Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Tutorial

 
Staked
Newbie cheater
Reputation: 0

Joined: 09 Mar 2019
Posts: 17

Posted: Thu Mar 21, 2019 11:21 pm    Post subject: Tutorial

Is it possible to make a script that executes parts of the code in an independent way? For example, the tutorial step 2. Could it be possible to find the function that does this in assembly and then call it? or run it?

I've seen some stuff about this by creating a dll file, inject it etc. But can it be done in a simpler way? just in cheat engine

An example would help a lot
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Fri Mar 22, 2019 12:27 am    Post subject: Re: Tutorial

Staked wrote:
Is it possible to make a script that executes parts of the code in an independent way? For example, the tutorial step 2. Could it be possible to find the function that does this in assembly and then call it? or run it?

I've seen some stuff about this by creating a dll file, inject it etc. But can it be done in a simpler way? just in cheat engine

An example would help a lot


ehm, i think you mean:

- whenever the original function is called, redirect it to your assembly script to control whether to continue executing the function or just return to the caller

yeah sure (if that's what you meant), start by finding the value then see what writes to it.

find where the function returns, place a breakpoint and once hit do single step to return to the caller.

then you might want to see what arguments are passed, and number of parameters.

you may need to understand calling conventions, and differences between x86 and x86_64 architectures. (32-bit and 64-bit)

and of course little bit of assembly knowledge is required.

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
Staked
Newbie cheater
Reputation: 0

Joined: 09 Mar 2019
Posts: 17

Posted: Fri Mar 22, 2019 12:40 am

Sorry for being so unclear.
I found the function/instructions which makes my character move in the game.

I want to execute the code that does this from cheat engine.
I used ultimap to find the right place in the instruction memory. And i just tried to execute it from the top in lua using.
executeCode('404BC0')

It made my character start moving (which was intended) but the game also crashed.
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25788
Location: The netherlands

Posted: Fri Mar 22, 2019 1:27 am

look at executeCodeEx, perhaps you need to provide more parameters

and it's always possible that some code is just not thread safe, or the thread needs extra initialization like tls setup

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so i can keep helping
Staked
Newbie cheater
Reputation: 0

Joined: 09 Mar 2019
Posts: 17

Posted: Fri Mar 22, 2019 2:08 am

i tried what you said.
executeCodeEx(1, 100, '404BC0')
worked like a charm! 100%

executeCodeEx(callmethod, timeout, address, {type,value},{type,value},...)
the arguments within {}
How does that work really?
I understood it as it was arguments to the function i call. But what if the address I input (404BC0) is not a function?
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25788
Location: The netherlands

Posted: Fri Mar 22, 2019 4:12 am

Code:

executeCodeEx(callmethod, timeout, address, {type,value},{type,value},...)
  Calls a function using the given callmethod and parameters
  callmethod: 0=stdcall, 1=cdecl
  timeout: Number of milliseconds to wait for a result. nil or -1, infinitely. 0 is no wait (will not free the call memory, so beware of its memory leak)
  address: Address to execute
  {type,value} : Table containing the value type, and the value
    {
    type: 0=integer (32/64bit) can also be a pointer
          1=float (32-bit float)
          2=double (64-bit float)
          3=ascii string (will get converted to a pointer to that string)
          4=wide string (will get converted to a pointer to that string)
     
    value: anything base type that lua can interpret
    }

so to call a function with 1 int parameter and 1 string pointer using stdcall:
executeCodeEx(0,nil,functionaddress,{type=0, value=123}, {type=3,value="xxx"})

Staked
Newbie cheater
Reputation: 0

Joined: 09 Mar 2019
Posts: 17

Posted: Fri Mar 22, 2019 5:00 am

but what happens in the game code? can i think of it just as parameters to a function? Are there any specific registers set?
what would happen if i didn't target a function? maybe that's not possible?

Here is a section i want to call, but every time i do I crash.
What can I look for to make the executeCodeEx(...) work?



[Attached image: instr_mem.PNG]


Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25788
Location: The netherlands

Posted: Fri Mar 22, 2019 5:25 am

The function you're in uses "ret 4" so: the calling method is stdcall (0) and it takes one parameter

If you give the wrong parameter value the game will crash

Staked
Newbie cheater
Reputation: 0

Joined: 09 Mar 2019
Posts: 17

Posted: Fri Mar 22, 2019 7:34 am

I read some info about calling conventions.

The info you wrote, stdcall(0) and that it takes 1 parameter. That was all from "ret 4"?

Is this correct?
ret = cdecl
ret 4 = stdcall, 1 argument
ret 8 = stdcall, 2 arguments


What is a good approach to find what should be passed as argument?
Should it be in one of the registers used by mov instruction?
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Fri Mar 22, 2019 2:28 pm

yes correct, but it can be either stdcall or pascal. (but it's okay, only one parameter is passed)

and you should notice they are making free space in stack for local variables (sub esp,XXX and then add esp,XXX), example C/C++ AUTO keyword. (but still compiler dependent)

the game is handling exceptions, and the handler routine is pushed earlier.
Code:
mov ecx,[esp+00000D0] // pushed beginning of the functions?

...

mov  fs:[00000000],ecx // any exception? address of ecx is called

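The `ret` / `ret 4` / `ret 8` rule discussed in the posts above, written out as a small decoder. This is an added example, not code from the thread or from Cheat Engine; the name `classify_ret` and the sample bytes are constructed, and it assumes 32-bit x86 with one 4-byte stack slot per argument.

```python
import struct

STDCALL, CDECL = 0, 1  # callmethod values from the executeCodeEx help text above

def classify_ret(code: bytes, slot: int = 4) -> dict:
    """Classify the 32-bit x86 near return at the start of `code`.

    C3      ret        callee leaves the arguments on the stack
    C2 iw   ret imm16  callee pops imm16 bytes of arguments
    """
    if not code:
        raise ValueError("empty instruction buffer")
    if code[0] == 0xC3:
        # Caller cleans up (cdecl). A stdcall function with no arguments
        # also ends in a plain ret, so the count is unknown from here.
        return {"callmethod": CDECL, "stack_bytes": 0, "stack_args": None}
    if code[0] == 0xC2:
        if len(code) < 3:
            raise ValueError("truncated ret imm16")
        (nbytes,) = struct.unpack_from("<H", code, 1)  # little-endian imm16
        if nbytes % slot:
            raise ValueError(f"ret {nbytes} is not a multiple of {slot}")
        # Assumption: one stack slot per argument. A double uses two slots,
        # and thiscall and fastcall also end in ret N but pass values in ecx/edx.
        return {"callmethod": STDCALL, "stack_bytes": nbytes,
                "stack_args": nbytes // slot}
    raise ValueError(f"opcode {code[0]:#04x} is not a near ret")

if __name__ == "__main__":
    # Constructed sample encodings: ret, ret 4, ret 8
    for raw in ("C3", "C20400", "C20800"):
        print(raw, classify_ret(bytes.fromhex(raw)))
```

A plain `ret` only tells you who cleans the stack; the argument count then has to come from the call site (the pushes before the call and the `add esp,N` after it).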