Decompiling CheatEngineFiles & GamesTrainers
11-05-2012, 08:33 AM
Post: #1
Decompiling CheatEngineFiles & GamesTrainers
Can you please help me with this file also: https://hotfile.com/dl/178550546/be45365/Test.rar.html
11-05-2012, 04:31 PM (This post was last modified: 11-05-2012 04:41 PM by cw2k.)
Post: #2
RE: Improved AutoIt3 Decompiler / myAutToExe Decompiler
(11-05-2012 03:26 AM)punjab5 Wrote:  Can you please help me with this file also: http://rghost.net/41311119


.7z  NFSW_SpeedHack build1207_by_gmz_analyse by cw2k.7z (Size: 17.47 KB / Downloads: 101)
Code:
Loader __NFSW_03.11.2012.exe

-> looks for Window "GameFrame NEED FOR SPEED™ WORLD"
gets
  https://sites.google.com/site/nfswhackhome/NFSW.BIN

and starts it inside the NFS-process


NFSW.BIN_00BF0000.exe unpacked

Patch data
==========

Initial Patch

Nr    Len         PatchData         VAddress in Process NFSW.exe

#15    06            9059EB42D233    dest = 1025328E
#14    01                      EB    dest = 10231F79
#13    05              9090C3C033    dest = 10284400
#12    01                      C3    dest = 102535D0
#11    02                    C03A    dest = 103CE19C
#10    01                      C3    dest = 103CB4C0
#0F    10            FA771E3C310F    dest = 10252CF3
#0E    01                      EB    dest = 1020386A
#0D    02                    12EB    dest = 10124E5B
#0C    01                      EB    dest = 1050F4FC
#0B    05              9090909090    dest = 10137DC5
#0A    05              9090909090    dest = 10137DF8
#09    05              9090909090    dest = 10137E2B
#08    05              9090909090    dest = 10137E5E
#07    10        xxxxxxxx000035FF    dest = 1027F573
#06    03                  90C03A    dest = 103D4263
#05    01                      EB    dest = 103E1D41
#04    02                    10EB    dest = 1008E118
#03    04                9040C033    dest = 100C3A17
#02    01                      EB    dest = 1011F91D
#01    02                    C03A    dest = 10089AA6


#xx    04                 00000000          1027F575
#yy    04                 00000000          1027F57B


Some patch data details:


#07    10        xxxxxxxx000035FF    dest = 1027F573
          $ ==>      FF35 00000000   PUSH    [DWORD 0]
          $+6        FF15 00000000   CALL    [0]
          $+C        EB 50           JMP     SHORT 100032A0
          $+E        90              NOP
          $+F        90              NOP
    

#0F    10            FA771E3C310F    dest = 10252CF3
                  $ ==>    0F31            RDTSC
                  $+2      3C 1E           CMP     AL, 1E
                  $+4      77 FA           JA      SHORT <RDTSC>
                  $+6      0FB6D0          MOVZX   EDX, AL
                  $+9      83FA 01         CMP     EDX, 1
                  $+C      77 02           JA      SHORT <End>
                  $+E      42              INC     EDX
                  $+F      42              INC     EDX
        

#15    06            9059EB42D233    dest = 1025328E
                            33D2            XOR     EDX, EDX
                            42              INC     EDX
                            EB 59           JMP     SHORT 10003268



Incomplete - there are more; use IDA to get them out.

Quote:can you please give me a step-wise description of how you convert exe to .ct and what tools I need? I would be very thankful to you
:-/ What steps ya need?

Please try at least to make the first one and start.
Tongue

Tools are WinHex, FlexHex or some other hex editor that supports opening the memory of a process.

Quote from my last post there, I wrote:
Just dump uncompressed data from memory while script/trainer is loaded.
Open the "NFSW Mega Trainer.EXE" process in WinHex / Entire RAM

Search for CheatEngineTableVersion
copy & paste the data around it into a *.CT.
Done.

More specific questions are welcome.

What ya like to do - any concrete target?
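The PatchData column in the listing above is printed as one little-endian number, which is why its hex reads backwards against the disassembly (#15's 9059EB42D233 is 33 D2 42 EB 59 90 in memory). The Python below is an editor's example added to this thread; it is not part of cw2k's attachment. It parses the table rows into memory-order byte sequences and then does what a defender would do with such a list: compare it against a memory image to report which of the hooks are present. The module base 0x10000000 and the blank image in demo() are constructed assumptions chosen to fit the dest values; nothing is read from a real process.

```python
"""Decode the NFSW patch listing into (address, bytes) records.

The PatchData column is a little-endian hex number, so the byte sequence written
into NFSW.exe is the column read right to left.  'xx' marks bytes the analysis
left unresolved, Len is hexadecimal, and Len may exceed the bytes shown because
the column holds at most eight of them (#07 and #0F are 0x10 long).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Table copied from the post (whitespace normalised).  The last two rows are
# the operand slots of #07 and carry no 'dest =' prefix in the original.
PATCH_LISTING = """\
#15 06 9059EB42D233 dest = 1025328E
#14 01 EB dest = 10231F79
#13 05 9090C3C033 dest = 10284400
#12 01 C3 dest = 102535D0
#11 02 C03A dest = 103CE19C
#10 01 C3 dest = 103CB4C0
#0F 10 FA771E3C310F dest = 10252CF3
#0E 01 EB dest = 1020386A
#0D 02 12EB dest = 10124E5B
#0C 01 EB dest = 1050F4FC
#0B 05 9090909090 dest = 10137DC5
#0A 05 9090909090 dest = 10137DF8
#09 05 9090909090 dest = 10137E2B
#08 05 9090909090 dest = 10137E5E
#07 10 xxxxxxxx000035FF dest = 1027F573
#06 03 90C03A dest = 103D4263
#05 01 EB dest = 103E1D41
#04 02 10EB dest = 1008E118
#03 04 9040C033 dest = 100C3A17
#02 01 EB dest = 1011F91D
#01 02 C03A dest = 10089AA6
#xx 04 00000000 1027F575
#yy 04 00000000 1027F57B
"""

ROW = re.compile(r"^#(\w{2})\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-fx]+)\s+(?:dest\s*=\s*)?([0-9A-Fa-f]{8})$")


@dataclass
class Patch:
    nr: str                    # row label from the listing
    length: int                # Len column, hexadecimal
    dest: int                  # virtual address in the target process
    data: List[Optional[int]]  # bytes in memory order, None for an 'xx' byte
    truncated: bool            # fewer bytes shown than Len says


def decode_patch_data(column: str) -> List[Optional[int]]:
    """Reverse the little-endian hex column into memory byte order."""
    pairs = [column[i:i + 2] for i in range(0, len(column), 2)]
    return [None if p.lower() == "xx" else int(p, 16) for p in reversed(pairs)]


def parse_listing(text: str) -> List[Patch]:
    """Parse every '#nn Len PatchData dest' row; any other line is ignored."""
    patches = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        nr, ln, data, dest = m.groups()
        raw = decode_patch_data(data)
        length = int(ln, 16)
        patches.append(Patch(nr, length, int(dest, 16), raw, len(raw) < length))
    return patches


def check_image(patches: List[Patch], module_base: int, image: bytes) -> Dict[str, str]:
    """Per patch: 'patched' if the image (starting at module_base) already holds the
    patch bytes at dest, 'clean' if it differs, 'out of range' if not covered.
    Unresolved 'xx' bytes match anything."""
    report = {}
    for p in patches:
        off = p.dest - module_base
        if off < 0 or off + len(p.data) > len(image):
            report[p.nr] = "out of range"
            continue
        window = image[off:off + len(p.data)]
        hit = all(b is None or b == w for b, w in zip(p.data, window))
        report[p.nr] = "patched" if hit else "clean"
    return report


def demo() -> Dict[str, str]:
    """Constructed scenario: a blank image with only patch #15 applied.
    The module base 0x10000000 is an assumption made to fit the dest values."""
    patches = parse_listing(PATCH_LISTING)
    base = 0x10000000
    image = bytearray(0x600000)
    p15 = next(p for p in patches if p.nr == "15")
    off = p15.dest - base
    image[off:off + len(p15.data)] = bytes(p15.data)
    return check_image(patches, base, bytes(image))
```

Running demo() reports #15 as patched and every other numbered row as clean; the two all-zero operand rows (#xx, #yy) read as "patched" against a blank image, which is the expected result of their data being 00000000 and a reminder that zero-filled slots are not useful as integrity markers on their own.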
11-06-2012, 02:50 AM (This post was last modified: 11-06-2012 03:00 AM by punjab5.)
Post: #3
RE: Improved AutoIt3 Decompiler / myAutToExe Decompiler
Thanks man, you are a genius Smile


(11-05-2012 04:31 PM)cw2k Wrote:  [...]

I want to make a game trainer combining both.
11-06-2012, 04:19 AM
Post: #4
RE: Improved AutoIt3 Decompiler / myAutToExe Decompiler
(11-05-2012 08:33 AM)asbb Wrote:  Can you please help me with this file also: https://hotfile.com/dl/178550546/be45365/Test.rar.html

Well, before you spam the whole forum with requests - here we go:
source code for Free Zynga pokerbot version 1.4.5 (Nov 2012)
https://rapidshare.com/files/3850652323/...4.5_src.7z

-> In case it now makes you hit some poker jackpot - PM me for sharing.


... and to refresh my storage of Club-Mate. Big Grin
[Image: 220px-Club-mate-flaschen.jpg]
11-06-2012, 08:38 AM (This post was last modified: 11-07-2012 02:44 AM by punjab5.)
Post: #5
RE: Improved AutoIt3 Decompiler / myAutToExe Decompiler
Can you please tell me how to dump uncompressed data from memory while the script/trainer is loaded?

In the second file you decompiled yesterday, I don't know how to edit it. What language/software did he use to make the trainer?
[Image: unbenanntszw.png]

I am getting this kind of thing with IDA but I'm not getting what I want; I need offsets for drunk driver. Please help me with this...
11-07-2012, 08:18 PM
Post: #6
RE: Decompiling CheatEngineFiles & GamesTrainers
Trainers are often written in asm or C.
These are zero-terminated strings, so it's not Delphi...

Maybe follow the references around 'drunk drive' like unk_100034d8.

However, the API to write changes to another process is Kernel32.WriteProcessMemory; find it in the trainer and explore what's happening around it.

Or load it in OllyDbg and set a breakpoint there (Ctrl+N -> WriteProcessMemory, ...).
Maybe work with log breakpoints; however, that takes some time and it is annoying to set them and write cryptic expressions like [[esp+8]] just to get one fancy argument - and do it again to log another.

Dumpers - well, I use the pretty old LordPE and sometimes the little hidden dumper inside Import REConstructor (RC/advCmd/Select Code Section->Fulldump) or, when in Olly, the plugin OllyDump.
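The recipe from post #2 (dump the trainer's memory while it runs, search for CheatEngineTableVersion, copy the surrounding data into a .CT file) and the dumpers named in this post meet in the following Python, added here as an editor's example and not any poster's code. A .CT file is XML whose root element is <CheatTable> with that attribute on it, so a dump can be carved for complete <CheatTable> elements around each hit and the entries listed without touching a hex editor. The sample dump, the table contents and the addresses in them are constructed; treating a UTF-16LE copy of the table as a possible in-memory form is an assumption, not something the thread states.

```python
"""Carve an embedded Cheat Engine table out of a process memory dump.

A .CT file is XML whose root element <CheatTable> carries the
CheatEngineTableVersion attribute; that attribute name is the search string
post #2 recommends.  Given a dump of the running trainer (hex editor RAM view,
LordPE, OllyDump ...) this finds every complete <CheatTable> element around
such a hit and lists the cheat entries it contains.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

MARKER = "CheatEngineTableVersion"


def carve_cheat_tables(dump: bytes) -> List[str]:
    """Return each complete <CheatTable>...</CheatTable> element in dump as text.
    UTF-8 (the file bytes) and UTF-16LE (assumed here for a table held as a
    wide string) copies are both recognised; a marker hit with no surrounding
    element is skipped instead of being returned as garbage."""
    found = []
    for enc in ("utf-8", "utf-16-le"):
        marker, open_tag, close_tag = (s.encode(enc) for s in (MARKER, "<CheatTable", "</CheatTable>"))
        pos = 0
        while (hit := dump.find(marker, pos)) >= 0:
            # The opening tag must lie after the previous carve, or the stray
            # marker would get glued onto an earlier table.
            start = dump.rfind(open_tag, pos, hit)
            end = dump.find(close_tag, hit)
            if start < 0 or end < 0:
                pos = hit + len(marker)
                continue
            end += len(close_tag)
            found.append(dump[start:end].decode(enc))
            pos = end
    return found


def summarise(table_xml: str) -> Dict[str, object]:
    """Pull the table version and (description, address) of every entry,
    including entries nested below other entries."""
    root = ET.fromstring(table_xml)
    entries: List[Tuple[str, str]] = []
    for entry in root.iter("CheatEntry"):
        desc = entry.findtext("Description", default="").strip('"')
        entries.append((desc, entry.findtext("Address", default="")))
    return {"version": root.get(MARKER), "entries": entries}


# Constructed sample tables; descriptions and addresses are made up.
TABLE_A = (
    '<CheatTable CheatEngineTableVersion="26">'
    "<CheatEntries>"
    '<CheatEntry><ID>0</ID><Description>"Drunk driver"</Description>'
    "<VariableType>4 Bytes</VariableType><Address>0AC6F210</Address></CheatEntry>"
    '<CheatEntry><ID>1</ID><Description>"Speed"</Description>'
    "<VariableType>Float</VariableType><Address>0AC6F214</Address></CheatEntry>"
    "</CheatEntries></CheatTable>"
)
TABLE_B = (
    '<CheatTable CheatEngineTableVersion="23"><CheatEntries>'
    '<CheatEntry><ID>0</ID><Description>"Nitro"</Description>'
    "<VariableType>4 Bytes</VariableType><Address>0AC6F2A0</Address></CheatEntry>"
    "</CheatEntries></CheatTable>"
)


def build_sample_dump() -> bytes:
    """Constructed dump: filler around a UTF-8 table, a stray marker with no
    element, then a UTF-16LE table."""
    filler = bytes(range(256)) * 4
    xml_decl = '<?xml version="1.0" encoding="utf-8"?>'.encode()
    stray = b"\x00" * 16 + MARKER.encode() + b"\x00" * 16
    return filler + xml_decl + TABLE_A.encode("utf-8") + stray + TABLE_B.encode("utf-16-le") + filler
```

On the constructed dump this yields two tables, versions 26 and 23; the stray marker between them is ignored because no <CheatTable> opens after the first carve. Carving from the root element rather than from the XML declaration keeps the result parseable even when the declaration did not survive in memory.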
11-14-2012, 07:19 AM (This post was last modified: 11-18-2012 02:23 AM by punjab5.)
Post: #7
RE: Decompiling CheatEngineFiles & GamesTrainers
@cw2k Can you please decompile this one with screenshots of the steps, then I will be able to decompile it myself: http://rghost.net/41559179

(11-07-2012 08:18 PM)cw2k Wrote:  [...]
12-30-2012, 07:38 AM
Post: #8
RE: Decompiling CheatEngineFiles & GamesTrainers
Please help me to decompile this http://rghost.net/42591723
08-17-2016, 06:20 AM
Post: #9
RE: Decompiling CheatEngineFiles & GamesTrainers
Hello guys,
Could you please help me decompile this file and give me the AOB?
It's a Cheat Engine trainer.
https://www.sendspace.com/file/lqnn3e
I'm not really skilled at this kind of stuff and I would be really grateful.