sbryzl Master Cheater Reputation: 6
Joined: 25 Jul 2016 Posts: 252
Posted: Sat Feb 24, 2018 12:18 pm Post subject: PostMessage Key Sim
This game has 32 bit and 64 bit modes and both have references to PostMessageW. I've been using it in 32 bit mode to simulate key presses by using 4 dword parameters and it returns with a simulated key press and altered ecx and edx registers.
My problem is with 64 bit. I don't know whether to push the values as qwords, or as the 4 dwords combined into 2 qwords, or what other steps need to be taken to translate the request to the function, or if it will even work. The result in 64 bit is that it returns from the function without removing any of my parameters from the stack and no key simulation.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4297
sbryzl Master Cheater Reputation: 6
Joined: 25 Jul 2016 Posts: 252
Posted: Sat Feb 24, 2018 1:54 pm Post subject:
ParkourPenguin wrote:
> The first 4 parameters are passed through registers, not the stack. Make sure the stack is aligned on a 16-byte boundary and there's some shadow space on the stack for the register parameters.
> You can read about 64-bit calling conventions here.
Thanks! Would you recommend preserving all these registers even if they don't seem to be changing upon testing?
Register   Status       Use
RAX        Volatile     Return value register
RCX        Volatile     First integer argument
RDX        Volatile     Second integer argument
R8         Volatile     Third integer argument
R9         Volatile     Fourth integer argument
R10:R11    Volatile     Must be preserved as needed by caller; used in syscall/sysret instructions
R12:R15    Nonvolatile  Must be preserved by callee
RDI        Nonvolatile  Must be preserved by callee
RSI        Nonvolatile  Must be preserved by callee
RBX        Nonvolatile  Must be preserved by callee
RBP        Nonvolatile  May be used as a frame pointer; must be preserved by callee
Update: It looks like rcx, rdx, r8 and r9 (the registers holding the arguments) are the only ones that change, but I'm not sure if some other event could cause a problem in another register.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4297
Posted: Sat Feb 24, 2018 2:40 pm Post subject:
If you're doing this in a code injection, you should back up all volatile registers (including xmm0 - xmm5), but you can probably get away with not backing most of them up.
If you're not in a code injection (e.g. executing code via CreateThread), do whatever you want; it's your code.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
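The points ParkourPenguin raises (first four arguments in registers, 16-byte stack alignment, shadow space, and backing up the volatile registers including xmm0-xmm5) worked into a NASM-syntax x64 stub. This is an added example, not code from the thread; hwnd_value, pPostMessageW, the WM_KEYDOWN/VK_SPACE constants and the lParam value are assumptions, and the stub is assumed to be reached by a CALL from the hook site.

```asm
; Added example (NASM syntax), not from the thread. Placeholders hwnd_value and
; pPostMessageW are assumed to be filled in at injection time.
default rel
stub:
    push rbp
    mov  rbp, rsp                 ; rbp is nonvolatile: it keeps the entry RSP
    pushfq                        ; the callee will clobber the flags
    push rax                      ; volatile GPRs the hooked code may still need
    push rcx
    push rdx
    push r8
    push r9
    push r10
    push r11
    and  rsp, -16                 ; 16-byte boundary, whatever the entry alignment was
    sub  rsp, 0x80                ; 0x20 shadow space + 0x60 for xmm0-xmm5 (stays aligned)
    movdqa [rsp+0x20], xmm0       ; volatile XMM registers, saved at 16-byte aligned slots
    movdqa [rsp+0x30], xmm1
    movdqa [rsp+0x40], xmm2
    movdqa [rsp+0x50], xmm3
    movdqa [rsp+0x60], xmm4
    movdqa [rsp+0x70], xmm5
    ; The first four arguments travel in registers, never on the stack:
    mov  rcx, [hwnd_value]        ; HWND   (placeholder)
    mov  edx, 0x100               ; Msg    = WM_KEYDOWN (assumed constant)
    mov  r8d, 0x20                ; wParam = VK_SPACE   (assumed constant)
    mov  r9d, 1                   ; lParam = repeat count 1, scan-code bits left zero (assumption)
    call qword [pPostMessageW]    ; [rsp, rsp+0x20) is the shadow space the callee may use
    movdqa xmm0, [rsp+0x20]
    movdqa xmm1, [rsp+0x30]
    movdqa xmm2, [rsp+0x40]
    movdqa xmm3, [rsp+0x50]
    movdqa xmm4, [rsp+0x60]
    movdqa xmm5, [rsp+0x70]
    lea  rsp, [rbp-0x40]          ; back to where the 8 pushes left RSP (8 * 8 bytes)
    pop  r11
    pop  r10
    pop  r9
    pop  r8
    pop  rdx
    pop  rcx
    pop  rax
    popfq
    pop  rbp
    ret
align 8
pPostMessageW: dq 0               ; placeholder: resolved address of PostMessageW
hwnd_value:    dq 0               ; placeholder: target window handle
```

The `and rsp, -16` step is what makes the stub safe at an arbitrary hook site: the call instruction then sees a 16-byte aligned RSP, and the saved entry RSP in rbp lets the pops land on the right slots afterwards.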
sbryzl Master Cheater Reputation: 6
Joined: 25 Jul 2016 Posts: 252
Posted: Sat Feb 24, 2018 2:44 pm Post subject:
Yep, it's injected, thanks.