Henk | Posted: Tue Jan 16, 2018 3:40 pm | Post subject: Calling fire function in Jazz Jackrabbit 2
I've been trying to call the fire function in Jazz Jackrabbit 2 for hours and hours, but I keep crashing my game when I allocate memory and then create a thread.
I found out that the actual calling of the fire function happens at the following line:
Code:
    Jazz2.exe+34E2D - E8 EE31FFFF - call Jazz2.exe+28020
When I do, for example, an AOB injection and repeat the line that calls the function (call Jazz2.exe+28020), I can see that the actual firing action is triggered multiple times.
However, allocating memory and creating a thread with the following code doesn't work:
Code:
    call Jazz2.exe+28020
    ret
I know I have to push stuff on the stack and set registers, but how do I find out what I have to set? My cheat table, which contains a lot of memory addresses and some scripts, can be found on this Pastebin: pastebin[dot]com/ZP6620iC.
Please push me in the right direction.
FreeER | Posted: Tue Jan 16, 2018 4:47 pm
Look at what the code that calls it does and how those values are used inside the function. In other words, reverse engineer the code to the point that you understand what it does and how it works.
Henk | Posted: Wed Jan 24, 2018 12:54 pm
That's what I've done, but are there any methods to support and improve the process of doing this? I have no idea where to start.
FreeER | Posted: Wed Jan 24, 2018 3:34 pm
I really haven't done a lot of reversing on that level, so all I could mention are a few popular debuggers like CE, OllyDbg, x64dbg, and IDA (most specifically the graph view, which tries to show functions/loops as discrete things rather than all just one execution flow, though it has that too).
Look on some sites dedicated to reverse engineering and hacking and see what tools they recommend.
TheyCallMeTim13 | Posted: Wed Jan 24, 2018 3:49 pm
I haven't messed with it myself yet, but I came across this in the "celua.txt" file:
Code:
    executeCode(address, parameter OPTIONAL, timeout OPTIONAL) : address - Executes a stdcall function with 1 parameter at the given address in the target process and wait for it to return. The return value is the result of the function that was called
Not sure if this will help, but perhaps.
EDIT:
I would listen to @FreeER on this one myself. This was more for if you know how the function works and it only uses 1 argument.
Last edited by TheyCallMeTim13 on Wed Jan 24, 2018 4:28 pm; edited 1 time in total
FreeER | Posted: Wed Jan 24, 2018 4:19 pm
TL;DR: you still have to fully understand the function; it's mostly just a different way to use the asm createThread.
executeCode only allows 1 (pointer) argument and is for stdcall functions, so it's not generally useful for directly calling game functions, since they typically require multiple.
The way it tends to get used (excluding the rare Win API function that takes a single argument) is by using autoAssemble to create a function that takes a pointer to arguments in memory, sets up the call to the function you actually want, calls it, and returns the result. You'd then have a Lua function which took the arguments, wrote them to memory, and called executeCode on the asm wrapper with the address of the arguments in memory.
When I asked DB about multi-argument executeCode a while back, he mentioned several of the challenges with supporting the different standards (even x64 uses xmm registers for floats, not just rcx, rdx, etc.) but did provide this https://pastebin.com/raw/NcPUe4XL as a kind of example. Haven't really needed it since then, so never worked on it more though...
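An added example, not code from this thread, from Cheat Engine, or from Jazz Jackrabbit 2, of the wrapper pattern FreeER describes: a single-pointer entry point in the shape executeCode expects (one stdcall parameter) unpacks an argument block written to memory by the caller and performs the real multi-argument call. The names `fake_fire`, `fire_args`, `fire_wrapper` and `call_fire` and the three-integer signature are all constructed here; the real fire routine's signature is unknown from the thread and has to be recovered by reversing, as FreeER says. The `CE_STDCALL` macro is an assumption so the file also compiles outside 32-bit Windows, where the convention keyword does not apply. The comment block shows the equivalent auto-assembler shape for a cdecl target on 32-bit x86; if the wrapper pushes the wrong number of arguments or cleans the stack for the wrong convention, the stack is left unbalanced after the call, which is the kind of crash the first post reports.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: stand-in for the stdcall convention executeCode expects.
 * On 32-bit Windows this expands to __stdcall; elsewhere it is empty so the
 * marshalling logic can still be compiled and exercised. */
#if defined(_WIN32) && defined(_M_IX86)
#define CE_STDCALL __stdcall
#else
#define CE_STDCALL
#endif

/* Hypothetical multi-argument target standing in for the real game function.
 * Constructed for this example: three integer arguments, one status result. */
static int fake_fire(int shooter_id, int weapon, int ammo) {
    if (ammo <= 0) return -1;          /* nothing to fire */
    return shooter_id * 100 + weapon;  /* arbitrary observable result */
}

/* Argument block the Lua side would write into allocated memory before
 * calling executeCode(wrapper_address, block_address). Layout is fixed so
 * the asm wrapper can read each field at a known offset. */
struct fire_args {
    int32_t shooter_id;  /* offset 0 */
    int32_t weapon;      /* offset 4 */
    int32_t ammo;        /* offset 8 */
};

/* The wrapper: one pointer in, one result out. Equivalent auto-assembler
 * shape for a cdecl target on 32-bit x86 (hypothetical, for illustration):
 *
 *   mov eax,[esp+4]    ; pointer to the argument block (the 1 stdcall param)
 *   push [eax+8]       ; ammo        (cdecl: arguments pushed right-to-left)
 *   push [eax+4]       ; weapon
 *   push [eax]         ; shooter_id
 *   call <target>      ; the multi-argument game function
 *   add esp,0C         ; cdecl: the caller removes the 3 pushed arguments
 *   ret 4              ; stdcall: the wrapper pops its own single argument
 *
 * Getting either cleanup line wrong (or pushing too few/too many values)
 * leaves ESP unbalanced when the created thread returns, i.e. a crash. */
int CE_STDCALL fire_wrapper(void *p) {
    struct fire_args *a = (struct fire_args *)p;
    return fake_fire(a->shooter_id, a->weapon, a->ammo);
}

/* Model of the Lua-side helper: pack the arguments into a block and hand its
 * address to the wrapper, standing in for executeCode(wrapper, block). */
int call_fire(int shooter_id, int weapon, int ammo) {
    struct fire_args block = { shooter_id, weapon, ammo };
    return fire_wrapper(&block);
}

int main(void) {
    printf("fire(2, 3, 10) -> %d\n", call_fire(2, 3, 10));
    printf("fire(2, 3, 0)  -> %d\n", call_fire(2, 3, 0));
    return 0;
}
```

The Lua side only ever passes one address, so the contract executeCode documents (stdcall, one parameter) is satisfied by the wrapper, while the target's own convention and argument count are handled entirely inside the wrapper; that is why the target still has to be fully understood first.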