Execute return wrong values on x64bit #24

Open
MohamedAlaaJameel opened this issue Jul 31, 2022 · 1 comment

@MohamedAlaaJameel
The function's return value = 0x0166DCB00900

Execute function's return value = 0xDCB00900

As you can see, there are missing bytes.
The problem is in the GetExitCodeThread function's return; I don't know how to fix that.

var keyAddress = sharp.Assembly.Execute<IntPtr>(gameFunc, CallingConventions.MicrosoftX64, new dynamic[] { ecx });

@JamesMenetrey
Owner

Hey @MohamedAlaaJameel,

Sorry for the late reply. According to Microsoft's docs, the second parameter of the function GetExitCodeThread is of type LPDWORD, which is a pointer to a DWORD (32-bit unsigned integer).

Since your return value does not fit in a 32-bit value, the cast overflows the value. You can see this with this code:

long val = 0x0166DCB00900;
Console.WriteLine($"{(int)val:X8}"); // Print DCB00900

Unfortunately, there is no implementation of GetExitCodeThread that returns a 64-bit value, at least not that I'm aware of. I propose these workarounds:

  • If you control the code of the function that is called, store a pointer to the 64-bit value and read it afterwards.
  • If you don't control the function's code, you need to write some assembly code that calls the function and stores the result in a pre-allocated buffer, then read that buffer.

I'm going to fix the definition of that P/Invoke function to make it obvious (uint instead of IntPtr). Thanks for the report. I'll keep this issue open until I have fixed it.
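
The first workaround from the reply above, shown in-process as an added example (not code from the issue or from MemorySharp): the thread routine writes its 64-bit result into a caller-allocated buffer, and the caller reads that buffer instead of relying on the DWORD exit code. It assumes a 64-bit Windows process; the class name, `Worker` and the P/Invoke declarations are written for this example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class ExitCodeTruncationDemo // hypothetical name, added example
{
    // Thread entry point that returns 64 bits and receives the result buffer as its parameter.
    [UnmanagedFunctionPointer(CallingConvention.Winapi)]
    delegate ulong ThreadProc(IntPtr resultBuffer);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr CreateThread(IntPtr attrs, UIntPtr stackSize, IntPtr start,
                                      IntPtr param, uint flags, out uint threadId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint WaitForSingleObject(IntPtr handle, uint milliseconds);
    // lpExitCode is an LPDWORD, so the out parameter is declared as uint, not IntPtr.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetExitCodeThread(IntPtr thread, out uint exitCode);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const ulong Value = 0x0166DCB00900; // value taken from the report
    const uint Infinite = 0xFFFFFFFF;

    static ulong Worker(IntPtr resultBuffer)
    {
        Marshal.WriteInt64(resultBuffer, (long)Value); // full 64 bits go into the buffer
        return Value;                                  // the exit code keeps only the low 32 bits
    }

    static void Main()
    {
        ThreadProc proc = Worker;
        IntPtr buffer = Marshal.AllocHGlobal(sizeof(long));
        try
        {
            IntPtr thread = CreateThread(IntPtr.Zero, UIntPtr.Zero,
                Marshal.GetFunctionPointerForDelegate(proc), buffer, 0, out _);
            if (thread == IntPtr.Zero) throw new Win32Exception();
            WaitForSingleObject(thread, Infinite);
            if (!GetExitCodeThread(thread, out uint exitCode)) throw new Win32Exception();
            CloseHandle(thread);
            GC.KeepAlive(proc); // keep the delegate alive until the thread has finished
            Console.WriteLine($"GetExitCodeThread: 0x{exitCode:X}");
            Console.WriteLine($"Result buffer:     0x{Marshal.ReadInt64(buffer):X}");
        }
        finally { Marshal.FreeHGlobal(buffer); }
    }
}
```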
