Code:
00401390 /$ 55 PUSH EBP
00401391 |. 89E5 MOV EBP,ESP
00401393 |. 83EC 18 SUB ESP,18
00401396 |. 83E4 F0 AND
ESP,FFFFFFF0
00401399 |. B8 00000000 MOV EAX,0
0040139E |. 83C0 0F ADD EAX,0F
004013A1 |. 83C0 0F ADD EAX,0F
004013A4 |. C1E8 04 SHR EAX,4
004013A7 |. C1E0 04 SHL EAX,4
004013AA |. 8945 FC MOV DWORD PTR
SS:[EBP-4],EAX
004013AD |. 8B45 FC MOV EAX,DWORD
PTR SS:[EBP-4]
004013B0 |. E8 ABBF0000 CALL
TBG.0040D360
004013B5 |. E8 E6BB0000 CALL
TBG.0040CFA0
004013BA |. C70424 00004400 MOV DWORD PTR
SS:[ESP],TBG.00440000 ; |ASCII "title
TBG"
004013C1 |. E8 9AF50000 CALL
<JMP.&msvcrt.system> ;
system
004013C6 |> 833D 00F04300 00 /CMP DWORD PTR
DS:[43F000],0
004013CD |. 0F8E C1020000 |JLE
TBG.00401694
004013D3 |. 833D 10F04300 01 |CMP DWORD PTR
DS:[43F010],1
004013DA |.^75 EA |JNZ SHORT
TBG.004013C6
004013DC |. FF0D 10F04300 |DEC DWORD PTR
DS:[43F010]
004013E2 |. C74424 04 0A004400 |MOV DWORD PTR
SS:[ESP+4],TBG.0044000A ; ASCII "It is
YOUR turn hero.
"
004013EA |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
004013F1 |. E8 52AF0300 |CALL
TBG.0043C348
004013F6 |. C74424 04 21004400 |MOV DWORD PTR
SS:[ESP+4],TBG.00440021 ; ASCII "Your
HP is: "
004013FE |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
00401405 |. E8 3EAF0300 |CALL
TBG.0043C348
0040140A |. 89C2 |MOV EDX,EAX
0040140C |. A1 00F04300 |MOV EAX,DWORD
PTR DS:[43F000]
00401411 |. 894424 04 |MOV DWORD PTR
SS:[ESP+4],EAX
00401415 |. 891424 |MOV DWORD PTR
SS:[ESP],EDX
00401418 |. E8 C39C0200 |CALL
TBG.0042B0E0
0040141D |. C74424 04 2E004400 |MOV DWORD PTR
SS:[ESP+4],TBG.0044002E
00401425 |. 890424 |MOV DWORD PTR
SS:[ESP],EAX
00401428 |. E8 1BAF0300 |CALL
TBG.0043C348
0040142D |. C74424 04 30004400 |MOV DWORD PTR
SS:[ESP+4],TBG.00440030 ; ASCII "Your
SP is: "
00401435 |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
0040143C |. E8 07AF0300 |CALL
TBG.0043C348
00401441 |. 89C2 |MOV EDX,EAX
00401443 |. A1 04F04300 |MOV EAX,DWORD
PTR DS:[43F004]
00401448 |. 894424 04 |MOV DWORD PTR
SS:[ESP+4],EAX
0040144C |. 891424 |MOV DWORD PTR
SS:[ESP],EDX
0040144F |. E8 8C9C0200 |CALL
TBG.0042B0E0
00401454 |. C74424 04 2E004400 |MOV DWORD PTR
SS:[ESP+4],TBG.0044002E
0040145C |. 890424 |MOV DWORD PTR
SS:[ESP],EAX
0040145F |. E8 E4AE0300 |CALL
TBG.0043C348
00401464 |. C74424 04 3D004400 |MOV DWORD PTR
SS:[ESP+4],TBG.0044003D ; ASCII "Decide
Your Next Move
"
0040146C |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
00401473 |. E8 D0AE0300 |CALL
TBG.0043C348
00401478 |. C74424 04 54004400 |MOV DWORD PTR
SS:[ESP+4],TBG.00440054 ; ASCII "1.
Punch(10 DMG 0 SP)
"
00401480 |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
00401487 |. E8 BCAE0300 |CALL
TBG.0043C348
0040148C |. C74424 04 6B004400 |MOV DWORD PTR
SS:[ESP+4],TBG.0044006B ; ASCII "2.
Psyki(20 DMG 5 SP)
"
00401494 |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
0040149B |. E8 A8AE0300 |CALL
TBG.0043C348
004014A0 |. C74424 04 10304400 |MOV DWORD PTR
SS:[ESP+4],TBG.00443010
004014A8 |. C70424 70344400 |MOV DWORD PTR
SS:[ESP],TBG.00443470
004014AF |. E8 5C6F0200 |CALL
TBG.00428410
004014B4 |. 833D 10304400 01 |CMP DWORD PTR
DS:[443010],1
004014BB |. 0F85 88000000 |JNZ
TBG.00401549
004014C1 |. C705 14304400 0A000000 |MOV DWORD PTR
DS:[443014],0A
004014CB |. C74424 04 82004400 |MOV DWORD PTR
SS:[ESP+4],TBG.00440082 ; ASCII "You
do: "
004014D3 |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
004014DA |. E8 69AE0300 |CALL
TBG.0043C348
004014DF |. 89C2 |MOV EDX,EAX
004014E1 |. A1 14304400 |MOV EAX,DWORD
PTR DS:[443014]
004014E6 |. 894424 04 |MOV DWORD PTR
SS:[ESP+4],EAX
004014EA |. 891424 |MOV DWORD PTR
SS:[ESP],EDX
004014ED |. E8 EE9B0200 |CALL
TBG.0042B0E0
004014F2 |. C74424 04 8B004400 |MOV DWORD PTR
SS:[ESP+4],TBG.0044008B ; ASCII " DMG
"
004014FA |. 890424 |MOV DWORD PTR
SS:[ESP],EAX
004014FD |. E8 46AE0300 |CALL
TBG.0043C348
00401502 |. A1 14304400 |MOV EAX,DWORD
PTR DS:[443014]
00401507 |. 2905 08F04300 |SUB DWORD PTR
DS:[43F008],EAX
0040150D |. C74424 04 91004400 |MOV DWORD PTR
SS:[ESP+4],TBG.00440091 ; ASCII "Monstr
Life: "
00401515 |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
0040151C |. E8 27AE0300 |CALL
TBG.0043C348
00401521 |. 89C2 |MOV EDX,EAX
00401523 |. A1 08F04300 |MOV EAX,DWORD
PTR DS:[43F008]
00401528 |. 894424 04 |MOV DWORD PTR
SS:[ESP+4],EAX
0040152C |. 891424 |MOV DWORD PTR
SS:[ESP],EDX
0040152F |. E8 AC9B0200 |CALL
TBG.0042B0E0
00401534 |. C74424 04 2E004400 |MOV DWORD PTR
SS:[ESP+4],TBG.0044002E
0040153C |. 890424 |MOV DWORD PTR
SS:[ESP],EAX
0040153F |. E8 04AE0300 |CALL
TBG.0043C348
00401544 |. E9 8A000000 |JMP
TBG.004015D3
00401549 |> C705 14304400 14000000 |MOV DWORD PTR
DS:[443014],14
00401553 |. C74424 04 82004400 |MOV DWORD PTR
SS:[ESP+4],TBG.00440082 ; ASCII "You
do: "
0040155B |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
00401562 |. E8 E1AD0300 |CALL
TBG.0043C348
00401567 |. 89C2 |MOV EDX,EAX
00401569 |. A1 14304400 |MOV EAX,DWORD
PTR DS:[443014]
0040156E |. 894424 04 |MOV DWORD PTR
SS:[ESP+4],EAX
00401572 |. 891424 |MOV DWORD PTR
SS:[ESP],EDX
00401575 |. E8 669B0200 |CALL
TBG.0042B0E0
0040157A |. C74424 04 8B004400 |MOV DWORD PTR
SS:[ESP+4],TBG.0044008B ; ASCII " DMG
"
00401582 |. 890424 |MOV DWORD PTR
SS:[ESP],EAX
00401585 |. E8 BEAD0300 |CALL
TBG.0043C348
0040158A |. A1 14304400 |MOV EAX,DWORD
PTR DS:[443014]
0040158F |. 2905 08F04300 |SUB DWORD PTR
DS:[43F008],EAX
00401595 |. 832D 04F04300 05 |SUB DWORD PTR
DS:[43F004],5
0040159C |. C74424 04 91004400 |MOV DWORD PTR
SS:[ESP+4],TBG.00440091 ; ASCII "Monstr
Life: "
004015A4 |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
004015AB |. E8 98AD0300 |CALL
TBG.0043C348
004015B0 |. 89C2 |MOV EDX,EAX
004015B2 |. A1 08F04300 |MOV EAX,DWORD
PTR DS:[43F008]
004015B7 |. 894424 04 |MOV DWORD PTR
SS:[ESP+4],EAX
004015BB |. 891424 |MOV DWORD PTR
SS:[ESP],EDX
004015BE |. E8 1D9B0200 |CALL
TBG.0042B0E0
004015C3 |. C74424 04 2E004400 |MOV DWORD PTR
SS:[ESP+4],TBG.0044002E
004015CB |. 890424 |MOV DWORD PTR
SS:[ESP],EAX
004015CE |. E8 75AD0300 |CALL
TBG.0043C348
004015D3 |> 833D 10F04300 00 |CMP DWORD PTR
DS:[43F010],0
004015DA |. 75 7F |JNZ SHORT
TBG.0040165B
004015DC |. FF05 10F04300 |INC DWORD PTR
DS:[43F010]
004015E2 |. C74424 04 9F004400 |MOV DWORD PTR
SS:[ESP+4],TBG.0044009F ; ASCII
"Computer AIs Turn
"
004015EA |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
004015F1 |. E8 52AD0300 |CALL
TBG.0043C348
004015F6 |. C74424 04 B2004400 |MOV DWORD PTR
SS:[ESP+4],TBG.004400B2 ; ASCII
"Computer Hits You
"
004015FE |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
00401605 |. E8 3EAD0300 |CALL
TBG.0043C348
0040160A |. C74424 04 C5004400 |MOV DWORD PTR
SS:[ESP+4],TBG.004400C5 ; ASCII
"Suffer: 10 Damage
"
00401612 |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
00401619 |. E8 2AAD0300 |CALL
TBG.0043C348
0040161E |. 832D 00F04300 0A |SUB DWORD PTR
DS:[43F000],0A
00401625 |. C74424 04 D8004400 |MOV DWORD PTR
SS:[ESP+4],TBG.004400D8 ; ASCII "New
HP: "
0040162D |. C70424 D0334400 |MOV DWORD PTR
SS:[ESP],TBG.004433D0
00401634 |. E8 0FAD0300 |CALL
TBG.0043C348
00401639 |. 8B15 00F04300 |MOV EDX,DWORD
PTR DS:[43F000]
0040163F |. 895424 04 |MOV DWORD PTR
SS:[ESP+4],EDX
00401643 |. 890424 |MOV DWORD PTR
SS:[ESP],EAX
00401646 |. E8 959A0200 |CALL
TBG.0042B0E0
0040164B |. C74424 04 2E004400 |MOV DWORD PTR
SS:[ESP+4],TBG.0044002E
00401653 |. 890424 |MOV DWORD PTR
SS:[ESP],EAX
00401656 |. E8 EDAC0300 |CALL
TBG.0043C348
0040165B |> 833D 08F04300 04 |CMP DWORD PTR
DS:[43F008],4
00401662 |.^0F8F 5EFDFFFF JG
TBG.004013C6
00401668 |. C74424 04 E1004400 MOV DWORD PTR
SS:[ESP+4],TBG.004400E1 ; ASCII "You
Just Won"
00401670 |. C70424 D0334400 MOV DWORD PTR
SS:[ESP],TBG.004433D0
00401677 |. E8 CCAC0300 CALL
TBG.0043C348
0040167C |. C70424 EF004400 MOV DWORD PTR
SS:[ESP],TBG.004400EF ; ||ASCII
"pause"
00401683 |. E8 D8F20000 CALL
<JMP.&msvcrt.system> ;
|system
00401688 |. C70424 00000000 MOV DWORD PTR
SS:[ESP],0 ; |
0040168F |. E8 BCF20000 CALL
<JMP.&msvcrt.exit> ;
exit
00401694 |> C74424 04 F5004400 MOV DWORD PTR
SS:[ESP+4],TBG.004400F5 ; ASCII
"Thanks For Playin
"
0040169C |. C70424 D0334400 MOV DWORD PTR
SS:[ESP],TBG.004433D0
004016A3 |. E8 A0AC0300 CALL
TBG.0043C348
004016A8 |. C70424 EF004400 MOV DWORD PTR
SS:[ESP],TBG.004400EF ; |ASCII
"pause"
004016AF |. E8 ACF20000 CALL
<JMP.&msvcrt.system> ;
system
004016B4 |. B8 00000000 MOV EAX,0
004016B9 |. C9 LEAVE
004016BA . C3 RETN
Step 4. You are now looking at the assembly version of your C++ code as it executes in memory. Notice that key parts are labelled with ASCII comments, such as 'Monster Life'. I just wanted to show you this rewind trick, but what you really need to do now is press CTRL+G so the 'Goto Expression' box pops up. Enter the offset we found and press search:
Code:
#include <windows.h>
#include <iostream>
using namespace std;
// Handle to the target game window, resolved once during static
// initialisation (before main runs). It is null when no window titled "TBG"
// exists; main checks it before doing anything else.
HWND hHack = FindWindow(nullptr, "TBG");

// Write one byte into the target process at `addy` (defined below).
void write(LPVOID addy, DWORD mydata);
// Enable SeDebugPrivilege on the current process token (defined below).
void adddebugtokens();
// Apply the single-byte patch to the game (defined below).
void calltohack();
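// Entry point: bails out when the game window was not found at startup,
// otherwise enables the debug privilege and applies the patch.
int main() {
    if (!hHack) {
        cout << "Window not found" << endl;
        system("pause");
        return 0;
    }
    cout << "Loading Hack" << endl;
    // The original called enableDebugPrivileges(), which is declared nowhere
    // in this file and would not link; the privilege helper this file
    // actually defines is adddebugtokens().
    adddebugtokens();
    calltohack();
    system("pause");
    return 0;
}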
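// Write the low byte of `mydata` into the process that owns hHack, at `addy`.
//
// Only one byte is written (the original also passed a size of 1 to
// WriteProcessMemory), so the DWORD parameter is effectively a byte value and
// anything above 0xFF is truncated. The only caller, calltohack(), passes
// 0x0040161F and 0x05. Failures are reported on stdout rather than ignored;
// the original checked neither OpenProcess nor WriteProcessMemory.
void write(LPVOID addy, DWORD mydata)
{
    DWORD PID = 0;
    DWORD TID = ::GetWindowThreadProcessId(hHack, &PID);
    if (TID == 0 || PID == 0) {
        cout << "Could not resolve the target process id" << endl;
        return;
    }
    // Request only the rights this function uses; PROCESS_ALL_ACCESS (which
    // the original OR'ed in) is far wider than a one-byte write needs.
    HANDLE hopen = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, PID);
    if (hopen == NULL) {
        cout << "OpenProcess failed, error " << GetLastError() << endl;
        return;
    }
    // Make the single-byte write explicit instead of relying on the
    // little-endian layout of a DWORD.
    BYTE value = static_cast<BYTE>(mydata & 0xFF);
    SIZE_T written = 0;
    if (!WriteProcessMemory(hopen, addy, &value, sizeof(value), &written) || written != sizeof(value)) {
        cout << "WriteProcessMemory failed, error " << GetLastError() << endl;
    }
    CloseHandle(hopen);
}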
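// Enable SeDebugPrivilege on the current process token.
//
// Same OpenProcessToken -> LookupPrivilegeValue -> AdjustTokenPrivileges
// sequence as the original, but the magic numbers are replaced by the named
// constants they stood for, every return value is checked, and the token
// handle is closed (the original never closed hToken). Note that
// AdjustTokenPrivileges returns TRUE even when the privilege was not
// granted; that case is signalled through GetLastError() ==
// ERROR_NOT_ALL_ASSIGNED, so it is checked explicitly.
void adddebugtokens()
{
    HANDLE hToken = NULL;
    // The original's literal 40 is 0x28 == TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x08).
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        cout << "OpenProcessToken failed, error " << GetLastError() << endl;
        return;
    }
    LUID luid;
    // SE_DEBUG_NAME expands to TEXT("SeDebugPrivilege"), so it also builds under UNICODE.
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        cout << "LookupPrivilegeValue failed, error " << GetLastError() << endl;
        CloseHandle(hToken);
        return;
    }
    TOKEN_PRIVILEGES NewState;
    TOKEN_PRIVILEGES PreviousState;
    DWORD ReturnLength = 0;
    NewState.PrivilegeCount = 1;
    NewState.Privileges[0].Luid = luid;
    NewState.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // the original's literal 2
    // The original passed 28 as the size of PreviousState, which does not
    // match the struct; sizeof keeps the advertised buffer length honest.
    if (!AdjustTokenPrivileges(hToken, FALSE, &NewState, sizeof(PreviousState), &PreviousState, &ReturnLength)
        || GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        cout << "SeDebugPrivilege could not be enabled, error " << GetLastError() << endl;
    }
    CloseHandle(hToken);
}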
// Apply the patch: store the byte 0x05 at address 0x0040161F inside the TBG
// process (the offset referred to in the tutorial text above).
void calltohack()
{
    LPVOID patchAddress = reinterpret_cast<LPVOID>(0x0040161F);
    write(patchAddress, 0x05);
}