The Official Site of Cheat Engine
Learning to find addresses.

 
Cheat Engine Forum Index -> General Gamehacking
mynameisjimmy
Newbie cheater
Reputation: 0

Joined: 21 Jun 2018
Posts: 15

Posted: Thu Jun 21, 2018 7:13 am    Post subject: Learning to find addresses.

Good evening.

I have wide experience in programming, having done it professionally for over a decade - but only recently have I begun getting interested in reverse engineering.

I've learned how to hook debuggers to protected games, but I've yet to learn how to find functions.

To learn how to do it - I've downloaded my friend's idle game, where you click on a forest to get wood, a mine to get gold and so on.

I've tracked what memory address the wood is stored in and tracked what writes to it - I even see the call that is possibly the function I'm looking for, but how do I test it or know for sure?

@Edit: Apparently I can't post URLs yet, so here it is:
Code:
1D8AC4FD - fstp dword ptr [esp]
1D8AC500 - fld dword ptr [esp]
1D8AC503 - add esp,04 { 4 }
1D8AC506 - sub esp,0C { 12 }
1D8AC509 - sub esp,04 { 4 }
1D8AC50C - fstp dword ptr [esp]
1D8AC50F - call 0689C428 <-- the function most likely
1D8AC514 - add esp,10 { 16 }
1D8AC517 - fstp qword ptr [ebp-00000160]
1D8AC51D - mov eax,151BA088 { [3419.00] }  <-- current wood
1D8AC522 - fld qword ptr [eax]
1D8AC524 - fld qword ptr [ebp-00000160]
1D8AC52A - faddp
1D8AC52C - mov eax,151BA088 { [3419.00] } <-- current wood
1D8AC531 - fstp qword ptr [eax]
1D8AC533 - mov eax,151BA090 { [3950.00] }
1D8AC538 - fld qword ptr [eax]
1D8AC53A - fld qword ptr [ebp-00000160]
1D8AC540 - faddp
1D8AC542 - mov eax,151BA090 { [3950.00] }
1D8AC547 - fstp qword ptr [eax]
1D8AC549 - mov eax,151BA1B9 { [0] }
1D8AC54E - mov byte ptr [eax],01 { 1 }
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1587

Posted: Thu Jun 21, 2018 7:57 am

What are you looking for? What function?
I can see you are in the wood addition function, which appears to use the double data type.

And there is a call above it for whatever reason; why didn't you dig into that call and check whether it's the function you are interested in or not?

what are you trying to do? (specifically)
analyzing and reverse engineering functions?

- try "break and trace"; it takes snapshots of which instructions executed and the data related to them
- knowing what values are in registers and what they mean can help a lot
- it may require poking the game function and watching how the game reacts (I mean messing around with instructions and registers, like changing them)

All this and more can help; plus, to get even better, write your own C++ console program and debug it.
use different compilers, different compilers = different asm instructions.
try to use as many functions as you can, create your own too.

Try to simulate game functions in your own code and see if it makes sense to you; after all, it takes time to gain knowledge.

Being a computer programmer is good, but a programmer without the knowledge of what happens under the hood and how isn't good.

one tip:
- start with small games, then medium and large ones, then go for triple-A games.
(OOP-style in-game development can make reversing much more difficult than normal; there will be classes, objects, functions and much dirt)

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
mynameisjimmy
Newbie cheater
Reputation: 0

Joined: 21 Jun 2018
Posts: 15

Posted: Thu Jun 21, 2018 8:38 am

OldCheatEngineUser wrote:
what are you trying to do? (specifically)
analyzing and reverse engineering functions?


I'm trying to execute the 'ResourceForest:OnClick' function, to emulate it being constantly clicked.

I could simply send a message via WinAPI with a click and position, but my point is learning how to do it the RE way and not creating workarounds.

PS: I did go into that function, it didn't tell me much really:
Code:
0686C908 - push ebp
0686C909 - mov ebp,esp
0686C90B - sub esp,08 { 8 }
0686C90E - fldz
0686C910 - fstp dword ptr [ebp-04]
0686C913 - fld dword ptr [ebp+08]
0686C916 - frndint
0686C918 - sub esp,04 { 4 }
0686C91B - fstp dword ptr [esp]
0686C91E - fld dword ptr [esp]
0686C921 - add esp,04 { 4 }
0686C924 - fstp dword ptr [ebp-04]
0686C927 - fld dword ptr [ebp-04]
0686C92A - leave
0686C92B - ret


Am I correct to assume that if it's 'ret null' then it returns nothing?
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1587

Posted: Thu Jun 21, 2018 8:58 am

mynameisjimmy wrote:
Am I correct to assume that if it's 'ret null' then it returns nothing?

Yes, return to the previous IP/EIP/RIP without popping any bytes.

I did an auto-click cheat a long time ago, for a shooting game.
Using LMB (left mouse button) to shoot, I found my ammo address as well as the instruction that was writing to it.

A couple of lines above my ammo-subtracting instruction, there was a check (checking whether LMB is clicked or not); if so, then jump to location X and execute the bullet.

All I did was change the conditional jump and I had auto-fire; it's nearly the same case with you.

See if there is any check in this subroutine; if nothing, then go back one subroutine until you find where the check is.

mynameisjimmy
Newbie cheater
Reputation: 0

Joined: 21 Jun 2018
Posts: 15

Posted: Thu Jun 21, 2018 9:30 am

OldCheatEngineUser wrote:
see if there is any check in this subroutine, if nothing then go back one subroutine til you find where the check is.


The whole function (the 2nd code listing I posted) seems to have no checks in it, so I went back.

I think I examined the code properly, tell me if I'm correct:

Code:
1D73A3AA - mov eax,151BA1B8 //this wiggles between 01000000 and 01001010 when I spam clicks, but it also randomly changes between these 2.
1D73A3AF - mov byte ptr [eax],01 //??
1D73A3B2 - fld qword ptr [ebp-00000160] //Perhaps load mouse state
1D73A3B8 - fld qword ptr [18BA9D00] { [1000000000.00] } //Load state to compare to
1D73A3BE - fcomip st(0),st(1) //Compare both states
1D73A3C0 - fstp st(0) //Store current state
1D73A3C2 - jna 1D73A3ED //If both matched, jump below (3 instructions below call) and don't call clicks
1D73A3C4 - fld qword ptr [ebp-00000160]
1D73A3CA - sub esp,04 { 4 }
1D73A3CD - fstp dword ptr [esp]
1D73A3D0 - fld dword ptr [esp]
1D73A3D3 - add esp,04 { 4 }
1D73A3D6 - sub esp,0C { 12 }
1D73A3D9 - sub esp,04 { 4 }
1D73A3DC - fstp dword ptr [esp]
1D73A3DF - call 0686C908 //Do the func


How can I execute JUST the call? Maybe it's sufficient, seeing how there are no checks inside the call function.


Last edited by mynameisjimmy on Thu Jun 21, 2018 9:32 am; edited 1 time in total
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4291

Posted: Thu Jun 21, 2018 9:31 am

mynameisjimmy wrote:
Am I correct to assume that if it's 'ret null' then it returns nothing?


No. It's returning a floating point value on the x87 stack (conventional for 32-bit applications). Most of that function is redundant; all it does is round its argument to an int and return it.

If there is a number following the return, the stack pointer is further increased by that number of bytes after the return address (stdcall argument cleanup).

You shouldn't try to reverse engineer anything if you can't reason through what code is doing. Try learning about what instructions do first.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
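ParkourPenguin's reading of the posted function (it rounds its argument, leaves the result in st(0), and leave/ret never touch the FPU stack) can be checked by stepping the listing through a small model of the x87 register stack. This is an added example, not code from the thread or from Cheat Engine: the X87 struct, the x87_fld/x87_fstp/x87_frndint helpers and round_to_nearest_even are constructed here for illustration. The model assumes the x87 default rounding mode (round half to even) and ignores the control word, tag word and exception flags; the single-precision loads and stores in the listing are modelled by casting to float.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal model of the x87 register stack: up to 8 values, st(0) on top.
   Constructed for this example; no control word, tags or exceptions. */
typedef struct {
    double st[8];
    int depth;          /* number of values currently pushed */
} X87;

static void   x87_fld(X87 *f, double v) { f->st[f->depth++] = v; }   /* push as new st(0) */
static double x87_fstp(X87 *f)          { return f->st[--f->depth]; } /* pop st(0) */

/* Round half to even (the x87 default rounding mode), written without libm. */
static double round_to_nearest_even(double x)
{
    double t = (double)(long long)x;    /* truncate toward zero */
    double diff = x - t;
    if (diff > 0.5)  return t + 1.0;
    if (diff < -0.5) return t - 1.0;
    if (diff == 0.5 || diff == -0.5) {  /* exact tie: choose the even neighbour */
        if (((long long)t) % 2 != 0)
            return t + (diff > 0 ? 1.0 : -1.0);
    }
    return t;
}

/* frndint: round st(0) in place according to the (assumed) rounding mode */
static void x87_frndint(X87 *f) { f->st[f->depth - 1] = round_to_nearest_even(f->st[f->depth - 1]); }

/* Step through the posted instruction sequence for one float argument.
   Returns the value sitting in st(0) when 'ret' executes and reports the
   FPU stack depth at that point through *depth_at_ret. */
static float run_posted_function(float arg, int *depth_at_ret)
{
    X87 fpu = { {0}, 0 };
    float ebp_plus_8  = arg;    /* [ebp+08]: the single stack argument     */
    float ebp_minus_4 = 0.0f;   /* [ebp-04]: local created by 'sub esp,08' */
    float esp_slot    = 0.0f;   /* [esp]   : scratch created by 'sub esp,04' */

    x87_fld(&fpu, 0.0);                          /* fldz                    */
    ebp_minus_4 = (float)x87_fstp(&fpu);         /* fstp dword ptr [ebp-04] */
    x87_fld(&fpu, ebp_plus_8);                   /* fld dword ptr [ebp+08]  */
    x87_frndint(&fpu);                           /* frndint                 */
    esp_slot = (float)x87_fstp(&fpu);            /* fstp dword ptr [esp]    */
    x87_fld(&fpu, esp_slot);                     /* fld dword ptr [esp]     */
    ebp_minus_4 = (float)x87_fstp(&fpu);         /* fstp dword ptr [ebp-04] */
    x87_fld(&fpu, ebp_minus_4);                  /* fld dword ptr [ebp-04]  */
    /* leave / ret: restore ebp and pop the return address; the FPU stack is untouched */
    *depth_at_ret = fpu.depth;
    return (float)fpu.st[fpu.depth - 1];         /* st(0) is the return value */
}

/* Convenience wrappers: the rounded value, and how many values the callee left on the FPU stack. */
static float round_via_fpu(float arg)  { int d; return run_posted_function(arg, &d); }
static int   fpu_depth_at_ret(float arg) { int d; run_posted_function(arg, &d); return d; }

int main(void)
{
    const float samples[] = { 2.5f, 3.5f, -1.5f, 2.7f, -0.2f };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("arg %6.2f -> st(0) = %5.1f (FPU depth at ret: %d)\n",
               samples[i], round_via_fpu(samples[i]), fpu_depth_at_ret(samples[i]));
    return 0;
}
```

The trace makes two things visible that the listing alone does not: the fstp/fld pairs through [esp] and [ebp-04] are round trips that leave the value unchanged apart from the single-precision conversion, and at ret exactly one value remains on the FPU stack, which is where a 32-bit caller expects a float result. A real debugger session would additionally show the tie cases (2.5 rounding to 2, 3.5 to 4) changing if the program had altered the rounding mode in the FPU control word.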
mynameisjimmy
Newbie cheater
Reputation: 0

Joined: 21 Jun 2018
Posts: 15

Posted: Thu Jun 21, 2018 9:34 am

ParkourPenguin wrote:
mynameisjimmy wrote:
Am I correct to assume that if it's 'ret null' then it returns nothing?


No. It's returning a floating point value on the x87 stack (conventional for 32-bit applications). Most of that function is redundant; all it does is round its argument to an int and return it.

If there is a number following the return, the stack pointer is further increased by that number of bytes after the return address (stdcall argument cleanup).

You shouldn't try to reverse engineer anything if you can't reason through what code is doing. Try learning about what instructions do first.


I'm moderately familiar with what instructions do - I know that the number 'ret' passes as an argument is the size in bytes of the value, and from it we can guess whether it was an integer (4 bytes), float, etc.

My issue is I lack practical knowledge, like the one you've just provided me with - which I'm thankful for.
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1587

Posted: Thu Jun 21, 2018 10:04 am

ParkourPenguin wrote:
No. It's returning a floating point value on the x87 stack

Basically you are saying ret is case-sensitive with the x87 FPU; in addition to returning to the previous IP it will also return a value in st0? Or pop st0?
(which doesn't make sense to me)

ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4291

Posted: Thu Jun 21, 2018 11:41 am

OldCheatEngineUser wrote:
basically you are saying ret is case-sensitive with x87 fpu, in additional of returning to previous ip it will also return a value in st0? or pops st0?

I don't know what you're talking about.

A ret instruction pops an address from the stack and jumps to it. It has nothing to do with the value returned by a function. By convention, the value returned by a function is stored in eax (integer or pointer), st(0) (floating point number in x86), or xmm0 (floating point number in x64).

mynameisjimmy wrote:
I know that the number 'ret' passes as argument is the size in bytes of value and from it we can guess whether it was integer (4 bytes), float etc.

Not really. There is a ret instruction that takes an operand which specifies how many bytes to increase the stack pointer by after removing the return address from the stack. This just cleans up the arguments passed to the function under the stdcall calling convention.

You can't infer anything about the value type of the arguments from this information. You can guess the number of arguments passed through the stack, but not their type.
(note that x64 has an entirely different calling convention)

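ParkourPenguin's two points above (ret pops only the return address; ret imm16 additionally discards imm16 bytes of stdcall arguments, which tells you at most how many dword slots were pushed, not their types) can be seen with a small model of esp around a call. This is an added example, not code from the thread or from Cheat Engine: the Cpu struct, do_call/do_ret and esp_imbalance are constructed for illustration. The 16-byte argument area in the first scenario comes from the first listing in the thread, where the caller executes `sub esp,0C` and `sub esp,04` before the call and `add esp,10` after it; the callee address 0686C908 is the one quoted in the thread and is only a label here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tiny model of the 32-bit stack during call/ret. Constructed for this
   example: 256 bytes of stack, growing downward; only esp, eip and the
   pushed words are tracked. */
#define STACK_BYTES 256

typedef struct {
    uint32_t mem[STACK_BYTES / 4];
    uint32_t esp;   /* byte offset into mem; STACK_BYTES means empty */
    uint32_t eip;
} Cpu;

static void cpu_reset(Cpu *c) { memset(c, 0, sizeof *c); c->esp = STACK_BYTES; c->eip = 0x401000; } /* constructed start eip */
static void push32(Cpu *c, uint32_t v) { c->esp -= 4; c->mem[c->esp / 4] = v; }
static uint32_t pop32(Cpu *c) { uint32_t v = c->mem[c->esp / 4]; c->esp += 4; return v; }

/* call target: push the address of the next instruction, then jump */
static void do_call(Cpu *c, uint32_t target, uint32_t next_eip) { push32(c, next_eip); c->eip = target; }
/* ret imm16: pop the return address, then discard imm16 further bytes */
static void do_ret(Cpu *c, uint16_t imm) { c->eip = pop32(c); c->esp += imm; }

/* The most a 'ret N' tells you: N/4 dword slots were expected on the stack. Nothing about their types. */
static int stack_slot_count_from_ret(uint16_t ret_imm) { return ret_imm / 4; }

/* Push arg_bytes of arguments, call a function, and clean up on each side as
   requested: caller_adds says whether the caller does 'add esp,N' after the
   call, ret_imm is the operand of the callee's ret. Returns how far esp ended
   up from where it started: 0 means balanced, anything else is a corrupted
   stack (the classic symptom of a calling-convention mismatch). */
static int esp_imbalance(int caller_adds, uint16_t ret_imm, uint32_t arg_bytes)
{
    Cpu cpu;
    cpu_reset(&cpu);
    uint32_t esp_before = cpu.esp;

    cpu.esp -= arg_bytes;                                    /* sub esp,N and then fstp/mov into [esp] */
    for (uint32_t off = 0; off < arg_bytes; off += 4)
        cpu.mem[(cpu.esp + off) / 4] = 0x41414141;           /* constructed argument bytes */

    do_call(&cpu, 0x0686C908, cpu.eip + 5);                  /* call <callee> (5-byte encoding) */
    /* callee body: push ebp / mov ebp,esp / sub esp,.. / leave nets zero, then ret */
    do_ret(&cpu, ret_imm);

    if (caller_adds)
        cpu.esp += arg_bytes;                                /* add esp,N after the call returns */

    return (int)cpu.esp - (int)esp_before;
}

/* True when ret landed back on the instruction after the call. */
static int returned_to_caller(uint16_t ret_imm)
{
    Cpu cpu;
    cpu_reset(&cpu);
    do_call(&cpu, 0x0686C908, cpu.eip + 5);
    do_ret(&cpu, ret_imm);
    return cpu.eip == 0x401005;
}

int main(void)
{
    printf("caller add esp,10 / callee ret      (thread listing): imbalance %d\n", esp_imbalance(1, 0, 16));
    printf("no caller cleanup / callee ret 8    (stdcall):        imbalance %d\n", esp_imbalance(0, 8, 8));
    printf("caller add esp,8  / callee ret 8    (both clean up):  imbalance %d\n", esp_imbalance(1, 8, 8));
    printf("no caller cleanup / callee ret      (nobody cleans):  imbalance %d\n", esp_imbalance(0, 0, 8));
    printf("'ret 8' implies %d dword slots of arguments\n", stack_slot_count_from_ret(8));
    return 0;
}
```

The first two scenarios are the balanced ones: caller cleanup (as in the thread's listing, where the `add esp,10` after the call undoes the 16 bytes reserved before it) and callee cleanup with `ret imm16`. The last two show why the distinction matters when reasoning about or patching code: if both sides clean up, or neither does, esp drifts by the argument size on every call and the next ret pops garbage as a return address.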
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1587

Posted: Thu Jun 21, 2018 9:22 pm

ParkourPenguin wrote:
A ret instruction pops an address from the stack and jumps to it.

Everyone knows that.
Internally, the call pushes the next IP onto the stack and ret pops it.

ParkourPenguin wrote:
mynameisjimmy wrote:
Am I correct to assume that if it's 'ret null' then it returns nothing?

No. It's returning a floating point value on the x87 stack


What do you mean by floating point value? Written by mistake?

ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4291

Posted: Thu Jun 21, 2018 10:52 pm

OldCheatEngineUser wrote:
what do you mean with floating point value? wrote by mistake?

No, that isn't a mistake. A floating point data type is a way to store numbers on a computer (e.g. "float" and "double"). A value of such a type can be called a floating point value.

OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1587

Posted: Thu Jun 21, 2018 11:16 pm

Yeah, nothing new!

Because this line is confusing:
"No. It's returning a floating point value on the x87 stack"
Probably two answers in one line.
