Usage: in Cheat Engine open the Auto Assembler (Memory View -> Tools -> Auto Assemble, or Ctrl+Alt+A), paste this script, choose File -> Assign to current cheat table, then save the table as a .ct file. A .ct file is an XML cheat table, so renaming a plain-text copy of this script to .ct will not produce a loadable table.
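[ENABLE]
// Hook for nightreign.exe: captures the table base pointer (r8) the game
// uses when it reads entry 0, so RelicEdPtr1 can be used as a pointer base
// by a cheat-table entry (presumed intended use, from the symbol name).
//
// Injection point is the 5-byte instruction `mov eax,[r8+rax*4+18]`; the
// 5-byte `jmp newmem` overwrites exactly that instruction, so no instruction
// is straddled and the `ret` that follows it stays intact.
aobscanmodule(RelicEditor,nightreign.exe,41 8B 44 80 18) // should be unique - a second match would hook the wrong copy; verify with a manual AOB scan before trusting the pointer
alloc(newmem,$20,RelicEditor)        // 32 bytes, placed near the hook so the rel32 jmp can reach it
alloc(RelicEdPtr1,8,RelicEditor)     // keep the pointer slot near newmem too: the store below is RIP-relative (+/-2GB)
registersymbol(RelicEdPtr1)
label(code)
label(return)

newmem:
  // At the hook the game has already checked `edx < 3` (32-bit compare) and
  // copied edx into eax as the index. Test edx, not rdx: the index is handled
  // as a 32-bit value by the game itself and the upper half of rdx is not
  // guaranteed to be clear, so `cmp rdx,0` could miss an index of 0.
  test edx,edx
  jne code
  mov [RelicEdPtr1],r8               // index 0 read: r8 = base of the 3-entry table (indices 0..2 pass the game's bound check)
code:
  mov eax,[r8+rax*4+18]              // original instruction, re-executed here
  jmp return

RelicEditor:
  jmp newmem
return:
registersymbol(RelicEditor)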
[DISABLE]
// Restore the original 5 bytes at the hook, then release everything the
// [ENABLE] section registered and allocated. NOTE(review): if a game thread
// is executing inside newmem at the instant it is freed this can crash; CE
// does not synchronise the dealloc with the target's threads.
RelicEditor:
  db 41 8B 44 80 18                  // mov eax,[r8+rax*4+18]

unregistersymbol(RelicEditor)
unregistersymbol(RelicEdPtr1)
dealloc(newmem)
dealloc(RelicEdPtr1)
{
// ORIGINAL CODE - INJECTION POINT: nightreign.exe+672650
nightreign.exe+67262D: E9 1E 27 00 00- jmp nightreign.exe+674D50
nightreign.exe+672632: 83 F8 FF- cmp eax,-01
nightreign.exe+672635: 0F 84 7B 7F 72 01- je nightreign.exe+1D9A5B6
nightreign.exe+67263B: E9 02 05 BB 06- jmp nightreign.exe+7222B42
nightreign.exe+672640: 4C 8B 41 08- mov r8,[rcx+08]
nightreign.exe+672644: 4D 85 C0- test r8,r8
nightreign.exe+672647: 74 0D- je nightreign.exe+672656
nightreign.exe+672649: 83 FA 03- cmp edx,03
nightreign.exe+67264C: 73 08- jae nightreign.exe+672656
nightreign.exe+67264E: 8B C2- mov eax,edx
// ---------- INJECTING HERE ----------
nightreign.exe+672650: 41 8B 44 80 18- mov eax,[r8+rax*4+18]
// ---------- DONE INJECTING ---------- (5-byte instruction replaced by a 5-byte rel32 jmp: no neighbouring instruction is straddled and the ret at +672655 is untouched)
nightreign.exe+672655: C3- ret
nightreign.exe+672656: B8 FF FF FF FF- mov eax,FFFFFFFF
nightreign.exe+67265B: C3- ret
nightreign.exe+67265C: 90- nop
nightreign.exe+67265D: 48 8B 45 4C- mov rax,[rbp+4C]
nightreign.exe+672661: 8B 41 08- mov eax,[rcx+08]
nightreign.exe+672664: 4D 85 C0- test r8,r8
nightreign.exe+672667: 74 0D- je nightreign.exe+672676
nightreign.exe+672669: 83 FA 03- cmp edx,03
nightreign.exe+67266C: 73 08- jae nightreign.exe+672676
}
