Cheat Engine Forum Index Cheat Engine
Function calling using C

Cheat Engine Forum Index -> General Discussions
Game Hacking Dojo
Master Cheater
Reputation: 1

Joined: 17 Sep 2023
Posts: 250

Posted: Tue Sep 19, 2023 11:18 am    Post subject: Function calling using C

Hello everyone,
I would like to make a function call using the Cheat Engine script.
I did it using assembly by pushing all the registers to the stack and popping them back again once done. My first issue is that I don't like how visually messy that looks. I love C/C++ and I know that Cheat Engine scripts support C code. However, when I tried to add my arguments to C variables, I couldn't assign a variable to an 8-byte value (unsigned long long int). (Example: my value could be 29A9121C220 instead of a pointer. In this case the script doesn't allow it. And how can I assign the variable to a pointer like what I've done in assembly?) I always get an error, as this value can't be assigned. So I would love it if someone could rewrite a function-calling script in C using this example that I made, which works using assembly.

I want to use as much C as possible as long as it's more readable and neater.


Code:
{ Game   : GTA5.exe }

[ENABLE]

aobscanmodule(CarFix,GTA5.exe,F3 0F 10 82 80 02 00 00 F3) // should be unique
alloc(newmem,$512,CarFix)

alloc(CarFixFlag,$8)
registersymbol(CarFixFlag)
label(code)
label(return)

CarFixFlag:
  db 0

newmem:
  cmp [CarFixFlag],1
  jne code

  cmp [GTA5.exe+2001D38],0
  je code

  cmp dword ptr [GTA5.exe+259FC4C],ffffffff
  jne code

  cmp [rdx+38],103FF      //Car = 403FF   Char = 103FF
  je code

  cmp [rdx+00000280],GTA5.exe+2A2E124
  je code

  push rax
  push rbx
  push rcx
  push rdx
  push rsi
  push rdi
  push rsp
  push rbp
  push r8
  push r9
  push r10
  push r11
  push r12
  push r13
  push r14
  push r15

  mov rbp,rsp

  //mov rcx,[GTA5.exe+1FBB398]     //Argument
  mov rcx,[GTA5.exe+2001D38]     //Argument
  call GTA5.exe+F1D4B8

  mov rsp,rbp

  pop r15
  pop r14
  pop r13
  pop r12
  pop r11
  pop r10
  pop r9
  pop r8
  pop rbp
  pop rsp
  pop rdi
  pop rsi
  pop rdx
  pop rcx
  pop rbx
  pop rax
  //ret

  //jmp code


code:
  mov [CarFixFlag],0

  movss xmm0,[rdx+00000280]
  jmp return

CarFix:
  jmp newmem
  nop 3

return:
registersymbol(CarFix)

[DISABLE]

CarFix:
  db F3 0F 10 82 80 02 00 00

unregistersymbol(*)
dealloc(*)

{
// ORIGINAL CODE - INJECTION POINT: GTA5.exe+217F18

GTA5.exe+217EEE: E9 CA 00 00 00           - jmp GTA5.exe+217FBD
GTA5.exe+217EF3: F3 0F 10 1D 6D 9E 79 01  - movss xmm3,[GTA5.exe+19B1D68]
GTA5.exe+217EFB: 0F 2F 58 24              - comiss xmm3,[rax+24]
GTA5.exe+217EFF: 77 EA                    - ja GTA5.exe+217EEB
GTA5.exe+217F01: 48 8B 93 10 02 00 00     - mov rdx,[rbx+00000210]
GTA5.exe+217F08: 0F 57 C9                 - xorps xmm1,xmm1
GTA5.exe+217F0B: 8A 42 28                 - mov al,[rdx+28]
GTA5.exe+217F0E: 2C 03                    - sub al,03
GTA5.exe+217F10: 3C 02                    - cmp al,02
GTA5.exe+217F12: 0F 87 9B 00 00 00        - ja GTA5.exe+217FB3
// ---------- INJECTING HERE ----------
GTA5.exe+217F18: F3 0F 10 82 80 02 00 00  - movss xmm0,[rdx+00000280]
// ---------- DONE INJECTING  ----------
GTA5.exe+217F20: F3 0F 10 93 A4 04 00 00  - movss xmm2,[rbx+000004A4]
GTA5.exe+217F28: F3 0F 5C D0              - subss xmm2,xmm0
GTA5.exe+217F2C: F3 0F 11 83 A4 04 00 00  - movss [rbx+000004A4],xmm0
GTA5.exe+217F34: 8B 05 3E 16 C0 02        - mov eax,[GTA5.exe+2E19578]
GTA5.exe+217F3A: 0F 2F 93 A8 04 00 00     - comiss xmm2,[rbx+000004A8]
GTA5.exe+217F41: 76 0E                    - jna GTA5.exe+217F51
GTA5.exe+217F43: F3 0F 11 93 A8 04 00 00  - movss [rbx+000004A8],xmm2
GTA5.exe+217F4B: 89 83 84 04 00 00        - mov [rbx+00000484],eax
GTA5.exe+217F51: F3 0F 10 83 A8 04 00 00  - movss xmm0,[rbx+000004A8]
GTA5.exe+217F59: 0F 2F C1                 - comiss xmm0,xmm1
}
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4691

Posted: Tue Sep 19, 2023 1:51 pm

You're doing something wrong with {$ccode}. It's hard to say what if you don't post your code.

Here's an example using step 2 of the CE tutorial:
Code:
[ENABLE]
aobscanmodule(Step2Write,Tutorial-x86_64.exe,29 83 F8 07 00 00)
assert(Tutorial-x86_64.exe+FC10,53 48) // should find this via aobscan too, but whatever

alloc(newmem,$1000,Step2Write)

label(randomFunction)
label(healFlag)
label(return)

// generates random int from [0,n)
Tutorial-x86_64.exe+FC10:
randomFunction:

newmem:
{$ccode healthbase=RBX subhealth=RAX}
extern int healFlag;
extern int randomFunction(int);

int health = *(int *)(healthbase + 0x7F8);
if (healFlag && health < 90) {
   subhealth = -(randomFunction(5) + 5);
}
{$asm}
  sub [rbx+000007F8],eax
  jmp return

db CC
align 4 CC
healFlag:
  dd 0

Step2Write:
  jmp newmem
  nop
return:

registersymbol(Step2Write)
registersymbol(healFlag)
[DISABLE]

Step2Write:
  db 29 83 F8 07 00 00

unregistersymbol(*)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: Tutorial-x86_64.exe+2B4BC

Tutorial-x86_64.exe+2B4AF: B9 05 00 00 00           - mov ecx,00000005
Tutorial-x86_64.exe+2B4B4: E8 57 47 FE FF           - call Tutorial-x86_64.exe+FC10
Tutorial-x86_64.exe+2B4B9: 83 C0 01                 - add eax,01
// ---------- INJECTING HERE ----------
Tutorial-x86_64.exe+2B4BC: 29 83 F8 07 00 00        - sub [rbx+000007F8],eax
// ---------- DONE INJECTING  ----------
Tutorial-x86_64.exe+2B4C2: 48 8D 4D F8              - lea rcx,[rbp-08]
Tutorial-x86_64.exe+2B4C6: E8 45 DA FD FF           - call Tutorial-x86_64.exe+8F10
}
This heals the player for a random amount of health in [5,9] (inclusive) if the flag is active and the current health is below 90.

Miscellaneous remarks about your code:

`alloc(newmem,$512,CarFix)` - that's 0x512, use $800 or 2048

`cmp [address],X` - you should qualify the size of the value you're comparing. By default it's 4 bytes (dword ptr).

You don't need to push/pop every register, just the volatile ones. And even then you can look at the original code and see which ones aren't currently in use (e.g. rax doesn't need to be saved).

`mov rbp,rsp` / `mov rsp,rbp` - no

_________________
I don't know where I'm going, but I'll figure it out when I get there.
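As an added example that comes from neither poster, here is the CarFix script from the first post rewritten with the same {$ccode} pattern as the reply above: the game addresses get labels so the C side can reference them as extern symbols, the compares carry explicit C types instead of asm size qualifiers, and register saving is left to the {$ccode} wrapper (which the reply's example also relies on) instead of manual push/pop. The label names carFunc, carArg and gameState are made up for this example, and the original's `cmp [rdx+00000280],GTA5.exe+2A2E124` check is left out.

```asm
[ENABLE]
aobscanmodule(CarFix,GTA5.exe,F3 0F 10 82 80 02 00 00 F3)
alloc(newmem,$800,CarFix)      // $ means hex in CE: $800 = 2048 bytes
alloc(CarFixFlag,$8)
registersymbol(CarFixFlag)
label(carFunc)
label(carArg)
label(gameState)
label(return)

// name the game's addresses so C can see them (same trick as randomFunction above)
GTA5.exe+F1D4B8:
carFunc:
GTA5.exe+2001D38:
carArg:
GTA5.exe+259FC4C:
gameState:

CarFixFlag:
  dd 0

newmem:
{$ccode entity=RDX}
extern int CarFixFlag;
extern int gameState;              // 4-byte value at GTA5.exe+259FC4C
extern void *carArg;               // 8-byte pointer read from GTA5.exe+2001D38
extern void carFunc(void *arg);    // first argument travels in rcx on Win64

// explicit C types replace the size qualifiers the asm version needed
int kind = *(int *)(entity + 0x38);   // 0x403FF = car, 0x103FF = character
if (CarFixFlag == 1 && carArg != 0 && gameState == -1 && kind != 0x103FF) {
    carFunc(carArg);
}
CarFixFlag = 0;                       // one-shot, as in the original 'code:' block
{$asm}
  movss xmm0,[rdx+00000280]           // original instruction
  jmp return

CarFix:
  jmp newmem
  nop 3
return:
registersymbol(CarFix)

[DISABLE]
CarFix:
  db F3 0F 10 82 80 02 00 00

unregistersymbol(*)
dealloc(*)
```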
CookiesHax
How do I cheat?
Reputation: 0

Joined: 25 Jul 2024
Posts: 1

Posted: Thu Jul 25, 2024 5:19 am

You can replace pop/push RAX... with popad/pushad :)
All times are GMT - 6 Hours