Solved Calling a Function (C++)


xkhen0017

May 31, 2017
I know how to call a function from ASM. I've been using it since I started learning hacking. But I have a problem here,

basically I have a function here which is a SendPacket function.

C++:
00470F62 | A1 CC 1D 6D 01           | mov eax,dword ptr ds:[16D1DCC]          |
00470F78 | 8B 80 E0 00 00 00        | mov eax,dword ptr ds:[eax+E0]           |
00470F7E | 6A 00                    | push 0                                  |  < buffer 
00470F80 | 6A 03                    | push 3                                  |  < 2nd packet header
00470F82 | 6A 01                    | push 1                                  |  < 1st packet header
00470F84 | 50                       | push eax                                |  < some pointer (class/struct)
00470F85 | 33 F6                    | xor esi,esi                             |  < size of the packet
00470F87 | E8 44 D7 62 00           | call <sub_A9E6D0>                       |  < packet
If I were to call this function "sub_A9E6D0" I will use ASM as the foundation.

C++:
__asm {
    mov eax, dword ptr ds:[0x16D1DCC]  // MOV EAX,DWORD PTR DS:[0x15121A4]
    mov eax, [eax + 0xE0]
    push buf
    push header2
    push header1
    push eax
    mov esi, isize                     // packet size goes in esi, not on the stack
    call TCP
}
but what I want to achieve is to call it using a prototype like this..
C++:
typedef void(__stdcall *_SendPacketTCP)(dword, byte, byte, unsigned char*);
_SendPacketTCP SendPacketTCP = (_SendPacketTCP)(sub_A9E6D0);

//to call this function
SendPacketTCP(pStruct, 1, 3, 0);

//But my one big problem is to how to pass the packet size to esi using this?
But my one big problem is how to pass the packet size to esi using this? On IDA it shows __usercall; I have no idea how to construct that one.
I know I may sound crazy on why I want to switch from ASM, but I just want to clean up my code a bit, reducing tons of lines. :EleGiggle:
 

mambda

Jun 25, 2014
Last edited by a moderator:

Broihon

Dec 22, 2013
If the devs really decided to use/create a weird calling convention where the first argument is passed in esi, then I don't think there's a chance to redo that in Visual Studio without using inline asm or some static byte arrays.
If there's a way to implement custom calling conventions then tell me please.
But I think mambda is right, this looks too weird to be true.
 

xkhen0017

May 31, 2017
Haha. I know it's weird, but some packets are sent as a null pointer.

More detailed code will be like this,

Code:
push buffer
push header2
push header1
push pointer/struct
mov esi, packetsize
call SendPacket
So there is no way to call it in a managed way? Too bad, I need to use asm. >.< Been looking for answers for so long on many sites. I will let you all know if I find a way to do it. :)
 

xkhen0017

May 31, 2017
Thanks. But it's kind of a different thing; that one passes ESI as a param, where in my case it only reads ESI. Will look deep into it and inform you all. For the meantime I'll use inline assembly. ???
 

Traxin

Aug 3, 2015
When you XOR something with itself, it zeros out.
ESI is not important for this function and it damn sure isn't your "packet size."

Like the guys before me said, this looks way too weird to be right.
You might need to go back and step through some code again because this analysis seems all types of fucked up.
 

xkhen0017

May 31, 2017
Traxin,

Yes, I know, that is why the packet is 0; only headers are sent to the server. There are some cases where the packet body is 0 and only headers are sent.

Here is another call to the same function that uses ESI and has a packet body.

C++:
005229AA | 8D 34 80                 | lea esi,dword ptr ds:[eax+eax*4]        |
005229AD | A1 CC 1D 6D 01           | mov eax,dword ptr ds:[16D1DCC]          | <- first ParamPointer added with E0
005229B2 | 80 78 78 00              | cmp byte ptr ds:[eax+78],0              |
005229B6 | 8D 74 36 10              | lea esi,dword ptr ds:[esi+esi+10]       | <- SIZE OF THE PACKET TRANSFERED
005229BA | 8B F8                    | mov edi,eax                             | 
005229BC | 75 06                    | jne dd2.5229C4                          |
005229BE | 80 78 79 00              | cmp byte ptr ds:[eax+79],0              |
005229C2 | 74 15                    | je dd2.5229D9                           |
005229C4 | 8B 80 E0 00 00 00        | mov eax,dword ptr ds:[eax+E0]           | <- first Param Pointer final (with E0 added)
005229CA | 8D 54 24 10              | lea edx,dword ptr ss:[esp+10]           | <- This is the pointer to the packet buffer
005229CE | 52                       | push edx                                | <- Pushed as last param (Packet Buffer)
005229CF | 6A 02                    | push 2                                  | <- Packet Header 2
005229D1 | 6A 1B                    | push 1B                                 | <- Packet Header 1
005229D3 | 50                       | push eax                                | <- First Param Pointer (EAX)
005229D4 | E8 F7 BC 57 00           | call sub_A9E6D0                         | <- Call for the SendPacket
Example of the packet:
08 1B 02 X1 X2 X3 X4 X5 X6 X7 X8

First Byte = Size
Second Byte = Header 1
Third Byte = Header 2
Preceding Bytes = Packet Body with size of 8 bytes.

And I've been using this for a long time. So I'm really sure of it.
 

Traxin

Aug 3, 2015
Then yeah, sounds like what Rake posted might be at play here.
SO said:
it could customize the calling convention to something that uses register values already set up at the place of call
Sounds like what's happening here; looks like you're stuck with inline assembly. I think any other way might actually be more code :\
 

xkhen0017

May 31, 2017
Maybe I can try to experiment here, since the function cleans the stack itself, assuming this one is stdcall. And this method seems to be unconventional/unusual.

C++:
typedef void(__stdcall *_SendPacketTCP)(dword, byte, byte, unsigned char*);
_SendPacketTCP SendPacketTCP = (_SendPacketTCP)(sub_A9E6D0);

// to call this function
__asm {
    push esi       // save the value of esi
    mov esi, size  // move the SIZE into the ESI register to be used by the function call
}
// call the function
SendPacketTCP(pStruct, 1, 3, 0);
// then
__asm pop esi      // restore the original value of esi from before the call
I will do this when I get home after work, and will inform you all. :)
 
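One way to get the clean prototype asked for in this thread is a tiny assembly thunk that takes the size as a normal fifth stack argument, loads it into esi, forwards the four stack arguments in the order the disassembly pushes them, and calls the target. This is an added example written for this page, not code from the thread; it assumes the target is stdcall for its four stack arguments and reads the size from esi (as the __usercall listing suggests), and the target address is a placeholder taken from the symbol name.

```asm
; SendPacketThunk.asm  -  assemble with: ml.exe /c /coff SendPacketThunk.asm
; Added example for this thread; not the game's code and not the poster's code.
; Assumptions: the target is stdcall for its 4 stack args and reads the size from ESI.
.386
.model flat, C              ; exported symbol uses C naming and cdecl
.code

; C++ side (declaration lives in the .cpp, not in this file):
;   extern "C" void SendPacketTCP(void* pStruct, unsigned char h1,
;                                 unsigned char h2, unsigned char* buf,
;                                 unsigned int size);
;   SendPacketTCP(pStruct, 1, 3, nullptr, 0);     // headers only, size 0

TARGET_ADDR EQU 0A9E6D0h    ; placeholder: address of sub_A9E6D0 in the analysed build

SendPacketTCP PROC
    ; Stack at entry: [esp]=ret [esp+4]=pStruct [esp+8]=h1 [esp+12]=h2
    ;                 [esp+16]=buf [esp+20]=size
    push    esi                     ; esi is callee-saved; keep the caller's value
    mov     esi, [esp+24]           ; size -> esi (the register argument)
    ; Forward the four stack args in the same order the game pushes them.
    ; Every push lowers esp by 4, so the next source slot is always at [esp+20].
    push    dword ptr [esp+20]      ; buf
    push    dword ptr [esp+20]      ; h2
    push    dword ptr [esp+20]      ; h1
    push    dword ptr [esp+20]      ; pStruct
    mov     eax, TARGET_ADDR
    call    eax                     ; stdcall callee pops its own 16 bytes of args
    pop     esi                     ; restore esi
    ret                             ; cdecl wrapper: the C++ caller cleans 20 bytes
SendPacketTCP ENDP
END
```

Because the thunk saves and restores esi itself, the C++ caller does not need the push esi / pop esi pair around the call, and the compiler cannot reuse esi between setting it and the call, which is the risk of the two-block inline-asm approach above.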