Reversing a function - need some help

  1. #1 streppel (Active Member)


    hey

    [ASM (NASM)] ; private: void __thiscall FlowControlModule_t::SlotMovementForward(bool) .text - Pastebin.com <-- there is the function
    I'm trying to call it, and it works fine so far, BUT only for starting to move. But as there is no other function to stop moving, and my breakpoint is hit when I stop walking forward, it has to be this function.

    It doesn't make any difference when I try to call it with true or false as the argument; it still keeps on running.

    When the breakpoint is hit I can see that the ESI register changes: it has the value 042CEE00 when I begin to walk and 042CEE01 when stopping, so.

    What I did then was to try to set ESI myself before the call, but it didn't work either (didn't change anything, but didn't crash either).

    My last attempt was to look at what is in the ESP register and reconstruct it, writing it into the game memory and mov'ing my pointer into ESP, which led to a crash of the client.

    Would be really nice if one of you could help me here, as my assembler skills aren't the best, though I'm already trying to learn.

    BTW, Hex-Rays didn't work there, telling me to adjust the stack pointer (I'm new to Hex-Rays, so this is another story, but any help on this (not telling me what I should change the stack pointer to, but explaining how I can find it out myself) would be nice too).

    streppel

    PS: and sorry this is not WoW-related, but this section is so much more frequently visited by all people that the chance to get an answer is the biggest here.

  2. #2 Verletzer (Private)
    A few observations...

    The calling convention for this function is not thiscall. I believe it would be considered a stdcall function. The thiscall calling convention typically uses the ECX register to hold the pointer to "this"; however, this is not required. I believe VC++ will always use ECX; other compilers could use something else. Regardless, I do not see any register being used in a manner that would suggest a pointer to "this".

    I can see why the Hex-Rays decompiler complained about the stack pointer. Lines 13/14 push ECX/ESI, putting 8 bytes onto the stack. Line 40 restores (pops) the value of ESI but not ECX. This means that there are an extra 4 bytes on the stack. Unfortunately I have yet to master this decompiler, so I am not sure what steps you would need to take to make it happy.

    N3InterfaceModule_t::GetInstance on lines 15 and 37 appears to return a pointer to an object, held in EAX after the call. This is then copied to ECX before N3Msg_GetMovementMode/N3Msg_MovementChanged is called. This usage of ECX suggests that these two functions qualify as thiscall.

    From what I see, ESI is only used to hold the address of functions that are called. I am not sure where you were in the function when ESI was equal to 042CEE00. If anything, it pointed to the address of another function.

    While I did not provide you with a clear answer to the question, I hope that helped clear things up a bit and will lead you to the solution.
    Last edited by Verletzer; 06-06-2011 at 04:48 PM.
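The stack imbalance described in the reply above (ECX and ESI saved on entry, only ESI restored) is the kind of thing a decompiler's stack-pointer analysis trips over. As an added example, not code from the thread or from the game, here is a small tracker that replays the push/pop effects of a 32-bit listing and reports what the function still has on its stack at return. The listing is constructed for this example; the callee names come from the reply, but their instruction order and the callee argument-cleanup sizes are assumptions.

```python
import re

# Constructed x86 listing modelled on the observations in the reply above:
# ECX and ESI are saved on entry, but only ESI is restored before return.
# Instruction order and argument sizes are assumptions, not the real function.
LISTING = """
push    ecx
push    esi
mov     esi, N3InterfaceModule_t__GetInstance
call    esi                      ; assumed: returns object pointer in eax
mov     ecx, eax                 ; 'this' for the thiscall below
call    N3Msg_GetMovementMode
push    1                        ; assumed single dword argument
call    esi
mov     ecx, eax
call    N3Msg_MovementChanged    ; assumed to pop its own 4-byte argument
pop     esi
retn    4
"""

# Bytes each callee removes from the stack itself (stdcall/thiscall style).
# These sizes are assumptions made for the constructed listing.
CALLEE_CLEANUP = {"N3Msg_MovementChanged": 4}

def track_stack(listing, callee_cleanup=CALLEE_CLEANUP, width=4):
    """Replay the stack effects of a 32-bit listing and return the operands
    the function still has on its stack when it returns (an unbalanced
    frame is what makes a decompiler complain about the stack pointer)."""
    shadow = []  # what this function itself pushed, top of stack last
    for raw in listing.splitlines():
        text = raw.split(";", 1)[0].strip()   # drop comments
        if not text:
            continue
        op, *args = re.split(r"[\s,]+", text)
        op = op.lower()
        if op == "push":
            shadow.append(args[0])
        elif op == "pop":
            shadow.pop()
        elif op == "sub" and args[0].lower() == "esp":
            shadow.extend(["<local>"] * (int(args[1], 0) // width))
        elif op == "add" and args[0].lower() == "esp":
            del shadow[len(shadow) - int(args[1], 0) // width:]
        elif op == "call":
            # the return address is pushed by call and popped by the callee's
            # ret; only the callee's argument cleanup changes our frame
            del shadow[len(shadow) - callee_cleanup.get(args[0], 0) // width:]
        # mov, retn and the rest do not move esp from the tracker's view
    return shadow

if __name__ == "__main__":
    left = track_stack(LISTING)
    print("unbalanced by %d bytes, leftover: %s" % (4 * len(left), left))
```

For the constructed listing the tracker reports 4 leftover bytes holding the saved ECX, which matches the 8-pushed / 4-popped mismatch the reply points out.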

  3. #3 streppel (Active Member)
    Thanks for your fast answer.
    You are right, N3Msg_MovementChanged is a thiscall. I tried hooking this function before and found the enum for the different movement types, though trying to call it myself did not work. That's why I thought I'd have to use this function instead. Maybe I just did something wrong when trying to call MovementChanged myself; I'll give it a try again now.

    I'm open to any information that might help me.

    EDIT:

    OK, got it working, though I'm a little confused now.
    Normally, when passing parameters through the stack, I'm used to allocating memory, writing the value to this memory and then passing the address over the stack to the function.
    Now I had to give one parameter (the movement type) directly over the stack, the other one via allocating memory etc.

    How does this come?

    German passage for Verletzer:
    I would give you rep, but you still have some from last time, so another time.
    Last edited by streppel; 06-06-2011 at 05:32 PM.

  4. #4 caytchen (Contributor)
    Originally Posted by streppel:
        Normally, when passing parameters through the stack, I'm used to allocating memory, writing the value to this memory and then passing the address over the stack to the function.
        Now I had to give one parameter (the movement type) directly over the stack, the other one via allocating memory etc.
    You need to learn programming first before you can reverse engineer.
    The reason the movement type is passed directly is that it's probably only an integer from an enum and therefore fits perfectly into one register. Think about what the compiler has to do when you have a function take a Vector3f (so 3 floats) directly: it has to push every single float onto the stack before it can call the function. But there's more: the function that took the vector now only has a copy of it. It can manipulate it all it wants, but it won't have any effect on the vector that was passed in. You could return the modified Vector3 but then you have to do even more copying. So to avoid copying, what is done is to pass in a pointer to the vector. The pointer again only takes a register and the function can now actually modify the values of the vector that was passed in.
    If you can't understand the rationale behind passing something as a pointer or a copy then you need to go back to programming.

    Also see this code for what happens when you pass a Vector3f and a 3x3 matrix directly on the stack. The compiler tries to cope as best it can, but it can't hide the fact that it's a terribly inefficient thing to do.
    Last edited by caytchen; 06-07-2011 at 09:36 AM.

  5. #5 MaiN (Elite User)
    Originally Posted by caytchen:
        Also see this code for what happens when you pass a Vector3f and a 3x3 matrix directly on the stack. The compiler tries to cope as best it can, but it can't hide the fact that it's a terribly inefficient thing to do.
    How is that optimized? That looks optimized for size rather than speed. Can you try optimizing for speed instead, or is it not your code?

  6. #6 caytchen (Contributor)
    Originally Posted by MaiN:
        How is that optimized? That looks optimized for size rather than speed. Can you try optimizing for speed instead, or is it not your code?
    Not optimized at all (VC10 /Od) but with favor small code (/Os), and I disabled the runtime check and security cookie stuff. With optimization it would just reduce it all to an xor eax, eax and I was too lazy to add code to stop it from doing that. This one is with favor fast code (/Ot).

  7. #7 streppel (Active Member)
    OK, I got the point, I think. Thanks caytchen.
