Posted: Wed Jun 17, 2020 7:07 am Post subject: I'm in the root function that changes unit stances. But...
(Image below)
So I successfully reversed all the functions and arrived at the "Boss" function 58AAA0. Feels good.
I was able to inject code and call this function, after many tries and a whole day working on it.
My questions are:
1. Is there any other function below this one in the supposed hierarchy?
I searched for references and there are none. And I opened IDA and it shows the xrefs to my function. I went back all the way to function 58AAA0, tracing back which registers pass the values that I need.
So is there anything behind this function 58AAA0 that I should also reverse to get to the root of what changes the stance of my units? Or that's it?
2. I can't understand where the values are getting plugged into my function 58AAA0 from if there is nothing happening before it. What calls this function?
It's a thiscall function that only has switch cases and it seems to loop constantly.
3. The function gets an ECX address that is my player object, and a value on the stack that is an address that is randomly generated (and changes every time), which contains the values that will then be used in a much later function to change the stance of the unit.
How and where does my function get these arguments from if there is nothing before it? How can I find this out?
It is very important that I find a way to know what is writing this argument, which changes every time the function is called but always has the same values in it that change my unit stance.
IDA still shows the .rdata 0062AAEC before my boss function 58AAA0.
Does this have an influence on my function? Can I do anything with it?
The more I learn, the more I feel like a damn noob.
Thank you so much for all the support.
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Wed Jun 17, 2020 1:31 pm Post subject:
Based on the graphic, it looks like your function is part of a class and the top-most ref is the VTable entry that it's located within. The call using ECX is due to being a class call, which is considered a '__thiscall' (calling convention wise) where ECX holds the class object's 'this' pointer when called.
In order to find where that is called, you would need to set a breakpoint at the start of the function and trace back, via the call stack, to where it was called from.
You were absolutely right.
There is yet another function that calls my function.
But it's calling through an address that changes every time too.
call [edx+c].
So I have more material to work with.
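The dispatch both posts describe, as an added C example that is not code from the thread or the game: an object with virtual methods carries, as its first field, a pointer to one constant table shared by every object of that class, so ECX (the object, at a different heap address each allocation) yields EDX (the table), and a call through [edx+0Ch] is the fourth slot on 32-bit x86. The Unit type, its methods and the stance field are hypothetical.

```c
#include <assert.h>
#include <stdio.h>
/* Added example (not code from the game or the thread): models the object
 * layout behind "mov edx,[ecx]; call [edx+0Ch]". Names are hypothetical. */

typedef void (*vfn)(void);                 /* generic slot type for the table */

typedef struct Unit {
    const vfn *vtable;   /* first field of a C++ object with virtual methods */
    int stance;          /* hypothetical per-object data */
} Unit;

static void unit_destroy(Unit *self)           { (void)self; }
static void unit_update(Unit *self)            { (void)self; }
static int  unit_get_stance(Unit *self)        { return self->stance; }
static void unit_set_stance(Unit *self, int s) { self->stance = s; }

/* One constant table per class in read-only data; every Unit, wherever the
 * heap placed it, points at this same table (the stable thing to key on). */
static const vfn UNIT_VTABLE[] = {
    (vfn)unit_destroy,     /* slot 0: [edx+0]   on 32-bit x86 */
    (vfn)unit_update,      /* slot 1: [edx+4]   */
    (vfn)unit_get_stance,  /* slot 2: [edx+8]   */
    (vfn)unit_set_stance,  /* slot 3: [edx+0Ch] */
};

Unit make_unit(int stance) {
    Unit u = { UNIT_VTABLE, stance };
    return u;
}

/* Map the displacement in "call [edx+OFF]" to a slot index; ptr_size is the
 * target's pointer width (4 for a 32-bit game). Returns -1 if not slot-aligned. */
int vtable_slot_from_offset(unsigned byte_offset, unsigned ptr_size) {
    if (ptr_size == 0 || byte_offset % ptr_size != 0) return -1;
    return (int)(byte_offset / ptr_size);
}

/* Emulates the indirect call on this host: load the table from the object
 * (what EDX gets), pick the slot, call it with the right signature. */
int dispatch_set_stance(Unit *u, int new_stance) {
    int slot = vtable_slot_from_offset(0xC, 4);   /* 0xC / 4 = slot 3 */
    assert(slot >= 0);
    ((void (*)(Unit *, int))u->vtable[slot])(u, new_stance);
    return ((int (*)(Unit *))u->vtable[2])(u);    /* read back via slot 2 */
}

int main(void) {
    Unit a = make_unit(0), b = make_unit(0);
    printf("same table: %d stance: %d\n", a.vtable == b.vtable, dispatch_set_stance(&a, 2));
    return 0;
}
```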