Cheat Engine The Official Site of Cheat Engine
buraktamturk Newbie cheater Reputation: 0
Joined: 29 Jun 2014 Posts: 18
Posted: Fri Mar 04, 2016 8:09 am Post subject: sysenter hook via dbvm
Hello,
I want to hook sysenter; I just saw that a sysenter hook is supported by DBVM. What should the prolog/epilog be for a sysenter hook (I am looking for something like interrupt1_asmentry)?
I am writing a cheat for a game that is protected by a hackish anti-cheat (they have drivers too). Thanks to DBVM, the anti-cheat doesn't know anything about my cheat. But the anti-cheat itself is preventing the creation of a second game instance. Maybe their drivers are written in a way that does not support two processes at a time, or maybe they have support for this and prevent it by checking their internal structures, or, the case I hope to find, they check it by using functions that are in the SSDT, which would be a bingo case for me.
I thought I could hook sysenter and trace the functions they use, and the eip from which they call ZwTerminateProcess, so I may break it by using hw breakpoints/page faults etc.
And I wonder: are the 32-bit pointer parameters and the pointers in the structs normalized by Windows before calling sysenter? What I mean is, can I get the arguments by reading the stack in my hook?
Thanks,
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25288 Location: The netherlands
Posted: Fri Mar 04, 2016 8:27 am Post subject:
I'm not sure it's active right now (not implemented, hidden_sysenter_modification is 0 if I'm not mistaken, which disables that feature).
It's also only for 32-bit (64-bit uses syscall).
Of course, DBVM can be adjusted to hook those MSR reads and writes, but it's not currently in.
As for multiple instances, it might be as simple as a named object that is being checked for its existence (e.g. a named event or a named pipe, or one of many other options).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
buraktamturk Newbie cheater Reputation: 0
Joined: 29 Jun 2014 Posts: 18
Posted: Fri Mar 04, 2016 1:53 pm Post subject:
Dark Byte wrote: | I'm not sure it's active right now (not implemented, hidden_sysenter_modification is 0 if I'm not mistaken, which disables that feature).
It's also only for 32-bit (64-bit uses syscall).
Of course, DBVM can be adjusted to hook those MSR reads and writes, but it's not currently in.
As for multiple instances, it might be as simple as a named object that is being checked for its existence (e.g. a named event or a named pipe, or one of many other options). |
There is a global mutex object for sure. When I bypass the routine via an int1 hook and hw breakpoints, the first instance gets closed after a few seconds along with the second instance, so I think the anti-cheat itself does the second check.
Thanks for the explanation, I would have wasted my time trying to implement it.
Thanks,