Cheat Engine

Hatschi · Posted: Fri Jan 27, 2017 9:38 am Post subject: [AA] CreateThread with parameter

How to use createthread in AA including a parameter (same as you do on the GUI in memory viewer).

I've expected a workaround something like

mov eax,004000 //parameter
push eax
call 00F0000 //function
ret

But it crashes. If I enter the address and the parameter in the GUI it works fine.

Would be nice if we could use it like

createthread(00F000, 004000)

in the future.

Dark Byte · Posted: Fri Jan 27, 2017 11:33 am Post subject:

use ret 4 in the function

Hatschi · Posted: Fri Jan 27, 2017 11:38 am Post subject:

Thank you. Can you explain the difference? What does ret 4 do and why is it required at this time?

Dark Byte · Posted: Fri Jan 27, 2017 12:05 pm Post subject:

ret 4 will return to the return address and increase esp with an additional 4 (it pops the value you pushed off the stack)

that way your final ret will jump to the correct address (else it'd jump to the value you gave as parameter)

Hatschi · Posted: Fri Jan 27, 2017 12:34 pm Post subject:

Ah that makes sense, thank you for explaining.

Hatschi · Posted: Thu Feb 02, 2017 1:45 pm Post subject:

And what do I do if I push two parameters?

push eax
push esi
call 12345
ret 4

Dark Byte · Posted: Thu Feb 02, 2017 2:01 pm Post subject:

have ret 8 at the end of the function at 12345

SunBeam · Posted: Thu Feb 02, 2017 2:26 pm Post subject:

Hi Hatschi. You may want to read this as well: https://en.wikipedia.org/wiki/X86_calling_conventions. The difference between stdcall/cdecl.

Hatschi · Posted: Thu Feb 02, 2017 3:37 pm Post subject:

I've tried ret 8 as expected but it crashed as well.
However when I use:

add esp,10
sub esp,8
ret

it works fine.

//edit: Thanks Sunbeam, the site contains useful examples.

SunBeam · Posted: Thu Feb 02, 2017 9:45 pm Post subject:

You're supposed to put the "ret 8" inside the function the CALL points to. Not outside of it:

push eax // this means esp+4
push esi // this means esp+4+4 = esp+8
call MyFunction
ret

MyFunction:
{ do stuff }
ret 8 <- you put it here

STN · Posted: Thu Feb 02, 2017 11:56 pm Post subject:

The easiest way to understand this is debug it and look at stack. Use full stack option in CE, ollydbg gives more info but you can use CE too

add esp,10
sub esp,8
ret

could do add esp, 8 instead

SunBeam · Posted: Fri Feb 03, 2017 5:59 am Post subject:

In the end, it's all about cdecl/stdcall conventions..

Hatschi · Posted: Sat Feb 04, 2017 12:26 pm Post subject:

But I call a game function, I can't put ret8 to the end of it. The ingame functions only ends with a simple "ret".
It looks like this:

Dark Byte · Posted: Sat Feb 04, 2017 1:27 pm Post subject:

then it's probably cdecl (or fastcall, but assume cdecl)
in that case just put "add esp,8" after the call (assuming the function takes 2 parameters)

Hatschi · Posted: Sun Feb 05, 2017 4:11 am Post subject:

When calling the function within another function which is accessed by the game itself, it works very well.
But when calling it by a self-created thread it fails.

Another thing I don't understand. When I set the BP to the first opcode of the function I want to call and then either use the CreateThread GUI menu item or an AA script, the BP is never hit although the function was called. What's the reason for this?