|
Cheat Engine The Official Site of Cheat Engine
|
View previous topic :: View next topic |
Author |
Message |
Matukaa How do I cheat? Reputation: 0
Joined: 16 Dec 2015 Posts: 5
|
Posted: Thu Dec 17, 2015 8:24 am Post subject: WTB help on tracking down function calls |
|
|
Hey guys!
I've been trying to learn how to mess around in CE. So far I've managed to track down multilevel pointers for different things (atm I'm working on Binding of Isaac: Afterbirth) and by using C++ I can edit these values (using WriteProcessMemory()). I successfully allocated memory (VirtualAllocEx()), injected bytecode for decrementing my bombs for example, created a new thread (CreateRemoteThread()) which runs from the allocated memory, so these works fine for me
For example:
Code: | push eax
mov eax,bombpointer //this is a multi level pointer
dec [eax]
pop eax
ret |
I'm learning assembly as well on the uni, so that's not a problem, I'm aware of a lots of things, but I simply cannot make calls. I tried to call the function which drops a bomb for me, and I think I successfully tracked down the call using Ultimap, but if I try to inject the bytecode for the call, it instantly crashes (who would've thought?), since I need to set first parameters and stuff. But I have no idea which parameters does the function use, what to push and pop, and how to track down the values of the parameters and inject the call correctly.
Nuthsell: if anyone could teach me how to track down calls and their parameters, and how to call them without crashing the application, I would be really grateful, I'm even thinking about paying for it
Cheers!
|
|
Back to top |
|
|
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
|
Posted: Thu Dec 17, 2015 9:58 am Post subject: |
|
|
Find some call to that subroutine in the code that works, then just look at what values are pushed onto the stack right before it. You can also look at the subroutine itself to find out what things on the stack it uses.
Looking at the call to the subroutine:
First of all, look at anything that's pushed onto the stack right before the call. The first few might be saving the caller-saved registers (eax, ecx, edx; it should pop them back in after the call), but most of the pushes are probably the arguments passed to the subroutine it's calling. Then, look at how the program is calculating these values; where it's getting them from. If every call you find is pushing the same address onto the stack before the call, then try to find a pointer to that address (preferably using the asm before the call) so that you can do the same. If it's pushing some value onto the stack, you might be able to figure out what that value represents just by what it is. If so, you may not need to calculate it in the same manner the game is, and you can simply push it onto the stack as an immediate.
Beyond that, I'm not sure how much more information you can get out by looking at a call to a subroutine, so moving on...
Looking at the subroutine itself:
I'll assume the subroutine has its own stack frame (first two lines are push ebp / mov ebp,esp). Look for any instructions that access any address of the form ebp+X, where X is some offset (probably not that large; less than 255). [ebp] is the ebp of the caller, [ebp+4] is the return address of the call, and anything above that ([ebp+8], [ebp+C], etc) are the arguments passed to this subroutine.
There's no definite way to analyze these arguments past this point. It's up to you to analyze how the subroutine uses them by looking through the subroutine. Breaking and tracing the start of the subroutine could help by giving you all the registers' values at any given instruction. Setting a breakpoint before a call to it and setting "break on access" data breakpoints on the addresses of the arguments can let you find out when/where the subroutine is accessing the arguments, which then leads to showing you how it's using them (the important part).
If you'd like specific help with something, posting the assembly around the area you're working with will help.
PS: in that example, if bombpointer is the base address of a multilevel pointer, then dec [eax] wouldn't modify the end value bombpointer is pointing to, it would just modify the value of bombpointer itself.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
Back to top |
|
|
Matukaa How do I cheat? Reputation: 0
Joined: 16 Dec 2015 Posts: 5
|
Posted: Thu Dec 17, 2015 10:31 am Post subject: |
|
|
When I inject the bytecode for that example, the bombpointer is already calculated in C++. I do ReadProcessMemory() from the basepointer+offset1, then do again for that+offset2, and again with that+offset3, so that actually works just fine "bombpointer" in that case is the final address that points to the memory area on which the bombs are stored.
Thanks for the tips anyway, you are right, the function starts with push ebp and esp, I'll try do some progress following your tips
Okay, so here's where I got:
On the aftercall.png I highlighted again a call, because I can't really decide which one is the dropping bomb. Both of them breaks only when I press the button for dropping the bomb
Description: |
This is when the function is called. |
|
Filesize: |
99.78 KB |
Viewed: |
11931 Time(s) |
|
Description: |
The line that calls the function |
|
Filesize: |
212.4 KB |
Viewed: |
11932 Time(s) |
|
|
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum You cannot attach files in this forum You can download files in this forum
|
|