C++ w/ Inline Assembly

I don't exactly know how to explain what I'm trying to do, but I'll do my best to show you, and explain what I can.

What I'm trying to do is call a function with parameters, but the position parameter is encrypted.

This is what it would look like if the position wasn't encrypted:

[code]DWORD *pGame = (DWORD *)0x00665B80;

//Returns a pointer to the local player - will return NULL if not in game
DWORD MyChar(void){
if(!pGame)

return NULL;

if(!*pGame)

return NULL;

return *(DWORD *)(*pGame + 0x4C);
}

//Returns a float pointer to character's position variable; a float[3], with x, y, and z coords
float *ZObject__GetPosition(void *vpChar){

return (float *)((DWORD)vpChar + 0x54);
}

typedef void(__cdecl *ZPostShotMeleeFunction)(int nShot, float *pos);
ZPostShotMeleeFunction ZPostShotMelee = (ZPostShotMeleeFunction)ZPostShotMeleeSignatureOffset;

if(GetAsyncKeyState(0x60) < 0){
DWORD dwMe = MyChar();

float pos[3];
memcpy(pos, ZObject__GetPosition((void *)dwMe), sizeof(float) * 3);

ZPostShotMelee(1, pos);
}[/code]

This is what it looks like with the position encrypted:

[code]if(GetAsyncKeyState(0x60) < 0){

_asm{
pushad
push 1 // or 7 -- It varies from 1 - 7; 1 being the weakest, 7 being the strongest
mov eax, ZGetGameSignatureOffset //004AA270
call eax
mov ecx, dword ptr ds:[eax+0x4C]
mov eax, EncryptionSignatureOffset //00402B40
call eax
push eax
mov eax, ZPostShotMeleeSignatureOffset
call eax
pop eax
pop eax
popad
}
}[/code]

This is the encryption function:

[code]00402B40 8B41 54 mov eax, dword ptr ds:[ecx+54]
00402B43 85C0 test eax, eax
00402B45 75 04 jnz short 00402B4B
00402B47 8D41 48 lea eax, dword ptr ds:[ecx+48]
00402B4A C3 retn
00402B4B 8B48 20 mov ecx, dword ptr ds:[eax+20]
00402B4E 8B50 0C mov edx, dword ptr ds:[eax+C]
00402B51 8B048A mov eax, dword ptr ds:[edx+ecx*4][/code]

The problem I'm having is making a function which will allow me to use the ZPostShotMelee(1, Function_Which_Returns_Position_And_Allows_Me_To_Use_It_As_Parameter()).

I've tried:

[code]float *TestFunc(void){
float *pos;

_asm{
mov eax, ZGetGameSignatureOffset
call eax
mov ecx, dword ptr ds:[eax+0x4C]
mov eax, EncryptionSignatureOffset
call eax
mov pos, eax
}

return pos;
}[/code]

But it just crashes. The only way I can call it with the parameters it takes are directly through Assembly; however, there are many other functions I wish to call with the position parameter, but they are far more complicated in Assembly, which is why I want to just call them in C++.

Can anyone help?
«1

Comments

  • :
    : [code]: float *TestFunc(void){
    : float *pos;
    :
    : _asm{
    : mov eax, ZGetGameSignatureOffset
    : call eax
    : mov ecx, dword ptr ds:[eax+0x4C]
    : mov eax, EncryptionSignatureOffset
    : call eax
    : mov pos, eax
    : }
    :
    : return pos;
    : }[/code]


    Hmm, I would say you're using to much to much assembly...

    The above code could be replaced by the following line of code
    [code]
    pos = EncryptionSignatureOffset(ZGetGameSignatureOffset());
    [/code]

    If you have optimisation reasons for using assembly, I would recomend first doing it in normaly, then profile and optimise.
  • I don't think you get what I meant... I'm sorry if I didn't explain it clear.

    [code]_asm{
    mov eax, ZGetGameSignatureOffset
    call eax
    mov ecx, dword ptr ds:[eax+0x4C]
    mov eax, EncryptionSignatureOffset
    call eax
    }
    }[/code]

    This would be the same as:

    [code]DWORD MyChar(void){
    if(!pGame)

    return NULL;

    if(!*pGame)

    return NULL;

    return *(DWORD *)(*pGame + 0x4C);
    }

    float *ZObject__GetPosition(void *vpChar){

    return (float *)((DWORD)vpChar + 0x54);
    }[/code]

    The only problem is the 0x54 is now encrypted, and I can't use it that way.

    Basically, I am able to push the parameter onto the stack, but I cannot return it an use it as a parameter in a function.

    What I want to be able to do is use ZPostShotMelee(7, pos) or ZPostShotMelee(7, ReturnPosition()) instead of using Assembly to push the parameters and call the function. I do, however, need to use Assembly to return the position, but it just crashes when I try.

    As for using to much Assembly, that's not the case.

    For example:

    [code]if(GetAsyncKeyState(0x60) < 0){

    _asm{
    pushad
    push 1 // or 7 -- It varies from 1 - 7; 1 being the weakest, 7 being the strongest
    mov eax, ZGetGameSignatureOffset //004AA270
    call eax
    mov ecx, dword ptr ds:[eax+0x4c]
    mov eax, EncryptionSignatureOffset //00402B40
    call eax
    push eax
    mov eax, ZPostShotMeleeSignatureOffset
    call eax
    pop eax
    pop eax
    popad
    }
    }[/code]

    This is ZPostShotMelee(1, pos), but if you look at that Assembly, it has

    [code]mov eax, ZGetGameSignatureOffset //004AA270
    call eax
    mov ecx, dword ptr ds:[eax+0x4c]
    mov eax, EncryptionSignatureOffset //00402B40
    call eax
    push eax[/code]

    Which is what I want to do, but instead of pushing it onto the stack I want to return it, hence the mov pos, eax and then return pos.
  • OK, your problem is that you want to return variables, and don't know how/can't get it working. Right?

    My problem ;-), is that you're using to much assembly...

    : The only problem is the 0x54 is now encrypted, and I can't use it that way.

    Why? Is this the reason you have to use assembly?
  • Yes, that's why I have to use Assembly. If I could decrypt it I could just use it as 0x54, but I need to return the position using Assembly (it will still be encrypted), which is what I was trying to do.
  • : Yes, that's why I have to use Assembly. If I could decrypt it I
    : could just use it as 0x54, but I need to return the position using
    : Assembly (it will still be encrypted), which is what I was trying to
    : do.

    Eh, I still don't get it...

    Why does this position returning function have to be in asm?
  • I think that instead of trying to do this the hard way, I'll simply stick to using pure Assembly.
  • : Do you have a suggestion as to how to write it in C++?
    :

    Do you mean this code? or the other?
    [code]
    mov eax, ZGetGameSignatureOffset //004AA270
    call eax
    mov ecx, dword ptr ds:[eax+0x4c]
    mov eax, EncryptionSignatureOffset //00402B40
    call eax
    push eax

    C:
    return EncryptionSignatureOffset(ZGetGameSignatureOffset()+0x4c);
    [/code]

    The return depends on the contex...

    [code]
    _asm{
    pushad
    push 1 // or 7 -- It varies from 1 - 7; 1 being the weakest, 7 being the strongest
    mov eax, ZGetGameSignatureOffset //004AA270
    call eax
    mov ecx, dword ptr ds:[eax+0x4c]
    mov eax, EncryptionSignatureOffset //00402B40
    call eax
    push eax
    mov eax, ZPostShotMeleeSignatureOffset
    call eax
    pop eax
    pop eax
    popad
    }

    ZPostShotMeleeSignatureOffset(
    EncryptionSignatureOffset(ZGetGameSignatureOffset()+0x4c));
    [/code]

    I don't know how the Offset funcs work, but they could also be written in C.
  • I edited my post. I'm going to stick to pure Assembly as far as calling functions with the position parameter.

    Now I just need to learn some more Assembly.

    Now this is my problem:

    [code]ZPostRequestSpawnWorldItem(const MUID *uidChar, int nItemID, float *pos)[/code]

    MUID struct:
    [code]struct MUID{
    unsigned long High;
    unsigned long Low;
    };

    //MUID *uidChannel = new MUID();
    MUID *uidChar = new MUID(); //We'll only be dealing with this one
    //MUID *uidKiller = new MUID();
    //MUID *uidNPC = new MUID();
    //MUID *uidPlayer = new MUID();
    //MUID *uidStage = new MUID();[/code]

    [code]//0x1A4 uidChar
    //0x1AC uidChannel
    //0x1B4 uidStage

    //ZGetGameClient
    DWORD ZGetGameClientClassPointer(const int OffsetBit){
    DWORD result;

    _asm{
    mov eax, ZGetGameClientSignatureOffset
    call eax
    add eax, OffsetBit
    mov eax, dword ptr ds:[eax]
    mov result, eax
    }

    return result;
    }[/code]

    Example of use without Assembly:
    [code]if(GetAsyncKeyState(0x60) < 0){
    uidChar->High = 0; //Could be ZGetGameClientClassPointer(0x1A0), but it's always 0
    uidChar->Low = ZGetGameClientClassPointer(0x1A4);
    int nItemID = 201;
    float pos[3];
    GetPosition(pos);
    ZPostRequestSpawnWorldItem(uidChar, nItemID, pos);
    }[/code]

    This is what I have so far with Assembly:
    [code]_asm{
    pushad
    mov eax, ZGetGameClientSignatureOffset
    call eax
    mov eax, dword ptr ds:[eax+0x1A0]
    push eax
    mov eax, dword ptr ds:[eax+0x1A4]
    push eax
    push 201
    mov eax, ZGetGameSignatureOffset
    call eax
    mov ecx, dword ptr ds:[eax+0x4C]
    mov eax, EncryptionSignatureOffset
    call eax
    push eax
    mov eax, ZPostRequestSpawnWorldItemSignatureOffset
    call eax
    pop eax
    pop eax
    popad
    }[/code]

    I'm just not sure when I am supposed to pop, or if I'm even doing this right. Any idea how I could get this to work?
  • :
    : Example of use without Assembly:
    : [code]: if(GetAsyncKeyState(0x60) < 0){
    : uidChar->High = 0; //Could be ZGetGameClientClassPointer(0x1A0), but it's always 0
    : uidChar->Low = ZGetGameClientClassPointer(0x1A4);
    : int nItemID = 201;
    : float pos[3];
    : GetPosition(pos);
    : ZPostRequestSpawnWorldItem(uidChar, nItemID, pos);
    : }[/code]:
    :
    : This is what I have so far with Assembly:
    : [code]: _asm{
    : pushad
    : mov eax, ZGetGameClientSignatureOffset
    : call eax
    : mov eax, dword ptr ds:[eax+0x1A0]
    : push eax
    : mov eax, dword ptr ds:[eax+0x1A4]
    : push eax
    : push 201
    : mov eax, ZGetGameSignatureOffset
    : call eax
    : mov ecx, dword ptr ds:[eax+0x4C]
    : mov eax, EncryptionSignatureOffset
    : call eax
    : push eax
    : mov eax, ZPostRequestSpawnWorldItemSignatureOffset
    : call eax
    : pop eax
    : pop eax
    : popad
    : }[/code]:
    :
    : I'm just not sure when I am supposed to pop, or if I'm even doing
    : this right. Any idea how I could get this to work?
    :

    That depends on the funcs...

    And are the two above snippets sopposed to be ekvivalent? Becouse they're not.
  • Are they what? If you meant equivalent then yes, and they are, excluding the conditional statement. I just need to know when and what I am supposed to pop.
  • : Are they what? If you meant equivalent then yes, and they are,
    : excluding the conditional statement. I just need to know when and
    : what I am supposed to pop.
    :

    Lol, sorry for my bad spelling... And ops, they're equivalent, but not equall...

    Again, how does the funcs look like?
    Are they poping anything?
    And long before, you didn't answear my Q...
    Is the problem that you can't return from the func?
  • I'll paste the actual function, and you can compare it to what I'm trying to do, though it will look completely different.

    And yes, the problem is that I cannot return, I can only push eax onto the stack in order for it to work properly.

    The actual function:
    [code]004B4520 64:A1 00000000 mov eax, dword ptr fs:[0]
    004B4526 6A FF push -1
    004B4528 68 FD745D00 push Gunz.005D74FD
    004B452D 50 push eax
    004B452E 64:8925 00000000 mov dword ptr fs:[0], esp
    004B4535 83EC 10 sub esp, 10
    004B4538 53 push ebx
    004B4539 55 push ebp
    004B453A 56 push esi
    004B453B 57 push edi
    004B453C 68 08060000 push 608
    004B4541 E8 BAF40000 call Gunz.004C3A00
    004B4546 8B1D 7C235E00 mov ebx, dword ptr ds:[5E237C]
    004B454C 83C4 04 add esp, 4
    004B454F 68 1C136600 push Gunz.0066131C
    004B4554 8BF8 mov edi, eax
    004B4556 FFD3 call ebx
    004B4558 8B35 18136600 mov esi, dword ptr ds:[661318]
    004B455E 85F6 test esi, esi
    004B4560 74 0A je short Gunz.004B456C
    004B4562 8B46 08 mov eax, dword ptr ds:[esi+8]
    004B4565 A3 18136600 mov dword ptr ds:[661318], eax
    004B456A EB 0C jmp short Gunz.004B4578
    004B456C 6A 14 push 14
    004B456E E8 B2741100 call Gunz.005CBA25
    004B4573 83C4 04 add esp, 4
    004B4576 8BF0 mov esi, eax
    004B4578 8B2D 80235E00 mov ebp, dword ptr ds:[5E2380]
    004B457E 68 1C136600 push Gunz.0066131C
    004B4583 FFD5 call ebp
    004B4585 897424 18 mov dword ptr ss:[esp+18], esi
    004B4589 33C0 xor eax, eax
    004B458B 3BF0 cmp esi, eax
    004B458D 894424 28 mov dword ptr ss:[esp+28], eax
    004B4591 74 0C je short Gunz.004B459F
    004B4593 8B4C24 30 mov ecx, dword ptr ss:[esp+30]
    004B4597 51 push ecx
    004B4598 8BCE mov ecx, esi
    004B459A E8 21350500 call Gunz.00507AC0
    004B459F 50 push eax
    004B45A0 8BCF mov ecx, edi
    004B45A2 C74424 2C FFFFFFFF mov dword ptr ss:[esp+2C], -1
    004B45AA E8 A1470500 call Gunz.00508D50
    004B45AF 68 94136600 push Gunz.00661394
    004B45B4 FFD3 call ebx
    004B45B6 8B35 90136600 mov esi, dword ptr ds:[661390]
    004B45BC 85F6 test esi, esi
    004B45BE 74 0B je short Gunz.004B45CB
    004B45C0 8B56 08 mov edx, dword ptr ds:[esi+8]
    004B45C3 8915 90136600 mov dword ptr ds:[661390], edx
    004B45C9 EB 0C jmp short Gunz.004B45D7
    004B45CB 6A 10 push 10
    004B45CD E8 53741100 call Gunz.005CBA25
    004B45D2 83C4 04 add esp, 4
    004B45D5 8BF0 mov esi, eax
    004B45D7 68 94136600 push Gunz.00661394
    004B45DC FFD5 call ebp
    004B45DE 897424 18 mov dword ptr ss:[esp+18], esi
    004B45E2 85F6 test esi, esi
    004B45E4 C74424 28 01000000 mov dword ptr ss:[esp+28], 1
    004B45EC 74 0E je short Gunz.004B45FC
    004B45EE 8B4424 34 mov eax, dword ptr ss:[esp+34]
    004B45F2 50 push eax
    004B45F3 8BCE mov ecx, esi
    004B45F5 E8 66260500 call Gunz.00506C60
    004B45FA EB 02 jmp short Gunz.004B45FE
    004B45FC 33C0 xor eax, eax
    004B45FE 50 push eax
    004B45FF 8BCF mov ecx, edi
    004B4601 C74424 2C FFFFFFFF mov dword ptr ss:[esp+2C], -1
    004B4609 E8 42470500 call Gunz.00508D50
    004B460E 68 60266600 push Gunz.00662660
    004B4613 FFD3 call ebx
    004B4615 8B35 5C266600 mov esi, dword ptr ds:[66265C]
    004B461B 85F6 test esi, esi
    004B461D 74 0B je short Gunz.004B462A
    004B461F 8B4E 14 mov ecx, dword ptr ds:[esi+14]
    004B4622 890D 5C266600 mov dword ptr ds:[66265C], ecx
    004B4628 EB 0C jmp short Gunz.004B4636
    004B462A 6A 18 push 18
    004B462C E8 F4731100 call Gunz.005CBA25
    004B4631 83C4 04 add esp, 4
    004B4634 8BF0 mov esi, eax
    004B4636 68 60266600 push Gunz.00662660
    004B463B FFD5 call ebp
    004B463D 897424 1C mov dword ptr ss:[esp+1C], esi
    004B4641 85F6 test esi, esi
    004B4643 C74424 28 02000000 mov dword ptr ss:[esp+28], 2
    004B464B 74 35 je short Gunz.004B4682
    004B464D 8B4424 38 mov eax, dword ptr ss:[esp+38]
    004B4651 8B50 08 mov edx, dword ptr ds:[eax+8]
    004B4654 8B48 04 mov ecx, dword ptr ds:[eax+4]
    004B4657 895424 10 mov dword ptr ss:[esp+10], edx
    004B465B 8B10 mov edx, dword ptr ds:[eax]
    004B465D 8B4424 10 mov eax, dword ptr ss:[esp+10]
    004B4661 50 push eax
    004B4662 51 push ecx
    004B4663 894C24 1C mov dword ptr ss:[esp+1C], ecx
    004B4667 52 push edx
    004B4668 8BCE mov ecx, esi
    004B466A 895424 24 mov dword ptr ss:[esp+24], edx
    004B466E E8 ED290500 call Gunz.00507060
    004B4673 C706 ECC35E00 mov dword ptr ds:[esi], Gunz.005EC3EC
    004B4679 C746 04 06000000 mov dword ptr ds:[esi+4], 6
    004B4680 EB 02 jmp short Gunz.004B4684
    004B4682 33F6 xor esi, esi
    004B4684 56 push esi
    004B4685 8BCF mov ecx, edi
    004B4687 C74424 2C FFFFFFFF mov dword ptr ss:[esp+2C], -1
    004B468F E8 BC460500 call Gunz.00508D50
    004B4694 57 push edi
    004B4695 E8 06E80000 call Gunz.004C2EA0
    004B469A 8B4C24 24 mov ecx, dword ptr ss:[esp+24]
    004B469E 83C4 04 add esp, 4
    004B46A1 5F pop edi
    004B46A2 5E pop esi
    004B46A3 5D pop ebp
    004B46A4 5B pop ebx
    004B46A5 64:890D 00000000 mov dword ptr fs:[0], ecx
    004B46AC 83C4 1C add esp, 1C
    004B46AF C3 retn
    004B46B0 56 push esi
    004B46B1 8BF1 mov esi, ecx
    004B46B3 E8 08FBFFFF call Gunz.004B41C0
    004B46B8 F64424 08 01 test byte ptr ss:[esp+8], 1
    004B46BD 74 09 je short Gunz.004B46C8
    004B46BF 56 push esi
    004B46C0 E8 90731100 call Gunz.005CBA55
    004B46C5 83C4 04 add esp, 4
    004B46C8 8BC6 mov eax, esi
    004B46CA 5E pop esi
    004B46CB C2 0400 retn 4

    [/code]

    Good luck with that.
  • : I'll paste the actual function, and you can compare it to what I'm
    : trying to do, though it will look completely different.
    :
    : And yes, the problem is that I cannot return, I can only push eax
    : onto the stack in order for it to work properly.
    :

    I was talking about the funcitons you where calling...

    And why not:
    [code]
    int ret;
    ...
    asm{
    mov [ret], eax
    }
    ...
    return ret;
    [/code]
  • That is the function I'm calling. o.o

    Anyway, I will try what you suggested.

  • I couldn't be entirely sure, but it looks like the function has a return value stored in eax, and doesn't pop the parameters so you have to do so.

    However, I only quickly glanced over it. What does retn 4 do exactly?

    Best Regards,
    Richard

    The way I see it... Well, it's all pretty blurry
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Categories