Originally Posted by
moathebest
Guys when i made a base for the hack "_CShell" and i try to open CF it gives me this proplem W[2007] L[0] CShell is changed...
That doesn't mather. Its becouse some one dumpt it. You can make your own "dump". It is easy and you alway's have the last addies.
Load Cshell.dll in to a procces. Then freeze it.
Attach olly. Done.
Originally Posted by
moathebest
and where is the add or offset in this:
10134B98 . 68 4C4C2F10 PUSH _CShell.102F4C4C ; ASCII "ReloadAnimRatio"
Where the (class + and offset) gets called.
Code:
10131D68 68 040D2F10 PUSH 102F0D04 ; ASCII "ReloadAnimRatio"
10131D6D D998 98260000 FSTP DWORD PTR DS:[EAX+2698]
10131D73 55 PUSH EBP
10131D74 E8 57D41700 CALL 102AF1D0
10131D79 83C4 08 ADD ESP,8
10131D7C 85C0 TEST EAX,EAX
10131D7E 74 46 JE SHORT 10131DC6
10131D80 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
10131D83 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]
10131D86 8B0D E85EA610 MOV ECX,DWORD PTR DS:[10A65EE8]
10131D8C 85C9 TEST ECX,ECX
10131D8E 8B5A 04 MOV EBX,DWORD PTR DS:[EDX+4]
10131D91 74 0E JE SHORT 10131DA1
10131D93 A1 EC5EA610 MOV EAX,DWORD PTR DS:[10A65EEC]
10131D98 2BC1 SUB EAX,ECX
10131D9A C1F8 02 SAR EAX,2
10131D9D 3BF0 CMP ESI,EAX
10131D9F 72 08 JB SHORT 10131DA9
10131DA1 FFD7 CALL EDI
10131DA3 8B0D E85EA610 MOV ECX,DWORD PTR DS:[10A65EE8]
10131DA9 53 PUSH EBX
10131DAA 8D3CB1 LEA EDI,DWORD PTR DS:[ECX+ESI*4]
10131DAD 90 NOP
10131DAE E8 C2FF3A62 CALL MSVCR80.atof
10131DB3 D95C24 14 FSTP DWORD PTR SS:[ESP+14]
10131DB7 D94424 14 FLD DWORD PTR SS:[ESP+14]
10131DBB 8B07 MOV EAX,DWORD PTR DS:[EDI]
10131DBD D998 98260000 FSTP DWORD PTR DS:[EAX+2698]
10131DC3 83C4 04 ADD ESP,4
You need to learn how this works The address in here is the address of the class.
The offset is the place in the class.
In this case, it isn't a class. But I'm not going to bother you with this :P