Macaroni Newbie cheater
Reputation: 0
Joined: 29 Sep 2014 Posts: 10 Location: Mars
Posted: Mon Oct 06, 2014 9:31 pm Post subject: How do I call Local functions?
I'm a bit new to all of this, so excuse me if my wording is off, but say I have a DLL program. With this DLL program, I can inject it and read/write memory in Solitaire. Now in Solitaire, when I make a move, I assume it calls a function like MoveCard(x, y);
where MoveCard =
MoveCard(Card1, Card2){
Move Card1 to Card2;
}
then I see the card move from point a to point b, right? How would I go about calling this function in my DLL (Visual C++)? My hypothesis:
1. Locate function
2. Translate function to CE script
3. Translate the CE script to inline asm
But how do I do these three things?
1. How do I find the function? Do I need to use IDA?
2. This is just needed in case it uses live dynamic addresses, right?
3. I have some experience with this already; I found a guide a long time ago.
Also, instead of recoding the function into my own code, could I just flat out call it?
zm0d Master Cheater
Reputation: 7
Joined: 06 Nov 2013 Posts: 423
Posted: Thu Oct 09, 2014 7:24 am
You can try to find the function used with a simple string search and guessing names, or by creating a dump of the executable (dumpbin.exe) and looking at its functions. You then need to find the call(s) of this function and find out the parameters given to the function, which can be a little complex so far.
The easiest way to find the function you are looking for might be using Cheat Engine's UltiMap. It's an awesome tool if you can run DBVM. It works similar to the CE memory scanner (you do something in the game and then start filtering). Keep in mind that you still have to find out the parameters of the function, and you may have to dissect and rebuild data structures to call the function properly on your own.
There are some tutorials out on the WWW on how to use CE UltiMap. Just google.
Macaroni Newbie cheater
Reputation: 0
Joined: 29 Sep 2014 Posts: 10 Location: Mars
Posted: Sun Oct 12, 2014 6:12 pm
zm0d wrote:
    You can try to find the function used with a simple string search and guessing names, or by creating a dump of the executable (dumpbin.exe) and looking at its functions. You then need to find the call(s) of this function and find out the parameters given to the function, which can be a little complex so far.
    The easiest way to find the function you are looking for might be using Cheat Engine's UltiMap. It's an awesome tool if you can run DBVM. It works similar to the CE memory scanner (you do something in the game and then start filtering). Keep in mind that you still have to find out the parameters of the function, and you may have to dissect and rebuild data structures to call the function properly on your own.
    There are some tutorials out on the WWW on how to use CE UltiMap. Just google.
I have a little experience with IDA. Should I look at it and locate the function name, then search for that as a string in live memory with CE and RE it from there?
penpenpen Cheater
Reputation: 0
Joined: 23 Feb 2014 Posts: 39
Posted: Mon Oct 13, 2014 4:13 am
I think Cheat Engine only finds functions by name if they are exported (in DLLs, i.e.). There are a lot of functions, especially within the main executable, that have no reference.
You just use UltiMap and set breakpoints; on those breakpoints you change variables to see if you have the right function.
If you do, you need to get the memory address of the function, i.e. Solitaire.exe+123, where Solitaire.exe is your base address and 123 is the offset.
Then you have to see what parameters the function gets. You can do that by using the Dissect Code command, and then jump to where the function is called. You usually find some push statements there; those are the function parameters.
When you now want to call the function, you need to generate a function in your programming language (in CE with Lua, i.e.) and give it the same parameters as the original. Then you can run the function (watch for "calling conventions"; usually stdcall does the trick).
But even though you may have the right function, it might not do anything in the program. That is because of the way programs are written and how the function is called. For some functions to actually do anything, certain parameters must be met (i.e. MouseClicked = TRUE; Xcoord > 20; ...).
So it's basically a process of reverse engineering through the program to find out how it works.
In a game like Solitaire I'd say it's pretty straightforward.
zm0d Master Cheater
Reputation: 7
Joined: 06 Nov 2013 Posts: 423
Posted: Mon Oct 13, 2014 4:17 am
I don't have much experience with IDA either. I always use CE.
The method you mention might work. You should also check out the "View" menu item in the "Memory View" window. You can find all methods stored in injected DLLs via the "Enumerate DLL's and Symbols" method (Ctrl+Alt+S while the "Memory View" window is active).
You are able to do some string operations (let CE scan for all strings within the memory) too.
It's not an easy exercise you are trying to solve there.
lampuiho Expert Cheater
Reputation: 6
Joined: 16 Jan 2010 Posts: 122
Posted: Mon Oct 13, 2014 9:07 pm
Create a thread, then call the function with the correct parameters.
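Putting penpenpen's and lampuiho's points together (module base + offset, a function pointer typed with the reversed signature and calling convention, and a precondition the game checks before the call has any visible effect), here is an added C example that is not from the thread or from Cheat Engine. The target function, the board state, the MouseClicked flag and the way base/offset are derived in-process are all constructed stand-ins, since no real Solitaire is involved.

```c
#include <stdint.h>

/* Calling convention of the target function. The thread suggests stdcall for
   32-bit Windows builds; elsewhere the keyword does not exist and is compiled
   away, so the rest of the example still builds and runs. */
#ifdef _WIN32
#define TARGET_CALL __stdcall
#else
#define TARGET_CALL
#endif

/* ---- Stand-in for the target program (constructed for this example) ---- */
#define COLUMNS 8
static int g_mouse_clicked = 0;   /* hypothetical precondition the game checks */
static int g_board[COLUMNS];      /* column -> number of cards in that column */

/* Hypothetical internal function living at "Solitaire.exe+offset": moves one
   card from column `from` to column `to`. Returns 1 on success, 0 when the
   game's preconditions are not met (the "function does nothing" case). */
static int TARGET_CALL move_card(int from, int to)
{
    if (!g_mouse_clicked || from < 0 || from >= COLUMNS || to < 0 ||
        to >= COLUMNS || from == to || g_board[from] == 0)
        return 0;                 /* precondition not met: no visible effect */
    g_board[from]--;
    g_board[to]++;
    return 1;
}

/* Helpers standing in for the memory reads/writes an injected DLL would do. */
void reset_demo_board(void) { for (int i = 0; i < COLUMNS; i++) g_board[i] = 0; g_board[0] = 7; g_mouse_clicked = 0; }
void set_mouse_clicked(int v) { g_mouse_clicked = v; }
int column_count(int col) { return g_board[col]; }

/* Stands in for GetModuleHandle + the offset found with CE: here the "base"
   is the page containing move_card and the offset is its distance from it. */
void demo_addresses(uintptr_t *base, uintptr_t *offset)
{
    uintptr_t fn = (uintptr_t)move_card;
    *base = fn & ~(uintptr_t)0xFFF;
    *offset = fn - *base;
}

/* ---- What the injected DLL does: rebuild the address and call through a
   pointer whose type carries the reversed signature and convention ---- */
typedef int (TARGET_CALL *move_card_fn)(int from, int to);
int call_move_card(uintptr_t module_base, uintptr_t offset, int from, int to)
{
    move_card_fn fn = (move_card_fn)(module_base + offset);
    return fn(from, to);
}
```

In a real injected DLL the call would be issued from a thread the DLL creates, as lampuiho says, rather than from DllMain.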