  if not line:find("%%s") then
    return line
  end

  -- Extract instruction name
  local instruction = line:match("^(%w+)")
  if not instruction then
    instruction = "mov"
  end

  -- Pattern A: mov [%s+%s],(type)value
  if line:match("^%w+%s+%[%%s%+%%s%],%(" ) then
    local prefix, middle, suffix = line:match("^(%w+%s+%[)%%s(%+)%%s(%],.*)$")
    if prefix and middle and suffix then
      local reg1 = getAppropriateRegister(instruction, "memory", 1)
      local reg2 = getAppropriateRegister(instruction, "offset", 2)
      local result = prefix .. reg1 .. middle .. reg2 .. suffix
      return result
    end
  end

  -- Pattern B: movss [%s+%s],(type)value
  -- NOTE(review): Pattern A's %w+ already matches "movss"/"movsd", and its inner
  -- capture accepts the same lines, so this branch looks unreachable - confirm.
  if line:match("^movs[sd]%s+%[%%s%+%%s%],%(" ) then
    local inst, prefix, middle, suffix = line:match("^(movs[sd])(%s+%[)%%s(%+)%%s(%],.*)$")
    if inst and prefix and middle and suffix then
      local reg1 = getAppropriateRegister(inst, "memory", 1)
      local reg2 = getAppropriateRegister(inst, "offset", 2)
      local result = inst .. prefix .. reg1 .. middle .. reg2 .. suffix
      return result
    end
  end

  -- Pattern C: mov %s,(type)value
  if line:match("^%w+%s+%%s,%(" ) then
    local prefix, suffix = line:match("^(%w+%s+)%%s(.*)$")
    if prefix and suffix then
      local reg = getAppropriateRegister(instruction, "destination", 1)
      local result = prefix .. reg .. suffix
      return result
    end
  end

  -- Pattern D: mov [%s+%s],register (without parentheses)
  if line:match("^%w+%s+%[%%s%+%%s%]," ) and not line:match("%(" ) then
    local prefix, middle, suffix = line:match("^(%w+%s+%[)%%s(%+)%%s(%],.*)$")
    if prefix and middle and suffix then
      local reg1 = getAppropriateRegister(instruction, "memory", 1)
      local reg2 = getAppropriateRegister(instruction, "offset", 2)
      local result = prefix .. reg1 .. middle .. reg2 .. suffix
      return result
    end
  end

  -- Pattern E: mov %s,[setValue]
  if line:match("^%w+%s+%%s,%[" ) then
    local reg = getAppropriateRegister(instruction, "load", 1)
    local result = line:gsub("%%s", reg)
    return result
  end

  -- Pattern F: mov [seeValue],%s
  if line:match("^%w+%s+%[[^%]]*%],%%s" ) then
    local reg = getAppropriateRegister(instruction, "see", 1)
    local result = line:gsub("%%s", reg)
    return result
  end

  -- Pattern G: mov [%s],(type)value - single memory reference
  if line:match("^%w+%s+%[%%s%],%(" ) then
    local reg = getAppropriateRegister(instruction, "single_memory", 1)
    local result = line:gsub("%%s", reg)
    return result
  end

  -- Pattern H: mov [%s],register - single memory reference without parentheses
  if line:match("^%w+%s+%[%%s%]," ) and not line:match("%(" ) then
    local reg = getAppropriateRegister(instruction, "single_memory", 1)
    local result = line:gsub("%%s", reg)
    return result
  end

  -- Generic %s replacement
  -- (every remaining %s in the line receives the same substitute)
  local reg = getAppropriateRegister(instruction, "destination", 1)
  return line:gsub("%%s", reg)
end

-- Register the symbol with wildcard and exact patterns
-- (the exact byte string is tried first, the wildcard pattern second;
-- aob_register raises an error unless one of them has exactly one match)
aob_register("ply_projectile", "40 56 41 54 41 55 48 81 EC 50", "40 ?? 41 ?? 41 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? 89")

-- Get address and walk instructions until we cover the JMP size (5 bytes)
-- (instrLength is the length of the first instruction only; the walk over
-- further instructions happens in the loop that builds replicatedInstrs)
local expAddr = getAddress("ply_projectile")
local instrLength = getInstructionLength(expAddr)

-- Detect RIP-relative addressing by scanning instruction bytes for ModR/M = 00 xxx 101 (x64)
--   addr, len : address and byte length of one instruction
-- Returns false for a non-64-bit target, when fewer than 2 bytes are read, or
-- when the bytes run out before a ModR/M position is reached.
-- NOTE(review): the byte after the opcode is always treated as ModR/M. Opcodes
-- that carry no ModR/M byte (an immediate follows instead) can therefore be
-- reported as RIP-relative, and VEX/EVEX prefixes are not decoded. In this
-- script a false positive only selects reassemble() instead of readmem().
function isRipRelative(addr, len)
  if not targetIs64Bit() then return false end
  -- third argument true: the bytes are returned as a table
  local bytes = readBytes(addr, len, true)
  if not bytes or #bytes &lt; 2 then return false end
  local i = 1
  -- Skip legacy prefixes
  while i &lt;= #bytes do
    local b = bytes[i]
    if b == 0xF0 or b == 0xF2 or b == 0xF3 or
       b == 0x2E or b == 0x36 or b == 0x3E or b == 0x26 or b == 0x64 or b == 0x65 or
       b == 0x66 or b == 0x67 then
      i = i + 1
    else break end
  end
  -- Skip REX (0x40-0x4F)
  -- (at most one REX byte is skipped)
  if i &lt;= #bytes and bytes[i] &gt;= 0x40 and bytes[i] &lt;= 0x4F then i = i + 1 end
  if i &gt; #bytes then return false end
  local op = bytes[i]; i = i + 1
  -- Handle 2-byte opcode 0F xx (and 3-byte 0F 38 / 0F 3A)
  if op == 0x0F then
    if i &gt; #bytes then return false end
    local op2 = bytes[i]; i = i + 1
    if op2 == 0x38 or op2 == 0x3A then
      if i &gt; #bytes then return false end
      i = i + 1
    end
  end
  -- Now i points to ModR/M (if present). Check mod=00 (top 2 bits) and rm=101 (low 3 bits)
  if i &gt; #bytes then return false end
  local modrm = bytes[i]
  local mod = math.floor(modrm / 64)         -- bits 7-6
  local rm  = modrm % 8                       -- bits 2-0
  return (mod == 0 and rm == 5)
end

-- Build list of instructions to replicate (until total &gt;= 5 bytes)
-- Whole instructions are collected from expAddr until they cover the 5 bytes
-- that the hook jmp overwrites, so no instruction is cut in half.
local replicatedInstrs = {}
local totalReplacedLength = 0
do
  local cur = expAddr
  while totalReplacedLength &lt; 5 do
    local len = getInstructionLength(cur)
    -- NOTE(review): leaving the loop here keeps totalReplacedLength below 5,
    -- while the template at the end still writes a 5-byte jmp; the saved copy and
    -- the restore length would then be shorter than the patch - confirm handling.
    if not len or len == 0 then break end
    local dis = disassemble(cur)
    local mnemonic = ""
    local target = ""
    if dis then
      -- Extract instruction text after the last ' - '
      local instrText = dis:match("-%s+([^-]+)$") or dis:match("-%s+(.+)$") or ""
      instrText = instrText:gsub("^%s+",""):gsub("%s+$","")
      mnemonic = instrText:match("^(%w+)") or ""
      -- Detect relative branches that must be rewritten as absolute
      -- (any mnemonic starting with 'j' is treated as a branch)
      local lcm = mnemonic:lower()
      if lcm == "call" or lcm == "jmp" or lcm:sub(1,1) == "j" then
        target = instrText:match("^%w+%s+(.+)$") or ""
        target = target:gsub("^%s+",""):gsub("%s+$","")
      end
    end
    -- Flag RIP-relative non-branch instructions for reassemble
    local ripRel = isRipRelative(cur, len)
    table.insert(replicatedInstrs, {addr=cur, len=len, mnemonic=mnemonic, target=target, ripRel=ripRel})
    totalReplacedLength = totalReplacedLength + len
    cur = cur + len
  end
end

-- Build the code: block:
-- - relative branches (call/jmp/jcc) -&gt; emit as absolute target
-- - RIP-relative instructions (mov reg,[rip+x], lea, cmp [rip+x],..) -&gt; reassemble() to fix displacement
-- - everything else -&gt; readmem() (raw byte copy, fastest and safest for simple instructions)
local codeBlockLines = {}
for _, it in ipairs(replicatedInstrs) do
  local lcm = (it.mnemonic or ""):lower()
  if (lcm == "call" or lcm == "jmp" or lcm:sub(1,1) == "j") and it.target ~= "" then
    -- the operand text from the disassembly is re-emitted as written
    table.insert(codeBlockLines, "  " .. lcm .. " " .. it.target)
  elseif it.ripRel then
    table.insert(codeBlockLines, "  reassemble(" .. string.format("%X", it.addr) .. ")")
  else
    table.insert(codeBlockLines, "  readmem(" .. string.format("%X", it.addr) .. "," .. it.len .. ")")
  end
end
local codeBlock = table.concat(codeBlockLines, "\n")

-- Compute NOPs needed after the 5-byte JMP to pad up to totalReplacedLength
-- (a negative nopCount, possible after an early break above, emits no padding)
local nopCount = totalReplacedLength - 5
local nopLine = ""
if nopCount == 1 then
  nopLine = "  nop"
elseif nopCount &gt; 1 then
  local s = ""
  for i = 1, nopCount do s = s .. "90 " end
  nopLine = "  db " .. s:gsub("%s+$","")
end

-- Analyze the original code to detect registers and offsets
analyzeOriginalCode(expAddr, instrLength)


-- Process each line in newmem content
local lines = {}
for line in newmemContent:gmatch("([^\r\n]*)") do
  if line and line ~= "" then
    local processedLine = processAssemblyLine(line)
    if processedLine and processedLine ~= "" then
      table.insert(lines, "  " .. processedLine)
    end
  end
end

-- NOTE(review): processedNewmem is built but never concatenated into the
-- template returned below, so lines placed in newmemContent have no effect.
local processedNewmem = table.concat(lines, "\n")

-- Generate assembly code with detected length
-- The returned text is assembled as the ENABLE section. As written, the cave at
-- newmem_ply_projectile contains only `ret`, so the hooked function returns to
-- its caller at once; nothing jumps to the `code:` label, which makes the
-- replicated instructions and the `jmp return` after them unreachable.
-- ply_projectileCopy holds the original bytes, and the byte at Copy+0x40 records
-- how many were saved so the DISABLE section knows how many to restore.
return [[
alloc(newmem_ply_projectile,$1000,ply_projectile)
alloc(ply_projectileCopy,$50)
registersymbol(newmem_ply_projectile)
registersymbol(ply_projectileCopy)

ply_projectileCopy:
  readmem(ply_projectile,]] .. totalReplacedLength .. [[)

// Save totalReplacedLength as a marker byte at Copy+0x40 for DISABLE to read
ply_projectileCopy+40:
  db ]] .. string.format("%02X", totalReplacedLength) .. [[

label(code)
label(return)


newmem_ply_projectile:
ret

code:
]] .. codeBlock .. "\n" .. [[
  jmp return


ply_projectile:
  jmp newmem_ply_projectile
]] .. (nopLine ~= "" and (nopLine .. "\n") or "") .. [[
return:
]]

{$asm}
// The assembly code is generated by the Lua script above

[DISABLE]
{$lua}
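-- DISABLE handler: write the saved original bytes back over the hook, then
-- release what ENABLE allocated and registered.
if syntaxcheck then return end

local symName = "ply_projectile"
local copyName = symName .. "Copy"
local newmemName = "newmem_" .. symName

-- Resolve a symbol to an address, or nil. getAddress is wrapped in pcall
-- because it may raise on an unknown symbol instead of returning nil or 0
-- (NOTE(review): depends on CE's lookup-failure setting - confirm); a raise
-- here would abort the handler before any of the guards below could run.
local function lookup(name)
  local ok, addr = pcall(getAddress, name)
  if ok and addr and addr ~= 0 then return addr end
  return nil
end

local copyAddr = lookup(copyName)
local origin = lookup(symName)
local newmemAddr = lookup(newmemName)

-- ENABLE stores the number of replaced bytes in the byte at Copy+0x40 and the
-- bytes themselves from Copy+0, so only a marker of 1..0x40 is believable.
local restoreLen = nil
if copyAddr then
  local marker = readBytes(copyAddr + 0x40, 1)
  if marker and marker &gt;= 1 and marker &lt;= 0x40 then restoreLen = marker end
end

-- Restore the original bytes and confirm the write by reading the site back.
-- Without a valid marker nothing is written: guessing a length (previously 16)
-- would copy backup bytes that ENABLE never filled over the instructions that
-- follow the hook.
local restored = false
if origin and copyAddr and restoreLen then
  local saved = readBytes(copyAddr, restoreLen, true)
  if saved and #saved == restoreLen then
    writeBytes(origin, saved)
    local current = readBytes(origin, restoreLen, true)
    if current and #current == restoreLen then
      restored = true
      for i = 1, restoreLen do
        if current[i] ~= saved[i] then
          restored = false
          break
        end
      end
    end
  end
end

-- Free the trampoline and the backup only after the site is verified restored.
-- While the jmp may still be in place, freeing them would leave the target
-- jumping into released memory.
if restored then
  if newmemAddr then deAlloc(newmemAddr) end
  deAlloc(copyAddr)
end

-- Unregister symbols explicitly; called unconditionally, the same way
-- aob_register calls unregisterSymbol before registering.
unregisterSymbol(symName)
unregisterSymbol(copyName)
unregisterSymbol(newmemName)

return ""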
{$asm}

{
8D 4C 24 58 48 89 44 24 48 41 B8 20 00 00 00 0F
BF 84 24 70 01 00 00 89 44 24 40 C7 84 24 A0 00
00 00 80 00 00 00 8B 46 60 89 84 24 A4 00 00 00
E8 03 01 FD FF 48 8D 96 A0 00 00 00 41 B8 20 00
00 00 48 8D 8C 24 B8 00 00 00 E8 E9 00 FD FF 48
8B 43 30 48 85 C0 74 16 4C 8B 43 38 48 8D 56 20
48 8D 4C 24 40 FF D0 85 C0 75 03 89 46 14 83 7C
24 40 01 75 32 49 8B 45 30 48 85 C0 74 29 4D 8B
45 38 49 8D 54 24 20 48 8D 8C 24 A0 00 00 00 FF
D0 8B 7C 24 20 4D 8D 44 24 20 85 C0 75 12 41 89
44 24 14 33 ED EB 09 4D 8D 44 24 20 8B 7C 24 20
41 0F BF 47 66 8B 4C 24 34 8B D0 2B C8 B8 E9 A2
8B 2E 2B 54 24 34 0F 49 CA F7 E9 D1 FA 8B C2 C1
E8 1F 03 D0 41 89 96 74 01 00 00 EB 09 FF C8 41
89 86 74 01 00 00 48 8B 1B 48 85 DB 0F 85 63 FE
FF FF 4C 8B BC 24 10 01 00 00 4C 8B B4 24 18 01
00 00 48 8B B4 24 20 01 00 00 48 8B AC 24 28 01
00 00 B8 01 00 00 00 48 8B 9C 24 58 01 00 00 EB
02 33 C0 48 8B 8C 24 00 01 00 00 48 33 CC E8 8A
0C FD FF 48 81 C4 30 01 00 00 41 5D 41 5C 5F C3
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC

// ORIGINAL CODE - INJECTION POINT: "Sin.dll"+313F0

"Sin.dll"+313E5: 7FF92A2D13E5 - CC - int 3
"Sin.dll"+313E6: 7FF92A2D13E6 - CC - int 3
"Sin.dll"+313E7: 7FF92A2D13E7 - CC - int 3
"Sin.dll"+313E8: 7FF92A2D13E8 - CC - int 3
"Sin.dll"+313E9: 7FF92A2D13E9 - CC - int 3
"Sin.dll"+313EA: 7FF92A2D13EA - CC - int 3
"Sin.dll"+313EB: 7FF92A2D13EB - CC - int 3
"Sin.dll"+313EC: 7FF92A2D13EC - CC - int 3
"Sin.dll"+313ED: 7FF92A2D13ED - CC - int 3
"Sin.dll"+313EE: 7FF92A2D13EE - CC - int 3
// ---------- INJECTING HERE ----------
"Sin.dll"+313EF: 7FF92A2D13EF - CC - int 3
"Sin.dll"+313F0: 7FF92A2D13F0 - 40 56 - push rsi - 40 56
// ---------- DONE INJECTING  ----------
"Sin.dll"+313F2: 7FF92A2D13F2 - 41 54 - push r12
"Sin.dll"+313F4: 7FF92A2D13F4 - 41 55 - push r13
"Sin.dll"+313F6: 7FF92A2D13F6 - 48 81 EC 50010000 - sub rsp,00000150
"Sin.dll"+313FD: 7FF92A2D13FD - 48 8B 05 34CC7600  - mov rax,[7FF92AA3E038]
"Sin.dll"+31404: 7FF92A2D1404 - 48 33 C4  - xor rax,rsp
"Sin.dll"+31407: 7FF92A2D1407 - 48 89 84 24 20010000  - mov [rsp+00000120],rax
"Sin.dll"+3140F: 7FF92A2D140F - 4C 8B E2  - mov r12,rdx
"Sin.dll"+31412: 7FF92A2D1412 - 89 4C 24 20  - mov [rsp+20],ecx
"Sin.dll"+31416: 7FF92A2D1416 - 8B D1  - mov edx,ecx
"Sin.dll"+31418: 7FF92A2D1418 - 8B F1  - mov esi,ecx
"Sin.dll"+3141A: 7FF92A2D141A - 48 8B 0D 97E8F500  - mov rcx,[7FF92B22FCB8]
"Sin.dll"+31421: 7FF92A2D1421 - 4D 8B E8  - mov r13,r8
"Sin.dll"+31424: 7FF92A2D1424 - E8 C5FEFCFF - call 7FF92A2A12EE
"Sin.dll"+31429: 7FF92A2D1429 - 48 89 44 24 48  - mov [rsp+48],rax
"Sin.dll"+3142E: 7FF92A2D142E - 48 85 C0  - test rax,rax
"Sin.dll"+31431: 7FF92A2D1431 - 0F84 F8020000 - je 7FF92A2D172F
"Sin.dll"+31437: 7FF92A2D1437 - 41 8B 44 24 10  - mov eax,[r12+10]
"Sin.dll"+3143C: 7FF92A2D143C - 45 8B 0C 24   - mov r9d,[r12]
"Sin.dll"+31440: 7FF92A2D1440 - 45 8B 44 24 04  - mov r8d,[r12+04]
"Sin.dll"+31445: 7FF92A2D1445 - 45 8B 54 24 08  - mov r10d,[r12+08]
"Sin.dll"+3144A: 7FF92A2D144A - 45 8B 5C 24 0C  - mov r11d,[r12+0C]
"Sin.dll"+3144F: 7FF92A2D144F - 89 44 24 38  - mov [rsp+38],eax
"Sin.dll"+31453: 7FF92A2D1453 - 41 8B 44 24 14  - mov eax,[r12+14]

40 56 41 54 41 55 48 81 EC 50 01 00 00 48 8B 05
34 CC 76 00 48 33 C4 48 89 84 24 20 01 00 00 4C
8B E2 89 4C 24 20 8B D1 8B F1 48 8B 0D 97 E8 F5
00 4D 8B E8 E8 C5 FE FC FF 48 89 44 24 48 48 85
C0 0F 84 F8 02 00 00 41 8B 44 24 10 45 8B 0C 24
45 8B 44 24 04 45 8B 54 24 08 45 8B 5C 24 0C 89
44 24 38 41 8B 44 24 14 48 89 BC 24 40 01 00 00
48 8B 3D 41 E7 F5 00 4C 89 BC 24 30 01 00 00 45
33 FF 89 44 24 34 49 8B 45 28 44 89 4C 24 30 44
89 44 24 2C 44 89 54 24 24 44 39 78 14 48 8D 50
20 44 89 5C 24 28 41 0F 95 C7 48 89 44 24 50 48
89 54 24 40 48 85 FF 0F 84 6D 02 00 00 48 89 9C
24 88 01 00 00 48 89 AC 24 48 01 00 00 4C 89 B4
24 38 01 00 00 83 7F 10 00 0F 84 27 02 00 00 48
8B 5F 38 44 8B F6 42 8B 8C B3 60 01 00 00 85 C9
0F 85 06 02 00 00 45 85 FF 0F 84 7D 01 00 00 48
8B 77 28 48 85 F6 0F 84 6C 01 00 00 39 4E 10 0F
84 63 01 00 00 39 4E 14 0F 84 5A 01 00 00 48 8B
4E 48 0F BF 41 06 41 3B C3 0F 8C 49 01 00 00 41
3B C2 0F 8F 40 01 00 00 0F BF 41 02 41 3B C1 0F
8F 33 01 00 00 41 3B C0 0F 8C 2A 01 00 00 33 D2
48 8D 4C 24 60 44 8D 42 58 E8 CB 0E FD FF 33 D2
48 8D 8C 24 C0 00 00 00 44 8D 42 58 E8 B8 0E FD
FF 83 4E 1C 01 41 B8 20 00 00 00 48 8B 44 24 48
48 89 44 24 68 41 8B 44 24 10 89 84 24 A0 00 00
00 41 8B 44 24 14 89 84 24 A4 00 00 00 C7 44 24
60 01 00 00 00 48 8B 46 48 8B 08 89 8C 24 00 01
00 00 48 8B 46 48 8B 48 04 89 8C 24 04 01 00 00
48 8B 4C 24 40 8B 41 04 48 8D 91 80 00 00 00 48
8D 4C 24 78 89 84 24 AC 00 00 00 C7 84 24 C0 00
00 00 10 00 00 00 C7 84 24 C4 00 00 00 FF FF 00
00 E8 4E FD

aobscanmodule(ply_projectile, Sin.dll, 40 ?? 41 ?? 41 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? 89)
}
</AssemblerScript>
        </CheatEntry>
        <CheatEntry>
          <ID>1337163494</ID>
          <Description>"Hitbox invincibility"</Description>
          <VariableType>Auto Assembler Script</VariableType>
          <AssemblerScript>{
  ply_hitboxest
  "Sin.dll"+34830: 7FF92A2D4830
  4 Bytes
}

[ENABLE]
{$lua}
-- Template lines for the injected code. Every non-empty line is later passed
-- through processAssemblyLine; in this entry the template holds only blank lines.
local newmemContent = [[


]]

-- Stop here when the syntaxcheck flag is set, before any scan or memory
-- access further down can run.
if syntaxcheck then
  return
end

-- Register `sym` at the address of the first signature that matches exactly
-- once. All signatures are tried with the "+X" protection filter first
-- (presumably executable pages only - confirm); only if none of them is unique
-- there is the whole list retried without a filter.
-- Raises an error when no signature produces a single hit.
function aob_register(sym, ...)
  local signatures = {...}

  -- Consume one scan result. Returns true plus the single entry when the scan
  -- found exactly one hit, false otherwise. A non-nil list is always destroyed.
  local function soleHit(hits)
    if not hits then
      return false
    end
    local unique = hits.Count == 1
    local first = nil
    if unique then
      first = hits[0]
    end
    hits.destroy()
    return unique, first
  end

  local matched, address = false, nil

  for _, sig in ipairs(signatures) do
    local unique, first = soleHit(AOBScan(sig, "+X"))
    if unique then
      matched, address = true, first
      break
    end
  end

  if not matched then
    for _, sig in ipairs(signatures) do
      local unique, first = soleHit(AOBScan(sig))
      if unique then
        matched, address = true, first
        break
      end
    end
  end

  if not matched then
    error('None of the patterns found a unique match!')
  end

  -- Drop any earlier registration of the same name before adding the new one
  unregisterSymbol(sym)
  registerSymbol(sym, tonumber(address, 16))
end

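-- Return the length in bytes of the instruction at `address`.
-- `address` is a number, or a string that is parsed as hexadecimal.
-- Raises an error when the first byte at the address cannot be read.
function getInstructionLength(address)
  local addr
  if type(address) == "string" then
    addr = tonumber(address, 16)
  else
    addr = address
  end

  -- Primary source: the byte column of the disassembler text. The pattern
  -- captures the run of hex digits and spaces that follows the first "- ".
  -- (The earlier "- ([%x%s]+) -" matched the same thing: its trailing " -"
  -- parses as a lazy repeat of the space, not as a literal separator.)
  local result = disassemble(addr)
  if result then
    local bytes_section = result:match("%- ([%x%s]+)")
    if bytes_section then
      local cleaned = bytes_section:gsub("%s", "")
      -- Accept whole bytes only: a single stray hex digit used to floor to a
      -- length of 0, and any odd digit count silently lost half a byte.
      if #cleaned % 2 == 0 then
        local byte_count = math.floor(#cleaned / 2)
        if byte_count &gt; 0 and byte_count &lt;= 15 then
          return byte_count
        end
      end
    end
  end

  -- Second choice: let the disassembler report the size itself, when this
  -- Cheat Engine build exposes getInstructionSize.
  if getInstructionSize then
    local ok, size = pcall(getInstructionSize, addr)
    if ok and type(size) == "number" and size &gt;= 1 and size &lt;= 15 then
      return math.floor(size)
    end
  end

  local firstByte = readBytes(addr, 1)
  if not firstByte then
    error("Cannot read memory at address: " .. string.format("%X", addr))
  end

  -- Last resort: guesses based on the first byte(s). These are heuristics,
  -- not an instruction decoder.
  local opcode = firstByte
  if opcode == 0x66 or opcode == 0x67 or opcode == 0xF2 or opcode == 0xF3 then
    local secondByte = readBytes(addr + 1, 1)
    if secondByte == 0x0F then
      return 5
    end
  end

  if opcode == 0xE9 then return 5 end  -- jmp rel32
  if opcode == 0xEB then return 2 end  -- jmp rel8
  if opcode == 0xE8 then return 5 end  -- call rel32

  -- A probe loop used to sit here: it disassembled addr+1 .. addr+15 and
  -- tested each text with match("??"). In a Lua pattern "??" is an optional
  -- "?" and matches every string, so the loop could never return. It is
  -- removed; the function ends in the same default as before.
  return 5
end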

-- Analysis state written by analyzeOriginalCode and read by
-- getAppropriateRegister. These are locals of this script chunk (not true
-- globals); the functions defined after this point capture them.
local originalInstruction = ""                               -- opcode text of the analysed instruction
local sourceRegister, destinationRegister = "", ""           -- operands recognised in that text
local memoryBase, memoryOffset, memoryFullExpr = "", "", ""  -- pieces of its [..] operand
local detectedXMMRegs, detectedGPRegs, detectedMemoryRefs = {}, {}, {}

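-- Disassemble the instruction at `address` and record what it refers to in the
-- script-level analysis variables:
--   originalInstruction   trimmed opcode text
--   detectedMemoryRefs    every [..] expression, in order of appearance
--   memoryFullExpr        the first [..] expression as written
--   memoryBase/Offset     that expression split at its first + or -; the
--                         operand patterns at the end may overwrite both
--   detectedGPRegs        general-purpose register names found outside [..],
--                         in the order of the gpKnown list
--   detectedXMMRegs       xmm/ymm/zmm names in order of appearance
--   destinationRegister / sourceRegister   set by the three operand patterns
-- `length` is accepted but not used.
-- Returns nothing. When disassemble() gives no text the state stays reset.
function analyzeOriginalCode(address, length)
  -- Reset everything a previous call may have left behind
  detectedXMMRegs = {}
  detectedGPRegs = {}
  detectedMemoryRefs = {}
  sourceRegister = ""
  destinationRegister = ""
  memoryBase = ""
  memoryOffset = ""
  memoryFullExpr = ""

  local disasm = disassemble(address)
  if not disasm then
    return
  end

  -- Strip leading and trailing whitespace
  local function trim(s)
    return (s:gsub("^%s+", ""):gsub("%s+$", ""))
  end

  -- Split "base+off" or "base-off". Returns the trimmed base and the offset
  -- (a leading + is dropped, a leading - is kept), or the expression exactly
  -- as given plus nil when it cannot be split that way.
  local function splitMemory(expr)
    local base, rest = expr:match("^([^%+%-%*]+)([%+%-].+)$")
    if base and rest then
      return trim(base), (rest:gsub("^[%+]", ""))
    end
    return expr, nil
  end

  -- The text is laid out as "address - bytes - opcode". Take what follows the
  -- byte column, so that a minus sign inside an operand (such as [rsp-50]) is
  -- not mistaken for a column separator; the older patterns then returned the
  -- byte column together with the opcode. They are kept as fallbacks for text
  -- that does not have this layout.
  local instructionPart = disasm:match("^[^%-]*%-%s+[%x%s]-%s+%-%s+(.+)$")
    or disasm:match("-%s+([^-]+)$")
    or disasm:match("-%s+(.+)")
  if not instructionPart then
    return
  end

  originalInstruction = trim(instructionPart)

  -- Memory operands (supports SIB, scale, absolute, multiple terms)
  for memRef in originalInstruction:gmatch("%[([^%]]+)%]") do
    table.insert(detectedMemoryRefs, memRef)
    -- Keep the first expression verbatim so it can be re-emitted later
    if memoryBase == "" then memoryFullExpr = memRef end
    local base, offset = splitMemory(memRef)
    if memoryBase == "" then memoryBase = base end
    if offset and memoryOffset == "" then memoryOffset = offset end
  end

  -- General-purpose registers. Memory expressions and size keywords are
  -- removed first so that words such as 'qword' cannot be read as registers.
  local stripped = originalInstruction
    :gsub("%[[^%]]+%]", " ")
    :gsub("[qdfx]?word%s+ptr", " ")
    :gsub("[qdfx]?word", " ")
    :gsub("%s+ptr", " ")
  local gpKnown = { "rax","rbx","rcx","rdx","rsi","rdi","rsp","rbp",
                    "r8","r9","r10","r11","r12","r13","r14","r15",
                    "eax","ebx","ecx","edx","esi","edi","esp","ebp",
                    "r8d","r9d","r10d","r11d","r12d","r13d","r14d","r15d",
                    "ax","bx","cx","dx","si","di","sp","bp",
                    "r8w","r9w","r10w","r11w","r12w","r13w","r14w","r15w",
                    "al","bl","cl","dl","ah","bh","ch","dh","sil","dil","bpl","spl",
                    "r8b","r9b","r10b","r11b","r12b","r13b","r14b","r15b" }
  local lcCleaned = " " .. stripped:lower() .. " "
  for _, reg in ipairs(gpKnown) do
    -- Each name occurs once in gpKnown, so no duplicate check is needed. The
    -- former substring check dropped e.g. "ax" whenever "eax" was already listed.
    if lcCleaned:find("[^%w]" .. reg .. "[^%w]") then
      table.insert(detectedGPRegs, reg)
    end
  end

  -- Vector registers, de-duplicated by exact name. A substring test would
  -- treat "xmm1" as already present once "xmm10" has been recorded.
  local seenVector = {}
  for reg in originalInstruction:gmatch("[xyz]mm[0-9]+") do
    if not seenVector[reg] then
      seenVector[reg] = true
      table.insert(detectedXMMRegs, reg)
    end
  end

  -- Pattern 1: instruction dest,src - register to register
  local dest, src = originalInstruction:match("^%w+%s+([^%s,]+),([^%s,]+)$")
  if dest and src and not dest:match("%[") and not src:match("%[") then
    destinationRegister = dest
    sourceRegister = src
  end

  -- Pattern 2: instruction dest,[mem] - memory to register
  local dest2, mem = originalInstruction:match("^%w+%s+([^%s,]+),[^%[]*%[([^%]]+)%]")
  if dest2 and mem then
    destinationRegister = dest2
    if memoryFullExpr == "" then memoryFullExpr = mem end
    local base, offset = splitMemory(mem)
    memoryBase = base
    if offset then memoryOffset = offset end
  end

  -- Pattern 3: instruction [mem],src - register to memory
  local mem2, src2 = originalInstruction:match("^%w+%s+[^%[]*%[([^%]]+)%],([^%s,]+)")
  if mem2 and src2 then
    sourceRegister = src2
    if memoryFullExpr == "" then memoryFullExpr = mem2 end
    local base, offset = splitMemory(mem2)
    memoryBase = base
    if offset then memoryOffset = offset end
  end
end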

-- Choose the text that replaces a placeholder in a template line.
-- `context` names the analysis result that is wanted: "memory", "offset",
-- "destination", "load", "see", "single_memory" or "full_memory". `position`
-- matters only for "memory" (must be 1) and "offset" (must be 2).
-- When the wanted result is empty or the context is not recognised, the answer
-- falls back to the first detected register and finally to "rax".
function getAppropriateRegister(instruction, context, position)
  -- Candidates for this context in order of preference; "" means "not set"
  local wanted = {}
  if context == "memory" then
    -- Patterns A and B: first slot of [%s+%s]
    if position == 1 then wanted = { memoryBase } end
  elseif context == "offset" then
    -- Patterns A and B: second slot of [%s+%s]
    if position == 2 then wanted = { memoryOffset } end
  elseif context == "destination" or context == "load" then
    -- Pattern C (value into register) and Pattern E (memory into register)
    wanted = { destinationRegister, sourceRegister }
  elseif context == "see" then
    -- Pattern F: register stored to memory
    wanted = { memoryBase, sourceRegister, destinationRegister }
  elseif context == "single_memory" then
    -- Single memory reference such as mov [%s],(int)1
    wanted = { memoryBase }
  elseif context == "full_memory" then
    -- %m placeholder: the whole expression, else base+offset, else the base
    local joined = ""
    if memoryBase ~= "" and memoryOffset ~= "" then
      joined = memoryBase .. "+" .. memoryOffset
    end
    wanted = { memoryFullExpr, joined, memoryBase }
  end

  for _, value in ipairs(wanted) do
    if value ~= "" then
      return value
    end
  end

  -- Nothing specific was available: decide by instruction type
  local scalarFloatOps = { "movss", "movsd", "addss", "subss", "mulss", "divss" }
  local isScalarFloat = false
  for _, op in ipairs(scalarFloatOps) do
    if instruction:match(op) then
      isScalarFloat = true
      break
    end
  end

  if isScalarFloat and #detectedXMMRegs ~= 0 then
    return detectedXMMRegs[1]
  end
  if #detectedGPRegs ~= 0 then
    return detectedGPRegs[1]
  end
  if #detectedXMMRegs ~= 0 then
    return detectedXMMRegs[1]
  end
  return "rax"
end

-- Fill the placeholders of one template line. %m becomes the captured memory
-- expression; %s slots are filled according to the shape of the line (the
-- Pattern letters below). The chosen text comes from getAppropriateRegister.
-- Returns the processed line; the generic case at the end also returns the
-- substitution count as a second value.
function processAssemblyLine(line)
  local text = (line:gsub("^%s*(.-)%s*$", "%1"))

  -- Full-memory placeholder
  if text:find("%%m") then
    local fullMem = getAppropriateRegister("", "full_memory", 1)
    text = (text:gsub("%%m", fullMem))
  end

  -- No register slots: nothing more to do
  if not text:find("%%s") then
    return text
  end

  local mnemonic = text:match("^(%w+)") or "mov"
  local noParen = not text:match("%(")

  -- Replace every %s with the choice for `context`
  local function fillAll(context)
    local reg = getAppropriateRegister(mnemonic, context, 1)
    return (text:gsub("%%s", reg))
  end

  -- Patterns A, B and D: two-slot operand "[%s+%s]," followed either by a
  -- typed value "(..." or by text without any parenthesis. Pattern B
  -- (movss/movsd) is a special case of A and is filled the same way.
  local twoSlot = text:match("^%w+%s+%[%%s%+%%s%],%(")
    or (noParen and text:match("^%w+%s+%[%%s%+%%s%],"))
  if twoSlot then
    local head, plus, tail = text:match("^(%w+%s+%[)%%s(%+)%%s(%],.*)$")
    if head and plus and tail then
      local base = getAppropriateRegister(mnemonic, "memory", 1)
      local offset = getAppropriateRegister(mnemonic, "offset", 2)
      return head .. base .. plus .. offset .. tail
    end
  end

  -- Pattern C: mov %s,(type)value - only the first slot is filled
  if text:match("^%w+%s+%%s,%(") then
    local head, tail = text:match("^(%w+%s+)%%s(.*)$")
    if head and tail then
      return head .. getAppropriateRegister(mnemonic, "destination", 1) .. tail
    end
  end

  -- Pattern E: mov %s,[setValue]
  if text:match("^%w+%s+%%s,%[") then
    return fillAll("load")
  end

  -- Pattern F: mov [seeValue],%s
  if text:match("^%w+%s+%[[^%]]*%],%%s") then
    return fillAll("see")
  end

  -- Patterns G and H: mov [%s],(type)value or mov [%s],register
  if text:match("^%w+%s+%[%%s%],%(")
    or (noParen and text:match("^%w+%s+%[%%s%],")) then
    return fillAll("single_memory")
  end

  -- Generic %s replacement
  local reg = getAppropriateRegister(mnemonic, "destination", 1)
  return text:gsub("%%s", reg)
end

-- Locate the hook site. aob_register tries its patterns in the order given:
-- the exact byte signature first, the wildcarded one second.
local exactSignature = "48 89 5C 24 08 48 89 74 24 10 48 89 7C 24 18 55 41 54 41 55 41 56 41 57 48 8D 6C 24 B0 48 81 EC 50 01 00 00 48"
local wildcardSignature = "48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 55 41 ?? 41 ?? 41 ?? 41 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? E8"
aob_register("ply_hitboxest", exactSignature, wildcardSignature)

-- Address the symbol resolved to, and the length of the first instruction there
local expAddr = getAddress("ply_hitboxest")
local instrLength = getInstructionLength(expAddr)

-- Heuristic test for a RIP-relative memory operand (x64 targets only): skip
-- legacy prefixes, an optional REX byte and the opcode byte(s), then read the
-- next byte as ModR/M and check for mod == 00 with rm == 101. The opcode is
-- not decoded, so the byte that gets tested is only assumed to be a ModR/M.
-- Returns true or false.
function isRipRelative(addr, len)
  if not targetIs64Bit() then return false end

  local code = readBytes(addr, len, true)
  if not code or #code &lt; 2 then return false end

  local legacyPrefix = {
    [0xF0] = true, [0xF2] = true, [0xF3] = true,
    [0x2E] = true, [0x36] = true, [0x3E] = true, [0x26] = true,
    [0x64] = true, [0x65] = true, [0x66] = true, [0x67] = true,
  }

  -- Step over any run of legacy prefixes
  local pos = 1
  while pos &lt;= #code and legacyPrefix[code[pos]] do
    pos = pos + 1
  end

  -- Optional REX byte (0x40-0x4F)
  if pos &lt;= #code then
    local candidate = code[pos]
    if candidate &gt;= 0x40 and candidate &lt;= 0x4F then
      pos = pos + 1
    end
  end
  if pos &gt; #code then return false end

  -- Opcode: one byte, or 0F xx, or 0F 38 xx / 0F 3A xx
  local opcode = code[pos]
  pos = pos + 1
  if opcode == 0x0F then
    if pos &gt; #code then return false end
    local second = code[pos]
    pos = pos + 1
    if second == 0x38 or second == 0x3A then
      if pos &gt; #code then return false end
      pos = pos + 1
    end
  end

  -- pos now indexes the byte treated as ModR/M
  if pos &gt; #code then return false end
  local modrm = code[pos]
  local modField = math.floor(modrm / 64)  -- bits 7-6
  local rmField = modrm % 8                -- bits 2-0
  return modField == 0 and rmField == 5
end

-- Collect whole instructions from the hook site until at least 5 bytes are
-- covered (the template below overwrites the site with a 5-byte jmp)
local replicatedInstrs = {}
local totalReplacedLength = 0
do
  -- Mnemonic of the instruction at `at`, plus its operand text when the
  -- mnemonic is call or starts with "j". Both are "" when unavailable.
  local function readBranchInfo(at)
    local text = disassemble(at)
    if not text then
      return "", ""
    end
    -- Instruction text after the last ' - '
    local body = text:match("-%s+([^-]+)$") or text:match("-%s+(.+)$") or ""
    body = body:gsub("^%s+",""):gsub("%s+$","")
    local name = body:match("^(%w+)") or ""
    local lowered = name:lower()
    local operand = ""
    -- Relative branches have to be re-emitted against their absolute target
    if lowered == "call" or lowered:sub(1,1) == "j" then
      operand = body:match("^%w+%s+(.+)$") or ""
      operand = operand:gsub("^%s+",""):gsub("%s+$","")
    end
    return name, operand
  end

  local cursor = expAddr
  while totalReplacedLength &lt; 5 do
    local size = getInstructionLength(cursor)
    if not size or size == 0 then break end
    local name, operand = readBranchInfo(cursor)
    table.insert(replicatedInstrs, {
      addr = cursor,
      len = size,
      mnemonic = name,
      target = operand,
      -- Non-branch instructions flagged here are emitted through reassemble()
      ripRel = isRipRelative(cursor, size),
    })
    totalReplacedLength = totalReplacedLength + size
    cursor = cursor + size
  end
end

-- Emit one Auto Assembler line per replicated instruction for the code: block
--   call or j* with an operand: the mnemonic followed by that operand
--   flagged RIP-relative:       reassemble(addr)
--   anything else:              readmem(addr,len), a plain byte copy
local codeBlockLines = {}
for index = 1, #replicatedInstrs do
  local entry = replicatedInstrs[index]
  local op = (entry.mnemonic or ""):lower()
  local isBranch = op == "call" or op:sub(1,1) == "j"
  local emitted
  if isBranch and entry.target ~= "" then
    emitted = op .. " " .. entry.target
  elseif entry.ripRel then
    emitted = "reassemble(" .. string.format("%X", entry.addr) .. ")"
  else
    emitted = "readmem(" .. string.format("%X", entry.addr) .. "," .. entry.len .. ")"
  end
  codeBlockLines[#codeBlockLines + 1] = "  " .. emitted
end
local codeBlock = table.concat(codeBlockLines, "\n")

-- Padding that follows the 5-byte jmp so that exactly totalReplacedLength
-- bytes of the original code are overwritten
local nopCount = totalReplacedLength - 5
local nopLine = ""
if nopCount == 1 then
  nopLine = "  nop"
elseif nopCount &gt; 1 then
  -- Several fillers are written as one db line of 90 bytes
  local filler = {}
  for i = 1, nopCount do
    filler[i] = "90"
  end
  nopLine = "  db " .. table.concat(filler, " ")
end

-- Fill the analysis variables from the instruction at the hook site
analyzeOriginalCode(expAddr, instrLength)


-- Run every non-empty template line through processAssemblyLine and keep the
-- non-empty results, indented by two spaces
local lines = {}
for raw in newmemContent:gmatch("[^\r\n]+") do
  local processedLine = processAssemblyLine(raw)
  if processedLine and processedLine ~= "" then
    lines[#lines + 1] = "  " .. processedLine
  end
end

-- NOTE(review): the template returned further down never references
-- processedNewmem, so these lines do not reach the generated script.
local processedNewmem = table.concat(lines, "\n")

-- Generate assembly code with detected length.
-- The returned Auto Assembler text, in order:
--   * allocates newmem_ply_hitboxest ($1000, near ply_hitboxest) and
--     ply_hitboxestCopy ($50) and registers both as symbols
--   * copies totalReplacedLength original bytes into the Copy buffer and
--     stores that length as one byte at Copy+40 for the DISABLE part
--   * places a single ret at newmem_ply_hitboxest, then the code: label with
--     the replicated instructions (codeBlock) and a jmp back to return
--   * overwrites ply_hitboxest with a jmp to newmem_ply_hitboxest plus the
--     padding line, and defines return right after it
-- Because the jmp lands on the ret, the code: block is not reached through
-- the hook itself.
return [[
alloc(newmem_ply_hitboxest,$1000,ply_hitboxest)
alloc(ply_hitboxestCopy,$50)
registersymbol(newmem_ply_hitboxest)
registersymbol(ply_hitboxestCopy)

ply_hitboxestCopy:
  readmem(ply_hitboxest,]] .. totalReplacedLength .. [[)

// Save totalReplacedLength as a marker byte at Copy+0x40 for DISABLE to read
ply_hitboxestCopy+40:
  db ]] .. string.format("%02X", totalReplacedLength) .. [[

label(code)
label(return)


newmem_ply_hitboxest:
ret

code:
]] .. codeBlock .. "\n" .. [[
  jmp return


ply_hitboxest:
  jmp newmem_ply_hitboxest
]] .. (nopLine ~= "" and (nopLine .. "\n") or "") .. [[
return:
]]

{$asm}
// The assembly code is generated by the Lua script above

[DISABLE]
{$lua}
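-- DISABLE handler: write the saved original bytes back over the hook, then
-- release what ENABLE allocated and registered.
if syntaxcheck then return end

local symName = "ply_hitboxest"
local copyName = symName .. "Copy"
local newmemName = "newmem_" .. symName

-- Resolve a symbol to an address, or nil. getAddress is wrapped in pcall
-- because it may raise on an unknown symbol instead of returning nil or 0
-- (NOTE(review): depends on CE's lookup-failure setting - confirm); a raise
-- here would abort the handler before any of the guards below could run.
local function lookup(name)
  local ok, addr = pcall(getAddress, name)
  if ok and addr and addr ~= 0 then return addr end
  return nil
end

local copyAddr = lookup(copyName)
local origin = lookup(symName)
local newmemAddr = lookup(newmemName)

-- ENABLE stores the number of replaced bytes in the byte at Copy+0x40 and the
-- bytes themselves from Copy+0, so only a marker of 1..0x40 is believable.
local restoreLen = nil
if copyAddr then
  local marker = readBytes(copyAddr + 0x40, 1)
  if marker and marker &gt;= 1 and marker &lt;= 0x40 then restoreLen = marker end
end

-- Restore the original bytes and confirm the write by reading the site back.
-- Without a valid marker nothing is written: guessing a length (previously 16)
-- would copy backup bytes that ENABLE never filled over the instructions that
-- follow the hook.
local restored = false
if origin and copyAddr and restoreLen then
  local saved = readBytes(copyAddr, restoreLen, true)
  if saved and #saved == restoreLen then
    writeBytes(origin, saved)
    local current = readBytes(origin, restoreLen, true)
    if current and #current == restoreLen then
      restored = true
      for i = 1, restoreLen do
        if current[i] ~= saved[i] then
          restored = false
          break
        end
      end
    end
  end
end

-- Free the trampoline and the backup only after the site is verified restored.
-- While the jmp may still be in place, freeing them would leave the target
-- jumping into released memory.
if restored then
  if newmemAddr then deAlloc(newmemAddr) end
  deAlloc(copyAddr)
end

-- Unregister symbols explicitly; called unconditionally, the same way
-- aob_register calls unregisterSymbol before registering.
unregisterSymbol(symName)
unregisterSymbol(copyName)
unregisterSymbol(newmemName)

return ""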
{$asm}

{
28 EB 1E 8B 54 24 20 EB 18 8B 74 24 2C 44 8B 5C
24 28 44 8B 4C 24 24 8B 54 24 20 41 BA 01 00 00
00 4D 8B 24 24 4D 85 E4 0F 85 98 FA FF FF 48 8B
9C 24 58 01 00 00 41 8B C2 EB 05 B8 01 00 00 00
48 8B 4D 00 48 33 CC E8 31 D9 FC FF 48 81 C4 10
01 00 00 41 5F 41 5E 41 5D 41 5C 5F 5E 5D C3 CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC

// ORIGINAL CODE - INJECTION POINT: "Sin.dll"+34830

"Sin.dll"+34822: 7FF92A2D4822 - CC - int 3
"Sin.dll"+34823: 7FF92A2D4823 - CC - int 3
"Sin.dll"+34824: 7FF92A2D4824 - CC - int 3
"Sin.dll"+34825: 7FF92A2D4825 - CC - int 3
"Sin.dll"+34826: 7FF92A2D4826 - CC - int 3
"Sin.dll"+34827: 7FF92A2D4827 - CC - int 3
"Sin.dll"+34828: 7FF92A2D4828 - CC - int 3
"Sin.dll"+34829: 7FF92A2D4829 - CC - int 3
"Sin.dll"+3482A: 7FF92A2D482A - CC - int 3
"Sin.dll"+3482B: 7FF92A2D482B - CC - int 3
"Sin.dll"+3482C: 7FF92A2D482C - CC - int 3
"Sin.dll"+3482D: 7FF92A2D482D - CC - int 3
"Sin.dll"+3482E: 7FF92A2D482E - CC - int 3
// ---------- INJECTING HERE ----------
"Sin.dll"+3482F: 7FF92A2D482F - CC - int 3
"Sin.dll"+34830: 7FF92A2D4830 - 48 89 5C 24 08  - mov [rsp+08],rbx - 48 89 5C 24 08
// ---------- DONE INJECTING  ----------
"Sin.dll"+34835: 7FF92A2D4835 - 48 89 74 24 10  - mov [rsp+10],rsi
"Sin.dll"+3483A: 7FF92A2D483A - 48 89 7C 24 18  - mov [rsp+18],rdi
"Sin.dll"+3483F: 7FF92A2D483F - 55 - push rbp
"Sin.dll"+34840: 7FF92A2D4840 - 41 54 - push r12
"Sin.dll"+34842: 7FF92A2D4842 - 41 55 - push r13
"Sin.dll"+34844: 7FF92A2D4844 - 41 56 - push r14
"Sin.dll"+34846: 7FF92A2D4846 - 41 57 - push r15
"Sin.dll"+34848: 7FF92A2D4848 - 48 8D 6C 24 B0  - lea rbp,[rsp-50]
"Sin.dll"+3484D: 7FF92A2D484D - 48 81 EC 50010000 - sub rsp,00000150
"Sin.dll"+34854: 7FF92A2D4854 - 48 8B 05 DD977600  - mov rax,[7FF92AA3E038]
"Sin.dll"+3485B: 7FF92A2D485B - 48 33 C4  - xor rax,rsp
"Sin.dll"+3485E: 7FF92A2D485E - 48 89 45 40  - mov [rbp+40],rax
"Sin.dll"+34862: 7FF92A2D4862 - E8 59F3FCFF - call 7FF92A2A3BC0
"Sin.dll"+34867: 7FF92A2D4867 - 83 F8 01 - cmp eax,01
"Sin.dll"+3486A: 7FF92A2D486A - 75 27 - jne 7FF92A2D4893
"Sin.dll"+3486C: 7FF92A2D486C - E8 B4D4FCFF - call 7FF92A2A1D25
"Sin.dll"+34871: 7FF92A2D4871 - 8B C8  - mov ecx,eax
"Sin.dll"+34873: 7FF92A2D4873 - E8 F301FDFF - call 7FF92A2A4A6B
"Sin.dll"+34878: 7FF92A2D4878 - E8 AAFAFCFF - call 7FF92A2A4327
"Sin.dll"+3487D: 7FF92A2D487D - 66 0F6E C0  - movd xmm0,eax
"Sin.dll"+34881: 7FF92A2D4881 - 0F5B C0  - cvtdq2ps xmm0,xmm0
"Sin.dll"+34884: 7FF92A2D4884 - E8 5FE9FCFF - call 7FF92A2A31E8
"Sin.dll"+34889: 7FF92A2D4889 - B9 02000000 - mov ecx,00000002
"Sin.dll"+3488E: 7FF92A2D488E - E8 8AF5FCFF - call 7FF92A2A3E1D
"Sin.dll"+34893: 7FF92A2D4893 - 33 FF  - xor edi,edi

48 89 5C 24 08 48 89 74 24 10 48 89 7C 24 18 55
41 54 41 55 41 56 41 57 48 8D 6C 24 B0 48 81 EC
50 01 00 00 48 8B 05 DD 97 76 00 48 33 C4 48 89
45 40 E8 59 F3 FC FF 83 F8 01 75 27 E8 B4 D4 FC
FF 8B C8 E8 F3 01 FD FF E8 AA FA FC FF 66 0F 6E
C0 0F 5B C0 E8 5F E9 FC FF B9 02 00 00 00 E8 8A
F5 FC FF 33 FF 48 8D 35 24 B1 F5 00 33 DB 89 7C
24 40 48 89 5C 24 78 66 0F 1F 84 00 00 00 00 00
48 8B 0D 01 B4 F5 00 8B D7 E8 30 CA FC FF 33 D2
48 8B C8 E8 4E 06 FD FF 48 8D 04 5B 48 8B 9C C6
58 01 00 00 48 89 5C 24 30 48 85 DB 0F 84 02 02
00 00 83 7B 10 00 0F 84 DC 01 00 00 48 8B 7B 28
48 89 7C 24 38 48 85 FF 0F 84 CA 01 00 00 66 90
83 7F 10 00 0F 84 AD 01 00 00 0F BF 57 46 0F BF
4F 42 44 8B EA 44 2B 6F 38 44 8B C1 44 2B 47 30
03 4F 2C 44 8B 67 34 8B 05 63 D4 2E 01 44 03 E2
8B 54 24 40 83 E0 01 44 89 44 24 48 89 4C 24 44
44 89 6C 24 4C 44 89 64 24 50 3B D0 0F 84 7C 02
00 00 C1 E1 10 89 4C 24 44 48 8B 0D 58 B3 F5 00
41 C1 E0 10 44 89 44 24 48 41 C1 E4 10 41 C1 E5
10 E8 78 C9 FC FF 4C 8B F8 48 85 C0 0F 84 35 01
00 00 48 8B 3D 1F B2 F5 00 4C 8B 73 28 48 85 FF
0F 84 1C 01 00 00 83 7F 10 00 0F 84 06 01 00 00
48 8B 5F 28 48 85 DB 0F 84 F4 00 00 00 83 7B 10
00 0F 84 EA 00 00 00 83 7B 14 00 0F 84 E0 00 00
00 48 8B 4B 48 8B 41 04 41 3B C5 0F 8C D0 00 00
00 41 3B C4 0F 8F C7 00 00 00 8B 01 3B 44 24 44
0F 8F BB 00 00 00 3B 44 24 48 0F 8C B1 00 00 00
33 D2 48 8D 4D 80 44 8D 42 58 E8 1A DA FC FF 33
D2 48 8D 4D E0 44 8D 42 58 E8 0B DA FC FF 83 4B
1C 01 49 8D 96 A0 00 00 00 4C 89 7D 88 48 8D 4D
98 C7 45 80

aobscanmodule(ply_hitboxest, Sin.dll, 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 55 41 ?? 41 ?? 41 ?? 41 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? E8)
}
</AssemblerScript>
        </CheatEntry>
        <CheatEntry>
          <ID>1337163495</ID>
          <Description>"Infinite Bombs"</Description>
          <VariableType>Auto Assembler Script</VariableType>
          <AssemblerScript>{
  ply_bombser
  "Sin.dll"+7BA72: 7FF92A31BA72
  4 Bytes
}

[ENABLE]
{$lua}
-- Template lines for the injected code. The template of this entry holds only
-- blank lines.
local newmemContent = [[


]]

-- Stop here when the syntaxcheck flag is set, before any scan or memory
-- access further down can run.
if syntaxcheck then
  return
end

-- Resolves `sym` to the single address matched by one of the byte patterns.
--
-- sym: symbol name to (re)register.
-- ...: array-of-bytes pattern strings, tried in the order given.
--
-- Each pattern is first scanned with the protection flag "+X" (executable
-- memory in Cheat Engine's flag syntax); only if no pattern gives exactly one
-- hit there is the whole list scanned again without a protection filter.
-- A pattern with zero or several hits is rejected, so an ambiguous signature
-- never decides where the symbol points.
-- Raises an error when no pattern yields exactly one match.
function aob_register(sym, ...)
  local candidates = {...}

  -- Consumes one scan result: reports whether it held exactly one hit and,
  -- if so, that hit. The result list is destroyed in every case.
  local function takeUnique(scan)
    if not scan then
      return false, nil
    end
    local unique = (scan.Count == 1)
    local hit = nil
    if unique then
      hit = scan[0]
    end
    scan.destroy()
    return unique, hit
  end

  local matched, addy = false, nil

  -- Pass 1: executable memory only.
  for _, pat in ipairs(candidates) do
    matched, addy = takeUnique((AOBScan(pat, "+X")))
    if matched then break end
  end

  -- Pass 2: no protection filter.
  if not matched then
    for _, pat in ipairs(candidates) do
      matched, addy = takeUnique((AOBScan(pat)))
      if matched then break end
    end
  end

  if not matched then
    error('None of the patterns found a unique match!')
  end

  -- The hit is hexadecimal text; drop any stale registration before binding
  -- the symbol to the freshly found address.
  unregisterSymbol(sym)
  registerSymbol(sym, tonumber(addy,16))
end

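-- Returns the length in bytes of the instruction at `address`.
--
-- address: a number, or a string holding the address in hexadecimal.
-- Returns: an integer. 1..15 when it can be read from the disassembler
--          output; otherwise a guess (5 or 2) based on the first bytes.
-- Raises:  an error when the first byte at the address cannot be read.
--
-- The previous version ended with a probe loop that tested
-- disassemble(addr + len) with the pattern "??". In a Lua pattern that is an
-- optional "?" and matches the empty string, so the test could never succeed
-- and the loop never returned; it only cost 15 disassembler calls before the
-- final `return 5`. The loop is removed and the guess is stated openly.
function getInstructionLength(address)
  local addr
  if type(address) == "string" then
    addr = tonumber(address, 16)
  else
    addr = address
  end

  -- Preferred path: count the hex digits in the byte column of the
  -- disassembler text (assumed layout: "address - bytes - opcode").
  local result = disassemble(addr)
  if result then
    -- Note: the trailing " -" is read by Lua as "zero or more spaces, lazily",
    -- not as a literal dash. The capture still ends at the separator because
    -- it only accepts hex digits and whitespace.
    local bytes_section = result:match("- ([%x%s]+) -")
    if bytes_section then
      local cleaned = bytes_section:gsub("%s", "")
      local byte_count = #cleaned / 2
      -- 15 bytes is the architectural maximum for one x86 instruction
      if byte_count &gt; 0 and byte_count &lt;= 15 then
        return math.floor(byte_count)
      end
    end
  end

  -- Everything below is a guess, not a decode. A wrong length makes the
  -- caller copy or overwrite part of an instruction.
  -- NOTE(review): Cheat Engine's built-in getInstructionSize() would be a more
  -- reliable fallback - confirm it is available in the targeted version.
  local firstByte = readBytes(addr, 1)
  if not firstByte then
    error("Cannot read memory at address: " .. string.format("%X", addr))
  end

  local opcode = firstByte
  -- Operand/address-size or rep prefix followed by the 0F escape byte
  if opcode == 0x66 or opcode == 0x67 or opcode == 0xF2 or opcode == 0xF3 then
    local secondByte = readBytes(addr + 1, 1)
    if secondByte == 0x0F then
      return 5
    end
  end

  if opcode == 0xE9 then return 5 end  -- jmp rel32
  if opcode == 0xEB then return 2 end  -- jmp rel8
  if opcode == 0xE8 then return 5 end  -- call rel32

  -- Last resort: assume the size of the 5-byte jump the caller will write
  return 5
end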

-- Results of the last analyzeOriginalCode() call. Despite the earlier wording
-- these are declared `local`, so they are scoped to this script chunk and are
-- reached by the functions below as shared state, not as true globals.
-- analyzeOriginalCode() writes them; getAppropriateRegister() reads them.
local originalInstruction = ""   -- instruction text taken from the disassembly
local sourceRegister = ""        -- source operand, "" when not identified
local destinationRegister = ""   -- destination operand, "" when not identified
local memoryBase = ""            -- part of the memory operand before the first +/- term
local memoryOffset = ""          -- remainder of the memory operand (leading "+" stripped)
local memoryFullExpr = ""        -- memory operand text exactly as found between [ ]
local detectedXMMRegs = {}       -- xmm/ymm/zmm register names found in the instruction
local detectedGPRegs = {}        -- general-purpose register names found outside [ ]
local detectedMemoryRefs = {}    -- every bracketed memory expression found

-- Disassembles the instruction at `address` and records its operands in the
-- shared analysis variables (sourceRegister, destinationRegister, memoryBase,
-- memoryOffset, memoryFullExpr and the three detected* lists).
--
-- address: address passed straight to disassemble().
-- length:  accepted but never read inside this function.
-- Returns nothing. When disassemble() gives no text the function returns
-- after the reset, leaving the variables empty; originalInstruction is not
-- part of the reset and keeps whatever an earlier call stored.
function analyzeOriginalCode(address, length)
  -- Reset detection arrays
  detectedXMMRegs = {}
  detectedGPRegs = {}
  detectedMemoryRefs = {}
  sourceRegister = ""
  destinationRegister = ""
  memoryBase = ""
  memoryOffset = ""
  memoryFullExpr = ""

  local disasm = disassemble(address)
  if not disasm then
    return
  end

  -- Extract the instruction part after the bytes
  -- First try: the text after the last "- " that contains no further hyphen.
  -- NOTE(review): instruction text that itself contains a hyphen (for example
  -- a negative displacement) cannot match this; the fallback then captures
  -- from the first "- " onward, which would include the byte column if the
  -- text has the "address - bytes - opcode" layout - verify.
  local instructionPart = disasm:match("-%s+([^-]+)$")
  if not instructionPart then
    instructionPart = disasm:match("-%s+(.+)")
  end

  if instructionPart then
    -- Trim both ends (only the first gsub result, the string, is kept)
    instructionPart = instructionPart:gsub("^%s+", ""):gsub("%s+$", "")
    originalInstruction = instructionPart

    -- Detect all memory references (supports SIB, scale, absolute, multiple terms)
    for memRef in originalInstruction:gmatch("%[([^%]]+)%]") do
      table.insert(detectedMemoryRefs, memRef)
      -- Store full expression so we can re-emit it verbatim later
      -- (memoryBase is still empty only for the first bracketed operand)
      if memoryBase == "" then memoryFullExpr = memRef end
      -- Also try legacy base+offset split for templates that use %s+%s
      -- base = everything before the first +, - or *; rest = from the first +/- on
      local base, rest = memRef:match("^([^%+%-%*]+)([%+%-].+)$")
      if base and rest then
        base = base:gsub("^%s+",""):gsub("%s+$","")
        -- a leading "+" is dropped, a leading "-" is kept as part of the offset
        rest = rest:gsub("^[%+]","")
        if memoryBase == "" then memoryBase = base end
        if memoryOffset == "" then memoryOffset = rest end
      else
        if memoryBase == "" then memoryBase = memRef end
      end
    end

    -- Detect all GP registers (use boundary-friendly approach)
    -- Strip memory expressions first to avoid matching size keywords like 'qword'
    local cleaned = originalInstruction
    cleaned = cleaned:gsub("%[[^%]]+%]", " ")
    cleaned = cleaned:gsub("[qdfx]?word%s+ptr", " ")
    cleaned = cleaned:gsub("[qdfx]?word", " ")
    cleaned = cleaned:gsub("%s+ptr", " ")
    local gpKnown = { "rax","rbx","rcx","rdx","rsi","rdi","rsp","rbp",
                      "r8","r9","r10","r11","r12","r13","r14","r15",
                      "eax","ebx","ecx","edx","esi","edi","esp","ebp",
                      "r8d","r9d","r10d","r11d","r12d","r13d","r14d","r15d",
                      "ax","bx","cx","dx","si","di","sp","bp",
                      "r8w","r9w","r10w","r11w","r12w","r13w","r14w","r15w",
                      "al","bl","cl","dl","ah","bh","ch","dh","sil","dil","bpl","spl",
                      "r8b","r9b","r10b","r11b","r12b","r13b","r14b","r15b" }
    -- Pad with spaces so a register at either end still has a non-word neighbour
    local lcCleaned = " " .. cleaned:lower() .. " "
    -- Registers are recorded in gpKnown order, not in operand order.
    -- NOTE(review): the duplicate check is a substring search on the joined
    -- list, so a name contained in one already recorded (e.g. "ax" in "rax")
    -- is treated as a duplicate.
    for _, reg in ipairs(gpKnown) do
      if lcCleaned:find("[^%w]" .. reg .. "[^%w]") then
        if not table.concat(detectedGPRegs, ","):find(reg) then
          table.insert(detectedGPRegs, reg)
        end
      end
    end

    -- Detect all XMM registers
    -- (same substring-based duplicate check as above: "xmm1" after "xmm10"
    -- counts as already seen)
    local xmmRegisterPattern = "[xyz]mm[0-9]+"
    for reg in originalInstruction:gmatch(xmmRegisterPattern) do
      if not table.concat(detectedXMMRegs, ","):find(reg) then
        table.insert(detectedXMMRegs, reg)
      end
    end

    -- Analyze instruction patterns to determine source and destination
    -- The three patterns are tried in turn; a later match overwrites what an
    -- earlier one (or the memory-reference loop above) stored.

    -- Pattern 1: instruction dest,src - Register to Register
    local dest, src = originalInstruction:match("^%w+%s+([^%s,]+),([^%s,]+)$")
    if dest and src and not dest:match("%[") and not src:match("%[") then
      destinationRegister = dest
      sourceRegister = src
    end

    -- Pattern 2: instruction dest,[mem] - Memory to Register
    local dest2, mem = originalInstruction:match("^%w+%s+([^%s,]+),[^%[]*%[([^%]]+)%]")
    if dest2 and mem then
      destinationRegister = dest2
      if memoryFullExpr == "" then memoryFullExpr = mem end
      local base, rest = mem:match("^([^%+%-%*]+)([%+%-].+)$")
      if base and rest then
        base = base:gsub("^%s+",""):gsub("%s+$","")
        rest = rest:gsub("^[%+]","")
        memoryBase = base
        memoryOffset = rest
      else
        memoryBase = mem
      end
    end

    -- Pattern 3: instruction [mem],src - Register to Memory
    local mem2, src2 = originalInstruction:match("^%w+%s+[^%[]*%[([^%]]+)%],([^%s,]+)")
    if mem2 and src2 then
      sourceRegister = src2
      if memoryFullExpr == "" then memoryFullExpr = mem2 end
      local base, rest = mem2:match("^([^%+%-%*]+)([%+%-].+)$")
      if base and rest then
        base = base:gsub("^%s+",""):gsub("%s+$","")
        rest = rest:gsub("^[%+]","")
        memoryBase = base
        memoryOffset = rest
      else
        memoryBase = mem2
      end
    end
  end
end

-- Chooses the operand text that should replace a template placeholder.
--
-- instruction: mnemonic of the template line; only consulted by the default
--              rule at the bottom.
-- context:     which placeholder is being filled: "memory", "offset",
--              "destination", "load", "see", "single_memory" or "full_memory".
-- position:    1 or 2; checked only for "memory" (must be 1) and "offset"
--              (must be 2).
-- Returns a string taken from the shared analysis variables. When the context
-- has nothing recorded, the default rule applies: first detected XMM register
-- for scalar SSE mnemonics, else first detected general-purpose register,
-- else first detected XMM register, else the literal "rax".
function getAppropriateRegister(instruction, context, position)
  if context == "memory" then
    -- base part of a "[%s+%s]" operand
    if position == 1 and memoryBase ~= "" then
      return memoryBase
    end
  elseif context == "offset" then
    -- offset part of a "[%s+%s]" operand
    if position == 2 and memoryOffset ~= "" then
      return memoryOffset
    end
  elseif context == "destination" or context == "load" then
    -- value loaded into a register: destination first, source as second choice
    if destinationRegister ~= "" then
      return destinationRegister
    end
    if sourceRegister ~= "" then
      return sourceRegister
    end
  elseif context == "see" then
    -- register stored to memory: memory base, then source, then destination
    if memoryBase ~= "" then
      return memoryBase
    end
    if sourceRegister ~= "" then
      return sourceRegister
    end
    if destinationRegister ~= "" then
      return destinationRegister
    end
  elseif context == "single_memory" then
    -- lone "[%s]" operand
    if memoryBase ~= "" then
      return memoryBase
    end
  elseif context == "full_memory" then
    -- "%m": the operand as captured, or rebuilt from base and offset
    if memoryFullExpr ~= "" then
      return memoryFullExpr
    end
    if memoryBase ~= "" then
      if memoryOffset ~= "" then
        return memoryBase .. "+" .. memoryOffset
      end
      return memoryBase
    end
  end

  -- Default rule, reached whenever the context produced nothing.
  local haveXmm = (#detectedXMMRegs ~= 0)
  local haveGp = (#detectedGPRegs ~= 0)

  local scalarSse = { "movss", "movsd", "addss", "subss", "mulss", "divss" }
  local usesScalarSse = false
  for _, name in ipairs(scalarSse) do
    if instruction:find(name, 1, true) then
      usesScalarSse = true
      break
    end
  end

  if usesScalarSse and haveXmm then
    return detectedXMMRegs[1]
  end
  if haveGp then
    return detectedGPRegs[1]
  end
  if haveXmm then
    return detectedXMMRegs[1]
  end
  return "rax"
end

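-- Fills the placeholders of one template line with operands taken from the
-- analysed original instruction.
--
-- line: one line of assembly text. "%m" stands for the whole memory
--       expression, "%s" for a register, base or offset depending on where it
--       appears.
-- Returns exactly one value: the trimmed line with placeholders replaced, or
-- the trimmed line unchanged when it contains no "%s".
--
-- Changes from the previous version:
--  * the final generic replacement returned gsub's match count as a second
--    value while every other path returned one value; it now returns one;
--  * the separate movss/movsd branch is gone: the general "[%s+%s],(" branch
--    ran first, matched the same lines and produced the same text, so the
--    branch could never be reached;
--  * branches that produced identical output share one code path.
function processAssemblyLine(line)
  -- Trim whitespace
  line = line:gsub("^%s*(.-)%s*$", "%1")

  -- "%m": full memory expression (keeps SIB/scale/absolute forms intact)
  if line:find("%%m") then
    local fullMem = getAppropriateRegister("", "full_memory", 1)
    line = line:gsub("%%m", fullMem)
  end

  if not line:find("%%s") then
    return line
  end

  -- Mnemonic of the line; "mov" when the line does not start with a word
  local instruction = line:match("^(%w+)") or "mov"

  -- True when the line contains an opening parenthesis anywhere, i.e. a typed
  -- immediate such as "(int)1" or "(float)1.0"
  local hasParen = line:match("%(") ~= nil

  -- Replaces every "%s" in the line with `text`; returns one value only
  local function fillAll(text)
    return (line:gsub("%%s", text))
  end

  -- "op [%s+%s],(type)value" and "op [%s+%s],register":
  -- first placeholder is the memory base, second one the offset
  if line:match("^%w+%s+%[%%s%+%%s%],%(")
     or (line:match("^%w+%s+%[%%s%+%%s%],") and not hasParen) then
    local prefix, middle, suffix = line:match("^(%w+%s+%[)%%s(%+)%%s(%],.*)$")
    if prefix and middle and suffix then
      local basePart = getAppropriateRegister(instruction, "memory", 1)
      local offsetPart = getAppropriateRegister(instruction, "offset", 2)
      return prefix .. basePart .. middle .. offsetPart .. suffix
    end
  end

  -- "op %s,(type)value": only the placeholder right after the mnemonic
  if line:match("^%w+%s+%%s,%(") then
    local prefix, suffix = line:match("^(%w+%s+)%%s(.*)$")
    if prefix and suffix then
      return prefix .. getAppropriateRegister(instruction, "destination", 1) .. suffix
    end
  end

  -- "op %s,[address]": value loaded from memory into a register
  if line:match("^%w+%s+%%s,%[") then
    return fillAll(getAppropriateRegister(instruction, "load", 1))
  end

  -- "op [address],%s": register stored to memory
  if line:match("^%w+%s+%[[^%]]*%],%%s") then
    return fillAll(getAppropriateRegister(instruction, "see", 1))
  end

  -- "op [%s],(type)value" and "op [%s],register": lone memory placeholder
  if line:match("^%w+%s+%[%%s%],%(")
     or (line:match("^%w+%s+%[%%s%],") and not hasParen) then
    return fillAll(getAppropriateRegister(instruction, "single_memory", 1))
  end

  -- Anything else: every "%s" becomes the destination-style register
  return fillAll(getAppropriateRegister(instruction, "destination", 1))
end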

-- Locate the injection point and bind it to the symbol "ply_bombser".
-- The exact byte signature is tried first, the wildcard form second;
-- aob_register() raises when neither has exactly one match, so nothing below
-- runs against an ambiguous address.
aob_register("ply_bombser", "88 47 28 84 C0 7F 07 88", "88 ?? ?? 84 ?? 7F ?? 88")

-- Address of the injection point and the length of the single instruction
-- located there. The walk that collects enough instructions to cover the
-- 5-byte JMP happens in the loop further down, not here; instrLength is only
-- handed to analyzeOriginalCode().
local expAddr = getAddress("ply_bombser")
local instrLength = getInstructionLength(expAddr)

-- Heuristic test for RIP-relative addressing in the instruction at `addr`.
--
-- addr: address of the instruction.
-- len:  number of bytes to read for it.
-- Returns true when, after skipping legacy prefixes, one REX byte and a 1- to
-- 3-byte opcode, the next byte has mod = 00 and r/m = 101; false otherwise,
-- and always false for a non-64-bit target or when fewer than 2 bytes could
-- be read.
-- The byte after the opcode is treated as ModR/M without checking that the
-- opcode really has one, so opcodes without a ModR/M byte can be reported as
-- RIP-relative.
function isRipRelative(addr, len)
  if not targetIs64Bit() then return false end

  local code = readBytes(addr, len, true)
  if not code or #code &lt; 2 then return false end
  local total = #code

  -- lock/repeat, segment-override, operand-size and address-size prefixes
  local legacyPrefix = {
    [0xF0] = true, [0xF2] = true, [0xF3] = true,
    [0x2E] = true, [0x36] = true, [0x3E] = true,
    [0x26] = true, [0x64] = true, [0x65] = true,
    [0x66] = true, [0x67] = true,
  }

  local pos = 1
  while pos &lt;= total and legacyPrefix[code[pos]] do
    pos = pos + 1
  end

  -- At most one REX prefix (0x40-0x4F)
  if pos &lt;= total then
    local maybeRex = code[pos]
    if maybeRex &gt;= 0x40 and maybeRex &lt;= 0x4F then
      pos = pos + 1
    end
  end
  if pos &gt; total then return false end

  local opcode = code[pos]
  pos = pos + 1

  -- 0F xx is a two-byte opcode; 0F 38 xx and 0F 3A xx are three-byte opcodes
  if opcode == 0x0F then
    if pos &gt; total then return false end
    local second = code[pos]
    pos = pos + 1
    if second == 0x38 or second == 0x3A then
      if pos &gt; total then return false end
      pos = pos + 1
    end
  end

  -- pos now indexes the presumed ModR/M byte
  if pos &gt; total then return false end
  local modrm = code[pos]
  local modField = math.floor(modrm / 64)  -- bits 7-6
  local rmField = modrm % 8                -- bits 2-0
  return (modField == 0 and rmField == 5)
end

-- Collect whole instructions starting at the injection point until at least
-- 5 bytes are covered, the size of the JMP written over them. Each entry
-- records the address, length, mnemonic, branch target text and a
-- RIP-relative flag; totalReplacedLength ends up as the number of original
-- bytes that the hook displaces.
local replicatedInstrs = {}
local totalReplacedLength = 0
do
  local cur = expAddr
  while totalReplacedLength &lt; 5 do
    local len = getInstructionLength(cur)
    -- Defensive stop. If it ever triggered, fewer than 5 bytes would be
    -- recorded although the JMP still overwrites 5.
    if not len or len == 0 then break end
    local dis = disassemble(cur)
    local mnemonic = ""
    local target = ""
    if dis then
      -- Extract instruction text after the last ' - '
      -- (same two-step pattern as analyzeOriginalCode: the second pattern is
      -- used when the text after the last separator contains a hyphen)
      local instrText = dis:match("-%s+([^-]+)$") or dis:match("-%s+(.+)$") or ""
      instrText = instrText:gsub("^%s+",""):gsub("%s+$","")
      mnemonic = instrText:match("^(%w+)") or ""
      -- Detect relative branches that must be rewritten as absolute
      -- Any mnemonic starting with "j" is treated as a branch; the operand
      -- text is kept verbatim as the target.
      local lcm = mnemonic:lower()
      if lcm == "call" or lcm == "jmp" or lcm:sub(1,1) == "j" then
        target = instrText:match("^%w+%s+(.+)$") or ""
        target = target:gsub("^%s+",""):gsub("%s+$","")
      end
    end
    -- Flag RIP-relative non-branch instructions for reassemble
    local ripRel = isRipRelative(cur, len)
    table.insert(replicatedInstrs, {addr=cur, len=len, mnemonic=mnemonic, target=target, ripRel=ripRel})
    totalReplacedLength = totalReplacedLength + len
    cur = cur + len
  end
end

-- Turn the collected instructions into the lines emitted under the "code:"
-- label of the generated script. Three cases, checked in this order:
--   1. call/jmp/conditional jump with a known target: written out again as
--      mnemonic plus target text, so the assembler recomputes the
--      displacement for the new location;
--   2. instruction flagged RIP-relative: reassemble(address), which lets the
--      displacement be fixed up;
--   3. anything else: readmem(address,length), a raw copy of the bytes.
local codeBlockLines = {}
for idx = 1, #replicatedInstrs do
  local entry = replicatedInstrs[idx]
  local name = string.lower(entry.mnemonic or "")
  local looksLikeBranch = (name == "call" or name == "jmp" or name:sub(1,1) == "j")

  local emitted
  if looksLikeBranch and entry.target ~= "" then
    emitted = "  " .. name .. " " .. entry.target
  elseif entry.ripRel then
    emitted = string.format("  reassemble(%X)", entry.addr)
  else
    emitted = string.format("  readmem(%X,%s)", entry.addr, tostring(entry.len))
  end
  codeBlockLines[#codeBlockLines + 1] = emitted
end
local codeBlock = table.concat(codeBlockLines, "\n")

-- The JMP written at the hook occupies 5 bytes. Any displaced bytes beyond
-- that are filled with one-byte NOPs (0x90) so that execution resumes on an
-- instruction boundary: a single "nop" line for one byte, a "db 90 90 ..."
-- line for more, and no line at all when exactly 5 bytes were displaced.
local nopCount = totalReplacedLength - 5
local nopLine = ""
if nopCount == 1 then
  nopLine = "  nop"
elseif nopCount &gt; 1 then
  local padding = {}
  for k = 1, nopCount do
    padding[k] = "90"
  end
  nopLine = "  db " .. table.concat(padding, " ")
end

-- Analyze the instruction at the injection point; the results land in the
-- shared analysis variables that processAssemblyLine() relies on.
analyzeOriginalCode(expAddr, instrLength)


-- Run every non-empty line of newmemContent through processAssemblyLine()
-- and indent the result by two spaces. The pattern also yields empty strings
-- (blank lines and the gaps between line breaks); those are skipped.
local lines = {}
for line in newmemContent:gmatch("([^\r\n]*)") do
  if line and line ~= "" then
    local processedLine = processAssemblyLine(line)
    if processedLine and processedLine ~= "" then
      table.insert(lines, "  " .. processedLine)
    end
  end
end

-- NOTE(review): processedNewmem is built here but the script text returned
-- below does not reference it; the newmem body there is written out
-- literally. Confirm whether that is intended.
local processedNewmem = table.concat(lines, "\n")

-- Return the Auto Assembler text that installs the hook. In order, it:
--   * allocates newmem_ply_bombser ($1000 bytes; the third alloc argument is
--     presumably a placement hint near ply_bombser so the 5-byte JMP can
--     reach it - confirm) and ply_bombserCopy ($50 bytes), and registers both;
--   * saves the totalReplacedLength original bytes into ply_bombserCopy and
--     writes that length as one byte at ply_bombserCopy+40 (hex), which is
--     what the DISABLE section reads back before restoring;
--   * defines newmem_ply_bombser: store 6 to [rdi+28], test al,al, jump back;
--   * emits the replicated original instructions under "code:". Nothing in
--     this text jumps to that label, so the block is carried but not executed;
--   * overwrites the injection point with the JMP plus any NOP padding.
-- The save must cover exactly the bytes that get overwritten; if it were
-- shorter, DISABLE could not put the original code back.
return [[
alloc(newmem_ply_bombser,$1000,ply_bombser)
alloc(ply_bombserCopy,$50)
registersymbol(newmem_ply_bombser)
registersymbol(ply_bombserCopy)

ply_bombserCopy:
  readmem(ply_bombser,]] .. totalReplacedLength .. [[)

// Save totalReplacedLength as a marker byte at Copy+0x40 for DISABLE to read
ply_bombserCopy+40:
  db ]] .. string.format("%02X", totalReplacedLength) .. [[

label(code)
label(return)


newmem_ply_bombser:
  mov [rdi+28],6
  test al,al
  jmp return

code:
]] .. codeBlock .. "\n" .. [[
  jmp return


ply_bombser:
  jmp newmem_ply_bombser
]] .. (nopLine ~= "" and (nopLine .. "\n") or "") .. [[
return:
]]

{$asm}
// The assembly code is generated by the Lua script above

[DISABLE]
{$lua}
-- DISABLE: put the saved original bytes back at the injection point, free the
-- two allocations made by ENABLE and drop the three symbols. The order
-- matters: the original code is restored before the memory it jumps to is
-- freed.
if syntaxcheck then return end

local symName = "ply_bombser"
local copyName = symName .. "Copy"

-- Read original bytes length from the marker at Copy+0x40
-- NOTE(review): the guards below assume getAddress() returns nil or 0 for an
-- unknown symbol. If it raises instead, they never take effect - confirm, and
-- consider the non-raising lookup variant if the API offers one.
local copyAddr = getAddress(copyName)
local origin = getAddress(symName)
local restoreLen = 0
if copyAddr and copyAddr ~= 0 then
  local marker = readBytes(copyAddr + 0x40, 1)
  -- NOTE(review): any non-zero marker is accepted as the length; there is no
  -- upper bound, although the saved bytes occupy only the start of the copy
  -- buffer and the marker itself sits at offset 0x40.
  if marker and marker &gt; 0 then restoreLen = marker end
end
-- NOTE(review): with no usable marker 16 bytes are restored. ENABLE saved
-- only totalReplacedLength bytes, so the remainder would come from whatever
-- the copy buffer holds and would be written over live code - verify that
-- this fallback is wanted.
if restoreLen == 0 then restoreLen = 16 end

-- Restore original bytes directly via writeBytes (safer than readmem)
if origin and origin ~= 0 and copyAddr and copyAddr ~= 0 then
  local bytes = readBytes(copyAddr, restoreLen, true)
  if bytes then writeBytes(origin, bytes) end
end

-- Free newmem allocation explicitly
-- NOTE(review): this runs even when the restore above was skipped; the JMP at
-- the injection point would then still target the freed block - confirm that
-- case cannot occur.
local newmemAddr = getAddress("newmem_" .. symName)
if newmemAddr and newmemAddr ~= 0 then
  deAlloc(newmemAddr)
end

-- Free copy allocation explicitly
if copyAddr and copyAddr ~= 0 then
  deAlloc(copyAddr)
end

-- Unregister symbols explicitly
if getAddress(symName) then unregisterSymbol(symName) end
if getAddress(copyName) then unregisterSymbol(copyName) end
if getAddress("newmem_" .. symName) then unregisterSymbol("newmem_" .. symName) end

-- No Auto Assembler text is needed for disabling
return ""
{$asm}

{
DA 78 F8 FF 48 8B 5C 24 30 B8 01 00 00 00 48 8B
74 24 38 48 83 C4 20 5F C3 CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC 01 51 04 8B 41 04 3B 41 0C 0F 47 41 0C 89
41 04 C3 CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC 44 8B 41 04 8B 41 08 44 03 C2 2B C2 44 89
41 04 BA 00 00 00 00 0F 48 C2 89 41 08 44 3B 41
0C 76 19 8B 41 1C 44 89 41 0C 44 3B C0 76 07 89
41 0C 89 41 04 C3 41 8B C0 89 41 04 C3 CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC 01 51 08 8B 41 08 3B 41 0C 0F 47 41 0C 89
41 08 C3 CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC 01 51 08 8B 51 08 3B 51 0C 76 16 8B 41 1C
89 51 0C 3B D0 76 07 89 41 0C 89 41 08 C3 8B C2
89 51 08 C3 CC CC CC CC CC CC CC CC CC CC CC CC
CC CC 40 53 48 83 EC 20 48 8B D9 48 85 C9 74 35
F6 01 01 74 30 0F BE 51 01 48 8B 89 38 03 00 00
E8 7C 73 F8 FF 48 8B C8 E8 CC 6B F8 FF 85 C0 74
14 83 BB 44 03 00 00 00 75 0B B8 01 00 00 00 48
83 C4 20 5B C3 33 C0 48 83 C4 20 5B C3 CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC C7 81 70 03 00 00 00 00 00 00 C3 CC CC CC
CC CC 89 51 54 C3 CC CC CC CC CC CC CC CC CC CC
CC CC 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC
30 33 DB 41 8B F0 44 8B C2 48 8B F9 8B D3 48 85
C9 74 04 0F BE 51 01 38 59 28 0F 84 86 00 00 00
44 8B 89 B8 01 00 00 8B 81 BC 01 00 00 41 81 C1
00 00 60 00 89 74 24 28 89 44 24 20 E8 97 88 F8
FF 48 85 C0 74 60 89 9F 54 04 00 00 FF 87 10 05
00 00 85 F6 75 15 39 1D B6 F5 1F 01 0F B6 47 28
75 05 FE C8

// ORIGINAL CODE - INJECTION POINT: "Sin.dll"+7BA72

"Sin.dll"+7BA4E: 7FF92A31BA4E - FF 48 85  - dec [rax-7B]
"Sin.dll"+7BA51: 7FF92A31BA51 - C0 74 60 89 9F - rol byte ptr [rax-77],-61
"Sin.dll"+7BA56: 7FF92A31BA56 - 54 - push rsp
"Sin.dll"+7BA57: 7FF92A31BA57 - 04 00 - add al,00
"Sin.dll"+7BA59: 7FF92A31BA59 - 00 FF  - add bh,bh
"Sin.dll"+7BA5B: 7FF92A31BA5B - 87 10  - xchg [rax],edx
"Sin.dll"+7BA5D: 7FF92A31BA5D - 05 000085F6 - add eax,F6850000
"Sin.dll"+7BA62: 7FF92A31BA62 - 75 15 - jne 7FF92A31BA79
"Sin.dll"+7BA64: 7FF92A31BA64 - 39 1D B6F51F01  - cmp [7FF92B51B020],ebx
"Sin.dll"+7BA6A: 7FF92A31BA6A - 0FB6 47 28  - movzx eax,byte ptr [rdi+28]
"Sin.dll"+7BA6E: 7FF92A31BA6E - 75 05 - jne 7FF92A31BA75
// ---------- INJECTING HERE ----------
"Sin.dll"+7BA70: 7FF92A31BA70 - FE C8  - dec al
"Sin.dll"+7BA72: 7FF92A31BA72 - 88 47 28  - mov [rdi+28],al - 88 47 28
// ---------- DONE INJECTING  ----------
"Sin.dll"+7BA75: 7FF92A31BA75 - 84 C0  - test al,al
"Sin.dll"+7BA77: 7FF92A31BA77 - 7F 07 - jg 7FF92A31BA80
"Sin.dll"+7BA79: 7FF92A31BA79 - 88 5F 28  - mov [rdi+28],bl
"Sin.dll"+7BA7C: 7FF92A31BA7C - 0F1F 40 00  - nop dword ptr [rax+00]
"Sin.dll"+7BA80: 7FF92A31BA80 - 48 8B 8F 38030000  - mov rcx,[rdi+00000338]
"Sin.dll"+7BA87: 7FF92A31BA87 - 8B D3  - mov edx,ebx
"Sin.dll"+7BA89: 7FF92A31BA89 - E8 6058F8FF - call 7FF92A2A12EE
"Sin.dll"+7BA8E: 7FF92A31BA8E - FF C3  - inc ebx
"Sin.dll"+7BA90: 7FF92A31BA90 - C7 80 18030000 40000000 - mov [rax+00000318],00000040
"Sin.dll"+7BA9A: 7FF92A31BA9A - 83 FB 02 - cmp ebx,02
"Sin.dll"+7BA9D: 7FF92A31BA9D - 7C E1 - jl 7FF92A31BA80
"Sin.dll"+7BA9F: 7FF92A31BA9F - B8 01000000 - mov eax,00000001
"Sin.dll"+7BAA4: 7FF92A31BAA4 - 48 8B 5C 24 40  - mov rbx,[rsp+40]
"Sin.dll"+7BAA9: 7FF92A31BAA9 - 48 8B 74 24 48  - mov rsi,[rsp+48]
"Sin.dll"+7BAAE: 7FF92A31BAAE - 48 83 C4 30 - add rsp,30
"Sin.dll"+7BAB2: 7FF92A31BAB2 - 5F - pop rdi
"Sin.dll"+7BAB3: 7FF92A31BAB3 - C3 - ret
"Sin.dll"+7BAB4: 7FF92A31BAB4 - 48 8B 5C 24 40  - mov rbx,[rsp+40]
"Sin.dll"+7BAB9: 7FF92A31BAB9 - 33 C0  - xor eax,eax
"Sin.dll"+7BABB: 7FF92A31BABB - 48 8B 74 24 48  - mov rsi,[rsp+48]
"Sin.dll"+7BAC0: 7FF92A31BAC0 - 48 83 C4 30 - add rsp,30
"Sin.dll"+7BAC4: 7FF92A31BAC4 - 5F - pop rdi
"Sin.dll"+7BAC5: 7FF92A31BAC5 - C3 - ret
"Sin.dll"+7BAC6: 7FF92A31BAC6 - CC - int 3
"Sin.dll"+7BAC7: 7FF92A31BAC7 - CC - int 3
"Sin.dll"+7BAC8: 7FF92A31BAC8 - CC - int 3
"Sin.dll"+7BAC9: 7FF92A31BAC9 - CC - int 3
"Sin.dll"+7BACA: 7FF92A31BACA - CC - int 3
"Sin.dll"+7BACB: 7FF92A31BACB - CC - int 3
"Sin.dll"+7BACC: 7FF92A31BACC - CC - int 3
"Sin.dll"+7BACD: 7FF92A31BACD - CC - int 3
"Sin.dll"+7BACE: 7FF92A31BACE - CC - int 3
"Sin.dll"+7BACF: 7FF92A31BACF - CC - int 3
"Sin.dll"+7BAD0: 7FF92A31BAD0 - CC - int 3
"Sin.dll"+7BAD1: 7FF92A31BAD1 - CC - int 3
"Sin.dll"+7BAD2: 7FF92A31BAD2 - CC - int 3
"Sin.dll"+7BAD3: 7FF92A31BAD3 - CC - int 3
"Sin.dll"+7BAD4: 7FF92A31BAD4 - CC - int 3
"Sin.dll"+7BAD5: 7FF92A31BAD5 - CC - int 3

88 47 28 84 C0 7F 07 88 5F 28 0F 1F 40 00 48 8B
8F 38 03 00 00 8B D3 E8 60 58 F8 FF FF C3 C7 80
18 03 00 00 40 00 00 00 83 FB 02 7C E1 B8 01 00
00 00 48 8B 5C 24 40 48 8B 74 24 48 48 83 C4 30
5F C3 48 8B 5C 24 40 33 C0 48 8B 74 24 48 48 83
C4 30 5F C3 CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC
CC CC CC CC CC CC CC CC CC CC CC CC CC CC 8B 41
54 C3 CC CC CC CC CC CC CC CC CC CC CC CC 8B 81
90 01 00 00 C3 CC CC CC CC CC CC CC CC CC 40 56
48 83 EC 30 48 8B F1 E8 77 5A F8 FF 85 C0 0F 85
7D 01 00 00 8B 46 30 48 89 5C 24 40 48 89 6C 24
48 48 89 7C 24 50 8D 2C 40 4C 89 7C 24 20 03 6E
3C 33 DB 66 66 66 0F 1F 84 00 00 00 00 00 48 8B
8E 38 03 00 00 44 8B C3 8B D5 E8 5C 8C F8 FF 48
8B D0 48 8D 8E 88 00 00 00 48 8B F8 E8 9E 92 F8
FF 85 C0 79 0C FF C3 83 FB 0A 7C D2 E9 8E 00 00
00 83 FB 09 75 0D 48 8B D6 48 8B CF E8 8D 33 00
00 EB 7C 48 8B 8E 38 03 00 00 41 B8 08 00 00 00
4C 89 64 24 58 8B D5 4C 89 74 24 28 E8 0A 8C F8
FF 48 8B 8E 38 03 00 00 41 BC 09 00 00 00 45 8B
C4 8B D5 48 8D 78 54 E8 EF 8B F8 FF 44 2B E3 4C
8D 70 54 45 85 E4 7E 22 4C 2B F7 41 8B EC 48 83
EF 54 41 B8 54 00 00 00 48 8B D7 49 8D 0C 3E E8
2E 57 F8 FF 48 83 ED 01 75 E4 48 8B D6 48 8B CF
E8 19 33 00 00 4C 8B 74 24 28 4C 8B 64 24 58 0F
BE 6E 01 8B CD E8 BA 72 F8 FF 85 DB 75 6F 8D 53
01 8B CD E8 B7 67 F8 FF 48 8D 96 88 00 00 00 8B
CD E8 F7 8C F8 FF 48 8D 96 A8 00 00 00 8B CD E8
56 8E F8 FF 8B 56 30 8B CD E8 32 71 F8 FF 48 8B
8E 38 03 00

aobscanmodule(ply_bombser, Sin.dll, 88 ?? ?? 84 ?? 7F ?? 88)
}
</AssemblerScript>
        </CheatEntry>
      </CheatEntries>
    </CheatEntry>
    <CheatEntry NoCheckbox="1">
      <ID>1337163498</ID>
      <Description>"--------------------------------------------- BY SERYOGASK ----------------------------------------------"</Description>
      <GroupHeader>1</GroupHeader>
    </CheatEntry>
  </CheatEntries>
  <UserdefinedSymbols/>
</CheatTable>
