Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


WTB help on tracking down function calls

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials
View previous topic :: View next topic  
Author Message
Matukaa
How do I cheat?
Reputation: 0

Joined: 16 Dec 2015
Posts: 5

PostPosted: Thu Dec 17, 2015 8:24 am    Post subject: WTB help on tracking down function calls Reply with quote

Hey guys!

I've been trying to learn how to mess around in CE. So far I've managed to track down multilevel pointers for different things (atm I'm working on Binding of Isaac: Afterbirth) and by using C++ I can edit these values (using WriteProcessMemory()). I successfully allocated memory (VirtualAllocEx()), injected bytecode for decrementing my bombs for example, created a new thread (CreateRemoteThread()) which runs from the allocated memory, so these works fine for me Smile
For example:
Code:
push eax
mov eax,bombpointer //this is a multi level pointer
dec [eax]
pop eax
ret

I'm learning assembly as well on the uni, so that's not a problem, I'm aware of a lots of things, but I simply cannot make calls. I tried to call the function which drops a bomb for me, and I think I successfully tracked down the call using Ultimap, but if I try to inject the bytecode for the call, it instantly crashes (who would've thought?), since I need to set first parameters and stuff. But I have no idea which parameters does the function use, what to push and pop, and how to track down the values of the parameters and inject the call correctly.

Nuthsell: if anyone could teach me how to track down calls and their parameters, and how to call them without crashing the application, I would be really grateful, I'm even thinking about paying for it Smile

Cheers!
Back to top
View user's profile Send private message AIM Address
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Thu Dec 17, 2015 9:58 am    Post subject: Reply with quote

Find some call to that subroutine in the code that works, then just look at what values are pushed onto the stack right before it. You can also look at the subroutine itself to find out what things on the stack it uses.

Looking at the call to the subroutine:
First of all, look at anything that's pushed onto the stack right before the call. The first few might be saving the caller-saved registers (eax, ecx, edx; it should pop them back in after the call), but most of the pushes are probably the arguments passed to the subroutine it's calling. Then, look at how the program is calculating these values; where it's getting them from. If every call you find is pushing the same address onto the stack before the call, then try to find a pointer to that address (preferably using the asm before the call) so that you can do the same. If it's pushing some value onto the stack, you might be able to figure out what that value represents just by what it is. If so, you may not need to calculate it in the same manner the game is, and you can simply push it onto the stack as an immediate.

Beyond that, I'm not sure how much more information you can get out by looking at a call to a subroutine, so moving on...

Looking at the subroutine itself:
I'll assume the subroutine has its own stack frame (first two lines are push ebp / mov ebp,esp). Look for any instructions that access any address of the form ebp+X, where X is some offset (probably not that large; less than 255). [ebp] is the ebp of the caller, [ebp+4] is the return address of the call, and anything above that ([ebp+8], [ebp+C], etc) are the arguments passed to this subroutine.

There's no definite way to analyze these arguments past this point. It's up to you to analyze how the subroutine uses them by looking through the subroutine. Breaking and tracing the start of the subroutine could help by giving you all the registers' values at any given instruction. Setting a breakpoint before a call to it and setting "break on access" data breakpoints on the addresses of the arguments can let you find out when/where the subroutine is accessing the arguments, which then leads to showing you how it's using them (the important part).

If you'd like specific help with something, posting the assembly around the area you're working with will help.

PS: in that example, if bombpointer is the base address of a multilevel pointer, then dec [eax] wouldn't modify the end value bombpointer is pointing to, it would just modify the value of bombpointer itself.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
Matukaa
How do I cheat?
Reputation: 0

Joined: 16 Dec 2015
Posts: 5

PostPosted: Thu Dec 17, 2015 10:31 am    Post subject: Reply with quote

When I inject the bytecode for that example, the bombpointer is already calculated in C++. I do ReadProcessMemory() from the basepointer+offset1, then do again for that+offset2, and again with that+offset3, so that actually works just fine Very Happy "bombpointer" in that case is the final address that points to the memory area on which the bombs are stored.

Thanks for the tips anyway, you are right, the function starts with push ebp and esp, I'll try do some progress following your tips Smile

Okay, so here's where I got:
On the aftercall.png I highlighted again a call, because I can't really decide which one is the dropping bomb. Both of them breaks only when I press the button for dropping the bomb



aftercall.png
 Description:
This is when the function is called.
 Filesize:  99.78 KB
 Viewed:  11931 Time(s)

aftercall.png



beforecall.png
 Description:
The line that calls the function
 Filesize:  212.4 KB
 Viewed:  11932 Time(s)

beforecall.png


Back to top
View user's profile Send private message AIM Address
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites