Cheat Engine The Official Site of Cheat Engine
SadrienHatesU Newbie cheater Reputation: 0
Joined: 08 May 2017 Posts: 14 Location: I don't exist... Unfortunately
Posted: Fri Jan 05, 2018 8:16 pm Post subject: Using Auto Assemble to run a function?
How do I run a function and then store what it should return using the auto assemble function of CE?
For example, I need my AoB scan to find a specific function and run it, then take the return, which points to an array, in order to write my pointers.
I have an AoB scan for the beginning of the function that I need to run; I just need to know how to run a function in an auto assemble script that I found by AoB and get the address that the function returns.
_________________
Um... Hello... Thanks for taking the time to read my pointless signature
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Sat Jan 06, 2018 8:25 am
disclaimer: I just woke up...
Code: | [ENABLE]
// finds the function you want to call
aobscan(functionname, unique aob to start of function)
// creates memory for your own function which calls the one you want
globalalloc(functionCaller, $1000) // allocs and registers the symbol, no dealloc
// your function to call the one you want
functionCaller:
// ... setup args (registers in x64, probably stack x86)
sub RSP, 28 // x64 requires 0x20 shadow space for the callee; the extra 8 keeps RSP 16-byte aligned at the call
mov rax, functionname // can't call a constant 8 byte address directly; if it's 32 bit you can use "call functionname"
call rax
add RSP, 28
// ... pop args if necessary x86 cdecl/thiscall etc.
// result in RAX/EAX
ret
// creates a thread and runs the function you want
createThread(functionCaller)
[DISABLE]
|
If the function you want to call doesn't take any arguments then you should be able to use createThread(functionname). Of course if you hook running code then you don't need createThread, you can call it in the hooked code; just be careful not to overwrite registers the code needs to keep (functions don't have to save all the registers; see https://en.wikipedia.org/wiki/X86_calling_conventions).
SadrienHatesU Newbie cheater Reputation: 0
Joined: 08 May 2017 Posts: 14 Location: I don't exist... Unfortunately
Posted: Sun Jan 07, 2018 6:59 am Post subject: x86 vs 64 bit
So I don't have time to check it out a lot right now, but are you saying I would have to change your instructions in order to get it because it is in 64-bit memory, so I cannot call an 8-byte address? Or is it just that I can only call an 8-byte value from a register and not directly from the address on the stack?
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Sun Jan 07, 2018 9:30 am
Quote: | is it just that I can only call an 8 byte value from a register and not directly from the address |
This. If you couldn't call an 8 byte address in x64 then it wouldn't have functions at all, and that just wouldn't work. There are also ways to call an 8 byte address stored in memory; you can't, however, use a constant 8 byte address in the instruction, e.g. call 0x12345678DEADBEEF, but you can move 0x12345678DEADBEEF into a 64 bit register and then call that, or call [RSP] when 0x12345678DEADBEEF is on top of the stack, etc.
SadrienHatesU Newbie cheater Reputation: 0
Joined: 08 May 2017 Posts: 14 Location: I don't exist... Unfortunately
Posted: Wed Jan 10, 2018 10:54 pm Post subject: .
When I do as you listed it simply does nothing. Like the script executes and I believe it returns to nowhere? Does anyone know the syntax off the top of their head for me to define a symbol with the returned value from the thread, or can they explain to me what the problem with this person's code is?
Last edited by SadrienHatesU on Wed Jan 10, 2018 11:23 pm; edited 1 time in total
Thiago Newbie cheater Reputation: 0
Joined: 30 Jan 2017 Posts: 18
Posted: Wed Jan 10, 2018 11:11 pm Post subject: Re: .
It returns to RAX, or EAX if you're in a 32-bit program.
If you store the RAX value in a new memory location and add that address in CE, you'll see if it points to your array.
_________________
I'm newbie ...
SadrienHatesU Newbie cheater Reputation: 0
Joined: 08 May 2017 Posts: 14 Location: I don't exist... Unfortunately
Posted: Wed Jan 10, 2018 11:25 pm Post subject: Re: .
It's not 32-bit. Where would it return?
Thiago Newbie cheater Reputation: 0
Joined: 30 Jan 2017 Posts: 18
Posted: Wed Jan 10, 2018 11:49 pm Post subject: Re: .
My bad, I wrote it in a confusing way.
Your function will return the value in the RAX register.
You could also be trying to call a void function and expecting a return value.
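Putting FreeER's caller stub together with Thiago's advice to park RAX somewhere CE can read it, here is an added example script (not code posted by anyone in this thread). The byte pattern in the aobscan is a placeholder, and the `returnValue` symbol and argument comments are assumptions for a no-argument x64 callee.

```asm
[ENABLE]
// PLACEHOLDER pattern: replace with the unique bytes at the start of the target function
aobscan(functionname, 48 89 5C 24 08 57 48 83 EC 20)

// Assumed names: functionCaller holds our stub, returnValue holds the 8-byte result
globalalloc(functionCaller, $1000)
globalalloc(returnValue, 8)

functionCaller:
  // x64 Windows convention: first four integer args go in RCX, RDX, R8, R9;
  // a thiscall-style method would take its object pointer in RCX
  sub rsp, 28                 // 0x20 shadow space + 8 so RSP is 16-byte aligned at the call
  mov rax, functionname       // a 64-bit absolute address has to be loaded into a register
  call rax
  add rsp, 28
  mov [returnValue], rax      // save the result where CE (and other scripts) can read it
  ret

createthread(functionCaller)  // runs the stub once on a fresh thread

[DISABLE]
// globalalloc memory stays mapped, so nothing to free; the symbols remain usable
```

After enabling, add `returnValue` to the address list as an 8-byte hex value; if the callee returns a pointer to the array, a pointer entry with base `returnValue` and offset 0 resolves to it.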