Cheat Engine The Official Site of Cheat Engine
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Thu Jul 09, 2015 11:00 am Post subject: Reversing question
Hi,
While "looking what accesses this variable" and seeing a ret instruction here, is it safe to assume that a class destructor is being used to clean up a dynamically allocated variable?
Or is it the case for just any dynamically allocated variable that is ended through the use of "delete"?
Or is it something else?
Thanks
Syperus Advanced Cheater Reputation: 1
Joined: 05 Jun 2011 Posts: 61
Posted: Thu Jul 09, 2015 11:35 am Post subject: Re: Reversing question
ulysse3131 wrote:
> Hi,
> While "looking what accesses this variable" and seeing a ret instruction here, is it safe to assume that a class destructor is being used to clean up a dynamically allocated variable?
> Or is it the case for just any dynamically allocated variable that is ended through the use of "delete"?
> Or is it something else?
> Thanks

Do you have a specific piece of code you're looking at that you could share? Is it just ret, or retn, or retf? But no, it's not calling a destructor of the class. Those are usually called as a program is closing, since classes usually have functions within them that are going to be used throughout the program. The only time you call the destructor directly is when you create a new object using the new keyword, to free up the resources after it is no longer needed. Otherwise you get into memory leaks.
Anyway, back on topic. ret is returning (popping) the last value from the stack, as you would return in high-level languages (return 0, return 1, etc.). retn means return near, and retf means return far. retn and retf were used back in the older days, but nowadays all you need to do is call ret and the compiler will work out which needs to be called. At least that's how I remember it. It's been a while since I've done anything with asm, but I'm starting to get back into it.
Edit: Also, this probably should have been posted in the General Programming section since it's more related to programming, and it might get more replies if other programmers are looking in that section more. Js!
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Thu Jul 09, 2015 1:02 pm Post subject:
Sweet answer, thanks! I had only seen retn once, had no idea what it was, and have never seen retf.
But yes, this was a simple ret.
The variable holds the number of a specific inventory item; the same lines of code update the amount of every inventory item.
So I was looking at the amount of potions, and when I transferred every potion from my inventory to my bank (therefore no longer having potions in inventory) my variable took several values that made little sense, got zeroed and eventually deallocated if I remember correctly (turned into "??").
I could understand the asm of every piece of code that accessed it except for ret; I was expecting code reading it, writing it, even add [] stuff (which there was). I am trying to make sense of how the inventory is handled (not even trying to cheat my item number), so here I was wondering where that ret came from.
It seems to me that this: "The only time you call the destructor directly is when you create a new object using the new keyword to free up the resources after it is no longer needed. Otherwise you get into memory leaks." is what happened (i.e. I freed an inventory slot which the game probably renewed).
"Anyway, back on topic. ret is returning (popping) the last value from the stack as you would return in high-level languages (return 0, return 1, etc.)"
That's interesting, so that means that if a variable is accessed by a ret then it is necessarily a stack variable? Do you know which asm code shows up when a variable is deallocated?
Thanks for the section tip; next time I open one of those threads I will make sure I post it in the right place.
Syperus Advanced Cheater Reputation: 1
Joined: 05 Jun 2011 Posts: 61
Posted: Thu Jul 09, 2015 6:03 pm Post subject:
ulysse3131 wrote:
> That's interesting, so that means that if a variable is accessed by a ret then it is necessarily a stack variable?

Everything (variables, instructions, etc.) is on the stack. The easiest way to think of a stack is to think of it like a can of Pringles. The last one in (pushed) is the first one out (popped). The same goes for deallocating in a high-level language: the last one allocated is the first one deallocated. The ret is usually the return of a function, i.e. the end of it. Here's an example. I'm working on the game Alien Isolation. Here is the function for the health:
Code:
AI.exe+3AD730 - 56 - push esi
AI.exe+3AD731 - 8B F1 - mov esi,ecx
AI.exe+3AD733 - 66 83 7E 1C 00 - cmp word ptr [esi+1C],00
AI.exe+3AD738 - 0F85 88000000 - jne AI.exe+3AD7C6
AI.exe+3AD73E - 8B 4E 24 - mov ecx,[esi+24]
AI.exe+3AD741 - 8B 01 - mov eax,[ecx]
AI.exe+3AD743 - 8B 50 1C - mov edx,[eax+1C]
AI.exe+3AD746 - 57 - push edi
AI.exe+3AD747 - FF D2 - call edx
AI.exe+3AD749 - 8D 88 D02C0000 - lea ecx,[eax+00002CD0]
AI.exe+3AD74F - E8 FC96EDFF - call AI.exe+286E50
AI.exe+3AD754 - 8B 7C 24 0C - mov edi,[esp+0C]
AI.exe+3AD758 - 8B 4E 24 - mov ecx,[esi+24]
AI.exe+3AD75B - 85 FF - test edi,edi
AI.exe+3AD75D - 74 2A - je AI.exe+3AD789
AI.exe+3AD75F - 8B 01 - mov eax,[ecx]
AI.exe+3AD761 - 8B 50 1C - mov edx,[eax+1C]
AI.exe+3AD764 - FF D2 - call edx
AI.exe+3AD766 - 8B 80 F42F0000 - mov eax,[eax+00002FF4]
AI.exe+3AD76C - 85 C0 - test eax,eax
AI.exe+3AD76E - 74 0E - je AI.exe+3AD77E
AI.exe+3AD770 - 33 C9 - xor ecx,ecx
AI.exe+3AD772 - 83 78 10 0A - cmp dword ptr [eax+10],0A
AI.exe+3AD776 - 0F95 C1 - setne cl
AI.exe+3AD779 - 49 - dec ecx
AI.exe+3AD77A - 23 C1 - and eax,ecx
AI.exe+3AD77C - EB 02 - jmp AI.exe+3AD780
AI.exe+3AD77E - 33 C0 - xor eax,eax
AI.exe+3AD780 - 89 78 24 - mov [eax+24],edi
AI.exe+3AD783 - 8B 57 50 - mov edx,[edi+50]
AI.exe+3AD786 - 89 50 28 - mov [eax+28],edx
AI.exe+3AD789 - C7 46 0C 04000000 - mov [esi+0C],00000004
AI.exe+3AD790 - 85 FF - test edi,edi
AI.exe+3AD792 - 74 31 - je AI.exe+3AD7C5
AI.exe+3AD794 - 8B BF 1C030000 - mov edi,[edi+0000031C]
AI.exe+3AD79A - 85 FF - test edi,edi
AI.exe+3AD79C - 74 27 - je AI.exe+3AD7C5
AI.exe+3AD79E - 80 7F 48 00 - cmp byte ptr [edi+48],00
AI.exe+3AD7A2 - 74 21 - je AI.exe+3AD7C5
AI.exe+3AD7A4 - 8B 46 24 - mov eax,[esi+24]
AI.exe+3AD7A7 - 8B 40 64 - mov eax,[eax+64]
AI.exe+3AD7AA - 8B 40 04 - mov eax,[eax+04]
AI.exe+3AD7AD - 83 F8 02 - cmp eax,02
AI.exe+3AD7B0 - 74 05 - je AI.exe+3AD7B7
AI.exe+3AD7B2 - 83 F8 07 - cmp eax,07
AI.exe+3AD7B5 - 75 0E - jne AI.exe+3AD7C5
AI.exe+3AD7B7 - 6A 02 - push 02
AI.exe+3AD7B9 - E8 02C4C8FF - call AI.exe+39BC0
AI.exe+3AD7BE - 8B C8 - mov ecx,eax
AI.exe+3AD7C0 - E8 ABC4C8FF - call AI.exe+39C70
AI.exe+3AD7C5 - 5F - pop edi
AI.exe+3AD7C6 - 8B CE - mov ecx,esi
AI.exe+3AD7C8 - E8 9333FEFF - call AI.exe+390B60
AI.exe+3AD7CD - 5E - pop esi
AI.exe+3AD7CE - C2 0400 - ret 0004
Notice at the end the ret 0004 is called. This is the end of that function and is returned.
ulysse3131 wrote:
> Do you know which asm code shows up when a variable is deallocated?

I've seen it show up with add before. Something like
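Added example (not from this thread, and not Cheat Engine or game code): a small C model of the x86 stack operations the posts talk about (push, pop, call and ret imm16), driven through the same shape as the listing above: two register pushes, a read of the argument at [esp+0C], two pops, then ret 0004. The names (cpu_t, run_stdcall_example, trace_t), the stack size, and the return address and data values are constructed for the demonstration. What it shows is that ret itself performs exactly one memory read, the dword at [esp] holding the return address, and then adds 4 plus its immediate to esp; the 0004 is the callee removing the single dword argument that [esp+0C] read, and the argument slot is never touched by the ret. So a "what accesses" hit reported on a ret is worth re-checking against the instruction just before it, which is the timing issue gir489 points to below.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BYTES 256u   /* constructed: size of the modelled stack region */

/* Minimal model of the x86 stack. mem[] is the stack region; esp is an offset into it
 * and grows downward, exactly as the real register does. last_read_addr records the
 * address of the most recent memory read, i.e. what a hardware read breakpoint would see. */
typedef struct {
    uint8_t  mem[STACK_BYTES];
    uint32_t esp;
    uint32_t eip;
    uint32_t last_read_addr;
} cpu_t;

static void cpu_init(cpu_t *c) {
    memset(c, 0, sizeof *c);
    c->esp = STACK_BYTES;          /* empty stack: esp points one past the top */
    c->last_read_addr = UINT32_MAX;
}

static uint32_t read32(cpu_t *c, uint32_t addr) {
    uint32_t v;
    memcpy(&v, c->mem + addr, 4);
    c->last_read_addr = addr;
    return v;
}

static void write32(cpu_t *c, uint32_t addr, uint32_t v) {
    memcpy(c->mem + addr, &v, 4);
}

/* push r32/imm32: esp -= 4; [esp] = value */
static void push32(cpu_t *c, uint32_t v) { c->esp -= 4; write32(c, c->esp, v); }

/* pop r32: value = [esp]; esp += 4 */
static uint32_t pop32(cpu_t *c) { uint32_t v = read32(c, c->esp); c->esp += 4; return v; }

/* call target: push the address of the next instruction, then jump */
static void do_call(cpu_t *c, uint32_t target, uint32_t next_eip) { push32(c, next_eip); c->eip = target; }

/* ret imm16: eip = [esp]; esp += 4 + imm.  ret 0004 is a stdcall/thiscall callee
 * discarding one dword of stack arguments after popping the return address. */
static void do_ret(cpu_t *c, uint16_t imm) { c->eip = pop32(c); c->esp += imm; }

typedef struct {
    uint32_t esp_before;     /* caller's esp before pushing the argument */
    uint32_t esp_after;      /* esp after the callee's ret 0004 */
    uint32_t eip_after;      /* where execution resumes */
    uint32_t arg_addr;       /* stack slot holding the argument */
    uint32_t arg_seen;       /* value the callee read via [esp+0C] */
    uint32_t ret_read_addr;  /* the single address the ret instruction read */
} trace_t;

/* Replays the stack traffic of a thiscall function with one stack argument:
 * caller pushes the argument and calls; callee does push esi / push edi,
 * reads [esp+0C], pops both, and returns with ret 0004. */
static trace_t run_stdcall_example(void) {
    cpu_t c;
    trace_t t;
    const uint32_t callee_label = 0x3AD730;  /* label only; no code is fetched from it */
    const uint32_t return_to    = 0x401005;  /* constructed return address */
    const uint32_t argument     = 0xDEADBEEF; /* constructed argument value */

    cpu_init(&c);
    memset(&t, 0, sizeof t);
    t.esp_before = c.esp;

    push32(&c, argument);                 /* caller: push the one stack argument */
    t.arg_addr = c.esp;
    do_call(&c, callee_label, return_to); /* call: pushes return_to, jumps */

    push32(&c, 0x11111111);               /* callee prologue: push esi (saved value constructed) */
    push32(&c, 0x22222222);               /*                  push edi */
    /* mov edi,[esp+0C]: two saved registers (8) + return address (4) sit above the argument */
    t.arg_seen = read32(&c, c.esp + 0x0C);
    (void)pop32(&c);                      /* pop edi */
    (void)pop32(&c);                      /* pop esi */
    do_ret(&c, 4);                        /* ret 0004 */

    t.ret_read_addr = c.last_read_addr;   /* set by the pop inside do_ret */
    t.esp_after = c.esp;
    t.eip_after = c.eip;
    return t;
}

int main(void) {
    trace_t t = run_stdcall_example();
    printf("arg slot %u, ret read slot %u, esp %u -> %u, resumes at %08X, arg seen %08X\n",
           t.arg_addr, t.ret_read_addr, t.esp_before, t.esp_after, t.eip_after, t.arg_seen);
    return 0;
}
```

The check to take from it: the address ret reads is the return-address slot four bytes below the argument, and esp returns to exactly the caller's value because the 0004 accounts for the argument the caller pushed. A ret with a different immediate, or a plain ret after a caller-cleanup call, would leave esp somewhere else, which is a quick way to sanity-check the calling convention of a function you are reading.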
gir489 Grandmaster Cheater Reputation: 14
Joined: 03 Jan 2012 Posts: 835 Location: Maryland, United States
Posted: Fri Jul 10, 2015 4:48 pm Post subject:
There might be a delay between the time the debugger's exception is thrown and the time EIP is read.
Use VEH for reliability.