Cheat Engine The Official Site of Cheat Engine
Fresco Grandmaster Cheater
Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Tue Jan 08, 2013 2:16 pm Post subject: find out if the code accesses the registers
So here's the thing: I recently bumped into studying how assembly functions work. I have no problem when I write them on my own, but it's kind of hard to track a game's function, especially with no comments by the author, as it's a game and it wasn't developed in asm.
I'm struggling to understand the parameters of that function; I need to know if the function just uses the stack for incoming parameters or if it needs some registers too.
I was wondering if CE has the ability to find out if the function accesses the registers before writing to them.
I mean, when I call a function, eax or ebx or any other register for that matter has a value. I need to know if the function that I call uses any register's value before writing something to it, because after the function writes to eax or any register, I don't care if or when it uses eax...
Thanks
... Fresco

Fresco Grandmaster Cheater
Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Thu Jan 10, 2013 1:04 pm
Anyone?
... Fresco

rindew Newbie cheater
Reputation: 0
Joined: 19 Jan 2013 Posts: 16 Location: Tennesse
Posted: Mon Jan 21, 2013 10:16 pm
I'm not EXACTLY following you, but CE does have a way to find out what is accessing or writing to a specific address.
Fresco Grandmaster Cheater
Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Sat Jan 26, 2013 7:29 am
I need to know if a function that I call uses the value of any register or not,
like:
Code:
mov eax, val
push whatever
call function
// clear stack
We know for sure that "function" will use the value "whatever", but what about "val"? Does "function" use val? How do I know that?
val is moved into eax, therefore I need to know if "function" uses the value of eax or not in order to work.
Get it?
... Fresco

ablonevn Advanced Cheater
Reputation: 1
Joined: 02 Oct 2011 Posts: 59
Posted: Sat Jan 26, 2013 10:05 am
Fresco wrote: (the previous post, quoted in full)
I don't really understand your question, but any guess may be wrong. Here is another piece of code where you cannot guess whether its value has been used or not, even though it is always used. That task cannot be automated:
Code:
mov eax, val
push whatever
call function
function:
push eax            //use eax's value
cmp [someaddress],1
jne exit
mov ecx,eax         //use eax's value
mov eax,[ecx]
exit:
pop eax             //use eax's value
And this:
Quote: we know for sure that "function" will use the value whatever
is only your guess; there is no way to be "certain" that "function" uses whatever if you don't read its code:
Code:
mov eax, val
push whatever
call function
mov [esp+4],eax
pop whatever
function:
xor eax,bed         // bed is a hex immediate (0xBED)
ret
Fresco Grandmaster Cheater
Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Fri Feb 01, 2013 6:02 am
You're right, but most of the time
Code:
push a
push b
push c
call fncz
add esp,0C
means that fncz uses a, b and c.
My question is:
Code:
mov eax,hpaddy
push val
call dechp
add esp,4
cmp eax,retid   // etc...
//---
dechp:
cmp eax,0                           //<- here
je done
mov ebx,[esp+4]                     // val; [esp] holds the return address pushed by call
sub [eax],ebx                       //<- here
mov eax,[hpsuccessfullydecreased]   //<- not here
cmp eax,0                           //<- not here
mov ecx,2                           // cmov takes a register or memory source, not an immediate
cmova eax,ecx                       //<- not here
done:
ret
//---
hpsuccessfullydecreased:
dd 1
I need to know the code in function "dechp" that accesses eax (or any other register that I choose) before writing to it (which are those marked with "<- here").
I don't care about anything after the function writes to eax,
but I want to know if the value that eax holds at the function call is used by the program.
Simply: is eax a parameter that "function" needs in order to work, or not?
It seems like "dechp" uses eax.
But how do I determine that in a real program without looking line by line?
eax is just an example, but what if a function uses ebx or others?
Another example:
Code:
call settozero
settozero:
mov dword ptr [eax],0
ret
settozero uses register eax as a reference and does not use the stack.
My question:
How can I know if "settozero" uses eax's value?
It may not be a standard, but some programs/games do that! It's not always the stack that gets used by a function :)
ablonevn wrote: push eax //use eax's value
In some ways... but then why bother pushing eax and using esp instead of just using eax as it is?
"push eax" means: decrement the stack by 4 bytes, save eax's value at the top of the stack and then set eax to zero.
cmp eax,2 <- this uses eax
... Fresco

ablonevn Advanced Cheater
Reputation: 1
Joined: 02 Oct 2011 Posts: 59
Posted: Fri Feb 01, 2013 9:10 am
Fresco wrote: (the previous post, quoted in full)
Uh, I think it is really hard work. The "push eax" may just free eax to use it for some other task and then restore its value. The thing you want to do is most likely what IDA's Hex-Rays does, and you know rare users would share it with you if they knew it. Here is another example:
Code:
mov eax,64
call func
func:
push ebp
mov ebp,esp
push eax            ; now eax's value equals "[ebp-4]" & [esp-4]; you must monitor these two addresses to know whether the function uses eax or not
call dochangeeax    ; assume this is stdcall :D; now, at this point, you must monitor both eax and [ebp+8] :D
push edx
mov [ebp-4],edx
push [ebp-4]
call anotherfunc
I think you could write some small function and try to decompile it to get the same result as IDA does ("transform registers into variables so you will know when the variable is used"). If you have enough time, you will own another Hex-Rays version too.
Fresco Grandmaster Cheater
Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Sun Feb 03, 2013 10:14 am
Perhaps I'm explaining myself wrong.
I'm wondering if a function uses eax as a parameter.
How can I know that?
I was hoping I'd find some code analyzer that will tell me if the function copies eax's value before writing to it.
Code:
// C++
MessageBox( NULL, eax, ebx, MB_OK );
It's wrong writing it this way, but still, I hope you get it.
MessageBox is a function.
It accepts 4 parameters,
2 of which are direct registers (eax and ebx) and the other 2 are on the stack ([esp]).
The asm will be:
Code:
// eax and ebx already have a value here
push NULL
push MB_OK
call MessageBox
I know that the MessageBox function uses only the stack, but still.
If you see this function for the first time at the asm level, you don't know what parameters it needs in order to work.
You may think that it uses NULL and MB_OK and just that.
Now, without knowing that it uses eax and ebx, how can you determine that?
Well, simple: right click the function in the debugger and see if it reads eax's or ebx's value before writing to it.
If I push eax, I'll only get eax's value in [esp], but the function will not take the value of [esp], but eax.
Got it now?
Sample function:
Code:
function:
// some stuff
mov [ecx+4],eax   //<- here the program reads eax
add eax,30
mov [esp],eax     //<- here the program also reads eax
I was wondering if there's an automated algorithm that will return true or false depending on whether the selected function uses eax's value before writing to eax or not, which basically means that it uses eax's value in order to work properly, which means that the register eax is a parameter for the function.
... Fresco
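The check asked for in the post above ("does the function read eax before it writes eax?"), worked through as an added example; this is not Cheat Engine's code and not the poster's. The script takes a text listing in the shape a disassembler dumps (CE's Lua `disassemble()` or a debugger view will do), follows every branch, and reports both the instructions that read a register while it still holds the caller's value (Fresco's "<- here" marks) and the resulting set of register inputs. The listings `DECHP`, `SETTOZERO`, `SAVE_RESTORE` and `CLOBBER` are constructed from the sketches in this thread; the small instruction set, the assumption that a `call` clobbers eax/ecx/edx and reads nothing, and the absence of esp tracking and of 8/16-bit register aliases are this example's own simplifications.

```python
"""Read-before-write analysis for one x86-32 function (added example, not CE code).

Reports the instructions that read a register while it still holds the caller's
value (the '<- here' marks) and the set of registers the function takes as inputs.
Listing shape: 'label:' lines, 'mnemonic dst,src' lines, '//' or ';' comments.
Only a small instruction set is modelled; an unknown mnemonic raises.
"""
import re

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp"}   # esp is not tracked: always live
JCC = {"je", "jne", "jz", "jnz", "ja", "jae", "jb", "jbe", "jg", "jge", "jl", "jle"}
ALU = {"add", "sub", "adc", "sbb", "and", "or", "xor", "shl", "shr"}


def regs_in(operand):
    """Registers named in an operand, including inside a memory [ ... ] expression."""
    return {t for t in re.findall(r"[a-z0-9_]+", operand.lower()) if t in REGS}


def effects(m, ops):
    """(reads, writes) for one instruction; a memory destination reads its address registers."""
    dst = ops[0] if ops else ""
    src = ops[1] if len(ops) > 1 else ""
    dst_regs, dst_is_reg = regs_in(dst), dst.lower() in REGS
    written = dst_regs if dst_is_reg else set()           # only a register destination is written
    mem_regs = dst_regs - written                         # address registers of a memory destination
    if m == "mov":
        return regs_in(src) | mem_regs, written
    if m in ALU:
        if m == "xor" and dst_is_reg and dst.lower() == src.lower():
            return set(), written                         # xor reg,reg zeroes without reading
        return dst_regs | regs_in(src), written
    if m in ("cmp", "test"):
        return dst_regs | regs_in(src), set()
    if m == "push":
        return dst_regs, set()                            # push eax does read eax
    if m == "pop":
        return mem_regs, written
    if m.startswith("cmov"):
        return dst_regs | regs_in(src), written           # dst may be kept, so it counts as read
    if m == "call":
        return dst_regs, {"eax", "ecx", "edx"}            # assumption: callee clobbers caller-saved regs
    if m in JCC or m in ("jmp", "ret", "nop"):
        return set(), set()
    raise ValueError("unmodelled mnemonic: " + m)


def parse(listing):
    """-> (labels: name -> index of the next instruction, [(mnemonic, [operands]), ...])."""
    labels, insns = {}, []
    for raw in listing.strip().splitlines():
        line = raw.split("//")[0].split(";")[0].strip()
        if line.endswith(":"):
            labels[line[:-1]] = len(insns)
        elif line:
            mnem, _, rest = line.partition(" ")
            insns.append((mnem.lower(), [o.strip() for o in rest.split(",")] if rest else []))
    return labels, insns


def successors(i, insns, labels):
    m, ops = insns[i]
    fall = [i + 1] if i + 1 < len(insns) else []
    if m == "ret":
        return []
    if m == "jmp" or m in JCC:
        return ([] if m == "jmp" else fall) + [labels[ops[0]]]   # KeyError on an unknown target
    return fall


def entry_value_uses(listing):
    """[(index, text, regs)]: instructions reading a register that still holds its entry value."""
    labels, insns = parse(listing)
    eff = [effects(m, o) for m, o in insns]
    preds = [[] for _ in insns]
    for i in range(len(insns)):
        for s in successors(i, insns, labels):
            preds[s].append(i)
    # Forward fixpoint: unwritten[i] = registers not yet written on some path from entry to i.
    unwritten = [set() for _ in insns]
    changed = True
    while changed:
        changed = False
        for i in range(len(insns)):
            flow = set(REGS) if i == 0 else set()         # at entry every register is the caller's
            for p in preds[i]:
                flow |= unwritten[p] - eff[p][1]
            if flow != unwritten[i]:
                unwritten[i], changed = flow, True
    return [(i, m + " " + ",".join(o), sorted(eff[i][0] & unwritten[i]))
            for i, (m, o) in enumerate(insns) if eff[i][0] & unwritten[i]]


def register_inputs(listing):
    """Sorted registers whose caller-supplied value the function reads: its register inputs."""
    return sorted(set().union(*(set(r) for _, _, r in entry_value_uses(listing))))


# Constructed listings mirroring the sketches in this thread.
DECHP = """
dechp:
cmp eax,0                           // <- here
je done
mov ebx,[esp+4]                     // the pushed argument ([esp] is the return address)
sub [eax],ebx                       // <- here
mov eax,[hpsuccessfullydecreased]   // eax overwritten: later reads are not inputs
cmp eax,0
mov ecx,2
cmova eax,ecx
done:
ret
"""
SETTOZERO = "settozero:\nmov dword ptr [eax],0\nret"
SAVE_RESTORE = "push eax\nmov eax,[ecx]\npop eax\nret"      # the push already reads eax
CLOBBER = "xor eax,eax\nmov [ecx],eax\nret"                 # eax is written before any read
```

Two things the run makes visible. The analysis is a "may" analysis: a read on any one path counts, which is what you want when deciding whether a register is an input. And it cannot tell a save from a use: `push eax ... pop eax` reads eax, exactly as ablonevn's example says, so a register reported as an input is one the function depends on or at least preserves; a register not reported is one the function overwrites before looking at it, and that is the answer that is safe to act on.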
ablonevn Advanced Cheater
Reputation: 1
Joined: 02 Oct 2011 Posts: 59
Posted: Mon Feb 04, 2013 2:31 am
Um, you just want to determine which parameters are passed to a function? It could be done by examining the esp register, but it doesn't always work, just because "shared code" makes it too complex. Here is a method to determine the parameters passed to a function (just a solution for most apps, not always working):
1/ determine which point is the beginning of the function
2/ follow every jump until you see a "ret" instruction; mark these points as possible ends of the function (one function can have very many rets), and which "ret" changes ESP's value to
3/ analyze the stack pointer and every child function (the hardest part is determining the function calling style).
This is an example; assume every function uses stdcall or cdecl:
Code:
push ebp        ;1  esp=0, after this instruction has executed esp=-4
mov ebp,esp     ;2  -0 ebp=-4
mov eax,1       ;3  -0
push eax        ;4  -4
call setvalue   ;5  -4
add esp,4       ;6  +4
cmp eax,1       ;7  +0 esp=-8
je locret       ;8
push ebx        ;8a
push ebx        ;9
push ecx        ;10
push ebp        ;11
call trashfunc  ;12
pop ebx         ;8b
locret:         ;13 esp=-8
mov esp,ebp     ;14
pop ebp         ;15
ret             ;16
setvalue:
mov eax,10      ;+0
ret             ;+0
trashfunc:
ret 10
The algorithm is: ESP's value at the beginning of the function must equal ESP's value at the end of the function. Assume ESP's value at line 1 is 0.
Now examine the first call, "setvalue". To determine the function's parameters, whatever the calling style is, ESP's value before the function call must equal ESP's value after the function call (cdecl calls usually use add esp,xxx). Whatever is in that range will be the function's parameters. To determine whether the function used these values or not, analyze the child function to know which opcodes do a "read" or "write" operation on the stack/registers; then go to Intel's website and download the complete instruction manual for the CPU architecture you are going to program for, or you can read the assembler unit of darkbyte.
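The ESP bookkeeping from the post above, carried out by a script as an added example (not from the thread and not Cheat Engine's code). It walks one function body tracking ESP relative to entry, pairs each `call` with its cleanup to classify it as cdecl (caller does `add esp,N`) or stdcall (callee does `ret N`), lists the argument pushes in C order, checks that ESP is back at zero at `ret`, and maps `[ebp+N]` reads inside a callee to argument numbers using the usual frame layout (old ebp at ebp+0, return address at ebp+4, first argument at ebp+8). The sample functions are constructed from the listing in the post (with `trashfunc` given a body that reads its arguments) and from Fresco's `push a / push b / push c / call fncz / add esp,0C`. Immediates are hexadecimal as in CE's disassembler, jumps are not followed, and indirect calls are not resolved; those are this script's assumptions.

```python
"""Recover the stack arguments of each call by tracking ESP (added example, not CE code).

Straight-line bookkeeping for one function body: ESP is tracked relative to entry,
so the pushes outstanding at a 'call' are its argument candidates, and the cleanup
says how many belong to it and which convention is in use ('add esp,N' after the
call: caller cleans up, cdecl; callee ending in 'ret N': callee cleans up, stdcall).
Inside a callee with a 'push ebp / mov ebp,esp' frame, [ebp+8] is argument 1,
[ebp+0C] argument 2, and so on. Immediates are hex as in Cheat Engine's
disassembler; a '#' prefix means decimal. Jumps are not followed, so a body that
branches is analysed one path at a time. Functions are supplied pre-tokenised as
{name: [(mnemonic, [operands]), ...]}.
"""
import re


def num(s):
    """Immediate in Cheat Engine notation: hex by default, '#' prefix for decimal."""
    s = s.strip().lower()
    return int(s[1:], 10) if s.startswith("#") else int(s, 16)


def callee_cleanup(body):
    """Bytes a callee removes itself: N from 'ret N', else 0 (plain ret or unknown callee)."""
    return next((num(ops[0]) for m, ops in body if m == "ret" and ops), 0)


def frame_arg_refs(body):
    """(index, operand, argument number) for every [ebp+N] operand with N >= 8."""
    refs = []
    for i, (m, ops) in enumerate(body):
        for op in ops:
            hit = re.fullmatch(r"\[ebp\+([0-9a-f]+)\]", op.lower())
            if hit and num(hit.group(1)) >= 8:
                refs.append((i, op, (num(hit.group(1)) - 8) // 4 + 1))   # ebp+8 -> arg 1
    return refs


def analyse_calls(funcs, name):
    """Walk funcs[name] tracking ESP; return (calls, esp_balanced_at_ret).

    Each call is {"target", "convention", "args"} with args in C order (first
    argument = last push). esp_balanced_at_ret is the check from the post: ESP at
    'ret' must equal ESP at entry, otherwise the bookkeeping went wrong somewhere.
    """
    body, depth, frame, pushed, calls = funcs[name], 0, None, [], []
    for i, (m, ops) in enumerate(body):
        if m == "push":
            depth += 4
            pushed.append((depth, ops[0]))
        elif m == "pop":
            depth -= 4
        elif m in ("sub", "add") and ops[0] == "esp":
            depth += num(ops[1]) if m == "sub" else -num(ops[1])
        elif m == "mov" and ops == ["ebp", "esp"]:
            frame = depth                                  # remember where the frame was set up
        elif m == "mov" and ops == ["esp", "ebp"] and frame is not None:
            depth = frame                                  # discards everything pushed above the frame
        elif m == "call":
            nxt = body[i + 1] if i + 1 < len(body) else ("", [])
            if nxt[0] == "add" and nxt[1][0] == "esp":
                nbytes, conv = num(nxt[1][1]), "cdecl"     # caller cleans up on the next instruction
            else:
                nbytes = callee_cleanup(funcs.get(ops[0], []))
                conv = "stdcall" if nbytes else "unknown/no stack args"
                depth -= nbytes                            # the callee's 'ret N' popped the arguments
            n = nbytes // 4
            calls.append({"target": ops[0], "convention": conv,
                          "args": [op for _, op in pushed[len(pushed) - n:]][::-1] if n else []})
        elif m == "ret":
            return calls, depth == 0
        pushed = [p for p in pushed if p[0] <= depth]      # drop pushes that have been popped
    return calls, depth == 0


# Constructed samples: the listing from the post, and Fresco's three-argument cdecl call.
SAMPLE = {
    "main": [("push", ["ebp"]), ("mov", ["ebp", "esp"]),
             ("mov", ["eax", "1"]), ("push", ["eax"]),
             ("call", ["setvalue"]), ("add", ["esp", "4"]),
             ("cmp", ["eax", "1"]), ("je", ["locret"]),
             ("push", ["ebx"]), ("push", ["ebx"]), ("push", ["ecx"]), ("push", ["ebp"]),
             ("call", ["trashfunc"]),
             ("mov", ["esp", "ebp"]), ("pop", ["ebp"]), ("ret", [])],
    "setvalue": [("mov", ["eax", "10"]), ("ret", [])],
    "trashfunc": [("push", ["ebp"]), ("mov", ["ebp", "esp"]),
                  ("mov", ["eax", "[ebp+8]"]), ("add", ["eax", "[ebp+14]"]),
                  ("pop", ["ebp"]), ("ret", ["10"])],
}
FNCZ = {"caller": [("push", ["a"]), ("push", ["b"]), ("push", ["c"]),
                   ("call", ["fncz"]), ("add", ["esp", "0C"]), ("ret", [])]}
```

Read together with the `[ebp+N]` report, the two views cross-check each other: `trashfunc` is called with four pushes and cleans 0x10 bytes with `ret 10`, and its body touches `[ebp+8]` and `[ebp+14]`, arguments 1 and 4, so the count from the caller side and the frame layout on the callee side agree. When they disagree, or when ESP is not back at zero at `ret`, the listing contains something this linear walk does not model (a jump that skips a cleanup, `ret` in the middle of a pushed run, or a callee that is not stdcall/cdecl), which is exactly the case the post warns about.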
n0 m3rcY Cheater
Reputation: 0
Joined: 18 Jun 2012 Posts: 42
Posted: Tue Feb 05, 2013 1:06 am Post subject: Re: find out if the code accesses the registers
Fresco wrote: So here's the thing: I recently bumped into studying how assembly functions work. I have no problem when I write them on my own, but it's kind of hard to track a game's function, especially with no comments by the author, as it's a game and it wasn't developed in asm.
I'm struggling to understand the parameters of that function; I need to know if the function just uses the stack for incoming parameters or if it needs some registers too.
I was wondering if CE has the ability to find out if the function accesses the registers before writing to them.
I mean, when I call a function, eax or ebx or any other register for that matter has a value. I need to know if the function that I call uses any register's value before writing something to it, because after the function writes to eax or any register, I don't care if or when it uses eax...
Thanks
It depends on whether it's x86 or x86_64.
x86 has a few calling conventions; stdcall is the most common and returns in eax. ecx and edx are volatile (you can tell if esi, edi and ebx are being used from any pushes).
x86_64 only has fastcall, where rcx, rdx, r8 and r9 are used for parameters and are volatile; rax is the return. r10 and r11 are also volatile.
You can tell any non-volatile registers being used by pushes. Also, you can step over the function call and CE or Olly should show the registers changed.
As for the x86 stack frame of a typical function, here's the layout:
ebp+$0 = old ebp
ebp+$4 = return address
ebp+$8 = 1st param
ebp+$c = 2nd param
...