Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Issue finding parameters and proper pointer

mynameisjimmy
Newbie cheater
Reputation: 0

Joined: 21 Jun 2018
Posts: 15

Posted: Fri Jul 06, 2018 8:48 am    Post subject: Issue finding parameters and proper pointer

Good evening,

Issue A)
I've started working on an auto-attack bot to gain experience, but I seem to get stuck.

I've found the function responsible for attacking (or so I think) and it being called looks like this:

Code:
nz.exe+1562D1 - push 00 { 0 }
nz.exe+1562D3 - push 1E { 30 }
nz.exe+1562D5 - push edi
nz.exe+1562D6 - mov ecx,esi
nz.exe+1562D8 - call nz.exe+162E60


Changing 30 to 31 changes animation but stops dealing damage, so I'm guessing this is the attack function.

Now, here's the stacktrace:
Code:
00DA78A8(esp+0)      - 04ECD7C4             - (pointer)04ECD7C4   
00DA78AC(esp+4)      - 0000001E             - (dword)0000001E(30)
00DA78B0(esp+8)      - 00000000             - (dword)00000000(0) 
00DA78B4(esp+C)      - 04ECD7C4             - (pointer)04ECD7C4   
00DA78B8(esp+10)     - 04EB1D80             - (pointer)04EB1D80   
00DA78BC(esp+14)     - 00000014             - (dword)00000014(20)
00DA78C0(esp+18)     - 0000001F             - (dword)0000001F(31)
00DA78C4(esp+1C)     - 00000000             - (dword)00000000(0)


How do I find which of these are the function parameters, considering the stacktrace has at least 3000 addresses in it?

If somebody could help me, I would appreciate it greatly.

Issue B:
I found a variable that holds the ID of the monster I'm currently targeting. I hit 'Pointer scan', restarted the game, targeted mobs again, found the address holding its info, rescanned pointers for this new address, and it seems that the window is empty - 0 pointers.

I'm clueless at this point.
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Fri Jul 06, 2018 9:31 am

look at the value... you already know what 2 of them are going to be after all

00DA78AC(esp+4 ) - 0000001E - (dword)0000001E(30)
00DA78B0(esp+8 ) - 00000000 - (dword)00000000(0)
00DA78B4(esp+C ) - 04ECD7C4 - (pointer)04ECD7C4

That or go take an asm course that teaches you how to call and write functions in x86...

_________________
https://github.com/FreeER/ has a few CE related repos
mynameisjimmy
Newbie cheater
Reputation: 0

Joined: 21 Jun 2018
Posts: 15

Posted: Fri Jul 06, 2018 10:00 am

FreeER wrote:
look at the value... you already know what 2 of them are going to be after all

00DA78AC(esp+4 ) - 0000001E - (dword)0000001E(30)
00DA78B0(esp+8 ) - 00000000 - (dword)00000000(0)
00DA78B4(esp+C ) - 04ECD7C4 - (pointer)04ECD7C4

That or go take an asm course that teaches you how to call and write functions in x86...


I know how assembler works, don't insult me.
The third one is target ID, but it occurs twice on stack and I don't know where the arguments end.

@edit
I think I found parameters, these 6 lines don't change in terms of value type no matter how many times I run into breakpoint:
Code:
00EF7154(esp+0)      - 013662DD             - (pointer)nz.exe+1562DD
00EF7158(esp+4)      - 04E5B8E0             - (pointer)04E5B8E0   
00EF715C(esp+8)      - 0000001E             - (dword)0000001E(30)
00EF7160(esp+C)      - 00000000             - (dword)00000000(0) 
00EF7164(esp+10)     - 04E5B8E0             - (pointer)04E5B8E0   
00EF7168(esp+14)     - 04E11D80             - (pointer)04E11D80
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Fri Jul 06, 2018 10:22 am

mynameisjimmy wrote:
How do I find which of these are the function parameters, considering stacktrace has atleast 3000 addresses in it.
mynameisjimmy wrote:
it occurs twice on stack and I don't know where the arguments end.
Quote:
Joined: 21 Jun 2018
Posts: 6


Literally everything there makes it seem like you don't know, or you wouldn't have to ask about how seeing a call that pushes 3 arguments, moves a value into ecx (like thiscall would) and then calls a function (which first pushes the return address then jumps to the function) works.

Also the fact that you listed the stack using the stack pointer, esp, rather than with the frame pointer ebp (inside the function you care about the arguments for). Admittedly not every program uses the frame pointer but the vast vast majority of x86 programs do and even many of the x64.


Knowing a few instructions like mov, add, cmp and what registers are etc. does not mean you know the entire language and how it works. It means you know a few instructions and don't panic when you see the code, there is however a big difference from not panicking and actually understanding everything you see.

mynameisjimmy
Newbie cheater
Reputation: 0

Joined: 21 Jun 2018
Posts: 15

Posted: Fri Jul 06, 2018 11:08 am

The issue is I can't really test it out, so I don't know whether what I'm doing is correct.

I found the client's obj, because in OOP it's stored in ECX before the function call, and I used esp because previously I was looking for a pointer to the targeted monster, as said in issue B.

So amount of pushes is the amount of arguments, excluding or including ecx (pointer to client obj)?
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Fri Jul 06, 2018 11:41 am

Quote:
So amount of pushes is the amount of arguments, excluding or including ecx (pointer to client obj)?
yeah, arguments are just things passed to the function. x86 mostly uses the stack to pass things, though thiscall puts the object/this pointer in ecx, floating point values are typically passed on the fpu stack (in x86, fld) or xmm registers (in x64, movss/movsd). There are various x86 calling conventions (cdecl, stdcall, thiscall, fastcall, etc.; most push the arguments from right to left, others may do so from left to right). x64 has 1 (for windows anyways, linux has its own variation on x64 iirc).

Quote:
The issue is I can't really test it out, so I don't know whether what I'm doing is correct.
Why not? Take what you think may be the pointer and put it in the data dissect window; if it's a creature then you should see something related to it: name, pos, health, level, etc. If all you get is an id number then find the list of entities and see if it's there (hopefully it's an index so you don't have to look at the entire list).
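FreeER's point in the two posts above, that `call` pushes the return address and the arguments pushed right-to-left sit directly above it (with `this` in ecx for thiscall), can be checked mechanically against the second stack dump mynameisjimmy posted, which was taken at the callee's first instruction. The following is an added worked example, not code from this thread or from Cheat Engine: it parses the call-site disassembly and the stack dump quoted from the thread, labels each slot as return address, argument or caller's frame, cross-checks the immediates and the return address, and derives a prototype. It assumes a 32-bit x86 near `call` of 5 bytes (E8 rel32) and right-to-left pushes; the function and field names are the example's own.

```python
"""Label the slots of a function-entry stack dump from its call-site disassembly.

Assumptions (not stated by the thread): 32-bit x86, a 5-byte near relative call,
arguments pushed right to left, `this` in ecx when the call site loads ecx.
"""
import re
from dataclasses import dataclass, field

# Call site and entry-time stack dump, copied from the thread's listings.
CALL_SITE = """\
nz.exe+1562D1 - push 00 { 0 }
nz.exe+1562D3 - push 1E { 30 }
nz.exe+1562D5 - push edi
nz.exe+1562D6 - mov ecx,esi
nz.exe+1562D8 - call nz.exe+162E60
"""
STACK_DUMP = """\
00EF7154(esp+0)      - 013662DD             - (pointer)nz.exe+1562DD
00EF7158(esp+4)      - 04E5B8E0             - (pointer)04E5B8E0
00EF715C(esp+8)      - 0000001E             - (dword)0000001E(30)
00EF7160(esp+C)      - 00000000             - (dword)00000000(0)
00EF7164(esp+10)     - 04E5B8E0             - (pointer)04E5B8E0
00EF7168(esp+14)     - 04E11D80             - (pointer)04E11D80
"""

CALL_LEN = 5  # E8 rel32 near call; an indirect call would differ (assumption)
X86_REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
INSN_RE = re.compile(r"^(\S+) - (\w+)(?:\s+([^{]*?))?\s*(?:\{[^}]*\})?$")
SLOT_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\(esp\+([0-9A-Fa-f]+)\)\s+-\s+([0-9A-Fa-f]{8})\s+-\s+(.*?)\s*$")


@dataclass
class CallSite:
    pushes: list = field(default_factory=list)  # push operands, in program order
    this_in_ecx: bool = False
    call_addr: str = ""
    target: str = ""

    @property
    def return_address(self):
        # [esp] at callee entry is the address of the instruction after the call.
        module, off = self.call_addr.split("+")
        return "%s+%X" % (module, int(off, 16) + CALL_LEN)


def parse_call_site(text):
    cs = CallSite()
    for line in text.strip().splitlines():
        m = INSN_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised instruction line: %r" % line)
        addr, mnem, operand = m.group(1), m.group(2).lower(), (m.group(3) or "").strip()
        if mnem == "push":
            cs.pushes.append(operand)
        elif mnem == "mov" and operand.lower().startswith("ecx,"):
            cs.this_in_ecx = True  # thiscall-style: object pointer in ecx
        elif mnem == "call":
            cs.call_addr, cs.target = addr, operand
    return cs


def parse_stack_dump(text):
    slots = []
    for line in text.strip().splitlines():
        m = SLOT_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised stack slot: %r" % line)
        slots.append({"offset": int(m.group(2), 16),
                      "value": int(m.group(3), 16), "note": m.group(4)})
    return slots


def is_immediate(operand):
    return operand.lower() not in X86_REGS and re.fullmatch(r"[0-9A-Fa-f]+", operand) is not None


def map_arguments(cs, slots):
    """Return one row per slot: offset, role, value, and whether it agrees with the call site."""
    by_off = {s["offset"]: s for s in slots}
    ret = by_off.get(0)
    rows = [{"offset": 0, "role": "return address",
             "value": ret["value"] if ret else None,
             "consistent": ret is not None and ret["note"].endswith(cs.return_address)}]
    # Right-to-left push order: the last push is the first argument, at [esp+4].
    for n, operand in enumerate(reversed(cs.pushes), start=1):
        s = by_off.get(4 * n)
        if s is None:
            break
        expected = int(operand, 16) if is_immediate(operand) else None
        rows.append({"offset": 4 * n, "role": "arg%d (push %s)" % (n, operand),
                     "value": s["value"],
                     "consistent": expected is None or expected == s["value"]})
    first_non_arg = 4 * (len(cs.pushes) + 1)
    for s in slots:
        if s["offset"] >= first_non_arg:
            rows.append({"offset": s["offset"], "role": "caller's frame (not an argument)",
                         "value": s["value"], "consistent": True})
    return rows


def prototype(cs, name="f"):
    """C prototype implied by the call site (cdecl vs stdcall needs the callee's ret/add esp)."""
    params = ["void *self"] if cs.this_in_ecx else []
    params += ["unsigned int a%d" % i for i in range(1, len(cs.pushes) + 1)]
    conv = "__thiscall" if cs.this_in_ecx else "/* cdecl or stdcall */"
    return "void %s %s(%s);" % (conv, name, ", ".join(params))


if __name__ == "__main__":
    site = parse_call_site(CALL_SITE)
    for row in map_arguments(site, parse_stack_dump(STACK_DUMP)):
        print("esp+%-3X %-34s %08X %s" % (row["offset"], row["role"], row["value"],
                                          "ok" if row["consistent"] else "MISMATCH"))
    print(prototype(site))
```

Run as a script it prints the six slots with their roles: the return address nz.exe+1562DD (call at +1562D8 plus 5), then arg1 = the pushed edi (04E5B8E0), arg2 = 1E, arg3 = 0, and the two slots above esp+C marked as the caller's frame, which answers the "where do the arguments end" question from the dump alone. The derived prototype has four parameters, the ecx object pointer plus the three pushes, matching FreeER's later correction of the typedef.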
mynameisjimmy
Newbie cheater
Reputation: 0

Joined: 21 Jun 2018
Posts: 15

Posted: Fri Jul 06, 2018 12:01 pm

I dissected it and apparently there are 3 variables that seem to represent x, y, z position and one that represents angle (seeing how it jumps to 0 after 360).

I still don't have a pointer that wouldn't reset upon server restart and even if I feed the function same arguments via this code:

Code:
typedef void(__thiscall * SendMeleeAttack_t)(void * somehell, unsigned int target, unsigned int dwAtk);
SendMeleeAttack_t f;


Code:
DWORD base = (DWORD)GetModuleHandle(L"nz.exe");

f = (SendMeleeAttack_t)(base + 0x162E60);

DWORD target = 0x1ECA8E38;

f((void*)(base + 0x1562DD), target, 0x01E);


It just crashes - which is why I said I can't really test it.

Also, thanks for all the help, I really appreciate it.
I have a vast programming knowledge as I've been doing it for over 8 years professionally, but I have little to no reverse engineering/assembler knowledge, pretty much only what I've learned in university.
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Fri Jul 06, 2018 1:25 pm

You should have 4 arguments, the this pointer that goes in ecx (assuming it is an object pointer, not just a random instruction which occasionally happens in assembly) and the 3 pushed values. So I'd expect something more like

Code:
typedef void(__thiscall * SendMeleeAttack_t)(void * obj, unsigned int target, unsigned int dwAtk, unsigned int zero);

(of course, pointers are only going to work if you're injecting a dll and therefore in the same address space, otherwise you'd have to use winapi functions like CreateRemoteThread and WriteProcessMemory)


I've just learned a bit over the years playing with CE, probably about 7 years ago when I started doing more than just non-pointer scans, and reading/watching tutorials. I haven't delved too deep into really reversing anything or making trainers/bots with a language and nothing professional or academic (other than the free online CS50 course lol).
Since I don't do anything with online/multi-player games I've pretty much avoided pointers as much as possible and just hooked the assembly code to do what I wanted, much easier :D

If the above doesn't work best I can suggest is to look at your assembly code and try to see what it's doing differently.

mynameisjimmy
Newbie cheater
Reputation: 0

Joined: 21 Jun 2018
Posts: 15

Posted: Fri Jul 06, 2018 2:38 pm

Well, I copied your code and executed it this way:

Code:
f((void*)(0x12527508), *(unsigned int*)(0x0522BA48), 0x1E, 0x0);


The first hex is hardcoded client's address, straight out of ECX, the next one is hardcoded enemy ID.

The good news is - it doesn't crash, the bad news is - it doesn't do anything.

@edit
Progress!
I've managed to emulate the attack - it deals no damage tho.
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Fri Jul 06, 2018 4:10 pm

well, progress is good :)
Best of luck!

mynameisjimmy
Newbie cheater
Reputation: 0

Joined: 21 Jun 2018
Posts: 15

Posted: Fri Jul 06, 2018 4:22 pm

FreeER wrote:
well, progress is good :)
Best of luck!


Apparently the attacks work... without range limit lol.
This is an unexpected exploit haha.

Thanks again for all the help.
All times are GMT - 6 Hours