<?xml version="1.0" encoding="utf-8"?>
<CheatTable NightfallCETableVersion="42">
  <CheatEntries>
    <CheatEntry>
      <ID>0</ID>
      <Description>"AddrRead (DBVM)"</Description>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>[ENABLE]
{$lua}
-- Create the initial symbol list and register it with Cheat Engine.
-- `symbols` is intentionally global: onOpenProcess replaces it on every attach.
symbols = createSymbolList();
symbols.register();

--- Cheat Engine callback that rebuilds the custom symbol list each time a process is opened.
-- Takes the process object returned by dbk_getPEProcess, follows fixed offsets to what
-- the locals name the PEB, the loader data and the module list, and adds every entry it
-- reads to `symbols` with addModule.
-- NOTE(review): every offset is a hard-coded constant; EPROCESS layout differs between
-- Windows builds, so confirm them against the build in use.
-- NOTE(review): no read result is checked before it is used in arithmetic; confirm how a
-- failed read behaves here.
-- NOTE(review): the table entry is titled "AddrRead (DBVM)"; presumably these reads rely
-- on Cheat Engine's kernel or DBVM memory access being enabled - confirm.
-- @param pid id of the process being opened
function onOpenProcess(pid)
    -- Drop the previous process's modules and start again with an empty, registered list.
    symbols.unregister();
    symbols = createSymbolList();
    symbols.register();

    reinitializeSymbolhandler();

    -- PID 4 is the Windows System process; the walk below is skipped for it
    -- (presumably because it has no user-mode PEB - confirm).
    if (pid == 4) then
        return;
    end

    -- Process object for this pid, obtained through the dbk_ (kernel driver) API.
    local proc = dbk_getPEProcess(pid);
    --printf("proc: %08X", proc);

    -- Pointer stored at +0x550 of the process object, used as the PEB address.
    local peb = readQword(proc + 0x550);
    --printf("peb: %08X", peb);

    -- PEB +0x18: pointer to the loader data (the Ldr field in the 64-bit PEB layout).
    local ldr = readQword(peb + 0x18);
    --printf("ldr: %08X", ldr);

    -- Loader data +0x10: first link of a module list
    -- (presumably InLoadOrderModuleList - confirm).
    local index = readQword(ldr + 0x10);
    --printf("index: %08X\n", index);

    -- Fixed 100 iterations: there is no check for the list head or for a failed read.
    -- NOTE(review): the pointer is dereferenced at the top (readQword(index)) and again
    -- at the bottom (readQword(mod)), so the walk appears to advance two links per
    -- iteration - confirm whether alternate entries are skipped.
    for i = 1, 100 do
          local mod = readQword(index);
          --printf("mod: %08X", mod);

          -- Name: 2-byte length at +0x58, buffer pointer at +0x60, read as a wide string
          -- (the shape of a UNICODE_STRING; presumably BaseDllName - confirm).
          local name = readString(readQword(mod + 0x58 + 0x8), readSmallInteger(mod + 0x58), true);
          --printf("name: %s", name);

          -- Entry +0x30: module base address.
          local base = readQword(mod + 0x30);
          --printf("base: %08X", base);

          -- Entry +0x40: module size, read as a 4-byte value.
          local size = readInteger(mod + 0x40);
          --printf("size: %04X\n", size);

          -- Empty path string; the fifth argument is passed as true only for these entries.
          symbols.addModule(name, "", base, size, true);

          index = readQword(mod);
    end

    -- Main image, taken from the process object itself rather than from the loader list:
    -- a name of at most 15 bytes at +0x5A8, the base at +0x520 and the size at +0x498.
    -- NOTE(review): presumably ImageFileName, SectionBaseAddress and VirtualSize - confirm
    -- for the target Windows build.
    local name = readString(proc + 0x5A8, 15);
    --print("name:", name);

    local base = readQword(proc + 0x520);
    --printf("base: %08X", base);

    local size = readQword(proc + 0x498);
    --printf("size: %04X", size);

    -- Unlike the loop above, no fifth argument is passed here.
    symbols.addModule(name, "", base, size);

    -- Refresh the symbol handler so the modules added above are picked up.
    reinitializeSymbolhandler();

    --print("finished!");
end
{$asm}
 
[DISABLE]

</AssemblerScript>
    </CheatEntry>
    <CheatEntry>
      <ID>152</ID>
      <Description>"Inf Health"</Description>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>[ENABLE]

// Hook on the 5-byte store `movss [rcx+18],xmm6` (F3 0F 11 71 18) in Disrupt_64.dll.
// The enable section overwrites those 5 bytes inside the module's code, so comparing the
// loaded code against the file on disk would show the change.
aobscanmodule(health,Disrupt_64.dll,F3 0F 11 71 18 0F 84) // should be unique
// Code cave, requested near the hook address.
alloc(newmem,$1000,health)
// NOTE(review): comp is allocated without a near-address hint, unlike newmem; confirm that
// [comp] stays addressable from the cave wherever it lands.
alloc(comp,8)
label(code)
label(return)

// Constant 100.0 used for the comparison below.
comp:
dd (float)100

newmem:
// NOTE(review): xmm4 is overwritten without being saved; confirm it is dead at this point.
movss xmm4,[comp]
// NOTE(review): what xmm7 holds is not visible in this script; the store is only replaced
// when xmm7 equals 100.0 - confirm that this identifies the intended object.
comiss xmm7,xmm4
jne code
  // xmm7 == 100.0: write 100.0 instead of the value in xmm6.
  mov [rcx+18],(float)100
  jmp return

code:
  // Otherwise run the original instruction unchanged.
  movss [rcx+18],xmm6
  jmp return

health:
  // 5-byte jmp replaces the 5-byte original, so no padding is needed.
  jmp newmem
return:
registersymbol(health,comp)

[DISABLE]

// Restore the original instruction bytes.
health:
  db F3 0F 11 71 18

// Wildcards: drop every symbol and allocation made by the enable section.
unregistersymbol(*)
dealloc(*)

{
// ORIGINAL CODE - INJECTION POINT: Disrupt_64.dll+6962B7B

Disrupt_64.dll+6962B55: 44 89 C7                 - mov edi,r8d
Disrupt_64.dll+6962B58: 48 89 CB                 - mov rbx,rcx
Disrupt_64.dll+6962B5B: 0F 28 F1                 - movaps xmm6,xmm1
Disrupt_64.dll+6962B5E: 0F 2E F7                 - ucomiss xmm6,xmm7
Disrupt_64.dll+6962B61: 0F 84 E2 00 00 00        - je Disrupt_64.dll+6962C49
Disrupt_64.dll+6962B67: 4C 89 49 20              - mov [rcx+20],r9
Disrupt_64.dll+6962B6B: 0F 2F 71 1C              - comiss xmm6,[rcx+1C]
Disrupt_64.dll+6962B6F: 72 05                    - jb Disrupt_64.dll+6962B76
Disrupt_64.dll+6962B71: F3 0F 10 71 1C           - movss xmm6,[rcx+1C]
Disrupt_64.dll+6962B76: 48 83 79 08 00           - cmp qword ptr [rcx+08],00
// ---------- INJECTING HERE ----------
Disrupt_64.dll+6962B7B: F3 0F 11 71 18           - movss [rcx+18],xmm6
// ---------- DONE INJECTING  ----------
Disrupt_64.dll+6962B80: 0F 84 C3 00 00 00        - je Disrupt_64.dll+6962C49
Disrupt_64.dll+6962B86: 80 79 14 00              - cmp byte ptr [rcx+14],00
Disrupt_64.dll+6962B8A: 0F 84 B9 00 00 00        - je Disrupt_64.dll+6962C49
Disrupt_64.dll+6962B90: 48 8D 4C 24 50           - lea rcx,[rsp+50]
Disrupt_64.dll+6962B95: E8 06 6C EF FF           - call Disrupt_64.dll+68597A0
Disrupt_64.dll+6962B9A: 48 83 C8 FF              - or rax,-01
Disrupt_64.dll+6962B9E: C7 44 24 68 A7 D8 73 B4  - mov [rsp+68],B473D8A7
Disrupt_64.dll+6962BA6: F3 0F 11 75 80           - movss [rbp-80],xmm6
Disrupt_64.dll+6962BAB: 48 89 44 24 70           - mov [rsp+70],rax
Disrupt_64.dll+6962BB0: 48 89 44 24 78           - mov [rsp+78],rax
}
</AssemblerScript>
    </CheatEntry>
    <CheatEntry>
      <ID>4</ID>
      <Description>"No Reload"</Description>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>
[ENABLE]

// Hook on the 6-byte `dec [rbx+000000A8]` (FF 8B A8 00 00 00) in Disrupt_64.dll.
aobscanmodule(ammo,Disrupt_64.dll,FF 8B A8 00 00 00 85) // should be unique
// Code cave, requested near the hook address.
alloc(newmem,$1000,ammo)

label(code)
label(return)

newmem:

code:
  // The original decrement is left commented out, so the cave only jumps back:
  // the value at [rbx+A8] is no longer decremented on this path.
  //dec [rbx+000000A8]
  jmp return

ammo:
  // 5-byte jmp plus one nop covers the 6-byte original instruction.
  jmp newmem
  nop
return:
registersymbol(ammo)

[DISABLE]

// Restore the original instruction bytes.
ammo:
  db FF 8B A8 00 00 00

unregistersymbol(ammo)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: Disrupt_64.dll+56FD911

Disrupt_64.dll+56FD8E7: 80 BB AC 00 00 00 00  - cmp byte ptr [rbx+000000AC],00
Disrupt_64.dll+56FD8EE: 75 33                 - jne Disrupt_64.dll+56FD923
Disrupt_64.dll+56FD8F0: 80 BB AD 00 00 00 00  - cmp byte ptr [rbx+000000AD],00
Disrupt_64.dll+56FD8F7: 74 2A                 - je Disrupt_64.dll+56FD923
Disrupt_64.dll+56FD8F9: 48 8B 83 48 05 00 00  - mov rax,[rbx+00000548]
Disrupt_64.dll+56FD900: 48 85 C0              - test rax,rax
Disrupt_64.dll+56FD903: 74 06                 - je Disrupt_64.dll+56FD90B
Disrupt_64.dll+56FD905: 80 78 44 00           - cmp byte ptr [rax+44],00
Disrupt_64.dll+56FD909: 75 18                 - jne Disrupt_64.dll+56FD923
Disrupt_64.dll+56FD90B: 8B 83 A0 00 00 00     - mov eax,[rbx+000000A0]
// ---------- INJECTING HERE ----------
Disrupt_64.dll+56FD911: FF 8B A8 00 00 00     - dec [rbx+000000A8]
// ---------- DONE INJECTING  ----------
Disrupt_64.dll+56FD917: 85 C0                 - test eax,eax
Disrupt_64.dll+56FD919: 7E 08                 - jle Disrupt_64.dll+56FD923
Disrupt_64.dll+56FD91B: FF C8                 - dec eax
Disrupt_64.dll+56FD91D: 89 83 A0 00 00 00     - mov [rbx+000000A0],eax
Disrupt_64.dll+56FD923: 48 8B 0F              - mov rcx,[rdi]
Disrupt_64.dll+56FD926: FF 49 20              - dec [rcx+20]
Disrupt_64.dll+56FD929: 75 10                 - jne Disrupt_64.dll+56FD93B
Disrupt_64.dll+56FD92B: 48 8B 01              - mov rax,[rcx]
Disrupt_64.dll+56FD92E: BA 0F A2 4F C3        - mov edx,C34FA20F
Disrupt_64.dll+56FD933: 8D 92 F2 5D B0 3C     - lea edx,[rdx+3CB05DF2]
}
</AssemblerScript>
    </CheatEntry>
    <CheatEntry>
      <ID>9</ID>
      <Description>"Inf Gadgets"</Description>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>[ENABLE]

// Hook on `mov [rcx+10],eax` followed by `mov al,01` (89 41 10 B0 01, 5 bytes in total)
// in Disrupt_64.dll.
aobscanmodule(throwables,Disrupt_64.dll,89 41 10 B0 01 EB) // should be unique
// Code cave, requested near the hook address.
alloc(newmem,$1000,throwables)

label(code)
label(return)

newmem:

code:
// Replace the computed count with decimal 5 (the # prefix marks a decimal literal).
mov eax,#5
  mov [rcx+10],eax
  // Second displaced instruction, re-executed before returning.
  mov al,01
  jmp return

throwables:
  // 5-byte jmp replaces both displaced instructions exactly.
  jmp newmem
return:
registersymbol(throwables)

[DISABLE]

// Restore the original bytes of both instructions.
throwables:
  db 89 41 10 B0 01

unregistersymbol(throwables)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: Disrupt_64.dll+56FB99F

Disrupt_64.dll+56FB988: 48 85 C9        - test rcx,rcx
Disrupt_64.dll+56FB98B: 74 1B           - je Disrupt_64.dll+56FB9A8
Disrupt_64.dll+56FB98D: 8B 41 10        - mov eax,[rcx+10]
Disrupt_64.dll+56FB990: 83 F8 FF        - cmp eax,-01
Disrupt_64.dll+56FB993: 74 13           - je Disrupt_64.dll+56FB9A8
Disrupt_64.dll+56FB995: 39 F8           - cmp eax,edi
Disrupt_64.dll+56FB997: 76 04           - jna Disrupt_64.dll+56FB99D
Disrupt_64.dll+56FB999: 29 F8           - sub eax,edi
Disrupt_64.dll+56FB99B: EB 02           - jmp Disrupt_64.dll+56FB99F
Disrupt_64.dll+56FB99D: 31 C0           - xor eax,eax
// ---------- INJECTING HERE ----------
Disrupt_64.dll+56FB99F: 89 41 10        - mov [rcx+10],eax
// ---------- DONE INJECTING  ----------
Disrupt_64.dll+56FB9A2: B0 01           - mov al,01
Disrupt_64.dll+56FB9A4: EB 04           - jmp Disrupt_64.dll+56FB9AA
Disrupt_64.dll+56FB9A6: 60              - pushad (invalid) 
Disrupt_64.dll+56FB9A7: 3F              - db 3F
Disrupt_64.dll+56FB9A8: 30 C0           - xor al,al
Disrupt_64.dll+56FB9AA: 48 8B 5C 24 48  - mov rbx,[rsp+48]
Disrupt_64.dll+56FB9AF: 48 83 C4 30     - add rsp,30
Disrupt_64.dll+56FB9B3: 5F              - pop rdi
Disrupt_64.dll+56FB9B4: C3              - ret 
Disrupt_64.dll+56FB9B5: 53              - push rbx
}
</AssemblerScript>
    </CheatEntry>
    <CheatEntry>
      <ID>11</ID>
      <Description>"Inf Money"</Description>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>[ENABLE]

// Hook on the 8-byte `sub [rdi+rsi*8+00000728],rbx` (48 29 9C F7 28 07 00 00) in Disrupt_64.dll.
aobscanmodule(money,Disrupt_64.dll,48 29 9C F7 28 07 00 00) // should be unique
// Code cave, requested near the hook address.
alloc(newmem,$1000,money)

label(code)
label(return)

newmem:

code:
  // The original subtraction is left commented out, so the cave only jumps back:
  // rbx is no longer subtracted from the slot at [rdi+rsi*8+728].
  // NOTE(review): the slot is indexed by rsi, so this applies to every index that reaches
  // this instruction, not to one value only - confirm that is intended.
  //sub [rdi+rsi*8+00000728],rbx
  jmp return

money:
  // 5-byte jmp plus three nops covers the 8-byte original instruction.
  jmp newmem
  nop 3
return:
registersymbol(money)

[DISABLE]

// Restore the original instruction bytes.
money:
  db 48 29 9C F7 28 07 00 00

unregistersymbol(money)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: Disrupt_64.dll+5C99AD2

Disrupt_64.dll+5C99AB1: B9 01 01 00 00           - mov ecx,00000101
Disrupt_64.dll+5C99AB6: EB 0D                    - jmp Disrupt_64.dll+5C99AC5
Disrupt_64.dll+5C99AB8: B9 FD 00 00 00           - mov ecx,000000FD
Disrupt_64.dll+5C99ABD: EB 06                    - jmp Disrupt_64.dll+5C99AC5
Disrupt_64.dll+5C99ABF: 00 B9 FB 00 00 00        - add [rcx+000000FB],bh
Disrupt_64.dll+5C99AC5: 48 89 DA                 - mov rdx,rbx
Disrupt_64.dll+5C99AC8: E8 39 A8 34 01           - call Disrupt_64.dll+6FE4306
Disrupt_64.dll+5C99ACD: 48 85 DB                 - test rbx,rbx
Disrupt_64.dll+5C99AD0: 74 36                    - je Disrupt_64.dll+5C99B08
// ---------- INJECTING HERE ----------
Disrupt_64.dll+5C99AD2: 48 29 9C F7 28 07 00 00  - sub [rdi+rsi*8+00000728],rbx
// ---------- DONE INJECTING  ----------
Disrupt_64.dll+5C99ADA: 48 8D 15 E7 D0 89 FD     - lea rdx,[Disrupt_64.dll+3536BC8]
Disrupt_64.dll+5C99AE1: 48 8D 4C 24 30           - lea rcx,[rsp+30]
Disrupt_64.dll+5C99AE6: E8 75 63 E0 FE           - call Disrupt_64.dll+4A9FE60
Disrupt_64.dll+5C99AEB: 48 F7 DB                 - neg rbx
Disrupt_64.dll+5C99AEE: 89 F2                    - mov edx,esi
Disrupt_64.dll+5C99AF0: 48 89 F9                 - mov rcx,rdi
Disrupt_64.dll+5C99AF3: 49 89 C1                 - mov r9,rax
Disrupt_64.dll+5C99AF6: 49 89 D8                 - mov r8,rbx
Disrupt_64.dll+5C99AF9: C6 44 24 28 01           - mov byte ptr [rsp+28],01
Disrupt_64.dll+5C99AFE: C6 44 24 20 01           - mov byte ptr [rsp+20],01
Disrupt_64.dll+5C99B03: E8 C3 5A FF FF           - call Disrupt_64.dll+5C8F5CB
}
</AssemblerScript>
    </CheatEntry>
    <CheatEntry>
      <ID>13</ID>
      <Description>"Followers"</Description>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>[ENABLE]

// Hook on the 8-byte load `mov rax,[rcx+rax*8+00000728]` (48 8B 84 C1 28 07 00 00)
// in Disrupt_64.dll.
aobscanmodule(follower,Disrupt_64.dll,48 8B 84 C1 28 07 00 00) // should be unique
// Code cave, requested near the hook address.
alloc(newmem,$1000,follower)
// NOTE(review): newval has no near-address hint, unlike newmem; confirm that [newval]
// stays addressable from the cave wherever it lands.
alloc(newval,8)
// Registered before it is defined, so the value can be set from outside this script.
registersymbol(newval)
label(code)
label(return)

// Pending value to write; 0 means nothing is pending.
// NOTE(review): only 4 bytes are defined here while the cave reads 8 bytes with
// `mov rbp,[newval]`; this relies on the rest of the 8-byte allocation being zero - confirm.
newval:
dd 00

newmem:
// NOTE(review): neither `cmp [newval],0` nor `mov [newval],0` states an operand size;
// confirm the width the assembler picks.
cmp [newval],0
je code
  // A value is pending: store it into the indexed slot, using rbp as a scratch register.
  push rbp
  mov rbp,[newval]
  mov [rcx+rax*8+00000728],rbp
  pop rbp
  // One-shot: clear the pending value after it has been written.
  mov [newval],0
  // NOTE(review): this path returns without loading rax, so rax still holds the index
  // rather than the slot value that the original instruction would have loaded - confirm.
  jmp return

code:
  // Nothing pending: run the original load unchanged.
  mov rax,[rcx+rax*8+00000728]
  jmp return

follower:
  // 5-byte jmp plus three nops covers the 8-byte original instruction.
  jmp newmem
  nop 3
return:
registersymbol(follower)

[DISABLE]

// Restore the original instruction bytes.
follower:
  db 48 8B 84 C1 28 07 00 00

// Wildcards: drop every symbol and allocation made by the enable section.
unregistersymbol(*)
dealloc(*)

{
// ORIGINAL CODE - INJECTION POINT: Disrupt_64.dll+5C83DC5

Disrupt_64.dll+5C83DAF: 5F                       - pop rdi
Disrupt_64.dll+5C83DB0: C3                       - ret 
Disrupt_64.dll+5C83DB1: F3 0F 10 81 A8 07 00 00  - movss xmm0,[rcx+000007A8]
Disrupt_64.dll+5C83DB9: C3                       - ret 
Disrupt_64.dll+5C83DBA: CC                       - int 3 
Disrupt_64.dll+5C83DBB: CC                       - int 3 
Disrupt_64.dll+5C83DBC: CC                       - int 3 
Disrupt_64.dll+5C83DBD: 83 FA 06                 - cmp edx,06
Disrupt_64.dll+5C83DC0: 77 0C                    - ja Disrupt_64.dll+5C83DCE
Disrupt_64.dll+5C83DC2: 48 63 C2                 - movsxd  rax,edx
// ---------- INJECTING HERE ----------
Disrupt_64.dll+5C83DC5: 48 8B 84 C1 28 07 00 00  - mov rax,[rcx+rax*8+00000728]
// ---------- DONE INJECTING  ----------
Disrupt_64.dll+5C83DCD: C3                       - ret 
Disrupt_64.dll+5C83DCE: 31 C0                    - xor eax,eax
Disrupt_64.dll+5C83DD0: C3                       - ret 
Disrupt_64.dll+5C83DD1: 53                       - push rbx
Disrupt_64.dll+5C83DD2: 48 83 EC 20              - sub rsp,20
Disrupt_64.dll+5C83DD6: 48 89 D3                 - mov rbx,rdx
Disrupt_64.dll+5C83DD9: E8 E1 05 00 00           - call Disrupt_64.dll+5C843BF
Disrupt_64.dll+5C83DDE: 48 85 C0                 - test rax,rax
Disrupt_64.dll+5C83DE1: 74 07                    - je Disrupt_64.dll+5C83DEA
Disrupt_64.dll+5C83DE3: 48 8B 40 40              - mov rax,[rax+40]
}
</AssemblerScript>
    </CheatEntry>
    <CheatEntry>
      <ID>16</ID>
      <Description>"Inf Energy"</Description>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>[ENABLE]

// Hook on the 6-byte store `mov [rcx+00000090],eax` (89 81 90 00 00 00) in Disrupt_64.dll.
aobscanmodule(energy,Disrupt_64.dll,89 81 90 00 00 00 4D) // should be unique
// Code cave, requested near the hook address.
alloc(newmem,$1000,energy)

label(code)
label(return)

newmem:

code:
// Replace the value about to be stored with decimal 20 (the # prefix marks a decimal literal).
// NOTE(review): eax stays 20 after the cave returns; confirm that code after the hook
// which still reads rax tolerates the replaced value.
mov eax,#20
  mov [rcx+00000090],eax
  jmp return

energy:
  // 5-byte jmp plus one nop covers the 6-byte original instruction.
  jmp newmem
  nop
return:
registersymbol(energy)

[DISABLE]

// Restore the original instruction bytes.
energy:
  db 89 81 90 00 00 00

unregistersymbol(energy)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: Disrupt_64.dll+53B1020

Disrupt_64.dll+53B0FF6: F3 0F 59 49 74           - mulss xmm1,[rcx+74]
Disrupt_64.dll+53B0FFB: F3 0F 11 49 78           - movss [rcx+78],xmm1
Disrupt_64.dll+53B1000: C3                       - ret 
Disrupt_64.dll+53B1001: CC                       - int 3 
Disrupt_64.dll+53B1002: 3B 91 90 00 00 00        - cmp edx,[rcx+00000090]
Disrupt_64.dll+53B1008: 0F 84 DF 00 00 00        - je Disrupt_64.dll+53B10ED
Disrupt_64.dll+53B100E: 8B 81 88 00 00 00        - mov eax,[rcx+00000088]
Disrupt_64.dll+53B1014: 4C 8B 81 E0 01 00 00     - mov r8,[rcx+000001E0]
Disrupt_64.dll+53B101B: 39 C2                    - cmp edx,eax
Disrupt_64.dll+53B101D: 0F 42 C2                 - cmovb eax,edx
// ---------- INJECTING HERE ----------
Disrupt_64.dll+53B1020: 89 81 90 00 00 00        - mov [rcx+00000090],eax
// ---------- DONE INJECTING  ----------
Disrupt_64.dll+53B1026: 4D 85 C0                 - test r8,r8
Disrupt_64.dll+53B1029: 0F 84 BE 00 00 00        - je Disrupt_64.dll+53B10ED
Disrupt_64.dll+53B102F: 83 79 7C 00              - cmp dword ptr [rcx+7C],00
Disrupt_64.dll+53B1033: F3 0F 10 0D 5D 65 16 FE  - movss xmm1,[Disrupt_64.dll+3517598]
Disrupt_64.dll+53B103B: 0F 57 E4                 - xorps xmm4,xmm4
Disrupt_64.dll+53B103E: 0F 28 D9                 - movaps xmm3,xmm1
Disrupt_64.dll+53B1041: 74 2A                    - je Disrupt_64.dll+53B106D
Disrupt_64.dll+53B1043: 0F 57 DB                 - xorps xmm3,xmm3
Disrupt_64.dll+53B1046: 0F 57 C0                 - xorps xmm0,xmm0
Disrupt_64.dll+53B1049: F3 48 0F 2A D8           - cvtsi2ss xmm3,rax
}
</AssemblerScript>
    </CheatEntry>
  </CheatEntries>
  <UserdefinedSymbols/>
</CheatTable>
