MikeNoey (Advanced Cheater, Reputation: 0, Joined: 08 Jun 2018, Posts: 64)
Posted: Fri Nov 22, 2019 1:30 pm, Post subject: I need help understanding CreateThread
Hi, I've been looking around and trying to find out more about calling functions and hooking etc. Most of what I have found involves DLL injection and C++ knowledge. I plan on reading and learning everything I can about C++, but not at this moment, as I am focusing more on Assembly and Lua. I've found some examples of CreateThread which have helped me grasp it a bit better, but I think if I can have it explained using my own provided information with an example I'd grasp it much easier. I'm 90% sure I found the function that is responsible for opening my character's inventory.
Image: https://imgur.com/zmB87Yw
From what I understand of the function, "cmp dword ptr [edi+3C],00" checks if the inventory is currently closed and if so it then runs "mov [edi+3C],1" which opens the inventory. I tried manually changing the pointer address to 1 but it only partially displays the inventory with parts of it missing / incomplete. I'd love to see an example of how to call this function via CreateThread. Thank you in advance to any who help me here with this and plenty more after xddd
ParkourPenguin (I post too much, Reputation: 152, Joined: 06 Jul 2014, Posts: 4702)
Posted: Fri Nov 22, 2019 2:20 pm
That's not the start of the function. It's a section of code jumped to by a few conditional branches. The actual start is probably several hundred instructions above that.
You can still use it, but setting up the state might be a little more complicated.
Code:
define(TARGET,game.exe+8DD4C)
[ENABLE]
alloc(newmem,2048)
assert(TARGET,D9 05 B4 58 7A 00)
createthread(newmem)
newmem:
// make preparations to call
// e.g.
mov eax,[game.exe+1234]
mov esi,[eax+C] // find esi using pointer path
call TARGET
// free memory, return
pop eax                  // thread's return address, saved so the tail call can use it
push 8000                // dwFreeType = MEM_RELEASE
push 0                   // dwSize must be 0 with MEM_RELEASE
push newmem              // lpAddress = the block this thread is running in
push eax                 // return address: VirtualFree returns straight to the thread's caller
jmp kernel32.VirtualFree // tail call; this code must not be executed after the block is freed
[DISABLE]
(If you copy/paste this, it will fail: you need to figure out what preparations are necessary by looking at what you're calling.)
_________________
I don't know where I'm going, but I'll figure it out when I get there.
MikeNoey (Advanced Cheater, Reputation: 0, Joined: 08 Jun 2018, Posts: 64)
Posted: Sun Nov 24, 2019 10:52 am
Ok, and by "make preparations" you mean what? If I understand things right, I have to make sure the registers match the same as if the function was being called normally. When freeing up memory I see you "jmp kernel32.VirtualFree"; why is that?
ParkourPenguin (I post too much, Reputation: 152, Joined: 06 Jul 2014, Posts: 4702)
Posted: Sun Nov 24, 2019 5:12 pm
By "make preparations" I mean you should do whatever you need to do so that the game's code does what it's supposed to do. I don't know what that is; it's something you can figure out by looking at what the game is doing. In the picture you can see esi is being accessed in addition to a few static values. You might be able to leave the static values alone and be fine, but you'll need to find esi somehow (e.g. via a pointer).
When the script is enabled, CE allocates memory to put that code in for the thread to execute. The safest and most optimal way I can think of to clean up that memory is for that thread to deallocate it. After that, the thread also needs to return in order for the OS to clean up the thread's resources. Since it can't return to memory that doesn't exist after the deallocation happens, it's best to perform a tail call to VirtualFree. That way, after VirtualFree deallocates that memory, the thread returns to wherever the memory was called from. Everything gets cleaned up nice and safe.
MikeNoey (Advanced Cheater, Reputation: 0, Joined: 08 Jun 2018, Posts: 64)
Posted: Mon Nov 25, 2019 5:22 am
Thanks Parkour. I think I understand enough to experiment and play with it. Hopefully I'll get it working.
MikeNoey (Advanced Cheater, Reputation: 0, Joined: 08 Jun 2018, Posts: 64)
Posted: Tue Nov 26, 2019 3:26 am
So I've tried running the following script, and when I execute it the game doesn't crash. I'm just not sure if I'm doing it right, because when I breakpoint the actual address that gets called it doesn't trigger a breakpoint, which leaves me wondering if it was done correctly.
Code:
[ENABLE]
alloc(newmem,2048)
createthread(newmem)
newmem:
// make preparations to call
// e.g.
mov esi,1EB24018        // hardcoded object address taken from the debugger session
mov edi,1B2FCC78
mov [edi+3c],1
mov ecx,[esi+000001D4]
push ecx                // stack argument for the call
mov ecx,esi             // this-pointer in ecx, as the game's own call site sets it up
call Game.exe+8D360
ret 4                   // thread procedure is stdcall with one parameter; nothing is freed here
[DISABLE]
ParkourPenguin (I post too much, Reputation: 152, Joined: 06 Jul 2014, Posts: 4702)
Posted: Tue Nov 26, 2019 1:59 pm
Which debugger interface are you using? If you're using VEH, that's expected; try Windows instead.
Dark Byte (Site Admin, Reputation: 470, Joined: 09 May 2003, Posts: 25796, Location: The Netherlands)
Posted: Tue Nov 26, 2019 2:05 pm
int3 bp's do trigger with VEH debug (you can set them explicitly in CE 7.0).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
MikeNoey (Advanced Cheater, Reputation: 0, Joined: 08 Jun 2018, Posts: 64)
Posted: Tue Nov 26, 2019 2:40 pm
Just to make myself clearer: the breakpoint triggers when I perform the function manually by opening up my inventory menu, but when I run the script that calls that address the breakpoint will not trigger. Which is why I thought the issue must lie in the CreateThread script that calls the address.
MikeNoey (Advanced Cheater, Reputation: 0, Joined: 08 Jun 2018, Posts: 64)
Posted: Wed Nov 27, 2019 12:21 pm
I made a 2 minute video showing what I'm trying to do. It shows the Assembly script I'm trying to run along with the Call function and a full view of the Stack, and I even show the proper ret that returns to the address after the Call. If anyone can take a look and tell me where I'm going wrong I'd appreciate it.
In the video the script was missing "mov ebx,3" above "push ebx", and after adding that and running it again the game still crashes. I've also made sure the addresses have the correct values by adding mov instructions before each push.
https://www.youtube.com/watch?v=9nRm2IFf8NQ&feature=youtu.be
ParkourPenguin (I post too much, Reputation: 152, Joined: 06 Jul 2014, Posts: 4702)
Posted: Thu Nov 28, 2019 10:39 am
You shouldn't change the location of the stack like that (esp/ebp).
Perhaps you should just give up for now and learn more about x86 architecture, at least what the stack is and what a call instruction does.
MikeNoey (Advanced Cheater, Reputation: 0, Joined: 08 Jun 2018, Posts: 64)
Posted: Thu Nov 28, 2019 11:00 am
Yeah, I worked that out with esp / ebp. I've managed to use code injection to change the function by cleaning the stack and replacing it with what was in the CreateThread script. So that's progress at least, because I was messing with the packet function responsible for forming outgoing packets. I managed to change it so that when I send a message, instead of the message sending, an item is used, and so on.
MikeNoey (Advanced Cheater, Reputation: 0, Joined: 08 Jun 2018, Posts: 64)
Posted: Sun Dec 08, 2019 7:33 am
FUCK YESSSSSSS. I figured it out. Thank you again for the help. Been going through every forum post I could find on CE and thanks to SunBeam, Parkour, DarkByte, Atom and Zanzer. You guys are godsendssss. I got it all working. Thank you again <3
Ok, so I've hit my first hiccup and I'd love some help understanding this. When I restart the game and then enable my script, the game crashes every time, BUT if I perform the function manually, as in doing it in game via normal means, at least once / first, THEN enable my script, the function calls perfectly every time I enable/disable and the game does not crash. Why would this be happening?
Well, I've done some tinkering. I'm not sure what the problem was, but I fixed it by pushing my own registered symbols onto the stack with the correct values. Now I can run the script first without having to perform the function manually.