| View previous topic :: View next topic |
| Author |
Message |
Frouk
Grandmaster Cheater
![]() Reputation: 5
Joined: 22 Jun 2021
Posts: 507
|
 Posted: Tue Jul 08, 2025 4:57 am Post subject: __fastcall call conv C Code |
 |
|
| So I guess it isn't supported yet, I've tried to call a function with __fastcall calling convention and after compilation I was searching for the call in the compiled code - nothing
|
|
| Back to top |
|
 |
Eggs_
How do I cheat?
![]() Reputation: 0
Joined: 19 Jun 2025
Posts: 7
|
| Posted: Thu Jul 10, 2025 2:20 am Post subject: Re: __fastcall call conv C Code |
|
|
| Frouk wrote: | | So I guess it isn't supported yet, I've tried to call a function with __fastcall calling convention and after compilation I was searching for the call in the compiled code - nothing |
Unless you are on 32 bit version of windows the fastcall and stdcall should have the same params.
i don't quiet get what you are doing, did you compile something yourself using a third party compiler and are using CE to check on the code in runtime? (there's way better methods)
|
|
| Back to top |
|
|
Frouk
Grandmaster Cheater
![]() Reputation: 5
Joined: 22 Jun 2021
Posts: 507
|
| Posted: Thu Jul 10, 2025 2:21 am Post subject: |
|
|
| 64 bit always has __fastcall convention instead of __thiscall
|
|
| Back to top |
|
|
Eggs_
How do I cheat?
![]() Reputation: 0
Joined: 19 Jun 2025
Posts: 7
|
| Posted: Thu Jul 10, 2025 2:36 am Post subject: |
|
|
| Frouk wrote: | | 64 bit always has __fastcall convention instead of __thiscall |
if you are using for instance IDA64, it will always decompile functions to __fastcall by default (which is not the case)
but the calling conversion doesn't matter for 64x windows anymore it's all the same your c++ code you can use __fastcall or __cdecl or __stdcall, as long as the app runs in windows 64 it will use the microsoft x64 abi (learn.microsoft com/en-us/cpp/build/x64-calling-convention?view=msvc-170). With Simd calls being the only exception.
So in Cheat engine, the way to check for "thiscall" is to check wether RCX is related to the functions usually if it's a nonstatic class method ull see something like
mov rbx, rcx //backing up rcx
,,stuff..
cmp [rbx+10],1 //do stuff with rcx+offset
...
mov rax,[rbx+28] //do stuff with rcx+offset
test rax,rax
if you see alot of RCX+OFFSET operations you can be 90% sure that this is a "thiscall"
you can also check the RCX address (if its a valid address) if the first pointer [rcx+0x0] leads to a vtable than it's 99% a thiscall.
or if you are using IDA or any other static deassemblers you can just crossreference the function address to check if it's in any Vtable, than you can be 100% sure that it's a thiscall
|
|
| Back to top |
|
|
Frouk
Grandmaster Cheater
![]() Reputation: 5
Joined: 22 Jun 2021
Posts: 507
|
| Posted: Sun Jul 13, 2025 5:24 am Post subject: |
|
|
ofc it's __thiscall, I'm actually trying to call the function from vftable
I'm saying that you can't actually call it in {$ccode}, I've managed to get the virtual table index for a function and am trying to call it as __fastcall(usually it shouldn't care, the rdx register is already being used here)
|
|
| Back to top |
|
|
Dark Byte
Site Admin
 Reputation: 470
Joined: 09 May 2003
Posts: 25762
Location: The netherlands
|
| Posted: Sun Jul 13, 2025 6:00 am Post subject: |
|
|
in 64 bit parameter 1 is passed in rcx, the rdx, r8, r9 and the rest in stack
so if the class method is : myclass:mymethod(int x, int y) then to call it with ccode you'd do
int myclass_mymethod(void *myclassinstance, int x, int y)
that way myclassinstance will be in rcx
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping
Last edited by Dark Byte on Sun Jul 13, 2025 6:02 am; edited 1 time in total |
|
| Back to top |
|
|
Frouk
Grandmaster Cheater
![]() Reputation: 5
Joined: 22 Jun 2021
Posts: 507
|
| Posted: Sun Jul 13, 2025 6:02 am Post subject: |
|
|
can you give an example of calling it like this?:
| Code: |
((rettype(callconv)(args))(targetAddress))(args);
|
EDIT:
okay, nevermind, already figured it out, and it seems it is correct this time(used __stdcall to call it, because it will reserve the parameters into a stack if the rcx, rdx, r8, r9 registers were used)
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
