    #1 [GH]Rake (Administrator)

      How to Call a Game Function

      John Kittz
      Requirements: Intermediate knowledge of ASM, C++ and the stack; internal access to the process

      1) Find the address of the function you want to call

      Example:
      If you want to call the function that does damage to players, you would find your entity address, the enemy's entity address, do a "Find what Accesses This Address" on the enemy's health. Shoot the enemy once. Find the instruction that has only been executed once. This could be the function DoDamage() or it could be a function like DecreaseHealth() that gets called by the DoDamage() function. If it's DecreaseHealth() you will have to trace backwards to the function that calls it. If it's DoDamage() you will want to right click on this instruction in Cheat Engine and click "Select Function". Scroll to the top of the selected function, the top address is the address of your function.

      2) Discover the calling convention of the function

      You do this by viewing how the arguments are pushed onto the stack or placed in registers by the caller before the function is called and also how they are popped off the stack by either the caller or the callee.

      When a function is called the callee creates a new stack frame using EBP and ESP; each function has its own stack frame, which is the local storage that the function needs.

      Read about stack frames here:
      https://en.wikipedia.org/wiki/Call_stack#Structure
      https://en.wikibooks.org/wiki/X86_Di...d_Stack_Frames
      https://www.cs.cornell.edu/courses/c...ures/lec20.pdf


      Example: For the DoDamage() function you would examine the PUSH instructions before the call, breakpoint the first instruction of the DoDamage() function and examine the registers. Find the address of your entity and of the enemy either on the stack or in the registers.

      Read up on calling conventions:
      https://www.codeproject.com/Articles...ns-Demystified
      https://www.codeproject.com/Articles...ng-Conventions
      https://guidedhacking.com/showthread...d-to-know-them

      3) Discover the arguments and the argument types

      Using IDA is the easiest. If class objects are being passed in you will need to reverse those objects and recreate them in your code. Before your function gets called, you will see arguments get pushed onto the stack, usually in right to left order.
      You can use ReClass to create those classes https://guidedhacking.com/showthread...class-Tutorial

      4) Recreate the function prototype in your code, create a typedef to it and then call it

      Here are some examples:

      //typedef the function prototype (cvar_t is the game's own type, here OpenArena's;
      //recreate it from the game source or with ReClass before using the return value)
      typedef cvar_t*(__cdecl * _Cvar_Get)(const char *var_name, const char *var_value, int flags);

      //Create an instance of the function and assign it to the address found in step 1
      _Cvar_Get Cvar_Get = (_Cvar_Get)0x043F688;

      //Call it like this
      Cvar_Get("cl_gamepath", "OpenArena", 0);

      //typedef the function prototype (clipHandle_t is also one of the game's types)
      typedef clipHandle_t(__cdecl *_CM_InlineModel)(int index);

      //Create an instance of the function and assign it to an address
      _CM_InlineModel CM_InlineModel = (_CM_InlineModel)0x00426a5c;

      //Call it like this
      CM_InlineModel(5);


      @mambda was also kind enough to share a shorter way of doing this using the code that @Nazalas shared here:
      https://guidedhacking.com/showthread...n-game-console


      //multiline method: typedef, assign the address, call
      typedef void(__cdecl * _contoutf)(const char* string, ...);
      _contoutf contoutf = (_contoutf)0x46b060;
      contoutf("Hello");

      //one line method: cast the address to a function pointer type and call it in the same expression
      ((void(__cdecl*)(const char* string))0x46b060)("do the shit");


      Alternatively, if the calling convention is giving you trouble, you can just push the variables onto the stack and call the function using inline ASM as I did in this thread:
      https://guidedhacking.com/showthread...ight=traceline

      If you're using the wrong calling convention you will corrupt the stack and the game will crash. Sometimes I try all the calling conventions until one works hehe

      Please reply if you have something to add to this article!

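As an added example (not code from the post above or from any of the linked threads), here is the step 4 typedef-and-call pattern in a form that compiles and runs stand-alone on any compiler. There is no real game to inject into, so `DoDamage()` and the `Entity` layout are constructed stand-ins for the function and class you would have reversed with Cheat Engine, IDA and ReClass, and the address is taken at run time instead of being a hard-coded constant. The typedef, the cast and the one-line form are exactly what you would write in the hack.

```cpp
#include <cstdint>
#include <cstdio>

// The MSVC calling-convention keyword used in the post. GCC/Clang on Linux do
// not know it (and on any 64-bit target it is meaningless), so define it away
// there. MinGW already defines it as a macro and MSVC treats it as a keyword,
// so both are left alone.
#if !defined(_MSC_VER) && !defined(__cdecl)
#define __cdecl
#endif

// Constructed stand-in for the entity class you would rebuild with ReClass.
// Only the fields the call needs are modelled.
struct Entity {
    char name[16];
    int  health;
    int  armor;
};

// Constructed stand-in for the game's own DoDamage(). In a real target this
// source does not exist for you; you only have the address from step 1.
static void __cdecl DoDamage(Entity* attacker, Entity* target, int amount) {
    (void)attacker;
    int absorbed = target->armor < amount ? target->armor : amount;
    target->armor  -= absorbed;
    target->health -= amount - absorbed;
    if (target->health < 0) target->health = 0;
}

// Step 4: the prototype as a typedef, with the convention found in step 2.
typedef void(__cdecl* _DoDamage)(Entity* attacker, Entity* target, int amount);

// Stands in for the address you read out of Cheat Engine. A real hack would
// use a constant such as (uintptr_t)0x00426a5c, or module base + offset.
uintptr_t FindDoDamageAddress() {
    return reinterpret_cast<uintptr_t>(&DoDamage);
}

// Multiline method: cast the raw address to the typedef and call through it.
// Returns the target's health afterwards so the effect can be checked.
int CallDoDamageAt(uintptr_t addr, Entity* me, Entity* enemy, int amount) {
    _DoDamage fn = reinterpret_cast<_DoDamage>(addr);
    fn(me, enemy, amount);
    return enemy->health;
}

// One-line method from the post: cast and call in a single expression.
int CallDoDamageOneLiner(uintptr_t addr, Entity* me, Entity* enemy, int amount) {
    (reinterpret_cast<void(__cdecl*)(Entity*, Entity*, int)>(addr))(me, enemy, amount);
    return enemy->health;
}

// Builds a fresh attacker/target pair (constructed sample data), hits the
// target once through the raw address and returns its remaining health.
int RunScenario(int enemyArmor, int amount) {
    Entity me    = {"player", 100, 50};
    Entity enemy = {"bot",    100, enemyArmor};
    return CallDoDamageAt(FindDoDamageAddress(), &me, &enemy, amount);
}

int main() {
    uintptr_t addr  = FindDoDamageAddress();
    Entity me       = {"player", 100, 50};
    Entity enemy    = {"bot",    100, 20};
    std::printf("DoDamage() lives at %p\n", reinterpret_cast<void*>(addr));
    std::printf("health after 50 dmg (20 armor): %d\n", CallDoDamageAt(addr, &me, &enemy, 50));
    std::printf("health after another 150 dmg:   %d\n", CallDoDamageOneLiner(addr, &me, &enemy, 150));
    return 0;
}
```

Two caveats that hard-coded constants like 0x043F688 hide: if the game module is built with ASLR the function moves on every launch, so store the offset from the module base and add the base from GetModuleHandle() at run time; and on x64 Windows there is only one calling convention, so __cdecl/__stdcall/__thiscall are ignored by the compiler and the "try every convention until one works" trick only applies to x86 targets.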
    #2 mambda
      Noice stuff, I had this on calling conventions if you want to add it to the list: https://guidedhacking.com/showthread...d-to-know-them!, but those links should be more than enough

      Rake forever giving back :')

    #3 MegaByte
      Cheers,

      Additionally, if you just want to call a game function using Cheat Engine to try out your idea, you can use a script like so.

      Code:
      [enable]
      alloc(MyCode,1024)
      CreateThread(MyCode)

      MyCode:
      // As an example:
      //CALL SomeGameAddress
      // or do other code
      ret // exit thread

      [disable]
      dealloc(MyCode)
      https://blog.extendedgames.com/2012/...de-in-new.html

      Obviously this runs from a new thread, so look out if the code is not thread safe.

      You might be able to improve this by putting it in a try/catch or critical section, I think it is called, so that the game does not crash outright if you screw something up... I'm not sure.

      Best of luck.

    #4 PwndDepot

      Re: How to Call a Game Function

      Something I noticed with the Cheat Engine "select function" utility the other day is it only selected up to the first found "return" instruction, and not the actual start of the stack frame (push ebp then mov ebp, esp). At least for AssaultCube's DoDamage or DecreaseHealth function or whatever, that's what I tested it on.

    #5 [GH]Rake (Administrator)

      Re: How to Call a Game Function

      Cheats'n'Trainers
      yeah I guess that fucker doesn't always work perfecto
