200
"Working Cheats"
FF0000
1
202
"HUD + Visibility"
008000
1
257
"_HudToggle ( h )"
808000
Auto Assembler Script
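[ENABLE]
// In-place patch of the HUD visibility check. The 5 scanned bytes are
// "cmp eax,[ebx+18]" (3 bytes) followed by a short "jg +7" (2 bytes); the jg
// is replaced by a same-size je, so no trampoline is needed. aobscanmodule
// fails the whole script if the pattern is not found.
aobscanmodule(_HudToggle,GameClient.dll,3B 43 18 7F 07)
registersymbol(_HudToggle)
_HudToggle:
cmp eax,[ebx+18]
// Target expressed relative to the scanned address instead of the hard-coded
// GameClient.dll+62931 of this build: the original jg skips 7 bytes past the
// 5-byte cmp/jg pair, i.e. _HudToggle+5+7 = _HudToggle+C (see the dump below).
je _HudToggle+C
[DISABLE]
// Put the original cmp/jg back.
_HudToggle:
db 3B 43 18 7F 07
unregistersymbol(_HudToggle)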
{
// ORIGINAL CODE - INJECTION POINT: "GameClient.dll"+62925
"GameClient.dll"+6290D: 8B CE - mov ecx,esi
"GameClient.dll"+6290F: FF 50 24 - call dword ptr [eax+24]
"GameClient.dll"+62912: 85 43 14 - test [ebx+14],eax
"GameClient.dll"+62915: 74 07 - je GameClient.dll+6291E
"GameClient.dll"+62917: 8B 16 - mov edx,[esi]
"GameClient.dll"+62919: 8B CE - mov ecx,esi
"GameClient.dll"+6291B: FF 52 14 - call dword ptr [edx+14]
"GameClient.dll"+6291E: 8B 06 - mov eax,[esi]
"GameClient.dll"+62920: 8B CE - mov ecx,esi
"GameClient.dll"+62922: FF 50 28 - call dword ptr [eax+28]
// ---------- INJECTING HERE ----------
"GameClient.dll"+62925: E9 D6 D6 ED 03 - jmp 081C0000
// ---------- DONE INJECTING ----------
"GameClient.dll"+6292A: 8B 16 - mov edx,[esi]
"GameClient.dll"+6292C: 8B CE - mov ecx,esi
"GameClient.dll"+6292E: FF 52 10 - call dword ptr [edx+10]
"GameClient.dll"+62931: 8B 83 50 04 00 00 - mov eax,[ebx+00000450]
"GameClient.dll"+62937: 83 C7 04 - add edi,04
"GameClient.dll"+6293A: 3B F8 - cmp edi,eax
"GameClient.dll"+6293C: 75 C6 - jne GameClient.dll+62904
"GameClient.dll"+6293E: 5E - pop esi
"GameClient.dll"+6293F: 5D - pop ebp
"GameClient.dll"+62940: 8B 0D B8 9E 3E 04 - mov ecx,[GameClient.dll+169EB8]
}
Toggle Activation
72
0
282
"_Invisible - ( j ) - needs work"
808000
Auto Assembler Script
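// Hook on "mov edx,[ebp+28] / mov [ecx+1C],edx" (Condemned.exe+11DE77 in the
// dump below). The load into edx is dropped, so the store writes whatever edx
// holds when the hook is reached.
// Author's observation: this does not really make the player invisible - the
// player model is detached from its position and placed high in the sky
// (visible when looking straight up, even through geometry) - and enemies are
// affected as well. A player/enemy filter is still missing.
[ENABLE]
aobscanmodule(_Invisible,Condemned.exe,8B 55 28 89 51 1C)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
// mov edx,[ebp+28]  -- removed. No nop padding is needed here: newmem is
// freshly allocated memory; only the 6 bytes at the injection point must keep
// their size (jmp code = 5 bytes + the nop below).
mov [ecx+1C],edx
jmp return
_Invisible:
jmp code
nop
return:
registersymbol(_Invisible)
[DISABLE]
_Invisible:
db 8B 55 28 89 51 1C
unregistersymbol(_Invisible)
dealloc(newmem)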
{
// ORIGINAL CODE - INJECTION POINT: "Condemned.exe"+11DE77
"Condemned.exe"+11DE58: D9 43 08 - fld dword ptr [ebx+08]
"Condemned.exe"+11DE5B: 89 4B 08 - mov [ebx+08],ecx
"Condemned.exe"+11DE5E: 8B 4C 24 24 - mov ecx,[esp+24]
"Condemned.exe"+11DE62: D9 5B 20 - fstp dword ptr [ebx+20]
"Condemned.exe"+11DE65: D9 43 24 - fld dword ptr [ebx+24]
"Condemned.exe"+11DE68: 89 43 04 - mov [ebx+04],eax
"Condemned.exe"+11DE6B: D9 5B 18 - fstp dword ptr [ebx+18]
"Condemned.exe"+11DE6E: 89 53 24 - mov [ebx+24],edx
"Condemned.exe"+11DE71: 8B 45 24 - mov eax,[ebp+24]
"Condemned.exe"+11DE74: 89 41 0C - mov [ecx+0C],eax
// ---------- INJECTING HERE ----------
"Condemned.exe"+11DE77: 8B 55 28 - mov edx,[ebp+28]
"Condemned.exe"+11DE7A: 89 51 1C - mov [ecx+1C],edx
// ---------- DONE INJECTING ----------
"Condemned.exe"+11DE7D: 8B 45 2C - mov eax,[ebp+2C]
"Condemned.exe"+11DE80: 89 41 2C - mov [ecx+2C],eax
"Condemned.exe"+11DE83: 8B 45 40 - mov eax,[ebp+40]
"Condemned.exe"+11DE86: 3D 00 00 80 3F - cmp eax,3F800000
"Condemned.exe"+11DE8B: 74 39 - je Condemned.exe+11DEC6
"Condemned.exe"+11DE8D: 8B D0 - mov edx,eax
"Condemned.exe"+11DE8F: 89 44 24 14 - mov [esp+14],eax
"Condemned.exe"+11DE93: 8D 44 24 10 - lea eax,[esp+10]
"Condemned.exe"+11DE97: 50 - push eax
"Condemned.exe"+11DE98: 89 54 24 14 - mov [esp+14],edx
}
Toggle Activation
74
0
323
"Holster Weapons finder and Info script - stable AOB ( 7 )"
808000
Auto Assembler Script
// With the first instruction below nopped this holsters the weapon and
// disables the walking animation.
// This script is only here to find the spot again. Originally found by a
// 4-byte menu on/off scan (changed/unchanged). It is an instruction that sets
// 1 to 5 or the other way around.
// Do not hit escape with this active - it probably breaks the AOB and screws
// up the game.
// NOTE(review): the bytes around the injection point disassemble as filler
// (sahf, aaa, out, long runs of "add [eax],al" - see the dump below), which
// suggests this location is a data field rather than executed code. If so, the
// newmem body below never runs and the observable effect is only that the
// 6 bytes at _HolsterWeapon+9 (01 00 00 00 78 FC) are replaced by jmp/nop.
// Confirm before relying on the instructions in newmem.
[ENABLE]
aobscanmodule(_HolsterWeapon,GameClient.dll,00 94 25 ?? ?? 00 00 00 00 01 00 00 00 ?? ??) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
// nop the first instruction below to holster the weapon.
// add [eax],eax      <- what the dump shows at +0 of the injection point (01 00)
add [eax],al
// "add [eax],al" encodes 00 00, the bytes at +2 in the dump.
// Target copied from this build's disassembly (export-relative), not derived
// from the AOB; it will not follow the pattern on another build.
js GameClient.GetBuildNumber+5AF12
jmp return
_HolsterWeapon+9:
jmp code
nop
return:
registersymbol(_HolsterWeapon)
[DISABLE]
_HolsterWeapon+9:
// the 6 original bytes overwritten by jmp (5) + nop (1)
db 01 00 00 00 78 FC
unregistersymbol(_HolsterWeapon)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "GameClient.dll"+169F40
"GameClient.dll"+169F26: 34 04 - xor al,04
"GameClient.dll"+169F28: 68 00 00 00 B8 - push B8000000
"GameClient.dll"+169F2D: 9E - sahf
"GameClient.dll"+169F2E: 37 - aaa
"GameClient.dll"+169F2F: 04 14 - add al,14
"GameClient.dll"+169F31: E7 34 - out 34,eax
"GameClient.dll"+169F33: 04 00 - add al,00
"GameClient.dll"+169F35: 00 00 - add [eax],al
"GameClient.dll"+169F37: 00 94 25 35 04 00 00 - add [ebp+00000435],dl
"GameClient.dll"+169F3E: 00 00 - add [eax],al
// ---------- INJECTING HERE ----------
"GameClient.dll"+169F40: 01 00 - add [eax],eax
"GameClient.dll"+169F42: 00 00 - add [eax],al
"GameClient.dll"+169F44: 78 FC - js GameClient.dll+169F42
// ---------- DONE INJECTING ----------
"GameClient.dll"+169F46: 69 03 5C 26 35 04 - imul eax,[ebx],GameClient.dll+14265C
"GameClient.dll"+169F4C: 01 00 - add [eax],eax
"GameClient.dll"+169F4E: 00 00 - add [eax],al
"GameClient.dll"+169F50: 00 00 - add [eax],al
"GameClient.dll"+169F52: 00 00 - add [eax],al
"GameClient.dll"+169F54: 00 00 - add [eax],al
"GameClient.dll"+169F56: 00 00 - add [eax],al
"GameClient.dll"+169F58: 00 00 - add [eax],al
"GameClient.dll"+169F5A: 80 3F 00 - cmp byte ptr [edi],00
"GameClient.dll"+169F5D: 00 80 3F 80 02 00 - add [eax+0002803F],al
}
Toggle Activation
55
0
283
"Shadow on / off"
808000
Auto Assembler Script
// Hook template around "fld dword ptr [ebp+28] / fmul dword ptr [ebx+24]"
// (Condemned.exe+11DF09 in the dump below). The body re-executes both original
// instructions, so the hook is a pass-through; it exists to pin the location.
// Author's note: nopping the pair removes your shadow (maybe only dynamic
// shadows).
[ENABLE]
aobscanmodule(_NoShadow,Condemned.exe,D9 45 28 D8 4B 24)
alloc(shadow_mem,$1000)
label(shadow_body)
label(shadow_resume)
shadow_mem:
shadow_body:
fld dword ptr [ebp+28]
fmul dword ptr [ebx+24]
jmp shadow_resume
_NoShadow:
jmp shadow_body
nop
shadow_resume:
registersymbol(_NoShadow)
[DISABLE]
_NoShadow:
db D9 45 28 D8 4B 24
unregistersymbol(_NoShadow)
dealloc(shadow_mem)
{
// ORIGINAL CODE - INJECTION POINT: "Condemned.exe"+11DF09
"Condemned.exe"+11DEEE: D9 43 18 - fld dword ptr [ebx+18]
"Condemned.exe"+11DEF1: D8 4D 2C - fmul dword ptr [ebp+2C]
"Condemned.exe"+11DEF4: DE C1 - faddp
"Condemned.exe"+11DEF6: D9 E0 - fchs
"Condemned.exe"+11DEF8: D9 5B 1C - fstp dword ptr [ebx+1C]
"Condemned.exe"+11DEFB: D9 43 28 - fld dword ptr [ebx+28]
"Condemned.exe"+11DEFE: D8 4D 2C - fmul dword ptr [ebp+2C]
"Condemned.exe"+11DF01: D9 45 24 - fld dword ptr [ebp+24]
"Condemned.exe"+11DF04: D8 4B 20 - fmul dword ptr [ebx+20]
"Condemned.exe"+11DF07: DE C1 - faddp
// ---------- INJECTING HERE ----------
"Condemned.exe"+11DF09: D9 45 28 - fld dword ptr [ebp+28]
"Condemned.exe"+11DF0C: D8 4B 24 - fmul dword ptr [ebx+24]
// ---------- DONE INJECTING ----------
"Condemned.exe"+11DF0F: DE C1 - faddp
"Condemned.exe"+11DF11: D9 E0 - fchs
"Condemned.exe"+11DF13: D9 5B 2C - fstp dword ptr [ebx+2C]
"Condemned.exe"+11DF16: 5B - pop ebx
"Condemned.exe"+11DF17: 5F - pop edi
"Condemned.exe"+11DF18: 5E - pop esi
"Condemned.exe"+11DF19: 5D - pop ebp
"Condemned.exe"+11DF1A: 83 C4 0C - add esp,0C
"Condemned.exe"+11DF1D: C3 - ret
"Condemned.exe"+11DF1E: CC - int 3
}
192
"Horizontal Res"
80000008
4 Bytes
Condemned.exe+165BEC
193
"Vertical Res"
80000008
4 Bytes
565BF0
185
"Pause Menu Stop ( esc 1 and 0 )"
80000008
4 Bytes
GameClient.dll+16A50C
197
"game running under menuoverlay"
80000008
Auto Assembler Script
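{ Game : Condemned.exe
Version:
Date : 2016-04-03
Author : User
Hook on "mov [esi+08],ebx / call GameClient.dll+6BDE0" at GameClient.dll+71910
(dump below). As written the hook is a pass-through that re-executes the two
original instructions. Author's note: storing a constant 5 instead of ebx keeps
the game running under the menu overlay. The injection point is a fixed module
offset guarded by assert(), not an AOB scan, so the script refuses to enable on
a build whose bytes differ; the call target below is fixed for the same reason.
}
define(address,"GameClient.dll"+71910)
define(bytes,89 5E 08 E8 C8 A4 FF FF)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
// ebx holds 5 on the path the author observed
mov [esi+08],ebx
// To run the game under the menu overlay, store the constant instead; a
// memory-immediate store needs an explicit size, e.g. "mov dword ptr [esi+08],5"
// (untested here, left as a comment as in the original).
// mov dword ptr [esi+08],5
call GameClient.dll+6BDE0
jmp return
address:
jmp code
nop
nop
nop
return:
[DISABLE]
address:
db bytes
// mov [esi+08],ebx
// call GameClient.dll+6BDE0
dealloc(newmem)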
{
// ORIGINAL CODE - INJECTION POINT: "GameClient.dll"+71910
"GameClient.dll"+718FC: 57 - push edi
"GameClient.dll"+718FD: 8B 7E 08 - mov edi,[esi+08]
"GameClient.dll"+71900: 50 - push eax
"GameClient.dll"+71901: 53 - push ebx
"GameClient.dll"+71902: 57 - push edi
"GameClient.dll"+71903: 8B CE - mov ecx,esi
"GameClient.dll"+71905: E8 46 E5 FF FF - call GameClient.dll+6FE50
"GameClient.dll"+7190A: 84 C0 - test al,al
"GameClient.dll"+7190C: 74 18 - je GameClient.dll+71926
"GameClient.dll"+7190E: 8B CE - mov ecx,esi
// ---------- INJECTING HERE ----------
"GameClient.dll"+71910: 89 5E 08 - mov [esi+08],ebx
"GameClient.dll"+71913: E8 C8 A4 FF FF - call GameClient.dll+6BDE0
// ---------- DONE INJECTING ----------
"GameClient.dll"+71918: 89 BE 1C 29 00 00 - mov [esi+0000291C],edi
"GameClient.dll"+7191E: 5F - pop edi
"GameClient.dll"+7191F: 5B - pop ebx
"GameClient.dll"+71920: B0 01 - mov al,01
"GameClient.dll"+71922: 5E - pop esi
"GameClient.dll"+71923: C2 08 00 - ret 0008
"GameClient.dll"+71926: 5F - pop edi
"GameClient.dll"+71927: 5B - pop ebx
"GameClient.dll"+71928: 32 C0 - xor al,al
"GameClient.dll"+7192A: 5E - pop esi
}
203
"Gameplay"
008000
1
261
"_half Godmode ( 5 ) - needs work"
000080
Auto Assembler Script
// Combined god-mode script (invincibility + unlimited sprint + unlimited
// pistol ammo) - still work in progress.
// Does not work reliably in every situation.
// The health hook has no proper player/enemy filter, so enemies sometimes
// cannot be harmed by gunfire (only melee attacks work).
//// ENABLE SECTION
[ENABLE]
//
// Invincibility
// Can behave strangely: attach CE while in-game with a level loaded if it did
// not take effect before. The player filter is not perfect by any means;
// health is addressed fairly directly.
aobscanmodule(_Invincible,GameServer.dll,D9 83 F4 06 00 00 8B)
alloc(inv_mem,$1000)
label(inv_body)
label(inv_resume)
//
// Unlimited Sprint
// Replaces fsubr with fadd: the countdown value (normally goes down and then
// back up to 1.0) is increased above 1 instead. The sprint bar becomes
// invisible until the value reaches 1 again after running around with the
// script disabled. Overflow is unlikely - you would have to run for a very
// long time with the script enabled.
aobscanmodule(_UnlSprint,GameClient.dll,D8 AE 98 04 00 00)
alloc(sprint_mem,$1000)
label(sprint_body)
label(sprint_resume)
//
// Unlimited Ammo
// mov ecx,9 puts 9 rounds in the pistol ammo counter, maybe other weapons too.
aobscanmodule(_PistolAmmo,GameClient.dll,8B 4C 24 38 8B 74 24 20 89 0C 90) // should be unique
alloc(ammo_mem,$1000)
label(ammo_body)
label(ammo_resume)
//// NEWMEM SECTION
//
// Invincibility
inv_mem:
inv_body:
mov [ebx+000006F4],(float)200
fld dword ptr [ebx+000006F4]
jmp inv_resume
_Invincible:
jmp inv_body
nop
inv_resume:
registersymbol(_Invincible)
//
// Unlimited Sprint
sprint_mem:
sprint_body:
fadd dword ptr [esi+00000498]
// fsubr dword ptr [esi+00000498]   <- original instruction
jmp sprint_resume
_UnlSprint:
jmp sprint_body
nop
sprint_resume:
registersymbol(_UnlSprint)
//
// Unlimited Ammo
ammo_mem:
ammo_body:
mov ecx,9
// mov ecx,[esp+38]   <- original instruction
mov esi,[esp+20]
jmp ammo_resume
_PistolAmmo:
jmp ammo_body
nop
nop
nop
ammo_resume:
registersymbol(_PistolAmmo)
//// DISABLE SECTION
[DISABLE]
//
// Invincibility
_Invincible:
db D9 83 F4 06 00 00
unregistersymbol(_Invincible)
dealloc(inv_mem)
//
// Unlimited Sprint
_UnlSprint:
db D8 AE 98 04 00 00
unregistersymbol(_UnlSprint)
dealloc(sprint_mem)
//
// Unlimited Ammo
_PistolAmmo:
db 8B 4C 24 38 8B 74 24 20 89 0C 90
unregistersymbol(_PistolAmmo)
dealloc(ammo_mem)
Toggle Activation
53
1
292
"Single Scripts"
80000008
1
290
"_Invincible ( i I"
808000
Auto Assembler Script
// Health hook: each time the game reaches the fld of the float at [ebx+6F4]
// (health, per the author), the value is first overwritten with 200.0 and then
// loaded as the original instruction did.
// Can behave strangely: attach CE while in-game with a level loaded if it did
// not take effect before.
[ENABLE]
aobscanmodule(_Invincible,GameServer.dll,D9 83 F4 06 00 00 8B) // should be unique
alloc(hp_mem,$1000)
label(hp_body)
label(hp_resume)
hp_mem:
hp_body:
mov [ebx+000006F4],(float)200
fld dword ptr [ebx+000006F4]
jmp hp_resume
_Invincible:
jmp hp_body
nop
hp_resume:
registersymbol(_Invincible)
[DISABLE]
_Invincible:
db D9 83 F4 06 00 00
unregistersymbol(_Invincible)
dealloc(hp_mem)
{
// ORIGINAL CODE - INJECTION POINT: "GameServer.dll"+134EDC
"GameServer.dll"+134EC0: 57 - push edi
"GameServer.dll"+134EC1: 8B CE - mov ecx,esi
"GameServer.dll"+134EC3: FF 52 34 - call dword ptr [edx+34]
"GameServer.dll"+134EC6: 85 FF - test edi,edi
"GameServer.dll"+134EC8: 74 07 - je GameServer.dll+134ED1
"GameServer.dll"+134ECA: 8B 07 - mov eax,[edi]
"GameServer.dll"+134ECC: 8B CF - mov ecx,edi
"GameServer.dll"+134ECE: FF 50 08 - call dword ptr [eax+08]
"GameServer.dll"+134ED1: D9 83 6C 0B 00 00 - fld dword ptr [ebx+00000B6C]
"GameServer.dll"+134ED7: E8 14 D4 06 00 - call GameServer.dll+1A22F0
// ---------- INJECTING HERE ----------
"GameServer.dll"+134EDC: E9 1F B1 19 FA - jmp 07170000
"GameServer.dll"+134EE1: 90 - nop
// ---------- DONE INJECTING ----------
"GameServer.dll"+134EE2: 8B F8 - mov edi,eax
"GameServer.dll"+134EE4: E8 07 D4 06 00 - call GameServer.dll+1A22F0
"GameServer.dll"+134EE9: 2B F8 - sub edi,eax
"GameServer.dll"+134EEB: 8B C7 - mov eax,edi
"GameServer.dll"+134EED: 99 - cdq
"GameServer.dll"+134EEE: 33 C2 - xor eax,edx
"GameServer.dll"+134EF0: 2B C2 - sub eax,edx
"GameServer.dll"+134EF2: 83 F8 01 - cmp eax,01
"GameServer.dll"+134EF5: 7D 0D - jnl GameServer.dll+134F04
"GameServer.dll"+134EF7: 8A 44 24 2C - mov al,[esp+2C]
}
291
"Invincible AOB old version"
80000008
Auto Assembler Script
// Older version of the health hook (same AOB as _Invincible, symbol named
// hpsearch). Writes 200.0 into the float at [ebx+6F4] before the original fld
// reloads it.
// Can behave strangely: attach CE while in-game with a level loaded if it did
// not take effect before.
[ENABLE]
aobscanmodule(hpsearch,GameServer.dll,D9 83 F4 06 00 00 8B)
alloc(old_mem,$1000)
label(old_body)
label(old_resume)
old_mem:
old_body:
mov [ebx+000006F4],(float)200
fld dword ptr [ebx+000006F4]
jmp old_resume
hpsearch:
jmp old_body
nop
old_resume:
registersymbol(hpsearch)
[DISABLE]
hpsearch:
db D9 83 F4 06 00 00
unregistersymbol(hpsearch)
dealloc(old_mem)
{
// ORIGINAL CODE - INJECTION POINT: "GameServer.dll"+134EDC
"GameServer.dll"+134EC0: 57 - push edi
"GameServer.dll"+134EC1: 8B CE - mov ecx,esi
"GameServer.dll"+134EC3: FF 52 34 - call dword ptr [edx+34]
"GameServer.dll"+134EC6: 85 FF - test edi,edi
"GameServer.dll"+134EC8: 74 07 - je GameServer.dll+134ED1
"GameServer.dll"+134ECA: 8B 07 - mov eax,[edi]
"GameServer.dll"+134ECC: 8B CF - mov ecx,edi
"GameServer.dll"+134ECE: FF 50 08 - call dword ptr [eax+08]
"GameServer.dll"+134ED1: D9 83 6C 0B 00 00 - fld dword ptr [ebx+00000B6C]
"GameServer.dll"+134ED7: E8 14 D4 06 00 - call GameServer.dll+1A22F0
// ---------- INJECTING HERE ----------
"GameServer.dll"+134EDC: D9 83 F4 06 00 00 - fld dword ptr [ebx+000006F4]
// ---------- DONE INJECTING ----------
"GameServer.dll"+134EE2: 8B F8 - mov edi,eax
"GameServer.dll"+134EE4: E8 07 D4 06 00 - call GameServer.dll+1A22F0
"GameServer.dll"+134EE9: 2B F8 - sub edi,eax
"GameServer.dll"+134EEB: 8B C7 - mov eax,edi
"GameServer.dll"+134EED: 99 - cdq
"GameServer.dll"+134EEE: 33 C2 - xor eax,edx
"GameServer.dll"+134EF0: 2B C2 - sub eax,edx
"GameServer.dll"+134EF2: 83 F8 01 - cmp eax,01
"GameServer.dll"+134EF5: 7D 0D - jnl GameServer.dll+134F04
"GameServer.dll"+134EF7: 8A 44 24 2C - mov al,[esp+2C]
}
265
"_UnlSprint ( 5 ) - needs work"
808000
Auto Assembler Script
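// Removes the fsubr that decreases the sprint energy at [esi+498]
// (GameClient.dll+3443D in the dump below).
// NOTE(review): the dump shows the sequence fdivr [esp+08] -> fsubr [esi+498]
// -> fst [esi+498]. With the fsubr gone, the fst that follows the hook stores
// the fdivr result (the per-tick amount) into [esi+498] instead of
// "[esi+498] - amount", which is the likely cause of the low-energy delay
// before sprinting again that the author mentions. The combined god-mode
// script uses fadd at this spot instead.
[ENABLE]
aobscanmodule(_UnlSprint,GameClient.dll,D8 AE 98 04 00 00)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
// fsubr dword ptr [esi+00000498]  -- removed. The six nops that padded it in
// the original are dropped: newmem is allocated memory and needs no size
// preservation; only the 6 bytes at _UnlSprint keep their size (jmp + nop).
jmp return
_UnlSprint:
jmp code
nop
return:
registersymbol(_UnlSprint)
[DISABLE]
_UnlSprint:
db D8 AE 98 04 00 00
unregistersymbol(_UnlSprint)
dealloc(newmem)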
{
// ORIGINAL CODE - INJECTION POINT: "GameClient.dll"+3443D
"GameClient.dll"+34418: 8B 0D 14 90 35 04 - mov ecx,[GameClient.dll+169014]
"GameClient.dll"+3441E: 3B CB - cmp ecx,ebx
"GameClient.dll"+34420: 74 11 - je GameClient.dll+34433
"GameClient.dll"+34422: 8B 15 10 90 35 04 - mov edx,[GameClient.dll+169010]
"GameClient.dll"+34428: 8B 01 - mov eax,[ecx]
"GameClient.dll"+3442A: 52 - push edx
"GameClient.dll"+3442B: FF 90 00 01 00 00 - call dword ptr [eax+00000100]
"GameClient.dll"+34431: EB 06 - jmp GameClient.dll+34439
"GameClient.dll"+34433: D9 05 A4 82 32 04 - fld dword ptr [GameClient.dll+1382A4]
"GameClient.dll"+34439: D8 7C 24 08 - fdivr dword ptr [esp+08]
// ---------- INJECTING HERE ----------
"GameClient.dll"+3443D: D8 AE 98 04 00 00 - fsubr dword ptr [esi+00000498]
// ---------- DONE INJECTING ----------
"GameClient.dll"+34443: D9 96 98 04 00 00 - fst dword ptr [esi+00000498]
"GameClient.dll"+34449: D8 1D A4 82 32 04 - fcomp dword ptr [GameClient.dll+1382A4]
"GameClient.dll"+3444F: DF E0 - fnstsw ax
"GameClient.dll"+34451: F6 C4 41 - test ah,41
"GameClient.dll"+34454: 7A 7A - jp GameClient.dll+344D0
"GameClient.dll"+34456: 8B 0D 24 FE 35 04 - mov ecx,[GameClient.dll+16FE24]
"GameClient.dll"+3445C: E8 0F 32 06 00 - call GameClient.dll+97670
"GameClient.dll"+34461: 84 C0 - test al,al
"GameClient.dll"+34463: 75 06 - jne GameClient.dll+3446B
"GameClient.dll"+34465: 88 9E 9C 04 00 00 - mov [esi+0000049C],bl
}
259
"_PistolAmmo set ammo to 9 unlimited ( u )"
808000
Auto Assembler Script
// Forces the pistol ammo counter to 9 on every write-back: ecx, which the
// following "mov [eax+edx*4],ecx" stores (see the dump below), is set to the
// constant instead of being loaded from [esp+38].
[ENABLE]
aobscanmodule(_PistolAmmo,GameClient.dll,8B 4C 24 38 8B 74 24 20 89 0C 90) // should be unique
alloc(ammo_mem,$1000)
label(ammo_body)
label(ammo_resume)
ammo_mem:
ammo_body:
mov ecx,9
// mov ecx,[esp+38]   <- original instruction
mov esi,[esp+20]
jmp ammo_resume
_PistolAmmo:
jmp ammo_body
nop
nop
nop
ammo_resume:
registersymbol(_PistolAmmo)
[DISABLE]
_PistolAmmo:
db 8B 4C 24 38 8B 74 24 20 89 0C 90
unregistersymbol(_PistolAmmo)
dealloc(ammo_mem)
{
// ORIGINAL CODE - INJECTION POINT: "GameClient.dll"+A80A1
"GameClient.dll"+A8084: 8B 54 24 24 - mov edx,[esp+24]
"GameClient.dll"+A8088: 8B 34 91 - mov esi,[ecx+edx*4]
"GameClient.dll"+A808B: 3B F0 - cmp esi,eax
"GameClient.dll"+A808D: 8D 0C 91 - lea ecx,[ecx+edx*4]
"GameClient.dll"+A8090: 76 02 - jna GameClient.dll+A8094
"GameClient.dll"+A8092: 89 01 - mov [ecx],eax
"GameClient.dll"+A8094: 39 44 24 38 - cmp [esp+38],eax
"GameClient.dll"+A8098: 76 04 - jna GameClient.dll+A809E
"GameClient.dll"+A809A: 89 44 24 38 - mov [esp+38],eax
"GameClient.dll"+A809E: 8B 45 18 - mov eax,[ebp+18]
// ---------- INJECTING HERE ----------
"GameClient.dll"+A80A1: 8B 4C 24 38 - mov ecx,[esp+38]
"GameClient.dll"+A80A5: 8B 74 24 20 - mov esi,[esp+20]
// ---------- DONE INJECTING ----------
"GameClient.dll"+A80A9: 89 0C 90 - mov [eax+edx*4],ecx
"GameClient.dll"+A80AC: 8B 15 24 FE 3E 04 - mov edx,[GameClient.dll+16FE24]
"GameClient.dll"+A80B2: 8B 4A 1C - mov ecx,[edx+1C]
"GameClient.dll"+A80B5: E8 56 78 F8 FF - call GameClient.dll+2F910
"GameClient.dll"+A80BA: 85 C0 - test eax,eax
"GameClient.dll"+A80BC: 75 11 - jne GameClient.dll+A80CF
"GameClient.dll"+A80BE: A1 24 FE 3E 04 - mov eax,[GameClient.dll+16FE24]
"GameClient.dll"+A80C3: 8B 48 1C - mov ecx,[eax+1C]
"GameClient.dll"+A80C6: 39 71 14 - cmp [ecx+14],esi
"GameClient.dll"+A80C9: 75 04 - jne GameClient.dll+A80CF
}
137
"Pistol Ammo (old version still works)"
80000008
Auto Assembler Script
// Older pistol ammo hook: ecx, which the following "mov [eax+edx*4],ecx"
// stores (see the dump below), is set to 7 instead of being loaded from
// [esp+38].
[ENABLE]
aobscanmodule(PistolAmmo,GameClient.dll,8B 4C 24 38 8B 74 24 20 89 0C 90)
alloc(ammo7_mem,$1000)
label(ammo7_body)
label(ammo7_resume)
ammo7_mem:
ammo7_body:
mov ecx,7
// mov ecx,[esp+38]   <- original instruction
mov esi,[esp+20]
jmp ammo7_resume
PistolAmmo:
jmp ammo7_body
nop
nop
nop
ammo7_resume:
registersymbol(PistolAmmo)
[DISABLE]
PistolAmmo:
// Only the 8 bytes written by the enable section (jmp 5 + 3 nops) are
// restored; the trailing 89 0C 90 of the AOB is never modified.
db 8B 4C 24 38 8B 74 24 20
unregistersymbol(PistolAmmo)
dealloc(ammo7_mem)
{
// ORIGINAL CODE - INJECTION POINT: "GameClient.dll"+A80A1
"GameClient.dll"+A8084: 8B 54 24 24 - mov edx,[esp+24]
"GameClient.dll"+A8088: 8B 34 91 - mov esi,[ecx+edx*4]
"GameClient.dll"+A808B: 3B F0 - cmp esi,eax
"GameClient.dll"+A808D: 8D 0C 91 - lea ecx,[ecx+edx*4]
"GameClient.dll"+A8090: 76 02 - jna GameClient.dll+A8094
"GameClient.dll"+A8092: 89 01 - mov [ecx],eax
"GameClient.dll"+A8094: 39 44 24 38 - cmp [esp+38],eax
"GameClient.dll"+A8098: 76 04 - jna GameClient.dll+A809E
"GameClient.dll"+A809A: 89 44 24 38 - mov [esp+38],eax
"GameClient.dll"+A809E: 8B 45 18 - mov eax,[ebp+18]
// ---------- INJECTING HERE ----------
"GameClient.dll"+A80A1: 8B 4C 24 38 - mov ecx,[esp+38]
"GameClient.dll"+A80A5: 8B 74 24 20 - mov esi,[esp+20]
// ---------- DONE INJECTING ----------
"GameClient.dll"+A80A9: 89 0C 90 - mov [eax+edx*4],ecx
"GameClient.dll"+A80AC: 8B 15 24 FE 35 04 - mov edx,[GameClient.dll+16FE24]
"GameClient.dll"+A80B2: 8B 4A 1C - mov ecx,[edx+1C]
"GameClient.dll"+A80B5: E8 56 78 F8 FF - call GameClient.dll+2F910
"GameClient.dll"+A80BA: 85 C0 - test eax,eax
"GameClient.dll"+A80BC: 75 11 - jne GameClient.dll+A80CF
"GameClient.dll"+A80BE: A1 24 FE 35 04 - mov eax,[GameClient.dll+16FE24]
"GameClient.dll"+A80C3: 8B 48 1C - mov ecx,[eax+1C]
"GameClient.dll"+A80C6: 39 71 14 - cmp [ecx+14],esi
"GameClient.dll"+A80C9: 75 04 - jne GameClient.dll+A80CF
}
277
"_NoAttackRun - searchscript - Enemies run but don't attack"
80000008
Auto Assembler Script
// Finder script: the hook re-assembles the original "fsub dword ptr [edx+28]"
// in place, so enabling it is a pass-through; its purpose is to register
// _NoAttackRun so the spot can be found again.
// Author's observation: with this line nopped, enemies just run at you
// constantly and do not attack. Maybe there is more here, like completely
// disabling enemy aggressiveness?
[ENABLE]
aobscanmodule(NoAttackRun,Condemned.exe,D8 62 28 D9 5C 24 04)
label(_NoAttackRun)
registersymbol(_NoAttackRun)
NoAttackRun:
_NoAttackRun:
fsub dword ptr [edx+28]
[DISABLE]
_NoAttackRun:
// 3 bytes: exactly the fsub re-assembled above
db D8 62 28
unregistersymbol(_NoAttackRun)
{
// ORIGINAL CODE - INJECTION POINT: "Condemned.exe"+1C22E
"Condemned.exe"+1C210: D9 C9 - fxch st(1)
"Condemned.exe"+1C212: D8 01 - fadd dword ptr [ecx]
"Condemned.exe"+1C214: D9 5C 24 0C - fstp dword ptr [esp+0C]
"Condemned.exe"+1C218: D8 41 04 - fadd dword ptr [ecx+04]
"Condemned.exe"+1C21B: D9 44 24 08 - fld dword ptr [esp+08]
"Condemned.exe"+1C21F: D8 41 08 - fadd dword ptr [ecx+08]
"Condemned.exe"+1C222: D9 44 24 0C - fld dword ptr [esp+0C]
"Condemned.exe"+1C226: D8 62 24 - fsub dword ptr [edx+24]
"Condemned.exe"+1C229: D9 1C 24 - fstp dword ptr [esp]
"Condemned.exe"+1C22C: D9 C9 - fxch st(1)
// ---------- INJECTING HERE ----------
"Condemned.exe"+1C22E: D8 62 28 - fsub dword ptr [edx+28]
"Condemned.exe"+1C231: D9 5C 24 04 - fstp dword ptr [esp+04]
// ---------- DONE INJECTING ----------
"Condemned.exe"+1C235: D8 62 2C - fsub dword ptr [edx+2C]
"Condemned.exe"+1C238: D9 C0 - fld st(0)
"Condemned.exe"+1C23A: D8 C9 - fmul st(0),st(1)
"Condemned.exe"+1C23C: D9 44 24 04 - fld dword ptr [esp+04]
"Condemned.exe"+1C240: D8 4C 24 04 - fmul dword ptr [esp+04]
"Condemned.exe"+1C244: DE C1 - faddp
"Condemned.exe"+1C246: D9 04 24 - fld dword ptr [esp]
"Condemned.exe"+1C249: D8 0C 24 - fmul dword ptr [esp]
"Condemned.exe"+1C24C: DE C1 - faddp
"Condemned.exe"+1C24E: D9 44 24 1C - fld dword ptr [esp+1C]
}
241
"NoClip"
008000
1
262
"NoClip - only need two addresses but needs work"
808000
1
242
"_NoClipTwoOfFour Go up walls"
8080FF
Auto Assembler Script
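// Hook on "mov edx,[eax+04] / mov eax,[eax+08]" (Condemned.exe+43E6D in the
// dump below). The load of edx is dropped, so the value later stored to
// [esp+10] (see dump) is whatever edx held on entry.
// Author's observation: walk against geometry and you walk up it, even
// buildings.
[ENABLE]
aobscanmodule(_NoClipTwoOfFour,Condemned.exe,8B 50 04 8B 40 08 89 44 24 0C 8A) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
// mov edx,[eax+04]  -- removed. No nop padding is needed inside newmem; only
// the 6 bytes at the injection point keep their size (jmp = 5 + nop).
mov eax,[eax+08]
jmp return
_NoClipTwoOfFour:
jmp code
nop
return:
registersymbol(_NoClipTwoOfFour)
[DISABLE]
_NoClipTwoOfFour:
db 8B 50 04 8B 40 08
unregistersymbol(_NoClipTwoOfFour)
dealloc(newmem)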
{
// ORIGINAL CODE - INJECTION POINT: "Condemned.exe"+43E6D
"Condemned.exe"+43E59: 5B - pop ebx
"Condemned.exe"+43E5A: 8B E5 - mov esp,ebp
"Condemned.exe"+43E5C: 5D - pop ebp
"Condemned.exe"+43E5D: C2 08 00 - ret 0008
"Condemned.exe"+43E60: 83 EC 50 - sub esp,50
"Condemned.exe"+43E63: 53 - push ebx
"Condemned.exe"+43E64: 8B D9 - mov ebx,ecx
"Condemned.exe"+43E66: 8B 03 - mov eax,[ebx]
"Condemned.exe"+43E68: 83 C0 24 - add eax,24
"Condemned.exe"+43E6B: 8B 08 - mov ecx,[eax]
// ---------- INJECTING HERE ----------
"Condemned.exe"+43E6D: 8B 50 04 - mov edx,[eax+04]
"Condemned.exe"+43E70: 8B 40 08 - mov eax,[eax+08]
// ---------- DONE INJECTING ----------
"Condemned.exe"+43E73: 89 44 24 0C - mov [esp+0C],eax
"Condemned.exe"+43E77: 8A 43 26 - mov al,[ebx+26]
"Condemned.exe"+43E7A: 84 C0 - test al,al
"Condemned.exe"+43E7C: 56 - push esi
"Condemned.exe"+43E7D: 57 - push edi
"Condemned.exe"+43E7E: 8B 7C 24 60 - mov edi,[esp+60]
"Condemned.exe"+43E82: 89 4C 24 0C - mov [esp+0C],ecx
"Condemned.exe"+43E86: 89 54 24 10 - mov [esp+10],edx
"Condemned.exe"+43E8A: 0F 85 DE 00 00 00 - jne Condemned.exe+43F6E
"Condemned.exe"+43E90: 57 - push edi
}
243
"_NoClipThreeOfFour Disables Height - Falling"
8080FF
Auto Assembler Script
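// Hook on "mov [esi+28],edx / mov ecx,[eax+08]" (Condemned.exe+27A02 in the
// dump below). The store to [esi+28] - the write to Player Position Z, per the
// author's position scripts - is dropped.
// Author's observation: disables height/falling but not momentum (or it
// corrupts momentum, not sure); when above ground you nearly walk forever in
// the walking direction.
// NOTE(review): the "_PlayerPosZInstr" script hooks the very same bytes (same
// AOB, same injection point). Enabling it while this script is active
// overwrites the first bytes of the jmp below with the original instruction,
// which will most likely crash the game; use one at a time.
[ENABLE]
aobscanmodule(_NoClipThreeOfFour,Condemned.exe,89 56 28 8B 48 08 89 4E 2C D9)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
// mov [esi+28],edx  -- removed. No nop padding is needed inside newmem; only
// the 6 bytes at the injection point keep their size (jmp = 5 + nop).
mov ecx,[eax+08]
jmp return
_NoClipThreeOfFour:
jmp code
nop
return:
registersymbol(_NoClipThreeOfFour)
[DISABLE]
_NoClipThreeOfFour:
db 89 56 28 8B 48 08
unregistersymbol(_NoClipThreeOfFour)
dealloc(newmem)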
{
// ORIGINAL CODE - INJECTION POINT: "Condemned.exe"+27A02
"Condemned.exe"+279ED: CC - int 3
"Condemned.exe"+279EE: CC - int 3
"Condemned.exe"+279EF: CC - int 3
"Condemned.exe"+279F0: 83 EC 18 - sub esp,18
"Condemned.exe"+279F3: 8B 44 24 1C - mov eax,[esp+1C]
"Condemned.exe"+279F7: 56 - push esi
"Condemned.exe"+279F8: 8B F1 - mov esi,ecx
"Condemned.exe"+279FA: 8B 08 - mov ecx,[eax]
"Condemned.exe"+279FC: 89 4E 24 - mov [esi+24],ecx
"Condemned.exe"+279FF: 8B 50 04 - mov edx,[eax+04]
// ---------- INJECTING HERE ----------
"Condemned.exe"+27A02: 89 56 28 - mov [esi+28],edx
"Condemned.exe"+27A05: 8B 48 08 - mov ecx,[eax+08]
// ---------- DONE INJECTING ----------
"Condemned.exe"+27A08: 89 4E 2C - mov [esi+2C],ecx
"Condemned.exe"+27A0B: D9 46 78 - fld dword ptr [esi+78]
"Condemned.exe"+27A0E: D8 00 - fadd dword ptr [eax]
"Condemned.exe"+27A10: 56 - push esi
"Condemned.exe"+27A11: D9 46 7C - fld dword ptr [esi+7C]
"Condemned.exe"+27A14: D8 40 04 - fadd dword ptr [eax+04]
"Condemned.exe"+27A17: D9 86 80 00 00 00 - fld dword ptr [esi+00000080]
"Condemned.exe"+27A1D: D8 40 08 - fadd dword ptr [eax+08]
"Condemned.exe"+27A20: D9 5C 24 1C - fstp dword ptr [esp+1C]
"Condemned.exe"+27A24: D9 00 - fld dword ptr [eax]
}
286
"No Collision Deadly"
80000008
Auto Assembler Script
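// Inverts the null check at Condemned.exe+8B64 (je -> jne), which kills
// collision. Author's warning: physics kill you if re-enabled; there must be
// a way around this.
// The AOB is anchored on the int3 padding that precedes the function (the
// three CC bytes), so the real injection point is INJECT+07.
[ENABLE]
aobscanmodule(INJECT,Condemned.exe,CC CC CC 8B 4C 24 04 85 C9 74 1E 8B 44 24 08)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
test ecx,ecx
// Target expressed relative to the scanned address instead of the hard-coded
// Condemned.exe+8B86 of this build: 8B86 - 8B5D (INJECT) = 29 (see dump).
jne INJECT+29
mov eax,[esp+08]
jmp return
INJECT+07:
jmp code
nop
nop
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT+07:
db 85 C9 74 1E 8B 44 24 08
unregistersymbol(INJECT)
dealloc(newmem)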
{
// ORIGINAL CODE - INJECTION POINT: "Condemned.exe"+8B64
"Condemned.exe"+8B57: CC - int 3
"Condemned.exe"+8B58: CC - int 3
"Condemned.exe"+8B59: CC - int 3
"Condemned.exe"+8B5A: CC - int 3
"Condemned.exe"+8B5B: CC - int 3
"Condemned.exe"+8B5C: CC - int 3
"Condemned.exe"+8B5D: CC - int 3
"Condemned.exe"+8B5E: CC - int 3
"Condemned.exe"+8B5F: CC - int 3
"Condemned.exe"+8B60: 8B 4C 24 04 - mov ecx,[esp+04]
// ---------- INJECTING HERE ----------
"Condemned.exe"+8B64: 85 C9 - test ecx,ecx
"Condemned.exe"+8B66: 74 1E - je Condemned.exe+8B86
"Condemned.exe"+8B68: 8B 44 24 08 - mov eax,[esp+08]
// ---------- DONE INJECTING ----------
"Condemned.exe"+8B6C: 85 C0 - test eax,eax
"Condemned.exe"+8B6E: 74 16 - je Condemned.exe+8B86
"Condemned.exe"+8B70: 8B 51 24 - mov edx,[ecx+24]
"Condemned.exe"+8B73: 89 10 - mov [eax],edx
"Condemned.exe"+8B75: 8B 51 28 - mov edx,[ecx+28]
"Condemned.exe"+8B78: 89 50 04 - mov [eax+04],edx
"Condemned.exe"+8B7B: 8B 49 2C - mov ecx,[ecx+2C]
"Condemned.exe"+8B7E: 89 48 08 - mov [eax+08],ecx
"Condemned.exe"+8B81: 33 C0 - xor eax,eax
"Condemned.exe"+8B83: C2 08 00 - ret 0008
}
201
"Player Position"
008000
1
278
"_PlayerPosXYZ - This writes to all Player Pos Coords"
800080
Auto Assembler Script
// Finder script: re-assembles the original "mov [esi+24],ecx" in place, so
// enabling it changes no behaviour; it only registers _PlayerPosY as a symbol.
// This instruction writes Player Position Y (the actual value is stored as a
// float).
// NOTE(review): the "_PlayerPosYInstr" script further down uses the same AOB
// and the same symbol name. Enabling both registers _PlayerPosY twice, and
// disabling one presumably unregisters the symbol the other still relies on -
// confirm before using them together.
[ENABLE]
aobscanmodule(PlayerPosY,Condemned.exe,89 4E 24 8B 50 04 89 56 28 8B 48 08 89 4E 2C D9)
label(_PlayerPosY)
registersymbol(_PlayerPosY)
PlayerPosY:
_PlayerPosY:
mov [esi+24],ecx
[DISABLE]
_PlayerPosY:
// 3 bytes: exactly the instruction re-assembled above
db 89 4E 24
unregistersymbol(_PlayerPosY)
{
// ORIGINAL CODE - INJECTION POINT: "Condemned.exe"+279FC
"Condemned.exe"+279EB: CC - int 3
"Condemned.exe"+279EC: CC - int 3
"Condemned.exe"+279ED: CC - int 3
"Condemned.exe"+279EE: CC - int 3
"Condemned.exe"+279EF: CC - int 3
"Condemned.exe"+279F0: 83 EC 18 - sub esp,18
"Condemned.exe"+279F3: 8B 44 24 1C - mov eax,[esp+1C]
"Condemned.exe"+279F7: 56 - push esi
"Condemned.exe"+279F8: 8B F1 - mov esi,ecx
"Condemned.exe"+279FA: 8B 08 - mov ecx,[eax]
// ---------- INJECTING HERE ----------
"Condemned.exe"+279FC: 89 4E 24 - mov [esi+24],ecx
"Condemned.exe"+279FF: 8B 50 04 - mov edx,[eax+04]
// ---------- DONE INJECTING ----------
"Condemned.exe"+27A02: 89 56 28 - mov [esi+28],edx
"Condemned.exe"+27A05: 8B 48 08 - mov ecx,[eax+08]
"Condemned.exe"+27A08: 89 4E 2C - mov [esi+2C],ecx
"Condemned.exe"+27A0B: D9 46 78 - fld dword ptr [esi+78]
"Condemned.exe"+27A0E: D8 00 - fadd dword ptr [eax]
"Condemned.exe"+27A10: 56 - push esi
"Condemned.exe"+27A11: D9 46 7C - fld dword ptr [esi+7C]
"Condemned.exe"+27A14: D8 40 04 - fadd dword ptr [eax+04]
"Condemned.exe"+27A17: D9 86 80 00 00 00 - fld dword ptr [esi+00000080]
"Condemned.exe"+27A1D: D8 40 08 - fadd dword ptr [eax+08]
}
111
"Player z height ( ü and ä + Alt)"
80000008
Float
"Condemned.exe"+0016CC98
28
148
24
790
7B4
Increase Value
186
5
0
Decrease Value
222
5
1
Increase Value
18
186
20
2
Decrease Value
18
222
20
3
267
"_PlayerPosZInstr - This writes to Player Pos Z"
800080
Auto Assembler Script
// Finder script: re-assembles the original "mov [esi+28],edx" in place, so
// enabling it changes no behaviour; it only registers _PlayerPosZ as a symbol.
// This instruction writes Player Position Z (the actual value is stored as a
// float).
// NOTE(review): this is the same injection point (Condemned.exe+27A02, same
// AOB) as the "_NoClipThreeOfFour" script. Enabling this script while that one
// is active writes the original 3 bytes over the first bytes of its jmp, which
// will most likely crash the game; enable them one at a time.
[ENABLE]
aobscanmodule(PlayerPosZ,Condemned.exe,89 56 28 8B 48 08 89 4E 2C D9)
label(_PlayerPosZ)
registersymbol(_PlayerPosZ)
PlayerPosZ:
_PlayerPosZ:
mov [esi+28],edx
[DISABLE]
_PlayerPosZ:
// 3 bytes: exactly the instruction re-assembled above
db 89 56 28
unregistersymbol(_PlayerPosZ)
{
// ORIGINAL CODE - INJECTION POINT: "Condemned.exe"+27A02
"Condemned.exe"+279ED: CC - int 3
"Condemned.exe"+279EE: CC - int 3
"Condemned.exe"+279EF: CC - int 3
"Condemned.exe"+279F0: 83 EC 18 - sub esp,18
"Condemned.exe"+279F3: 8B 44 24 1C - mov eax,[esp+1C]
"Condemned.exe"+279F7: 56 - push esi
"Condemned.exe"+279F8: 8B F1 - mov esi,ecx
"Condemned.exe"+279FA: 8B 08 - mov ecx,[eax]
"Condemned.exe"+279FC: 89 4E 24 - mov [esi+24],ecx
"Condemned.exe"+279FF: 8B 50 04 - mov edx,[eax+04]
// ---------- INJECTING HERE ----------
"Condemned.exe"+27A02: 89 56 28 - mov [esi+28],edx
"Condemned.exe"+27A05: 8B 48 08 - mov ecx,[eax+08]
// ---------- DONE INJECTING ----------
"Condemned.exe"+27A08: 89 4E 2C - mov [esi+2C],ecx
"Condemned.exe"+27A0B: D9 46 78 - fld dword ptr [esi+78]
"Condemned.exe"+27A0E: D8 00 - fadd dword ptr [eax]
"Condemned.exe"+27A10: 56 - push esi
"Condemned.exe"+27A11: D9 46 7C - fld dword ptr [esi+7C]
"Condemned.exe"+27A14: D8 40 04 - fadd dword ptr [eax+04]
"Condemned.exe"+27A17: D9 86 80 00 00 00 - fld dword ptr [esi+00000080]
"Condemned.exe"+27A1D: D8 40 08 - fadd dword ptr [eax+08]
"Condemned.exe"+27A20: D9 5C 24 1C - fstp dword ptr [esp+1C]
"Condemned.exe"+27A24: D9 00 - fld dword ptr [eax]
}
112
"Player y ( 0 and L + Alt)"
80000008
Float
"Condemned.exe"+0016CC98
24
148
24
790
7B4
Increase Value
48
5
0
Decrease Value
76
5
1
Increase Value
18
48
20
2
Decrease Value
18
76
20
3
269
"_PlayerPosYInstr - This writes to Player Pos Y"
800080
Auto Assembler Script
// Finder script: re-assembles the original "mov [esi+24],ecx" in place, so
// enabling it changes no behaviour; it only registers _PlayerPosY as a symbol.
// This instruction writes Player Position Y (the actual value is stored as a
// float).
// NOTE(review): the "_PlayerPosXYZ" script above uses the same AOB and the
// same symbol name. Enabling both registers _PlayerPosY twice, and disabling
// one presumably unregisters the symbol the other still relies on - confirm
// before using them together.
[ENABLE]
aobscanmodule(PlayerPosY,Condemned.exe,89 4E 24 8B 50 04 89 56 28 8B 48 08 89 4E 2C D9)
label(_PlayerPosY)
registersymbol(_PlayerPosY)
PlayerPosY:
_PlayerPosY:
mov [esi+24],ecx
[DISABLE]
_PlayerPosY:
// 6 bytes (mov [esi+24],ecx + mov edx,[eax+04]); only the first 3 are ever
// re-assembled above, the other 3 are written back unchanged.
db 89 4E 24 8B 50 04
unregistersymbol(_PlayerPosY)
{
// ORIGINAL CODE - INJECTION POINT: "Condemned.exe"+279FC
"Condemned.exe"+279EB: CC - int 3
"Condemned.exe"+279EC: CC - int 3
"Condemned.exe"+279ED: CC - int 3
"Condemned.exe"+279EE: CC - int 3
"Condemned.exe"+279EF: CC - int 3
"Condemned.exe"+279F0: 83 EC 18 - sub esp,18
"Condemned.exe"+279F3: 8B 44 24 1C - mov eax,[esp+1C]
"Condemned.exe"+279F7: 56 - push esi
"Condemned.exe"+279F8: 8B F1 - mov esi,ecx
"Condemned.exe"+279FA: 8B 08 - mov ecx,[eax]
// ---------- INJECTING HERE ----------
"Condemned.exe"+279FC: 89 4E 24 - mov [esi+24],ecx
"Condemned.exe"+279FF: 8B 50 04 - mov edx,[eax+04]
// ---------- DONE INJECTING ----------
"Condemned.exe"+27A02: 89 56 28 - mov [esi+28],edx
"Condemned.exe"+27A05: 8B 48 08 - mov ecx,[eax+08]
"Condemned.exe"+27A08: 89 4E 2C - mov [esi+2C],ecx
"Condemned.exe"+27A0B: D9 46 78 - fld dword ptr [esi+78]
"Condemned.exe"+27A0E: D8 00 - fadd dword ptr [eax]
"Condemned.exe"+27A10: 56 - push esi
"Condemned.exe"+27A11: D9 46 7C - fld dword ptr [esi+7C]
"Condemned.exe"+27A14: D8 40 04 - fadd dword ptr [eax+04]
"Condemned.exe"+27A17: D9 86 80 00 00 00 - fld dword ptr [esi+00000080]
"Condemned.exe"+27A1D: D8 40 08 - fadd dword ptr [eax+08]
}
15
"Player x (or Y) p-scan (o-p)"
80000008
Float
"Condemned.exe"+0016CC98
2C
148
24
790
7B4
Increase Value
80
5
0
Decrease Value
79
5
1
Increase Value
18
80
20
2
Decrease Value
18
79
20
3
271
"_PlayerPosXInstr - This writes to Player Pos X"
800080
Auto Assembler Script
// _PlayerPosXInstr
// Finds the instruction that stores the player's X position ([esi+2C]; the
// table entry reads it as a Float) and registers its address as the symbol
// _PlayerPosX so other entries can refer to it.
//
// Nothing is injected: [ENABLE] re-assembles the original instruction
// (mov [esi+2C],ecx = 89 4E 2C) in place, so game code is unchanged while
// the symbol is registered. The "INJECTING HERE" markers in the block
// comment below are only the CE template's listing of the original code.
//
// NOTE(review): aobscanmodule uses the FIRST match inside Condemned.exe and
// does not verify uniqueness. This signature is only 6 bytes (the sibling
// _PlayerPosY script uses 16); if it ever matched elsewhere, [ENABLE] would
// overwrite code at that location. The original-code listing below offers
// more bytes to extend it with, should that be needed.
[ENABLE]
aobscanmodule(PlayerPosX,Condemned.exe,89 4E 2C D9 46 78)
label(_PlayerPosX)
registersymbol(_PlayerPosX)
PlayerPosX:
_PlayerPosX:
mov [esi+2C],ecx
[DISABLE]
_PlayerPosX:
// Restore the 3 original bytes of mov [esi+2C],ecx.
db 89 4E 2C
unregistersymbol(_PlayerPosX)
{
// ORIGINAL CODE - INJECTION POINT: "Condemned.exe"+27A08
"Condemned.exe"+279EF: CC - int 3
"Condemned.exe"+279F0: 83 EC 18 - sub esp,18
"Condemned.exe"+279F3: 8B 44 24 1C - mov eax,[esp+1C]
"Condemned.exe"+279F7: 56 - push esi
"Condemned.exe"+279F8: 8B F1 - mov esi,ecx
"Condemned.exe"+279FA: 8B 08 - mov ecx,[eax]
"Condemned.exe"+279FC: 89 4E 24 - mov [esi+24],ecx
"Condemned.exe"+279FF: 8B 50 04 - mov edx,[eax+04]
"Condemned.exe"+27A02: 89 56 28 - mov [esi+28],edx
"Condemned.exe"+27A05: 8B 48 08 - mov ecx,[eax+08]
// ---------- INJECTING HERE ----------
"Condemned.exe"+27A08: 89 4E 2C - mov [esi+2C],ecx
"Condemned.exe"+27A0B: D9 46 78 - fld dword ptr [esi+78]
// ---------- DONE INJECTING ----------
"Condemned.exe"+27A0E: D8 00 - fadd dword ptr [eax]
"Condemned.exe"+27A10: 56 - push esi
"Condemned.exe"+27A11: D9 46 7C - fld dword ptr [esi+7C]
"Condemned.exe"+27A14: D8 40 04 - fadd dword ptr [eax+04]
"Condemned.exe"+27A17: D9 86 80 00 00 00 - fld dword ptr [esi+00000080]
"Condemned.exe"+27A1D: D8 40 08 - fadd dword ptr [eax+08]
"Condemned.exe"+27A20: D9 5C 24 1C - fstp dword ptr [esp+1C]
"Condemned.exe"+27A24: D9 00 - fld dword ptr [eax]
"Condemned.exe"+27A26: D8 66 78 - fsub dword ptr [esi+78]
"Condemned.exe"+27A29: D9 40 04 - fld dword ptr [eax+04]
}
Code :mov [esi+000001BC],eax
0439519E
GameClient.dll
9519E
D8
8B
44
24
58
89
86
BC
01
00
00
C6
86
B8
01
00
Change of mov [esi+000001BC],eax
0446519E
GameClient.dll
9519E
D8
8B
44
24
58
89
86
BC
01
00
00
C6
86
B8
01
00
Change of push 74
0053A9E8
Condemned.exe
13A9E8
25
EC
A2
54
00
6A
74
68
B0
D7
55
00
Change of fstp dword ptr [eax+30]
0448FC73
GameClient.dll
5FC73
50
18
89
48
38
D9
58
30
D9
44
24
38
D8
Change of mov [esi+74],eax
042F8D50
GameClient.dll
38D50
1C
D8
64
24
1C
89
46
74
D9
54
24
14
D8
Change of mov [esi+28],edx
00427AB2
Condemned.exe
27AB2
4E
24
8B
50
04
89
56
28
8B
48
08
89
4E
Change of mov edx,[ecx+28]
00408B75
Condemned.exe
8B75
8B
51
24
89
10
8B
51
28
89
50
04
8B
49
Change of fadd dword ptr [edi+04]
004355B9
Condemned.exe
355B9
C9
D8
07
D9
1E
D8
47
04
D9
5E
04
D9
44
Change of mov ebx,[eax+28]
00434EAC
Condemned.exe
34EAC
24
89
5C
24
2C
8B
58
28
89
5C
24
30
8B
Change of fld dword ptr [edx+28]
0041C1AB
Condemned.exe
1C1AB
20
8B
4C
24
1C
D9
42
28
D8
49
04
8B
42
Change of fsub dword ptr [edx+28]
0041C22E
Condemned.exe
1C22E
D9
1C
24
D9
C9
D8
62
28
D9
5C
24
04
D8
Change of fadd dword ptr [esi+04]
0043565B
Condemned.exe
3565B
18
8B
54
24
18
D8
46
04
D9
5C
24
1C
D9
Change of mov edx,[ecx+28]
004356FB
Condemned.exe
356FB
D8
49
40
89
10
8B
51
28
89
50
04
8B
49
Change of fld dword ptr [edx+04]
00407C24
Condemned.exe
7C24
7A
26
D9
41
04
D9
42
04
DA
E9
DF
E0
F6
Change of fld dword ptr [ecx+28]
0040C769
Condemned.exe
C769
51
2C
D9
41
24
D9
41
28
89
54
24
08
8B
Change of fld dword ptr [ecx+04]
00407C21
Condemned.exe
7C21
F6
C4
44
7A
26
D9
41
04
D9
42
04
DA
E9
Change of fld dword ptr [esi+3C]
0040E31B
Condemned.exe
E31B
7A
0F
D9
41
0C
D9
46
3C
DA
E9
DF
E0
F6
Change of mov edx,[ecx+04]
0040C71C
Condemned.exe
C71C
04
8B
11
89
10
8B
51
04
89
50
04
8B
49
Change of mov [esi+28],edx
00427A02
Condemned.exe
27A02
4E
24
8B
50
04
89
56
28
8B
48
08
89
4E
Change of mov edx,[eax+04]
00443E6D
Condemned.exe
43E6D
83
C0
24
8B
08
8B
50
04
8B
40
08
89
44
Change of mov ecx,[eax+04]
0043EB5A
Condemned.exe
3EB5A
24
89
4C
24
18
8B
48
04
8B
40
08
89
44
Change of fld dword ptr [ebp+28]
0051DF09
Condemned.exe
11DF09
D8
4B
20
DE
C1
D9
45
28
D8
4B
24
DE
C1
Change of fmul dword ptr [ebp+28]
0051DEE3
Condemned.exe
11DEE3
5B
0C
D9
43
14
D8
4D
28
D9
45
24
D8
4B
Change of fmul dword ptr [ebp+28]
0051DED6
Condemned.exe
11DED6
DE
C1
D9
43
04
D8
4D
28
DE
C1
D9
E0
D9
Change of mov edx,[ebp+28]
0051DE77
Condemned.exe
11DE77
45
24
89
41
0C
8B
55
28
89
51
1C
8B
45
Change of fsub dword ptr [eax+28]
0051FAEC
Condemned.exe
11FAEC
60
24
D9
41
04
D8
60
28
D9
41
08
D8
60
Change of fsub dword ptr [edi+28]
0052AB21
Condemned.exe
12AB21
80
84
02
00
00
D8
67
28
D9
80
88
02
00
Change of mov ecx,[esi+28]
0043614C
Condemned.exe
3614C
36
01
00
00
00
8B
4E
28
8B
46
24
8B
56
Change of fstp dword ptr [esi+04]
004355BC
Condemned.exe
355BC
D9
1E
D8
47
04
D9
5E
04
D9
44
24
18
D8
Change of fld dword ptr [esp+18]
004355BF
Condemned.exe
355BF
47
04
D9
5E
04
D9
44
24
18
D8
47
08
D9
5E
Change of fstp dword ptr [esi+08]
004355C6
Condemned.exe
355C6
24
18
D8
47
08
D9
5E
08
D9
45
1C
D8
4F
Change of fmul dword ptr [edi+1C]
004355CC
Condemned.exe
355CC
5E
08
D9
45
1C
D8
4F
1C
5F
D9
5E
1C
5E
Change of fst dword ptr [esp+18]
004355A3
Condemned.exe
355A3
24
24
D8
48
08
D9
54
24
18
D9
C2
D9
1E
D9
Change of fmul dword ptr [eax+04]
00435599
Condemned.exe
35599
08
D9
44
24
24
D8
48
04
D9
44
24
24
D8
Change of mov edx,[ecx+24]
00408B70
Condemned.exe
8B70
08
85
C0
74
16
8B
51
24
89
10
8B
51
28
Change of mov ecx,[esp+04]
00408B60
Condemned.exe
8B60
CC
CC
CC
CC
CC
8B
4C
24
04
85
C9
74
1E
8B
Change of mov [esp+30],ebx
00434EAF
Condemned.exe
34EAF
24
2C
8B
58
28
89
5C
24
30
8B
58
2C
89
5C
Change of mov [esp+14],eax
0051DE8F
Condemned.exe
11DE8F
3F
74
39
8B
D0
89
44
24
14
8D
44
24
10
50
Change of mov eax,[esi+24]
0043614F
Condemned.exe
3614F
00
00
8B
4E
28
8B
46
24
8B
56
2C
89
4C
Change of fadd dword ptr [edi]
004355B5
Condemned.exe
355B5
D9
5E
08
D9
C9
D8
07
D9
1E
D8
47
04
Change of mov edx,[eax+04]
004279FF
Condemned.exe
279FF
8B
08
89
4E
24
8B
50
04
89
56
28
8B
48
Change of mov ecx,[eax+08]
00427A05
Condemned.exe
27A05
90
90
89
56
28
8B
48
08
89
4E
2C
D9
46
Change of fld dword ptr [esi+78]
00427A0B
Condemned.exe
27A0B
90
90
89
4E
2C
D9
46
78
D8
00
56
D9
46
Change of mov [esi+24],ecx
004279FC
Condemned.exe
279FC
56
8B
F1
8B
08
89
4E
24
8B
50
04
89
56
Change of mov [esi+2C],ecx
00427A08
Condemned.exe
27A08
90
90
8B
48
08
89
4E
2C
D9
46
78
D8
00
Change of add ecx,eax
0053AA0C
Condemned.exe
13AA0C
75
1F
8B
48
3C
03
C8
81
39
50
45
00
Change of mov edi,ebx
0430E6ED
GameClient.dll
8E6ED
B9
20
00
00
00
8B
FB
F3
A5
8B
7D
08
Change of mov edi,ebx
0430E71A
GameClient.dll
8E71A
B9
20
00
00
00
8B
FB
F3
A5
8B
7D
00
Change of mov edi,ebx
0430E74E
GameClient.dll
8E74E
00
00
00
8B
F0
8B
FB
F3
A5
8B
CD
E8
Change of fld dword ptr [esp+24]
0043558F
Condemned.exe
3558F
E8
41
07
FD
FF
D9
44
24
24
D8
08
D9
44
24
Change of fmul dword ptr [eax]
00435593
Condemned.exe
35593
FF
D9
44
24
24
D8
08
D9
44
24
24
D8
Change of fld dword ptr [esp+24]
00435595
Condemned.exe
35595
44
24
24
D8
08
D9
44
24
24
D8
48
04
D9
44
Change of fld dword ptr [esp+24]
0043559C
Condemned.exe
3559C
24
24
D8
48
04
D9
44
24
24
D8
48
08
D9
54
Change of mov ecx,[edi+1C]
0043557B
Condemned.exe
3557B
40
0C
89
46
18
8B
4F
1C
55
8D
54
24
14
Change of mov [esi+0C],edx
00435566
Condemned.exe
35566
83
FF
FF
8B
10
89
56
0C
8B
48
04
89
4E
Change of mov [esi+14],edx
00435572
Condemned.exe
35572
4E
10
8B
50
08
89
56
14
8B
40
0C
89
46
Change of mov edi,[esp+24]
0043554B
Condemned.exe
3554B
6C
24
20
56
57
8B
7C
24
24
8B
F1
8D
45
0C
Change of mov [esi+08],eax
00435527
Condemned.exe
35527
44
24
0C
D9
C9
89
46
08
D9
1E
D9
5E
04
Change of mov [esp+14],eax
004354E7
Condemned.exe
354E7
41
04
56
D9
E0
89
44
24
14
D9
41
08
89
41
Change of mov edx,[esp+20]
0041C1A3
Condemned.exe
1C1A3
CC
CC
83
EC
18
8B
54
24
20
8B
4C
24
1C
D9
Change of add [eax],eax
04379F40
GameClient.dll
169F40
04
00
00
00
00
01
00
00
00
78
FC
69
Change of add [eax],eax
044C9F40
GameClient.dll
169F40
04
00
00
00
00
01
00
00
00
30
FA
6F