  1. #1
    K^2

    How to detect when a game calls a certain function, such as Save or Load.

    Hey guys, I'm looking to re-write Grand Theft Auto: San Andreas's Save/Load system, with an asi that will intercept the calls made by the game when a user wants to Save and Load a game file.

    Now, I know how to use Cheat Engine to find the Ammo, health addresses etc.

    But how do I find out if a player is Saving or Loading a game file?

    I've already written the code that checks for "gta_sa.exe", since an asi loader will load it with the game.

    Any help is extremely appreciated!

  2. #2
    atom0s
    Find the functions that are called when saving/loading and hook them.

    A common method to find functions like that is to look for common strings that pertain to the function at hand. Such as:
    - The name of the save game files.
    - The name of the folder the save games are made in.

    Another method is tracing back to the function by using API breakpoints. In this case, a file is being edited, so you could try setting breakpoints on:
    - CreateFileA
    - CreateFileW

    Then if those are used in the call to save the file/load the file, you can trace back to the function that invoked the API.
    Last edited by atom0s; 06-11-2013 at 03:05 PM.
    - Gone; this is another shit forum with children as administrators. Not worth contributing to.

  3. #3
    K^2
    Quote (originally posted by atom0s):
    Find the functions that are called when saving/loading and hook them.

    A common method to find functions like that is to look for common strings that pertain to the function at hand. Such as:
    - The name of the save game files.
    - The name of the folder the save games are made in.

    Another method is tracing back to the function by using API breakpoints. In this case, a file is being edited, so you could try setting breakpoints on:
    - CreateFileA
    - CreateFileW

    Then if those are used in the call to save the file/load the file, you can trace back to the function that invoked the API.

    Thank you for your reply.
    So is Cheat Engine useless in this case?
    I'm assuming I can't find this data with Cheat Engine?

  4. #4
    radnomguywfq3
    Quote (originally posted by K^2):
    Thank you for your reply.
    So is Cheat Engine useless in this case?
    I'm assuming I can't find this data with Cheat Engine?

    If the software is unpacked, I would honestly just do this:

    Hook the CreateFileA\CreateFileW\(Insert any other low-level File Access APIs here) in a DLL, make it a transparent detour and just log all the return addresses and the arguments to the calls of that particular API. You should find that one of them has their arguments as "MySaveGame" and then follow that return address to the caller. Repeat this until you find yourself inside the game and not a filesystem dll (if you land in one in the first place) - you may have to go up several levels as I imagine GTA has a relatively abstract filesystem.



    There are two types of tragedies in life. One is not getting what you want, the other is getting it.

    If you wake up at a different time in a different place, could you wake up as a different person?


  5. #5
    K^2
    Quote (originally posted by Jetamay):
    If the software is unpacked, I would honestly just do this:

    Hook the CreateFileA\CreateFileW\(Insert any other low-level File Access APIs here) in a DLL, make it a transparent detour and just log all the return addresses and the arguments to the calls of that particular API. You should find that one of them has their arguments as "MySaveGame" and then follow that return address to the caller. Repeat this until you find yourself inside the game and not a filesystem dll (if you land in one in the first place) - you may have to go up several levels as I imagine GTA has a relatively abstract filesystem.

    I've been using ollydbg to find the addresses of CreateFileA, CreateFileW, ReadFile and OpenFile.

    I think they're stored in a block, since the Address I found was the same for all of them, example:

    Address I found holds:
    - CreateFileA
    - CreateFileW
    - ReadFile
    - OpenFile
    - And some others I don't need

    Now, I'm just guessing, maybe I have to dig deeper into that block to find the actual addresses called.

    Are there any tutorials that're specific to my problem?

    Any further assistance in this to bring me a solution would be great.
    Last edited by K^2; 06-11-2013 at 07:09 PM.

  6. #6
    atom0s
    In Olly just set a breakpoint at the top of the API calls. Then when the break is hit, look at the stack, the return address should be at the top.
    That'll take you back to where the API was invoked at.

  7. #7
    K^2
    Quote (originally posted by atom0s):
    In Olly just set a breakpoint at the top of the API calls. Then when the break is hit, look at the stack, the return address should be at the top.
    That'll take you back to where the API was invoked at.

    So I need to leave olly open then run the game, save a file or load one?

  8. #8
    atom0s
    Quote (originally posted by K^2):
    So I need to leave olly open then run the game, save a file or load one?

    Easiest way to test if CreateFile is even going to help:
    - Load the game and get all the way to the point where you are about to load a game.
    - Open Olly and attach to your game.
    - Go to CreateFileA / CreateFileW and place the breakpoints at the top.
    - Go back to the game and cause the load / save to happen.
    - See if Olly hit a breakpoint.

    If it did hit a breakpoint, follow the return address that should be at the top of the stack.

    If it did not break, then they are accessing the file by other means.

  9. #9
    K^2
    Thank you for your help and keeping calm with all the questions I'm asking, + respect.

    EDIT: Tried it and the game crashed when trying to overwrite a save file, when saving.
    Minimized to olly and took this screenshot: https://i.imgur.com/sjfPFbo.png

    The only problem was to get control of my PC again I had to end olly's process?
    Last edited by K^2; 06-11-2013 at 07:41 PM.

  10. #10
    atom0s
    Quote (originally posted by K^2):


    Those images are the steps I took to toggle the breakpoints, did I find the right address and add the breakpoint correctly?

    Thank you for your help and keeping calm with all the questions I'm asking, + respect.

    Upload the images to a site instead of attaching them here. Have to wait for mod approval for anything attached to posts.

  11. #11
    K^2
    Quote (originally posted by atom0s):
    Upload the images to a site instead of attaching them here. Have to wait for mod approval for anything attached to posts.

    Edited my last post

  12. #12
    atom0s
    Quote (originally posted by K^2):
    Edited my last post

    Image is way too small to see anything.

  13. #13
    K^2
    Quote (originally posted by atom0s):
    Image is way too small to see anything.

    Can you not zoom in? That's a full screenshot and it's everything I see in olly.

    Okay, I've been so stupid.
    I think CreateFileA is always called whether it be Saving, Loading or overwriting.

    CreateFileA has different modes for the different events.

    For Loading the mode is: OPEN_EXISTING
    I don't know what the other modes are yet.
    So in my asi I just detour the CreateFileA API, then check what mode it is in? Or check what mode it is in then detour it?
    Last edited by K^2; 06-11-2013 at 08:39 PM.

  14. #14
    radnomguywfq3
    Quote (originally posted by K^2):
    Thank you for your help and keeping calm with all the questions I'm asking, + respect.

    EDIT: Tried it and the game crashed when trying to overwrite a save file, when saving.
    Minimized to olly and took this screenshot: https://i.imgur.com/sjfPFbo.png

    The only problem was to get control of my PC again I had to end olly's process?

    Yes, but that doesn't tell you anything. From what I see in the stack, you are reading a file. This is the wrong call to CreateFileA - hence why you need to log it. There will be a million calls to this API, you need to find the right call (where it's opening with write access and is writing to a file with a name that is relevant to your save game.) Alternately, if it works, you can break on every call to the API via OllyDbg. Just a heads up though - live analysis on games never works out well. You're always better dissecting with offline analysis then monitoring with a logger of some sort - and repeating that process.

    If you trace back to where this is called from (by logging the return addresses) you will find what routine in particular is called when you save a game. CreateFileA is a low-level API and it will be called for a million different reasons (including loading files).
    Last edited by radnomguywfq3; 06-11-2013 at 11:26 PM.

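Added example (not part of the thread): the log triage described in post #14, which also answers the access-mode question in post #13. It filters logged CreateFileA calls by file name and requested access, then collects the distinct return addresses to follow. The record layout, addresses and file names are constructed for illustration; the constants are the documented Win32 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Documented Win32 values for dwDesiredAccess and dwCreationDisposition. */
#define GENERIC_READ  0x80000000u
#define GENERIC_WRITE 0x40000000u
#define CREATE_ALWAYS 2u
#define OPEN_EXISTING 3u

enum op { OP_OTHER, OP_LOAD, OP_SAVE };

/* One logged CreateFileA call (hypothetical record layout for this example). */
struct call_rec {
    uint32_t ret_addr;     /* return address taken from the top of the stack */
    const char *path;      /* lpFileName */
    uint32_t access;       /* dwDesiredAccess */
    uint32_t disposition;  /* dwCreationDisposition */
};

/* Constructed sample log: addresses and file names are made up. */
static const struct call_rec sample_log[] = {
    {0x00401A10u, "data\\example.cfg",      GENERIC_READ,  OPEN_EXISTING},
    {0x00402B20u, "saves\\MySaveGame1.dat", GENERIC_READ,  OPEN_EXISTING},
    {0x00403C30u, "saves\\MySaveGame1.dat", GENERIC_WRITE, CREATE_ALWAYS},
    {0x00403C30u, "saves\\MySaveGame2.dat", GENERIC_READ | GENERIC_WRITE, CREATE_ALWAYS},
    {0x00404D40u, "logs\\example.log",      GENERIC_WRITE, CREATE_ALWAYS},
};
#define SAMPLE_COUNT (sizeof sample_log / sizeof sample_log[0])

/* Only paths containing `needle` count; any write access is treated as a save. */
enum op classify(const struct call_rec *c, const char *needle) {
    if (strstr(c->path, needle) == NULL) return OP_OTHER;  /* case-sensitive match */
    if (c->access & GENERIC_WRITE) return OP_SAVE;
    if ((c->access & GENERIC_READ) && c->disposition == OPEN_EXISTING) return OP_LOAD;
    return OP_OTHER;
}

/* Collect the distinct return addresses of calls classified as `want`. */
size_t callers_for(const struct call_rec *log, size_t n, const char *needle,
                   enum op want, uint32_t *out, size_t cap) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (classify(&log[i], needle) != want) continue;
        size_t j = 0;
        while (j < found && out[j] != log[i].ret_addr) j++;  /* already recorded? */
        if (j == found && found < cap) out[found++] = log[i].ret_addr;
    }
    return found;
}
```
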
  15. #15
    K^2
    Quote (originally posted by Jetamay):
    Yes, but that doesn't tell you anything. From what I see in the stack, you are reading a file. This is the wrong call to CreateFileA - hence why you need to log it. There will be a million calls to this API, you need to find the right call (where it's opening with write access and is writing to a file with a name that is relevant to your save game.) Alternately, if it works, you can break on every call to the API via OllyDbg. Just a heads up though - live analysis on games never works out well. You're always better dissecting with offline analysis then monitoring with a logger of some sort - and repeating that process.

    If you trace back to where this is called from (by logging the return addresses) you will find what routine in particular is called when you save a game. CreateFileA is a low-level API and it will be called for a million different reasons (including loading files).

    How do I do offline analysis? And where is the return address shown?
