    Post runconsole in nasm

    Hey guys, since hackshield checks for the memory hacks, I removed some functions from this hack so that there are just a few pushtoconsoles left, which I will share ... I coded it in NASM with the nasmx project... so it is not really new, but maybe someone is interested in another programming language; I love assembler because it is so basic
    As you can see, there is also a function ('proc findaddys') that uses sig scans so that the hack adjusts itself after a game update

    Code:
    ; Target: 32-bit x86, Windows PE DLL, built with the nasmx macro set.
    ; IMPORT name, N appears to declare a stdcall import whose arguments take
    ; N bytes (VirtualProtect: 4 args, CreateThread: 6 args, GetModuleHandleA: 1).
    ; Sleep is a plain extern and is called with a raw push (see attachrc).
    ; entry DllEntry names the image entry point (the DllMain equivalent below).
    %include 'C:\Programme\asm\inc\nasmx.inc'
    
    IMPORT VirtualProtect, 16
    IMPORT CreateThread, 24
    IMPORT GetModuleHandleA, 4
    
    extern Sleep
    
    entry	DllEntry
    
    [section .text]
    
    ;-----------------------------------------------------------------------
    ; d3d9hook — one-shot detour body reached from the E9 jmp that attachrc
    ; writes at [endsceneaddy]+2.  Not a proc: it has no prologue of its own,
    ; runs on whichever thread reaches the patched entry, executes the three
    ; displaced instructions itself (bottom of the block) and leaves through
    ; jmp [rchookback] (= [endsceneaddy]+7, set by attachrc).
    ; Reads:  addyrc, endsceneaddy, rchookback.   Writes: oldprotect.
    ; Clobb:  eax, ecx, flags, plus whatever the routine at [addyrc] clobbers
    ;         (called as cdecl — the caller pops the argument with add esp, 4).
    ; The VirtualProtect return value is ignored and oldprotect is written but
    ; never read back.
    ;-----------------------------------------------------------------------
    d3d9hook:
    
    	; VirtualProtect([addyrc], 10, 40h, &oldprotect): stdcall, arguments
    	; pushed right-to-left; 40h = PAGE_EXECUTE_READWRITE so the bytes
    	; below can be written.
    	push oldprotect
    	push 40h
    	push 10
    	push dword [addyrc]
    	call VirtualProtect
    
    	mov ecx, dword [addyrc]
    
    	; Temporarily overwrite four bytes inside the routine at [addyrc] with
    	; 90h (NOP); the original values are written back further down.
    	mov byte [ecx+1Bh], 90h
    	mov byte [ecx+1Ch], 90h
    	mov byte [ecx+24h], 90h
    	mov byte [ecx+25h], 90h
    	
    ; Call the routine at [addyrc] once per .data string, cdecl.
    ; szfps is passed twice (first and last call).
    push szfps
    call [addyrc]
    add esp, 4
    
    push sznxchams
    call [addyrc]
    add esp, 4
    
    push szfrunvel
    call [addyrc]
    add esp, 4
    
    push szsrunvel
    call [addyrc]
    add esp, 4
    
    push szbrunvel
    call [addyrc]
    add esp, 4
    
    push szspread1
    call [addyrc]
    add esp, 4
    
    push szspread2
    call [addyrc]
    add esp, 4
    
    push szspread3
    call [addyrc]
    add esp, 4
    
    push szspread4
    call [addyrc]
    add esp, 4
    
    push szhulk
    call [addyrc]
    add esp, 4
    
    push szfps
    call [addyrc]
    add esp, 4
    
    	mov ecx, dword [addyrc]
    
    	; Put back the four bytes NOP'd above (hard-coded original values).
    	mov byte [ecx+1Bh], 72h
    	mov byte [ecx+1Ch], 0Eh
    	mov byte [ecx+24h], 73h
    	mov byte [ecx+25h], 05h
    
    ; Unhook: rewrite the five bytes at [endsceneaddy]+2 that attachrc replaced
    ; with its E9 jmp.  55 8B EC 6A FF are the encodings of push ebp /
    ; mov ebp,esp / push -1 — the same three instructions executed just below.
    mov eax, [endsceneaddy]
    add eax, 2
    mov byte [eax], 55h
    mov byte [eax+1], 8Bh
    mov byte [eax+2], 0xEC
    mov byte [eax+3], 6Ah
    mov byte [eax+4], 0xFF
    
    ; Execute the displaced instructions, then resume the original code at
    ; [endsceneaddy]+7 (rchookback).  Tail jump, not call/ret.
    push ebp
    mov ebp, esp
    push 0FFFFFFFFh
    jmp [rchookback]
    
    
    
    ;-----------------------------------------------------------------------
    ; attachrc — thread routine (started by findaddys via CreateThread).
    ; Every 10 s it re-installs the detour into the routine whose address
    ; findaddys stored in endsceneaddy; d3d9hook removes it again on first
    ; use, which is why this loops forever.  jmp loopwait is unconditional,
    ; so the endproc epilogue is never reached and the thread never returns.
    ; Reads:  endsceneaddy.
    ; Writes: moduled3d9 (reused as scratch — after the first pass it no
    ;         longer holds the d3d9 module base), rchookback, oldprotect.
    ; Clobb:  eax, ecx, flags.
    ; The VirtualProtect return value is ignored and oldprotect is never read back.
    ;-----------------------------------------------------------------------
    proc attachrc
    locals none
    
    	loopwait:
    	push 10000
    	call Sleep                      ; Sleep(10000): stdcall, callee pops the arg
    
    	; moduled3d9 = endsceneaddy (scratch copy of the patch site)
    	mov eax, dword [endsceneaddy]	
    	mov dword [moduled3d9], eax
    
    	; rchookback = patch site + 7: where d3d9hook resumes the original code
    	mov eax, [moduled3d9]
    	mov dword [rchookback], eax
    
    	add dword [rchookback], 7
    
    	; make 10 bytes at the patch site writable (40h = PAGE_EXECUTE_READWRITE)
    	invoke VirtualProtect, [moduled3d9], 10, 40h, oldprotect
    	
    	; write a 5-byte relative jump (E9 rel32) at patch site + 2;
    	; rel32 = d3d9hook - (site + 2) - 5, i.e. relative to the end of the jmp
    	add dword [moduled3d9], 2
    
    	mov ecx, dword [moduled3d9]
    
    	mov byte [ecx], 0xE9	
    	mov eax, d3d9hook               ; absolute address; relocated by the loader
    	sub eax, dword [moduled3d9]
    	sub eax, 5
    	mov dword [ecx+1], eax
    
    	jmp loopwait
    endproc
    
    
    ;-----------------------------------------------------------------------
    ; findaddys — thread routine started from DllEntry.  Resolves the two
    ; addresses the rest of the file needs, then hands over to attachrc:
    ;   1. Spin (no Sleep — this busy-waits) until GetModuleHandleA succeeds
    ;      for cshell.dll, ClientFX.fxd and d3d9.dll.  The ClientFX handle is
    ;      only waited for, never stored.
    ;   2. Byte-scan forward from the cshell base for a fixed pattern, then
    ;      follow two indirections from the matched bytes to fill addyrc
    ;      (the routine d3d9hook later calls with the .data strings).
    ;   3. Byte-scan forward from the d3d9 base for a second pattern and read
    ;      the pointer 168 bytes into the table it references -> endsceneaddy.
    ;   4. CreateThread(attachrc).
    ; Writes: modulecshell, moduled3d9, rcoffset, addyrc, endsceneaddy.
    ; Clobb:  eax, ebx, ecx, flags.  ebx is callee-saved in the Win32 ABI and
    ;         is not preserved here (the caller is the thread start thunk;
    ;         presumably harmless, not verified).
    ; Both scans have no upper bound: they step one byte at a time until the
    ; pattern matches, so an absent pattern reads past the end of the mapping.
    ; Each scan also starts with inc ecx, so the base byte itself is skipped.
    ;-----------------------------------------------------------------------
    proc findaddys
    locals none
    
    	loopcshell:
    	invoke GetModuleHandleA, szCshell
    	cmp eax, 0                      ; NULL until the module is loaded
    	je loopcshell
    
    	mov [modulecshell], eax		
    
    	loopclientfx:
    	invoke GetModuleHandleA, szClientFX
    	cmp eax, 0
    	je loopclientfx                 ; handle discarded: presence is all that is checked
    
    
    	loopd3d9:
    	invoke GetModuleHandleA, szD3D9
    	cmp eax, 0
    	je loopd3d9
    
    	mov [moduled3d9], eax
    
    	; --- scan 1: ecx walks upward from the cshell base; any mismatch
    	;     restarts at the next byte.  Offsets +1..+3, +7..+10 and +12..+14
    	;     are not compared (wildcards).
    	mov ecx, [modulecshell]
    
    	looprcbyte:
    	inc ecx
    
    	cmp byte [ecx], 0xA1
    	jne looprcbyte
    
    	cmp byte [ecx+4], 37h
    	jne looprcbyte
    
    	cmp byte [ecx+5], 8Bh
    	jne looprcbyte
    
    	cmp byte [ecx+6], 88h
    	jne looprcbyte
    
    	cmp byte [ecx+11], 68h
    	jne looprcbyte
    
    	cmp byte [ecx+15], 37h
    	jne looprcbyte
    
    	cmp byte [ecx+16], 0xFF
    	jne looprcbyte
    
    	cmp byte [ecx+17], 0xD1
    	jne looprcbyte
    
    	cmp byte [ecx+18], 59h
    	jne looprcbyte
    
    	cmp byte [ecx+19], 0xC2
    	jne looprcbyte
    
    	cmp byte [ecx+20], 10h
    	jne looprcbyte
    
    	cmp byte [ecx+21], 00h
    	jne looprcbyte
    
    	; match: +7 holds a 32-bit displacement (rcoffset), +1 a 32-bit
    	; absolute address; addyrc = *( *(addr) + rcoffset )
    	mov ebx, [ecx+7]
    	mov dword [rcoffset], ebx	
    	mov ebx, [ecx+1]
    	mov ebx, [ebx]
    	add ebx, [rcoffset]
    	mov ecx, [ebx]
    	mov dword [addyrc], ecx
    
    
    	; --- scan 2: same shape, from the d3d9 base; +2..+5 and +8..+11 are
    	;     not compared (wildcards).
    	mov ecx, [moduled3d9]
    
    	loopsearchd3d9:
    	inc ecx
    
    	cmp byte [ecx], 0xC7
    	jne loopsearchd3d9
    
    	cmp byte [ecx+1], 06h
    	jne loopsearchd3d9
    
    	cmp byte [ecx+6], 89h
    	jne loopsearchd3d9
    
    	cmp byte [ecx+7], 86h
    	jne loopsearchd3d9
    
    	cmp byte [ecx+12], 89h
    	jne loopsearchd3d9
    
    	cmp byte [ecx+13], 86h
    	jne loopsearchd3d9
    
    	; match: the dword at +2 is a table address; the entry at byte offset
    	; 168 (dword index 42) is the routine attachrc patches.  The author's
    	; name suggests an EndScene entry — presumed, not verified here.
    	add ecx, 2
    	mov ebx, [ecx]
    	add ebx, 168
    	mov eax, [ebx]
    	mov dword [endsceneaddy], eax
    
    ; CreateThread(NULL, 0, attachrc, NULL, 0, NULL); the handle in eax is dropped
    invoke	CreateThread, 0, 0, attachrc, 0, 0, 0
    endproc
    
    
    
    ;-----------------------------------------------------------------------
    ; DllEntry(hinst, reason, reserved) — image entry point (entry DllEntry
    ; at the top of the file).  When reason == 1 (DLL_PROCESS_ATTACH) it
    ; starts findaddys on a new thread; in every case it returns 1 (TRUE).
    ; reason is read as [ebp+0Ch] — the second stack argument, assuming the
    ; proc macro emits the usual push ebp / mov ebp,esp prologue — rather than
    ; through the parameter name declared on the proc line.
    ; NOTE(review): a thread created from the entry point is generally held on
    ; the loader lock until the entry point returns; this affects timing only.
    ;-----------------------------------------------------------------------
    proc   DllEntry, ptrdiff_t hinst, size_t reason, size_t reserved
    locals none
    	mov	ecx, 1                      ; DLL_PROCESS_ATTACH
    	cmp	[ebp+0Ch], ecx 
    	jne	goon
    	invoke	CreateThread, 0, 0, findaddys, 0, 0, 0
    	goon:
    	mov	eax, 1                      ; return TRUE
    endproc
    
    
    
    
    [section .data]
    
    ; The three module names are looked up with GetModuleHandleA (ANSI), so
    ; NASMX_TCHAR must resolve to the 8-bit character type in this build for
    ; the lookups to succeed — assumption, confirm against the nasmx settings.
    ; Every other string is passed as the single argument of a call through
    ; [addyrc] in d3d9hook.  All strings are explicitly NUL-terminated (0x0).
        szCshell:    declare(NASMX_TCHAR) NASMX_TEXT('cshell.dll'), 0x0
        szClientFX:    declare(NASMX_TCHAR) NASMX_TEXT('ClientFX.fxd'), 0x0
        szD3D9:    declare(NASMX_TCHAR) NASMX_TEXT('d3d9.dll'), 0x0
        sznxchams:    declare(NASMX_TCHAR) NASMX_TEXT('SkelModelStencil -1'), 0x0
        szfrunvel:    declare(NASMX_TCHAR) NASMX_TEXT('FRunVel 500.000000'), 0x0
        szbrunvel:    declare(NASMX_TCHAR) NASMX_TEXT('BRunVel 500.000000'), 0x0
        szsrunvel:    declare(NASMX_TCHAR) NASMX_TEXT('SRunVel 500.000000'), 0x0
        szspread1:    declare(NASMX_TCHAR) NASMX_TEXT('PerturbRotationEffect  0.000000'), 0x0
        szspread2:    declare(NASMX_TCHAR) NASMX_TEXT('PerturbIncreaseSpeed 0.000000'), 0x0
        szspread3:    declare(NASMX_TCHAR) NASMX_TEXT('PerturbWalkPercent 0.000000'), 0x0
        szspread4:    declare(NASMX_TCHAR) NASMX_TEXT('PerturbFiringIncreaseSpeed 0.000000'), 0x0   
        szfps:    declare(NASMX_TCHAR) NASMX_TEXT('ShowFps 1'), 0x0
        szhulk:	declare(NASMX_TCHAR) NASMX_TEXT('JumpVel 660.000000'), 0x0 
    
    
    [section .bss]
    	
    	; Zero-initialised globals shared between the threads above.  Every one
    	; of them is only ever accessed as a single dword, yet each reserves
    	; two (resd 2 = 8 bytes); the second dword is unused.
    	modulecshell : resd 2           ; base of cshell.dll (findaddys)
    	addyrc : resd 2                 ; routine called with the .data strings
    	rcoffset : resd 2               ; displacement read from the first scan match
    	rchookback : resd 2             ; resume address for d3d9hook (patch site + 7)
    	moduled3d9 : resd 2	            ; d3d9 base, later reused by attachrc as scratch
    	oldprotect : resd 2             ; filled by VirtualProtect, never read back
    	endsceneaddy : resd 2           ; patch site found by the second scan

    Nicely done, mate!

    Progress with my game - "Disbanded"
    • Fixed FPS lag on spawning entities due to the ent_preload buffer!
    • Edit the AI code to get some better pathfinding
    • Fixed the view bug within the sniper scope view. The mirror entity is invisible now!
    • Added a new silencer for ALL weapons. Also fixed the rotation bugs
    • Added a ton of new weapons and the choice to choose a silencer for every weapon
    • Created a simple AntiCheat, noobs will cry like hell xD
    • The name will be Disbanded, the alpha starts on the 18th august 2014



    Some new physics fun (Serversided, works on every client)



    My new AI
    https://www.youtube.com/watch?v=EMSB1GbBVl8

    And for sure my 8 months old gameplay with 2 friends
    https://www.youtube.com/watch?v=Na2kUdu4d_k

    Putting it in another language won't change anything.
    I just like programming, that is all.

    Current Stuff:

    • GPU Programmer (Cuda)
    • Client/Server (Cloud Server)
    • Mobile App Development

    I have already said that it is nothing new, but in my opinion some things are easier to do, for example the hook (you do not copy any bytes from the original endscene)... also the output is really small, the DLL is just 3 KB; that might not be important and it is more playing around... maybe someone is interested in it
