Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


What can I do if VirtualProtect fails?

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming
View previous topic :: View next topic  
Author Message
Viloresi
Expert Cheater
Reputation: 0

Joined: 02 Feb 2017
Posts: 117

PostPosted: Thu Apr 06, 2017 2:50 pm    Post subject: What can I do if VirtualProtect fails? Reply with quote

Hello, I'm trying to write into an address, in the memory of a game, that has read-only protection ( it's an opcode).
So I'm trying to use VirtualProtect to change the protection to EXECUTE_READWRITE ...
I'm kinda sure that this game as some kind of protection that is causing the virtualprotect to fail.
Does somebody has an Idea or a bypass for this??
Back to top
View user's profile Send private message
atom0s
Moderator
Reputation: 133

Joined: 25 Jan 2006
Posts: 7059
Location: 127.0.0.1

PostPosted: Thu Apr 06, 2017 11:00 pm    Post subject: Reply with quote

Could try manually calling the NT function:
NtProtectVirtualMemory

If the target is protected see if they have a hook on VirtualProtect, if so you can just invoke it manually +5 from the start of the function in some cases. (You will have to account for the stack alignment and such when you do this.)

_________________
- Retired.
Back to top
View user's profile Send private message Visit poster's website
Viloresi
Expert Cheater
Reputation: 0

Joined: 02 Feb 2017
Posts: 117

PostPosted: Fri Apr 07, 2017 12:43 am    Post subject: Reply with quote

Hey atomos , thank you for the reply.
I've checked if the VirtualProtect has been hooked, but it's not, I've attached some screenshots of the function (atleast I hope is what you told me to check).
How should I do the call? How can I pass the 4 parameters (Handle ,BaseAddress, ProtectSize , NewProtection, Oldprotection ) and then call it?
I mean I don't know how to use the NtProtectVirtualMemory alone without the use of the kernel32 VirtualProtect.
Thank you!

Also I've forgot to mention that I'm trying this from an injected dll (but I think you already guessed it probably)



ATOMOS1.png
 Description:
 Filesize:  84.59 KB
 Viewed:  4108 Time(s)

ATOMOS1.png



ATOMOS2.png
 Description:
 Filesize:  96.61 KB
 Viewed:  4108 Time(s)

ATOMOS2.png



ATOMOS3.png
 Description:
 Filesize:  102.92 KB
 Viewed:  4108 Time(s)

ATOMOS3.png


Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 332

Joined: 09 May 2003
Posts: 19642
Location: The netherlands

PostPosted: Fri Apr 07, 2017 3:19 am    Post subject: Reply with quote

perhaps ntProtectVirtualMemory is hooked
anyhow if all else fIls, use kernelmode

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Back to top
View user's profile Send private message MSN Messenger
Viloresi
Expert Cheater
Reputation: 0

Joined: 02 Feb 2017
Posts: 117

PostPosted: Fri Apr 07, 2017 3:28 am    Post subject: Reply with quote

Dark Byte wrote:
perhaps ntProtectVirtualMemory is hooked
anyhow if all else fIls, use kernelmode


Thank you for the reply darkbyte...
I've tried to check if ntProtectVirtualMemory is hooked too, but it doesn't seem to be...
btw I'm trying to do it in c++ from an injected dll, because I've already tried to change that address with cheat engine but nothing happens . (but it's not my point aniway since cheat engine is somehow detected).

I'm not 100% sure that I got what you meant , if you suggested me to use a driver to run this ;/ I may want to find another solution first if it's possible, I'm sure that atomos had a great idea, but I just don't know how to call the ntProtectVirtualMemory and pass it the parameters I need...
Thank you for the help guys



NTVIRTUALPROTECT.png
 Description:
 Filesize:  54.34 KB
 Viewed:  4093 Time(s)

NTVIRTUALPROTECT.png


Back to top
View user's profile Send private message
Viloresi
Expert Cheater
Reputation: 0

Joined: 02 Feb 2017
Posts: 117

PostPosted: Mon Apr 10, 2017 3:51 am    Post subject: Reply with quote

Up
Atomos or somebody knows how to use the NtProtectVirtualMemory?
I mean this function is undocumented, please if someone knows how to call it, it would be much appreciated since it could be a chance to bypass that protection.
Back to top
View user's profile Send private message
atom0s
Moderator
Reputation: 133

Joined: 25 Jan 2006
Posts: 7059
Location: 127.0.0.1

PostPosted: Mon Apr 10, 2017 2:17 pm    Post subject: Reply with quote

You can find sites like the following that give details on it:
https://undocumented.ntinternals.net/

Or just Google (or search Github) for the API name itself to find examples around the web.

_________________
- Retired.
Back to top
View user's profile Send private message Visit poster's website
Viloresi
Expert Cheater
Reputation: 0

Joined: 02 Feb 2017
Posts: 117

PostPosted: Mon Apr 10, 2017 2:32 pm    Post subject: Reply with quote

Thank you atomos, I knew that you are the best!
I've found it in the site that you gave me... Altough it's loaded from a dll, I've seen it uses the same parameters as the virtualprotect standard func .... But I still don't get why VirtualProtect calls this NtProtectVirtualMemory :S.

Aniway I'll try it, and if it bypass the protection I'll give a reply.
Back to top
View user's profile Send private message
Viloresi
Expert Cheater
Reputation: 0

Joined: 02 Feb 2017
Posts: 117

PostPosted: Thu Apr 13, 2017 10:31 am    Post subject: Reply with quote

I've found the type of protection, (the ntdll functions don't work either btw)
for what I've discovered, they've used an undocumented flag named
" SEC_NO_CHANGE " to map the memory.
so one method to fix this is by re-mapping the views you are interested in (alloc new memory, copy, suspend , resume exc) ...
Can't tell more because I don't want to get anybody in troubles.

Btw I hope whoever was interested in this (or will be) now has an idea of what's the kind of protection.

(initially I tought about DEP or some other weird stuff, but it's not luckily)
Back to top
View user's profile Send private message
atom0s
Moderator
Reputation: 133

Joined: 25 Jan 2006
Posts: 7059
Location: 127.0.0.1

PostPosted: Thu Apr 13, 2017 5:50 pm    Post subject: Reply with quote

If you are getting to that point, a driver may be of interest for bypassing or altering how things are done. Rather than allowing it to create the memory with 'SEC_NO_CHANGE', alter it to be a different flag that gives you access and allows VirtualProtect and other userland calls to work fine.

Keep in mind it is very easy for a game to monitor changes to things such as page access, a checksum on the memory as well as checking for hooks made to any function userland or not. And given the target you are going after based on your pm to me, I would tread with caution for legal purposes as well.

_________________
- Retired.
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites