Hatschi (Master Cheater, Reputation: 2, Joined: 28 Jan 2010, Posts: 327)
Posted: Fri Jan 27, 2017 9:38 am    Post subject: [AA] CreateThread with parameter

How do I use CreateThread in AA with a parameter (the same as you do in the GUI in the memory viewer)?
I expected a workaround something like

mov eax,004000 //parameter
push eax
call 00F0000 //function
ret

But it crashes. If I enter the address and the parameter in the GUI it works fine.
It would be nice if we could use it like

createthread(00F000, 004000)

in the future.

Dark Byte (Site Admin, Reputation: 457, Joined: 09 May 2003, Posts: 25262, Location: The Netherlands)
Posted: Fri Jan 27, 2017 11:33 am

use ret 4 in the function

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping

Hatschi (Master Cheater, Reputation: 2, Joined: 28 Jan 2010, Posts: 327)
Posted: Fri Jan 27, 2017 11:38 am

Thank you. Can you explain the difference? What does ret 4 do, and why is it required here?

Dark Byte (Site Admin, Reputation: 457, Joined: 09 May 2003, Posts: 25262, Location: The Netherlands)
Posted: Fri Jan 27, 2017 12:05 pm

ret 4 will return to the return address and increase esp by an additional 4 (it pops the value you pushed off the stack).
That way your final ret will jump to the correct address (otherwise it would jump to the value you gave as the parameter).

Hatschi (Master Cheater, Reputation: 2, Joined: 28 Jan 2010, Posts: 327)
Posted: Fri Jan 27, 2017 12:34 pm

Ah, that makes sense, thank you for explaining.

Hatschi (Master Cheater, Reputation: 2, Joined: 28 Jan 2010, Posts: 327)
Posted: Thu Feb 02, 2017 1:45 pm

And what do I do if I push two parameters?

push eax
push esi
call 12345
ret 4

Dark Byte (Site Admin, Reputation: 457, Joined: 09 May 2003, Posts: 25262, Location: The Netherlands)
Posted: Thu Feb 02, 2017 2:01 pm

have ret 8 at the end of the function at 12345

SunBeam (I post too much, Reputation: 65, Joined: 25 Feb 2005, Posts: 4022, Location: Romania)


Hatschi (Master Cheater, Reputation: 2, Joined: 28 Jan 2010, Posts: 327)
Posted: Thu Feb 02, 2017 3:37 pm

I tried ret 8 as expected, but it crashed as well.
However, when I use:

add esp,10
sub esp,8
ret

it works fine.
//edit: Thanks SunBeam, the site contains useful examples.

SunBeam (I post too much, Reputation: 65, Joined: 25 Feb 2005, Posts: 4022, Location: Romania)
Posted: Thu Feb 02, 2017 9:45 pm

You're supposed to put the "ret 8" inside the function the CALL points to, not outside of it:

push eax // this means esp+4
push esi // this means esp+4+4 = esp+8
call MyFunction
ret

MyFunction:
{ do stuff }
ret 8 <- you put it here

STN (I post too much, Reputation: 42, Joined: 09 Nov 2005, Posts: 2672)
Posted: Thu Feb 02, 2017 11:56 pm

The easiest way to understand this is to debug it and look at the stack. Use the full stack option in CE; OllyDbg gives more info, but you can use CE too.

add esp,10
sub esp,8
ret

could be add esp,8 instead
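The stack walk that Dark Byte (ret 4 pops the pushed value so the final ret lands on the right address) and STN (debug it and watch the stack; add esp,8 does the job) describe above, as an added example that is not part of the thread: a small Python model of the x86-32 stack that traces the stub `push ... / call ... / ret` for one and two parameters, with the callee ending in `ret N` (stdcall) or the stub doing `add esp,N` itself (cdecl), and shows where the stub's final `ret` lands when neither happens. All addresses and parameter values are made up, and the function body is not executed; only its epilogue matters for the stack.

```python
"""Trace what push / call / ret do to the x86-32 stack.

Added example, not from the thread: a toy model of the stack (4-byte slots,
growing downward, esp as the live pointer) that covers only push, call,
ret N and add esp,N. Every address and parameter value is made up, and the
game function's body is ignored: only its epilogue (`ret N`) matters here.
"""

BASE = 0x0019FF10                   # constructed: esp when the AA stub is entered
CALLER_RET = 0x7C810042             # constructed: return address the stub's caller pushed
STUB_AFTER_CALL = 0x00F00010        # constructed: address of the instruction after `call`
PARAMS = [0x00004000, 0x00005000]   # constructed: values pushed as parameters (eax, esi)
UNINIT = 0xCCCCCCCC                 # what the model returns for a slot nobody wrote


class Stack:
    def __init__(self, esp):
        self.esp = esp
        self.mem = {}
        self.log = []

    def push(self, value, what):
        self.esp -= 4
        self.mem[self.esp] = value
        self.log.append(f"push {what:<8}  esp={self.esp:08X}  [esp]={value:08X}")

    def add_esp(self, n, who):
        self.esp += n
        self.log.append(f"{who}: add esp,{n:X}  esp={self.esp:08X}")

    def ret(self, n, who):
        """ret N: pop the return address, then drop N more bytes of arguments."""
        target = self.mem.get(self.esp, UNINIT)
        self.esp += 4 + n
        self.log.append(f"{who}: ret {n:X}  -> {target:08X}  esp={self.esp:08X}")
        return target


def run_stub(nparams, callee_ret_n=0, caller_add_esp=0):
    """Model this AA stub and return (final ret target, stack balanced?, log):

        push <param>        ; nparams times, PARAMS[0] first
        call function       ; the function ends in `ret callee_ret_n`
        add esp,<n>         ; only when caller_add_esp != 0
        ret                 ; back to whoever started the thread
    """
    st = Stack(BASE)
    st.push(CALLER_RET, "retaddr")          # left on the stack by the stub's caller
    for i in range(nparams):
        st.push(PARAMS[i], f"param{i}")
    st.push(STUB_AFTER_CALL, "call")        # `call` pushes where to come back to
    if st.ret(callee_ret_n, "callee") != STUB_AFTER_CALL:
        raise RuntimeError("callee returned somewhere unexpected")
    if caller_add_esp:
        st.add_esp(caller_add_esp, "stub")
    target = st.ret(0, "stub")              # the stub's own final `ret`
    balanced = target == CALLER_RET and st.esp == BASE
    return target, balanced, st.log


def demo():
    cases = [
        ("1 param, callee ends in plain ret", dict(nparams=1)),
        ("1 param, stdcall: callee ends in ret 4", dict(nparams=1, callee_ret_n=4)),
        ("1 param, cdecl: stub does add esp,4", dict(nparams=1, caller_add_esp=4)),
        ("2 params, stdcall: callee ends in ret 8", dict(nparams=2, callee_ret_n=8)),
        ("2 params, cdecl: stub does add esp,8", dict(nparams=2, caller_add_esp=8)),
        ("2 params, callee ends in ret 4 only", dict(nparams=2, callee_ret_n=4)),
    ]
    results = {}
    for title, kw in cases:
        target, ok, log = run_stub(**kw)
        results[title] = ok
        print(f"== {title}")
        for line in log:
            print("   ", line)
        print(f"    final ret lands at {target:08X}: {'OK' if ok else 'CRASH'}")
    return results


if __name__ == "__main__":
    demo()
```

Run it and compare the "final ret lands at" lines: with no cleanup at all the stub returns into the parameter value, which is the crash from the first post; `ret 8` in the callee and `add esp,8` in the stub (STN's simplification of `add esp,10` / `sub esp,8`) both leave esp exactly where it was before the stub's own return address was popped. A callee that does `ret 4` for two pushed parameters still leaves the stub returning into the first value pushed.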

SunBeam (I post too much, Reputation: 65, Joined: 25 Feb 2005, Posts: 4022, Location: Romania)
Posted: Fri Feb 03, 2017 5:59 am

In the end, it's all about cdecl/stdcall conventions.

Hatschi (Master Cheater, Reputation: 2, Joined: 28 Jan 2010, Posts: 327)
Posted: Sat Feb 04, 2017 12:26 pm

But I call a game function; I can't put ret 8 at the end of it. The in-game functions only end with a simple "ret".
It looks like this:

Code:
055DF568 - push ebp
055DF569 - mov ebp,esp
055DF56B - push edi
055DF56C - push esi
055DF56D - mov esi,[ebp+08]
055DF570 - mov edi,[ebp+0C]
055DF573 - sub esp,08 { 8 }
....
055DF66A - lea esp,[ebp-08]
055DF66D - pop esi
055DF66E - pop edi
055DF66F - leave
055DF670 - ret

The function isn't called by the game, at least not while I play. I set a BP on it and tried to call it manually with CreateThread, but the breakpoint is never hit although the function was called by the thread.

Dark Byte (Site Admin, Reputation: 457, Joined: 09 May 2003, Posts: 25262, Location: The Netherlands)
Posted: Sat Feb 04, 2017 1:27 pm

Then it's probably cdecl (or fastcall, but assume cdecl).
In that case just put "add esp,8" after the call (assuming the function takes 2 parameters).
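Dark Byte's "probably cdecl" call above can be checked against the listing Hatschi posted. The following is an added example, not part of the thread and not Cheat Engine code: a Python script that parses a CE-style disassembly listing (`address - instruction { comment }`), counts the `[ebp+XX]` argument slots the function reads, looks at the `ret N` it ends with, and suggests the caller-side cleanup. The listing of the game function is copied from Hatschi's post above; the second listing and the heuristics themselves are my own construction, including the ecx/edx check that flags the thiscall/fastcall case where the first arguments travel in registers.

```python
"""Guess a function's stack-argument count and calling convention from a
Cheat Engine disassembly listing.

Added example, not from the thread or from Cheat Engine. It parses the
listing format CE prints (`ADDRESS - instruction { comment }`), takes the
highest `[ebp+XX]` slot read as the argument count (08 = first argument,
0C = second, ...), reads the `ret N` the function ends with, and flags
ecx/edx being read before they are written, which hints at thiscall or
fastcall arguments in registers. The heuristics are mine.
"""
import re

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*-\s*(.*?)\s*(?:\{.*\})?\s*$")
EBP_ARG_RE = re.compile(r"\[ebp\+([0-9A-Fa-f]+)\]", re.IGNORECASE)
RET_RE = re.compile(r"^ret(?:\s+([0-9A-Fa-f]+))?$", re.IGNORECASE)

# The game function as quoted in the thread; `....` is the part the poster left out.
GAME_FUNCTION = """
055DF568 - push ebp
055DF569 - mov ebp,esp
055DF56B - push edi
055DF56C - push esi
055DF56D - mov esi,[ebp+08]
055DF570 - mov edi,[ebp+0C]
055DF573 - sub esp,08 { 8 }
....
055DF66A - lea esp,[ebp-08]
055DF66D - pop esi
055DF66E - pop edi
055DF66F - leave
055DF670 - ret
"""

# Constructed counterpart: two stack arguments, but the callee pops them itself.
STDCALL_FUNCTION = """
00401000 - push ebp
00401001 - mov ebp,esp
00401003 - mov eax,[ebp+08]
00401006 - add eax,[ebp+0C]
00401009 - pop ebp
0040100A - ret 0008
"""


def parse(listing):
    """Yield (address, instruction) for every line in CE's `ADDR - insn` form."""
    for raw in listing.splitlines():
        m = LINE_RE.match(raw)
        if m and m.group(2):
            yield int(m.group(1), 16), m.group(2)


def reads_before_write(insns, reg):
    """True if the first instruction touching `reg` reads it (so the caller set it)."""
    for insn in insns:
        low = insn.lower()
        if not re.search(rf"\b{reg}\b", low):
            continue
        mnemonic, _, operands = low.partition(" ")
        ops = [o.strip() for o in operands.split(",")] if operands else []
        defines = mnemonic in ("mov", "lea", "pop", "movzx", "movsx") and bool(ops) and ops[0] == reg
        defines = defines or (mnemonic == "xor" and ops == [reg, reg])
        return not defines
    return False


def analyze(listing):
    insns = [insn for _, insn in parse(listing)]
    slots = [int(off, 16) for insn in insns for off in EBP_ARG_RE.findall(insn)]
    slots = [s for s in slots if s >= 8]            # [ebp] is the saved ebp, [ebp+4] the return address
    nargs = (max(slots) - 8) // 4 + 1 if slots else 0
    ret_n = 0
    for insn in reversed(insns):                    # the last `ret N` is the epilogue we care about
        m = RET_RE.match(insn)
        if m:
            ret_n = int(m.group(1), 16) if m.group(1) else 0
            break
    if ret_n == 0:
        convention = "cdecl (caller cleans)" if nargs else "no stack arguments seen"
        cleanup = f"add esp,{nargs * 4:X}" if nargs else ""
    elif ret_n == nargs * 4:
        convention, cleanup = "stdcall (callee cleans)", ""
    else:
        convention, cleanup = f"ret {ret_n:X} vs {nargs} stack arg(s): inspect by hand", ""
    reg_args = [r for r in ("ecx", "edx") if reads_before_write(insns, r)]
    if reg_args:
        convention += f"; {'/'.join(reg_args)} read before written (thiscall/fastcall?)"
    return {"args": nargs, "ret_n": ret_n, "register_args": reg_args,
            "convention": convention, "cleanup_after_call": cleanup}


if __name__ == "__main__":
    for name, listing in (("game function", GAME_FUNCTION), ("constructed stdcall", STDCALL_FUNCTION)):
        print(f"{name}: {analyze(listing)}")
```

For the game function it reports two stack arguments and a plain `ret`, hence cdecl and `add esp,8` after the call, which is Dark Byte's answer. The heuristic only sees ebp-relative argument reads, so a function that addresses its arguments through esp, or never touches some of them, is undercounted; treat the output as the starting point and confirm in the debugger by comparing esp before the `call` and after the cleanup.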

Hatschi (Master Cheater, Reputation: 2, Joined: 28 Jan 2010, Posts: 327)
Posted: Sun Feb 05, 2017 4:11 am

When calling the function from within another function that the game itself executes, it works very well.
But when calling it from a self-created thread, it fails.
Another thing I don't understand: when I set the BP on the first opcode of the function I want to call and then use either the CreateThread GUI menu item or an AA script, the BP is never hit although the function was called. What's the reason for this?