Fable TLC - Pointer Tracing\Function Decoding
Posted: Sat Sep 11, 2010 4:50 am
So I've been trying to expand the hotkey functionality of the game "Fable: The Lost Chapters".
I've tracked down the function that is being used to switch out items from the hotkey bar. My non-pointer addresses for hotkey slots pass through this function, so how would I go about tracing that to the pointer?
0x00584F24: and dword ptr [eax+ecx*4], 0
That's where it gets the value from; EAX+ECX*4 is my hotkey's non-pointer value. (Is that an array, btw? The "], 0" is for array index access, correct?)
Also, how do I determine the real types of function parameters? I know I can debug, and sometimes see a familiar value and guess at the type then, but I'm getting no clues from watching the registers. (Is there an easier\better way to determine what they are?)
Code:
.text:00584F15 ChangeHotkeys_584F15 proc near ; CODE XREF: sub_42005B+2608p
.text:00584F15
.text:00584F15 var_10 = dword ptr -10h
.text:00584F15 var_8 = dword ptr -8
.text:00584F15 var_4 = dword ptr -4
.text:00584F15 arg_0 = dword ptr 8
.text:00584F15 arg_4 = dword ptr 0Ch
.text:00584F15
.text:00584F15 push ebp
.text:00584F16 mov ebp, esp
.text:00584F18 sub esp, 10h
.text:00584F1B mov eax, [ecx+148h]
.text:00584F21 mov ecx, [ebp+arg_0]
.text:00584F24 and dword ptr [eax+ecx*4], 0
.text:00584F28 push ebx
.text:00584F29 push esi
.text:00584F2A mov esi, [ebp+arg_4]
.text:00584F2D push edi
.text:00584F2E mov edi, [esi]
.text:00584F30 push ecx
.text:00584F31 mov ecx, esp
.text:00584F33 push 0FFFFFFFFh
.text:00584F35 push offset aPc_expression_ ; "PC_EXPRESSION_ITEM_ASSIGNMENT_ICON_INSI"...
.text:00584F3A call sub_99EBF0
.text:00584F3F mov ecx, esi
.text:00584F41 call dword ptr [edi+0Ch]
.text:00584F44 mov edi, eax
.text:00584F46 test edi, edi
.text:00584F48 jz short loc_584F92
.text:00584F4A lea ecx, [ebp+var_8]
.text:00584F4D call sub_42BED4
.text:00584F52 mov ebx, [edi]
.text:00584F54 push ecx
.text:00584F55 push ecx
.text:00584F56 lea eax, [ebp+var_8]
.text:00584F59 mov ecx, esp
.text:00584F5B push eax
.text:00584F5C mov [ebp+var_8], 1
.text:00584F63 call sub_42CD84
.text:00584F68 mov ecx, edi
.text:00584F6A call dword ptr [ebx+0F8h]
.text:00584F70 mov eax, [edi]
.text:00584F72 lea ecx, [ebp+arg_0]
.text:00584F75 push ecx
.text:00584F76 mov ecx, edi
.text:00584F78 call dword ptr [eax+38h]
.text:00584F7B mov eax, [edi]
.text:00584F7D lea ecx, [ebp+arg_0]
.text:00584F80 push ecx
.text:00584F81 mov ecx, edi
.text:00584F83 mov byte ptr [ebp+arg_0+3], 0
.text:00584F87 call dword ptr [eax+34h]
.text:00584F8A lea ecx, [ebp+var_4]
.text:00584F8D call sub_42ABCA
.text:00584F92
.text:00584F92 loc_584F92: ; CODE XREF: ChangeHotkeys_584F15+33j
.text:00584F92 call sub_41E5F2
.text:00584F97 push 0FFFFFFFFh
.text:00584F99 push offset aPc_expressio_0 ; "PC_EXPRESSION_ITEM_INSIDE_CONTAINER"
.text:00584F9E lea ecx, [ebp+arg_0]
.text:00584FA1 mov edi, eax
.text:00584FA3 call sub_99EBF0
.text:00584FA8 push 0
.text:00584FAA lea eax, [ebp+arg_0]
.text:00584FAD push eax
.text:00584FAE mov ecx, edi
.text:00584FB0 call sub_41DB1D
.text:00584FB5 push eax
.text:00584FB6 lea ecx, [ebp+var_10]
.text:00584FB9 call sub_429C15
.text:00584FBE lea ecx, [ebp+arg_0]
.text:00584FC1 call sub_99EAE0
.text:00584FC6 mov eax, [esi]
.text:00584FC8 lea ecx, [ebp+var_10]
.text:00584FCB push ecx
.text:00584FCC mov ecx, esi
.text:00584FCE call dword ptr [eax+0F0h]
.text:00584FD4 lea ecx, [ebp+var_10]
.text:00584FD7 call sub_4291DE
.text:00584FDC pop edi
.text:00584FDD pop esi
.text:00584FDE pop ebx
.text:00584FDF leave
.text:00584FE0 retn 8
.text:00584FE0 ChangeHotkeys_584F15 endp
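As an added example (not part of the original post, and not code from the game), here is a C reconstruction of the first three instructions of ChangeHotkeys_584F15 together with a generic pointer-path resolver of the kind a "find the pointer" workflow ends up with. What the listing supports: ECX already holds an object pointer on entry (consistent with MSVC __thiscall, with `retn 8` cleaning the two stack arguments), the pointer to the slot table lives at that object + 0x148, and `[eax+ecx*4]` is dword indexing with arg_0 as the index. The `, 0` in `and dword ptr [eax+ecx*4], 0` is the immediate operand of AND, not an index: AND-ing with zero is the compiler's short encoding for storing a zero, so the instruction reads `slots[index] = 0`. The struct and field names, the `uint32_t` element type and the sample values are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical reconstruction of the object whose address arrives in ECX.
 * Only the field at +0x148 is visible in the listing; everything before it
 * is unknown to this function, and the names here are assumptions. */
struct HotkeyOwner {
    uint8_t   unknown[0x148];   /* fields this function never touches */
    uint32_t *slots;            /* mov eax, [ecx+148h] */
};

/* C reading of 00584F1B..00584F24:
 *   mov eax, [ecx+148h]           ; eax = this->slots
 *   mov ecx, [ebp+arg_0]          ; ecx = slot index (first stack argument)
 *   and dword ptr [eax+ecx*4], 0  ; this->slots[ecx] = 0
 * AND with 0 is just a compact way to write a zero to memory. */
void change_hotkeys_clear_slot(struct HotkeyOwner *self, uint32_t slot_index)
{
    self->slots[slot_index] = 0;
}

/* Effective address of [eax+ecx*4] for given register values: base register
 * plus index register scaled by 4, i.e. dword-sized array elements. */
uintptr_t sib_address(uintptr_t eax, uintptr_t ecx)
{
    return eax + ecx * 4;
}

/* Generic pointer-path resolver: every offset except the last is
 * dereferenced, the last one is only added. For this function the path is
 * { 0x148, index*4 } starting from the object pointer that was in ECX. */
uintptr_t resolve_pointer_path(uintptr_t base, const size_t *offsets, size_t count)
{
    uintptr_t addr = base;
    for (size_t i = 0; i + 1 < count; i++) {
        uintptr_t next;
        memcpy(&next, (const void *)(addr + offsets[i]), sizeof next);
        addr = next;
    }
    return addr + offsets[count - 1];
}

/* Builds a constructed sample object and checks that the pointer path
 * lands on exactly the cell the function zeroes. Returns 1 on success. */
int run_demo(void)
{
    static uint32_t slot_table[8];          /* constructed sample slot table */
    struct HotkeyOwner owner;
    for (unsigned i = 0; i < 8; i++)
        slot_table[i] = 0x1000 + i;         /* constructed item ids */
    owner.slots = slot_table;

    if (offsetof(struct HotkeyOwner, slots) != 0x148) return 0;

    size_t path[2] = { 0x148, 2 * sizeof(uint32_t) };   /* slot index 2 */
    uintptr_t via_path = resolve_pointer_path((uintptr_t)&owner, path, 2);
    uintptr_t via_sib  = sib_address((uintptr_t)owner.slots, 2);
    if (via_path != via_sib) return 0;
    if (via_path != (uintptr_t)&slot_table[2]) return 0;

    change_hotkeys_clear_slot(&owner, 2);
    if (slot_table[2] != 0) return 0;                     /* cleared */
    if (slot_table[1] != 0x1001 || slot_table[3] != 0x1003) return 0; /* neighbours intact */
    return 1;
}

int main(void)
{
    printf("%s\n", run_demo() ? "pointer path and AND-zero idiom agree" : "mismatch");
    return 0;
}
```

The practical reading for the question asked: the "non-pointer" slot address found with a scanner is `[object + 0x148] + index*4`, so the static thing to look for next is whatever writes ECX before the call at sub_42005B+2608 (the caller's `this`), and the pointer path from there is one dereference at +0x148 followed by the index offset.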