Tutorial How to find function arguments / paremeters

Hexui Undetected CSGO Cheats Sinkicheat PUBG Cheat

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
1,051
16,353
62
This tutorial will be covering reversing a function to find its parameters. The function being reversed here is the takeDamage function for AssaultCube. So, start up AssaultCube, and begin a singleplayer deathmatch with only 1 other bot. Find your health address. After that, right click the health address you found and click "Find out what writes to this address".

Once the box shows up, get shot by the bot again. Something similar should show up.

Double click that and it will bring us to the memory viewer at the specific ASM instruction. Trace upwards to the start of the function, or use CE's neat feature that does it for us! Right click in the window, then click "Select current function". It will bring us close to the top, but in this situation it's not really the top.

There is a jump over the return statement. Let's right click above that return statement, and click "Select current function" again! This time we should arrive at the top of the function.

Set a breakpoint here then get shot. The return address to whatever called this function will be on the stacktrace. The address there should be similar to 426B96. If you double click it, it will bring us to the instruction after the call to the takeDamage function.

So, let's dissect this a bit, and find out what each register being assigned here is.

Let's start with ECX, ESI, and EDI. These all contain the same address. Based on previous reversing and dealing with this game, it is the entities base address. So, knowing that they are the entity base, we can take a wild guess that EBX has something to do with the entity as well. EBX contains the entity base address + 0xF4, which is the address 4 bytes before our health.

Now that we know what EBX is being assigned, let's move on to the other 2 registers, EDX and EAX. EDX contains 3C. Let's take a moment to turn 3C into decimal format. It's equivalent to 60. Let's unpause the game and shoot our enemy with the pistol. You'll find the register now contains a number that is much smaller.

Are you getting what I'm hinting at here? :p

EDX contains the amount of damage done to the entity. So, let's move on to our last register assignment, EAX. I figured this one out pretty quickly myself, and I want you to try and find it out. Come back when you either give up trying to find out, need a hint, or figure it out.

*HINT* Change weapons, and try different ways of damaging the enemy.

This register is assigned the type of damage being done.

So, knowing what we know now, here it is all put together:

EBX is the address 4 bytes before health/armor
EAX is the type of weapon you hurt them with

0 = Knife
1 = Pistol
2 = Carbine
3 = Shotgun
4 = Submachine gun
5 = Sniper Rifle
6 = ARifle
7 = Unknown (If someone finds what it is, do share!)
8 = Grenade
9 = Akimbo

EDX Hold the amount of damage taken
ESI, ECX and EDI contain the entity base

00426B84 |. 8B55 08 MOV EDX,DWORD PTR [EBP+8] ; Amount of damage taken
00426B87 |. 8B45 10 MOV EAX,DWORD PTR [EBP+10] ; Type of damage
00426B8A |. 52 PUSH EDX ; Put the type of damage onto the stack
00426B8B |. 8D9E F4000000 LEA EBX,DWORD PTR [ESI+F4] ; Pointer to 4 bytes before the entity health/armor
00426B91 |. E8 8A300000 CALL ac_clien.00429C20 ; Take Damage Call

Congratulations! You've gotten the parameters to the function! These can be used for many neat things, such as detouring the function, or calling it.

If there's anything I've explained incorrectly, or could have explained better please tell me!

Happy hacking,
Krampus :)
 
Last edited:

TastyHorror

Coder
Dank Tier Donator
Nobleman
Oct 11, 2012
179
2,268
8
Good tutorial but not noob proof. You need more pictures. I like this, and I'm glad you're contributing.
 
Last edited:
Attention! Before you post:

Read the How to Ask Questions Guide
99% of questions are answered in the Beginner's Guide, do it before asking a question.

No Hack Requests. Post in the correct section.  Search the forum first. Read the rules.

How to make a good post:

  • Fill out the form correctly
  • Tell us the game name & coding language
  • Post everything we need to know to help you
  • Ask specific questions, be descriptive
  • Post errors, line numbers & screenshots
  • Post code snippets using code tags
  • If it's a large project, zip it up and attach it

If you do not comply, your post may be deleted.  We want to help, please make a good post and we will do our best to help you.

Community Mods