Hello, I'm stuck with PunkBuster string function logging
03-06-2010, 05:37 PM   #1
nah1337


Hello, I followed unreal's tutorial about the PB MD5 scan and here is what I got.
It is 100% right that the function is passing strings; below I posted some strings that I got from breakpointing the function md5init.

Code:
.text:004026BB ; int __stdcall sub_4026BB(char *)
.text:004026BB sub_4026BB      proc near               ; CODE XREF: sub_442357+1A8p
.text:004026BB                                         ; sub_444ABD+1E8p ...
.text:004026BB
.text:004026BB var_8CC         = byte ptr -8CCh
.text:004026BB var_CC          = byte ptr -0CCh
.text:004026BB arg_0           = dword ptr  8
.text:004026BB
.text:004026BB                 push    ebp
.text:004026BC                 lea     ebp, [esp-74h]
.text:004026C0                 sub     esp, 8CCh
.text:004026C6                 push    esi
.text:004026C7                 push    edi
.text:004026C8                 xor     esi, esi
.text:004026CA                 push    esi
.text:004026CB                 push    esi
.text:004026CC                 mov     edi, ecx
.text:004026CE                 call    sub_4024E8
.text:004026D3                 test    eax, eax
.text:004026D5                 jz      short loc_40272E
.text:004026D7                 lea     ecx, [ebp+74h+var_CC] ; void *
.text:004026DA                 call    sub_402381
.text:004026DF                 push    esi
.text:004026E0                 lea     ecx, [ebp+74h+var_CC]
.text:004026E3                 call    sub_402158      ; // Md5 init should be
.text:004026E8                 mov     esi, 800h
.text:004026ED                 jmp     short loc_4026FC
.text:004026EF ; ---------------------------------------------------------------------------
.text:004026EF
.text:004026EF loc_4026EF:                             ; CODE XREF: sub_4026BB+56j
.text:004026EF                 push    eax
.text:004026F0                 lea     eax, [ebp+74h+var_8CC]
.text:004026F6                 push    eax
.text:004026F7                 call    sub_40219C
.text:004026FC
.text:004026FC loc_4026FC:                             ; CODE XREF: sub_4026BB+32j
.text:004026FC                 lea     eax, [ebp+74h+var_8CC]
.text:00402702                 push    esi
.text:00402703                 mov     ecx, edi
.text:00402705                 push    eax
.text:00402706                 call    sub_40258B
.text:0040270B                 cmp     eax, 1
.text:0040270E                 lea     ecx, [ebp+74h+var_CC]
.text:00402711                 jge     short loc_4026EF
.text:00402713                 call    sub_402229
.text:00402718                 lea     ecx, [ebp+74h+var_CC]
.text:0040271B                 call    sub_402355      ; //Md5 crypt function 
.text:00402720                 push    eax             ; char *
.text:00402721                 push    [ebp+74h+arg_0] ; char *
.text:00402724                 call    _strcpy
.text:00402729                 pop     ecx
.text:0040272A                 xor     eax, eax
.text:0040272C                 pop     ecx
.text:0040272D                 inc     eax
.text:0040272E
.text:0040272E loc_40272E:                             ; CODE XREF: sub_4026BB+1Aj
.text:0040272E                 pop     edi
.text:0040272F                 pop     esi
.text:00402730                 add     ebp, 74h
.text:00402733                 leave
.text:00402734                 retn    4
.text:00402734 sub_4026BB      endp

Md5init function looks like this:
Code:
int __thiscall sub_402158(int this, int a2)
When I breakpointed md5init it looked like this:
Code:
01A8F0F8   094B23BE  RETURN to pbcl.094B23BE from pbcl.094B2158
01A8F0FC   00000000
01A8F100   09553288  ASCII "sa000000000000000000000000000000 t9588873f15c376df6f613f9535523b1 m6727a62770f547ac8a72a81d6571b4e "
01A8F104   094D2478  RETURN to pbcl.094D2478 from pbcl.094B239C
01A8F108   09553288  ASCII "sa000000000000000000000000000000 t9588873f15c376df6f613f9535523b1 m6727a62770f547ac8a72a81d6571b4e "
01A8F10C   00000063
01A8F110   00000000
01A8F114   7C8092C5  kernel32.GetTickCount
01A8F118   09553291  ASCII "00000000000000000000000 t9588873f15c376df6f613f9535523b1 m6727a62770f547ac8a72a81d6571b4e "
01A8F11C   01262EF0  SoF2MP.01262EF0
01A8F120   0064006F  SoF2MP.0064006F
01A8F124   00670062  SoF2MP.00670062
01A8F128   00310031
01A8F12C   005C0030  SoF2MP.005C0030
01A8F130   00650054  SoF2MP.00650054
01A8F134   00720065  SoF2MP.00720065
01A8F138   00790061  SoF2MP.00790061
01A8F13C   006F006F  SoF2MP.006F006F
01A8F140   002E0074
01A8F144   006C0064  SoF2MP.006C0064
Md5crypto function looks like this:

Code:
void *__thiscall sub_402355(void *this)
Md5crypto does this:
Code:
EAX 00000000
ECX 01A8EC24 ASCII "3F"
EDX 00000033
EBX 01A8EC26
ESP 01A8E3E4
EBP 01A8EC60
ESI 01A8EC08 ASCII "F78A67E88F98D4CC871E6F3068343F"
EDI 0000000F
EIP 094A1462 pbcl.094A1462
How da heck should I log it if it doesn't even have a char in the function parameters?

Should I log the registers that are passing the strings?
03-09-2010, 08:26 PM   #2
smoke.hes

Quote:
Originally Posted by msdn
thiscall
This is the default calling convention used by C++ member functions that do not use variable arguments. Under thiscall, the callee cleans the stack, which is impossible for vararg functions. Arguments are pushed on the stack from right to left, with the this pointer being passed via register ECX on the x86 architecture. The thiscall calling convention cannot be explicitly specified in a program, because thiscall is not a keyword.
I could imagine something like this:
Code:
struct random_class {
	//... <snip> ...
	char *crypto_buf;
	//... <snip> ...
	// Hex-Rays shows this as: void *__thiscall sub_402355(void *this)
	void *sub_402355(); // member function: 'this' arrives implicitly in ECX
	//... <snip> ...
};
Since you have the 'this ptr' as param, you have the base address of the class which contains the function, and therefore you can use relative addresses to get the variable/s you need..
OR you use a breakpoint hook and get the needed stuff from the stack, as you just did with the debugger ;ö

Last edited by smoke.hes; 03-09-2010 at 08:28 PM.

03-10-2010, 10:44 AM   #3
nah1337

Thanks man, I assume you responded because I sent the link over MSN and asked for help. This opened my eyes and now I will have something to move on. You are truly a UC contributor!