Cheat Engine Forum Index -> Cheat Engine
How to use getasynckeystate in a 64 bit platform?

PlzSuckMaDuck
How do I cheat?
Reputation: 0

Joined: 01 Feb 2019
Posts: 5

Posted: Sat Feb 02, 2019 12:16 am    Post subject: How to use getasynckeystate in a 64 bit platform?

I've tried to find tutorials for using getasynckeystate, but most of the articles are about 32-bit platforms, which don't work on a 64-bit platform. Any help will be appreciated.

Quote:

[ENABLE]
alloc(newmem,2048,"re2.exe"+B8BC63A)
label(returnhere)
label(originalcode)
label(exit)

newmem:

originalcode:
mov [rax+20],ebx //This is the code that I want to fiddle with
mov rsi,[rsp+30]

exit:
jmp returnhere

"re2.exe"+B8BC63A:
jmp newmem
nop
nop
nop
returnhere:

[DISABLE]
dealloc(newmem)
"re2.exe"+B8BC63A:
mov [rax+20],ebx
mov rsi,[rsp+30]
//Alt: db 89 58 20 48 8B 74 24 30


I want to disable this code, mov [rax+20],ebx, when the assigned key (right mouse key for me) is pressed, and have the code revert when the button is released.
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Sat Feb 02, 2019 4:16 am

something like this
Code:

[ENABLE]
alloc(newmem,2048,"re2.exe"+B8BC63A)
label(returnhere)
label(originalcode)
label(exit)

newmem:

push RAX
push RCX
push RDX
push R8
push R9
push R10
push R11
sub rsp,28 //7 pushes before, so an odd number. Instead of sub rsp,20 use sub rsp,28: this reserves the 0x20-byte shadow space the callee expects and keeps rsp 16-byte aligned for the call
mov rcx,2 //first argument (vKey): 2 = VK_RBUTTON, the right mouse button
call GetAsyncKeyState
add rsp,28
pop r11
pop r10
pop r9
pop r8
pop rdx
pop rcx

test ax,8001 //return value: bit 15 = key currently held down, bit 0 = pressed since the last call
pop rax //pop does not touch the flags, so the test result survives restoring rax

jnz originalcode //key down: skip the mov below, so the write is disabled while the button is held

mov [rax+20],ebx //This is the code that I want to fiddle with

originalcode:
mov rsi,[rsp+30]

exit:
jmp returnhere

"re2.exe"+B8BC63A:
jmp newmem
nop
nop
nop
returnhere:

[DISABLE]
dealloc(newmem)
"re2.exe"+B8BC63A:
mov [rax+20],ebx
mov rsi,[rsp+30]
//Alt: db 89 58 20 48 8B 74 24 30

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
PlzSuckMaDuck
How do I cheat?
Reputation: 0

Joined: 01 Feb 2019
Posts: 5

Posted: Sun Feb 03, 2019 12:47 am

Dark Byte wrote:
something like this

Thank you. The code is working properly now. Btw is there any place where a newb can learn about this stuff?
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Sun Feb 03, 2019 1:37 am

Not really noob-friendly but https://docs.microsoft.com/en-us/cpp/build/x64-calling-convention?view=vs-2017
PlzSuckMaDuck
How do I cheat?
Reputation: 0

Joined: 01 Feb 2019
Posts: 5

Posted: Sun Feb 03, 2019 4:57 am

By the way, how can I switch the trigger from the right mouse button to the left mouse button?
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Sun Feb 03, 2019 5:21 am

Yes, change the parameter passed to the function to that of the left mouse button (rcx to 1 instead of 2).
Csimbi
I post too much
Reputation: 92

Joined: 14 Jul 2007
Posts: 3102

Posted: Thu Aug 31, 2023 2:45 pm

Did MS just change something?
When I used
Code:
call GetAsyncKeyState

before, it used to work.
Now, CE still assembles something but the code it leads to causes a crash.
Sometimes it leads to a bunch of jne instructions, sometimes it leads to a bunch of int 3 instructions, and neither one of these leads anywhere; they just cause a crash.
(see pic below)
Maybe it's the wrong GetAsyncKeyState - shouldn't it be user32.dll?
Any thoughts?
Can I force using GetAsyncKeyState in user32.dll somehow?
Thanks!

[attachment: CE_GETASKSx64.png]

TsTg
Master Cheater
Reputation: 5

Joined: 12 Dec 2012
Posts: 334
Location: Somewhere....

Posted: Thu Aug 31, 2023 3:46 pm

Csimbi wrote:
Did MS just change something?
When I used
Code:
call GetAsyncKeyState

before, it used to work.
Now, CE still assembles something but the code it leads to causes a crash.
Sometimes it leads to a bunch of jne instructions, sometimes it leads to a bunch of int 3 instructions, and neither one of these leads anywhere; they just cause a crash.
(see pic below)
Maybe it's the wrong GetAsyncKeyState - shouldn't it be user32.dll?
Any thoughts?
Can I force using GetAsyncKeyState in user32.dll somehow?
Thanks!


The GetAsyncKeyState API has always been on User32; you can reference it in CE like this:
Code:
call User32.GetAsyncKeyState
Csimbi
I post too much
Reputation: 92

Joined: 14 Jul 2007
Posts: 3102

Posted: Thu Aug 31, 2023 3:55 pm

TsTg wrote:

The GetAsyncKeyState API has always been on User32; you can reference it in CE like this:
Code:
call User32.GetAsyncKeyState


Indeed, thanks!

Using that I could also find out that it's Steam itself.
It redirects that call to gameoverlayrenderer64.dll with a jump:

Code:
USER32.GetAsyncKeyState - E9 15C6DCFD           - jmp 7FFF802E054A
USER32.GetAsyncKeyState+5- 57                    - push rdi
USER32.GetAsyncKeyState+6- 48 83 EC 20           - sub rsp,20
USER32.GetAsyncKeyState+A- 65 48 8B 04 25 30000000  - mov rax,gs:[00000030]
...
7FFF802E054A - E9 D16FC3E7           - jmp gameoverlayrenderer64.dll+97520
...
gameoverlayrenderer64.dll+97520 - 40 53                 - push rbx
gameoverlayrenderer64.dll+97522 - 48 83 EC 20           - sub rsp,20
gameoverlayrenderer64.dll+97526 - 80 3D 9BF70C00 00     - cmp byte ptr [gameoverlayrenderer64.dll+166CC8],00
gameoverlayrenderer64.dll+9752D - 8B D9                 - mov ebx,ecx
gameoverlayrenderer64.dll+9752F - 74 16                 - je gameoverlayrenderer64.dll+97547
gameoverlayrenderer64.dll+97531 - 4C 8B 44 24 28        - mov r8,[rsp+28]
...


Remove the jump and it's all good ;)

Code:
USER32.GetAsyncKeyState - 48 89 5C 24 08        - mov [rsp+08],rbx
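The listing above is the textbook inline-hook pattern: the API's first instruction replaced by an E9 rel32 jmp that bounces through a trampoline into a different module. The Python below is an added example, not code from the thread or from Cheat Engine; it reproduces the bytes shown and walks the jump chain offline the way a hook scanner would, comparing the entry against the clean prologue the post shows after unhooking. The absolute address of USER32.GetAsyncKeyState and the base and size of gameoverlayrenderer64.dll are not on the page and are assumed values chosen so that the relative jumps land on the addresses in the listing.

```python
import struct

# Constructed sample memory reproducing the bytes from the listing in this thread. The absolute
# address of USER32.GetAsyncKeyState is not on the page; 0x7FFF82513F30 is an assumed value
# chosen so that "E9 15 C6 DC FD" lands on the 0x7FFF802E054A shown in the listing.
GETASYNCKEYSTATE = 0x7FFF82513F30
MEMORY = {
    GETASYNCKEYSTATE: bytes.fromhex("E915C6DCFD574883EC20"),  # jmp 7FFF802E054A; push rdi; sub rsp,20
    0x7FFF802E054A: bytes.fromhex("E9D16FC3E7"),            # jmp gameoverlayrenderer64.dll+97520
    0x7FFF67F17520: bytes.fromhex("40534883EC20"),          # push rbx; sub rsp,20 (hook body)
}
# (base, size) per module; both assumed, the base so that the final target reads +97520.
MODULES = {"gameoverlayrenderer64.dll": (0x7FFF67E80000, 0x200000)}
CLEAN_PROLOGUE = bytes.fromhex("48895C2408")  # mov [rsp+08],rbx: the entry as shown after unhooking

def read(addr, n):
    """Read n bytes from the sample memory image (empty bytes if unmapped)."""
    for base, blob in MEMORY.items():
        if base <= addr < base + len(blob):
            return blob[addr - base:addr - base + n]
    return b""

def jmp_rel32_target(addr):
    """Target of an E9 rel32 jmp at addr (addr + 5 + rel32), or None if addr holds no such jmp."""
    code = read(addr, 5)
    if len(code) < 5 or code[0] != 0xE9:
        return None
    return addr + 5 + struct.unpack("<i", code[1:5])[0]

def follow_jmp_chain(addr, limit=8):
    """Follow consecutive rel32 jmps; the last address is where the call really ends up."""
    chain = [addr]
    while len(chain) <= limit:
        nxt = jmp_rel32_target(chain[-1])
        if nxt is None or nxt in chain:  # no jmp, unmapped memory, or a loop
            break
        chain.append(nxt)
    return chain

def symbolize(addr):
    """Render addr as module+offset (hex) when it falls inside a known module, else as bare hex."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return f"{name}+{addr - base:X}"
    return f"{addr:X}"

def check_entry(addr, expected_prologue):
    """Classify a function entry: clean prologue, or inline-hooked plus the jump chain it takes."""
    if read(addr, len(expected_prologue)) == expected_prologue:
        return {"hooked": False, "chain": [addr]}
    chain = follow_jmp_chain(addr)
    return {"hooked": len(chain) > 1, "chain": chain, "target": symbolize(chain[-1])}
```

A real scanner would read the bytes from the live process and take the module list from the loader; the logic of following the chain and naming the final module is the same.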
TsTg
Master Cheater
Reputation: 5

Joined: 12 Dec 2012
Posts: 334
Location: Somewhere....

Posted: Thu Aug 31, 2023 4:04 pm

Csimbi wrote:

Indeed, thanks!

Using that I could also find out that it's Steam itself.
It redirects that call to gameoverlayrenderer64.dll with a jump:

Remove the jump and it's all good ;)

Np, and wow, never knew that Steam actually hooks into this API :D
Good finding there ^^.
Csimbi
I post too much
Reputation: 92

Joined: 14 Jul 2007
Posts: 3102

Posted: Thu Aug 31, 2023 4:11 pm

TsTg wrote:

Np, and wow, never knew that Steam actually hooks into this API :D
Good finding there ^^.

Must be something new in a recent client release - my scripts were working a few days back but not today.
I am on the beta client though, so a lot of people might not be seeing this just yet.
I wonder if it's legal (allows Steam to log keys) and what antivirus clients will have to say about it ;)
TsTg
Master Cheater
Reputation: 5

Joined: 12 Dec 2012
Posts: 334
Location: Somewhere....

Posted: Thu Aug 31, 2023 4:53 pm

Csimbi wrote:
TsTg wrote:

Np, and wow, never knew that Steam actually hooks into this API :D
Good finding there ^^.

Must be something new in a recent client release - my scripts were working a few days back but not today.
I am on the beta client though, so a lot of people might not be seeing this just yet.
I wonder if it's legal (allows Steam to log keys) and what antivirus clients will have to say about it ;)


Pretty suspicious one if you ask me; it surely needs a look at what's inside their code, and it would be even more suspicious if they decided to use a hook via something like SetWindowsHookEx.
As for AVs, I am sure they will just ask AV vendors to whitelist their dll ;)
Otherwise no one will be happy about it.
All times are GMT - 6 Hours