[Tutorial] Basic Reversing in S4L (KickVote Function)

03/28/2015 22:07 Cyrex'#1
Hello. :)
Wanna show you how to reverse functions in S4 League.
So let's get started;

First you need the address of the pre-kickvote processing function,
which is located in some class(__thiscall). I found out that it's not a vtable entry, so that's not so good because with vftables you can always grab your functions easier.


PHP Code:
.text:00E5FB12                 push    eax                     ; 0 (arg_4 by address)
.text:00E5FB13                 lea     ecx, [ebp+arg_0]
.text:00E5FB16                 push    ecx                     ; &arg_0
.text:00E5FB17                 push    offset dword_1642368    ; address constant
.text:00E5FB1C                 push    1
.text:00E5FB1E                 mov     edx, [ebp+var_10]       ; this ptr (result of sub_E552E0)
.text:00E5FB21                 mov     eax, [edx]              ; vftable pointer
.text:00E5FB23                 mov     ecx, [ebp+var_10]       ; this -> ecx (__thiscall)
.text:00E5FB26                 mov     edx, [eax+20h]          ; vftable slot at +0x20
.text:00E5FB29                 call    edx
This is the actual kickvote interface invoke, which is of course in the processing function. You can see it takes five arguments (this ptr, 0x1, an address constant, and eax, which is 0x0).

Let's first see how those parameters are accomplished;

- First the this* is passed from another function to this one, then it's copied into a local variable and then processed within another function:

PHP Code:
int __thiscall sub_E552E0(void *this)
{
  return (int)((char *)this + 84);   // pointer to the sub-object at this + 84
}

After that the kickvote invoke function is just called and the function returns 1.

So to get all arguments just follow this:

1. Execute sub_562180 with the following arguments: 0E6D7080h (ds:dword_165E6A0), and the first and second arguments passed to the processing function (arg_0 and arg_4, NOT the this ptr).
2. Execute sub_E552E0 and save the result into some variable (with the this ptr that was passed to the processing function).
3. Kick invoke implementation:

PHP Code:
// vftable pointer is the first dword of v5; the invoke sits 32 bytes (0x20) into the vftable
(*(void (__thiscall **)(int, signed int, _DWORD, int *, char *))(*(_DWORD *)v5 + 32))(v5, 1, dword_1642368, &a2, &a4);
[For v5 use the result from step 2, then pass 1, then pass just 0]

To gather the this ptr from the processing function, just hook it:

(in your hook)
PHP Code:
__asm {
    mov temp_value, ecx   // ecx holds the this ptr on entry (__thiscall)
}

Or you can also grab it from the stack because it was pushed before.
Just calculate yourself where it should be on the stack.

The class ptr is always saved in the ecx register in the case of __thiscall.

Then you can just make a typedef and invoke it :)
PHP Code:
// function pointer type of the invoke (this, 1, address constant, &arg_0, &arg_4)
typedef void (__thiscall* invoke_Kick_t)(int, signed int, DWORD, int*, char*);
// processed_this = result of sub_E552E0; first dword is the vftable, slot at +0x20 is the invoke
invoke_Kick_t invoke_Kick_p = (*(void(__thiscall **)(int, signed int, DWORD, int*, char*))(*(DWORD*)processed_this + 0x20));
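As an added illustration (not code from the post or the game), here is a small C model of the two decompiler expressions above: sub_E552E0's this + 84 pointer arithmetic and the virtual call through *(_DWORD *)v5 + 32. The object layout, vftable contents and method bodies are constructed; offset 0x20 is slot 8 on the 32-bit game but slot 4 on a 64-bit build, so the slot index is derived from sizeof(void *).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a C++ object whose vptr sits at offset 0 and
 * which embeds an interface sub-object at this + 84 (the post's sub_E552E0). */
typedef struct Iface Iface;
typedef int (*vmethod_t)(Iface *self, int one, const void *tbl, int *a2, char *a4);

struct Iface { const vmethod_t *vftable; };   /* first word: vftable pointer */

struct Outer {
    char pad[84];    /* 84 bytes of unrelated members (constructed) */
    Iface iface;     /* on the 32-bit target this lands exactly at this + 84 */
};

static int vm_unrelated(Iface *s, int one, const void *t, int *a2, char *a4) {
    (void)s; (void)one; (void)t; (void)a2; (void)a4;
    return -1;       /* any slot other than the one at +0x20 */
}
static int vm_kickvote(Iface *s, int one, const void *t, int *a2, char *a4) {
    (void)s; (void)t;
    return (one == 1 && *a2 == 0 && *a4 == 0) ? 1 : 0;   /* the post: invoke returns 1 */
}

#define CALL_BYTE_OFFSET 0x20                      /* [eax+20h] in the listing */
#define SLOT (CALL_BYTE_OFFSET / sizeof(void *))   /* 8 on 32-bit, 4 on 64-bit */
static vmethod_t vftable[9];

/* sub_E552E0: plain pointer arithmetic, no vftable lookup involved */
Iface *get_iface(struct Outer *o) {
    return (Iface *)((char *)o + offsetof(struct Outer, iface));
}

/* (*(fn **)(*(_DWORD *)v5 + 32))(v5, 1, tbl, &a2, &a4), spelled out step by step */
int invoke_kick(struct Outer *o) {
    Iface *v5 = get_iface(o);
    uintptr_t vt;
    memcpy(&vt, v5, sizeof vt);                            /* mov eax, [edx]: read vptr */
    vmethod_t fn = *(vmethod_t *)(vt + CALL_BYTE_OFFSET);  /* mov edx, [eax+20h] */
    int a2 = 0; char a4 = 0;                               /* arg_0 / arg_4 passed by address */
    return fn(v5, 1, NULL, &a2, &a4);                      /* call edx */
}

struct Outer *make_outer(void) {
    static struct Outer obj;
    for (size_t i = 0; i < 9; i++) vftable[i] = vm_unrelated;
    vftable[SLOT] = vm_kickvote;                           /* only this slot is the invoke */
    obj.iface.vftable = vftable;
    return &obj;
}
```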
03/28/2015 22:08 HaMaDa..#2
Good Work :)
03/28/2015 22:09 Cyrex'#3
Quote:
Originally Posted by HaMaDa..
Good Work :)
Thanks ;)
03/28/2015 22:12 HaMaDa..#4
But I don't have this program :/
03/28/2015 22:14 Cyrex'#5
Quote:
Originally Posted by HaMaDa..
But I don't have this program :/
Just use Cheat Engine Disassembler or x64dbg.
03/29/2015 14:24 Wieso nicht?#6
So what can I do if I reversed a function? Which possibilities exist?
03/29/2015 14:59 LeheMan1#7
nice tuto thx
04/03/2015 14:45 Cyrex'#8
Quote:
Originally Posted by Wieso nicht?
So what can I do if I reversed a function? Which possibilities exist?
You can either call it or you can use it to gather other information like player info. Also you can understand how the game works and how to manipulate the game to your advantage.
04/03/2015 17:06 alexprototyp#9
Nice Tutorial.
04/07/2015 08:09 Neyil#10
Quote:
Originally Posted by .Paradox*
Just use Cheat Engine Disassembler or x64dbg.
how tf do you expect the guy to use the Cheat Engine disassembler when it uses shitty ASM.. while at the same time it's severely limited as a debugger..

The Cheat Engine disassembler doesn't use any c++ compilation at all so this guide is kinda useless for the Cheat Engine debugger itself.. (You're expecting this dude to convert code to long ass asm)

OllyDbg and IDA are the icing on the cake.. while sometimes it gets too sweet
and you overthink simple things.

When you say functions.. it's pretty broad since all are not the same. Every class has different attributes. It's better to compile code to change stuff if you're really going to do advanced stuff such as look for player ids.. because cmon you don't just grab player ids just to have player ids unless you are saving them or displaying them through some print class
04/07/2015 09:39 Terrat#11
#removed
04/10/2015 21:22 Cyrex'#12
Quote:
Originally Posted by Neyil
how tf do you expect the guy to use the Cheat Engine disassembler when it uses shitty ASM.. while at the same time it's severely limited as a debugger..

The Cheat Engine disassembler doesn't use any c++ compilation at all so this guide is kinda useless for the Cheat Engine debugger itself.. (You're expecting this dude to convert code to long ass asm)

OllyDbg and IDA are the icing on the cake.. while sometimes it gets too sweet
and you overthink simple things.

When you say functions.. it's pretty broad since all are not the same. Every class has different attributes. It's better to compile code to change stuff if you're really going to do advanced stuff such as look for player ids.. because cmon you don't just grab player ids just to have player ids unless you are saving them or displaying them through some print class
Decompiling the asm code into pseudo C code is just an example to clarify...
04/12/2015 20:41 Numino#13
Easy to understand and nice feature :) thanks :D
04/13/2015 17:01 Dominik0330#14
Works fine ... Really nice
Good job ;)