Technomancer
June 9th, 2006, 20:33
Hi guys. I am kind of lost here. I am reversing a game now and I am trying to print text in the game. I followed an example of a hacker who already successfully reversed the part I am stuck at.
This is how the hacker "emulated" the game's method of printing text:
Code:
PUSHAD
MOV EDX,<own address pointing to a string>
PUSH 0Fh
POP ECX
CALL 43D064 ;Here is where he calls the TextPrinting function
POPAD
RETN
I will paste what is at 43D064 and what happens prior to the call.
Here is what happened prior to the call to the TextPrinting function:
Code:
* Possible StringData Ref from Data Obj ->"\Game.ini"
|
:00409B0D 685C444800 push 0048445C
:00409B12 50 push eax
:00409B13 E878020600 call 00469D90
:00409B18 59 pop ecx
:00409B19 8BC6 mov eax, esi
:00409B1B 59 pop ecx
:00409B1C 8D8DACFEFFFF lea ecx, dword ptr [ebp+FFFFFEAC]
:00409B22 51 push ecx
:00409B23 8D4DB0 lea ecx, dword ptr [ebp-50]
:00409B26 C1E002 shl eax, 02
:00409B29 6A50 push 00000050
:00409B2B 51 push ecx
:00409B2C FFB06C434800 push dword ptr [eax+0048436C]
:00409B32 FFB07C434800 push dword ptr [eax+0048437C]
* Possible StringData Ref from Data Obj ->"NetMsg"
|
:00409B38 6854444800 push 00484454
* Reference To: KERNEL32.GetPrivateProfileStringA, Ord:014Fh
|
:00409B3D FF1590914700 Call dword ptr [00479190]
:00409B43 8D55B0 lea edx, dword ptr [ebp-50]
:00409B46 83C9FF or ecx, FFFFFFFF
:00409B49 E816350300 call 0043D064
Here is what happens at 43D064, the text printing function itself:
Code:
:0043D064 55 push ebp
:0043D065 8BEC mov ebp, esp
:0043D067 83EC54 sub esp, 00000054
:0043D06A 53 push ebx
:0043D06B 56 push esi
:0043D06C 8BF2 mov esi, edx
:0043D06E 57 push edi
:0043D06F 56 push esi
:0043D070 8BF9 mov edi, ecx
:0043D072 E819C90200 call 00469990
Any greater minds here can offer help, as I don't really understand the hacker's theory behind his "hook". Basically, I understand that arguments are moved into ecx and edx prior to the call to 43D064 (which will mean it is a fastcall, probably?). At 43D064 itself, what is stored in ecx and edx is passed to esi and edi ... probably for string-related activities.
What I am puzzled about is, how does the hacker determine from a whole chunk of code that there are only 2 arguments (stored in ecx and edx) required prior to the call to 43D064? Also, there was a part where "or ecx, FFFFFFFF" was used prior to the call. Usually, why is there a need to OR a register with FFFFFFFF? The hacker substituted that with PUSH 0Fh / POP ECX (which is essentially mov ecx, 0Fh). Can anyone guess what this is for?
I am mainly confused because prior to the call to 43D064, there were so many registers and variables being moved around. How did the hacker smartly guess that only ecx and edx are the important ones? Also, I assume the game used GetPrivateProfileString for a reason?
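As an added illustration (constructed for this thread, not code from the game or from the hook), here is a tiny decoder/evaluator that covers only the encodings appearing in the listings above. It shows that `83 C9 FF` sign-extends its imm8, so `or ecx, FFFFFFFF` sets ecx to -1 whatever it held before; that `6A 0F` / `59` loads 0Fh into ecx in the same three bytes; and how a `call rel32` target such as 0043D064 is computed from the next EIP. It assumes 32-bit x86, register-to-register ModRM forms only, and treats `call` as a no-op for register state.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
MASK = 0xFFFFFFFF

def decode(code: bytes, eip: int):
    """Decode one instruction at eip. Returns (text, length, effect), where
    effect(regs, stack) applies the instruction to a register dict and a stack list."""
    op, modrm = code[0], (code[1] if len(code) > 1 else 0)
    if op == 0x83 and (modrm >> 6) == 3 and ((modrm >> 3) & 7) == 1:   # 83 /1 ib: OR r32, imm8
        rm = REGS[modrm & 7]
        imm = struct.unpack("<b", code[2:3])[0] & MASK                 # imm8 FF sign-extends to FFFFFFFF
        return f"or {rm}, {imm:08X}", 3, lambda r, s: r.update({rm: r[rm] | imm})
    if op == 0x6A:                                                     # 6A ib: PUSH imm8 (sign-extended)
        imm = struct.unpack("<b", code[1:2])[0] & MASK
        return f"push {imm:08X}", 2, lambda r, s: s.append(imm)
    if 0x50 <= op <= 0x57:                                             # 50+r: PUSH r32
        reg = REGS[op - 0x50]
        return f"push {reg}", 1, lambda r, s: s.append(r[reg])
    if 0x58 <= op <= 0x5F:                                             # 58+r: POP r32
        reg = REGS[op - 0x58]
        return f"pop {reg}", 1, lambda r, s: r.update({reg: s.pop()})
    if op == 0x8B and (modrm >> 6) == 3:                               # 8B /r with mod=11: MOV r32, r32
        dst, src = REGS[(modrm >> 3) & 7], REGS[modrm & 7]
        return f"mov {dst}, {src}", 2, lambda r, s: r.update({dst: r[src]})
    if op == 0xE8:                                                     # E8 rel32: CALL, target = next EIP + rel32
        target = (eip + 5 + struct.unpack("<i", code[1:5])[0]) & MASK
        return f"call {target:08X}", 5, lambda r, s: None              # the call itself is not followed here
    raise ValueError(f"unsupported encoding {code[:2].hex().upper()} at {eip:08X}")

def run(code: bytes, eip: int, **init):
    """Decode and apply a byte string starting at eip; init sets initial register values.
    Returns (listing lines in the W32Dasm-like style used above, final registers)."""
    regs = {name: 0 for name in REGS}
    regs.update(init)
    stack, lines = [], []
    while code:
        text, n, effect = decode(code, eip)
        effect(regs, stack)
        lines.append(f":{eip:08X} {code[:n].hex().upper():<12} {text}")
        code, eip = code[n:], eip + n
    return lines, regs
```

Feeding the bytes from 00409B46 (`83C9FF E816350300`) with any starting ecx ends with ecx == FFFFFFFF and a `call 0043D064` line, while `6A0F59` ends with ecx == 0000000F; feeding the 43D06C prologue bytes shows edx landing in esi and ecx in edi before the `call 00469990`.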