The Official Site of Cheat Engine
[AA] CreateThread with parameter
Hatschi
Master Cheater
Reputation: 2

Joined: 28 Jan 2010
Posts: 327

Posted: Fri Jan 27, 2017 9:38 am    Post subject: [AA] CreateThread with parameter

How do I use createthread in AA with a parameter (the same as you do in the GUI in the memory viewer)?

I expected a workaround something like

mov eax,004000 //parameter
push eax
call 00F0000 //function
ret

But it crashes. If I enter the address and the parameter in the GUI it works fine.

Would be nice if we could use it like

createthread(00F000, 004000)

in the future.
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Fri Jan 27, 2017 11:33 am

use ret 4 in the function
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Hatschi

Posted: Fri Jan 27, 2017 11:38 am

Thank you. Can you explain the difference? What does ret 4 do and why is it required at this time?
Dark Byte

Posted: Fri Jan 27, 2017 12:05 pm

ret 4 will return to the return address and increase esp by an additional 4 (it pops the value you pushed off the stack).

That way your final ret will jump to the correct address (else it'd jump to the value you gave as parameter).

Hatschi

Posted: Fri Jan 27, 2017 12:34 pm

Ah that makes sense, thank you for explaining.
Hatschi

Posted: Thu Feb 02, 2017 1:45 pm

And what do I do if I push two parameters?

push eax
push esi
call 12345
ret 4
Dark Byte

Posted: Thu Feb 02, 2017 2:01 pm

have ret 8 at the end of the function at 12345
SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4022
Location: Romania

Posted: Thu Feb 02, 2017 2:26 pm

Hi Hatschi. You may want to read this as well: https://en.wikipedia.org/wiki/X86_calling_conventions. The difference between stdcall/cdecl.
Hatschi

Posted: Thu Feb 02, 2017 3:37 pm

I've tried ret 8 as expected, but it crashed as well.
However, when I use:

add esp,10
sub esp,8
ret

it works fine.

//edit: Thanks Sunbeam, the site contains useful examples.
SunBeam

Posted: Thu Feb 02, 2017 9:45 pm

You're supposed to put the "ret 8" inside the function the CALL points to. Not outside of it:

push eax // this means esp+4
push esi // this means esp+4+4 = esp+8
call MyFunction
ret

MyFunction:
{ do stuff }
ret 8 <- you put it here
STN
I post too much
Reputation: 42

Joined: 09 Nov 2005
Posts: 2672

Posted: Thu Feb 02, 2017 11:56 pm

The easiest way to understand this is to debug it and look at the stack. Use the full stack option in CE; ollydbg gives more info, but you can use CE too.

add esp,10
sub esp,8
ret

could do add esp, 8 instead

_________________
Cheat Requests/Tables- Fearless Cheat Engine
https://fearlessrevolution.com
SunBeam

Posted: Fri Feb 03, 2017 5:59 am

In the end, it's all about cdecl/stdcall conventions..
Hatschi

Posted: Sat Feb 04, 2017 12:26 pm

But I call a game function; I can't put ret 8 at the end of it. The ingame function only ends with a simple "ret".
It looks like this:

Code:
055DF568 - push ebp
055DF569 - mov ebp,esp
055DF56B - push edi
055DF56C - push esi
055DF56D - mov esi,[ebp+08]
055DF570 - mov edi,[ebp+0C]
055DF573 - sub esp,08 { 8 }

....

055DF66A - lea esp,[ebp-08]
055DF66D - pop esi
055DF66E - pop edi
055DF66F - leave
055DF670 - ret


The function isn't called by the game, at least not while I play. I set a BP on it and tried to manually call it with the createthread but the breakpoint is never hit although the function was called by the thread.
Dark Byte

Posted: Sat Feb 04, 2017 1:27 pm

Then it's probably cdecl (or fastcall, but assume cdecl).
In that case just put "add esp,8" after the call (assuming the function takes 2 parameters).

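The stack behaviour discussed in this thread (Dark Byte's "ret 4" explanation, SunBeam's stdcall layout and the cdecl "add esp,8" advice above), shown with a small constructed C model of the x86 stack. This is an added example, not code from the thread or from Cheat Engine; THREAD_RETURN, AFTER_CALL and the two parameter values are assumed placeholders. It simulates the wrapper "push eax; push esi; call func; ret" and reports where the wrapper's final ret actually jumps for each cleanup style, including the mistaken "ret 8 in the wrapper" variant that still crashes.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model of the 32-bit x86 stack (added here; not code from the
 * thread or from Cheat Engine): each slot is one dword, esp is an index, and
 * the stack grows downward. THREAD_RETURN and AFTER_CALL are assumed values. */
#define STACK_WORDS   16
#define THREAD_RETURN 0x7C810000u   /* assumed: where the thread-start code expects us to return */
#define AFTER_CALL    0x00F00010u   /* assumed: the instruction following the wrapper's call */

typedef struct { uint32_t esp; uint32_t mem[STACK_WORDS]; } Stack;

static void     push(Stack *s, uint32_t v) { s->mem[--s->esp] = v; }
static uint32_t pop (Stack *s)             { return s->mem[s->esp++]; }

/* "ret N": pop the return address, then discard N more bytes of stack. */
static uint32_t ret_n(Stack *s, uint32_t n) {
    uint32_t target = pop(s);
    s->esp += n / 4;
    return target;
}

enum Cleanup { CLEANUP_NONE, CALLEE_RET8, CALLER_ADD_ESP8, WRAPPER_RET8 };

/* Simulates the wrapper "push eax; push esi; call func; ret" and returns the
 * address the wrapper's final ret actually jumps to for a given cleanup style. */
uint32_t wrapper_return_target(enum Cleanup c) {
    Stack s = { STACK_WORDS, {0} };
    push(&s, THREAD_RETURN);   /* on entry the caller's return address is on top */
    push(&s, 0x00004000u);     /* push eax  (parameter 1, constructed value) */
    push(&s, 0x00005000u);     /* push esi  (parameter 2, constructed value) */
    push(&s, AFTER_CALL);      /* call func: pushes the return address */

    /* func's body is omitted; it leaves esp as it found it. Its final ret is
     * "ret 8" if the callee is stdcall, a plain "ret" if it is cdecl. */
    (void)ret_n(&s, c == CALLEE_RET8 ? 8 : 0);

    if (c == CALLER_ADD_ESP8)
        s.esp += 2;            /* "add esp,8" after the call: cdecl caller cleanup */

    /* The wrapper's own ret; "ret 8" here is the mistake from the thread. */
    return ret_n(&s, c == WRAPPER_RET8 ? 8 : 0);
}

int main(void) {
    printf("no cleanup       -> %08x (a parameter, not a code address)\n", (unsigned)wrapper_return_target(CLEANUP_NONE));
    printf("callee ret 8     -> %08x\n", (unsigned)wrapper_return_target(CALLEE_RET8));
    printf("caller add esp,8 -> %08x\n", (unsigned)wrapper_return_target(CALLER_ADD_ESP8));
    printf("wrapper ret 8    -> %08x (same crash as no cleanup)\n", (unsigned)wrapper_return_target(WRAPPER_RET8));
    return 0;
}
```

Hatschi's "add esp,10 / sub esp,8" (hex 10 = 16 bytes) nets out to the same "add esp,8" as STN points out, so it lands in the CALLER_ADD_ESP8 case.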
Hatschi

Posted: Sun Feb 05, 2017 4:11 am

When calling the function within another function which is accessed by the game itself, it works very well.
But when calling it by a self-created thread it fails.

Another thing I don't understand. When I set the BP to the first opcode of the function I want to call and then either use the CreateThread GUI menu item or an AA script, the BP is never hit although the function was called. What's the reason for this?