Cheat Engine Forum (The Official Site of Cheat Engine)
Changed memory doesn't apply until in-game button pressed

Forum: General Gamehacking
foggyspider
Newbie cheater
Reputation: 0

Joined: 20 May 2010
Posts: 11

Posted: Mon Dec 18, 2017 5:58 pm    Post subject: Changed memory doesn't apply until in-game button pressed

Cheat Engine can set the memory, but the program does not check the memory or reflect the change until you press a button in-game.
Is it possible to change memory and call the function in the game that runs when you change it through their interface?
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Tue Dec 19, 2017 9:20 am

If you know what you are doing...(I've _mostly_ avoided calling game functions, especially gui ones). Sometimes you can just find the address for the display value and change it too, rather than trying to track down the function and figure out how to properly call it without crashing the game.
foggyspider
Newbie cheater
Reputation: 0

Joined: 20 May 2010
Posts: 11

Posted: Tue Dec 19, 2017 10:47 am

FreeER wrote:
If you know what you are doing...(I've _mostly_ avoided calling game functions, especially gui ones). Sometimes you can just find the address for the display value and change it too, rather than trying to track down the function and figure out how to properly call it without crashing the game.


Unfortunately after extensive searching I cannot find any such addresses. Can you please help point me in the right direction of using cheat engine to call a game function?
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Tue Dec 19, 2017 11:24 am

Essentially, you find the address of the start of the function and use the instruction call <address>.

Obviously it's not always that simple. If it takes arguments, and they often do, then you have to figure out what type of arguments it takes and what values you can pass yourself when calling it. If it takes a pointer to a GUI object and to the player, then you have to give it valid pointers to those objects when you call it, or it's going to crash trying to use the ones it believes are there. If you're using CreateThread rather than hooking existing code to call the function, then you're not going to have any usable values in registers already, so you'd probably need some way to find them (probably by reading pointers to those pointers manually in assembly, using an aobscan to find the pointer, or hooking some other code and copying the pointer to some allocated memory you can then read from).

Once you actually know what all of the arguments are and how you are going to get them, then you have to determine how to pass them. If it's an x64 game then it's fairly simple: you subtract 0x20 from rsp for "shadowspace" (a place for the function to save register values it needs to overwrite), move the values into the correct registers (in order: RCX, RDX, R8, R9 / XMM0, XMM1, XMM2, XMM3 for floating point values; if there happen to be more than four then you use the stack like x86 for the rest), call the function, and then (I believe) add 0x20 back to rsp to "delete" the shadowspace memory.

If it's x86 then you have to figure out if it's stdcall, cdecl, thiscall, or (rarely) something else. With stdcall you just push all the arguments on the stack and call the function; with cdecl you also have to remove the arguments from the stack after the call; and thiscall is basically the same as cdecl except that you have a pointer in ecx (many object methods only need one argument, the pointer to the object to work with, so using 1 register rather than the stack is faster).

Obviously, finding where the game is calling the function can help a lot in figuring out what the arguments are, how it gets them, and how it provides them to the function.
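The x64 procedure FreeER describes, written out as a Cheat Engine auto-assembler script. This is an added example, not code from the thread: the function address, the `argObject` pointer and the argument values are placeholders, and the script reserves 8 bytes beyond the 0x20 shadow space so that RSP is 16-byte aligned at the call, which the Windows x64 ABI requires.

```asm
[ENABLE]
alloc(callerThread, 1024)
alloc(argObject, 8)        // must hold a valid object pointer before the thread runs
label(targetFunc)

callerThread:
  // Windows x64: 0x20 bytes of shadow space for the callee, plus 8 more
  // so RSP is 16-byte aligned at the call (thread entry leaves it 8 mod 16)
  sub rsp, 28
  mov rcx, [argObject]     // 1st integer/pointer argument -> RCX
  mov edx, 64              // 2nd argument -> RDX (constructed value, hex 0x64)
  // a 3rd and 4th argument would go in R8 and R9; floats in XMM0..XMM3;
  // anything beyond four is pushed on the stack, as in x86
  mov rax, [targetFunc]
  call rax
  add rsp, 28              // release the shadow space again
  xor eax, eax             // thread exit code 0
  ret

// PLACEHOLDER: start address of the game function found in the disassembler
targetFunc:
  dq 7FF600001000

createthread(callerThread)

[DISABLE]
dealloc(callerThread)
dealloc(argObject)
```

Cheat Engine's assembler reads numbers as hexadecimal, so `sub rsp, 28` is 0x28 bytes.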
foggyspider
Newbie cheater
Reputation: 0

Joined: 20 May 2010
Posts: 11

Posted: Tue Dec 19, 2017 9:03 pm

FreeER wrote:
Essentially, you find the address of the start of the function and use the instruction call <address>.

Obviously it's not always that simple. If it takes arguments, and they often do, then you have to figure out what type of arguments it takes and what values you can pass yourself when calling it. If it takes a pointer to a GUI object and to the player, then you have to give it valid pointers to those objects when you call it, or it's going to crash trying to use the ones it believes are there. If you're using CreateThread rather than hooking existing code to call the function, then you're not going to have any usable values in registers already, so you'd probably need some way to find them (probably by reading pointers to those pointers manually in assembly, using an aobscan to find the pointer, or hooking some other code and copying the pointer to some allocated memory you can then read from).

Once you actually know what all of the arguments are and how you are going to get them, then you have to determine how to pass them. If it's an x64 game then it's fairly simple: you subtract 0x20 from rsp for "shadowspace" (a place for the function to save register values it needs to overwrite), move the values into the correct registers (in order: RCX, RDX, R8, R9 / XMM0, XMM1, XMM2, XMM3 for floating point values; if there happen to be more than four then you use the stack like x86 for the rest), call the function, and then (I believe) add 0x20 back to rsp to "delete" the shadowspace memory.

If it's x86 then you have to figure out if it's stdcall, cdecl, thiscall, or (rarely) something else. With stdcall you just push all the arguments on the stack and call the function; with cdecl you also have to remove the arguments from the stack after the call; and thiscall is basically the same as cdecl except that you have a pointer in ecx (many object methods only need one argument, the pointer to the object to work with, so using 1 register rather than the stack is faster).

Obviously, finding where the game is calling the function can help a lot in figuring out what the arguments are, how it gets them, and how it provides them to the function.


Thank you for taking the time to post this, I really appreciate the help.
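The three x86 conventions from FreeER's explanation quoted above, side by side in one Cheat Engine auto-assembler script. This is an added example, not code from the thread; the three function addresses and the argument values are placeholders. One caveat beyond the post: under MSVC's thiscall the callee removes the stack arguments, so the caller only cleans the stack after the cdecl call.

```asm
[ENABLE]
alloc(callerThread, 1024)
alloc(objPtr, 4)           // must hold a valid object pointer before the thread runs

// PLACEHOLDERS: replace with the real start addresses found in the game
define(stdcallFunc,  00401000)
define(cdeclFunc,    00402000)
define(thiscallFunc, 00403000)

callerThread:
  // stdcall(a, b): push right to left, the callee pops the arguments
  push 2
  push 1
  call stdcallFunc

  // cdecl(a, b): same pushes, but the caller removes 2*4 bytes afterwards
  push 2
  push 1
  call cdeclFunc
  add esp, 8

  // MSVC thiscall: 'this' in ECX, remaining args on the stack, callee cleans up
  mov ecx, [objPtr]
  push 5
  call thiscallFunc

  xor eax, eax             // thread exit code 0
  ret 4                    // the thread entry itself is stdcall with one parameter

createthread(callerThread)

[DISABLE]
dealloc(callerThread)
dealloc(objPtr)
```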