這是外國人寫的腳本,無敵+一即必殺代碼
大方向算是看得懂,但有些不明白用意,請看得懂的網友解答

ai部分,看來是要把EAX 的XOR加密結果為0
我一看代碼以為寫錯了,遊戲會崩潰....但是執行是正確的沒問題
為什麼是pop eax 之後又是push eax
看底下的原始代碼,先前並沒有push動作卻pop,之後也push也無pop動作
為何這樣寫? 沒有崩潰?








define(address,"Chaosbane.exe"+3F32A5)
define(bytes,89 83 30 02 00 00)

[ENABLE]

assert(address,bytes)
alloc(newmem,$1000,"Chaosbane.exe"+3F32A5)

label(code)
label(return)
label(ai)
label(player)


newmem:
cmp rdx,00002DA5
je player
cmp rdx,00002DA5
jne ai
jmp code

code:
mov [rbx+00000230],eax
jmp return

player:
mov eax,[rbx+00000228]
mov [rbx+00000230],eax
jmp return

ai:
pop eax
mov eax,BABEEBAB
push eax
mov [rbx+00000230],eax
jmp return




address:
jmp newmem
nop
return:

[DISABLE]

address:
db bytes
// mov [rbx+00000230],eax

dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "Chaosbane.exe"+3F32A5

"Chaosbane.exe"+3F3276: 8B 44 24 50 - mov eax,[rsp+50]
"Chaosbane.exe"+3F327A: 0F 2F 44 24 58 - comiss xmm0,[rsp+58]
"Chaosbane.exe"+3F327F: 0F 47 C1 - cmova eax,ecx
"Chaosbane.exe"+3F3282: 89 44 24 50 - mov [rsp+50],eax
"Chaosbane.exe"+3F3286: 89 4C 24 58 - mov [rsp+58],ecx
"Chaosbane.exe"+3F328A: F3 0F 10 44 24 58 - movss xmm0,[rsp+58]
"Chaosbane.exe"+3F3290: F3 0F 5C 44 24 50 - subss xmm0,[rsp+50]
"Chaosbane.exe"+3F3296: F3 0F 11 44 24 58 - movss [rsp+58],xmm0
"Chaosbane.exe"+3F329C: 8B 44 24 58 - mov eax,[rsp+58]
"Chaosbane.exe"+3F32A0: 35 AB EB BE BA - xor eax,BABEEBAB
// ---------- INJECTING HERE ----------
"Chaosbane.exe"+3F32A5: 89 83 30 02 00 00 - mov [rbx+00000230],eax
// ---------- DONE INJECTING ----------
"Chaosbane.exe"+3F32AB: 35 AB EB BE BA - xor eax,BABEEBAB
"Chaosbane.exe"+3F32B0: 89 44 24 58 - mov [rsp+58],eax
"Chaosbane.exe"+3F32B4: F3 0F 10 44 24 58 - movss xmm0,[rsp+58]
"Chaosbane.exe"+3F32BA: 0F 2E C6 - ucomiss xmm0,xmm6
"Chaosbane.exe"+3F32BD: 7A 10 - jp Chaosbane.exe+3F32CF
"Chaosbane.exe"+3F32BF: 75 0E - jne Chaosbane.exe+3F32CF
"Chaosbane.exe"+3F32C1: 48 8D 55 B0 - lea rdx,[rbp-50]
"Chaosbane.exe"+3F32C5: 48 8B CB - mov rcx,rbx
"Chaosbane.exe"+3F32C8: E8 83 F1 FF FF - call Chaosbane.exe+3F2450
"Chaosbane.exe"+3F32CD: EB 17 - jmp Chaosbane.exe+3F32E6