Calling a function

molawew
How do I cheat?
Reputation: 0

Joined: 04 Jan 2018
Posts: 6

Posted: Wed Feb 07, 2018 8:42 am    Post subject: Calling a function

I'd really appreciate some help. I'm playing an offline game and I'm trying to call a function that generates textures.
I found the function. It is not frequently called by the game, only when there's some texture update, which isn't too often. And I found out that I can use it (the way I do below) without crashing only at a specific time. What I do is put a breakpoint on the function call and edit EBX and EDX, incrementing them by 1.

In the following picture (remove the space, the forum won't let me link images) is how the registers are when there's no texture appearing when the high poly loads:
Code:
i.imgur. com/DL5kTUg.png
So I edit EBX and EDX to be +1, and the texture I want appears. Make it +2, and another more complex variant of the texture appears. Goes up to +3. I should note that it is actually editing EDX that makes the texture appear, I can omit changing EBX and the texture will still appear, and the game won't crash.

The function is the one in the screenshot below where I put a breakpoint.
Code:
i.imgur. com/1DIRN88.png
How would I go about calling this function? Thanks in advance.

Last edited by molawew on Wed Feb 07, 2018 11:00 am; edited 1 time in total
TheyCallMeTim13
Wiki Contributor
Reputation: 50

Joined: 24 Feb 2017
Posts: 976
Location: Pluto

Posted: Wed Feb 07, 2018 9:10 am

You'll have to inspect the called instructions and see what it is using and needs. If you are currently just using an injection to change EBX and EDX to +1 of its current value, then it looks like the "DL" registry is where it might be looking based on the image http://i.imgur.com/1DIRN88.png and "editing EDX makes the texture appear". So based on this image http://i.imgur.com/DL5kTUg.png, it looks like in the injection this would work too.

Code:
mov dl,1
call "AA2Play....


But ultimately you will then use some allocated memory and createThread to setup the parameters and call the function.

Code:
alloc(memThread,1024) // alloc needs a size in bytes
memThread:
  //... set whatever else you find the function needs.
  mov dl,1
  mov eax,3
  push edi // edi seems to be an address; not sure if the function will use it or if this is just stored before the call.
  // But you will have to set it as needed or push the value needed onto the stack
  call "AA2Play...
  ret

createThread(memThread)

molawew
How do I cheat?
Reputation: 0

Joined: 04 Jan 2018
Posts: 6

Posted: Wed Feb 07, 2018 10:41 am

Thanks for replying.
I made a mistake in the original post, the function is bigger, sorry about that. Here it is:
Code:
i.imgur. com/J7kJx6l.png

I believe it should take at least 3 arguments. First should be whether it's doing +1 to ebx/edx, or +2 or +3, or +0 (no special texture), since that results in different textures. Second argument should be related to the character that it is applying the texture to. And third argument should be which texture is being applied. (although this could be edx/ebx?). This same function is called every time any texture update is made, so I'm guessing something must specify which texture it should be, to what character it should be applied, and what stage (+0 to +3).

EDIT: Also I should note that I don't make registers be 1. I make EDX and EBX be EDX+1, and EBX+1. I increase it by 1.
TheyCallMeTim13
Wiki Contributor
Reputation: 50

Joined: 24 Feb 2017
Posts: 976
Location: Pluto

Posted: Wed Feb 07, 2018 12:00 pm

That's part of what you need, but use "Follow" (right click instruction) to see what the function is doing. There must be a pointer for the texture or texture set. A "Break and Trace" before the CALL instruction (using a condition breakpoint if the instruction is shared) would be better.

It depends on where and if you are injecting. But if the function uses the DL registry (which is a guess) and just before the call you add 1 to (http://i.imgur.com/DL5kTUg.png) the EDX registry 06D59B00, this will result in 06D59B01 in the EDX registry, and DL is the lower byte of the DX registry, and DX is the lower word (2 bytes) of the EDX registry (dword / 4 bytes). Then the parameter might be 1 or whatever you add, but this is just a guess as I have not seen the function itself.

http://wiki.cheatengine.org/index.php?title=Assembler#Structure

molawew
How do I cheat?
Reputation: 0

Joined: 04 Jan 2018
Posts: 6

Posted: Wed Feb 07, 2018 12:33 pm

I followed what the function was calling at that breakpoint. It's fairly big.
Code:

AA2Play v12 FP v1.40a.exe+151EC0 - 8B 4C 24 04           - mov ecx,[esp+04]
AA2Play v12 FP v1.40a.exe+151EC4 - 83 EC 0C              - sub esp,0C { 12 }
AA2Play v12 FP v1.40a.exe+151EC7 - 53                    - push ebx
AA2Play v12 FP v1.40a.exe+151EC8 - 55                    - push ebp
AA2Play v12 FP v1.40a.exe+151EC9 - 8B 6C 24 1C           - mov ebp,[esp+1C]
AA2Play v12 FP v1.40a.exe+151ECD - 56                    - push esi
AA2Play v12 FP v1.40a.exe+151ECE - 57                    - push edi
AA2Play v12 FP v1.40a.exe+151ECF - 85 C0                 - test eax,eax
AA2Play v12 FP v1.40a.exe+151ED1 - 0F8C 7F010000         - jl "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151ED7 - 83 FD 06              - cmp ebp,06 { 00000006 }
AA2Play v12 FP v1.40a.exe+151EDA - 0F87 76010000         - ja "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151EE0 - 8A DA                 - mov bl,dl
AA2Play v12 FP v1.40a.exe+151EE2 - FE CB                 - dec bl
AA2Play v12 FP v1.40a.exe+151EE4 - 80 FB 02              - cmp bl,02 { 2 }
AA2Play v12 FP v1.40a.exe+151EE7 - 0F87 69010000         - ja "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151EED - 8D 34 C5 00000000     - lea esi,[eax*8+00000000]
AA2Play v12 FP v1.40a.exe+151EF4 - 2B F0                 - sub esi,eax
AA2Play v12 FP v1.40a.exe+151EF6 - 8D 44 AD 0F           - lea eax,[ebp+ebp*4+0F]
AA2Play v12 FP v1.40a.exe+151EFA - 8D 3C C1              - lea edi,[ecx+eax*8]
AA2Play v12 FP v1.40a.exe+151EFD - 0FB6 C2               - movzx eax,dl
AA2Play v12 FP v1.40a.exe+151F00 - 8D 9C F1 90010000     - lea ebx,[ecx+esi*8+00000190]
AA2Play v12 FP v1.40a.exe+151F07 - 8B 74 87 0C           - mov esi,[edi+eax*4+0C]
AA2Play v12 FP v1.40a.exe+151F0B - C7 44 24 24 00000000  - mov [esp+24],00000000 { 0 }
AA2Play v12 FP v1.40a.exe+151F13 - 85 F6                 - test esi,esi
AA2Play v12 FP v1.40a.exe+151F15 - 0F84 3B010000         - je "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151F1B - 8B 53 04              - mov edx,[ebx+04]
AA2Play v12 FP v1.40a.exe+151F1E - 85 D2                 - test edx,edx
AA2Play v12 FP v1.40a.exe+151F20 - 0F84 30010000         - je "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151F26 - 83 7C 87 18 00        - cmp dword ptr [edi+eax*4+18],00 { 0 }
AA2Play v12 FP v1.40a.exe+151F2B - 0F84 25010000         - je "AA2Play v12 FP v1.40a.exe"+152056 { ->AA2Play v12 FP v1.40a.exe+152056 }
AA2Play v12 FP v1.40a.exe+151F31 - 83 FD 06              - cmp ebp,06 { 00000006 }
AA2Play v12 FP v1.40a.exe+151F34 - 0F85 96000000         - jne "AA2Play v12 FP v1.40a.exe"+151FD0 { ->AA2Play v12 FP v1.40a.exe+151FD0 }
AA2Play v12 FP v1.40a.exe+151F3A - 8B 41 04              - mov eax,[ecx+04]
AA2Play v12 FP v1.40a.exe+151F3D - D9E8                  - fld1
AA2Play v12 FP v1.40a.exe+151F3F - 8A 80 2BD30000        - mov al,[eax+0000D32B]
AA2Play v12 FP v1.40a.exe+151F45 - D9 05 8418EB00        - fld dword ptr ["AA2Play v12 FP v1.40a.exe"+311884] { [0.50] }
AA2Play v12 FP v1.40a.exe+151F4B - 84 C0                 - test al,al
AA2Play v12 FP v1.40a.exe+151F4D - 74 04                 - je "AA2Play v12 FP v1.40a.exe"+151F53 { ->AA2Play v12 FP v1.40a.exe+151F53 }
AA2Play v12 FP v1.40a.exe+151F4F - D9C0                  - fld st(0)
AA2Play v12 FP v1.40a.exe+151F51 - EB 02                 - jmp "AA2Play v12 FP v1.40a.exe"+151F55 { ->AA2Play v12 FP v1.40a.exe+151F55 }
AA2Play v12 FP v1.40a.exe+151F53 - D9C1                  - fld st(1)
AA2Play v12 FP v1.40a.exe+151F55 - 84 C0                 - test al,al
AA2Play v12 FP v1.40a.exe+151F57 - 74 04                 - je "AA2Play v12 FP v1.40a.exe"+151F5D { ->AA2Play v12 FP v1.40a.exe+151F5D }
AA2Play v12 FP v1.40a.exe+151F59 - DDDA                  - fstp st(2)
AA2Play v12 FP v1.40a.exe+151F5B - EB 04                 - jmp "AA2Play v12 FP v1.40a.exe"+151F61 { ->AA2Play v12 FP v1.40a.exe+151F61 }
AA2Play v12 FP v1.40a.exe+151F5D - DDD9                  - fstp st(1)
AA2Play v12 FP v1.40a.exe+151F5F - D9C9                  - fxch st(1)
AA2Play v12 FP v1.40a.exe+151F61 - D9 47 04              - fld dword ptr [edi+04]
AA2Play v12 FP v1.40a.exe+151F64 - 8B 52 58              - mov edx,[edx+58]
AA2Play v12 FP v1.40a.exe+151F67 - D9 7C 24 24           - fnstcw [esp+24]
AA2Play v12 FP v1.40a.exe+151F6B - 0FB7 44 24 24         - movzx eax,word ptr [esp+24]
AA2Play v12 FP v1.40a.exe+151F70 - DECA                  - fmulp st(2),st(0)
AA2Play v12 FP v1.40a.exe+151F72 - 0D 000C0000           - or eax,0C00 { 3072 }
AA2Play v12 FP v1.40a.exe+151F77 - D9C9                  - fxch st(1)
AA2Play v12 FP v1.40a.exe+151F79 - 89 44 24 20           - mov [esp+20],eax
AA2Play v12 FP v1.40a.exe+151F7D - D9 6C 24 20           - fldcw [esp+20]
AA2Play v12 FP v1.40a.exe+151F81 - DF 7C 24 10           - fistp qword ptr [esp+10]
AA2Play v12 FP v1.40a.exe+151F85 - 8B 44 24 10           - mov eax,[esp+10]
AA2Play v12 FP v1.40a.exe+151F89 - 50                    - push eax
AA2Play v12 FP v1.40a.exe+151F8A - D9 6C 24 28           - fldcw [esp+28]
AA2Play v12 FP v1.40a.exe+151F8E - D8 0F                 - fmul dword ptr [edi]
AA2Play v12 FP v1.40a.exe+151F90 - D9 7C 24 28           - fnstcw [esp+28]
AA2Play v12 FP v1.40a.exe+151F94 - 0FB7 44 24 28         - movzx eax,word ptr [esp+28]
AA2Play v12 FP v1.40a.exe+151F99 - 0D 000C0000           - or eax,0C00 { 3072 }
AA2Play v12 FP v1.40a.exe+151F9E - 89 44 24 24           - mov [esp+24],eax
AA2Play v12 FP v1.40a.exe+151FA2 - D9 6C 24 24           - fldcw [esp+24]
AA2Play v12 FP v1.40a.exe+151FA6 - DF 7C 24 14           - fistp qword ptr [esp+14]
AA2Play v12 FP v1.40a.exe+151FAA - 8B 44 24 14           - mov eax,[esp+14]
AA2Play v12 FP v1.40a.exe+151FAE - 50                    - push eax
AA2Play v12 FP v1.40a.exe+151FAF - 8B 46 08              - mov eax,[esi+08]
AA2Play v12 FP v1.40a.exe+151FB2 - 8B 73 18              - mov esi,[ebx+18]
AA2Play v12 FP v1.40a.exe+151FB5 - D9 6C 24 2C           - fldcw [esp+2C]
AA2Play v12 FP v1.40a.exe+151FB9 - 8B 78 58              - mov edi,[eax+58]
AA2Play v12 FP v1.40a.exe+151FBC - 8B 41 18              - mov eax,[ecx+18]
AA2Play v12 FP v1.40a.exe+151FBF - 56                    - push esi
AA2Play v12 FP v1.40a.exe+151FC0 - 52                    - push edx
AA2Play v12 FP v1.40a.exe+151FC1 - E8 AA51FAFF           - call "AA2Play v12 FP v1.40a.exe"+F7170 { ->AA2Play v12 FP v1.40a.exe+F7170 }
AA2Play v12 FP v1.40a.exe+151FC6 - 5F                    - pop edi
AA2Play v12 FP v1.40a.exe+151FC7 - 5E                    - pop esi
AA2Play v12 FP v1.40a.exe+151FC8 - 5D                    - pop ebp
AA2Play v12 FP v1.40a.exe+151FC9 - 5B                    - pop ebx
AA2Play v12 FP v1.40a.exe+151FCA - 83 C4 0C              - add esp,0C { 12 }
AA2Play v12 FP v1.40a.exe+151FCD - C2 0800               - ret 0008 { 00000008 }
AA2Play v12 FP v1.40a.exe+151FD0 - A1 2067F400           - mov eax,["AA2Play v12 FP v1.40a.exe"+3A6720] { [084A7020] }
AA2Play v12 FP v1.40a.exe+151FD5 - 8B 08                 - mov ecx,[eax]
AA2Play v12 FP v1.40a.exe+151FD7 - 8B 91 A4000000        - mov edx,[ecx+000000A4]
AA2Play v12 FP v1.40a.exe+151FDD - 50                    - push eax
AA2Play v12 FP v1.40a.exe+151FDE - FF D2                 - call edx
AA2Play v12 FP v1.40a.exe+151FE0 - 85 C0                 - test eax,eax
AA2Play v12 FP v1.40a.exe+151FE2 - 7D 06                 - jnl "AA2Play v12 FP v1.40a.exe"+151FEA { ->AA2Play v12 FP v1.40a.exe+151FEA }
AA2Play v12 FP v1.40a.exe+151FE4 - 89 44 24 24           - mov [esp+24],eax
AA2Play v12 FP v1.40a.exe+151FE8 - EB 39                 - jmp "AA2Play v12 FP v1.40a.exe"+152023 { ->AA2Play v12 FP v1.40a.exe+152023 }
AA2Play v12 FP v1.40a.exe+151FEA - 8B 43 04              - mov eax,[ebx+04]
AA2Play v12 FP v1.40a.exe+151FED - 8B 40 58              - mov eax,[eax+58]
AA2Play v12 FP v1.40a.exe+151FF0 - E8 BB6A0700           - call "AA2Play v12 FP v1.40a.exe"+1C8AB0 { ->AA2Play v12 FP v1.40a.exe+1C8AB0 }
AA2Play v12 FP v1.40a.exe+151FF5 - 85 C0                 - test eax,eax
AA2Play v12 FP v1.40a.exe+151FF7 - 7D 06                 - jnl "AA2Play v12 FP v1.40a.exe"+151FFF { ->AA2Play v12 FP v1.40a.exe+151FFF }
AA2Play v12 FP v1.40a.exe+151FF9 - 89 44 24 24           - mov [esp+24],eax
AA2Play v12 FP v1.40a.exe+151FFD - EB 24                 - jmp "AA2Play v12 FP v1.40a.exe"+152023 { ->AA2Play v12 FP v1.40a.exe+152023 }
AA2Play v12 FP v1.40a.exe+151FFF - E8 EC0E0C00           - call "AA2Play v12 FP v1.40a.exe"+212EF0 { ->AA2Play v12 FP v1.40a.exe+212EF0 }
AA2Play v12 FP v1.40a.exe+152004 - D9 47 08              - fld dword ptr [edi+08]
AA2Play v12 FP v1.40a.exe+152007 - D9 5E 14              - fstp dword ptr [esi+14]
AA2Play v12 FP v1.40a.exe+15200A - 56                    - push esi
AA2Play v12 FP v1.40a.exe+15200B - D9 47 0C              - fld dword ptr [edi+0C]
AA2Play v12 FP v1.40a.exe+15200E - D9 5E 18              - fstp dword ptr [esi+18]
AA2Play v12 FP v1.40a.exe+152011 - E8 1A1B0C00           - call "AA2Play v12 FP v1.40a.exe"+213B30 { ->AA2Play v12 FP v1.40a.exe+213B30 }
AA2Play v12 FP v1.40a.exe+152016 - 83 C4 04              - add esp,04 { 00000004 }
AA2Play v12 FP v1.40a.exe+152019 - E8 72200C00           - call "AA2Play v12 FP v1.40a.exe"+214090 { ->AA2Play v12 FP v1.40a.exe+214090 }
AA2Play v12 FP v1.40a.exe+15201E - E8 1D100C00           - call "AA2Play v12 FP v1.40a.exe"+213040 { ->AA2Play v12 FP v1.40a.exe+213040 }
AA2Play v12 FP v1.40a.exe+152023 - E8 386F0700           - call "AA2Play v12 FP v1.40a.exe"+1C8F60 { ->AA2Play v12 FP v1.40a.exe+1C8F60 }
AA2Play v12 FP v1.40a.exe+152028 - 85 C0                 - test eax,eax
AA2Play v12 FP v1.40a.exe+15202A - 7D 04                 - jnl "AA2Play v12 FP v1.40a.exe"+152030 { ->AA2Play v12 FP v1.40a.exe+152030 }
AA2Play v12 FP v1.40a.exe+15202C - 89 44 24 24           - mov [esp+24],eax
AA2Play v12 FP v1.40a.exe+152030 - A1 2067F400           - mov eax,["AA2Play v12 FP v1.40a.exe"+3A6720] { [084A7020] }
AA2Play v12 FP v1.40a.exe+152035 - 8B 08                 - mov ecx,[eax]
AA2Play v12 FP v1.40a.exe+152037 - 8B 91 A8000000        - mov edx,[ecx+000000A8]
AA2Play v12 FP v1.40a.exe+15203D - 50                    - push eax
AA2Play v12 FP v1.40a.exe+15203E - FF D2                 - call edx
AA2Play v12 FP v1.40a.exe+152040 - 85 C0                 - test eax,eax
AA2Play v12 FP v1.40a.exe+152042 - 7D 04                 - jnl "AA2Play v12 FP v1.40a.exe"+152048 { ->AA2Play v12 FP v1.40a.exe+152048 }
AA2Play v12 FP v1.40a.exe+152044 - 89 44 24 24           - mov [esp+24],eax
AA2Play v12 FP v1.40a.exe+152048 - 8B 44 24 24           - mov eax,[esp+24]
AA2Play v12 FP v1.40a.exe+15204C - 5F                    - pop edi
AA2Play v12 FP v1.40a.exe+15204D - 5E                    - pop esi
AA2Play v12 FP v1.40a.exe+15204E - 5D                    - pop ebp
AA2Play v12 FP v1.40a.exe+15204F - 5B                    - pop ebx
AA2Play v12 FP v1.40a.exe+152050 - 83 C4 0C              - add esp,0C { 12 }
AA2Play v12 FP v1.40a.exe+152053 - C2 0800               - ret 0008 { 00000008 }
AA2Play v12 FP v1.40a.exe+152056 - 5F                    - pop edi
AA2Play v12 FP v1.40a.exe+152057 - 5E                    - pop esi
AA2Play v12 FP v1.40a.exe+152058 - 5D                    - pop ebp
AA2Play v12 FP v1.40a.exe+152059 - B8 05400080           - mov eax,80004005 { -2147467259 }
AA2Play v12 FP v1.40a.exe+15205E - 5B                    - pop ebx
AA2Play v12 FP v1.40a.exe+15205F - 83 C4 0C              - add esp,0C { 12 }
AA2Play v12 FP v1.40a.exe+152062 - C2 0800               - ret 0008 { 00000008 }


I did trace and break on the instruction where I previously put a breakpoint. I also put a breakpoint right before it and edited EDX and EBX to be +1. Here's the file:
Code:
pastebin. com/TF04UJWA
These are a bit large. Thank you for your time.

EDIT:

I dug around a bit more in the function called.
Code:
i.imgur. com /pJrkP0s.png


This function is called multiple times during high poly load. In a normal scenario, it's called 4 times, while in the scenario where special textures show up, it is called 7 times (it is on the 7th time that it calls for the texture).
The first breakpoint is where the function starts. The roughly marked jl instruction is the last place where EDX has the value it originally had. I can make a breakpoint on this jl and increment it by 1 on the 7th time (when the special event that calls it 7 times happens) and the texture will show up. Otherwise, it's called 5 times and incrementing it by 1 (even if I do it every time it hits it) won't have any effect.
I believe the second breakpoint is where it checks for something, and decides whether to add the texture or not.
Would it be worthwhile to try hooking onto this function that seems to be called on every high poly load and editing it from there, if such a thing is possible at all?
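An added example, not code from the thread or from the game: a C model of the entry checks at +151ECF..+151EE7 of the dump above, showing why a DL of 0 takes the early-out path and DL values 1..3 continue. The roles given to eax, DL and the second stack argument are read off the prologue (ecx comes from [esp+04], ebp from [esp+1C] after sub esp,0C / push ebx / push ebp, i.e. [esp+08] at entry); the EDX value is the one from the screenshot, and the +0..+4 walk-through is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Value loaded into EAX on the failure path at +152059 (dump: 80004005). */
#define FAIL_RESULT 0x80004005u

/* DL is the low byte of DX, which is the low word of EDX. */
static uint8_t dl_of(uint32_t edx)
{
    return (uint8_t)(edx & 0xFFu);
}

/*
 * Model of the checks at +151ECF..+151EE7 of the dump above.
 *   eax  : register argument, rejected if negative   (test eax,eax / jl)
 *   edx  : register argument, only DL is looked at
 *   arg2 : second stack argument; after sub esp,0C / push ebx / push ebp
 *          it sits at [esp+1C], which the prologue loads into EBP
 *          (cmp ebp,06 / ja rejects values above 6, unsigned compare)
 *   DL   : mov bl,dl / dec bl / cmp bl,02 / ja rejects anything but 1..3
 * Returns 0 on the path that continues at +151EED, FAIL_RESULT otherwise.
 */
static uint32_t entry_checks(int32_t eax, uint32_t edx, uint32_t arg2)
{
    if (eax < 0)
        return FAIL_RESULT;
    if (arg2 > 6u)
        return FAIL_RESULT;
    uint8_t bl = (uint8_t)(dl_of(edx) - 1u);   /* wraps to 0xFF when DL == 0 */
    if (bl > 2u)
        return FAIL_RESULT;
    return 0;
}

/* Constructed walk-through: EDX as seen in the screenshot (06D59B00) plus
   the +0..+4 edits; returns how many of those get past the DL check. */
static int passing_increments(void)
{
    const uint32_t edx_seen = 0x06D59B00u;
    int passing = 0;
    for (uint32_t add = 0; add <= 4; add++) {
        uint32_t rc = entry_checks(0, edx_seen + add, 0);
        printf("EDX=%08X DL=%02X -> %s\n", edx_seen + add,
               dl_of(edx_seen + add), rc == 0 ? "continues" : "fails early");
        if (rc == 0)
            passing++;
    }
    return passing;
}

int main(void)
{
    printf("%d of the +0..+4 edits get past the entry checks\n",
           passing_increments());
    return 0;
}
```

The three increments that pass (+1, +2, +3) are exactly the ones the original post reports as producing a texture, which is what you would expect if only DL is consumed from EDX.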