Fable TLC - Pointer Tracing\Function Decoding

Discussions Related to Game Hacking and Memory Hacking Software


Postby PsychoTron » Sat Sep 11, 2010 4:50 am

So I've been trying to expand the hotkey functionality of the game "Fable: The Lost Chapters".

I've tracked down the function that is being used to switch out items from the hotkey bar. My non-pointer addresses for hotkey slots pass through this function, so how would I go about tracing that to the pointer?

0x00584F24: and dword ptr [eax+ecx*4], 0

That's where it gets the value from; EAX+ECX*4 is my hotkey's non-pointer value. (Is that an array, btw? The "], 0" is for array index access, correct?)

Also, how do I determine the real types of function parameters? I know I can debug, and sometimes see a familiar value, and guess at the type then, but I'm getting no clues from watching the registers. (Is there an easier\better way to determine what they are?)

.text:00584F15 ChangeHotkeys_584F15 proc near          ; CODE XREF: sub_42005B+2608p
.text:00584F15
.text:00584F15 var_10          = dword ptr -10h
.text:00584F15 var_8           = dword ptr -8
.text:00584F15 var_4           = dword ptr -4
.text:00584F15 arg_0           = dword ptr  8
.text:00584F15 arg_4           = dword ptr  0Ch
.text:00584F15
.text:00584F15                 push    ebp
.text:00584F16                 mov     ebp, esp
.text:00584F18                 sub     esp, 10h
.text:00584F1B                 mov     eax, [ecx+148h]
.text:00584F21                 mov     ecx, [ebp+arg_0]
.text:00584F24                 and     dword ptr [eax+ecx*4], 0
.text:00584F28                 push    ebx
.text:00584F29                 push    esi
.text:00584F2A                 mov     esi, [ebp+arg_4]
.text:00584F2D                 push    edi
.text:00584F2E                 mov     edi, [esi]
.text:00584F30                 push    ecx
.text:00584F31                 mov     ecx, esp
.text:00584F33                 push    0FFFFFFFFh
.text:00584F35                 push    offset aPc_expression_ ; "PC_EXPRESSION_ITEM_ASSIGNMENT_ICON_INSI"...
.text:00584F3A                 call    sub_99EBF0
.text:00584F3F                 mov     ecx, esi
.text:00584F41                 call    dword ptr [edi+0Ch]
.text:00584F44                 mov     edi, eax
.text:00584F46                 test    edi, edi
.text:00584F48                 jz      short loc_584F92
.text:00584F4A                 lea     ecx, [ebp+var_8]
.text:00584F4D                 call    sub_42BED4
.text:00584F52                 mov     ebx, [edi]
.text:00584F54                 push    ecx
.text:00584F55                 push    ecx
.text:00584F56                 lea     eax, [ebp+var_8]
.text:00584F59                 mov     ecx, esp
.text:00584F5B                 push    eax
.text:00584F5C                 mov     [ebp+var_8], 1
.text:00584F63                 call    sub_42CD84
.text:00584F68                 mov     ecx, edi
.text:00584F6A                 call    dword ptr [ebx+0F8h]
.text:00584F70                 mov     eax, [edi]
.text:00584F72                 lea     ecx, [ebp+arg_0]
.text:00584F75                 push    ecx
.text:00584F76                 mov     ecx, edi
.text:00584F78                 call    dword ptr [eax+38h]
.text:00584F7B                 mov     eax, [edi]
.text:00584F7D                 lea     ecx, [ebp+arg_0]
.text:00584F80                 push    ecx
.text:00584F81                 mov     ecx, edi
.text:00584F83                 mov     byte ptr [ebp+arg_0+3], 0
.text:00584F87                 call    dword ptr [eax+34h]
.text:00584F8A                 lea     ecx, [ebp+var_4]
.text:00584F8D                 call    sub_42ABCA
.text:00584F92
.text:00584F92 loc_584F92:                             ; CODE XREF: ChangeHotkeys_584F15+33j
.text:00584F92                 call    sub_41E5F2
.text:00584F97                 push    0FFFFFFFFh
.text:00584F99                 push    offset aPc_expressio_0 ; "PC_EXPRESSION_ITEM_INSIDE_CONTAINER"
.text:00584F9E                 lea     ecx, [ebp+arg_0]
.text:00584FA1                 mov     edi, eax
.text:00584FA3                 call    sub_99EBF0
.text:00584FA8                 push    0
.text:00584FAA                 lea     eax, [ebp+arg_0]
.text:00584FAD                 push    eax
.text:00584FAE                 mov     ecx, edi
.text:00584FB0                 call    sub_41DB1D
.text:00584FB5                 push    eax
.text:00584FB6                 lea     ecx, [ebp+var_10]
.text:00584FB9                 call    sub_429C15
.text:00584FBE                 lea     ecx, [ebp+arg_0]
.text:00584FC1                 call    sub_99EAE0
.text:00584FC6                 mov     eax, [esi]
.text:00584FC8                 lea     ecx, [ebp+var_10]
.text:00584FCB                 push    ecx
.text:00584FCC                 mov     ecx, esi
.text:00584FCE                 call    dword ptr [eax+0F0h]
.text:00584FD4                 lea     ecx, [ebp+var_10]
.text:00584FD7                 call    sub_4291DE
.text:00584FDC                 pop     edi
.text:00584FDD                 pop     esi
.text:00584FDE                 pop     ebx
.text:00584FDF                 leave
.text:00584FE0                 retn    8
.text:00584FE0    ChangeHotkeys_584F15 endp

Re: Fable TLC - Pointer Tracing\Function Decoding

Postby L. Spiro » Sat Sep 11, 2010 7:24 am

], 0 is not array access.
eax+ecx*4 is array access, with ECX being the index.
Whatever the value of EAX is, that is the base of the array.


It is usually enough to know that parameters are always promoted to 32-bit values (or a pair of 32-bit values in the case of __int64 and double) but if you really think you need more than that look at how they are being used in the function. Floating-point registers ST* obviously mean the value is a float or double. http://www.powerbasic.com/support/help/ ... isters.htm


L. Spiro
Our songs remind you of songs you’ve never heard.

Re: Fable TLC - Pointer Tracing\Function Decoding

Postby PsychoTron » Sat Sep 11, 2010 12:42 pm

I wanted to know about the function params, because I might want to hook a function. (So I need to treat the data properly depending on what I'm doing.)

Anyways, I tracked down the pointers I needed.

So how do I use the complex address? I'm working in C# for this project. I have a ReadProcessMemory function set up, but I'm not sure what to feed it.

Hotkey Slot 1
[[[[[0x013B8790]+0x32C]+0x4]+0x0]+0x18]+0x0

I tried just adding those values + base (0x00400000), which gave me this:

0x017B8AD8 // Should be slot 1

So I read the memory at that address (0x017B8AD8), but it's returning 112, when I know the value is 0.

So, how do I properly add the values?

Thanks for your help so far, I do appreciate it. :)

--

(Btw, keep in mind, I just started with C++\ASM, only been working on it for a few days now.)

Re: Fable TLC - Pointer Tracing\Function Decoding

Postby L. Spiro » Sat Sep 11, 2010 1:43 pm

You didn't include a module name in the Complex Address so you should not be adding a base of 0x00400000.
The rules for processing a Complex Address are clearly stated in the help file. Whatever number is inside [] is an address that is passed to ReadProcessMemory().



Re: Fable TLC - Pointer Tracing\Function Decoding

Postby PsychoTron » Sat Sep 11, 2010 3:19 pm

Edit:

Okay, so after some more searching, I found this thread..

viewtopic.php?f=6&t=4932&start=0

It says you need to write a parser, which is something you could have told me right off the bat when you saw I was trying to add the numbers, etc.

So, how about some info on the format? I can't parse something I don't understand; how do the offsets work?

[[[[[0x013B8790]+0x32C]+0x4]+0x0]+0x18]+0x0

I'm guessing, that the 0x013B8790 is the last pointer in the chain.

But what are the offsets? I'm again assuming that when I read 0x013B8790, I will get the next pointer, but what do I do with the offset: just add it, or what?

(Can this be avoided somehow? Can I just add my module name plus some combination of those values to create a directly usable address?)

Re: Fable TLC - Pointer Tracing\Function Decoding

Postby L. Spiro » Sun Sep 12, 2010 5:17 am

I didn’t tell you to make a parser because such a thing is unreasonable even for people with decent experience with C++.
The Complex Address system is one of the most complex pieces of code in MHS, particularly so due to the large number of variants it supports.

It is far too much overkill for all you want to do, since you do not need to read generic Complex Addresses but instead just a few specific ones. Which means you can hard-code them. And my advice above is sufficient for that.


I have posted a simple parser example that allows you to reformat a simple Complex Address to a single C++ (or C#) statement before.
viewtopic.php?f=37&t=7149


Once again:
#include <windows.h>

extern HANDLE g_hProcess;   // handle to the target process (see the comment in DeRef)

// Reads one pointer-sized value from the target process and returns it,
// or 0 if ReadProcessMemory() fails.
UINT_PTR DeRef( UINT_PTR _uiptrPointer ) {
    UINT_PTR uiptrRet;
    // g_hProcess assumed to be a global, but this is bad coding practice.
    //  Make it a class member or pass it to this function.
    if ( !::ReadProcessMemory( g_hProcess, reinterpret_cast<LPCVOID>(_uiptrPointer), &uiptrRet, sizeof( uiptrRet ), NULL ) ) { return 0UL; }
    return uiptrRet;
}


// [[[[[0x013B8790]+0x32C]+0x4]+0x0]+0x18]+0x0
// Each [] becomes one DeRef() call; each +N is added to the result before the next read.
UINT_PTR uiptrFinal = DeRef( DeRef( DeRef( DeRef( DeRef( 0x013B8790 ) + 0x32C ) + 0x4 ) + 0x0 ) + 0x18 ) + 0x0;


viewtopic.php?f=30&t=5519


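The bracket notation discussed in this thread, as an added worked example (this is not code from the thread, from L. Spiro, or from MHS itself): a small evaluator that turns a string such as [[[[[0x013B8790]+0x32C]+0x4]+0x0]+0x18]+0x0 into one ReadProcessMemory-style read per pair of brackets, with the offsets added in between, which is exactly what the nested DeRef() calls above do by hand. Only the subset of the notation used on this page is implemented (literal numbers, [ ] for a dereference, + and -); module-relative names are deliberately not handled. The memory reader is a callback, so the chain is checked here against a constructed fake process image whose intermediate addresses (0x02000000, 0x02100000, ...) are made-up values, not real Fable addresses; on Windows the ProcessMemory() reader wraps ReadProcessMemory() for a 32-bit target, which is what the listing above shows.

```cpp
// Added example: evaluator for pointer chains written as [[[base]+off]+off]+off.
// Grammar:  expr := term (('+'|'-') term)*     term := number | '[' expr ']'
// A bare number is a literal; [expr] reads the 32-bit value stored at expr.
// The outermost "+0x0" is an offset, so the result is the ADDRESS of the slot,
// not the slot's contents. Target is 32-bit x86, so pointers are uint32_t.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <functional>
#include <map>
#include <stdexcept>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Reads the 32-bit value at addr into out; false if the read fails
// (unmapped page, NULL pointer in the middle of a chain, ...).
using ReadFn = std::function<bool(uint32_t addr, uint32_t& out)>;

static std::string Hex(uint32_t v) {
    char buf[16];
    std::snprintf(buf, sizeof buf, "0x%08X", v);
    return buf;
}

namespace {
struct Parser {
    const char* p;
    const ReadFn& read;

    void SkipWs() { while (*p == ' ' || *p == '\t') ++p; }

    uint32_t Number() {
        SkipWs();
        char* end = nullptr;
        unsigned long v = std::strtoul(p, &end, 0);   // base 0 accepts the 0x prefix
        if (end == p) throw std::runtime_error(std::string("expected a number at: ") + p);
        p = end;
        return static_cast<uint32_t>(v);
    }

    uint32_t Term() {
        SkipWs();
        if (*p != '[') return Number();
        ++p;                                   // consume '['
        uint32_t inner = Expr();
        SkipWs();
        if (*p != ']') throw std::runtime_error("expected ']'");
        ++p;                                   // consume ']'
        uint32_t value = 0;
        if (!read(inner, value))               // one read per bracket level
            throw std::runtime_error("read failed at " + Hex(inner));
        return value;
    }

    uint32_t Expr() {
        uint32_t v = Term();
        for (;;) {
            SkipWs();
            if (*p == '+')      { ++p; v += Term(); }
            else if (*p == '-') { ++p; v -= Term(); }
            else return v;
        }
    }
};
}  // namespace

// Evaluates a chain to its final address. Throws on a syntax error or on a
// failed dereference (broken chain) instead of silently continuing from 0+offset.
uint32_t EvaluateComplexAddress(const std::string& text, const ReadFn& read) {
    Parser ps{text.c_str(), read};
    uint32_t v = ps.Expr();
    ps.SkipWs();
    if (*ps.p != '\0') throw std::runtime_error(std::string("trailing input: ") + ps.p);
    return v;
}

// Non-throwing wrapper: false means the chain could not be resolved.
bool TryEvaluate(const std::string& text, const ReadFn& read, uint32_t& out) {
    try { out = EvaluateComplexAddress(text, read); return true; }
    catch (const std::exception&) { return false; }
}

// Constructed fake process image (assumed values, not real Fable addresses beyond
// the base 0x013B8790): each step points to the next block; the slot holds 0.
ReadFn FakeMemory() {
    std::map<uint32_t, uint32_t> mem = {
        {0x013B8790, 0x02000000},   // [0x013B8790]          -> 0x02000000
        {0x0200032C, 0x02100000},   // [0x02000000 + 0x32C]  -> 0x02100000
        {0x02100004, 0x02200000},   // [0x02100000 + 0x4]    -> 0x02200000
        {0x02200000, 0x02300000},   // [0x02200000 + 0x0]    -> 0x02300000
        {0x02300018, 0x02400000},   // [0x02300000 + 0x18]   -> 0x02400000
        {0x02400000, 0x00000000},   // slot 1 contents        -> 0 (empty)
    };
    return [mem](uint32_t addr, uint32_t& out) {
        auto it = mem.find(addr);
        if (it == mem.end()) return false;     // unmapped, like ReadProcessMemory failing
        out = it->second;
        return true;
    };
}

#ifdef _WIN32
// Real reader for a 32-bit target process: one ReadProcessMemory per bracket level.
ReadFn ProcessMemory(HANDLE hProcess) {
    return [hProcess](uint32_t addr, uint32_t& out) {
        SIZE_T got = 0;
        return ReadProcessMemory(hProcess, reinterpret_cast<LPCVOID>(static_cast<uintptr_t>(addr)),
                                 &out, sizeof out, &got) && got == sizeof out;
    };
}
#endif

int main() {
    const std::string slot1 = "[[[[[0x013B8790]+0x32C]+0x4]+0x0]+0x18]+0x0";
    ReadFn rd = FakeMemory();
    uint32_t addr = 0, value = 0;
    if (TryEvaluate(slot1, rd, addr) && rd(addr, value))
        std::printf("%s -> %s, contents %u\n", slot1.c_str(), Hex(addr).c_str(), value);
    else
        std::printf("chain not resolvable (game state not loaded?)\n");
    return 0;
}
```

The point a practitioner should take from this is the failure mode: a chain like this breaks whenever an intermediate object does not exist yet (inventory not loaded, different game screen), and a reader that returns 0 on failure then happily reads 0+0x32C and produces garbage. TryEvaluate() reports that case instead, which is the check a hotkey tool should make before writing anything back.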

Re: Fable TLC - Pointer Tracing\Function Decoding

Postby PsychoTron » Sun Sep 12, 2010 8:59 am

I got my tool running and released over at a Fable mod community, the code needs a good rewrite now that it's all working, but other than that it seems to do the job.

Also, I intended no offense before, that's just how I am, sorry if you misunderstood. :(

