[ASM] C++ Call function

[NosLuna]

I find this in ollyDBG

Example how use? :

Code:

void rest()
{
	std::cout << "Debug" ;
	DWORD RestAddr = 0x0053A628;
	__asm
	{
		PUSH 1
		XOR ECX,ECX
		MOV EDX
		MOV EDX,DWORD PTR DS:[0x0053A628]
		CALL RestAddr
		}

	}

[IceTrailer]

#moved

[elmarcia]

Quote:

Originally Posted by NosLuna

I find this in ollyDBG

Example how use? :

Code:

void rest()
{
	std::cout << "Debug" ;
	DWORD RestAddr = 0x0053A628;
	__asm
	{
		PUSH 1
		XOR ECX,ECX
		MOV EDX
		MOV EDX,DWORD PTR DS:[0x0053A628]
		CALL RestAddr
		}

	}

U need to know which params are sent to the function and call it in your dll,
we know that the function gets two params, eax and String "rest" in this case, maybe same function with different strings make different things.
So go back to olly and check what the hell eax points to, presumably pointer to structure or sth else.

Steps to setup:
1) Run your game.
2) Open it with cheat engine and find base address (img1)
3) Open it with olly find target function address (img2)
4) Check what params are needed for function to work
5) Call function

Image 1


Image 2


Offset = targetFunctionAddress - BaseAddress

Code:

#include <windows.h>
#include <iostream>
#include <stdio.h>

HANDLE hThread;

typedef void _signature(void * unk,LPSTR action);
_signature * targetFunction = NULL;

void callRest(void * unk, LPSTR action);

void setup(){
  //get base address of current process
    DWORD baseAddress = (DWORD)GetModuleHandle(NULL);
   DWORD offset = 0x0; //this offset is obtained following image2
 targetFunction = (_signature *)(baseAddress + offset);
char action_rest[] = "rest";
void param1 = NULL; //you need to check what this param is first
//your main logic here
callRest(param1,action_rest);
//
}

void callRest(void * unk, LPSTR action){
targetFunction(unk,action);
}


BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        hThread = CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)setup,NULL,0,NULL);

        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        CloseHandle(hThread);
        break;
    }
    return TRUE;
}

Edit: i think i screw up with the image, and "rest" was the value from the instruction below, anyway u still have two params (you know number of params counting how many push are made to the stack before instruction call), if you need more info in what type those parameters are you can always go inside the function and check how they are used. A pointer to structure is a bit harder to set up because u need a way to obtain that pointer before using it.

Ex:

game calls -> getCurrentPlayer() or whatever to obtain its own pointer assuming thats needed for the function to work.

[//enhance]

wait so is this reading game memory?

[elmarcia]

Quote:

Originally Posted by //enhance

wait so is this reading game memory?

Is a step further, using debugger to find assembly instructions that do things in game (Ex: doRest(), attack(), findEntity() ...)

[kraneqq]

find the params, get the calling convention

build the function prototype

call the function

profit

[HighGamer.]

I would use IDA PRO on the target and press F5 this will get you the function calling conversion, then you can inline the function prototype.

Following prototype will look something like this

Code:

static auto game_rest_function= reinterpret_cast<void(__fastcall*)(*int unknown, LSTR action)>(0x11F4B41);

Call it like this

Code:

game_rest_function(0x12345678, "rest");

I make game hacks and bots for a living this is very easy for me, and hooking asm functions isn't complicated at all, make sure your target game is fully unpacked and runnable to prevent debugger detection, when injecting your DLL make breakpoints in ollydbg where your prototype function is called and step it line by line to see if it gets called properly.