Cheat Engine The Official Site of Cheat Engine
molawew How do I cheat? Reputation: 0
Joined: 04 Jan 2018 Posts: 6
Posted: Wed Feb 07, 2018 8:42 am Post subject: Calling a function
I'd really appreciate some help. I'm playing an offline game and I'm trying to call a function that generates textures.
I found the function. It is not frequently called by the game, only when there's some texture update, which isn't too often. And I found out that I can use it (the way I do below) without crashing only at a specific time. What I do is put a breakpoint on the function call and edit EBX and EDX, incrementing them by 1.
In the following picture (remove the space, the forum won't let me link images) is how the registers are when there's no texture appearing when the high poly loads:
Code: | i.imgur. com/DL5kTUg.png |
So I edit EBX and EDX to be +1, and the texture I want appears. Make it +2, and another more complex variant of the texture appears. Goes up to +3. I should note that it is actually editing EDX that makes the texture appear; I can omit changing EBX and the texture will still appear, and the game won't crash.
The function is the one in the screenshot below where I put a breakpoint.
Code: | i.imgur. com/1DIRN88.png |
How would I go about calling this function? Thanks in advance.
Last edited by molawew on Wed Feb 07, 2018 11:00 am; edited 1 time in total
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Wed Feb 07, 2018 9:10 am Post subject:
You'll have to inspect the called instructions and see what it is using and needs. If you are currently just using an injection to change EBX and EDX to +1 of its current value, then it looks like the "DL" registry is where it might be looking based on the image http://i.imgur.com/1DIRN88.png and "editing EDX makes the texture appear". So based on this image http://i.imgur.com/DL5kTUg.png, it looks like in the injection this would work too.
Code: |
mov dl,1
call "AA2Play....
|
But ultimately you will then use some allocated memory and createThread to set up the parameters and call the function.
Code: |
alloc(memThread,1024) // the auto-assembler alloc command takes the size in bytes as its second parameter
memThread:
//... set whatever else you find the function needs.
mov dl,1
mov eax,3
push edi // edi seems to be an address; not sure if the function will use it or if this is just stored before the call.
// But you will have to set it as needed or push the value needed onto the stack
call "AA2Play...
ret
createThread(memThread)
|
molawew How do I cheat? Reputation: 0
Joined: 04 Jan 2018 Posts: 6
Posted: Wed Feb 07, 2018 10:41 am Post subject:
Thanks for replying.
I made a mistake in the original post, the function is bigger, sorry about that. Here it is:
Code: | i.imgur. com/J7kJx6l.png |
I believe it should take at least 3 arguments. First should be whether it's doing +1 to ebx/edx, or +2 or +3, or +0 (no special texture), since that results in different textures. Second argument should be related to the character that it is applying the texture to. And third argument should be which texture is being applied. (although this could be edx/ebx?). This same function is called every time any texture update is made, so I'm guessing something must specify which texture it should be, to what character it should be applied, and what stage (+0 to +3).
EDIT: Also I should note that I don't make registers be 1. I make EDX and EBX be EDX+1, and EBX+1. I increase it by 1.
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Wed Feb 07, 2018 12:00 pm Post subject:
That's part of what you need, but use "Follow" (right click the instruction) to see what the function is doing. There must be a pointer for the texture or texture set. A "Break and Trace" before the CALL instruction (using a conditional breakpoint if the instruction is shared) would be better.
It depends on where and if you are injecting. But if the function uses the DL registry (which is a guess) and just before the call you add 1 to (http://i.imgur.com/DL5kTUg.png) the EDX registry 06D59B00, this will result in 06D59B01 in the EDX registry, and DL is the lower byte of the DX registry, and DX is the lower word (2 bytes) of the EDX registry (dword / 4 bytes). Then the parameter might be 1 or whatever you add, but this is just a guess as I have not seen the function itself.
http://wiki.cheatengine.org/index.php?title=Assembler#Structure
molawew How do I cheat? Reputation: 0
Joined: 04 Jan 2018 Posts: 6
Posted: Wed Feb 07, 2018 12:33 pm Post subject:
I followed the function it was calling at that breakpoint. It's fairly big.
Code: |
AA2Play v12 FP v1.40a.exe+151EC0 - 8B 4C 24 04 - mov ecx,[esp+04]
AA2Play v12 FP v1.40a.exe+151EC4 - 83 EC 0C - sub esp,0C { 12 }
AA2Play v12 FP v1.40a.exe+151EC7 - 53 - push ebx
AA2Play v12 FP v1.40a.exe+151EC8 - 55 - push ebp
AA2Play v12 FP v1.40a.exe+151EC9 - 8B 6C 24 1C - mov ebp,[esp+1C]
AA2Play v12 FP v1.40a.exe+151ECD - 56 - push esi
AA2Play v12 FP v1.40a.exe+151ECE - 57 - push edi
AA2Play v12 FP v1.40a.exe+151ECF - 85 C0 - test eax,eax
AA2Play v12 FP v1.40a.exe+151ED1 - 0F8C 7F010000 - jl "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151ED7 - 83 FD 06 - cmp ebp,06 { 00000006 }
AA2Play v12 FP v1.40a.exe+151EDA - 0F87 76010000 - ja "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151EE0 - 8A DA - mov bl,dl
AA2Play v12 FP v1.40a.exe+151EE2 - FE CB - dec bl
AA2Play v12 FP v1.40a.exe+151EE4 - 80 FB 02 - cmp bl,02 { 2 }
AA2Play v12 FP v1.40a.exe+151EE7 - 0F87 69010000 - ja "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151EED - 8D 34 C5 00000000 - lea esi,[eax*8+00000000]
AA2Play v12 FP v1.40a.exe+151EF4 - 2B F0 - sub esi,eax
AA2Play v12 FP v1.40a.exe+151EF6 - 8D 44 AD 0F - lea eax,[ebp+ebp*4+0F]
AA2Play v12 FP v1.40a.exe+151EFA - 8D 3C C1 - lea edi,[ecx+eax*8]
AA2Play v12 FP v1.40a.exe+151EFD - 0FB6 C2 - movzx eax,dl
AA2Play v12 FP v1.40a.exe+151F00 - 8D 9C F1 90010000 - lea ebx,[ecx+esi*8+00000190]
AA2Play v12 FP v1.40a.exe+151F07 - 8B 74 87 0C - mov esi,[edi+eax*4+0C]
AA2Play v12 FP v1.40a.exe+151F0B - C7 44 24 24 00000000 - mov [esp+24],00000000 { 0 }
AA2Play v12 FP v1.40a.exe+151F13 - 85 F6 - test esi,esi
AA2Play v12 FP v1.40a.exe+151F15 - 0F84 3B010000 - je "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151F1B - 8B 53 04 - mov edx,[ebx+04]
AA2Play v12 FP v1.40a.exe+151F1E - 85 D2 - test edx,edx
AA2Play v12 FP v1.40a.exe+151F20 - 0F84 30010000 - je "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151F26 - 83 7C 87 18 00 - cmp dword ptr [edi+eax*4+18],00 { 0 }
AA2Play v12 FP v1.40a.exe+151F2B - 0F84 25010000 - je "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151F31 - 83 FD 06 - cmp ebp,06 { 00000006 }
AA2Play v12 FP v1.40a.exe+151F34 - 0F85 96000000 - jne "AA2Play v12 FP v1.40a.exe"+151FD0 { ->AA2Play v12 FP v1.40a.exe+151FD0 }
AA2Play v12 FP v1.40a.exe+151F3A - 8B 41 04 - mov eax,[ecx+04]
AA2Play v12 FP v1.40a.exe+151F3D - D9E8 - fld1
AA2Play v12 FP v1.40a.exe+151F3F - 8A 80 2BD30000 - mov al,[eax+0000D32B]
AA2Play v12 FP v1.40a.exe+151F45 - D9 05 8418EB00 - fld dword ptr ["AA2Play v12 FP v1.40a.exe"+311884] { [0.50] }
AA2Play v12 FP v1.40a.exe+151F4B - 84 C0 - test al,al
AA2Play v12 FP v1.40a.exe+151F4D - 74 04 - je "AA2Play v12 FP v1.40a.exe"+151F53 { ->AA2Play v12 FP v1.40a.exe+151F53 }
AA2Play v12 FP v1.40a.exe+151F4F - D9C0 - fld st(0)
AA2Play v12 FP v1.40a.exe+151F51 - EB 02 - jmp "AA2Play v12 FP v1.40a.exe"+151F55 { ->AA2Play v12 FP v1.40a.exe+151F55 }
AA2Play v12 FP v1.40a.exe+151F53 - D9C1 - fld st(1)
AA2Play v12 FP v1.40a.exe+151F55 - 84 C0 - test al,al
AA2Play v12 FP v1.40a.exe+151F57 - 74 04 - je "AA2Play v12 FP v1.40a.exe"+151F5D { ->AA2Play v12 FP v1.40a.exe+151F5D }
AA2Play v12 FP v1.40a.exe+151F59 - DDDA - fstp st(2)
AA2Play v12 FP v1.40a.exe+151F5B - EB 04 - jmp "AA2Play v12 FP v1.40a.exe"+151F61 { ->AA2Play v12 FP v1.40a.exe+151F61 }
AA2Play v12 FP v1.40a.exe+151F5D - DDD9 - fstp st(1)
AA2Play v12 FP v1.40a.exe+151F5F - D9C9 - fxch st(1)
AA2Play v12 FP v1.40a.exe+151F61 - D9 47 04 - fld dword ptr [edi+04]
AA2Play v12 FP v1.40a.exe+151F64 - 8B 52 58 - mov edx,[edx+58]
AA2Play v12 FP v1.40a.exe+151F67 - D9 7C 24 24 - fnstcw [esp+24]
AA2Play v12 FP v1.40a.exe+151F6B - 0FB7 44 24 24 - movzx eax,word ptr [esp+24]
AA2Play v12 FP v1.40a.exe+151F70 - DECA - fmulp st(2),st(0)
AA2Play v12 FP v1.40a.exe+151F72 - 0D 000C0000 - or eax,0C00 { 3072 }
AA2Play v12 FP v1.40a.exe+151F77 - D9C9 - fxch st(1)
AA2Play v12 FP v1.40a.exe+151F79 - 89 44 24 20 - mov [esp+20],eax
AA2Play v12 FP v1.40a.exe+151F7D - D9 6C 24 20 - fldcw [esp+20]
AA2Play v12 FP v1.40a.exe+151F81 - DF 7C 24 10 - fistp qword ptr [esp+10]
AA2Play v12 FP v1.40a.exe+151F85 - 8B 44 24 10 - mov eax,[esp+10]
AA2Play v12 FP v1.40a.exe+151F89 - 50 - push eax
AA2Play v12 FP v1.40a.exe+151F8A - D9 6C 24 28 - fldcw [esp+28]
AA2Play v12 FP v1.40a.exe+151F8E - D8 0F - fmul dword ptr [edi]
AA2Play v12 FP v1.40a.exe+151F90 - D9 7C 24 28 - fnstcw [esp+28]
AA2Play v12 FP v1.40a.exe+151F94 - 0FB7 44 24 28 - movzx eax,word ptr [esp+28]
AA2Play v12 FP v1.40a.exe+151F99 - 0D 000C0000 - or eax,0C00 { 3072 }
AA2Play v12 FP v1.40a.exe+151F9E - 89 44 24 24 - mov [esp+24],eax
AA2Play v12 FP v1.40a.exe+151FA2 - D9 6C 24 24 - fldcw [esp+24]
AA2Play v12 FP v1.40a.exe+151FA6 - DF 7C 24 14 - fistp qword ptr [esp+14]
AA2Play v12 FP v1.40a.exe+151FAA - 8B 44 24 14 - mov eax,[esp+14]
AA2Play v12 FP v1.40a.exe+151FAE - 50 - push eax
AA2Play v12 FP v1.40a.exe+151FAF - 8B 46 08 - mov eax,[esi+08]
AA2Play v12 FP v1.40a.exe+151FB2 - 8B 73 18 - mov esi,[ebx+18]
AA2Play v12 FP v1.40a.exe+151FB5 - D9 6C 24 2C - fldcw [esp+2C]
AA2Play v12 FP v1.40a.exe+151FB9 - 8B 78 58 - mov edi,[eax+58]
AA2Play v12 FP v1.40a.exe+151FBC - 8B 41 18 - mov eax,[ecx+18]
AA2Play v12 FP v1.40a.exe+151FBF - 56 - push esi
AA2Play v12 FP v1.40a.exe+151FC0 - 52 - push edx
AA2Play v12 FP v1.40a.exe+151FC1 - E8 AA51FAFF - call "AA2Play v12 FP v1.40a.exe"+F7170 { ->AA2Play v12 FP v1.40a.exe+F7170 }
AA2Play v12 FP v1.40a.exe+151FC6 - 5F - pop edi
AA2Play v12 FP v1.40a.exe+151FC7 - 5E - pop esi
AA2Play v12 FP v1.40a.exe+151FC8 - 5D - pop ebp
AA2Play v12 FP v1.40a.exe+151FC9 - 5B - pop ebx
AA2Play v12 FP v1.40a.exe+151FCA - 83 C4 0C - add esp,0C { 12 }
AA2Play v12 FP v1.40a.exe+151FCD - C2 0800 - ret 0008 { 00000008 }
AA2Play v12 FP v1.40a.exe+151FD0 - A1 2067F400 - mov eax,["AA2Play v12 FP v1.40a.exe"+3A6720] { [084A7020] }
AA2Play v12 FP v1.40a.exe+151FD5 - 8B 08 - mov ecx,[eax]
AA2Play v12 FP v1.40a.exe+151FD7 - 8B 91 A4000000 - mov edx,[ecx+000000A4]
AA2Play v12 FP v1.40a.exe+151FDD - 50 - push eax
AA2Play v12 FP v1.40a.exe+151FDE - FF D2 - call edx
AA2Play v12 FP v1.40a.exe+151FE0 - 85 C0 - test eax,eax
AA2Play v12 FP v1.40a.exe+151FE2 - 7D 06 - jnl "AA2Play v12 FP v1.40a.exe"+151FEA { ->AA2Play v12 FP v1.40a.exe+151FEA }
AA2Play v12 FP v1.40a.exe+151FE4 - 89 44 24 24 - mov [esp+24],eax
AA2Play v12 FP v1.40a.exe+151FE8 - EB 39 - jmp "AA2Play v12 FP v1.40a.exe"+152023 { ->AA2Play v12 FP v1.40a.exe+152023 }
AA2Play v12 FP v1.40a.exe+151FEA - 8B 43 04 - mov eax,[ebx+04]
AA2Play v12 FP v1.40a.exe+151FED - 8B 40 58 - mov eax,[eax+58]
AA2Play v12 FP v1.40a.exe+151FF0 - E8 BB6A0700 - call "AA2Play v12 FP v1.40a.exe"+1C8AB0 { ->AA2Play v12 FP v1.40a.exe+1C8AB0 }
AA2Play v12 FP v1.40a.exe+151FF5 - 85 C0 - test eax,eax
AA2Play v12 FP v1.40a.exe+151FF7 - 7D 06 - jnl "AA2Play v12 FP v1.40a.exe"+151FFF { ->AA2Play v12 FP v1.40a.exe+151FFF }
AA2Play v12 FP v1.40a.exe+151FF9 - 89 44 24 24 - mov [esp+24],eax
AA2Play v12 FP v1.40a.exe+151FFD - EB 24 - jmp "AA2Play v12 FP v1.40a.exe"+152023 { ->AA2Play v12 FP v1.40a.exe+152023 }
AA2Play v12 FP v1.40a.exe+151FFF - E8 EC0E0C00 - call "AA2Play v12 FP v1.40a.exe"+212EF0 { ->AA2Play v12 FP v1.40a.exe+212EF0 }
AA2Play v12 FP v1.40a.exe+152004 - D9 47 08 - fld dword ptr [edi+08]
AA2Play v12 FP v1.40a.exe+152007 - D9 5E 14 - fstp dword ptr [esi+14]
AA2Play v12 FP v1.40a.exe+15200A - 56 - push esi
AA2Play v12 FP v1.40a.exe+15200B - D9 47 0C - fld dword ptr [edi+0C]
AA2Play v12 FP v1.40a.exe+15200E - D9 5E 18 - fstp dword ptr [esi+18]
AA2Play v12 FP v1.40a.exe+152011 - E8 1A1B0C00 - call "AA2Play v12 FP v1.40a.exe"+213B30 { ->AA2Play v12 FP v1.40a.exe+213B30 }
AA2Play v12 FP v1.40a.exe+152016 - 83 C4 04 - add esp,04 { 00000004 }
AA2Play v12 FP v1.40a.exe+152019 - E8 72200C00 - call "AA2Play v12 FP v1.40a.exe"+214090 { ->AA2Play v12 FP v1.40a.exe+214090 }
AA2Play v12 FP v1.40a.exe+15201E - E8 1D100C00 - call "AA2Play v12 FP v1.40a.exe"+213040 { ->AA2Play v12 FP v1.40a.exe+213040 }
AA2Play v12 FP v1.40a.exe+152023 - E8 386F0700 - call "AA2Play v12 FP v1.40a.exe"+1C8F60 { ->AA2Play v12 FP v1.40a.exe+1C8F60 }
AA2Play v12 FP v1.40a.exe+152028 - 85 C0 - test eax,eax
AA2Play v12 FP v1.40a.exe+15202A - 7D 04 - jnl "AA2Play v12 FP v1.40a.exe"+152030 { ->AA2Play v12 FP v1.40a.exe+152030 }
AA2Play v12 FP v1.40a.exe+15202C - 89 44 24 24 - mov [esp+24],eax
AA2Play v12 FP v1.40a.exe+152030 - A1 2067F400 - mov eax,["AA2Play v12 FP v1.40a.exe"+3A6720] { [084A7020] }
AA2Play v12 FP v1.40a.exe+152035 - 8B 08 - mov ecx,[eax]
AA2Play v12 FP v1.40a.exe+152037 - 8B 91 A8000000 - mov edx,[ecx+000000A8]
AA2Play v12 FP v1.40a.exe+15203D - 50 - push eax
AA2Play v12 FP v1.40a.exe+15203E - FF D2 - call edx
AA2Play v12 FP v1.40a.exe+152040 - 85 C0 - test eax,eax
AA2Play v12 FP v1.40a.exe+152042 - 7D 04 - jnl "AA2Play v12 FP v1.40a.exe"+152048 { ->AA2Play v12 FP v1.40a.exe+152048 }
AA2Play v12 FP v1.40a.exe+152044 - 89 44 24 24 - mov [esp+24],eax
AA2Play v12 FP v1.40a.exe+152048 - 8B 44 24 24 - mov eax,[esp+24]
AA2Play v12 FP v1.40a.exe+15204C - 5F - pop edi
AA2Play v12 FP v1.40a.exe+15204D - 5E - pop esi
AA2Play v12 FP v1.40a.exe+15204E - 5D - pop ebp
AA2Play v12 FP v1.40a.exe+15204F - 5B - pop ebx
AA2Play v12 FP v1.40a.exe+152050 - 83 C4 0C - add esp,0C { 12 }
AA2Play v12 FP v1.40a.exe+152053 - C2 0800 - ret 0008 { 00000008 }
AA2Play v12 FP v1.40a.exe+152056 - 5F - pop edi
AA2Play v12 FP v1.40a.exe+152057 - 5E - pop esi
AA2Play v12 FP v1.40a.exe+152058 - 5D - pop ebp
AA2Play v12 FP v1.40a.exe+152059 - B8 05400080 - mov eax,80004005 { -2147467259 }
AA2Play v12 FP v1.40a.exe+15205E - 5B - pop ebx
AA2Play v12 FP v1.40a.exe+15205F - 83 C4 0C - add esp,0C { 12 }
AA2Play v12 FP v1.40a.exe+152062 - C2 0800 - ret 0008 { 00000008 }
|
I did a trace and break on the instruction where I previously put a breakpoint. I also put a breakpoint right before it and edited EDX and EBX to be +1. Here's the file:
Code: | pastebin. com/TF04UJWA |
These are a bit large. Thank you for your time.
EDIT:
I dug around a bit more in the function called.
Code: | i.imgur. com /pJrkP0s.png |
This function is called multiple times during high poly load. In a normal scenario, it's called 4 times, while in the scenario where special textures show up, it is called 7 times (it is on the 7th time that it calls for the texture).
The first breakpoint is where the function starts. The roughly marked jl instruction is the last place where EDX has the value it originally had. I can make a breakpoint on this jl and increment it by 1 on the 7th time (when the special event that calls it 7 times happens) and the texture will show up. Otherwise, it's called 5 times and incrementing it by 1 (even if I do it every time it hits it) won't have any effect.
I believe the second breakpoint is where it checks for something, and decides whether to add the texture or not.
Would it be worthwhile to try hooking onto this function that seems to be called on every high poly load and editing it from there, if such a thing is possible at all?
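An added example, not part of this thread and not code from the game or from Cheat Engine: a small Python script that parses lines in the disassembly format pasted above and models the three guard checks at the top of the listing (+151ECF through +151EE7). Every conditional jump in that prologue lands at +152056, which loads 80004005 into EAX (the COM HRESULT E_FAIL) and returns, so the body only runs when EAX is non-negative as a signed dword, EBP is at most 6 unsigned, and DL minus 1, computed in 8 bits, is at most 2, which means DL must be 1, 2 or 3. That is the DL/DX/EDX sub-register point from the earlier reply made concrete: the screenshot's EDX of 06D59B00 has DL = 0 and would be rejected, while +1, +2 and +3 pass. That this is why exactly three stages appear is the example's own reading of the listing, not something the thread confirms. The listing lines embedded below are copied from the post; the function names and the sample register values are the example's own.

```python
import re

# Lines copied from the Cheat Engine disassembly listing posted above (a subset:
# the three prologue guards and the fail block's return-value instruction).
LISTING = """\
AA2Play v12 FP v1.40a.exe+151ECF - 85 C0 - test eax,eax
AA2Play v12 FP v1.40a.exe+151ED1 - 0F8C 7F010000 - jl "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151ED7 - 83 FD 06 - cmp ebp,06 { 00000006 }
AA2Play v12 FP v1.40a.exe+151EDA - 0F87 76010000 - ja "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151EE0 - 8A DA - mov bl,dl
AA2Play v12 FP v1.40a.exe+151EE2 - FE CB - dec bl
AA2Play v12 FP v1.40a.exe+151EE4 - 80 FB 02 - cmp bl,02 { 2 }
AA2Play v12 FP v1.40a.exe+151EE7 - 0F87 69010000 - ja "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+152059 - B8 05400080 - mov eax,80004005 { -2147467259 }
"""

FAIL_BLOCK = 0x152056   # every guard in the prologue jumps here
E_FAIL = 0x80004005     # the HRESULT the fail block loads into EAX

NOTE_RE = re.compile(r"\s*\{ (.*) \}$")           # trailing "{ ... }" annotation
TARGET_RE = re.compile(r"->.*\+([0-9A-Fa-f]+)$")  # "->module+offset" jump target


def parse_listing(text):
    """Parse 'module+offset - bytes - asm { note }' lines into dicts."""
    insns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        location, raw_bytes, rest = line.split(" - ", 2)
        module, _, offset = location.rpartition("+")
        asm, note = rest, None
        m = NOTE_RE.search(rest)
        if m:
            asm, note = rest[:m.start()].strip(), m.group(1)
        mnemonic, _, operands = asm.partition(" ")
        target = None
        if note:
            t = TARGET_RE.search(note)
            if t:
                target = int(t.group(1), 16)
        insns.append({
            "module": module, "offset": int(offset, 16), "bytes": raw_bytes,
            "mnemonic": mnemonic.lower(), "operands": operands, "target": target,
        })
    return insns


def find_guards(insns, fail_offset):
    """Return (compare, conditional jump) pairs whose jump lands in the fail block."""
    guards = []
    for i, ins in enumerate(insns):
        is_cond_jump = ins["mnemonic"].startswith("j") and ins["mnemonic"] != "jmp"
        if is_cond_jump and ins["target"] == fail_offset and i > 0:
            guards.append((insns[i - 1], ins))
    return guards


def prologue_accepts(eax, ebp, edx):
    """Model the three guards: True if control reaches the body, False if the
    function bails out to the fail block (EAX = E_FAIL)."""
    eax &= 0xFFFFFFFF
    ebp &= 0xFFFFFFFF
    edx &= 0xFFFFFFFF
    if eax & 0x80000000:        # test eax,eax / jl: signed-negative EAX fails
        return False
    if ebp > 6:                 # cmp ebp,06 / ja: unsigned compare
        return False
    dl = edx & 0xFF             # DL is the low byte of EDX
    bl = (dl - 1) & 0xFF        # dec bl wraps in 8 bits: DL=0 gives BL=0xFF
    return bl <= 2              # cmp bl,02 / ja


def accepted_dl_values():
    """Every DL byte the guards let through (EAX and EBP held valid)."""
    return [dl for dl in range(256) if prologue_accepts(0, 0, dl)]


def result_for(eax, ebp, edx):
    """EAX the caller gets back when the guards reject the call, else None (body runs)."""
    return None if prologue_accepts(eax, ebp, edx) else E_FAIL


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    for cmp_ins, jmp_ins in find_guards(insns, FAIL_BLOCK):
        print(f"+{cmp_ins['offset']:X}: {cmp_ins['mnemonic']} {cmp_ins['operands']}"
              f"  ->  {jmp_ins['mnemonic']} to +{jmp_ins['target']:X}")
    print("DL values that pass the guards:", accepted_dl_values())
    # The EDX value from the first screenshot and the +1..+3 edits from the post:
    for delta in range(4):
        edx = 0x06D59B00 + delta
        print(f"EDX={edx:08X} -> {'body runs' if prologue_accepts(0, 0, edx) else 'E_FAIL'}")
```

The parser only needs the three-field " - " layout Cheat Engine emits, so it can be pointed at the full listing above to pull out every jump into +152056; the guard model is deliberately limited to the prologue, because what the body does with ECX, EAX and the two stack arguments (the `ret 0008` shows the callee pops two dwords) is exactly what the Break and Trace suggested in the earlier reply is for.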