Reverse Engineering GetTickCount

Posted: Tue Jan 19, 2016 12:23 pm    Post subject: Reverse Engineering GetTickCount

I don't know if this is the right thread to post this, because it's not a Cheat Engine-only tutorial, but I thought it would help someone.

I am writing this little guide about a function that might be very useful to hook when dealing with time based anticheats.
I'll also cover a little bit about basic knowledge of API analysis.

KERNELBASE.GetTickCount - jmp KERNELBASE.GetTickCount+4
KERNELBASE.GetTickCount+2- repe nop
KERNELBASE.GetTickCount+4- mov ecx,[7FFE0324] { [00000000] }
KERNELBASE.GetTickCount+A- mov edx,[7FFE0320] { [000B4F46] }
KERNELBASE.GetTickCount+10- mov eax,[7FFE0328] { [00000000] }
KERNELBASE.GetTickCount+15- cmp ecx,eax
KERNELBASE.GetTickCount+17- jne KERNELBASE.GetTickCount+2
KERNELBASE.GetTickCount+19- mov eax,[7FFE0004] { [0F99A027] }
KERNELBASE.GetTickCount+1E- mul edx
KERNELBASE.GetTickCount+20- shl ecx,08 { 8 }
KERNELBASE.GetTickCount+23- imul ecx,[7FFE0004] { [0F99A027] }
KERNELBASE.GetTickCount+2A- shrd eax,edx,18
KERNELBASE.GetTickCount+2E- shr edx,18 { 24 }
KERNELBASE.GetTickCount+31- add eax,ecx
KERNELBASE.GetTickCount+33- ret

Ok, so this is the piece of code we will look at.
As you can see, this generally controls most of the timeflow of the current application because it's the function that defines the outcome of GetTickCount().

But what can we say about this before analyzing the arguments themselves?
We know that this GetTickCount() is a 32-bit function (no 64-bit register used, such as rax).
We also know that in a 32-bit application, __stdcall is the most used calling convention.
By looking at the official Microsoft MSDN site, we can get all the information we need about a normal stdcall, and how any function will behave.

Argument-passing order
Right to left.

Argument-passing convention
By value, unless a pointer or reference type is passed.

Stack-maintenance responsibility
Called function pops its own arguments from the stack.

This is what MSDN says about this calling convention.
As we can see, any function will get its arguments by popping them out of the stack.
By looking again at our function code, we have a strong clue that the function doesn't require any arguments.
The EBP register doesn't get changed anywhere, so the stack will never be referenced by the code.

Knowing this will make our life easier, because we can debug this function without the need to care about our stack frame.
Now we can proceed to look at the code itself.

Offsets: 0-17
So, the code will start by jumping directly into the initialization of registers.
The addresses it copies them from are shared by the kernel, so their change is not given by the application as many would suppose.
0x7FFE0320 is the address containing a value that keeps incrementing at a fixed rate, while the other 2 addresses suit the purpose of countering an overflow (it would take 49.7 days of the machine running nonstop).

Offsets: 19-33
The only thing happening here is some data processing that increases the resulting tick count with logical shifts and by multiplying it with special values (set again by the kernel).
It then proceeds to return the processed value using the EAX register.

This was it, a closer look at the Kernel32.dll API.
Knowing how to analyze a globally used function will always help you, because you can easily find most of the functions that you might need, or even better hook it wherever you are hacking a game that uses CRC checks on most of the executable code.

Cheat Engine, for example, injects a DLL (speedhack-i386) to hook all the functions that control the flow of time in the game, but by doing so it can become detectable.
You could create your own speedhack using memory allocation as an exercise to write your first bypass.

Hope this "guide" was helpful for those who would like to get better at game hacking and reverse engineering.
Write a comment below if you have any questions!

Do you need to ask me something? Feel free to join my discord server at: or ask me something in my YouTube channel:
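
The listing above, rewritten in C as an added example that is not part of the original post: it shows the retry loop at offsets 2-17 and the 24-bit fixed-point scaling at offsets 19-33. The struct, its field names and the function names are assumptions made for this example, and the struct stands in for the shared page so the code runs anywhere.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the four shared-page values the listing reads.
   Field names are chosen for this example; they do not come from the post. */
struct shared_tick {
    volatile uint32_t multiplier; /* [7FFE0004] */
    volatile uint32_t low;        /* [7FFE0320] */
    volatile uint32_t high1;      /* [7FFE0324] */
    volatile uint32_t high2;      /* [7FFE0328] */
};

/* Offsets 19-33, one statement per instruction group. */
uint32_t scale_ticks(uint32_t low, uint32_t high, uint32_t mult)
{
    uint64_t prod = (uint64_t)low * mult;   /* mul edx: edx:eax = eax * edx */
    uint32_t ecx  = (high << 8) * mult;     /* shl ecx,08 ; imul ecx,[...]  */
    uint32_t eax  = (uint32_t)(prod >> 24); /* shrd eax,edx,18              */
    return eax + ecx;                       /* add eax,ecx ; ret            */
}

/* Offsets 2-17: re-read until both copies of the high part match, so the
   low and high parts are taken from the same update. */
uint32_t get_tick_count(const struct shared_tick *s)
{
    uint32_t high, low;
    do {
        high = s->high1;
        low  = s->low;
    } while (high != s->high2);
    return scale_ticks(low, high, s->multiplier);
}

/* Runs the routine on the values shown in braces in the listing. */
uint32_t sample_tick(void)
{
    struct shared_tick s = { 0x0F99A027u, 0x000B4F46u, 0u, 0u };
    return get_tick_count(&s);
}

int main(void)
{
    printf("%u\n", (unsigned)sample_tick());
    return 0;
}
```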
Posted: Tue Jul 19, 2016 9:51 am

How did you learn assembly? What did you do exactly? Coding in ASM? Reading functions you know what they do?
Posted: Wed Jul 20, 2016 2:14 pm

Nice, thanks for sharing this!