Why don't you use your 'fataly' account anymore?
Quote from: CrAzY on October 14, 2009, 10:51 AMAre you sure? He had a question about something very similar a day before you made your second post in this thread, you both referred to the architecture as "IA32" instead of the normal "x86", his IP places him in Virginia, and your profile states you live in Burke, Virginia.Quote from: brew on October 13, 2009, 12:26 PMNo.
Are you the_wiz_kid_89 on Freenode?
Quote from: CrAzY on October 13, 2009, 10:11 AMWell, that's not a string first of all. It's an integer array. I guess the first element of the array at 0x80497c0 is 0x323000 (00 30 32 00) which gdb was able to print out.
is this 4x$eax+"\002" ? If so, how does that affect the "string" "\002" ?
Quote from: CrAzY on October 13, 2009, 10:11 AMThis is irrelevant. eax is overwritten.
Stepping into this, %eax = 0x06 I think.
Quote from: CrAzY on October 13, 2009, 10:11 AMI'm not quite sure about movsbl. Really, that's movsb which moves a byte from esi to edi then increments each, but this takes two operands. So, I think what gdb really meant to say was "movzx (%edx, %ebx, 1), %eax".
Can someone explain the algorithm taking place a little better? I read that "movsbl" drags the sign bit over.
Quote from: CrAzY on October 13, 2009, 10:11 AMYou worry way too much about what flags each instruction modifies. Instead, only worry about what flags are being set right before an instruction that reads the flags, such as a conditional jump (Jcc), or a set-byte-register-to-flag instruction (SETcc).
Can someone show a small example exactly how that will look in this code?
Quote from: CrAzY on October 12, 2009, 01:23 PMThat must be killer. It's pretty painful to read AT&T syntax.
Basically I have been using gdb and stepping through each line of assembly monitoring each register and searching for the answers.
Quote from: CrAzY on October 12, 2009, 01:23 PMtest %eax,%eax checks if a value is zero or nonzero.
What is the purpose of "test %eax, %eax"? I know it's a bitwise AND and I'm assuming no matter what it is, the ZF is set. I read something like it is used to see if the SF changes or something?
Quote from: CrAzY on October 12, 2009, 01:23 PMNo, they're the values contained inside of the registers.
When I do "info registers" in gdb, it will echo the register name, a hexadecimal value, and an integer value. Are the hex and int values just the address the register points to? If so, is "print /x $reg" returning the value the address points to or the address itself?
Quote from: CrAzY on October 12, 2009, 01:23 PMNo. 4(%ebp) is the stored ebp from the last frame. 0(%ebp) is the return address. But yes, 8(%ebp, %paramnumber, 4) is the expression for the parameters.
I'm aware that %ebp and %esp are the base stack pointer and the stack pointer. Is the following statement correct? 0x4(%ebp) = return address; 0x8(%ebp) = first parameter; 0xC(%ebp) = 2nd parameter; and so on?
Quote from: CrAzY on October 12, 2009, 01:23 PM%ebi? :-? Must be a gdb thing.
Where there is a call such as "push %ebi", why does the %esp move a WORD in the negative direction?
Quote from: CrAzY on October 12, 2009, 01:23 PMMaybe the compiler overlooked the fact that it didn't need to use the stack in that instance, or maybe it wasn't optimized to use a register in the first place.
What is the purpose of pushing registers on the stack when you can use them regardless?
Quote from: CrAzY on October 12, 2009, 01:23 PMHuh? That's a poor question.
is "ret" always %eax?
Quote from: CrAzY on October 12, 2009, 01:23 PMWell no, there's no difference between esp and ebp and the rest of them either.
Is there any real difference between each register (without including %esp and %ebp)?
Quote from: rabbit on October 05, 2009, 05:34 PM
All Battle.net packets use little-endian, so it doesn't matter.
Quote from: MyndFyre on September 23, 2009, 01:33 AMInteresting. I would think that wouldn't work on NT-based systems, and since everyone now is on NT or *nix it seems like that would be pointless these days....
Why not? That code is communicating directly with the hardware at a level below anything NT has to do with. The operating system model being used is irrelevant.
int sm2tc(int x) {
return ((x & (~(x ^ x) >> 1)) ^ (~((x & (~(x ^ x) << 31)) >> 31) + 1)) + ((x & (~(x ^ x) << 31)) >> 31);
}
int sm2tc(int x) {
int neg1 = ~(x ^ x);
int hibitpresent = (x & (neg1 << 31));
return ((x & (neg1 >> 1)) ^ (~(hibitpresent >> 31) + 1)) + (hibitpresent >> 31);
}
Quote from: CrAzY on September 22, 2009, 05:46 PMWell, what you want to do is compare the two. The traditional way many processor architectures do this behind the scenes is subtraction -- however, you can't use the subtraction or negation operator. However, you do have addition. Subtraction is merely addition with the one's complement. Recall that ~x + 1 == -x. After this, the trick is to check the presence or absence of the top bit - clear means the number is 0 or greater, set means it's less than 0. In this case, it's the presence of the 31st bit... now all you need to do is move it 31 places to the right and negate your answer.
/*
* isLessOrEqual - if x <= y then return 1, else return 0
* Example: isLessOrEqual(4,5) = 1.
* Legal ops: ! ~ & ^ | + << >>
* Max ops: 24
* Rating: 3
*/
int isLessOrEqual(int x, int y) {
return ;
}
int isLessOrEqual(int x, int y) {
return !((y + (~x + 1)) >> 31);
}
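The subtraction-by-addition trick from the reply above, as an added example that is not code from the thread: the sign-of-(y - x) test as posted, beside a version that also handles the case the sign test misses, where y - x overflows because x and y have different signs (for instance x = INT_MIN). Function names are mine, and the arithmetic is done in uint32_t so the 32-bit wrap-around is well defined in C.

```c
#include <limits.h>
#include <stdint.h>

/* Sign bit of a 32-bit two's complement value, as 0 or 1. */
static int sign_bit(uint32_t v) { return (int)(v >> 31); }

/* The form from the post: x <= y  <=>  (y - x) >= 0, with y - x computed as
 * y + (~x + 1). Done in uint32_t because signed overflow is undefined in C. */
int isLessOrEqual_naive(int x, int y) {
    uint32_t ux = (uint32_t)x, uy = (uint32_t)y;
    uint32_t diff = uy + (~ux + 1u);          /* == y - x  (mod 2^32) */
    return !sign_bit(diff);
}

/* y - x can only overflow when x and y have different signs, and in that case
 * the signs alone decide the answer: x <= y iff x is the negative one. When the
 * signs agree the subtraction cannot overflow and the sign bit is trustworthy. */
int isLessOrEqual(int x, int y) {
    uint32_t ux = (uint32_t)x, uy = (uint32_t)y;
    int sx = sign_bit(ux), sy = sign_bit(uy);
    int same_sign = !(sx ^ sy);
    uint32_t diff = uy + (~ux + 1u);
    return (same_sign & !sign_bit(diff)) | (!same_sign & sx);
}

/* Compares both forms against the compiler's <= on a constructed set of edge
 * values. Returns the number of pairs the naive form gets wrong, or -1 if the
 * overflow-safe form ever disagrees with <=. */
int naive_failures(void) {
    static const int cases[] = { 0, 1, -1, 4, 5, INT_MAX, INT_MIN };
    int n = (int)(sizeof cases / sizeof cases[0]), bad = 0;
    for (int i = 0; i < n; i++) {
        for (int j = 0; j < n; j++) {
            int want = cases[i] <= cases[j];
            if (isLessOrEqual(cases[i], cases[j]) != want)
                return -1;
            bad += isLessOrEqual_naive(cases[i], cases[j]) != want;
        }
    }
    return bad;   /* 10: exactly the pairs where y - x overflows 32 bits */
}
```

The uint32_t casts are not among the puzzle's legal ops; they are only there to keep the wrap-around defined in standard C, and every other operator used is on the puzzle's list.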
Quote from: Hdx on September 20, 2009, 02:42 PM
Anyone wanna bother telling me what that asm does? if anything.
*note all formatting is me, his raw code is all on the left.
Quote from: ReaSoN on September 13, 2009, 04:54 PMGood question. I think it's like a typical "are you still there bro?" kind of ping to test if the connection is still active and ok at the application level, whereas the one way SID_NULL keepalive is to keep the connection active and ping at a level below the application layer.
why does BNET keep sending 0x25 if it doesn't update the ping?
Quote from: ReaSoN on September 13, 2009, 04:54 PMBy delaying the sending of all other packets until your 0x25 is sent. What I like to do is break my program off into another GetMessage/TranslateMessage/DispatchMessage loop so it could service the GUI messages and the packets from other connections while it waits for the spoofing period to be over like so:
And how can i "improve" my method to make it work?
void __stdcall PingSpoofProc(int index) {
char asdf[64];
AddChatf(vbYellow, bot[index]->hWnd_rtfChat, asdf, "Sleep()ing for %dms...", bot[index]->spoofedping);
Sleep(bot[index]->spoofedping);
AddChat(vbGreen, "Wakey wakey!", bot[index]->hWnd_rtfChat);
InsertDWORD(0);
SendPacket(0x25, index);
PostMessage(hWnd_main, WM_WAKEUP, 0, index);
}
void WaitForPingSpoof(int index) {
MSG msg;
HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)PingSpoofProc, (void *)index, 0, NULL);
while (GetMessage(&msg, (HWND)NULL, 0, 0)) {
if (msg.message == WM_WAKEUP && msg.lParam == index && msg.hwnd == hWnd_main)
break;
if (!TranslateMDISysAccel(hWnd_Client, &msg)) {
TranslateMessage(&msg);
DispatchMessage(&msg);
}
}
CloseHandle(hThread);
}
Quote from: MyndFyre on August 04, 2009, 03:51 AMYou would. For example, Warcraft 3's Storm loads at the exact same base address as Starcraft's, however they are different binaries. I reckon that if a module were to request Storm, it'd like the flavor of Storm that client uses.
* If I mapped in the whole files of the games (so that it didn't depend, for instance, on the .ini files that have floated around on the forum), I'd need to create separate processes for each game, right? I'd bet (I haven't checked) that their images overlap in memory.
Quote from: MyndFyre on August 04, 2009, 03:51 AMYes. Perhaps the preferred base address of your module should be 0x70000000, or something like that. Most developers wouldn't dream of putting something there, since it's relatively close to Windows' DLLs.
* Do you recommend hosting my own code in a specific region in memory (i.e. by creating different base addresses for my assemblies)? Obviously I'll have to avoid the game memory.
Quote from: MyndFyre on August 04, 2009, 03:51 AMLoadLibraryEx with LOAD_LIBRARY_AS_DATAFILE works fine for me. Just remember, if you're using LoadLibraryEx, to trim off the 2 low bytes. Kernel32 has a penchant for tacking on flags to the address it's loaded to (remember, it's a 'handle' not a 'base address', so they can get away with that....).
* Is it adequate to load the game files using LoadLibraryEx with DONT_RESOLVE_DLL_REFERENCES, or should I plan on loading them manually?