cioace9 (How do I cheat? / Reputation: 0 / Joined: 26 Jan 2016 / Posts: 3)
Posted: Tue Feb 14, 2017 11:13 am    Post subject: Calling a function using CreateRemoteThread
Hi guys. I'm a beginner in Cheat Engine, but I know C++ and I have a project which uses assembly code. In this project, I need to call a function from the game client, and when I call this function the game crashes, so my question is: how do I put my value into the function's parameters, like in this:
Code:
mov ecx,[0151800C]       // this is a pointer from Streaming
push [esp]
add ecx,04
mov eax,[ecx]
call dword ptr [eax+08]  // up to here, when I create a thread on this function, it works perfectly
// test eax,eax
// je 00633D2F
mov ecx, eax             // I don't know what this is
call 0061D1A0            // this is the game function I need to call; it returns a value in eax
mov [00400000], eax      // a fictive address, for example, where I store the value from eax
ret
So, you can see "test" and "je" in comments because I don't need to use them.
Below is my concept code:
Code:
push VID              // I put my VID value in the parameters to send to the function I call
mov ecx, eax
call 0061D1A0         // function to call
mov [address], eax    // I get the return value from the call
ret
When I create a remote thread the game crashes, but I don't know why. I changed the final "ret" to "int 3" or "int 24", but again the game crashes...
So, can you help me find the error in my concept code?
ulysse31 (Master Cheater / Reputation: 2 / Joined: 19 Mar 2015 / Posts: 324 / Location: Paris)
Posted: Tue Feb 14, 2017 1:22 pm
Because it is unclear to me what the original, not-messed-up code is, I can't tell you what is wrong, but I can tell you a more effective way to proceed:
Step 1:
Use Cheat Engine to make a code template (in the disassembler window, Ctrl+A) after allocating some memory that only belongs to you.
Step 2:
In the allocated memory put your code:
Code:
push VID              // I put my VID value in the parameters to send to the function I call
mov ecx, eax
call 0061D1A0         // function to call
mov [address], eax    // I get the return value from the call
add esp,4
ret
Notice I added 4 to esp because you pushed VID (maybe that's not the only thing you did wrong).
Step 3:
Use Cheat Engine to create a thread where you assembled your code (Memory View -> Tools -> Create thread, and give it the virtual address).
Step 4:
Does it work as intended? If not, keep debugging (debugging only with CE is a lot faster than debugging by compiling code as bytes, translating it into asm and creating a remote thread); if yes, go to step 5.
Step 5:
Go into the hex viewer and copy the bytes corresponding to your assembled code.
Step 6:
Put them in your compiler as an array of bytes and use WriteProcessMemory to write them, then CreateRemoteThread.
Note that for step 6, in order to format the bytes correctly and save time, I use an AutoIt script.
cioace9 (How do I cheat? / Reputation: 0 / Joined: 26 Jan 2016 / Posts: 3)
Posted: Tue Feb 14, 2017 1:51 pm    Post subject: Explicit
I know how to use the Auto Assembler (Ctrl+A -> Ctrl+I) and assemble my code in allocated memory, but this is not important now. Look at the images.
[Attachment: image, 24.49 KB, viewed 18205 times; image not included]
ulysse31 (Master Cheater / Reputation: 2 / Joined: 19 Mar 2015 / Posts: 324 / Location: Paris)
Posted: Wed Feb 15, 2017 3:13 am
Code:
push VID              // I put my VID value in the parameters to send to the function I call
mov ecx, eax
call 0061D1A0         // function to call
mov [address], eax    // I get the return value from the call
ret
If you modify the stack with push VID, you need to pop this value off the stack afterwards. Try this:
Code:
push VID              // I put my VID value in the parameters to send to the function I call
mov ecx, eax
call 0061D1A0         // function to call
mov [address], eax    // I get the return value from the call
add esp,4
ret
SunBeam (I post too much / Reputation: 65 / Joined: 25 Feb 2005 / Posts: 4022 / Location: Romania)
Posted: Wed Feb 15, 2017 3:37 am
In short, check whether "61D1A0" is stdcall or cdecl.

stdcall:
Code:
push a
push b
call 61D1A0

61D1A0:
push ebp
mov ebp,esp
..
pop ebp
ret 8       <- the number of params you pushed is resolved by the callee

cdecl:
Code:
push a
push b
call 61D1A0
add esp,8   <- fix the stack here

61D1A0:
push ebp
mov ebp,esp
..
pop ebp
ret         <- there's a simple ret here, hence the stack needs to be resolved by the caller

BR,
Sun
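An added example, not code from this thread: a small Python simulator of the stack effect of the fragments posted by cioace9, ulysse31 and SunBeam above. It models only the instructions that move esp (push, call, add esp, ret / ret N), with constructed values for the VID argument, the stub's address and the return address a thread-start thunk would have pushed. It shows why a stub that pushes an argument and ends in a plain `ret` returns into the argument value when the callee is cdecl, and also that adding `add esp,4` against a stdcall callee over-pops and crashes in turn, which is why SunBeam's question about the convention of 0061D1A0 has to be answered before choosing a fix.

```python
"""Stack-balance simulator for the x86 fragments discussed in the thread (constructed example)."""

VID = 0x1234               # constructed argument value
CALLEE = 0x0061D1A0        # game function address as quoted in the thread
ENTRY = 0x00400000         # constructed: where the stub was written
THREAD_EXIT = 0x7FFF0000   # constructed: return address the thread-start thunk pushed
JUNK = 0xCCCCCCCC          # constructed: what we pretend an unwritten stack slot contains


def build(base, seq):
    """Lay out instruction tuples at consecutive addresses (one address unit per instruction)."""
    return {base + i: ins for i, ins in enumerate(seq)}


# The stub as originally posted: push VID, call, store result, plain ret (no cleanup).
STUB_NO_CLEANUP = [("push", VID), ("nop",), ("call", CALLEE), ("nop",), ("ret",)]
# ulysse31's version: the caller removes the argument before returning.
STUB_CALLER_CLEANUP = [("push", VID), ("nop",), ("call", CALLEE), ("nop",), ("add_esp", 4), ("ret",)]

# Two possible callees, per SunBeam's post: cdecl leaves the argument, stdcall pops it.
CALLEE_CDECL = [("nop",), ("nop",), ("ret",)]
CALLEE_STDCALL = [("nop",), ("nop",), ("ret", 4)]


def run(stub, callee, max_steps=64):
    """Execute stub + callee from ENTRY; report whether control came back to THREAD_EXIT
    with esp exactly where the thunk left it."""
    code = {**build(ENTRY, stub), **build(CALLEE, callee)}
    stack = {}
    esp = 0x0019FF00 - 4
    stack[esp] = THREAD_EXIT          # pushed by the thunk before jumping to ENTRY
    base_esp = esp + 4                # esp the thunk expects when we return to it
    eip = ENTRY
    trace = []
    for _ in range(max_steps):
        if eip == THREAD_EXIT:
            return {"clean": esp == base_esp, "esp_delta": esp - base_esp, "trace": trace}
        if eip not in code:
            trace.append(f"eip=0x{eip:08X}: not code -> access violation")
            return {"clean": False, "esp_delta": esp - base_esp, "trace": trace}
        op, *args = code[eip]
        nxt = eip + 1
        if op == "push":
            esp -= 4
            stack[esp] = args[0]
        elif op == "call":
            esp -= 4
            stack[esp] = nxt          # return address
            nxt = args[0]
        elif op == "add_esp":
            esp += args[0]
        elif op == "ret":
            target = stack.get(esp, JUNK)
            esp += 4 + (args[0] if args else 0)   # "ret N" pops N extra bytes
            nxt = target
        trace.append(f"0x{eip:08X} {op} {args} -> esp=0x{esp:08X}")
        eip = nxt
    return {"clean": False, "esp_delta": esp - base_esp, "trace": trace}


if __name__ == "__main__":
    for stub_name, stub in (("no cleanup", STUB_NO_CLEANUP), ("caller cleanup", STUB_CALLER_CLEANUP)):
        for conv, callee in (("cdecl", CALLEE_CDECL), ("stdcall", CALLEE_STDCALL)):
            r = run(stub, callee)
            print(f"{stub_name:15s} vs {conv:8s}: clean={r['clean']} esp_delta={r['esp_delta']:+d}")
            print("   " + r["trace"][-1])
```

Only one of the four combinations per callee convention returns cleanly: the plain `ret` stub is correct against a stdcall callee, and the `add esp,4` stub is correct against a cdecl callee; the other pairing in each case pops a wrong word as the return address, which is exactly the kind of crash described in the first post.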
cioace9 (How do I cheat? / Reputation: 0 / Joined: 26 Jan 2016 / Posts: 3)
Posted: Fri Feb 17, 2017 9:53 am    Post subject: Resolve
Thank you guys, but I fixed this function. The problem was not in "push vid" or "call function". The problem was in the last call, because I had to add push vid for "call dword ptr [ecx+08]", because this function gives a parameter which changes my vid into a new value for "call function". It is complicated, but I fixed it. Thanks again for the help and replies, guys!