Question: How do you find the correct function parameter?


hound.c++
Dank Tier Donator
Apr 26, 2015

Game Name: N/A
Anticheat: N/A
How long you been coding/hacking? 3 months
Coding Language: N/A
Hi,

It's an Unreal Engine 4 game. Anyway, my idea is to write a basic internal that calls a change-material-color function.

What I've done so far in RE:

I've had a material change its color in-game and ultimately found one of its float values for the RGB, then I looked at what writes to it and found the function.
If I nop the function, UE seems to just replace all the materials that use the function with white and black (debug colors, I guess?), and I also can't change the color in-game anymore,
so I'm pretty sure it is the correct one.

If I look at it in IDA, it's defined like this: __int64 __fastcall sub_233E6D0(__int64 *a1)

C++:
__int64 __fastcall sub_1417EC290(__int64 *a1)
{
  __int64 v1; // rsi
  __int64 *v2; // r15
  struct IRendererModule *v3; // rax
  _QWORD *v4; // rbx
  __int64 v5; // r14
  FUniformExpressionCache *v6; // rdi
  __int64 v7; // rbp
  __int64 v8; // rsi
  __int64 v9; // rbx
  __int64 v10; // rcx
  __int64 result; // rax
  __int128 v12; // xmm0
  __int128 v13; // xmm1
  __int64 v14; // rcx

  v1 = *a1;
  v2 = a1;
  if ( *(_BYTE *)(*a1 + 420) & 8 )
  {
    v3 = GetRendererModule();
    (*(void (__fastcall **)(struct IRendererModule *, __int64))(*(_QWORD *)v3 + 336i64))(v3, v1);
    *(_BYTE *)(v1 + 420) &= 0xF7u;
  }
  ++*(_DWORD *)(v1 + 416);
  v4 = (_QWORD *)(v1 + 120);
  v5 = 0i64;
  v6 = (FUniformExpressionCache *)(v1 + 40);
  v7 = 4i64;
  do
  {
    *((_BYTE *)v4 - 8) = 0;
    *v4 = 0i64;
    FUniformExpressionCache::ResetAllocatedVTs(v6);
    v6 = (FUniformExpressionCache *)((char *)v6 + 88);
    v4 += 11;
    --v7;
  }
  while ( v7 );
  v8 = v1 + 448;
  v9 = *(int *)(v8 + 8);
  if ( (int)v9 <= 0 )
  {
LABEL_12:
    v12 = *(_OWORD *)(v2 + 1);
    v13 = *(_OWORD *)(v2 + 3);
    *(_DWORD *)(v8 + 8) = v9 + 1;
    if ( (int)v9 + 1 > *(_DWORD *)(v8 + 12) )
      TArray<FCachedCompositeFontData::FCachedFontRange,TSizedDefaultAllocator<32>>::ResizeGrow(v8, (unsigned int)v9);
    result = *(_QWORD *)v8;
    v14 = 32 * v9;
    *(_OWORD *)(v14 + result) = v12;
    *(_OWORD *)(v14 + result + 16) = v13;
  }
  else
  {
    v10 = *(_QWORD *)v8;
    while ( 1 )
    {
      if ( *(_DWORD *)v10 == *((_DWORD *)v2 + 2)
        && *(_DWORD *)(v10 + 4) == *((_DWORD *)v2 + 3)
        && *(_BYTE *)(v10 + 8) == *((_BYTE *)v2 + 16) )
      {
        result = *((unsigned int *)v2 + 5);
        if ( *(_DWORD *)(v10 + 12) == (_DWORD)result )
          break;
      }
      ++v5;
      v10 += 32i64;
      if ( v5 >= v9 )
        goto LABEL_12;
    }
    *(_OWORD *)(v10 + 0x10) = *(_OWORD *)(v2 + 3);
  }
  return result;
}
So my guess is that a1 is probably a pointer to the material that is being used by a model.

However, here comes my issue. I can't just set a breakpoint on the call because it's called by a thousand other materials. If I watch what writes to my "color" address (note that `*(_OWORD *)(v10 + 0x10) = *(_OWORD *)(v2 + 3);` does that, and v2 is r15), I should at least find the address for that object in r15, but every time a write happens on the same "color" address a different address in r15 is passed for the same object. How would I proceed from here?

Erarnitox
Meme Tier VIP
Trump Tier Donator
May 11, 2018
Have you checked the cross references to this function in IDA? (Press 'X' on the function signature, I think.) There you can see from where and how it gets called. I would then try to find a function that calls sub_233E6D0 and that you know somewhat what it is doing. Then you can set a breakpoint on this function instead and watch step by step how it gets called, especially what gets moved into ecx as an argument for the function. Then you only need to trace back where the value in ecx came from, etc. I hope I was able to give you some ideas on how to proceed. Good luck, and let us know how it goes :)
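An added example, not from either post above, of the bookkeeping that follows once a breakpoint on the store is hit. The decompiled listing begins with `v1 = *a1`, and every array it modifies hangs off `v1`, so a logging breakpoint that prints not only the register holding `a1` but also the qword it points to may give a value that stays constant even when the register does not. That interpretation (that `a1` is a temporary and `*a1` is the object), the use of r15 as the register, the `r15=... mat=... dst=...` log format, the address constants and the sample log itself are all assumptions constructed for this example; the script parses such a log, keeps only the 16-byte stores that overlap the watched color address, and reports the single `*a1` value behind them together with the differing `a1` pointers.

```python
import re
from collections import defaultdict

# One line per hit of the 16-byte store `*(_OWORD *)(v10 + 0x10) = ...` inside
# the function, as a debugger logging breakpoint would print it. The field
# names and layout are assumptions for this example, not any real tool's format:
#   r15 = the a1 pointer the caller passed (hypothetical register choice)
#   mat = the qword at [r15], i.e. what the decompiled code loads as v1 = *a1
#   dst = the destination address of the store
HIT_RE = re.compile(
    r"r15=(?P<r15>[0-9A-Fa-f]+)\s+mat=(?P<mat>[0-9A-Fa-f]+)\s+dst=(?P<dst>[0-9A-Fa-f]+)"
)

# Constructed sample log (not captured from any game): the same object is
# updated three times through three different temporaries in r15, and the
# temporary at ...E3C0 is reused for two other objects.
SAMPLE_LOG = """\
r15=000000AB12FFE3C0 mat=000001F4A2C05E00 dst=000001F4A2C13D10
r15=000000AB12FFE3C0 mat=000001F4A2C0A100 dst=000001F4A2C21B50
r15=000000AB12FFE2A0 mat=000001F4A2C05E00 dst=000001F4A2C13D10
r15=000000AB12FFE4E0 mat=000001F4A2C05E00 dst=000001F4A2C13D10
r15=000000AB12FFE3C0 mat=000001F4A2C09980 dst=000001F4A2C1F0F0
"""

# Assumed address of the color float found with "find out what writes to this
# address": 4 bytes into the 16-byte vector that the store overwrites.
COLOR_ADDR = 0x000001F4A2C13D14
STORE_WIDTH = 16  # the store is an _OWORD, so it covers 16 bytes


def parse_hits(text):
    """Parse log lines into dicts of ints; lines that do not match are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.search(line)
        if m:
            hits.append({k: int(v, 16) for k, v in m.groupdict().items()})
    return hits


def hits_covering(hits, addr, width=STORE_WIDTH):
    """Keep only the hits whose store overlaps the watched address."""
    return [h for h in hits if h["dst"] <= addr < h["dst"] + width]


def find_object(text, addr):
    """
    Return (object_pointer, sorted list of r15 values) for the watched address.

    object_pointer is the single [r15] value shared by every hit that writes
    the address; the r15 values are returned too so the reader can see that the
    register itself is not stable. Returns None when nothing in the log writes
    the address, and raises ValueError if the hits disagree about the object,
    which would mean [r15] is not the identifier either.
    """
    relevant = hits_covering(parse_hits(text), addr)
    if not relevant:
        return None
    objects = {h["mat"] for h in relevant}
    if len(objects) != 1:
        raise ValueError(f"writes to {addr:#x} come from {len(objects)} objects")
    return objects.pop(), sorted({h["r15"] for h in relevant})


def objects_per_register(text):
    """Map each r15 value to the set of objects it was used with (diagnostic)."""
    table = defaultdict(set)
    for h in parse_hits(text):
        table[h["r15"]].add(h["mat"])
    return dict(table)


if __name__ == "__main__":
    obj, regs = find_object(SAMPLE_LOG, COLOR_ADDR)
    print(f"object behind the color write: {obj:#018x}")
    print("r15 values seen for it:", ", ".join(f"{r:#x}" for r in regs))
    for r, objs in objects_per_register(SAMPLE_LOG).items():
        print(f"r15={r:#x} was used with {len(objs)} object(s)")
```

The `ValueError` branch is the check that matters: if two different `[r15]` values write the same address, the qword at `a1` is not the object identifier either, and the tracing has to move up to the callers found through the cross references as suggested above.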