Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Calling .NET function CompareString

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine
View previous topic :: View next topic  
Author Message
Redouane
Master Cheater
Reputation: 3

Joined: 05 Sep 2013
Posts: 363
Location: Algeria
PostPosted: Mon Mar 28, 2016 9:14 am    Post subject: Calling .NET function CompareString Reply with quote
The function: Microsoft.VisualBasic.CompilerServices.Operators::CompareString takes 3 arguments, first 2 are strings, 3rd is the case-sensivity flag.

While trying to do a crack me, I found a call to that function that compares my serial with the correct one (tried faking eax after the call, and got the "win" message), now I want to get the two strings that are being compared.

From what I see, the calling convention is possibly __fastcall (ecx and edx are set before the function is called), but when I set a breakpoint just before the function call, I don't get a valid string in ecx/edx (even tried with unicode), also tried [esp+4] and [esp+8] and no valid strings in them.

Does anyone know how the string arguments are passed to that function?

Thanks.

PAD1.png
 Description:
 Filesize:  3.02 KB
 Viewed:  4538 Time(s)

PAD1.png
dbg.png
 Description:
 Filesize:  14.74 KB
 Viewed:  4538 Time(s)

dbg.png
Back to top
View user's profile Send private message
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278
PostPosted: Mon Mar 28, 2016 11:15 am    Post subject: Reply with quote
Use the value of ECX/EDX as a pointer instead and check the values around there.
For example, if ECX equals 0x12345678, browse the memory at "[12345678]" (with brackets).

After the original mov edx,[address] just simply try: mov ecx,edx
Back to top
View user's profile Send private message
Redouane
Master Cheater
Reputation: 3

Joined: 05 Sep 2013
Posts: 363
Location: Algeria
PostPosted: Mon Mar 28, 2016 1:24 pm    Post subject: Reply with quote
Zanzer wrote:
Use the value of ECX/EDX as a pointer instead and check the values around there.
For example, if ECX equals 0x12345678, browse the memory at "[12345678]" (with brackets).

After the original mov edx,[address] just simply try: mov ecx,edx


Found it, here is the block that ecx points to: <picture> (the string isn't at the beginning of the block of data).

ECX.png
 Description:
 Filesize:  1.52 KB
 Viewed:  4511 Time(s)

ECX.png
Back to top
View user's profile Send private message
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278
PostPosted: Mon Mar 28, 2016 1:52 pm    Post subject: Reply with quote
Right.
I believe the first 4 bytes represent a pointer to the String class itself (don't quote me).
The next 4 bytes are the string's length. Followed up by the string's char array.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites