 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
shakib187
Expert Cheater
 Reputation: 0
Joined: 24 May 2007
Posts: 215
|
 Posted: Mon Nov 25, 2013 5:09 pm Post subject: 64 bit targets are supported yet with the user mode(SE) |
 |
|
| Is there a way to fix this? I cannot stealthedit my game
|
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 470
Joined: 09 May 2003
Posts: 25794
Location: The netherlands
|
| Posted: Tue Nov 26, 2013 10:30 am Post subject: |
|
|
the problem with 64bit is that address specifiers can be RIP relative. That means that relocated code needs to be rewritten, which causes shifts in opcode locations, which causes other code to break.
it can be fixed, but will require a person to manually fill in the relocated block of code
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
shakib187
Expert Cheater
Reputation: 0
Joined: 24 May 2007
Posts: 215
|
| Posted: Tue Nov 26, 2013 6:25 pm Post subject: |
|
|
| Code: |
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat)
stealthedit(herp,"cry.dll"+9B76E,10)
alloc(newmem,2048,"cry.dll"+9B76E)
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp RAX,00000001
jne originalcode
mov [rbx+1],(float)999
jmp returnhere
originalcode:
movss [rbx+1],xmm1
exit:
jmp returnhere
herp:
jmp newmem
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"cry.dll"+9B76E:
movss [rbx+1],xmm1
|
How would I go about doing this? can you give an example??
|
|
| Back to top |
|
|
shakib187
Expert Cheater
Reputation: 0
Joined: 24 May 2007
Posts: 215
|
| Posted: Tue Dec 03, 2013 3:30 pm Post subject: |
|
|
bump, com on DB please help 
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25794
Location: The netherlands
|
| Posted: Tue Dec 03, 2013 5:18 pm Post subject: |
|
|
First you'll need a stealthedit compiled to 64-bit. (probably not going to happen anytime soon)
Then instead of such a script, you need a script that's about 5000 times bigger.
For every possible entry point into the page(including the page boundary instructions), you must make a different redirect which points to a standalone path from that point. Rewriting all RIP relative accesses to direct memory accesses, until you're out of the page, and then jump back
In short: I think it might be easier to find the integrity check routines, and change those to read a copy instead
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
justa_dude
Grandmaster Cheater
 Reputation: 23
Joined: 29 Jun 2010
Posts: 891
|
| Posted: Tue Dec 03, 2013 7:17 pm Post subject: |
|
|
| Dark Byte wrote: | the problem with 64bit is that address specifiers can be RIP relative. That means that relocated code needs to be rewritten, which causes shifts in opcode locations, which causes other code to break.
it can be fixed, but will require a person to manually fill in the relocated block of code |
Forgive my ignorance, please, but why is this more difficult than relocating short/near jumps which are coded relative to eip?
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25794
Location: The netherlands
|
| Posted: Tue Dec 03, 2013 8:04 pm Post subject: |
|
|
Because jumps do not modify/rely on updated data so don't need to be rewritten.
Address specifiers do need to be rewritten when their position changes
e.g:
| Code: |
cmp [eip+40],1
mov [eip+44],0
|
if the location changes then the addresses this code reads and writes to will change as well. And non relocated code would still read the original address/code.
the +40 part of the instruction will then need to be changed to something else to make it point to the original function (e.g: +4ff00040)
And if the module copy is made beyond the 32-bit range, then the byte size of the instruction will change as well.
It can be done, but it'll need the 64-bit disassembler to be perfect and no guessing and no unaligned function entry points, and no data between functions that can break alignment, else it won't be able to find all eip relative opcodes, or it finds the wrong ones
So, it ends up in the user's responsibility to provide a properly coded module copy that the stealthedit can redirect calls to
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
justa_dude
Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010
Posts: 891
|
| Posted: Wed Dec 04, 2013 1:40 am Post subject: |
|
|
| Dark Byte wrote: | Because jumps do not modify/rely on updated data so don't need to be rewritten.
Address specifiers do need to be rewritten when their position changes
e.g:
| Code: |
cmp [eip+40],1
mov [eip+44],0
|
if the location changes then the addresses this code reads and writes to will change as well. And non relocated code would still read the original address/code.
the +40 part of the instruction will then need to be changed to something else to make it point to the original function (e.g: +4ff00040)
And if the module copy is made beyond the 32-bit range, then the byte size of the instruction will change as well.
It can be done, but it'll need the 64-bit disassembler to be perfect and no guessing and no unaligned function entry points, and no data between functions that can break alignment, else it won't be able to find all eip relative opcodes, or it finds the wrong ones
So, it ends up in the user's responsibility to provide a properly coded module copy that the stealthedit can redirect calls to |
Thank you for responding, DB. I'm afraid I still don't quite understand, but that's probably just my inexperience with AMD64.
I was under the impression that relative addressing was introduced to make it /easier/ to relocate code and my uninformed mental image coincided with this; when you say it's more difficult, is it because you assume (in the example above) that the code bits 40 and 44 bytes beyond the bit you shown wouldn't also be relocated? That is, if we were relocating a whole function at a time or something, would it be easier?
Sorry, again, for asking rudimentary questions instead of Googling.
PS, when I asked about near/short jumps being equally difficult I should've instead asked about near/short jumps to labels.
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25794
Location: The netherlands
|
| Posted: Wed Dec 04, 2013 6:09 am Post subject: |
|
|
Relocating is easier yes, but that's not what stealthedit does
When it encounters the non-executable page it jumps to the copy, but all it's data access must still point to the original addresses.(stack pointers are unaffected as well)
In 32-bit this is easy because once the module has been loaded the relocation table has updated all the opcodes that access data inside the module to point to the correct address. So when that gets copied they still point to the exact address before the copy(they point to the original module)
So when a function in the copy is executed, like acquiring a critical section lock, it will acquire the lock on the variable in the original memory and not in the copy, so other threads that want to acquire the lock, and currently aren't executing in the copy, can see the lock has been obtained and wait till it's released
In 64-bit with rip relative addressing it would lock the critical section in the copy, and no other thread would see it
Calls and jumps inside the module are fine since they do not get changed during runtime. So if the copy calls another function it executes the same type of code as the original. Eventually returning to the original module thanks to the stack, or a hardcoded address jmp
An alternate solution is to write an x86 emulator that emulates the execution of the protected page.
If you're one of the few lucky people that can use dbvm, then it might be easier. With that i can set specific callbacks on reads, and ignore executions.(only on newer cpu's so even less people can use it)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
justa_dude
Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010
Posts: 891
|
| Posted: Wed Dec 04, 2013 8:51 am Post subject: |
|
|
| Dark Byte wrote: | | Relocating is easier yes, but that's not what stealthedit does |
Ahhhhhh, I see now. Thank you for explaining.
|
|
| Back to top |
|
|
shakib187
Expert Cheater
Reputation: 0
Joined: 24 May 2007
Posts: 215
|
| Posted: Wed Dec 04, 2013 8:26 pm Post subject: |
|
|
| Dark Byte wrote: | First you'll need a stealthedit compiled to 64-bit. (probably not going to happen anytime soon)
Then instead of such a script, you need a script that's about 5000 times bigger.
For every possible entry point into the page(including the page boundary instructions), you must make a different redirect which points to a standalone path from that point. Rewriting all RIP relative accesses to direct memory accesses, until you're out of the page, and then jump back
In short: I think it might be easier to find the integrity check routines, and change those to read a copy instead |
I shouldn't have asked lol, thank you anyway though... I should have known there was a reason you didn't expand on it..
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
