I have this code, and it was working, but it stopped working after the game was updated. I tried to run it again, but there are things I do not understand.
Code:
#include <Windows.h>
#include <iostream>
#define _CRT_SECURE_NO_WARNINGS
using namespace std;
LPVOID m_lpPickDropDword = 0x0; // null-initialised; not referenced anywhere else in this listing
// Heap-allocated companion object owned by sAABuffer::pBuffer. The owning
// sAABuffer is handed to a function outside this file by address (see
// MainThread), so member order and sizes here are presumably read by that
// code as a fixed layout — NOTE(review): inferred from usage, not verified.
struct sAABuffer_Helper
{
DWORD SecondDword; // written by sAABuffer's constructor with its `Second` argument
BYTE Filler[0x200]; // zeroed by sAABuffer's constructor; not otherwise touched in this listing
};
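struct sAABuffer
{
    DWORD FirstDword;
    BYTE Filler[0x400]; // NOT ACTUALLY A FILLER, ITS THE SERIALIZED MSG BUFFER.
    sAABuffer_Helper* pBuffer;

    /// Builds the object with both leading DWORDs set and every byte of the
    /// two Filler arrays zeroed. The object's address is passed to code
    /// outside this file (see MainThread), so member order and sizes are
    /// left exactly as they were; only the construction is tidied.
    /// @param First  stored in FirstDword.
    /// @param Second stored in pBuffer->SecondDword.
    sAABuffer(DWORD First, DWORD Second)
        : FirstDword(First),
          Filler{},                       // value-initialised: all 0x400 bytes are zero
          pBuffer(new sAABuffer_Helper{}) // `{}` zeroes SecondDword and its Filler
    {
        pBuffer->SecondDword = Second;
    }

    // This type owns pBuffer. The implicitly generated copy operations would
    // leave two objects deleting the same helper (double free), so copying
    // and moving are disabled explicitly (Rule of Five).
    sAABuffer(const sAABuffer&) = delete;
    sAABuffer& operator=(const sAABuffer&) = delete;
    sAABuffer(sAABuffer&&) = delete;
    sAABuffer& operator=(sAABuffer&&) = delete;

    /// Releases the owned helper object.
    ~sAABuffer()
    {
        delete pBuffer;
    }
};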
// Signature assumed for the in-game function that MainThread resolves at
// runtime from the module base plus a fixed offset. The parameter names are
// the author's labels; nothing in this file checks that the callee really
// has this calling convention or argument count — NOTE(review): unverified.
typedef bool(__thiscall* p_AAFunction)(DWORD __this, DWORD __Two, DWORD __PlayerID, DWORD __MobID, DWORD __PlayerX, DWORD __PlayerY, DWORD __Zero);
p_AAFunction Org_AAPacketFunction; // zero-initialised (null) until MainThread assigns it
sAABuffer* m_AABuffer = 0x0; // owning raw pointer; allocated in MainThread and never deleted there
// Thread body started from DllMain. Resolves a function address from the
// module base plus a hard-coded offset, opens a console, then polls the
// keyboard forever; on Escape it allocates an sAABuffer and calls the
// resolved function with fixed constants.
// @param param the module handle DllMain received (used for self-unload,
//              but that code is unreachable — see below).
// @return 0, but the return is never reached either.
DWORD WINAPI MainThread(LPVOID param)
{
// NOTE(review): no null check. If no module with this name is loaded,
// GetModuleHandle returns NULL, moduleBase becomes 0 and the address
// computed on the next line is meaningless.
uintptr_t moduleBase = (uintptr_t)GetModuleHandle("gameco.exe");
// Fixed offset from the module base. Nothing verifies that the bytes at this
// address are the expected function; a rebuilt module can place code elsewhere.
Org_AAPacketFunction = (p_AAFunction)(moduleBase + 0x9C952D);
AllocConsole();
FILE* f;
// NOTE(review): return value ignored and `f` is not checked before fclose below.
freopen_s(&f, "CONOUT$", "w", stdout);
// Infinite loop: there is no break, so everything after the loop is dead code.
while (true)
{
Sleep(30);
// Any non-zero return (key currently down, or pressed since the last call) triggers.
if (GetAsyncKeyState(VK_ESCAPE)) {
Sleep(2000);
DWORD ecx1 = 0xF61A74;
DWORD ecx2 = 0xF6A1EC;
// NOTE(review): a new object is allocated on every trigger and the previous
// one is never deleted — the global m_AABuffer simply overwritten (leak).
m_AABuffer = new sAABuffer((DWORD)ecx1, (DWORD)ecx2);
// Pointer squeezed into a DWORD to match the typedef; only lossless on a
// 32-bit build, where sizeof(void*) == sizeof(DWORD).
auto AAPacketBuffer = reinterpret_cast<DWORD>(m_AABuffer);
// Magic arguments; meaning taken on faith from the typedef's parameter names.
Org_AAPacketFunction(AAPacketBuffer, 2, 0x28, 0xDD, 552, 382, 0);
}
}
// Unreachable: the loop above never exits.
fclose(f);
FreeConsole();
FreeLibraryAndExitThread((HMODULE)param, 0);
return 0;
}
BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpReserved) {
    // Loader entry point. Only process attach does anything: a worker thread
    // is started and handed the module handle so it can unload the DLL itself
    // later. All other reasons return TRUE without side effects. The work is
    // deferred to a thread because DllMain runs under the loader lock.
    if (dwReason == DLL_PROCESS_ATTACH) {
        CreateThread(0, 0, MainThread, hModule, 0, 0);
    }
    return TRUE;
}
Code:
009370C | 57 | push edi //0 | 009370E | FF75 EC | push dword ptr ss:[ebp-14] //y 009370E | 8D8D C0FBFFFF | lea ecx,dword ptr ss:[ebp-440] 009370F | FF75 E8 | push dword ptr ss:[ebp-18] // x 009370F | FFB6 28030000 | push dword ptr ds:[esi+328] // mopid 009370F | 50 | push eax //player id 009370F | 6A 02 | push 2 //2 009370F | E8 5E760500 | call <gameco.sub_98E761>
Code:
0098E761 | 55 | push ebp | 0098E76 | 8BEC | mov ebp,esp | 0098E76 | 53 | push ebx | 0098E76 | 8B5D 0C | mov ebx,dword ptr ss:[ebp+C] | 0098E76 | 56 | push esi | 0098E76 | 57 | push edi | 0098E76 | 8BF1 | mov esi,ecx // ecx =0018F5A0 = 0xF61A74 0098E76 | 85DB | test ebx,ebx | 0098E76 | 0F84 BA000000 | je gameco.98E82E | 0098E77 | 8B7D 10 | mov edi,dword ptr ss:[ebp+10] | 0098E77 | 85FF | test edi,edi | 0098E77 | 0F84 AF000000 | je gameco.98E82E | 0098E77 | E8 9870F4FF | call <JMP.&timeGetTime> | 0098E78 | 8B8E 04040000 | mov ecx,dword ptr ds:[esi+404] | 0098E78 | 8349 20 01 | or dword ptr ds:[ecx+20],1 | 0098E78 | 8941 28 | mov dword ptr ds:[ecx+28],eax | 0098E79 | 8B86 04040000 | mov eax,dword ptr ds:[esi+404] | 0098E79 | 8348 20 08 | or dword ptr ds:[eax+20],8 | 0098E79 | 0FB74D 14 | movzx ecx,word ptr ss:[ebp+14] | 0098E79 | 8958 34 | mov dword ptr ds:[eax+34],ebx | 0098E7A | 8B86 04040000 | mov eax,dword ptr ds:[esi+404] | 0098E7A | 8348 20 10 | or dword ptr ds:[eax+20],10 | 0098E7A | 8978 38 | mov dword ptr ds:[eax+38],edi | 0098E7A | 8B86 04040000 | mov eax,dword ptr ds:[esi+404] | 0098E7B | 8348 20 40 | or dword ptr ds:[eax+20],40 | 0098E7B | 8948 40 | mov dword ptr ds:[eax+40],ecx | 0098E7B | 8B86 04040000 | mov eax,dword ptr ds:[esi+404] | 0098E7C | 8148 20 80000000 | or dword ptr ds:[eax+20],80 | 0098E7C | 0FB74D 18 | movzx ecx,word ptr ss:[ebp+18] | 0098E7C | 8948 44 | mov dword ptr ds:[eax+44],ecx | 0098E7D | 8B86 04040000 | mov eax,dword ptr ds:[esi+404] | 0098E7D | 8148 20 00100000 | or dword ptr ds:[eax+20],1000 | 0098E7D | 0FB74D 08 | movzx ecx,word ptr ss:[ebp+8] | 0098E7E | 8948 58 | mov dword ptr ds:[eax+58],ecx | 0098E7E | 8B86 04040000 | mov eax,dword ptr ds:[esi+404] | 0098E7E | 8B4D 1C | mov ecx,dword ptr ss:[ebp+1C] | 0098E7E | 8148 20 00400000 | or dword ptr ds:[eax+20],4000 | 0098E7F | 8948 60 | mov dword ptr ds:[eax+60],ecx | 0098E7F | 8B8E 04040000 | mov ecx,dword ptr ds:[esi+404] // ecx = 0018F9A8 = 0xF6A1EC 0098E7F | 68 FC030000 | push 
3FC | 0098E80 | 8D46 08 | lea eax,dword ptr ds:[esi+8] | 0098E80 | 50 | push eax | 0098E80 | E8 05E13B00 | call <gameco.sub_D4C910> // thiscall function | 0098E80 | 84C0 | test al,al | 0098E80 | 74 1F | je gameco.98E82E | 0098E80 | 8B8E 04040000 | mov ecx,dword ptr ds:[esi+404] | 0098E81 | B8 57080000 | mov eax,857 | 0098E81 | 66:8946 06 | mov word ptr ds:[esi+6],ax | 0098E81 | 8B01 | mov eax,dword ptr ds:[ecx] | 0098E82 | FF50 20 | call dword ptr ds:[eax+20] | 0098E82 | 83C0 04 | add eax,4 | 0098E82 | 66:8946 04 | mov word ptr ds:[esi+4],ax | 0098E82 | B0 01 | mov al,1 | 0098E82 | EB 02 | jmp gameco.98E830 | 0098E82 | 32C0 | xor al,al | 0098E83 | 5F | pop edi | 0098E83 | 5E | pop esi | 0098E83 | 5B | pop ebx | 0098E83 | 5D | pop ebp | 0098E83 | C2 1800 | ret 18
Code:
// Decompiler output (Hex-Rays style) for a function inside the game module,
// pasted for reference. It is not compilable C++ as written: `this` is a
// keyword, and `_DWORD`, `_WORD` and `sub_D4C910` are decompiler-supplied
// names that are not declared anywhere in this file.
char __thiscall sub_98E761(
int this,
unsigned __int16 a2,
int a3,
int a4,
unsigned __int16 a5,
unsigned __int16 a6,
int a7)
{
DWORD Time; // eax
int v9; // ecx
int v10; // eax
int v11; // eax
int v12; // eax
int v13; // eax
int v14; // eax
int v15; // eax
int v16; // ecx
// Both a3 and a4 must be non-zero, otherwise nothing is written and 0 is returned.
if ( !a3 )
return 0;
if ( !a4 )
return 0;
Time = timeGetTime();
// Each store below is paired with setting one bit in the dword at +32 of the
// object reached through the pointer at this+1028; the pointer is re-read
// before every pair.
v9 = *(_DWORD *)(this + 1028);
*(_DWORD *)(v9 + 32) |= 1u;
*(_DWORD *)(v9 + 40) = Time;
v10 = *(_DWORD *)(this + 1028);
*(_DWORD *)(v10 + 32) |= 8u;
*(_DWORD *)(v10 + 52) = a3;
v11 = *(_DWORD *)(this + 1028);
*(_DWORD *)(v11 + 32) |= 0x10u;
*(_DWORD *)(v11 + 56) = a4;
v12 = *(_DWORD *)(this + 1028);
*(_DWORD *)(v12 + 32) |= 0x40u;
*(_DWORD *)(v12 + 64) = a5;
v13 = *(_DWORD *)(this + 1028);
*(_DWORD *)(v13 + 32) |= 0x80u;
*(_DWORD *)(v13 + 68) = a6;
v14 = *(_DWORD *)(this + 1028);
*(_DWORD *)(v14 + 32) |= 0x1000u;
*(_DWORD *)(v14 + 88) = a2;
v15 = *(_DWORD *)(this + 1028);
*(_DWORD *)(v15 + 32) |= 0x4000u;
*(_DWORD *)(v15 + 96) = a7;
// Helper call on this+8 with a fixed length; a zero result aborts with 0.
if ( !(unsigned __int8)sub_D4C910(this + 8, 1020) )
return 0;
v16 = *(_DWORD *)(this + 1028);
*(_WORD *)(this + 6) = 2135;
// Indirect call through slot +32 of v16's first pointer (vtable-style
// dispatch, presumably); its result plus 4 is stored as a 16-bit value.
*(_WORD *)(this + 4) = (*(int (__thiscall **)(int))(*(_DWORD *)v16 + 32))(v16) + 4;
return 1;
}
Code:
00B1773 | 55 | push ebp | 00B1773 | 8BEC | mov ebp,esp | 00B1773 | 53 | push ebx | 00B1773 | 8B5D 0C | mov ebx,dword ptr ss:[ebp+C] | 00B1773 | 56 | push esi | 00B1773 | 8BF1 | mov esi,ecx | 00B1773 | 57 | push edi | 00B1774 | 85DB | test ebx,ebx | 00B1774 | 0F84 86000000 | je gameco.B177CE | 00B1774 | 8B7D 10 | mov edi,dword ptr ss:[ebp+10] | 00B1774 | 85FF | test edi,edi | 00B1774 | 74 7F | je gameco.B177CE | 00B1774 | E8 FA72EEFF | call <JMP.&timeGetTime> | 00B1775 | 8986 2C040000 | mov dword ptr ds:[esi+42C],eax | 00B1775 | 8D8E 08040000 | lea ecx,dword ptr ds:[esi+408] | 00B1776 | 0FB745 14 | movzx eax,word ptr ss:[ebp+14] | 00B1776 | 899E 38040000 | mov dword ptr ds:[esi+438],ebx | 00B1776 | 89BE 3C040000 | mov dword ptr ds:[esi+43C],edi | 00B1777 | 8986 44040000 | mov dword ptr ds:[esi+444],eax | 00B1777 | 0FB745 18 | movzx eax,word ptr ss:[ebp+18] | 00B1777 | 8986 48040000 | mov dword ptr ds:[esi+448],eax | 00B1778 | 0FB745 08 | movzx eax,word ptr ss:[ebp+8] | 00B1778 | 8986 5C040000 | mov dword ptr ds:[esi+45C],eax | 00B1778 | 818E 24040000 D950000 | or dword ptr ds:[esi+424],50D9 | 00B1779 | 8B45 1C | mov eax,dword ptr ss:[ebp+1C] | 00B1779 | 8986 64040000 | mov dword ptr ds:[esi+464],eax | 00B1779 | 8D46 08 | lea eax,dword ptr ds:[esi+8] | 00B177A | 68 FC030000 | push 3FC | 00B177A | 50 | push eax | 00B177A | E8 55E32D00 | call gameco.DF5B00 | 00B177A | 84C0 | test al,al | 00B177A | 74 1F | je gameco.B177CE | 00B177A | B8 57080000 | mov eax,857 | 00B177B | 8D8E 08040000 | lea ecx,dword ptr ds:[esi+408] | 00B177B | 66:8946 06 | mov word ptr ds:[esi+6],ax | 00B177B | 8B01 | mov eax,dword ptr ds:[ecx] | 00B177C | FF50 20 | call dword ptr ds:[eax+20] | 00B177C | 83C0 04 | add eax,4 | 00B177C | 66:8946 04 | mov word ptr ds:[esi+4],ax | 00B177C | B0 01 | mov al,1 | 00B177C | EB 02 | jmp gameco.B177D0 | 00B177C | 32C0 | xor al,al | 00B177D | 5F | pop edi | 00B177D | 5E | pop esi | 00B177D | 5B | pop ebx | 00B177D | 5D | pop ebp | 00B177D | C2 1800 | ret 18 |
Please help — I do not understand this struct or why it was used like this.
Code:
// Heap-allocated companion object owned by sAABuffer::pBuffer. The owning
// sAABuffer is handed to a function outside this file by address (see
// MainThread), so member order and sizes here are presumably read by that
// code as a fixed layout — NOTE(review): inferred from usage, not verified.
struct sAABuffer_Helper
{
DWORD SecondDword; // written by sAABuffer's constructor with its `Second` argument
BYTE Filler[0x200]; // zeroed by sAABuffer's constructor; not otherwise touched in this listing
};
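struct sAABuffer
{
    DWORD FirstDword;
    BYTE Filler[0x400]; // NOT ACTUALLY A FILLER, ITS THE SERIALIZED MSG BUFFER.
    sAABuffer_Helper* pBuffer;

    /// Builds the object with both leading DWORDs set and every byte of the
    /// two Filler arrays zeroed. The object's address is passed to code
    /// outside this file (see MainThread), so member order and sizes are
    /// left exactly as they were; only the construction is tidied.
    /// @param First  stored in FirstDword.
    /// @param Second stored in pBuffer->SecondDword.
    sAABuffer(DWORD First, DWORD Second)
        : FirstDword(First),
          Filler{},                       // value-initialised: all 0x400 bytes are zero
          pBuffer(new sAABuffer_Helper{}) // `{}` zeroes SecondDword and its Filler
    {
        pBuffer->SecondDword = Second;
    }

    // This type owns pBuffer. The implicitly generated copy operations would
    // leave two objects deleting the same helper (double free), so copying
    // and moving are disabled explicitly (Rule of Five).
    sAABuffer(const sAABuffer&) = delete;
    sAABuffer& operator=(const sAABuffer&) = delete;
    sAABuffer(sAABuffer&&) = delete;
    sAABuffer& operator=(sAABuffer&&) = delete;

    /// Releases the owned helper object.
    ~sAABuffer()
    {
        delete pBuffer;
    }
};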






