ulysse31 Master Cheater
Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Sun Mar 22, 2015 7:39 pm Post subject: Calling a function
Hi, I am trying to call a function in a game.
I have done the tutorials I could find on it (shadowhaloplayer's), but the ones I found were simply too easy: they used Ultimap to find a starting point, and then the function used two arguments which happened to be right before the call... it's never that easy IRL.
So, I want to call a function in game which is an interaction with an NPC (could also be the use of a skill for all I care), and I try to locate a starting point with Ultimap.
Once the call is found, I break and trace the call, because I am thinking I need to have the same register/stack values.
First question is: if I use the same stack values, is it very likely that the call will work, or do I need to take more into account (maybe static stack values), etc.?
In game, you press "F" and the skill (or interaction with the NPC) is done.
So I am thinking it shouldn't be that hard: ultimately F is sending you somewhere, it pushes values onto the stack and then calls the function (I think?), so if Ultimap can find the call, why can't it find the pushes before the call?
My call is between jumps and calls, like a place where many function calls are stored, so I am guessing there are pushes that lead to a jmp that leads to my call, so I tried to scan for the address value of my initial call.
But I noticed that if I scan for the address that a jmp jumps to, it doesn't find me the address of the jmp instruction.
I even watched a jmp xxxxxxxxx and copied the bytes I saw in the memory viewer, and I scanned for them and got nothing (that was surprising; I still don't understand why).
So if I can't track the pushes, I have to trace the call and simply copy the whole stack/register values, and then I intend to do a createthread that would have this:
    pushad          ; save all general-purpose registers
    pushfd          ; save the flags
    xor eax,eax     ; zero every register before the call
    xor ecx,ecx
    xor edx,edx
    xor ebx,ebx
    xor esi,esi
    xor edi,edi
    xor ebp,ebp
    ; (all stack values copied here)
    ; call of function
    popfd           ; restore the flags
    popad           ; restore the registers
    ret             ; end of the thread
Would this work? Is there an efficient way to copy a stack? (I think there are hundreds of values to copy.)
Is there a more efficient way to call a skill in game through CE (not interested in having CE send the key bound to the skill in game)?
Thanks
justa_dude Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010 Posts: 893
Posted: Sun Mar 22, 2015 11:52 pm
Set a breakpoint, then look at the stack trace in CE's memory window to find out what code called yours.
_________________
Next to the big gate, there is always a small gate.
----------------------
Come on...

ulysse31 Master Cheater
Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Mon Mar 23, 2015 6:35 am
Thanks for the reply.
I did Geri's tutorial, so I can do the backtrace using "break and trace instructions".
However, my function only calls other functions and never goes "back", therefore I cannot trace what called it with this tool (I even tried tracing 20,000 instead of the default 1,000 and it didn't go back).
So there is the breakpoint option with the stack trace, and it gives the window with return addresses and parameters; however, the return addresses seem completely unrelated to my function, it doesn't make any sense to me.
I get several return addresses that either send me into a sea of "add [eax],al" or give me an access violation error, and I didn't find a single article which would tell how to interpret those return addresses.
(If you have one, I'd gladly read it.)
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Mon Mar 23, 2015 7:36 pm
You need to break on the original function within the game code.
You can then find the call statement and find all of the arguments it is being passed.
You then need to replicate those arguments in the code you provided.
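One way to do what Zanzer describes, as an added example in Cheat Engine Lua (this is not code from the thread or from Cheat Engine's own sources): once the call site has been read and the arguments are known, replicate them in a stub. Instead of a createthread stub, the script below hooks an instruction the game already executes every frame and performs the call from inside that hook when a flag is set, so the function runs on the game's own thread and in the game's own state, which avoids the crashes a call from a foreign thread can cause. Every address, the argument layout (object pointer in ECX, two DWORDs pushed right to left, callee cleans the stack) and the overwritten instructions are assumptions written in for illustration and must be replaced with what you actually read at the real call site.

```lua
-- Added example: trigger a game function from Cheat Engine Lua by injecting a
-- flag-checked hook (an Auto Assembler script passed to autoAssemble()).
-- Not the thread's code; every address and instruction below is an ASSUMED
-- placeholder for illustration:
--   game.exe+12340  assumed: the function found by breaking on the call site
--   game.exe+45678  assumed: static pointer to the player/NPC object
--   game.exe+22220  assumed: an instruction executed every frame that is at
--                   least 5 bytes long, so a jmp fits ("mov eax,[esi+10]" +
--                   "test eax,eax" = 3 + 2 bytes)
-- Argument layout assumed from the call site: object pointer in ECX and two
-- DWORDs pushed right to left (skill id, then 0); the callee cleans the stack.

local hookScript = [[
alloc(newmem,512)
alloc(triggerSkill,4)
registersymbol(triggerSkill)
label(skipcall)
label(originalcode)
label(return)

triggerSkill:
  dd 0                           // set to 1 from Lua to request one call

newmem:
  pushfd                         // keep the hooked site's flags intact
  pushad                         // and all of its registers
  cmp dword ptr [triggerSkill],0
  je skipcall                    // nothing requested this frame
  mov dword ptr [triggerSkill],0 // clear first so a slow call is not re-entered
  mov ecx,[game.exe+45678]       // ASSUMED: object pointer expected in ECX
  push 0                         // ASSUMED: second argument seen at the call site
  push 3                         // ASSUMED: first argument (skill id)
  call game.exe+12340            // ASSUMED: the target function
  // add esp,8                   // use this line too if the callee is cdecl
skipcall:
  popad
  popfd

originalcode:
  mov eax,[esi+10]               // ASSUMED: the bytes the jmp overwrote
  test eax,eax
  jmp return

game.exe+22220:                  // ASSUMED: per-frame instruction to hook
  jmp newmem
return:
]]

local hookInstalled = false

-- Install the hook once; returns true when the Auto Assembler accepted it.
local function installHook()
  if hookInstalled then return true end
  hookInstalled = autoAssemble(hookScript) == true
  return hookInstalled
end

-- Request one call of the function. The next hooked frame performs it on the
-- game's own thread, so no register or stack state has to be copied by hand:
-- only the arguments the callee actually reads are supplied.
local function castSkill()
  if not installHook() then
    print("hook not installed; check the assumed addresses")
    return false
  end
  writeInteger("triggerSkill", 1)   -- symbol registered by the script
  return true
end

castSkill()
```

The point of the flag is that the hook runs constantly while the call happens only when requested, and the flag is cleared before the call so a long-running function is not re-entered on the next frame. If the callee turns out to be cdecl (the original call site is followed by an `add esp,8`), the caller has to clean the stack as the commented line shows; getting this wrong is the usual cause of a crash right after an otherwise correct call.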
ulysse31 Master Cheater
Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Tue Mar 24, 2015 8:42 am
Thanks.
I managed to get the return address from the breakpoint to somewhat work.
Somewhat, because it doesn't tell me every call, but it doesn't matter too much because the last call it gives is right anyway.
It only doesn't work on that game, where it tells me access violation, but I am trying to get a Minesweeper function to work, and for Minesweeper the return addresses are correct.
I managed to track down a conditional jne after which the code is only used when I click "About Minesweeper".
Before the jne the code is always accessed (whenever the mouse is on the Minesweeper window the code is read).
Then I changed the jne to a je (basically always read my "send About window" code) and I expected a crash, but no, the game functioned right.
The only thing it changed is that now whenever my mouse is placed upon "About" I don't need to left-click it anymore; it instantly launches.
So I am guessing (can anyone confirm?) that simply putting the mouse there changes register values and maybe pushes arguments too, which can then get used by my jne -> je change (which is sort of always trying to launch Minesweeper's About window).
But it gets really hard to keep tracing, because I am on a long piece of code that gets read perpetually by the game but is still important to my "call About window" function. Obviously it has become really hard to isolate this code.
Can someone tell me if the right approach to go further is this:
Take stack and register snapshots and see what values never change when the About window is called.
Do conditional breakpoints based on these values (say EAX==12312131 only, but also always when About is called); then I guess I might be able to go further in the traceback this way.
But is there a more efficient way to do this?
In Pinball, calling the About window is as simple as this:
    push xxxxxxx
    push 0
    push xxxxxxx
    call xxxxxxxxx
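The "take snapshots and see what never changes" idea from the post above, as an added example in Cheat Engine Lua (not code from the thread or from Cheat Engine itself). It sets a breakpoint on the call site, records the general registers and the first few stack slots on every hit, and then reports which values were identical across all hits and which varied, so that fixed context (object pointers, the return address of a fixed caller) can be told apart from per-call arguments and leftover stack garbage. The call-site address, the 32-bit register names and the number of slots read are assumptions for illustration.

```lua
-- Added example (not from the thread): snapshot registers and stack slots on
-- every hit of a breakpoint at the call site, then report which values never
-- changed between hits.
-- ASSUMED: the call site is game.exe+12300 and the target is a 32-bit process
-- (EAX..ESP and EIP globals); replace with the real address from the debugger.

local CALL_SITE   = getAddress("game.exe+12300")  -- ASSUMED address
local STACK_SLOTS = 8                             -- dwords read from [ESP] upward
local samples     = {}                            -- one snapshot table per hit

-- Copy the general registers and [ESP+0 .. ESP+4*(STACK_SLOTS-1)] into a table.
local function snapshot()
  local s = { EAX = EAX, EBX = EBX, ECX = ECX, EDX = EDX,
              ESI = ESI, EDI = EDI, EBP = EBP, ESP = ESP }
  for i = 0, STACK_SLOTS - 1 do
    -- readInteger returns nil when the page is not readable; record that
    -- explicitly so the key is still present in the table
    local v = readInteger(ESP + i * 4)
    s[string.format("[ESP+%02X]", i * 4)] = (v == nil) and "unreadable" or v
  end
  return s
end

-- Called by CE on every breakpoint hit. Return 1 to continue silently,
-- 0 to hand the break to CE's debugger window (breakpoints we did not set).
function debugger_onBreakpoint()
  if EIP ~= CALL_SITE then return 0 end
  samples[#samples + 1] = snapshot()
  print(string.format("hit %d at %08X, ESP=%08X", #samples, EIP, ESP))
  return 1
end

-- A key whose value is identical in every hit is "constant" (context such as
-- an object pointer or the return address of a fixed caller); keys whose
-- values differ are "varying" (per-call arguments, or unrelated stack garbage).
local function classify()
  local constant, varying = {}, {}
  if #samples == 0 then return constant, varying end
  for key, first in pairs(samples[1]) do
    local same = true
    for i = 2, #samples do
      if samples[i][key] ~= first then same = false break end
    end
    if same then constant[key] = first else varying[key] = true end
  end
  return constant, varying
end

local function fmt(v)
  if type(v) == "number" then return string.format("%08X", v) end
  return tostring(v)
end

local function report()
  local constant, varying = classify()
  print(string.format("%d hits recorded", #samples))
  for key, value in pairs(constant) do
    print(string.format("constant %-10s = %s", key, fmt(value)))
  end
  for key in pairs(varying) do
    print("varying  " .. key)
  end
end

-- Usage: run this once to arm the breakpoint (CE attaches its debugger),
-- trigger the in-game action several times, then call report() from the Lua
-- console and finally debug_removeBreakpoint(CALL_SITE).
debug_setBreakpoint(CALL_SITE)
```

Trigger the action through two different paths (a normal click versus the patched jne -> je) and compare the two reports: a slot that is constant in one run and different in the other is the one the patch failed to set up, which is the quickest way to find the argument or state the forced path is missing.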
ulysse31 Master Cheater
Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Tue Mar 24, 2015 4:57 pm
So, if anyone follows the same path I followed and has issues finding information on basic things such as the F5 breakpoint, etc.:
Atm I think this breakpoint works until the point where you reach a core routine and it starts sending you back "too deep".
About calling game functions, this is what worked: I backtraced the call up until I reached a routine (code executed repeatedly); then it wasn't just the function I wanted anymore, it sets the game in a state where it is susceptible to call several functions, including the one I wanted.
From there you do a backtrace and you look at the difference between a routine backtrace where you changed the first conditional jmp to always go where your function call is, and a backtrace where you have the default conditional jmp and you actually call your function yourself through the game mechanism.
In there lies the answer about what to do to call the function through memory correctly (at least, it did for me).
Usually it's conditional jmps, and if you modify them enough, eventually the function will be triggered, only it will be triggered without cooldown.
A few more modifications and it'll be triggered as intended, though.