Cheat Engine Forum (The Official Site of Cheat Engine) -> General Gamehacking
Break and Trace tips needed or alternative suggestion

cooleko (Grandmaster Cheater, reputation 11, joined 04 May 2016, 717 posts)
Posted: Wed Aug 23, 2017 4:25 pm    Post subject: Break and Trace tips needed or alternative suggestion

I'm not certain what I'm looking for because I am outside of my comfort zone on how to accomplish my goal.

My Goal: Find a structure A that holds or points to all of the structures B I want to access.

My Haves: an instruction that accesses all of the structures B I want to access

My Needs: Find how the game increments through the unknown goal structure A to provide my known function, the one containing the instruction, with the address of the structures B I want to access.

To this end, I have break-and-traced the instruction to find where the function X returns (just a mere 5 lines below) and where the function Y that calls this function X returns (another 30 lines). I stepped up one line after the second return to see the function Y that calls my function X in its entirety (reproduced below), in the hope that I might see how the address that gets used by my instruction is set.

Unfortunately, after about an hour of just breaking and tracing function Y randomly, I have yet to get a trace that actually calls function X; instead, it seems to always jump over it.

Frustrated, but not deterred, I scrolled through the trace and found where the function Y jumps over function X, went one line past the jump and break-and-traced from there. This also jumped over function X. I rinsed and repeated this until I essentially have to break and trace only my function call, because the jumps happen too frequently for my random luck. This means I don't get a live walk-through of how the address is populated.

My bright idea: I need to break and trace the function that calls my function and only save the trace if EIP reaches the address of my instruction, OR perform the same procedure on a further parent function until it is shown. However, I don't see how this is possible using the tools available to me in CE.

Any suggestions on how to proceed? Should I learn a new technique? Try looking at the code without the trace?

I recognize that I could use CE to store the base address of the structures using the AOB template, but I want to solve this rather than cheat out the end result.

Essentially, I have a function that gets called 1000s of times a second. The function that calls my function gets called 100,000s of times a second, and I want a trace where it does call my instruction so I can see what the trace tells me (if anything) about where the game is getting the addresses from.

Function that calls my function (my function is called at 1404635E2):
Code:
140463520 - 48 8B C4              - mov rax,rsp
140463523 - 53                    - push rbx
140463524 - 56                    - push rsi
140463525 - 57                    - push rdi
140463526 - 41 54                 - push r12
140463528 - 41 57                 - push r15
14046352A - 48 81 EC F0000000     - sub rsp,000000F0 { 240 }
140463531 - 0F29 70 C8            - movaps [rax-38],xmm6
140463535 - 48 8B FA              - mov rdi,rdx
140463538 - 0F29 78 B8            - movaps [rax-48],xmm7
14046353C - 48 8B F1              - mov rsi,rcx
14046353F - 48 8B 02              - mov rax,[rdx]
140463542 - 48 8B CF              - mov rcx,rdi
140463545 - 33 D2                 - xor edx,edx
140463547 - 4D 8B E1              - mov r12,r9
14046354A - 4D 8B F8              - mov r15,r8
14046354D - FF 50 28              - call qword ptr [rax+28]
140463550 - F3 0F10 35 88A64600   - movss xmm6,[1408CDBE0] { [0.40] }
140463558 - 48 8B CF              - mov rcx,rdi
14046355B - F3 0F5F F0            - maxss xmm6,xmm0
14046355F - E8 9C09A5FF           - call 13FEB3F00
140463564 - 48 8B D8              - mov rbx,rax
140463567 - 48 85 C0              - test rax,rax
14046356A - 74 0E                 - je 14046357A
14046356C - 80 B8 E2160000 00     - cmp byte ptr [rax+000016E2],00 { 0 }
140463573 - 74 05                 - je 14046357A
140463575 - 41 B1 01              - mov r9l,01 { 1 }
140463578 - EB 03                 - jmp 14046357D
14046357A - 45 33 C9              - xor r9d,r9d
14046357D - 4D 8B C7              - mov r8,r15
140463580 - 48 8B D7              - mov rdx,rdi
140463583 - 48 8B CE              - mov rcx,rsi
140463586 - E8 E50A0000           - call 140464070
14046358B - 0F28 F8               - movaps xmm7,xmm0
14046358E - 48 85 DB              - test rbx,rbx
140463591 - 0F84 1D010000         - je 1404636B4
140463597 - 80 BB 8C000000 02     - cmp byte ptr [rbx+0000008C],02 { 2 }
14046359E - 75 13                 - jne 1404635B3
1404635A0 - 81 BB 80000000 121B0000 - cmp [rbx+00000080],00001B12 { 6930 }
1404635AA - 75 07                 - jne 1404635B3
1404635AC - B0 01                 - mov al,01 { 1 }
1404635AE - E9 8D030000           - jmp 140463940
1404635B3 - 4C 89 B4 24 30010000  - mov [rsp+00000130],r14
1404635BB - 4C 8B 35 EE7CA600     - mov r14,[140ECB2B0] { [38350050] }
1404635C2 - 4D 85 F6              - test r14,r14
1404635C5 - 0F84 E1000000         - je 1404636AC
1404635CB - 48 89 AC 24 20010000  - mov [rsp+00000120],rbp
1404635D3 - 49 3B DE              - cmp rbx,r14
1404635D6 - 74 13                 - je 1404635EB
1404635D8 - 48 8B D3              - mov rdx,rbx
1404635DB - 48 8D 0D 5E97AA00     - lea rcx,[140F0CD40] { [37EAA350] }
****************************************************************************************
1404635E2 - E8 E921FCFF           - call 1404257D0
****************************************************************************************
1404635E7 - 84 C0                 - test al,al
1404635E9 - 74 5B                 - je 140463646
1404635EB - 48 8B AB A0150000     - mov rbp,[rbx+000015A0]
1404635F2 - 48 85 ED              - test rbp,rbp
1404635F5 - 74 4F                 - je 140463646
1404635F7 - F6 83 EB160000 10     - test byte ptr [rbx+000016EB],10 { 16 }
1404635FE - 75 46                 - jne 140463646
140463600 - 0FB6 8B E2160000      - movzx ecx,byte ptr [rbx+000016E2]
140463607 - E8 A495A0FF           - call 13FE6CBB0
14046360C - 48 85 C0              - test rax,rax
14046360F - 74 17                 - je 140463628
140463611 - 0FB6 40 71            - movzx eax,byte ptr [rax+71]
140463615 - 66 0F6E C0            - movd xmm0,eax
140463619 - 0F5B C0               - cvtdq2ps xmm0,xmm0
14046361C - F3 0F5E 05 D0A54600   - divss xmm0,[1408CDBF4] { [100.00] }
140463624 - F3 0F59 F0            - mulss xmm6,xmm0
140463628 - 45 33 C9              - xor r9d,r9d
14046362B - 4D 8B C7              - mov r8,r15
14046362E - 48 8B D5              - mov rdx,rbp
140463631 - 48 8B CE              - mov rcx,rsi
140463634 - E8 370A0000           - call 140464070
140463639 - 0F2F F8               - comiss xmm7,xmm0
14046363C - 76 66                 - jna 1404636A4
14046363E - 0F28 F8               - movaps xmm7,xmm0
140463641 - 48 8B FD              - mov rdi,rbp
140463644 - EB 5E                 - jmp 1404636A4
140463646 - 48 8B 03              - mov rax,[rbx]
140463649 - 48 8B CB              - mov rcx,rbx
14046364C - FF 50 08              - call qword ptr [rax+08]
14046364F - 83 F8 08              - cmp eax,08 { 8 }
140463652 - 75 50                 - jne 1404636A4
140463654 - 48 8B CB              - mov rcx,rbx
140463657 - E8 F486A9FF           - call 13FEFBD50
14046365C - 48 8B E8              - mov rbp,rax
14046365F - 48 85 C0              - test rax,rax
140463662 - 74 40                 - je 1404636A4
140463664 - 49 3B C6              - cmp rax,r14
140463667 - 74 13                 - je 14046367C
140463669 - 48 8B D0              - mov rdx,rax
14046366C - 48 8D 0D CD96AA00     - lea rcx,[140F0CD40] { [37EAA350] }
140463673 - E8 5821FCFF           - call 1404257D0
140463678 - 84 C0                 - test al,al
14046367A - 74 28                 - je 1404636A4
14046367C - 0FB6 8D E2160000      - movzx ecx,byte ptr [rbp+000016E2]
140463683 - E8 2895A0FF           - call 13FE6CBB0
140463688 - 48 85 C0              - test rax,rax
14046368B - 74 17                 - je 1404636A4
14046368D - 0FB6 40 71            - movzx eax,byte ptr [rax+71]
140463691 - 66 0F6E C0            - movd xmm0,eax
140463695 - 0F5B C0               - cvtdq2ps xmm0,xmm0
140463698 - F3 0F5E 05 54A54600   - divss xmm0,[1408CDBF4] { [100.00] }
1404636A0 - F3 0F59 F0            - mulss xmm6,xmm0
1404636A4 - 48 8B AC 24 20010000  - mov rbp,[rsp+00000120]
1404636AC - 4C 8B B4 24 30010000  - mov r14,[rsp+00000130]
1404636B4 - F3 0F59 F6            - mulss xmm6,xmm6
1404636B8 - 0F2F FE               - comiss xmm7,xmm6
1404636BB - 0F87 EBFEFFFF         - ja 1404635AC
1404636C1 - 83 BE 04010000 00     - cmp dword ptr [rsi+00000104],00 { 0 }
1404636C8 - 0F85 70020000         - jne 14046393E
1404636CE - 48 85 FF              - test rdi,rdi
1404636D1 - 0F84 67020000         - je 14046393E
1404636D7 - 48 3B FB              - cmp rdi,rbx
1404636DA - 0F85 5E020000         - jne 14046393E
1404636E0 - 80 BB CA160000 01     - cmp byte ptr [rbx+000016CA],01 { 1 }
1404636E7 - 0F85 51020000         - jne 14046393E
1404636ED - 80 BB E2160000 00     - cmp byte ptr [rbx+000016E2],00 { 0 }
1404636F4 - 0F85 44020000         - jne 14046393E
1404636FA - 48 8B 06              - mov rax,[rsi]
1404636FD - 48 8B D3              - mov rdx,rbx
140463700 - 48 8B CE              - mov rcx,rsi
140463703 - FF 50 50              - call qword ptr [rax+50]
140463706 - 84 C0                 - test al,al
140463708 - 0F85 30020000         - jne 14046393E
14046370E - 44 0F29 84 24 C0000000  - movaps [rsp+000000C0],xmm8
140463717 - 44 0F29 8C 24 B0000000  - movaps [rsp+000000B0],xmm9
140463720 - F3 45 0F10 4F 08      - movss xmm9,[r15+08]
140463726 - 44 0F29 94 24 A0000000  - movaps [rsp+000000A0],xmm10
14046372F - 41 0F28 F1            - movaps xmm6,xmm9
140463733 - F3 41 0F5C 74 24 08   - subss xmm6,[r12+08]
14046373A - F3 45 0F10 57 04      - movss xmm10,[r15+04]
140463740 - 41 0F28 FA            - movaps xmm7,xmm10
140463744 - 44 0F29 9C 24 90000000  - movaps [rsp+00000090],xmm11
14046374D - F3 41 0F5C 7C 24 04   - subss xmm7,[r12+04]
140463754 - F3 45 0F10 1F         - movss xmm11,[r15]
140463759 - 45 0F28 C3            - movaps xmm8,xmm11
14046375D - 0F28 D6               - movaps xmm2,xmm6
140463760 - F3 45 0F5C 04 24      - subss xmm8,[r12]
140463766 - F3 0F59 D6            - mulss xmm2,xmm6
14046376A - 0F28 CF               - movaps xmm1,xmm7
14046376D - F3 0F59 CF            - mulss xmm1,xmm7
140463771 - 41 0F28 C0            - movaps xmm0,xmm8
140463775 - F3 41 0F59 C0         - mulss xmm0,xmm8
14046377A - F3 0F58 C1            - addss xmm0,xmm1
14046377E - F3 0F58 C2            - addss xmm0,xmm2
140463782 - E8 41911D00           - call 14063C8C8
140463787 - F3 0F10 0D 51984600   - movss xmm1,[1408CCFE0] { [1.00] }
14046378F - 4C 8D 8C 24 28010000  - lea r9,[rsp+00000128]
140463797 - 48 8B 86 F0000000     - mov rax,[rsi+000000F0]
14046379E - 4C 8D 44 24 30        - lea r8,[rsp+30]
1404637A3 - F3 0F5E C8            - divss xmm1,xmm0
1404637A7 - 48 8D 54 24 70        - lea rdx,[rsp+70]
1404637AC - 48 8B CF              - mov rcx,rdi
1404637AF - F3 0F10 80 AC000000   - movss xmm0,[rax+000000AC]
1404637B7 - F3 0F59 05 41A44600   - mulss xmm0,[1408CDC00] { [-1.00] }
1404637BF - 48 8B 07              - mov rax,[rdi]
1404637C2 - F3 0F59 F1            - mulss xmm6,xmm1
1404637C6 - C6 84 24 28010000 00  - mov byte ptr [rsp+00000128],00 { 0 }
1404637CE - F3 44 0F59 C1         - mulss xmm8,xmm1
1404637D3 - F3 0F59 F9            - mulss xmm7,xmm1
1404637D7 - 0F28 DE               - movaps xmm3,xmm6
1404637DA - F3 0F59 D8            - mulss xmm3,xmm0
1404637DE - 41 0F28 C8            - movaps xmm1,xmm8
1404637E2 - F3 0F59 C8            - mulss xmm1,xmm0
1404637E6 - 0F28 D7               - movaps xmm2,xmm7
1404637E9 - F3 0F59 D0            - mulss xmm2,xmm0
1404637ED - F3 44 0F58 CB         - addss xmm9,xmm3
1404637F2 - F3 44 0F58 D9         - addss xmm11,xmm1
1404637F7 - F3 44 0F58 D2         - addss xmm10,xmm2
1404637FC - 41 0F28 C1            - movaps xmm0,xmm9
140463800 - F3 44 0F11 4C 24 78   - movss [rsp+78],xmm9
140463807 - F3 0F58 C6            - addss xmm0,xmm6
14046380B - 41 0F28 D3            - movaps xmm2,xmm11
14046380F - F3 44 0F11 5C 24 70   - movss [rsp+70],xmm11
140463816 - F3 41 0F58 D0         - addss xmm2,xmm8
14046381B - 41 0F28 CA            - movaps xmm1,xmm10
14046381F - F3 44 0F11 54 24 74   - movss [rsp+74],xmm10
140463826 - F3 0F58 CF            - addss xmm1,xmm7
14046382A - F3 0F11 84 24 88000000  - movss [rsp+00000088],xmm0
140463833 - F3 0F11 94 24 80000000  - movss [rsp+00000080],xmm2
14046383C - F3 0F11 8C 24 84000000  - movss [rsp+00000084],xmm1
140463845 - FF 90 68020000        - call qword ptr [rax+00000268]
14046384B - 44 0F28 9C 24 90000000  - movaps xmm11,[rsp+00000090]
140463854 - 44 0F28 94 24 A0000000  - movaps xmm10,[rsp+000000A0]
14046385D - 44 0F28 8C 24 B0000000  - movaps xmm9,[rsp+000000B0]
140463866 - 44 0F28 84 24 C0000000  - movaps xmm8,[rsp+000000C0]
14046386F - 84 C0                 - test al,al
140463871 - 0F84 35FDFFFF         - je 1404635AC
140463877 - F6 86 08010000 01     - test byte ptr [rsi+00000108],01 { 1 }
14046387E - 0F84 BA000000         - je 14046393E
140463884 - 80 BB D0150000 03     - cmp byte ptr [rbx+000015D0],03 { 3 }
14046388B - 0F84 AD000000         - je 14046393E
140463891 - 48 8B CF              - mov rcx,rdi
140463894 - E8 57EBA4FF           - call 13FEB23F0
140463899 - BA 19000000           - mov edx,00000019 { 25 }
14046389E - 48 8B CF              - mov rcx,rdi
1404638A1 - 48 8B F0              - mov rsi,rax
1404638A4 - E8 D70FA5FF           - call 13FEB4880
1404638A9 - BA 2A000000           - mov edx,0000002A { 42 }
1404638AE - 48 8B CF              - mov rcx,rdi
1404638B1 - 0FB6 D8               - movzx ebx,al
1404638B4 - E8 C70FA5FF           - call 13FEB4880
1404638B9 - 48 8B CF              - mov rcx,rdi
1404638BC - 84 DB                 - test bl,bl
1404638BE - 74 12                 - je 1404638D2
1404638C0 - 41 B8 19000000        - mov r8d,00000019 { 25 }
1404638C6 - 48 8D 54 24 40        - lea rdx,[rsp+40]
1404638CB - E8 3012A5FF           - call 13FEB4B00
1404638D0 - EB 46                 - jmp 140463918
1404638D2 - 84 C0                 - test al,al
1404638D4 - 74 12                 - je 1404638E8
1404638D6 - 41 B8 2A000000        - mov r8d,0000002A { 42 }
1404638DC - 48 8D 54 24 50        - lea rdx,[rsp+50]
1404638E1 - E8 1A12A5FF           - call 13FEB4B00
1404638E6 - EB 0B                 - jmp 1404638F3
1404638E8 - 48 8B 07              - mov rax,[rdi]
1404638EB - 48 8D 54 24 60        - lea rdx,[rsp+60]
1404638F0 - FF 50 58              - call qword ptr [rax+58]
1404638F3 - F3 0F10 00            - movss xmm0,[rax]
1404638F7 - F3 0F10 48 04         - movss xmm1,[rax+04]
1404638FC - F3 0F11 44 24 20      - movss [rsp+20],xmm0
140463902 - F3 0F10 40 08         - movss xmm0,[rax+08]
140463907 - 48 8D 44 24 20        - lea rax,[rsp+20]
14046390C - F3 0F11 44 24 28      - movss [rsp+28],xmm0
140463912 - F3 0F11 4C 24 24      - movss [rsp+24],xmm1
140463918 - F3 0F10 48 04         - movss xmm1,[rax+04]
14046391D - F3 0F5C 4E 04         - subss xmm1,[rsi+04]
140463922 - F3 0F10 54 24 34      - movss xmm2,[rsp+34]
140463928 - F3 0F5C 56 04         - subss xmm2,[rsi+04]
14046392D - F3 0F59 0D 93964600   - mulss xmm1,[1408CCFC8] { [0.50] }
140463935 - 0F2F CA               - comiss xmm1,xmm2
140463938 - 0F87 6EFCFFFF         - ja 1404635AC
14046393E - 32 C0                 - xor al,al
140463940 - 0F28 B4 24 E0000000   - movaps xmm6,[rsp+000000E0]
140463948 - 0F28 BC 24 D0000000   - movaps xmm7,[rsp+000000D0]
140463950 - 48 81 C4 F0000000     - add rsp,000000F0 { 240 }
140463957 - 41 5F                 - pop r15
140463959 - 41 5C                 - pop r12
14046395B - 5F                    - pop rdi
14046395C - 5E                    - pop rsi
14046395D - 5B                    - pop rbx
14046395E - C3                    - ret


My function (RDX points to my structure):

Code:
1404257D0 - 0FB7 82 88000000      - movzx eax,word ptr [rdx+00000088]
1404257D7 - 05 38FFFFFF           - add eax,FFFFFF38 { -200 }
1404257DC - 83 F8 2B              - cmp eax,2B { 43 }
1404257DF - 0F96 C0               - setbe al
1404257E2 - C3                    - ret
ParkourPenguin (I post too much, reputation 140, joined 06 Jul 2014, 4289 posts)
Posted: Wed Aug 23, 2017 5:27 pm

I'd try looking at the code first.
Code:
...
14046355F - E8 9C09A5FF           - call 13FEB3F00
140463564 - 48 8B D8              - mov rbx,rax
...
1404635D8 - 48 8B D3              - mov rdx,rbx
...
****************************************************************************************
1404635E2 - E8 E921FCFF           - call 1404257D0
****************************************************************************************
...

It seems like the address is coming from the call at 14046355F. Look at the code in there and see what it's doing.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
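The reply above reaches its conclusion by reading the caller: which branches have to go which way for the call at 1404635E2 to be reached at all, and which earlier instruction last wrote the rdx that the call consumes. The script below is an added example, not code from the post or from Cheat Engine, that does that walk mechanically over the listing quoted above. It assumes the caller's portion from 14046355F (the call the reply singles out) down to the call of interest, with the stack-spill, movaps and argument-setup lines that nothing jumps to left out; it parses CE's "ADDR - BYTES - INSTR { note }" line format, builds a control-flow graph from fall-through and direct jump targets only, finds the shortest path by BFS, and back-slices one register along that path, tracking 64-bit register names only and assuming the Win64 rule that a call's integer result comes back in rax.

```python
import re
from collections import deque

# Caller listing copied from the post (14046355F to the call of interest; spills/movaps/arg setup omitted).
LISTING = """\
14046355F - E8 9C09A5FF           - call 13FEB3F00
140463564 - 48 8B D8              - mov rbx,rax
140463567 - 48 85 C0              - test rax,rax
14046356A - 74 0E                 - je 14046357A
14046356C - 80 B8 E2160000 00     - cmp byte ptr [rax+000016E2],00 { 0 }
140463573 - 74 05                 - je 14046357A
140463575 - 41 B1 01              - mov r9l,01 { 1 }
140463578 - EB 03                 - jmp 14046357D
14046357A - 45 33 C9              - xor r9d,r9d
14046357D - 4D 8B C7              - mov r8,r15
140463586 - E8 E50A0000           - call 140464070
14046358E - 48 85 DB              - test rbx,rbx
140463591 - 0F84 1D010000         - je 1404636B4
140463597 - 80 BB 8C000000 02     - cmp byte ptr [rbx+0000008C],02 { 2 }
14046359E - 75 13                 - jne 1404635B3
1404635A0 - 81 BB 80000000 121B0000 - cmp [rbx+00000080],00001B12 { 6930 }
1404635AA - 75 07                 - jne 1404635B3
1404635AC - B0 01                 - mov al,01 { 1 }
1404635AE - E9 8D030000           - jmp 140463940
1404635B3 - 4C 89 B4 24 30010000  - mov [rsp+00000130],r14
1404635BB - 4C 8B 35 EE7CA600     - mov r14,[140ECB2B0] { [38350050] }
1404635C2 - 4D 85 F6              - test r14,r14
1404635C5 - 0F84 E1000000         - je 1404636AC
1404635D3 - 49 3B DE              - cmp rbx,r14
1404635D6 - 74 13                 - je 1404635EB
1404635D8 - 48 8B D3              - mov rdx,rbx
1404635E2 - E8 E921FCFF           - call 1404257D0
"""
LINE_RE = re.compile(r'^([0-9A-F]+) - [0-9A-F ]+?- (.*?)(?: \{.*\})?$')   # CE: ADDR - BYTES - INSTR { note }
REG_RE = re.compile(r'\b(r[a-d]x|r[sd]i|r[bs]p|r(?:[89]|1[0-5]))\b')       # 64-bit names only (assumption)

def parse(listing):
    """addr -> (mnemonic, operands), in listing order (dicts keep insertion order)."""
    ins = {}
    for m in filter(None, (LINE_RE.match(line.strip()) for line in listing.splitlines())):
        mn, _, ops = m.group(2).partition(' ')
        ins[int(m.group(1), 16)] = (mn, ops.strip())
    return ins

def successors(ins):
    """CFG edges: fall-through and direct jump target; none after ret or an indirect jmp."""
    addrs = list(ins)
    nxt, succ = dict(zip(addrs, addrs[1:])), {}
    for a, (mn, ops) in ins.items():
        fall = [nxt[a]] if a in nxt else []
        jump = [int(ops, 16)] if mn[0] == 'j' and re.fullmatch(r'[0-9A-F]+', ops) else []
        succ[a] = [] if mn == 'ret' else jump if mn == 'jmp' else fall + jump
    return succ

def shortest_path(ins, entry, target):
    """BFS over the CFG; instruction addresses from entry to target, or None if unreachable."""
    succ, prev, queue = successors(ins), {entry: None}, deque([entry])
    while queue and target not in prev:
        a = queue.popleft()
        for s in succ.get(a, []):          # a jump out of the listing is a dead end here
            if s not in prev:
                prev[s] = a
                queue.append(s)
    if target not in prev:
        return None
    path = [target]
    while prev[path[-1]] is not None:
        path.append(prev[path[-1]])
    return path[::-1]

def branch_decisions(ins, path):
    """Which way each conditional jump on the path has to go for the path to be followed."""
    return [(a, ins[a][0], 'taken' if b == int(ins[a][1], 16) else 'not taken')
            for a, b in zip(path, path[1:]) if ins[a][0][0] == 'j' and ins[a][0] != 'jmp']

def slice_register(ins, path, reg):
    """Walk the path backwards and collect the instructions that produce `reg` at its end."""
    wanted, chain = {reg}, []
    for a in reversed(path[:-1]):          # the final instruction only reads reg
        mn, ops = ins[a]
        dst, _, src = ops.partition(',')
        if mn == 'call' and 'rax' in wanted:      # Win64 ABI: integer result comes back in rax
            chain.append(a)
            wanted.discard('rax')
        elif mn in ('mov', 'lea', 'movzx') and dst in wanted:
            chain.append(a)
            wanted.discard(dst)
            wanted.update(REG_RE.findall(src))   # registers read by the source are the next question
    return chain

def analyse(listing=LISTING, entry=0x14046355F, target=0x1404635E2, reg='rdx'):
    ins = parse(listing)
    path = shortest_path(ins, entry, target)
    return branch_decisions(ins, path), slice_register(ins, path, reg)

if __name__ == '__main__':
    decisions, chain = analyse()
    print('\n'.join(f'{a:X} {mn} {how}' for a, mn, how in decisions))
    print('rdx at the call comes from:', ' <- '.join(f'{a:X}' for a in chain))
```

Run as-is it prints the five branch decisions the call depends on (je at 14046356A taken, je at 140463591 not taken, jne at 14046359E taken, the je at 1404635C5 and at 1404635D6 both not taken) and the chain 1404635D8 <- 140463564 <- 14046355F, i.e. mov rdx,rbx fed by mov rbx,rax fed by the call to 13FEB3F00, which is the same answer the reply reached by eye. Those branch decisions are also exactly the conditions a break-and-trace has to satisfy before the trace is worth keeping, which is why random traces of the caller kept jumping over the call. The slice is path-only: it does not look inside 13FEB3F00, it follows the shortest path rather than every path, and a value that goes through memory (such as the r14 spill to [rsp+130]) is not followed.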
cooleko (Grandmaster Cheater, reputation 11, joined 04 May 2016, 717 posts)
Posted: Fri Aug 25, 2017 9:59 pm

I continued scanning through each function call, one by one, ended up in the parent's parent, and found where the structure is. Thanks for telling me to just do it the hard way. No secrets needed, just a little elbow grease.