Cheat Engine

hjefferson · Newbie cheater Reputation: 0 Joined: 19 May 2012 Posts: 12

When I break within a function, I see the return address - the function that called it. Is there any way to view the function that called that and the one that called that and so on?

Dark Byte · Posted: Tue May 22, 2012 7:45 am Post subject:

Rightclick the stacktrace and choose a different style of viewing. (full, module only, etc...)

Also, if you're using the 32-bit ce version you may see a longer list (for some reason the walkstacktrace api in win64 applications return a incomplete set if the target is 32-bit (I should fix that))

hjefferson · Newbie cheater Reputation: 0 Joined: 19 May 2012 Posts: 12

The full viewing option shows the entire stack at this point, right?

The module viewing shows all the values that are the program base address+an offset?

How come the first value in "module only" is not the same as the return address listed under "stacktrace"?

Dark Byte · Posted: Tue May 22, 2012 7:59 am Post subject:

the function you're in may have stored modulebased addresses in the stack as local variables

ebp+4 will usually be the return address
(ebp+0 is usually the address of the previous stackframe, and that address+4 is the return address of that one.
I guess I could even write a lua function that shows this)

hjefferson · Newbie cheater Reputation: 0 Joined: 19 May 2012 Posts: 12

And does the stacktrace view only show explicit calls to a function?

As in : I break at 004B1843. I see the return address in "stacktrace" view is 005227A6. But when I go to 005227A6, I don't see any call to the function at 004B1750, which contains 004B1843.

Instead I see a call to a different function, seemingly unrelated.

However, if I look at the "modules only" view and follow the very first value in the stack, 0051E900, I see a "call eax" opcode. Can I assume eax was 004B1750?

Dark Byte · Posted: Tue May 22, 2012 12:53 pm Post subject:

If the return address is 005227A6 then the caller address is 005227a1

the stack does not only contain code addresses, but also variable addresses.
0051E900 just means that that value is at the top of the stack (local variable, base pointer, etc...) but doesn't mean it's the return address.

hjefferson · Newbie cheater Reputation: 0 Joined: 19 May 2012 Posts: 12

But at 005227A1, it calls 0051D350. How does this 0051D350 relate to my function at 004B1750?

Am I misunderstanding something fundamental about calls and return addresses?

Dark Byte · Posted: Tue May 22, 2012 1:01 pm Post subject:

No idea, perhaps somewhere in 51d350 is a jmp ?

hjefferson · Newbie cheater Reputation: 0 Joined: 19 May 2012 Posts: 12

Yes, you are right, there was a jmp in 0051D350. I had not anticipated a long jump like this.