10 "Activate Mono" Auto Assembler Script [ENABLE] {$lua} LaunchMonoDataCollector() {$asm} [DISABLE] 33 "GodMode and 1-Hit-Kill" Auto Assembler Script { CE does not find the address DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+681 Find_Method_bySignature does not help me here because no idea how to pass the damageType parameter to the find-function. AOB is hard bedause there are two ALMOST identical functions. To differ beetween them, we have to use a much bigger AOB :( AOB starts at DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+636 and ends at DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+681 } [ENABLE] aobscan(godmode,7E 22 8B 85 ECFEFFFF 8B 8E 9C000000 8B 49 54 3B C1 7E 0F 8B 86 9C 00 00 00 8B 40 54 89 85 EC FE FF FF 8B 85 EC FE FF FF 33 C9 85 C0 8B 85 EC FE FF FF 0F 4C C1 89 85 EC FE FF FF 8B 86 A8 01 00 00 8B 8D EC FE FF FF 2B C1 89 86 A8 01 00 00) // should be unique alloc(newmem,$100) label(code) label(return) newmem: cmp [esi+00000110],1 jne @f mov eax,#100 jmp code @@: mov eax,0 code: mov [esi+000001A8],eax jmp return godmode+4b: jmp newmem nop return: registersymbol(godmode) [DISABLE] godmode: db 89 86 A8 01 00 00 unregistersymbol(godmode) dealloc(newmem) { // ORIGINAL CODE - INJECTION POINT: DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+681 DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+654: 89 85 EC FE FF FF - mov [ebp-00000114],eax DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+65a: 8B 85 EC FE FF FF - mov eax,[ebp-00000114] DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+660: 33 C9 - xor ecx,ecx DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+662: 85 C0 - test eax,eax DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+664: 8B 85 EC FE FF FF - mov eax,[ebp-00000114] DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+66a: 0F 4C C1 - cmovl eax,ecx DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+66d: 89 85 EC FE FF FF - mov [ebp-00000114],eax DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+673: 8B 86 A8 01 00 00 - mov eax,[esi+000001A8] DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+679: 8B 8D EC FE FF FF - mov ecx,[ebp-00000114] DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+67f: 2B C1 - sub eax,ecx // ---------- INJECTING HERE ---------- DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+681: 89 86 A8 01 00 00 - mov [esi+000001A8],eax // ---------- DONE INJECTING ---------- DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+687: 8B 85 EC FE FF FF - mov eax,[ebp-00000114] DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+68d: 89 85 E0 FE FF FF - mov [ebp-00000120],eax DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+693: 83 BD E4 FE FF FF 03 - cmp dword ptr [ebp-0000011C],03 DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+69a: 74 12 - je DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6ae DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+69c: 83 BD E4 FE FF FF 04 - cmp dword ptr [ebp-0000011C],04 DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6a3: 74 09 - je DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6ae DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6a5: 83 BD E4 FE FF FF 09 - cmp dword ptr [ebp-0000011C],09 DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6ac: 75 2E - jne DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6dc DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6ae: 8B 86 A8 01 00 00 - mov eax,[esi+000001A8] DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6b4: 85 C0 - test eax,eax } 26 "Don't spend blue Potions when learning" Auto Assembler Script define(address1,VillageUIScript:OnDragDropOperationFinished+819) define(bytes1,49) define(address2,VillageUIScript:OnDragDropOperationFinished+91b) define(bytes2,49) [ENABLE] assert(address1,bytes1) assert(address2,bytes2) address1: nop address2: nop [DISABLE] address1: db bytes1 address2: db bytes2 dealloc(newmem) { // ORIGINAL CODE - INJECTION POINT: VillageUIScript:OnDragDropOperationFinished+819 VillageUIScript:OnDragDropOperationFinished+7ed: 39 00 - cmp [eax],eax VillageUIScript:OnDragDropOperationFinished+7ef: E8 EC 02 F8 FF - call UnityEngine.Object:get_name VillageUIScript:OnDragDropOperationFinished+7f4: 83 C4 10 - add esp,10 VillageUIScript:OnDragDropOperationFinished+7f7: 8B C8 - mov ecx,eax VillageUIScript:OnDragDropOperationFinished+7f9: 8B 85 F4 FE FF FF - mov eax,[ebp-0000010C] VillageUIScript:OnDragDropOperationFinished+7ff: 89 48 0C - mov [eax+0C],ecx VillageUIScript:OnDragDropOperationFinished+802: C7 40 18 00 00 00 00 - mov [eax+18],00000000 VillageUIScript:OnDragDropOperationFinished+809: C7 40 10 01 00 00 00 - mov [eax+10],00000001 VillageUIScript:OnDragDropOperationFinished+810: 8B 05 78 BC 4F 06 - mov eax,[064FBC78] VillageUIScript:OnDragDropOperationFinished+816: 8B 48 64 - mov ecx,[eax+64] // ---------- INJECTING HERE ---------- VillageUIScript:OnDragDropOperationFinished+819: 49 - dec ecx // ---------- DONE INJECTING ---------- VillageUIScript:OnDragDropOperationFinished+81a: 89 48 64 - mov [eax+64],ecx VillageUIScript:OnDragDropOperationFinished+81d: 8B 05 78 BC 4F 06 - mov eax,[064FBC78] VillageUIScript:OnDragDropOperationFinished+823: 83 EC 0C - sub esp,0C VillageUIScript:OnDragDropOperationFinished+826: 50 - push eax VillageUIScript:OnDragDropOperationFinished+827: 39 00 - cmp [eax],eax VillageUIScript:OnDragDropOperationFinished+829: E8 3A 6F 02 00 - call DarkQuestSilverlight.PlayerProfileData:SaveToDisk VillageUIScript:OnDragDropOperationFinished+82e: 83 C4 10 - add esp,10 VillageUIScript:OnDragDropOperationFinished+831: 8B 83 34 02 00 00 - mov eax,[ebx+00000234] VillageUIScript:OnDragDropOperationFinished+837: 83 EC 08 - sub esp,08 VillageUIScript:OnDragDropOperationFinished+83a: 6A 00 - push 00 } { // ORIGINAL CODE - INJECTION POINT: VillageUIScript:OnDragDropOperationFinished+91b VillageUIScript:OnDragDropOperationFinished+8fd: 50 - push eax VillageUIScript:OnDragDropOperationFinished+8fe: 39 00 - cmp [eax],eax VillageUIScript:OnDragDropOperationFinished+900: E8 0B D6 FE FF - call SoundFxPlayerScript:Play VillageUIScript:OnDragDropOperationFinished+905: 83 C4 10 - add esp,10 VillageUIScript:OnDragDropOperationFinished+908: 8B 45 84 - mov eax,[ebp-7C] VillageUIScript:OnDragDropOperationFinished+90b: 8B 48 1C - mov ecx,[eax+1C] VillageUIScript:OnDragDropOperationFinished+90e: 41 - inc ecx VillageUIScript:OnDragDropOperationFinished+90f: 89 48 1C - mov [eax+1C],ecx VillageUIScript:OnDragDropOperationFinished+912: 8B 05 78 BC 4F 06 - mov eax,[064FBC78] VillageUIScript:OnDragDropOperationFinished+918: 8B 48 64 - mov ecx,[eax+64] // ---------- INJECTING HERE ---------- VillageUIScript:OnDragDropOperationFinished+91b: 49 - dec ecx // ---------- DONE INJECTING ---------- VillageUIScript:OnDragDropOperationFinished+91c: 89 48 64 - mov [eax+64],ecx VillageUIScript:OnDragDropOperationFinished+91f: 8B 05 78 BC 4F 06 - mov eax,[064FBC78] VillageUIScript:OnDragDropOperationFinished+925: 83 EC 0C - sub esp,0C VillageUIScript:OnDragDropOperationFinished+928: 50 - push eax VillageUIScript:OnDragDropOperationFinished+929: 39 00 - cmp [eax],eax VillageUIScript:OnDragDropOperationFinished+92b: E8 38 6E 02 00 - call DarkQuestSilverlight.PlayerProfileData:SaveToDisk VillageUIScript:OnDragDropOperationFinished+930: 83 C4 10 - add esp,10 VillageUIScript:OnDragDropOperationFinished+933: 83 EC 0C - sub esp,0C VillageUIScript:OnDragDropOperationFinished+936: 53 - push ebx VillageUIScript:OnDragDropOperationFinished+937: E8 0C E4 01 17 - call VillageUIScript:UpdateMagicianShop } 21 "Don't spend gold in Town when buying" Auto Assembler Script define(address,VillageUIScript:OnDragDropOperationFinished+e46) define(bytes,2B CA) [ENABLE] assert(address,bytes) address: nop nop return: [DISABLE] address: db bytes // sub ecx,edx dealloc(newmem) { // ORIGINAL CODE - INJECTION POINT: VillageUIScript:OnDragDropOperationFinished+e46 VillageUIScript:OnDragDropOperationFinished+e22: 39 00 - cmp [eax],eax VillageUIScript:OnDragDropOperationFinished+e24: BA 60 F0 E7 19 - mov edx,19E7F060 VillageUIScript:OnDragDropOperationFinished+e29: 83 EC 0C - sub esp,0C VillageUIScript:OnDragDropOperationFinished+e2c: 50 - push eax VillageUIScript:OnDragDropOperationFinished+e2d: E8 86 B6 FB FF - call 07138A40 VillageUIScript:OnDragDropOperationFinished+e32: 83 C4 10 - add esp,10 VillageUIScript:OnDragDropOperationFinished+e35: 8B D0 - mov edx,eax VillageUIScript:OnDragDropOperationFinished+e37: 8B 85 F0 FE FF FF - mov eax,[ebp-00000110] VillageUIScript:OnDragDropOperationFinished+e3d: 8B 8D EC FE FF FF - mov ecx,[ebp-00000114] VillageUIScript:OnDragDropOperationFinished+e43: 8B 52 3C - mov edx,[edx+3C] // ---------- INJECTING HERE ---------- VillageUIScript:OnDragDropOperationFinished+e46: 2B CA - sub ecx,edx // ---------- DONE INJECTING ---------- VillageUIScript:OnDragDropOperationFinished+e48: 89 48 48 - mov [eax+48],ecx VillageUIScript:OnDragDropOperationFinished+e4b: E8 24 3E FF FF - call 071711FC VillageUIScript:OnDragDropOperationFinished+e50: 8B 8B 2C 02 00 00 - mov ecx,[ebx+0000022C] VillageUIScript:OnDragDropOperationFinished+e56: 83 EC 08 - sub esp,08 VillageUIScript:OnDragDropOperationFinished+e59: 51 - push ecx VillageUIScript:OnDragDropOperationFinished+e5a: 50 - push eax VillageUIScript:OnDragDropOperationFinished+e5b: 39 00 - cmp [eax],eax VillageUIScript:OnDragDropOperationFinished+e5d: E8 06 3E FF FF - call 071711F0 VillageUIScript:OnDragDropOperationFinished+e62: 83 C4 10 - add esp,10 VillageUIScript:OnDragDropOperationFinished+e65: 83 EC 0C - sub esp,0C } 32 "debug - not working" C0C0C0 Auto Assembler Script { CE does not like to resolve the address DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+681 because of... dafuq?! so the workaround with lua... } [ENABLE] {$lua} if syntaxcheck==true then return '' end -- assume LaunchMonoDataCollector has been called if (LaunchMonoDataCollector()==0) then error("no mono") end function reEscape(s) local escPatChars = [[().%+-*?[^]] s = s:gsub('.',function(c) if escPatChars:find(c,1,true) then return '%'..c end end) return s end function findMethod_Addr_BySignature(namespace,classname,methodname,signature,check) local meth = findMethod_BySignature(namespace,classname,methodname,signature,check) if meth~=nil and meth>0 then return mono_compile_method(meth) end end function findMethod_BySignature(namespace,classname,methodname,signature,check) assert(type(signature)=='string',"invalid signature") signature="^"..reEscape(signature:gsub(";",",")) local class = mono_findClass(namespace,classname) if type(class)~='number' or class==0 then print('Class ' .. classname .. ' not found') return nil end local methods=mono_class_enumMethods(class) if type(methods)~='table' or #methods<1 then return nil end if check then for i=1,#methods do if methodname == methods[i].name then local sign = mono_method_getSignature(methods[i].method) if sign:match(signature) then return methods[i].method end end end end end function tohex(n)return string.format('%X',n or 0)end desired_function = findMethod_Addr_BySignature('','AppSupportFunctions','ReceiveDamage','MapObject,MapObject,int,DamageType',true) address = "0x" .. (tohex(desired_function)) registersymbol(godmode, address) {$asm} alloc(newmem,$1000) label(code) label(return) newmem: code: mov [esi+000001A8],eax jmp return godmode: jmp newmem nop return: registersymbol(godmode) [DISABLE] godmode: db 89 86 A8 01 00 00 unregistersymbol(godmode) dealloc(newmem) { // ORIGINAL CODE - INJECTION POINT: DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+681 DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+654: 89 85 EC FE FF FF - mov [ebp-00000114],eax DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+65a: 8B 85 EC FE FF FF - mov eax,[ebp-00000114] DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+660: 33 C9 - xor ecx,ecx DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+662: 85 C0 - test eax,eax DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+664: 8B 85 EC FE FF FF - mov eax,[ebp-00000114] DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+66a: 0F 4C C1 - cmovl eax,ecx DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+66d: 89 85 EC FE FF FF - mov [ebp-00000114],eax DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+673: 8B 86 A8 01 00 00 - mov eax,[esi+000001A8] DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+679: 8B 8D EC FE FF FF - mov ecx,[ebp-00000114] DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+67f: 2B C1 - sub eax,ecx // ---------- INJECTING HERE ---------- DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+681: 89 86 A8 01 00 00 - mov [esi+000001A8],eax // ---------- DONE INJECTING ---------- DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+687: 8B 85 EC FE FF FF - mov eax,[ebp-00000114] DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+68d: 89 85 E0 FE FF FF - mov [ebp-00000120],eax DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+693: 83 BD E4 FE FF FF 03 - cmp dword ptr [ebp-0000011C],03 DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+69a: 74 12 - je DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6ae DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+69c: 83 BD E4 FE FF FF 04 - cmp dword ptr [ebp-0000011C],04 DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6a3: 74 09 - je DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6ae DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6a5: 83 BD E4 FE FF FF 09 - cmp dword ptr [ebp-0000011C],09 DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6ac: 75 2E - jne DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6dc DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6ae: 8B 86 A8 01 00 00 - mov eax,[esi+000001A8] DarkQuestSilverlight.AppSupportFunctions:ReceiveDamage+6b4: 85 C0 - test eax,eax } 34 "one-hit-kill and godmode by Dharmang1910" Auto Assembler Script [ENABLE] alloc(newmem,2048) label(returnhere) label(originalcode) label(exit) newmem: cmp [edi+110],1 jne @f mov [edi+1A8],64 jmp originalcode @@: mov [edi+1A8],0 originalcode: mov eax,[esi+0000009C] exit: jmp returnhere dqScriptDefaultAttack:OnAttack+1a5: jmp newmem nop returnhere: [DISABLE] dealloc(newmem) dqScriptDefaultAttack:OnAttack+1a5: mov eax,[esi+0000009C]