Executing a referenced function

pears
Posted: Tue Sep 10, 2019 8:21 pm    Post subject: Executing a referenced function

Hello,

I am looking for ways to execute a referenced function in a game I have attached to. I actually have a PDB for the game, and can load it into CE so I am able to find the address of the start of a function, and would like to be able to execute a function the game has created after pressing a button or some other event.

Is this possible to do? I am still new to CE.

Thank you,
pears
atom0s
Moderator
Posted: Wed Sep 11, 2019 1:52 pm

Yes, it is possible. You can do it using the 'createthread' feature of the auto-assembler engine.

You can write out the functionality in a few different ways but generally the result is the same.

For example, here is a way that when you check and uncheck the cheat script entry in your cheat list, it will invoke the function:

Code:

[ENABLE]
[DISABLE]
createthread(callGameFunction)
callGameFunction:
    mov ecx, [playerPointer]     // See note 1.
    call SomeGameFunctionAddress // See note 2.
    ret


Note 1: playerPointer here comes from another script that makes a global variable that can be accessed by other scripts. This setup is calling a class function (__thiscall convention).

Note 2: You can use the raw function name if symbols are available, or the exact address for the function. If the function moves (i.e. it's in a module or similar) you can use the symbol information to make the proper call as needed.

If your goal is to add this to a button on a UI, you can do similar with the functionality in Lua.

Here are two examples I made when CE first added Lua scripting that you can check out. Some of the Lua stuff has changed/gotten a lot better since then though, so that exact code may not work now, but still should get you the general idea.

https://forum.cheatengine.org/viewtopic.php?t=530117
https://forum.cheatengine.org/viewtopic.php?t=530047

_________________
- Retired.
Dark Byte
Site Admin
Posted: Wed Sep 11, 2019 2:14 pm

executeCodeEx/executeMethod
Code:

 executeCodeEx(callmethod, timeout, address, {type=x,value=param1} or param1,{type=x,value=param2} or param2,...)
callmethod: 0=stdcall, 1=cdecl
  timeout: Number of milliseconds to wait for a result. nil or -1, infinitely. 0 is no wait (will not free the call memory, so beware of its memory leak)
  address: Address to execute
  {type,value} : Table containing the value type, and the value
    {
    type: 0=integer (32/64bit) can also be a pointer
          1=float (32-bit float)
          2=double (64-bit float)
          3=ascii string (will get converted to a pointer to that string)
          4=wide string (will get converted to a pointer to that string)
     
    value: any base type that lua can interpret
    }
  if just a param is provided CE will guess the type based on the provided value

executeMethod(callmethod, timeout, address, {regnr=0..15,classinstance=xxxxxxxx} or classinstance, {type=x,value=param1} or param1, {type=x,value=param2} or param2,...) - Executes a method.
  regnr can be:
    0: R/EAX
    1: R/ECX
    2: R/EDX
    3: R/EBX
    4: R/ESP
    5: R/EBP
    6: R/ESI
    7: R/EDI
    8: R8
    9: R9
    10: R10
    11: R11
    12: R12
    13: R13
    14: R14
    15: R15

  If no register number is provided then ECX(1) is picked
  If instance is nil it is the same as executeCodeEx

  If a direct parameter is given instead of a table entry describing the type, CE will 'guess' the type it is

  Returns the E/RAX value returned by the called function (if no timeout or other interruption)


_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
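As an added example (not code from this thread, and not Cheat Engine's own sample code), here is how the two Lua calls documented above can be wired to a button, which is what the original question asked for. It uses the CE Lua functions createForm, createButton, getAddressSafe, readPointer and getOpenedProcessID as I know them; the two symbol strings, the timeout and the sample parameter values are placeholders I made up and must be replaced with the symbols from your own PDB. The checks around the call are there because the two failure modes a practitioner hits first are an unresolved symbol and a null object pointer, and executeMethod will happily dereference garbage in the target process.

```lua
-- Added example: call a __thiscall game method and a plain cdecl function
-- from a CE form button. All symbol names below are PLACEHOLDERS.
local GAME_METHOD_SYMBOL    = "Game.exe+0"   -- placeholder: method address/symbol from the PDB
local PLAYER_POINTER_SYMBOL = "Game.exe+0"   -- placeholder: where the object ('this') pointer is stored
local FREE_FUNCTION_SYMBOL  = "Game.exe+0"   -- placeholder: a cdecl function taking a C string
local CALL_TIMEOUT_MS       = 1000           -- never 0 here: 0 leaks the call memory (see the docs above)

-- Resolve a symbol to an address, or return nil with a message instead of raising.
local function resolve(symbol)
  local addr = getAddressSafe(symbol)
  if addr == nil then
    print("Could not resolve '" .. symbol .. "'; is the PDB loaded and the process attached?")
  end
  return addr
end

-- Invoke a class method: ECX (regnr 1) carries the instance, one integer parameter follows.
-- callmethod 0 = stdcall, which matches __thiscall callee cleanup on 32-bit targets.
local function callGameMethod()
  if getOpenedProcessID() == 0 then
    print("No process attached")
    return nil
  end
  local fn      = resolve(GAME_METHOD_SYMBOL)
  local ptrAddr = resolve(PLAYER_POINTER_SYMBOL)
  if fn == nil or ptrAddr == nil then return nil end

  local instance = readPointer(ptrAddr)
  if instance == nil or instance == 0 then
    print("Player pointer is null; the object does not exist yet")
    return nil
  end

  local result = executeMethod(0, CALL_TIMEOUT_MS, fn,
                               {regnr = 1, classinstance = instance},
                               {type = 0, value = 1})   -- constructed sample parameter
  print(string.format("method returned E/RAX = %s", tostring(result)))
  return result
end

-- Invoke a free function with a C string argument: type 3 makes CE copy the
-- string into the target and pass a pointer to it. callmethod 1 = cdecl.
local function callFreeFunction()
  if getOpenedProcessID() == 0 then
    print("No process attached")
    return nil
  end
  local fn = resolve(FREE_FUNCTION_SYMBOL)
  if fn == nil then return nil end
  local result = executeCodeEx(1, CALL_TIMEOUT_MS, fn, {type = 3, value = "hello"})
  print(string.format("function returned E/RAX = %s", tostring(result)))
  return result
end

-- Minimal UI: one form, two buttons. The handlers run when the buttons are clicked.
local form = createForm(true)
form.Caption = "Call game function"
form.Width, form.Height = 220, 90

local methodButton = createButton(form)
methodButton.Caption = "Call method"
methodButton.Left, methodButton.Top, methodButton.Width = 10, 10, 200
methodButton.OnClick = callGameMethod

local freeButton = createButton(form)
freeButton.Caption = "Call free function"
freeButton.Left, freeButton.Top, freeButton.Width = 10, 45, 200
freeButton.OnClick = callFreeFunction
```

Two things to keep in mind when using this: executeMethod and executeCodeEx run the call on a thread CE creates inside the target, with no synchronization against the game's own threads, so calling code that touches shared state while the game is mid-frame can crash the process; and a non-zero timeout is what lets CE free the call memory, so only use 0 if you accept the leak the documentation above warns about.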