Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
How to invoke/call a function if you have the address?

 
blueBoxDiv
Newbie cheater
Reputation: 0

Joined: 26 Sep 2023
Posts: 13

PostPosted: Fri Sep 29, 2023 12:54 pm    Post subject: How to invoke/call a function if you have the address?

So, I made myself a .exe that has functions. And I can get the address.

i.imgur.com/6V9kMOz.png


Now, I want to invoke those functions using Cheat Engine.


But I want to trigger them, by pressing a button.

Though I have no clue how I can trigger it; every time I do, my app crashes because idk wtf I do with alloc and dealloc and all the other forum posts on this forum and createthread.

Maybe it is wrong, I do not know. Maybe someone knows.




Anyways.

I have the address of the function, but I don't know how to call it through Cheat Engine itself.

I want to call the function every time I click on this

i.imgur.com/vCp5RNn.png


but I do not know how


how can I trigger test1

Code:
[ENABLE]

test1:
      call 7FF621952630


[DISABLE]


I want to run this, how do I run it just through injection?


Last edited by blueBoxDiv on Sat Sep 30, 2023 5:16 am; edited 1 time in total
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4719

PostPosted: Fri Sep 29, 2023 7:24 pm    Post subject:

Code:
[ENABLE]
alloc(newmem,2048)

newmem:
  sub rsp,28
  call 7FF621952630  // should really use `call program.exe+78630` or something
  add rsp,28
  xor eax,eax
  ret

createthreadandwait(newmem,1000)

[DISABLE]
dealloc(newmem)
If it still doesn't work, post the source code of the program you wrote.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
blueBoxDiv
Newbie cheater
Reputation: 0

Joined: 26 Sep 2023
Posts: 13

PostPosted: Sat Sep 30, 2023 5:14 am    Post subject:

ParkourPenguin wrote:
Code:
[ENABLE]
alloc(newmem,2048)

newmem:
  sub rsp,28
  call 7FF621952630  // should really use `call program.exe+78630` or something
  add rsp,28
  xor eax,eax
  ret

createthreadandwait(newmem,1000)

[DISABLE]
dealloc(newmem)
If it still doesn't work, post the source code of the program you wrote.


Tried that, it didn't work.

Tried
Code:
call Project1.exe+2630
and it still didn't work. Mostly I forgot the meaning of eax and rsp

unless those are like temporary variables that you can write to, then it would make sense again.





This is main.cpp with the functions; the header file is really just for the test commands.


Code:

#include <iostream>
#include <string>
#include <map>
#include "cmd_inputs.h"

int g_Test1;
int g_Test2;
int g_Test3 = 0; // for pointer3

int* g_pTest2 = &g_Test2;


double test1_value = 50;



void callTest1() {
   std::cout << "Test message!" << std::endl;
}

void callWithArgument(int arg1=5) {
   std::cout << "Value: ";
   std::cout << arg1;
   std::cout << std::endl;
}

void callWithProvideableArgument(double num) {
   std::cout << "Value inputted: ";
   std::cout << num;
   std::cout << std::endl;
}


void multiArg1(int arg1=1, std::string arg2="a string") {
   std::cout << "arg1: " << arg1 << std::endl;
   std::cout << "arg2: " << arg2 << std::endl;
}


void multiArg2(int arg1, double arg3 = 50) {
   double arg2 = test1_value;

   std::cout << "arg1: " << arg1 << std::endl;
   std::cout << "arg2: " << arg2 << std::endl;
   std::cout << "arg3: " << arg3 << std::endl;
}




void pointerTest1() {
   int* p = &g_Test1;

   std::cout << "Current value: " << *p;
   std::cout << std::endl;
}

void pointerTest2(int* p) {
   *p += 1;

   std::cout << "New pointer value: " << *p;
   std::cout << std::endl;
}


void hiddenFunction() {
   std::cout << "You have managed to trigger this hidden function";
   std::cout << std::endl;
}

void hiddenFunc2(int num) {
   std::cout << "You managed to trigger this hidden function and input this value: " << num;
   std::cout << std::endl;
}



void input_handler() {
   std::cout << "Enter an input: ";
   std::cout << CMD_InputMap::getCMDInputs();
   std::cout << std::endl;

   std::string input;
   std::cin >> input; // wait for input

   // convert to enum
   auto enumInput = CMD_InputMap::stringToEnum(input);


   using CMD_InputsEnum = CMD_InputMap::InputsEnum;


   if (enumInput == CMD_InputsEnum::e_Call_Simple) {
      callTest1();
   }
   else if (enumInput == CMD_InputsEnum::e_Call_NoProvideArg) {
      callWithArgument();
   }

   else if (enumInput == CMD_InputsEnum::e_Call_ProvideArg) {
      std::string arg1_input;
      std::cout << "Enter a number: ";
      std::cin >> arg1_input;

      double arg1;

      try {
         arg1 = std::stod(arg1_input);
         callWithProvideableArgument(arg1);
      } catch (std::invalid_argument& e) {
         std::cout << "Invalid number" << std::endl;
      }
   }

   else if (enumInput == CMD_InputsEnum::e_Call_PreProvidedArg) {
      double arg1 = 20;

      callWithProvideableArgument(arg1);
   }

   else if (enumInput == CMD_InputsEnum::e_Call_MultiArg1) {
      multiArg1();
   }
   else if (enumInput == CMD_InputsEnum::e_Call_MultiArg2) {
      multiArg2(200);
   }

   else if (enumInput == CMD_InputsEnum::e_PointerTest1) {
      pointerTest1();
   }
   else if (enumInput == CMD_InputsEnum::e_PointerTest2) {
      pointerTest2(g_pTest2);
   }
   else if (enumInput == CMD_InputsEnum::e_PointerTest3) {
      auto inputPointer = &g_pTest2;

      pointerTest2(*inputPointer);
   }

   // Exit
   else if (enumInput == CMD_InputsEnum::e_EXIT) {
      return;
   }

   // If no valid input was found
   else {
      std::cout << "Invalid input.";
      std::cout << std::endl;
   }


   std::cout << std::endl;
   input_handler();
}


int main() {
   // Init
   g_Test1 = 10; // default value
   *g_pTest2 = 0;


   input_handler();
   
   system("pause");

   return 0;
}


A release build, I removed the debug symbols.



Edit:

Wait I need to retry, I re-named "newmem" and forgot to rename the other ones.


Edit:

It didn't work either.

In my case I was trying to invoke callTest1.
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4719

PostPosted: Sat Sep 30, 2023 11:00 am    Post subject:

Code:
#include <iostream>
#include <atomic>
#include <chrono>
#include <thread>

std::atomic_int g = 0;

void callTest1() {
    std::cout << "Set!" << std::endl;
    g.store(1);
}

int main(int, char**) {
    using namespace std::chrono_literals;

    std::cout << (void *)callTest1 << std::endl;

    while (g.load() == 0) {
        std::this_thread::sleep_for(500ms);
    }

    return 0;
}
This works fine for me.

Does "Memory Viewer -> Tools -> Create Thread" work? If not, it's not the AA script that's the problem.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
blueBoxDiv
Newbie cheater
Reputation: 0

Joined: 26 Sep 2023
Posts: 13

PostPosted: Fri Oct 06, 2023 6:30 am    Post subject:

ParkourPenguin wrote:
Code:
#include <iostream>
#include <atomic>
#include <chrono>
#include <thread>

std::atomic_int g = 0;

void callTest1() {
    std::cout << "Set!" << std::endl;
    g.store(1);
}

int main(int, char**) {
    using namespace std::chrono_literals;

    std::cout << (void *)callTest1 << std::endl;

    while (g.load() == 0) {
        std::this_thread::sleep_for(500ms);
    }

    return 0;
}
This works fine for me.

Does "Memory Viewer -> Tools -> Create Thread" work? If not, it's not the AA script that's the problem.



Create Thread does work. Not sure what I should do with it, but it does work, it did not crash the application.

It just printed out the thing again that it prints out when I'd start the app.

The Auto Assemble thing does crash the app however.


Also if I create an empty header and save the Cheat Table. When I open the Cheat Table the Header is gone.
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4719

PostPosted: Fri Oct 06, 2023 10:41 am    Post subject:

blueBoxDiv wrote:
Not sure what I should do with it, but it does work
How do you know it works if you don't know what it's supposed to do?

You're supposed to call the function that takes void (i.e. callTest1).


Start off with simpler cases and keep going until something breaks.

e.g. try executing this AA script while attached to the CE tutorial:
Code:
globalalloc(foo,4096)

foo:
  sub rsp,28
  mov ecx,#500
  call kernel32.Sleep
  add rsp,28
  xor eax,eax
  ret

createthreadandwait(foo,1000)
If it works, then try executing it while attached to your app. If it still works, then you did something wrong. Maybe you weren't actually executing callTest1 but some other random address?
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Dark Byte
Site Admin
Reputation: 471

Joined: 09 May 2003
Posts: 25833
Location: The netherlands

PostPosted: Fri Oct 06, 2023 1:21 pm    Post subject:

You're 100% sure the address is correct? (e.g. not just the address of the function name)

tried executeCodeEx(1,nil,0x7FF621952630,nil)

are you on macos?

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
blueBoxDiv
Newbie cheater
Reputation: 0

Joined: 26 Sep 2023
Posts: 13

PostPosted: Sat Oct 07, 2023 7:16 am    Post subject:

ParkourPenguin wrote:
blueBoxDiv wrote:
Not sure what I should do with it, but it does work
How do you know it works if you don't know what it's supposed to do?

You're supposed to call the function that takes void (i.e. callTest1).


Start off with simpler cases and keep going until something breaks.

e.g. try executing this AA script while attached to the CE tutorial:
Code:
globalalloc(foo,4096)

foo:
  sub rsp,28
  mov ecx,#500
  call kernel32.Sleep
  add rsp,28
  xor eax,eax
  ret

createthreadandwait(foo,1000)
If it works, then try executing it while attached to your app. If it still works, then you did something wrong. Maybe you weren't actually executing callTest1 but some other random address?


On the Cheat Engine Game Tutorial it worked.

On my application, it worked as well.

Running the function however, did not work.



Dark Byte wrote:
You're 100% sure the address is correct? (e.g. not just the address of the function name)

tried executeCodeEx(1,nil,0x7FF621952630,nil)

are you on macos?


Not on MacOS. I am on Windows.


The address that I got, was when I used the Code Filter and filtered out the function.


Sometimes that address changes, uhh memory idk.

But I got the address that should stay the same all the times, unless I compile the app again, which is: Project1.exe+2630



I have tried running that Lua code you sent me. It didn't do anything. When I skimmed through the docs I couldn't find "executeCodeEx".

I wrapped it around print and it printed: "No idea how to handle the type you provided for parameter 5"


so I removed the 4th arg, but the application would crash as well


I assume the function is invoked when call is used, though I am not sure where it takes the stuff it needs from if I just directly call the address


----

Now that I look through it, there's more than just a part in the code that is doing "call" with that address, so maybe I did get the wrong thing

i.imgur.com/Ybgbcec.png

It's not the void function directly.


Maybe I need to re-compile the .exe without the optimizations. Instead of putting the std::cout in that void function, the compiler took it out.

Not sure if that's a good practice.



I am also realizing I am not calling the address, which is calling that address...


Calling the address at the part where it says ("Test Message") does call the void function.

But it's not only calling void callTest1, it's also invoking the other function. Basically as if I skipped the process of inputting the text in my application.

I expected to only call the void function that will only print out "Test Message". You know, just calling functions but, maybe it was optimized away.

So, I am wondering if I should re-compile without optimization and see how that goes.

Turns out Debug is always without optimization. There it looks different. Though if I invoke the function it didn't print anything out, but it told me that the code executed.

Either something was missing on it or I don't know.


It doesn't look like I called the function the way the original code would call it, e.g. callTest1()

I am not sure if that information solely still exists when compiled, even without optimization. But I think that it should be.
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4719

PostPosted: Sat Oct 07, 2023 10:10 am    Post subject:

Don't use the code filter. Let the app print out where the function is. Look at my code. Also disassemble that address and verify there's actually valid code there.

Don't compile with optimizations. Of course the function will be inlined. You can't call it then because there is no function to call: it got optimized away.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
blueBoxDiv
Newbie cheater
Reputation: 0

Joined: 26 Sep 2023
Posts: 13

PostPosted: Sun Oct 08, 2023 11:08 am    Post subject:

ParkourPenguin wrote:
Don't use the code filter. Let the app print out where the function is. Look at my code. Also disassemble that address and verify there's actually valid code there.

Don't compile with optimizations. Of course the function will be inlined. You can't call it then because there is no function to call: it got optimized away.


Printing out the function (which revealed the address) and using something like the following worked:

Code:
executeCodeEx(1,nil,"Project1.exe+1A30")


for Release and Debug build, the Debug build is the one with no optimization

It was completely somewhere else, but it looked similar to the things I found with Code Filter.

Though, printing out the function is doable if one has the source code.

So, how can I find the right address through Cheat Engine? And the other question would still be what to do with functions that one can provide arguments to.

also why do the Headers not save inside the Cheat Table?
AliceHenderson
How do I cheat?
Reputation: 0

Joined: 24 Jul 2023
Posts: 1

PostPosted: Fri Oct 13, 2023 11:27 pm    Post subject:

A quick question. If I ask ChatGPT the same question, will I get the right answer?
blueBoxDiv
Newbie cheater
Reputation: 0

Joined: 26 Sep 2023
Posts: 13

PostPosted: Sun Oct 15, 2023 1:35 pm    Post subject:

I used the wrong function address as mentioned. Though, I found the function address by literally printing it out.

That's like "cheating" without even using cheat engine to obtain the address.


How can I obtain the address with cheat engine though? Cuz like, that's the entire point on the test application that I made. It's to "train" though Code Filter is not good cuz I can't really filter the function that I want at the end, cuz there's more than one function.

There's like a "trace" thing, not sure if that can find the function address.
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4719

PostPosted: Sun Oct 15, 2023 3:10 pm    Post subject:

Compile without optimizations and you can play around with CE and the code filter all you want. If you're using an IDE, look for something that says "debug" instead of "release".

When you're compiling with optimizations, the call gets optimized away. There is no function to call. What you're looking for does not exist.

You can do some shenanigans to force the compiler to not inline the call, but compiling without optimizations is far easier.

If you're concerned about getting more than one result in the code filter, that's realistic. It's up to you to go through each result and figure out whether or not it's what you're looking for.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
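The "shenanigans" mentioned above, as an added example that is not ParkourPenguin's code or anything else from this thread: a compiler-specific noinline attribute keeps callTest1 as a real out-of-line function even in an optimized build, and the program prints that function's address both as an absolute value and as an offset from the executable's base (the module+offset form Cheat Engine displays, such as Project1.exe+1A30). The NOINLINE macro and the helper names image_base, function_address and function_offset are my own; GetModuleHandleA is the Win32 API that returns the running executable's base, and on non-Windows builds the offset simply equals the absolute address.

```cpp
// Added example (not from the thread): keep callTest1 out-of-line in an
// optimized build so there is a real body at a real address, then print that
// address as absolute and as module+offset (the "Project1.exe+1A30" form).
#include <atomic>
#include <chrono>
#include <cstdint>
#include <cstdio>
#include <thread>
#ifdef _WIN32
#include <windows.h>
#endif

// One macro for the two mainstream compilers; NOINLINE is our own name.
#if defined(_MSC_VER)
#define NOINLINE __declspec(noinline)
#else
#define NOINLINE __attribute__((noinline))
#endif

std::atomic_int g_calls{0};

// noinline stops the optimizer from folding this body into its caller, which
// is what made the function "disappear" in the Release build discussed above.
NOINLINE int callTest1() {
    std::puts("Test message!");
    return ++g_calls;              // 1 on the first call, 2 on the second, ...
}

// Base address of the running executable. On Windows this is the value CE
// shows as "Project1.exe"; on other platforms this example falls back to 0,
// so only the absolute address is meaningful there.
std::uintptr_t image_base() {
#ifdef _WIN32
    return reinterpret_cast<std::uintptr_t>(GetModuleHandleA(nullptr));
#else
    return 0;
#endif
}

// Absolute address of callTest1's out-of-line body. Taking the address
// guarantees a copy exists; volatile keeps the read from being folded away.
std::uintptr_t function_address() {
    int (*volatile fp)() = callTest1;
    return reinterpret_cast<std::uintptr_t>(fp);
}

// Offset from the image base, i.e. the number after "Project1.exe+".
std::uintptr_t function_offset() {
    return function_address() - image_base();
}

int main() {
    std::printf("callTest1 at %#llx = module+%#llx\n",
                static_cast<unsigned long long>(function_address()),
                static_cast<unsigned long long>(function_offset()));

    // Wait up to 60 s for something (e.g. an externally created thread) to
    // call callTest1, as in the thread's test program, instead of spinning
    // forever; then report whether it happened.
    for (int i = 0; i < 120 && g_calls.load() == 0; ++i)
        std::this_thread::sleep_for(std::chrono::milliseconds(500));
    std::printf("callTest1 was called %d time(s)\n", g_calls.load());
    return 0;
}
```

Build it with optimizations on (/O2 or -O2), attach to it, and the printed address is the one to call; comparing that value against what Code Filter reports shows whether the filter landed on the function body or on a jump stub to it, which is the confusion the later posts in this thread ran into.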
blueBoxDiv
Newbie cheater
Reputation: 0

Joined: 26 Sep 2023
Posts: 13

PostPosted: Sun Feb 04, 2024 12:52 pm    Post subject:

ParkourPenguin wrote:
Compile without optimizations and you can play around with CE and the code filter all you want. If you're using an IDE, look for something that says "debug" instead of "release".

When you're compiling with optimizations, the call gets optimized away. There is no function to call. What you're looking for does not exist.

You can do some shenanigans to force the compiler to not inline the call, but compiling without optimizations is far easier.

If you're concerned about getting more than one result in the code filter, that's realistic. It's up to you to go through each result and figure out whether or not it's what you're looking for.


for figuring out the real address of a function?
blueBoxDiv
Newbie cheater
Reputation: 0

Joined: 26 Sep 2023
Posts: 13

PostPosted: Thu Apr 18, 2024 4:18 pm    Post subject:

ParkourPenguin wrote:
Compile without optimizations and you can play around with CE and the code filter all you want. If you're using an IDE, look for something that says "debug" instead of "release".

When you're compiling with optimizations, the call gets optimized away. There is no function to call. What you're looking for does not exist.

You can do some shenanigans to force the compiler to not inline the call, but compiling without optimizations is far easier.

If you're concerned about getting more than one result in the code filter, that's realistic. It's up to you to go through each result and figure out whether or not it's what you're looking for.


Alright, so I figured out that the real function address just jumps to the address that I got through Code Filter.




How can I scan ALL OPCODES for a specific address like 7FF71C3BE2E0

original one is

Code:
jmp 7FF71C3BE2E0



but I just need to scan for references to 7FF71C3BE2E0

How can I do that?
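As an added example (my own code, not the poster's and not a Cheat Engine feature), here is the arithmetic behind scanning for references to an address such as 7FF71C3BE2E0: on x64 a near call (opcode E8) or jmp (opcode E9) stores its target as a signed 32-bit displacement from the end of the five-byte instruction, so a reference scan decodes each candidate displacement, adds it to the address just past the instruction and compares the result with the wanted address. The code region, its base 7FF71C3BE000 and the branches placed in it are constructed for this example; the helper names find_references, emit_branch and sample_code are my own.

```cpp
// Added example (not from the thread): find every `call rel32` (E8) and
// `jmp rel32` (E9) in a code buffer whose target is a given address.
// x64 encodes the target as a signed 32-bit displacement from the end of
// the instruction, so target = address_of_instruction + 5 + rel32.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct Reference {
    std::uintptr_t address;   // address of the referencing instruction
    std::uint8_t opcode;      // 0xE8 = call, 0xE9 = jmp
};

// Decode the little-endian signed displacement that follows the opcode byte.
static std::int32_t read_rel32(const std::uint8_t* p) {
    std::uint32_t v = std::uint32_t(p[0]) | (std::uint32_t(p[1]) << 8) |
                      (std::uint32_t(p[2]) << 16) | (std::uint32_t(p[3]) << 24);
    return static_cast<std::int32_t>(v);
}

// Scan `code`, read from address `base`, for E8/E9 instructions whose
// resolved target equals `wanted`. This is a byte-pattern scan, not a
// disassembly: an E8/E9 that is really part of another instruction's operand
// can produce a false positive, so confirm each hit in the disassembler.
std::vector<Reference> find_references(const std::vector<std::uint8_t>& code,
                                       std::uintptr_t base, std::uintptr_t wanted) {
    std::vector<Reference> hits;
    for (std::size_t i = 0; i + 5 <= code.size(); ++i) {
        std::uint8_t op = code[i];
        if (op != 0xE8 && op != 0xE9) continue;
        std::uintptr_t next_ip = base + i + 5;   // rel32 is relative to the next instruction
        std::int64_t rel = read_rel32(&code[i + 1]);
        std::uintptr_t target = next_ip + static_cast<std::uintptr_t>(rel);
        if (target == wanted) hits.push_back({base + i, op});
    }
    return hits;
}

// Encoder used only to build the constructed sample: write an E8/E9 at
// `offset` that reaches `target` (the inverse of the decode above).
static void emit_branch(std::vector<std::uint8_t>& code, std::uintptr_t base,
                        std::size_t offset, std::uint8_t op, std::uintptr_t target) {
    std::int64_t rel = static_cast<std::int64_t>(target) -
                       static_cast<std::int64_t>(base + offset + 5);
    std::uint32_t u = static_cast<std::uint32_t>(static_cast<std::int32_t>(rel));
    code[offset] = op;
    for (int k = 0; k < 4; ++k) code[offset + 1 + k] = std::uint8_t(u >> (8 * k));
}

// Constructed sample: a 0x400-byte region imagined at 7FF71C3BE000 (a made-up
// base chosen so the thread's address 7FF71C3BE2E0 falls inside it). Two
// branches reach the wanted address from below, one from above (negative
// displacement), and one call goes somewhere else.
std::vector<std::uint8_t> sample_code() {
    const std::uintptr_t base = 0x7FF71C3BE000ULL;
    std::vector<std::uint8_t> code(0x400, 0x90);           // NOP filler
    emit_branch(code, base, 0x010, 0xE9, 0x7FF71C3BE2E0ULL); // jmp  7FF71C3BE2E0
    emit_branch(code, base, 0x020, 0xE8, 0x7FF71C3BE100ULL); // call elsewhere
    emit_branch(code, base, 0x040, 0xE8, 0x7FF71C3BE2E0ULL); // call 7FF71C3BE2E0
    emit_branch(code, base, 0x300, 0xE8, 0x7FF71C3BE2E0ULL); // backwards call
    return code;
}

int main() {
    const std::uintptr_t base = 0x7FF71C3BE000ULL, wanted = 0x7FF71C3BE2E0ULL;
    for (const Reference& r : find_references(sample_code(), base, wanted))
        std::printf("%#llx: %s %#llx\n", static_cast<unsigned long long>(r.address),
                    r.opcode == 0xE8 ? "call" : "jmp",
                    static_cast<unsigned long long>(wanted));
    return 0;
}
```

Two limits to keep in mind when reading the output: a pattern scan like this has false positives (an E8 or E9 byte that belongs to another instruction's operand decodes to some address too), so each hit is a candidate to confirm in the disassembler rather than a definite reference; and it misses indirect branches (FF /2 for call and FF /4 for jmp through a register or memory operand) and RIP-relative data references, which encode the address differently.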