Solved IDA Pro thiscall


Virulant

Newbie
Full Member
Aug 19, 2015
14
112
0
Hey, I got the following function:

C++:
char *__thiscall KickPlayer(_BYTE *this, _DWORD *a2)
{
  _BYTE *v2; // esi@1
  int v3; // ecx@1
  char *result; // eax@5
  char v5; // [sp+8h] [bp-228h]@1

  v2 = this;
  sub_42A1B0(&v5);
  sub_42C230(&v5);
  v3 = 66064 * *a2;
  if ( !v2[v3 + 336] && (dword_AB10C0 == 1 || *(_DWORD *)&v2[v3 + 304]) )
    sub_427EE0(&v5);
  v2[66064 * *a2 + 336] = 1;
  result = &v2[66064 * *a2 + 344];
  *(_QWORD *)&v2[66064 * *a2 + 352] = __PAIR__(
                                        HIDWORD(qword_71E838[*(_DWORD *)result]),
                                        qword_71E838[*(_DWORD *)result])
                                    + 300000;
  return result;
}
Which is from this assembly code:

Assembly:
.text:00425FC0 KickPlayer      proc near               ; CODE XREF: sub_4AD2B0+38AAp
.text:00425FC0                                         ; sub_4AD2B0+3A44p ...
.text:00425FC0
.text:00425FC0 var_228         = byte ptr -228h
.text:00425FC0 arg_0           = dword ptr  4
.text:00425FC0
.text:00425FC0                 sub     esp, 228h
.text:00425FC6                 push    esi
.text:00425FC7                 mov     esi, ecx
.text:00425FC9                 push    edi
.text:00425FCA                 lea     ecx, [esp+230h+var_228]
.text:00425FCE                 call    sub_42A1B0
.text:00425FD3                 lea     eax, [esp+230h+var_228]
.text:00425FD7                 push    eax
.text:00425FD8                 mov     ecx, offset dword_6D8428
.text:00425FDD                 call    sub_42C230
.text:00425FE2                 mov     edi, [esp+230h+arg_0]
.text:00425FE9                 mov     ecx, [edi]
.text:00425FEB                 imul    ecx, 10210h
.text:00425FF1                 cmp     byte ptr [ecx+esi+150h], 0
.text:00425FF9                 lea     eax, [ecx+esi+130h]
.text:00426000                 jnz     short loc_426020
.text:00426002                 cmp     dword_AB10C0, 1
.text:00426009                 jz      short loc_426010
.text:0042600B                 cmp     dword ptr [eax], 0
.text:0042600E                 jz      short loc_426020
.text:00426010
.text:00426010 loc_426010:                             ; CODE XREF: KickPlayer+49j
.text:00426010                 lea     edx, [esp+230h+var_228]
.text:00426014                 push    edx
.text:00426015                 lea     ecx, [eax+0F28Ch]
.text:0042601B                 call    sub_427EE0
.text:00426020
.text:00426020 loc_426020:                             ; CODE XREF: KickPlayer+40j
.text:00426020                                         ; KickPlayer+4Ej
.text:00426020                 mov     eax, [edi]
.text:00426022                 imul    eax, 10210h
.text:00426028                 mov     byte ptr [eax+esi+150h], 1
.text:00426030                 mov     ecx, [edi]
.text:00426032                 imul    ecx, 10210h
.text:00426038                 lea     eax, [ecx+esi+158h]
.text:0042603F                 mov     ecx, [eax]
.text:00426041                 mov     edx, dword ptr qword_71E838[ecx*8]
.text:00426048                 mov     ecx, dword ptr qword_71E838+4[ecx*8]
.text:0042604F                 add     edx, 493E0h
.text:00426055                 adc     ecx, 0
.text:00426058                 pop     edi
.text:00426059                 mov     [eax+8], edx
.text:0042605C                 mov     [eax+0Ch], ecx
.text:0042605F                 pop     esi
.text:00426060                 add     esp, 228h
.text:00426066                 retn    4
.text:00426066 KickPlayer      endp
What I'd like to know is how I would be able to call this function from my C++ code?
Currently, I'm using the following:

C++:
char*(__thiscall * KickPlayer)(DWORD *a1) = (char*(__thiscall *)(DWORD*))0x00425FC0;
KickPlayer(a1);
The problem is that the *this is not passed (it can't be passed by argument, right?).
How would I be able to pass the this without putting it in the function call? Thanks.
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,298
37,938
269
C++:
<class name here> *pThis = some instance of the class in memory here;

typedef <return type> (__thiscall *orig)(<class name here> *, other params);
orig originalFunction;

originalFunction(pThis, other params);
Now, for hooking it, it's like this.

C++:
typedef <return type> (__thiscall *orig)(void *, other params);
orig originalFunction;

<return type> __fastcall hkFunction(void *ecx, void *edx, other params)
{
    return originalFunction(ecx, other params);
}
For some possibly more in-depth stuff just read this: Tutorial - Calling Conventions, and why you need to know them! Skip to the __thiscall / __fastcall section if you want; ignore the asm 'cause I wrote it at 2am and it's all wrong but I'm never going to fix it lmao (nothing major, just stuff like [ebp + 4], which is the return address).

 

Lovelace

Jr.Coder
Full Member
Nobleman
Oct 23, 2015
83
938
5
Look for instructions which are calling that function and analyze how "this" is passed and where it came from.
 

Virulant
It looks like ECX is the register used to pass the *this in Assembly:

Assembly:
.text:004B0B46 KickPlayerCall:                         ; CODE XREF: sub_4AD2B0+388Bj
.text:004B0B46                 mov     [esp+80C0h+var_7D20], eax
.text:004B0B4D                 lea     eax, [esp+80C0h+var_7D20]
.text:004B0B54                 push    eax
.text:004B0B55                 mov     ecx, offset dword_AB1BC0
.text:004B0B5A                 call    KickPlayer
.text:004B0B5F                 mov     ecx, dword ptr [esp+80C0h+var_8098]
.text:004B0B63                 imul    ecx, 10210h
.text:004B0B69                 add     ecx, offset unk_AC0D64
.text:004B0B6F                 push    ecx
.text:004B0B70                 lea     ecx, [esp+80C4h+var_7798]
.text:004B0B77                 call    sub_41C430
.text:004B0B7C                 push    offset aIsKicked_ ; " is kicked."
.text:004B0B81                 lea     ecx, [esp+80C4h+var_74A0]
.text:004B0B88                 call    sub_41BC80
.text:004B0B8D                 lea     edx, [esp+80C0h+var_74A0]
.text:004B0B94                 push    edx
.text:004B0B95                 lea     ecx, [esp+80C4h+var_7798]
.text:004B0B9C                 call    sub_41C490
.text:004B0BA1                 lea     ecx, [esp+80C0h+var_74A0]
.text:004B0BA8                 call    sub_41BCF0
.text:004B0BAD                 lea     eax, [esp+80C0h+var_7798]
.text:004B0BB4                 push    eax
.text:004B0BB5                 mov     ecx, offset unk_AA9700
.text:004B0BBA                 call    sub_481D10
.text:004B0BBF                 lea     ecx, [esp+80C0h+var_7798]
.text:004B0BC6                 call    sub_41BCF0
.text:004B0BCB                 jmp     loc_4C30B3      ; jumptable 004AD3BF cases 75,77,78,371,372,477,601-604,609,615,616,750,900-903,910-952,960,970-972,980,1004,1090,1104,1105,1108-1111,1120-1126,1678,1679,1798,1808,1882,1885-1887,1960,1961,1965,1968,1980-2000,2032,2053,2055,2060,2386-2393,2400-2403
However, how would I be able to pass this in C++ in the function?
 

Lovelace
mambda said:
Now, for hooking it, it's like this.
He wants to call it.

Anyways, I'm no asm pro, but this is how I would do it.

This is what I meant by finding out where "this" came from.

C++:
void *_this = (void *)getClassInstance();
Function(_this, a1);
and to call it, I do this...

C++:
char *hkFunction(int a1)
{
	void *_this = (void *)getClassInstance();
	return oFunction(_this, a1);
}

// simply call it like this
hkFunction(a1);

// or directly call it like this
void *_this = (void *)getClassInstance();
oFunction(_this, a1);
I hope you get the point. This is probably not the best way to do this.
 

mambda
Yeah, he wants to call it, but to get a class instance he'd most likely want to hook it first, or look for one in the binary.
 

Virulant
Hey guys,

I don't quite get something: how shall I get the instance of the class?
Shall I just reinterpret_cast the class I'd create with the address of my ECX register (this)?

Thanks for your help!
 

Lovelace
Virulant said:
Hey guys,

I don't quite get something: how shall I get the instance of the class?
Shall I just reinterpret_cast the class I'd create with the address of my ECX register (this)?

Thanks for your help!
Just like what I said... Look for instructions which are calling the function.

Perform an ASM scan in CE.

Memory View->Search->Find assembly code

and search for this assembly code to find out what's calling your function

Assembly:
call KickPlayerAddress // ProcessName+offset would be better
If it shows any result, go to that address and scroll up a bit (before function gets called) and look for something like this:

Assembly:
call    getClassInstanceAddress
mov     ecx, eax // move "this" to ECX
...
call KickPlayer
Sometimes the class instance is just a static address that's moved to ECX.

Look at mambda's first example.
 

Virulant
Just before the function gets called, ECX is assigned as such:

Assembly:
mov ecx,00AB1BC0
It appears it gets assigned some constant.
Taking a bit of your previous example, it could be called using this:

C++:
BYTE *_this = reinterpret_cast<BYTE*>(0x00AB1BC0);
char*(__stdcall* KickPlayer)(BYTE *_this, DWORD *a1) = (char*(__stdcall*)(BYTE*,DWORD*))0x00425FC0;
KickPlayer(_this, a1);
EDIT:

Oh shit guys, thank you very much, finally got it working !
Here is the full code I have:

C++:
char*(__thiscall * KickPlayer)(void *a2,DWORD *a1) = (char*(__thiscall *)(void*,DWORD*))0x00425FC0;
void *_this = reinterpret_cast<void*>(0x00AB1BC0);

Player player1 = GameData::DebugGetPlayer(0);

DWORD a1 = player1.GetID();
KickPlayer(_this, &a1);
Thank you very much; I was working on it for dozens of hours and just couldn't figure it out.
I had already tried similar things; I was so close, but managed to get it working thanks to you.

So many hours spent on this simple thing, I guess that's how you learn how it works.
Thanks again guys!
 
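As an added example (not code from the thread or the game), the following program shows the two things the thread establishes: the decompiler's `v2[66064 * *a2 + N]` accesses describe a per-player record with a 0x10210-byte stride and fields at +0x130, +0x150, +0x158 and +0x160, and a `__thiscall` routine can be called through a typed function pointer whose first parameter is an explicit `this`. It rebuilds the record as a struct whose layout is checked with `static_assert`, rewrites the decompiled logic as a local stand-in (so the example runs in any process instead of needing the game at 0x00425FC0), and calls it through the same pointer shape as the final post. Assumptions: the field names (`connected`, `kicked`, `clock_index`, `expiry`), the `PlayerTable` wrapper, the values in the `qword_71E838` stand-in, the counter replacing `sub_427EE0`, and the `THISCALL` macro, which expands to the real convention only on 32-bit x86 and to nothing elsewhere.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>

// __thiscall is a 32-bit x86 convention: MSVC spells it __thiscall, GCC/Clang on
// i386 use an attribute, and on every other target (x86-64 included, where the
// first argument register carries `this` anyway) the macro expands to nothing so
// the example still compiles and runs.
#if defined(_MSC_VER) && defined(_M_IX86)
#  define THISCALL __thiscall
#elif (defined(__GNUC__) || defined(__clang__)) && defined(__i386__)
#  define THISCALL __attribute__((thiscall))
#else
#  define THISCALL
#endif

// One per-player record, rebuilt from the decompiler's `v2[66064 * *a2 + N]`
// accesses: stride 0x10210 (66064) bytes per player, fields at +0x130, +0x150,
// +0x158 and +0x160. Only the offsets come from the listing; the names are assumed.
struct PlayerSlot {
    uint8_t  pad0[0x130];
    uint32_t connected;      // +0x130: dword tested when dword_AB10C0 != 1 (name assumed)
    uint8_t  pad1[0x150 - 0x134];
    uint8_t  kicked;         // +0x150: byte that KickPlayer sets to 1
    uint8_t  pad2[0x158 - 0x151];
    uint32_t clock_index;    // +0x158: dword used as index into qword_71E838 (name assumed)
    uint32_t pad3;
    uint64_t expiry;         // +0x160: qword_71E838[clock_index] + 300000 (0x493E0)
    uint8_t  pad4[0x10210 - 0x168];
};
static_assert(offsetof(PlayerSlot, connected)   == 0x130, "offset +130h");
static_assert(offsetof(PlayerSlot, kicked)      == 0x150, "offset +150h");
static_assert(offsetof(PlayerSlot, clock_index) == 0x158, "offset +158h");
static_assert(offsetof(PlayerSlot, expiry)      == 0x160, "offset +160h");
static_assert(sizeof(PlayerSlot) == 66064, "stride must equal imul ecx, 10210h");

// The object `this` (ecx) points at; in the game it is the static dword_AB1BC0.
// Its player slots start at offset 0, because the code indexes `this` directly.
struct PlayerTable {
    PlayerSlot slots[4];
};

// Stand-ins for the game's globals, with constructed values.
static uint64_t qword_71E838[8]   = {0, 1000, 2000, 3000, 4000, 5000, 6000, 7000};
static int32_t  dword_AB10C0      = 1;
static int      sub_427EE0_calls  = 0;   // counts how often the guarded call would run

// A C++ rewrite of the decompiled routine, in the same calling convention. It
// stands in for the code the thread finds at 0x00425FC0 inside the game.
static char *THISCALL KickPlayer_impl(void *self, uint32_t *a2) {
    PlayerTable *table = static_cast<PlayerTable *>(self);
    PlayerSlot  &p     = table->slots[*a2];
    // sub_427EE0 runs only for a player not yet flagged (and connected, unless
    // dword_AB10C0 == 1); here it just increments a counter.
    if (!p.kicked && (dword_AB10C0 == 1 || p.connected))
        ++sub_427EE0_calls;
    p.kicked = 1;
    char *result = reinterpret_cast<char *>(&p.clock_index);   // lea eax, [ecx+esi+158h]
    p.expiry = qword_71E838[p.clock_index] + 300000;           // add edx, 493E0h / adc ecx, 0
    return result;
}

// The pointer type from the thread's final post: `this` is an explicit first
// parameter of a __thiscall function pointer, so the compiler loads it into ecx.
typedef char *(THISCALL *KickPlayerFn)(void *_this, uint32_t *a1);

// Call KickPlayer through a raw address exactly as the thread does, except the
// address is that of the local stand-in instead of the hard-coded 0x00425FC0.
static char *callKick(PlayerTable *table, uint32_t playerId) {
    uintptr_t address = reinterpret_cast<uintptr_t>(&KickPlayer_impl);
    KickPlayerFn KickPlayer = reinterpret_cast<KickPlayerFn>(address);
    void *_this = table;              // what `mov ecx, offset dword_AB1BC0` supplies
    uint32_t a1 = playerId;
    return KickPlayer(_this, &a1);
}

// Exercises the call and checks every side effect the decompilation describes.
// Returns true when all of them match.
static bool demoKick() {
    std::unique_ptr<PlayerTable> table(new PlayerTable());   // value-initialised, all zero
    table->slots[2].clock_index = 3;                         // qword_71E838[3] == 3000
    int before = sub_427EE0_calls;

    char *r = callKick(table.get(), 2);
    bool ok = table->slots[2].kicked == 1
           && table->slots[2].expiry == 3000 + 300000
           && r == reinterpret_cast<char *>(&table->slots[2].clock_index)
           && sub_427EE0_calls == before + 1;

    callKick(table.get(), 2);            // second kick: flag already set, guarded call skipped
    return ok && sub_427EE0_calls == before + 1;
}

int main() { return demoKick() ? 0 : 1; }
```

The `static_assert` lines are the useful habit here: when a struct is built from decompiler offsets, the compiler confirms that padding and alignment reproduce every offset and the array stride before anything is cast to it. On 32-bit MSVC the `THISCALL` macro makes the declaration identical to the one in the final post; the explicit `void *_this` parameter is what ends up in ecx.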

Virulant
Rake;42585 said:
This is a hard coded address? Glad to see you got this working :)
Yup, you can see this in this post (calling the KickPlayer function): https://guidedhacking.com/showthread.php?8064-IDA-Pro-thiscall&p=42529&viewfull=1#post42529 .
I've been trying to get it working for so long, I'm glad to be able to ask help here, I hope I'll one day be able to master this.

I'm not much interested in cheating and all that stuff, but being able to alter the game and add your own code is just something awesome. Unlimited possibilities.
Gosh, I wish I had been looking into it earlier instead of doing some lame C#!
 