kitesan Expert Cheater Reputation: 0
Joined: 01 May 2014 Posts: 124
Posted: Sun Feb 08, 2015 3:18 pm Post subject: Help and Infos
Hello boys.. I hate to be repetitive, but I need info and help about the integrity checks inside FC4 and ACU.. I would like to know how to do what stealthedit does so I can do it manually...
hhhuut Grandmaster Cheater Reputation: 6
Joined: 08 Feb 2015 Posts: 607
Posted: Sun Feb 08, 2015 7:36 pm Post subject:
Well, there's a great tutorial about the stealthedit plugin here: *Sorry, can't post URLs yet, but just search for "cheat engine stealthedit" via Google and click on the second link*
In short:
It marks a specific memory page as "Not executable", which will raise a DEP error when the program tries to enter (and execute) this code page.
CE will kind of interfere with this error and redirect the program to the page's copy, where you can inject code despite integrity checks.
Note: The stealthedited code page is still readable, so the memory check routines will scan the original code (and find no injections) while the code is actually executed from a different memory region.
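Added example, not from the thread or from the StealthEdit plugin: a small Python model of the detection side of what hhhuut describes. An integrity check that only hashes the code bytes passes, because the original page is left readable and unmodified; a check that also verifies page protections and looks for executable private memory flags both the non-executable code page and the executable copy. The region listing, module name, addresses and code bytes are all constructed for the example (in the shape of what VirtualQuery or CE's memory-region view returns), not taken from any real game.

```python
"""Integrity check that verifies page protections, not only code bytes.

Added example (not from the thread or the StealthEdit plugin). It models
the situation described above: the original code page stays readable and
byte-for-byte intact but is marked non-executable, and execution happens
from a private copy elsewhere. Everything below (module name, addresses,
region listing, code bytes) is constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Region:
    """One memory region, in the shape VirtualQuery / CE's region view (CTRL+R) reports."""
    base: int
    size: int
    protect: str            # Windows protection constant name, e.g. "PAGE_EXECUTE_READ"
    kind: str               # "IMAGE" (mapped module), "PRIVATE" (allocated) or "MAPPED"
    module: Optional[str]   # owning module for IMAGE regions, otherwise None


EXEC_PROTECTS = {
    "PAGE_EXECUTE", "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
}

MODULE = "game.exe"        # hypothetical module name
TEXT_BASE = 0x00401000     # hypothetical .text section base (one 4 KiB page)
TEXT_SIZE = 0x1000

# Constructed stand-in for the .text bytes; not real machine code.
TEXT_BYTES = bytes(range(256)) * 16
BASELINE_SHA256 = hashlib.sha256(TEXT_BYTES).hexdigest()


def bytes_check(current: bytes, baseline: str = BASELINE_SHA256) -> bool:
    """The naive check: hash of the code bytes equals the known-good hash."""
    return hashlib.sha256(current).hexdigest() == baseline


def protection_check(regions: List[Region], module: str,
                     text_base: int, text_size: int) -> List[str]:
    """Flag code pages of `module` that lost execute permission and any
    private (non-image) region that is executable."""
    findings = []
    text_end = text_base + text_size
    for r in regions:
        r_end = r.base + r.size
        in_text = r.base < text_end and text_base < r_end
        if (r.kind == "IMAGE" and r.module == module and in_text
                and r.protect not in EXEC_PROTECTS):
            findings.append(
                f"code page {r.base:#x} of {module} is {r.protect}, expected executable")
        if r.kind == "PRIVATE" and r.protect in EXEC_PROTECTS:
            findings.append(
                f"private executable region at {r.base:#x} ({r.size:#x} bytes, {r.protect})")
    return findings


# Constructed listing of an untouched process.
CLEAN = [
    Region(0x00400000, 0x1000, "PAGE_READONLY", "IMAGE", MODULE),        # PE header
    Region(TEXT_BASE, TEXT_SIZE, "PAGE_EXECUTE_READ", "IMAGE", MODULE),  # .text
    Region(0x00402000, 0x1000, "PAGE_READWRITE", "IMAGE", MODULE),       # .data
    Region(0x00500000, 0x10000, "PAGE_READWRITE", "PRIVATE", None),      # heap
]

# Constructed listing after a stealthedit-style change: same bytes in .text,
# but the page is no longer executable and a private executable copy exists.
EDITED = [
    Region(0x00400000, 0x1000, "PAGE_READONLY", "IMAGE", MODULE),
    Region(TEXT_BASE, TEXT_SIZE, "PAGE_READONLY", "IMAGE", MODULE),
    Region(0x00402000, 0x1000, "PAGE_READWRITE", "IMAGE", MODULE),
    Region(0x00500000, 0x10000, "PAGE_READWRITE", "PRIVATE", None),
    Region(0x02000000, 0x1000, "PAGE_EXECUTE_READWRITE", "PRIVATE", None),
]


def run_checks(text_bytes: bytes, regions: List[Region]) -> dict:
    """Combine both checks; the protection findings are what catch the trick."""
    return {
        "bytes_ok": bytes_check(text_bytes),
        "findings": protection_check(regions, MODULE, TEXT_BASE, TEXT_SIZE),
    }


if __name__ == "__main__":
    for name, regions in (("clean", CLEAN), ("stealthedited", EDITED)):
        print(name, run_checks(TEXT_BYTES, regions))
```

Running it prints a clean verdict for the first listing and two findings for the second, while `bytes_ok` stays `True` in both, which is exactly hhhuut's point about the scan routine seeing unmodified code. On a real process the regions would come from VirtualQueryEx; the private-executable heuristic needs an allow-list for JIT engines and other legitimate executable allocations, and a checker that runs inside the same process is only as trustworthy as that process.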
kitesan Expert Cheater Reputation: 0
Joined: 01 May 2014 Posts: 124
Posted: Mon Feb 09, 2015 10:19 am Post subject:
Thanks a lot, and how do I mark a specific memory page as "Not executable" manually? Must I change something inside the header? How do I redirect the program to the page's copy? Thanks in advance
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon Feb 09, 2015 10:31 am Post subject:
Here is a template for Stealthedit with AOB:
Code:
[ENABLE]
// AOB1: the 7-byte pattern at the instruction you want to replace (fill in the real bytes)
aobscan(AOB1,00 00 00 00 00 00 00)
// make a 248-byte copy of the code starting at AOB1; YYYY points into that copy
stealthedit(YYYY,AOB1,248)
alloc(newmem,248)
label(returnhere)
label(originalcode)
label(XXXX)
registersymbol(XXXX)

newmem:
//newmem: your injected code goes here
// this jmp skips originalcode; delete it if the replaced instruction should still run
jmp returnhere

originalcode:
//originalcode: the instruction(s) replaced by the jmp below
jmp returnhere

YYYY:
XXXX:
jmp newmem
//nop's: pad to the length of the replaced bytes (5-byte jmp + 2 nops = 7 bytes here)
nop
nop
returnhere:

[DISABLE]
dealloc(newmem)
XXXX:
// restore the original 7 bytes matched by AOB1
db 00 00 00 00 00 00 00
unregistersymbol(XXXX)
Make sure the proper Stealthedit plugin is loaded, then just enable the script. In order for a trainer to work, you also have to load the appropriate files when compiling the trainer and also create a Lua script with something like this:
Code:
plugin = loadPlugin(getCheatEngineDir() .. 'plugins\\StealthEdit\\umstealthedit-i386.dll')
However, to answer your original question, the Stealthedit plugin can be used to locate the integrity checks for you...allowing you to more easily manipulate them. How it does this/how to do this? I'd like to know myself. But, I'm sure some of the answers are not so simple and require a level of understanding that just takes time to develop.
kitesan Expert Cheater Reputation: 0
Joined: 01 May 2014 Posts: 124
Posted: Mon Feb 09, 2015 10:35 am Post subject:
Thanks a lot METHOS, but I wanted to learn how to do stealthedit's job manually..
NEW: my goal was to learn lol
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon Feb 09, 2015 10:56 am Post subject:
Ask Geri about Stealthedit.
Writing a dll that performs similarly to stealthedit has been discussed, but the discussions have always been brief and limited because the topic just requires all involved to already have some understanding of things that are generally more advanced and those things just take time to learn.
There are a handful of members here that can help with it if they have time and are willing. But...most of it just has to be learned...there is no magic answer that will give you understanding, I'm afraid.
Geri Moderator Reputation: 111
Joined: 05 Feb 2010 Posts: 5636
Posted: Mon Feb 09, 2015 11:30 am Post subject:
If it were just "change a few bytes here, click a few times there", someone would post how to do it in 5 sentences, but it doesn't work that way.
CE has many features; amongst these are the options to show memory regions (CTRL+R) and also to change access and copy memory with AA instructions, and it has a few different debuggers too. If you are really curious how these things are done, get the source code and dig through it.
To do something similar to stealthedit "manually", you could use the debugger. Set up a breakpoint and change the EIP register to point to a different location. That can be done with the CE debuggers.
This plugin is much more complicated than you think. After all, it contains features which are above the basic CE, and even the basic CE packs so many advanced features that beginners don't even have a clue about the extent of this software.
kitesan Expert Cheater Reputation: 0
Joined: 01 May 2014 Posts: 124
Posted: Mon Feb 09, 2015 12:21 pm Post subject:
Thanks a lot boys, but at least tell me where to start to get an overall understanding of it... or at least give me some advice about killing multiple checks at once
Geri Moderator Reputation: 111
Joined: 05 Feb 2010 Posts: 5636
Posted: Mon Feb 09, 2015 2:15 pm Post subject:
There is no easy solution; this is why the plugin was created.
I told you a solution which is easier to do with the debugger, and I also wrote an article years ago about bypassing a single memory check. Of course you can also try to use pointers.
danrevella Master Cheater Reputation: 2
Joined: 11 Jun 2008 Posts: 290
Posted: Mon Jun 01, 2015 7:05 am Post subject:
++METHOS wrote:
Here is a template for Stealthedit with AOB:
Code:
[ENABLE]
// AOB1: the 7-byte pattern at the instruction you want to replace (fill in the real bytes)
aobscan(AOB1,00 00 00 00 00 00 00)
// make a 248-byte copy of the code starting at AOB1; YYYY points into that copy
stealthedit(YYYY,AOB1,248)
alloc(newmem,248)
label(returnhere)
label(originalcode)
label(XXXX)
registersymbol(XXXX)

newmem:
//newmem: your injected code goes here
// this jmp skips originalcode; delete it if the replaced instruction should still run
jmp returnhere

originalcode:
//originalcode: the instruction(s) replaced by the jmp below
jmp returnhere

YYYY:
XXXX:
jmp newmem
//nop's: pad to the length of the replaced bytes (5-byte jmp + 2 nops = 7 bytes here)
nop
nop
returnhere:

[DISABLE]
dealloc(newmem)
XXXX:
// restore the original 7 bytes matched by AOB1
db 00 00 00 00 00 00 00
unregistersymbol(XXXX)
Make sure the proper Stealthedit plugin is loaded, then just enable the script. In order for a trainer to work, you also have to load the appropriate files when compiling the trainer and also create a Lua script with something like this:
Code:
plugin = loadPlugin(getCheatEngineDir() .. 'plugins\\StealthEdit\\umstealthedit-i386.dll')
However, to answer your original question, the Stealthedit plugin can be used to locate the integrity checks for you...allowing you to more easily manipulate them. How it does this/how to do this? I'd like to know myself. But, I'm sure some of the answers are not so simple and require a level of understanding that just takes time to develop.

Please excuse me, I only utilize the simple generic trainer creator.
I don't understand this line of Lua code; maybe you could post the "entire" line please.
Code:
plugin = loadPlugin(getCheatEngineDir() .. 'plugins\\StealthEdit\\umstealthedit-i386.dll')