spoofy (Cheater; Reputation: 0; Joined: 19 Sep 2015; Posts: 33)
Posted: Fri Jan 06, 2017 7:28 am    Post subject: Find code triggered by in-game hotkey?
Is there any way to find code triggered by a hotkey?
Specifically, I am looking to disable camera reset in Dark Souls 3, as there's another function (target lock) which uses the exact same hotkey.
It just seems too obscure to find the code in any other way.

++METHOS (I post too much; Reputation: 92; Joined: 29 Oct 2010; Posts: 4197)
Posted: Fri Jan 06, 2017 12:02 pm
Ultimap.

spoofy (Cheater; Reputation: 0; Joined: 19 Sep 2015; Posts: 33)
Posted: Fri Jan 06, 2017 11:53 pm
Cheers ++METHOS.
Gave Ultimap a go; pretty simple to use. Got 50 results (11 if filtering CALLs only).
But I'm not sure how to find the relevant one and go from there. I tried replacing the CALLs/JNE with NOPs, but the game crashes. Any advice?

++METHOS (I post too much; Reputation: 92; Joined: 29 Oct 2010; Posts: 4197)
Posted: Sat Jan 07, 2017 4:53 am
Ultimap is not for newbies; it requires an understanding of assembly. You'll have to analyze the code and figure out what's going on and what you need to do to get the desired outcome. There's no simple answer, unfortunately.

spoofy (Cheater; Reputation: 0; Joined: 19 Sep 2015; Posts: 33)
Posted: Sat Jan 07, 2017 7:31 am
Ah damn, I was hoping it would be simple like the scanning part & AOB injections.

++METHOS (I post too much; Reputation: 92; Joined: 29 Oct 2010; Posts: 4197)
Posted: Sat Jan 07, 2017 2:53 pm
It might be something as simple as changing a jump or nop'ing an instruction, but you'll have to figure out where that needs to happen.

atom0s (Moderator; Reputation: 198; Joined: 25 Jan 2006; Posts: 8517; Location: 127.0.0.1)
Posted: Sat Jan 07, 2017 8:51 pm
Determining how the game handles the key presses and then going from there is normally what I do. For example, if the game processes the input via DirectInput, I would look for where the data is being queried (GetDeviceData / GetDeviceState) and trace back to the call that invoked it. From there, trace back as needed until you find where keys are being either compared or checked for input actions.
- Retired.

spoofy (Cheater; Reputation: 0; Joined: 19 Sep 2015; Posts: 33)
Posted: Sun Jan 08, 2017 4:59 pm
++METHOS wrote:
> It might be something as simple as changing a jump or nop'ing an instruction, but you'll have to figure out where that needs to happen.

Thanks, using Ultimap I found some code which only gets executed during the action I wish to disable (camera reset).
Is there any way to find the call/jump that led to this code, and recursively find the source?
That code was in DS3:Scaleform though; iirc that's UI middleware, so maybe I'm on the wrong trail.

atom0s wrote:
> Determine how the game handles the key presses then go from there is normally what I do. For example, if the game processes the input via Direct Input, I would look for where the data is being queried for (GetDeviceData / GetDeviceState) and trace back to the call that invoked it. From there trace back as needed til you find where keys are being either compared or checked for input actions.

Nice, how do you find where the DirectInput data is being queried?
I did a memory search for the text you posted above and found something in protected memory; dunno if it's useful.
Another thing you mention is "tracing back": does that mean Cheat Engine has capabilities to find the original call that led to the selected code?
I tried doing "back trace", but from what I gather it's a trace with a confusing name. Cheers.

++METHOS (I post too much; Reputation: 92; Joined: 29 Oct 2010; Posts: 4197)
Posted: Sun Jan 08, 2017 5:21 pm
Yes, CE will allow you to backtrace and see all of the calls that led to that subroutine. You can go back as many levels as you want, set breakpoints and step through code to see what is happening and when, to determine what/where you need to manipulate in order to achieve the desired effect.

ulysse31 (Master Cheater; Reputation: 2; Joined: 19 Mar 2015; Posts: 324; Location: Paris)
Posted: Sun Jan 08, 2017 5:41 pm
spoofy wrote:
> Nice, how do you find where the directinput data is being queried?

In the memory viewer go to View and click on "Enumerate DLL's and Symbols".
In the new form, search for the GetDeviceState and GetDeviceData APIs.
Put breakpoints on them.
Start reversing.
Make sure you check the MSDN docs for both APIs.

atom0s (Moderator; Reputation: 198; Joined: 25 Jan 2006; Posts: 8517; Location: 127.0.0.1)
Posted: Mon Jan 09, 2017 12:36 am
spoofy wrote:
> ++METHOS wrote:
> > It might be something as simple as changing a jump or nop'ing an instruction, but you'll have to figure out where that needs to happen.
>
> Thanks, using Ultimap I found some code which only gets executed during the action I wish to disable (camera reset).
> Is there any way to find the call/jump that led to this code, and recursively find the source?
> That code was in DS3:Scaleform though; iirc that's UI middleware, so maybe I'm on the wrong trail.
>
> atom0s wrote:
> > Determine how the game handles the key presses then go from there is normally what I do. For example, if the game processes the input via Direct Input, I would look for where the data is being queried for (GetDeviceData / GetDeviceState) and trace back to the call that invoked it. From there trace back as needed til you find where keys are being either compared or checked for input actions.
>
> Nice, how do you find where the DirectInput data is being queried?
> I did a memory search for the text you posted above and found something in protected memory; dunno if it's useful.
> Another thing you mention is "tracing back": does that mean Cheat Engine has capabilities to find the original call that led to the selected code?
> I tried doing "back trace", but from what I gather it's a trace with a confusing name. Cheers.

For DirectInput, find where the device pointer is being stored, i.e. break on DirectInputCreate8 and hold onto the pointer, or find it in memory somewhere. Then find where CreateDevice is being called with it and ensure the GUID is that of Sys_Keyboard. From there you will have the keyboard device pointer and can monitor for GetDeviceData/GetDeviceState calls. The easiest way to do this is to inject and wrap DirectInput, assuming that is what is being used for input.
It just depends on the game. If not, check for the window message handler instead, and look for WM_CHAR/WM_KEYDOWN/WM_KEYUP messages, GetAsyncKeyState / GetKeyState etc. type APIs instead.
- Retired.
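To make the second suggestion above concrete (break on the key-polling APIs and see who called them), here is an added Cheat Engine Lua script that is not part of the thread; it assumes a 64-bit target debugged with CE's own debugger, the win64 calling convention (first argument in RCX, return address at [RSP] at function entry), and the symbol names user32.GetAsyncKeyState / user32.GetKeyState.

```lua
-- Added example (not from the thread): Cheat Engine Lua script that logs which
-- code polls the keyboard through GetAsyncKeyState / GetKeyState, and which key.
-- Assumptions: 64-bit target, CE's own debugger attached, and the win64 ABI
-- (first argument in RCX, return address at [RSP] when the breakpoint fires).
local POLL_APIS = { "user32.GetAsyncKeyState", "user32.GetKeyState" }

local watched = {}   -- breakpoint address -> symbol name
local seen = {}      -- "caller|vk" -> true, so repeated polls are logged once

-- CE calls this for every breakpoint hit; only our API breakpoints are handled here.
function debugger_onBreakpoint()
  local api = watched[RIP]
  if api == nil then
    return 0                              -- not ours: let the debugger break normally
  end
  local retaddr = readPointer(RSP)        -- address right after the CALL that got here
  local vk = RCX & 0xff                   -- vKey argument (RCX under win64)
  local key = string.format("%X|%02X", retaddr, vk)
  if not seen[key] then
    seen[key] = true
    print(string.format("%s polled vk=0x%02X from %s (%X)",
          api, vk, getNameFromAddress(retaddr), retaddr))
  end
  return 1                                -- continue execution without stopping
end

debugProcess()
for _, sym in ipairs(POLL_APIS) do
  local addr = getAddress(sym)
  watched[addr] = sym
  debug_setBreakpoint(addr)               -- execute breakpoint at the API entry
end
print("Logging callers; press the hotkey in game, then remove the breakpoints when done")
```

The caller is recovered from the return address the CALL pushed at [RSP], which is also why a stack-based backtrace only ever shows CALLs: a JMP pushes nothing, so the jump that led to a block has to be found by stepping or by searching for references to its address.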

spoofy (Cheater; Reputation: 0; Joined: 19 Sep 2015; Posts: 33)
Posted: Mon Jan 09, 2017 4:33 pm
@ulysse31 & @atom0s: wow, thanks so much for the detailed instructions; looks really advanced, but amazing stuff!
@++METHOS: I spent 3 hours last night and couldn't find any way to get the calling jump. Does CE back trace only work with CALLs?
i.e. the only useful code I got with Ultimap has a jump, and I already know where the jump leads to a XOR. So to test, I tried putting breakpoints and checking the stack, and also tried break & trace, but it never gave me the jump that led to it.
Edit: also found the CALL when any key is pressed, so what I need is somewhere between this and the Scaleform jump below.
Edit 2: found a JNE which differentiates keys in the middle; however it seems much more complicated than that, and what I need might be even farther back. Damn, so complex ...