FearLess Cheat Engine

So let's say I have this little function.



I want to find out what calls it, but it's shared and a couple of things use it constantly so a simple trace won't work. Let's say I also don't have any record of what I want, so I don't know any specific arguments to use for the breakpoint settings. I just want to get a list of results that I can investigate manually.

A - Can I make a list of places that jumped to a specific opcode (like the start of that function)?
B - Can I make a list of places that the ret at the end went back to?

B sounds more plausible than A to me but I'm no expert.

hey,
the first thing that comes to my mind:

before the C3/ret gets executed the return address is on the stack.
hook after add rsp,28 and before the ret:
allocate some memory(let's name it Pool) and create a loop with Index:
in this loop the stack address gets compared with the Pool, if its not found check Pool +Index until Pool +Index is 0x90
if 0x90 - > copy address from the stack to current loop Pool Index.
and if an address is found just return.

so you should get every return address from this function and you can access them with Pool+8|Pool+10 and so on

Do a "Find out what addresses this code accesses" on the RET instruction

it's a special case scenario where it will give a log of all callers

(Also, a LOT of programming languages have their own rand implementation)

cfemen wrote: ↑

Fri Nov 22, 2019 11:53 am

hey,
the first thing that comes to my mind:

before the C3/ret gets executed the return address is on the stack.
hook after add rsp,28 and before the ret:
allocate some memory(let's name it Pool) and create a loop with Index:
in this loop the stack address gets compared with the Pool, if its not found check Pool +Index until Pool +Index is 0x90
if 0x90 - > copy address from the stack to current loop Pool Index.
and if an address is found just return.

so you should get every return address from this function and you can access them with Pool+8|Pool+10 and so on

Allocating memory inside the target progress and writing a loop for that sounds... messy and maybe not portable. Would doing it in Lua work or would having a Lua function called that often have severe performance issues?

Eric wrote: ↑

Fri Nov 22, 2019 8:24 pm

Do a "Find out what addresses this code accesses" on the RET instruction

it's a special case scenario where it will give a log of all callers

Okay this sounds great!

Eric wrote: ↑

Fri Nov 22, 2019 8:24 pm

(Also, a LOT of programming languages have their own rand implementation)

Yeah, in this case I already know for sure that the function I actually want calls this one, I want to learn about this to make updating things easier after patches.

Rydian wrote: ↑

Sat Nov 23, 2019 5:03 am

Allocating memory inside the target progress and writing a loop for that sounds... messy and maybe not portable. Would doing it in Lua work or would having a Lua function called that often have severe performance issues?

with lua it would have an performance impact (probably same as Find out what addresses this code access does )

But Erics suggestion is better
i didnt know that you can use Find out what addresses this code accesses on rets.
basically it does the same like my approach, but way more handy to use