Page 2 of 3 FirstFirst 123 LastLast
Results 16 to 30 of 35
  1. #16 atom0s
    Quote Originally Posted by K^2 View Post
    How do I do offline analysis? And where is the return address shown?
    Use a disassembler like IDA.
    - Gone; this is another shit forum with children as administrators. Not worth contributing to.

  2. #17 K^2
    Quote Originally Posted by atom0s View Post
    Use a disassembler like IDA.
    Okay, I've got the freeware version but I have no idea how to use IDA, I'm confused with what to do first.

    EDIT: I was messing about with IDA and added a breakpoint on the CreateFileA.

    Here's what happened when I loaded a game save:

    https://i.imgur.com/szw6iGv.png

    https://i.imgur.com/5Rz0kKx.png

    Hopefully you can see them well enough.

    I also got a traceable graph:

    https://i.imgur.com/V3aF084.png - Part 1 of graph

    https://i.imgur.com/ZbvfOvr.png - Part 2 of graph

    https://i.imgur.com/IsXGr1f.png - Part 3 of graph
    Last edited by K^2; 06-12-2013 at 08:10 AM.

  3. #18 atom0s
    Trace back a few steps to where the call to CreateFile was made and see if the file name being passed is the name of the save game file. If it is, then you have found part of the saving/loading routine.

  4. #19 K^2
    Quote Originally Posted by atom0s View Post
    Trace back a few steps to where the call to CreateFile was made and see if the file name being passed is the name of the save game file. If it is, then you have found part of the saving/loading routine.
    Think I might have cracked it.

    I opened a new project along with gta_sa.exe.
    Selected the strings window and searched for "CreateFileA", then double clicked every one I found until I got this (I highlighted it):

    https://i.imgur.com/Y0cT7xT.pn

    So I double clicked "sub_156BBFB+19E"

    And then I got this (I highlighted it):

    https://i.imgur.com/OUH5wwV.png

    I put a breakpoint on this and proceeded to load a game.
    Came out of the game and IDA had caught the Load.

    So does this mean the address 0156BD99 is the one I've been looking for?
    Last edited by K^2; 06-12-2013 at 10:26 AM.

  5. #20 atom0s
    I reinstalled GTA:SA; using OllyDbg's conditional breakpoint system, upon opening the load saved game menu I get:
    Code:
    755BC291   COND:
    755BC291   CALL to CreateFileW from kernel32.75813F81
                 FileName = "C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf1.b"
                 Access = GENERIC_READ
                 ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
                 pSecurity = 0028F9B8
                 Mode = OPEN_EXISTING
                 Attributes = NORMAL
                 hTemplateFile = NULL
    Which returns to the wrapper for CreateFileW, so I traced back, placed a similar break there and got:
    Code:
    75813F3C   COND:
    75813F3C   CALL to CreateFileW from kernel32.758153DF
                 FileName = "C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf1.b"
                 Access = GENERIC_READ
                 ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
                 pSecurity = 0028F9C8
                 Mode = OPEN_EXISTING
                 Attributes = NORMAL
                 hTemplateFile = NULL
    Which leads back to CreateFileA, again set another bp there and get:
    Code:
    758153AE   COND:
    758153AE   CALL to CreateFileA from gta_sa.00834215
                 FileName = "C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf1.b"
                 Access = GENERIC_READ
                 ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
                 pSecurity = 0028F9B8
                 Mode = OPEN_EXISTING
                 Attributes = NORMAL
                 hTemplateFile = NULL
    So finally got a game function address:
    gta_sa.00834215

    When loaded and in-game, I saved to a new file 2, which led to saving using:
    Code:
    758153AE   COND:
    758153AE   CALL to CreateFileA from gta_sa.00834215
                 FileName = "C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf2.b"
                 Access = GENERIC_WRITE
                 ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
                 pSecurity = 0028FB20
                 Mode = CREATE_ALWAYS
                 Attributes = NORMAL
                 hTemplateFile = NULL
    So the function seems to do at least 3 things:
    - Load the files and list them visually. (Or return a list of data of some sort or something..)
    - Load the selected file to play.
    - Save the file to disk.

  6. #21 K^2
    Thank you for taking the time out of your day to do this for me; I highly appreciate and respect it.

    So "gta_sa.00834215" is where I can detour?

  7. #22 atom0s
    Well, that's part of the function; you'll have to debug and figure out where the start of it is and what you need to do to properly get it working.

    According to IDA it is:
    Code:
    signed int __thiscall sub_834038(void *this, int a2, int a3, LPCSTR lpFileName, __int16 a5, unsigned __int8 a6)
    {
    Keep in mind the signatures IDA generates are not always right on the sizes/types. So you'll have to play with it to get things right.
    Last edited by atom0s; 06-12-2013 at 11:13 AM.

  8. #23 K^2
    So it could start at: sub_834038

    But it could be wrong because of IDA?

    I can't find "gta_sa.00834215" or "sub_834038" in IDA.

    Also, could you explain the difference between OllyDbg and IDA please.
    At the moment I'm switching between them not knowing why.
    What is Olly used for and what is IDA used for?
    I thought they did the same thing?
    Last edited by K^2; 06-12-2013 at 12:14 PM.

  9. #24 atom0s
    OllyDbg is a debugger.

    IDA is a disassembler and a debugger.

  10. #25 K^2
    Quote Originally Posted by atom0s View Post
    OllyDbg is a debugger.

    IDA is a disassembler and a debugger.
    Oh right, so how did you get the information from OllyDbg? I can't attach it because the game won't maximize then.

    How did you learn all this lol

  11. #26 atom0s
    Quote Originally Posted by K^2 View Post
    Oh right, so how did you get the information from OllyDbg? I can't attach it because the game won't maximize then.

    How did you learn all this lol
    Set Olly to be always on top, so when you alt+tab it'll come up.
    And if a breakpoint is hit you can CTRL+ALT+DEL to open Task Manager and then tab to Olly, instead of losing control etc.

    As for getting the info, set a conditional logging breakpoint. To do that:
    - Open OllyDbg.
    - Open GTASA in Olly.
    - Ctrl+G and enter CreateFileA (* see note 1 below!)
    - At the top of the function, right-click -> Breakpoint -> Conditional Log
    - Leave everything how it is except change the following two things:
    ---> Log value of expression : Set to always.
    ---> Log function arguments : Set to always.
    - Click ok, a pink breakpoint should be set on the address now.

    Note 1: If you are on Windows 7/8, going directly to CreateFileA won't work with Ctrl+G since you will end up in the kernelbase wrapper instead. To get the real API address, right-click in the code window, choose View, then find kernel32 in the list. Right-click again after kernel32 is loaded, choose Search for -> Name (label) in current module. Find the CreateFileA export, double click it and you'll be at the real API call.

    Then run the game as normal, load/save etc. and then alt+tab back to OllyDbg and check the log window for the results.

    As for how I learned how to do this, trial and error, taking the time to learn the tools at hand, etc. I've been doing stuff like this for over 15 years now, so you get used to it after a while of practice heh.

  12. #27 K^2
    I followed your instructions; is this the log window? Because this is the data in it after loading the game:

    https://i.imgur.com/u5cQGdD.png

    Thank you for the explanation; can you remind me what I should be looking for now that you've found "gta_sa.00834215"?
    Once the start address is found do I need to re-write the save/load system exactly as the .exe did or can I do it my own way?

    Also, the reason I'm doing this is to bypass certain data the game checks for and writes when saving/loading (mainly the missions).
    Is this possible?

    I really can't thank you enough atom0s, you sir deserve a medal.
    Last edited by K^2; 06-12-2013 at 03:00 PM.

  13. #28 atom0s
    Here is a quickly thrown together hook for it:
    Code:
    /**
     * Grand Theft Auto: San Andreas - File Loader Hook
     * (c) 2013 atom0s [atom0s@live.com]
     */
    
    #include <Windows.h>
    #include <cstdio>   // sprintf_s
    #include <string>
    
    #define MakeJump( f, t ) (int)( ( (int)t - (int)f ) - 5)
    
    DWORD   g_SaveGame      = 0x00834038;
    DWORD   g_JumpBack      = 0x00000000;
    
    DWORD   g_Argument1     = NULL;
    DWORD   g_Argument2     = NULL;
    DWORD   g_Argument3     = NULL;
    DWORD   g_Argument4     = NULL;
    DWORD   g_Argument5     = NULL;
    
    char    g_OutputBuffer[ 1024 ] = { 0 };
    
    __declspec( naked ) void  SaveGameHook( void )
    {
        __asm
        {
            // Pull the arguments from the stack..
            push DWORD PTR DS:[esp+0x04]
            pop [g_Argument1]
            push DWORD PTR DS:[esp+0x08]
            pop [g_Argument2]
            push DWORD PTR DS:[esp+0x0C]
            pop [g_Argument3]
            push DWORD PTR DS:[esp+0x10]
            pop [g_Argument4]
            push DWORD PTR DS:[esp+0x14]
            pop [g_Argument5]
    
            // Restore the original code..
            push ebp
            mov ebp, esp
            sub esp, 0x1C
    
            // Preserve registers and flags..
            pushad
            pushfd
        }
    
        // Arg3 is lpFileName (the third stack argument of the __thiscall)..
        sprintf_s( g_OutputBuffer, 1024, "SaveGameHook [Arg1: 0x%08X][Arg2: 0x%08X][Arg3: %s][Arg4: %d][Arg5: %d]",
            g_Argument1, g_Argument2, (const char*)g_Argument3, g_Argument4, g_Argument5
            );
        OutputDebugString( g_OutputBuffer );
    
        __asm
        {
            // Restore registers and flags..
            popfd
            popad
    
            // Jump back to the original function..
            jmp g_JumpBack
        }
    }
    
    void InstallHook( HMODULE hModule )
    {
        MessageBox(0,0,0,0);
        DWORD dwOldProtection = NULL;
        if ( !VirtualProtect( (LPVOID)0x00834038, 0x1000, PAGE_EXECUTE_READWRITE, &dwOldProtection ) )
            return; // Could not make the page writable; do not touch it..
    
        BYTE* btJump            = (BYTE*)g_SaveGame;
        *(BYTE*)(btJump + 0)    = 0xE9;
        *(int* )(btJump + 1)    = MakeJump( btJump, SaveGameHook );
        *(BYTE*)(btJump + 5)    = 0x90; // Nop extra data..
    
        g_JumpBack = (DWORD)( btJump + 6 );
    }
    
    BOOL APIENTRY DllMain( HMODULE hModule, DWORD fdwReason, LPVOID lpReserved )
    {
        UNREFERENCED_PARAMETER( lpReserved );
    
        switch (fdwReason)
        {
        case DLL_PROCESS_ATTACH:
            InstallHook( hModule );
            break;
        }
    
        return TRUE;
    }
    However, looking at it now, the function seems to be used to load all types of files:
    Code:
    [7236] SaveGameHook [Arg1: 0x0028FB6C][Arg2: 0x0028FB68][Arg3: loadscs.txd][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FB58][Arg2: 0x0028FB54][Arg3: loadscs.txd][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FB5C][Arg2: 0x0028FB58][Arg3: loadscs.txd][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FCE0][Arg2: 0x0028FCDC][Arg3: AMERICAN.GXT][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FC14][Arg2: 0x0028FC10][Arg3: HANDLING.CFG][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FBEC][Arg2: 0x0028FBE8][Arg3: data\surface.dat][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FBCC][Arg2: 0x0028FBC8][Arg3: data\surfinfo.dat][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FCB0][Arg2: 0x0028FCAC][Arg3: data\surfaud.dat][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FCBC][Arg2: 0x0028FCB8][Arg3: DATA\PEDSTATS.DAT][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028F14C][Arg2: 0x0028F148][Arg3: PedEvent.txt][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028EFE4][Arg2: 0x0028EFE0][Arg3: RANDOM.ped][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028EFE4][Arg2: 0x0028EFE0][Arg3: m_norm.ped][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028EFE4][Arg2: 0x0028EFE0][Arg3: m_plyr.ped][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028EFE4][Arg2: 0x0028EFE0][Arg3: RANDOM.grp][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028EFE4][Arg2: 0x0028EFE0][Arg3: MISSION.grp][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028E638][Arg2: 0x0028E634][Arg3: GangMbr.ped][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028E62C][Arg2: 0x0028E628][Arg3: Cop.ped][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028E620][Arg2: 0x0028E61C][Arg3: R_Norm.ped][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028E614][Arg2: 0x0028E610][Arg3: R_Tough.ped][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028E608][Arg2: 0x0028E604][Arg3: R_Weak.ped][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028E5FC][Arg2: 0x0028E5F8][Arg3: Fireman.ped][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028E638][Arg2: 0x0028E634][Arg3: m_empty.ped][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028E62C][Arg2: 0x0028E628][Arg3: Indoors.ped][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028E620][Arg2: 0x0028E61C][Arg3: RANDOM.grp][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028E614][Arg2: 0x0028E610][Arg3: RANDOM2.grp][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FC24][Arg2: 0x0028FC20][Arg3: TIMECYC.DAT][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FC84][Arg2: 0x0028FC80][Arg3: POPCYCLE.DAT][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FCE4][Arg2: 0x0028FCE0][Arg3: AUDIO\CONFIG\BANKSLOT.DAT][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FCE4][Arg2: 0x0028FCE0][Arg3: AUDIO\CONFIG\BANKLKUP.DAT][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FC60][Arg2: 0x0028FC5C][Arg3: AUDIO\CONFIG\PAKFILES.DAT][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FCE4][Arg2: 0x0028FCE0][Arg3: AUDIO\STREAMS\AA][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FCE0][Arg2: 0x0028FCDC][Arg3: sa-utrax.dat][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FCC0][Arg2: 0x0028FCBC][Arg3: AUDIO\STREAMS\AA][Arg4: 0][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FD0C][Arg2: 0x0028FD08][Arg3: AUDIO\CONFIG\EVENTVOL.DAT][Arg4: 0][Arg5: 420]
    When you open the 'Load Save Game' screen, this is the result:
    Code:
    [7236] SaveGameHook [Arg1: 0x0028FA14][Arg2: 0x0028FA10][Arg3: C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf1.b][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FA04][Arg2: 0x0028FA00][Arg3: C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf1.b][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FA14][Arg2: 0x0028FA10][Arg3: C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf2.b][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FA04][Arg2: 0x0028FA00][Arg3: C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf2.b][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FA14][Arg2: 0x0028FA10][Arg3: C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf3.b][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FA14][Arg2: 0x0028FA10][Arg3: C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf4.b][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FA14][Arg2: 0x0028FA10][Arg3: C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf5.b][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FA14][Arg2: 0x0028FA10][Arg3: C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf6.b][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FA14][Arg2: 0x0028FA10][Arg3: C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf7.b][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FA14][Arg2: 0x0028FA10][Arg3: C:\Users\atom0s\Documents\GTA San Andreas User Files\GTASAsf8.b][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FB8C][Arg2: 0x0028FB88][Arg3: MODELS\FRONTEN1.TXD][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FB8C][Arg2: 0x0028FB88][Arg3: MODELS/FRONTEN_pc.TXD][Arg4: 32768][Arg5: 420]
    [7236] SaveGameHook [Arg1: 0x0028FB8C][Arg2: 0x0028FB88][Arg3: MODELS\FRONTEN2.TXD][Arg4: 32768][Arg5: 420]
    From here you are on your own though. I have other things to attend to. Good luck.
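An added example (not atom0s's code) in plain C that reproduces the patch arithmetic of the hook above and adds the check the hook skips: it refuses to write the E9 jump unless the six bytes at the target really are the prologue the hook re-executes (push ebp; mov ebp,esp; sub esp,0x1C, assumed here to be MSVC's 55 8B EC 83 EC 1C), then NOPs the leftover byte and decodes the jump back to confirm where it lands. The hook address 0x10001000 and the byte buffer are constructed; no Windows headers are needed, so it runs anywhere.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define JMP_LEN     5   /* E9 rel32 */
#define STOLEN_LEN  6   /* push ebp; mov ebp,esp; sub esp,0x1C */

/* Assumed MSVC encoding of the three prologue instructions the posted hook
 * re-executes before jumping back into the function. */
static const uint8_t kPrologue[STOLEN_LEN] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x1C };

/* rel32 displacement for an E9 jump at 'from' landing on 'to';
 * same arithmetic as MakeJump() in the posted hook. */
int32_t make_rel32(uint32_t from, uint32_t to)
{
    return (int32_t)(to - from - JMP_LEN);
}

/* Decode an E9 jump whose bytes are in 'code' and which sits at address
 * 'at'; return its absolute target, or 0 if the opcode is not E9. */
uint32_t decode_jmp_target(const uint8_t *code, uint32_t at)
{
    uint32_t rel;
    if (code[0] != 0xE9)
        return 0;
    rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
          ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);   /* little-endian */
    return at + JMP_LEN + rel;
}

/* Patch 'code' (the bytes at address 'func') with a jump to 'hook', but only
 * if those bytes are the prologue we plan to re-execute elsewhere. Returns
 * the resume address (g_JumpBack in the post) or 0 when the bytes differ. */
uint32_t install_patch(uint8_t *code, uint32_t func, uint32_t hook)
{
    uint32_t rel;
    if (memcmp(code, kPrologue, STOLEN_LEN) != 0)
        return 0;                    /* different build or already hooked: refuse */
    rel = (uint32_t)make_rel32(func, hook);
    code[0] = 0xE9;
    code[1] = (uint8_t)(rel);
    code[2] = (uint8_t)(rel >> 8);
    code[3] = (uint8_t)(rel >> 16);
    code[4] = (uint8_t)(rel >> 24);
    memset(code + JMP_LEN, 0x90, STOLEN_LEN - JMP_LEN);   /* NOP the stolen tail */
    return func + STOLEN_LEN;
}

int main(void)
{
    /* Constructed stand-in for the first bytes of gta_sa.exe at 0x00834038. */
    uint8_t code[STOLEN_LEN + 2] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x1C, 0x56, 0x57 };
    uint32_t func = 0x00834038u;     /* address from the post */
    uint32_t hook = 0x10001000u;     /* constructed address of SaveGameHook */
    uint32_t back = install_patch(code, func, hook);
    printf("resume at 0x%08X, jmp lands on 0x%08X\n",
           back, decode_jmp_target(code, func));
    return back ? 0 : 1;
}
```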

  14. #29 Jason
    Was too lazy to read the rest of the posts just now but just wanted to add one minor point (though it's not particularly relevant in this case, but may be later).

    Don't hook/breakpoint the "xxxA" versions of the Windows API functions (i.e. CreateFileA); hooking/breaking the "xxxW" version is far more reliable. Essentially the "xxxA" versions of the API convert the ASCII string provided into a wide char (Unicode) string then call the "xxxW" version anyway (as you can see in the screenshot you posted):

    You can see that the function basically just calls Basep8BitStringToDynamicUnicode (converts the ASCII string into a Unicode one). Then pushes all the arguments back onto the stack (swapping the ASCII string pointer for the new unicode string pointer) and calls CreateFileW.

    As I said, this isn't really relevant in this case because it appears GTA is calling the "xxxA" versions of the API in the first place anyway, but just for future reference monitoring the "xxxW" versions of the API can be a lot more reliable as both calls to "xxxA" and "xxxW" will end up in "xxxW".


  15. #30 atom0s
    Quote Originally Posted by Jason View Post
    Was too lazy to read the rest of the posts just now but just wanted to add one minor point (though it's not particularly relevant in this case, but may be later).

    Don't hook/breakpoint the "xxxA" versions of the Windows API functions (i.e. CreateFileA); hooking/breaking the "xxxW" version is far more reliable. Essentially the "xxxA" versions of the API convert the ASCII string provided into a wide char (Unicode) string then call the "xxxW" version anyway (as you can see in the screenshot you posted):

    You can see that the function basically just calls Basep8BitStringToDynamicUnicode (converts the ASCII string into a Unicode one). Then pushes all the arguments back onto the stack (swapping the ASCII string pointer for the new unicode string pointer) and calls CreateFileW.

    As I said, this isn't really relevant in this case because it appears GTA is calling the "xxxA" versions of the API in the first place anyway, but just for future reference monitoring the "xxxW" versions of the API can be a lot more reliable as both calls to "xxxA" and "xxxW" will end up in "xxxW".

    In a lot of cases this is not helpful at all, given that CreateFileA wraps and calls CreateFileW, meaning the return address will be skewed by the wrapper calls.
    Such as in this case for GTA:
    Code:
    0028FB4C   758153E4  /CALL to CreateFileW from kernel32.758153DF
    0028FB50   0184FE18  |FileName = "AMERICAN.GXT"
    0028FB54   80000000  |Access = GENERIC_READ
    0028FB58   00000003  |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
    0028FB5C   0028FBA8  |pSecurity = 0028FBA8
    0028FB60   00000003  |Mode = OPEN_EXISTING
    0028FB64   00000080  |Attributes = NORMAL
    0028FB68   00000000  \hTemplateFile = NULL
    Which leads to more work getting the result desired.
