Cheat Engine

Zanzer · Posted: Tue Mar 01, 2016 7:06 pm Post subject:

That appears to be a function calling two other functions.
Not sure what you hope us to discover through that code.

Dr.Disrespect · Posted: Tue Mar 01, 2016 7:23 pm Post subject:

ParkourPenguin · Posted: Tue Mar 01, 2016 11:15 pm Post subject:

It's usually safe to assume everything in ASM is in hex. The only exception I can think of off the top of my head is the size of memory allocated via alloc(...) in an AA script. Note that when writing you own ASM, you can prepend some numbers with a # symbol to turn them into decimal. For example, "mov eax,10" would move 16 (decimal) into eax, while "mov eax,#10" would move 10 (decimal) into eax. It will still be translated into its hex equivalent, however, so that #10 would turn into "A" when looking at it in the disassembler.

Registers beginning with "e" (ebp) are 32-bit. If they begin with "r" (rbp), they're 64 bit. If they don't begin with anything, they're 16-bit.

ebp is usually used with controlling and accessing the stack (it can also be used as a general-purpose register). Basically, the stack is an area of memory. While it does have a fixed amount of memory it can store, you generally won't have to worry about that unless you have some major bug in any code you write. esp always points to the top of the stack, and ebp points to some address in the stack (when it's not being used as a general-purpose register).

To understand why ebp is useful, you first need to know about a couple things- subroutines and stack frames. A subroutine is a set of contiguous instructions that can be called to run and expected to return eventually. If you ever see a "call" instruction, that's calling a subroutine to run. I'll refer to a "calling subroutine" as one that calls another "called subroutine".

Most subroutines have a "stack frame" - basically a section of the stack that they're using. The bottom (aka base) of the stack frame is generally fixed, but the top can change as it pushes/pops stuff on/of the stack. A calling subroutine's stack frame shouldn't change, however, since a called subroutine shouldn't mess with a calling subroutine's stack frame. Once the called subroutine returns, then it's stack frame is freed and the calling subroutine is free to modify its stack frame as it wants to (even if it overrides the old called subroutine's stack frame).

If you see the sequence of instructions "push ebp / mov ebp,esp", those two instructions set up the stack frame. "push ebp" saves the base address of the calling subroutine's stack frame. "mov ebp,esp" moves esp (the top of the stack) into ebp, effectively establishing the base address of it's stack frame.

To tear a stack frame down, you should first make sure the stack is at where it was after it set up the stack frame. Sometimes, it already is this way, and other times, you may need to do something like "mov esp,ebp". After that, just pop the calling subroutine's stack frame back into ebp via "pop ebp", then return.

Dr.Disrespect · Posted: Tue Mar 01, 2016 11:36 pm Post subject:

@ParkourPenguin,
Thank you so much, man! Your explanation is very helpful.
I have some following up questions:
1. I know a bit about some high-level programming languages, such as Lua , Swift. Can I think of subroutine as functions, just like in Lua?

2. the last paragraph of your post:

ParkourPenguin · Posted: Wed Mar 02, 2016 12:13 am Post subject:

1: Sure. You can call both of them to run. When both of them end, they go back to where they were called and continue from there. You can pass arguments to subroutines too (via the stack for 32-bit processes).

2: Basically, subroutines should clean up whatever they did to the stack when they return.

For example, let's say a subroutine is called to run. After establishing the stack frame, esp (the top of the stack) and thus ebp is at 00241DE0. That means the base of the calling subroutine's stack frame is stored at that address ([ebp] == ebp of calling subroutine).

Assume the called subroutine modifies the stack; namely, it pushes something onto it. Now, the stack is 4 bytes off of where it needs to be in order to pop the right value back into ebp. So, you can either pop whatever you pushed onto the stack back off, or modify esp directly to move it back to 00241DE0 (e.g. mov esp,ebp). Then it's safe to pop the value at the top of the stack back into ebp since you're certain it's the same thing you pushed onto the stack at the beginning of the subroutine.

Thus, ebp is safely reverted back to what it was before the call, and everything is happy.

I learned ASM primarily by screwing around in games and googling specific stuff I didn't know. This YouTube playlist helped me get a kickstart into it, but it's not completely beginner-friendly. With your experience, however, you should be fine. If you do want something more beginner friendly, there's this CEF topic, but it oversimplifies a few things IIRC. I suppose I've neglected to mention a few important things too (e.g. how the top of the stack grows downward), so I shouldn't be one to speak.

Dr.Disrespect · Posted: Wed Mar 02, 2016 12:47 am Post subject: