#1 iPower (Global Moderator, Brazil)

      Reverse Engineering example in GTA: SA

      How to Call Game Functions
*****GIVE ME FEEDBACK ABOUT MY TUTORIALS! I WANT TO KNOW IF YOU LIKE MY TUTORIAL STYLE AND WHAT I SHOULD IMPROVE

Sup guys! In this tutorial we'll be looking at a basic reverse engineering example in GTA: SA. If you want to follow this tutorial, I'll be using Cheat Engine, IDA Pro and OllyDbg (Olly is for debugging purposes). Probably nobody plays this game (neither do I, but I'm hacking this game for learning purposes), but if you do, great! If you don't, still great, because you are still learning how to reverse engineer different games. This tutorial is for beginners that are starting with reverse engineering (I can't call myself experienced, but whatever). If you are learning, my advice is to download the game and follow this tutorial, because you'll learn techniques to find your own stuff.

We'll be looking at how to find the function that displays messages like this:

[Screenshot: Reverse Engineering example in GTA: SA]

When we activate/deactivate a cheat, a "Cheat Activated/Deactivated" message pops up. We need to find the cheat flags to get to the function that processes a cheat. In GTA San Andreas the flags are 1 for activated and 0 for deactivated. In this tutorial I'll be using the Mega Jump cheat (YOU CAN USE WHATEVER CHEAT YOU WANT). The address of the state of this cheat is 0x96916C (I don't wanna lose time explaining basic stuff. If you don't like being spoon-fed, just find the address of other cheat flags, because the method is the same).

You can see everything in this screenshot:

[Screenshot: Reverse Engineering example in GTA: SA]

Now we want to see what instruction writes to this flag, to get to the function that processes a cheat.
Right click on the address, select "Find out what writes to this address" (or press F6) and select Yes.

After we have attached the debugger, let's go back to the game and activate/deactivate our cheat. In my case I'll be activating the cheat again.
An instruction popped up. The instruction is moving some value from CL (16-bit register - part of ecx) to our address.

You can see this here:

[Screenshot: Reverse Engineering example in GTA: SA]

Ok, now we can press Stop and go to the disassembler by selecting Show disassembler.

[Screenshot: Reverse Engineering example in GTA: SA]

Select the highlighted instruction, press CTRL+G and copy the address. The address is 00438597.

Now it's the IDA Pro part! (As always, you should know at least the basics of the program.)
If your PC doesn't suck like mine, IDA Pro should load everything fast. After that, click on the screen, press G, paste the address we copied before and press OK to jump to the address. I'm using text view, btw, because we'll need to copy addresses.

[Screenshot: Reverse Engineering example in GTA: SA]

      Now let's hit F5 to get our old friend called Pseudocode

[Screenshot: Reverse Engineering example in GTA: SA]

The instruction highlighted in my screenshot in ASM form is (you can go back to text view to check if you feel like it):
Code:
.text:0043858E                 cmp     ds:byte_969130[esi], bl
.text:00438594                 setz    cl
.text:00438597                 mov     ds:byte_969130[esi], cl
Basically, what byte_969130[v6] = byte_969130[v6] == 0 is doing:

byte_969130 - probably an array of the flags
v6 - cheatIndex

This instruction is comparing the value at that address to 0. If they are equal, it's gonna set it to 1; if they are different, it's gonna set it to 0.
It's similar to this shit:
Code:
byte_969130[cheatIndex] = !byte_969130[cheatIndex]; // ugly but who cares


Let's go up a bit and try to see if we find some shit.
As we can see, v7 is being set to some value that sub_6A0050 is returning; one of the parameters being passed is "CHEAT8". If we look more closely, there are two calls to sub_6A0050, because they are in if/else statements. We'll see that in this screenshot:

[Screenshot: Reverse Engineering example in GTA: SA]

As we saw earlier, byte_969130 is an array of cheat flags and v6 is the index. Basically, what this is doing is:

if the value at that index of the array is greater than zero, call sub_6A0050 with the last parameter being "CHEAT8";
else call sub_6A0050 with the last parameter being "CHEAT1".

As we saw earlier, when the value is 1 it's gonna set it to 0, and vice versa. So the string "CHEAT8" is related to cheat deactivation and "CHEAT1" to cheat activation.

Another thing that we can see in the screenshot is that v7 is passed as a parameter to the next function, which is interesting.

Btw, v7 is
Code:
_BYTE *v7; // pointer to something


Well, let's see what sub_6A0050 actually returns. To jump to the function, just double click on the name.

[Screenshot: Reverse Engineering example in GTA: SA]


Code:
_BYTE *__thiscall sub_6A0050(_BYTE *this, char *a2)

//_BYTE: an unknown type; the only known info is its size: 1 byte


      So the function is a member function and returns a pointer (address) to something. The first argument is a pointer to the current object (this pointer) and the second argument is a pointer to a char.

If you actually try to find strings like "Cheat Activated" in IDA Pro, you won't get any results. GTA San Andreas loads the strings from other files into memory and fetches them from there. It's really hard to tell what sub_6A0050 does by only looking at the source, so we'll take a guess:

This function is probably returning a pointer to a string.
In these cases, our other close friend OllyDbg is always there to help us! We will see what this function actually returns into v7 to be passed as a parameter to sub_588BE0.

Let's go back to that process-cheat function! Select sub_588BE0 and press TAB to go back to text view.

[Screenshot: Reverse Engineering example in GTA: SA]

push eax is the last push before the function call, and if you are familiar with assembly, parameters are pushed to the stack in reverse order, so the value inside eax is the first parameter of sub_588BE0 (the one we want). Copy the address of that instruction, because we are going to use OllyDbg now. The address is 00438552.

Now we are going to open OllyDbg and attach it to GTA San Andreas (close Cheat Engine before doing this if you haven't done so yet). Press F9 to continue running the process. Now press CTRL+G, paste that address and select OK to jump to that address.

[Screenshot: Reverse Engineering example in GTA: SA]

As I said before, the value of eax is being pushed as the first parameter (you can see an "Arg1" comment in the screenshot).
Let's set a breakpoint on this instruction to see what's the value inside EAX. You can do this by right clicking on the instruction and selecting Breakpoint -> Toggle, or press F2.

Now let's get back to the game, activate/deactivate our cheat again and see what happens.
The breakpoint was hit and we get to see what's inside eax.

[Screenshot: Reverse Engineering example in GTA: SA]

YAY! WE WERE CORRECT! That function really returned the address of a string. Now that we know what the first parameter is, we can go back to IDA and jump to sub_588BE0 (you can press G, type 588be0 and press OK).


[Screenshot: Reverse Engineering example in GTA: SA]

Code:
char __cdecl sub_588BE0(int a1, char a2, char a3, char a4)

//Calling convention: __cdecl
//return type: char
//Four arguments

I'll be using the first argument as char* (IDA sometimes treats pointers/addresses like integer types) and the other three as integers.

      REMEMBER: I'M DOING THIS INTERNALLY.

So let's write our typedef and function pointer.

Code:
#define SHOWMSG_ADDY 0x588BE0 // address of sub_588BE0, the message function we found in this executable

// Same prototype IDA showed us, with the first argument treated as char*
typedef char (__cdecl* _showMsg)(char*, int, int, int);
_showMsg showMsg = (_showMsg)SHOWMSG_ADDY;

We can make a wrapper:

Code:
void showMessage(char* yourString)
{
    // The game passes 0, 0, 0 for the last three parameters in almost every call
    // to this function, so we use the same defaults. No need to worry about them.
    showMsg(yourString, 0, 0, 0);
}

showMessage("GH IS THE BEST!");



      Result:

[Screenshot: Reverse Engineering example in GTA: SA]

      That's it folks!
      I have been writing this thing for like three hours lol!
      I hope everyone enjoyed! More tutorials are coming up!

      GiovaniHacking
      Last edited by iPower; 12-07-2017 at 08:14 AM.

    2. Thanks [GH]Rake, Traxin, Lukor, Roman_Ablo, HexMurder thanked for this post
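The last step of the tutorial casts a hard-coded address (0x588BE0) to a function pointer and calls through it. The C program below is an added example, not code from iPower's post, that shows the same call-through-pointer pattern in a form that runs anywhere: it locates a call site by a byte signature with wildcards instead of a fixed address, reads the pushed immediate out of it, and calls a stand-in for the game function through the typedef. Everything named here (find_pattern, resolve_pushed_address, fake_show_msg, kImage) is assumed for the example; the byte image is constructed, the real bytes of sub_588BE0 are not on the page and are not reproduced, and in an injected DLL you would scan the game module's .text section (Windows-only, not shown) rather than this array.

```c
/*
 * Added example, not code from the original post. Portable stand-in for the
 * injected-DLL pattern the tutorial describes: find a function by a byte
 * signature instead of a hard-coded address, then call it through a
 * typedef'd function pointer. The "code image" and the stand-in function are
 * constructed so this runs offline; the bytes of the real sub_588BE0 are NOT
 * known from the post and are not reproduced here.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Parse an IDA-style pattern such as "55 8B EC ? ? 83 EC" into bytes + mask.
 * '?' (or "??") is a wildcard. Returns the pattern length, or -1 on a bad token. */
static int parse_pattern(const char *pat, uint8_t *bytes, uint8_t *mask, size_t cap)
{
    size_t n = 0;
    while (*pat) {
        while (*pat == ' ') pat++;
        if (*pat == '\0') break;
        if (n >= cap) return -1;
        if (*pat == '?') {
            bytes[n] = 0; mask[n] = 0;          /* wildcard: matches any byte */
            while (*pat == '?') pat++;
        } else {
            char *end;
            long v = strtol(pat, &end, 16);
            if (end - pat != 2 || v < 0 || v > 0xFF) return -1;
            bytes[n] = (uint8_t)v; mask[n] = 1; /* literal byte */
            pat = end;
        }
        n++;
    }
    return (int)n;
}

/* Scan buf for the pattern; return the offset of the first match or -1. */
static long find_pattern(const uint8_t *buf, size_t len, const char *pat)
{
    uint8_t bytes[64], mask[64];
    int n = parse_pattern(pat, bytes, mask, sizeof bytes);
    if (n <= 0 || (size_t)n > len) return -1;
    for (size_t i = 0; i + (size_t)n <= len; i++) {
        size_t j = 0;
        while (j < (size_t)n && (!mask[j] || buf[i + j] == bytes[j])) j++;
        if (j == (size_t)n) return (long)i;
    }
    return -1;
}

/* Same shape as the tutorial's _showMsg typedef. __cdecl is dropped because it
 * is an MSVC/x86 keyword and is the default convention there anyway. */
typedef char (*showmsg_fn)(char *text, int a2, int a3, int a4);

/* Stand-in for the game's message function so the call path can run here.
 * It records the last message and returns 1. */
static char g_last_msg[64];
static char fake_show_msg(char *text, int a2, int a3, int a4)
{
    (void)a2; (void)a3; (void)a4;
    strncpy(g_last_msg, text, sizeof g_last_msg - 1);
    g_last_msg[sizeof g_last_msg - 1] = '\0';
    return 1;
}

/* The cast the tutorial performs with (_showMsg)SHOWMSG_ADDY, but on an address
 * resolved at runtime instead of a constant baked in for one game build. */
static char show_message_at(uintptr_t addr, char *text)
{
    showmsg_fn fn = (showmsg_fn)addr;
    return fn(text, 0, 0, 0);   /* the 0, 0, 0 defaults the tutorial uses */
}

/* Constructed "code image": noise, then a push imm32 / call rel32 / add esp,4 / ret
 * sequence. A real DLL would scan the game's .text section instead of this array. */
static const uint8_t kImage[] = {
    0x90, 0x90, 0xCC, 0x55, 0x8B, 0xEC,   /* nop nop int3 push ebp mov ebp,esp */
    0x68, 0xE0, 0x8B, 0x58, 0x00,         /* push 0x00588BE0 (constructed value) */
    0xE8, 0x11, 0x22, 0x33, 0x44,         /* call rel32 (constructed value) */
    0x83, 0xC4, 0x04, 0xC3                /* add esp,4 ; ret */
};

/* Locate the constructed "push imm32 ; call ... ; add esp" site with wildcards
 * over the variable bytes and read the little-endian imm32 out of the push.
 * Returns 0 when the signature is not found. */
static uint32_t resolve_pushed_address(void)
{
    long off = find_pattern(kImage, sizeof kImage, "68 ? ? ? ? E8 ? ? ? ? 83 C4");
    if (off < 0) return 0;
    const uint8_t *p = kImage + off + 1;    /* skip the 0x68 opcode byte */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

int main(void)
{
    printf("push imm32 resolves to 0x%08X\n", resolve_pushed_address());
    uintptr_t fn_addr = (uintptr_t)&fake_show_msg;  /* in a real DLL: the scanned address */
    show_message_at(fn_addr, "GH IS THE BEST!");
    printf("last message: %s\n", g_last_msg);
    return 0;
}
```

The signature scan is what keeps an internal hack working when the absolute address of a function moves between executable builds; the cast on the resolved address is exactly the (_showMsg)SHOWMSG_ADDY cast from the post, so the wrapper in the tutorial only needs its address fed from the scan instead of a #define.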
#2 [GH]Rake (Administrator, USA)
      Awesome

#3 iPower (Global Moderator, Brazil)
      Quote Originally Posted by [GH]Rake View Post
      Awesome
      Thanks!

#4 test_filipe (Newbie)
My IDA doesn't have the option to generate Pseudocode. How can I get this?

#5 iPower (Global Moderator, Brazil)
      Quote Originally Posted by test_filipe View Post
My IDA doesn't have the option to generate Pseudocode. How can I get this?
      You need to have hex rays decompiler plugin I guess (actually idk tbh)

#6 Roman_Ablo (Coder)
      Quote Originally Posted by test_filipe View Post
My IDA doesn't have the option to generate Pseudocode. How can I get this?
      Get the latest version of IDA (7.0) or just get the 6.8 since these are the popular leaked ones with Pseudocode. Then, just navigate to a function and press F5 and it should generate the pseudocode. It's not really a plugin afaik, I thought IDA came with it but I didn't buy it so idfk.

    8. Thanks iPower thanked for this post
#7 iPower (Global Moderator, Brazil)
      Quote Originally Posted by Roman_Ablo View Post
      Get the latest version of IDA (7.0) or just get the 6.8 since these are the popular leaked ones with Pseudocode. Then, just navigate to a function and press F5 and it should generate the pseudocode. It's not really a plugin afaik, I thought IDA came with it but I didn't buy it so idfk.
      Yea I didn't buy it too so idk

#8 JMP (Newbie)
It's really great information. Thanks for taking the time to do this. It will help many people. Us Brazilians, HUE xD

#9 iPower (Global Moderator, Brazil)
Quote Originally Posted by JMP View Post
It's really great information. Thanks for taking the time to do this. It will help many people. Us Brazilians, HUE xD
Us Brazilians, bro! k

#10 Roman_Ablo (Coder)
Quote Originally Posted by GiovaniHacking View Post
Us Brazilians, bro! k
Quote Originally Posted by JMP View Post
It's really great information. Thanks for taking the time to do this. It will help many people. Us Brazilians, HUE xD

pls rake/traxo don't take this down, it's just friendly banter

    13. Thanks iPower thanked for this post