ulysse31 Master Cheater
Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Wed Mar 25, 2015 2:26 pm Post subject: Help killing memory integrity check [Video] |
Hi, I am trying to kill a memory integrity checker (used the first game I had at hand with such a defense mechanism), followed the tutorials (Geri) and eventually got stuck.
This code manages coordinates (x):
mov [02158ED4],eax
This code does the memory integrity check:
add al,[ebx]
This code checks the code checking integrity:
mov edx,[edx]
I traced the mem checkers but the return address I get, as you will see in the video, is wrong.
I still tracked the first checker (add al,[ebx]) up to its conditional call; however, editing jne to jmp works but makes the game crash because of mov edx,[edx].
So I tracked mov edx,[edx] up to a point where I know the instruction throwing this path is a jmp edi (see how the edi value is the same as the address); however, the breakpoint still won't return the correct address.
Video with all steps:
apparently the forum doesn't let me post a URL
Help please (I am using CE 64 bit on a 32 bit game, VEH debugger).
This is just for understanding purposes (the stealth edit plugin does the job here).
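For readers who want to see what an "add al,[ebx]" loop actually computes and why a single jne-to-jmp edit trips it, here is an added example (not code from the thread, the game, or Cheat Engine). The code region, the byte offsets and the reference values are all constructed for illustration; the 8-bit additive checksum mirrors the AL-accumulating loop described in the post, and a 32-bit FNV-1a hash is shown beside it as the stronger comparison a protector would normally prefer, since an 8-bit sum has only 256 possible outcomes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample "code region": a few x86 opcode bytes including a jne
 * (0x75). These are illustration bytes, not bytes from the game in the thread. */
static const uint8_t REGION_ORIG[] = {
    0x8B, 0x45, 0x08,               /* mov eax,[ebp+8] */
    0x85, 0xC0,                     /* test eax,eax    */
    0x75, 0x05,                     /* jne +5          */
    0xB8, 0x01, 0x00, 0x00, 0x00,   /* mov eax,1       */
    0xC3                            /* ret             */
};
#define REGION_LEN (sizeof REGION_ORIG)
#define JNE_OFFSET 5   /* index of the 0x75 byte above (constructed) */

/* 8-bit additive checksum: what an "add al,[ebx] / inc ebx" loop computes.
 * AL wraps modulo 256, so the whole region collapses to one byte. */
uint8_t byte_sum(const uint8_t *region, size_t len)
{
    uint8_t al = 0;
    for (size_t i = 0; i < len; i++)
        al = (uint8_t)(al + region[i]);
    return al;
}

/* 32-bit FNV-1a over the same bytes: a stronger reference value than an
 * 8-bit sum, and cheap enough to run periodically. */
uint32_t fnv1a32(const uint8_t *region, size_t len)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= region[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Integrity verdict: 1 if both values match the recorded references, else 0. */
int integrity_ok(const uint8_t *region, size_t len,
                 uint8_t ref_sum, uint32_t ref_hash)
{
    return byte_sum(region, len) == ref_sum && fnv1a32(region, len) == ref_hash;
}

/* Simulates the protector's life cycle: record reference values over the
 * pristine region, then re-check after the jne has been turned into a jmp.
 * Returns 1 when the check passed before the edit and fails after it. */
int detect_jne_to_jmp_patch(void)
{
    uint8_t region[REGION_LEN];
    memcpy(region, REGION_ORIG, REGION_LEN);

    uint8_t  ref_sum  = byte_sum(region, REGION_LEN);
    uint32_t ref_hash = fnv1a32(region, REGION_LEN);
    int before = integrity_ok(region, REGION_LEN, ref_sum, ref_hash);

    region[JNE_OFFSET] = 0xEB;   /* jne -> jmp, the edit discussed in the thread */
    int after = integrity_ok(region, REGION_LEN, ref_sum, ref_hash);

    return before == 1 && after == 0;
}

int main(void)
{
    printf("byte_sum(original) = 0x%02X\n", byte_sum(REGION_ORIG, REGION_LEN));
    printf("fnv1a32(original)  = 0x%08X\n", fnv1a32(REGION_ORIG, REGION_LEN));
    printf("jne->jmp patch detected: %s\n",
           detect_jne_to_jmp_patch() ? "yes" : "no");
    return 0;
}
```

The two-layer arrangement the post describes (a second routine reading the checker's own bytes with mov edx,[edx]) is the same idea applied to the region containing byte_sum itself: the protector records a reference over the checker code and re-verifies it so that an edit to the check is noticed the same way an edit to the checked code is.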
Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
Posted: Wed Mar 25, 2015 2:53 pm Post subject: |
Post the link with some spaces between the letters or remove the dots.
There are many ways to check the return address. Break and trace, manual debugging and checking the return addresses or manual debugging and executing until return, code dissection, etc.
ulysse31 Master Cheater
Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Wed Mar 25, 2015 3:07 pm Post subject: |
Aight.
Thanks!
Address is this:
https://www.youtube.com/watch?v=w_33nIKxFKU
It would have been more pertinent if I had added the result of "see what addresses this instruction accesses" with mov edx,[edx], because it shows that it reads a bunch of addresses once, then isn't run for some time, then reads all those addresses again.
So obviously the sequence of code is run several times, and is always called with jmp edi (at least that's what I saw with the backtrace that goes back here).
But those jmp edi just redirect the code to the sequence, so it's reread XXX times in X milliseconds; this happens about every minute. I can't find the first call that initiates this every minute.
Did break and trace but can't trace enough instructions.
Did manual debugging with return address but it sends me back to a fake address.
Did code dissection but the call is a jmp edi and code dissection doesn't show register calls (AFAIK).
Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
Posted: Wed Mar 25, 2015 3:28 pm Post subject: |
Yeah, the add al,[ebx] instruction was already suspicious and I was guessing it's an error and the rest of the code is pretty much the same. This code was not disassembled correctly and since the debugger is based on the disassembler, the debugger is also not working properly.
It may happen that if you shift a few bytes left or right with the left/right arrow keys, then you will get the proper code.
Though it may happen that this is not an error, just a complicated encryption algorithm. Either way, I don't think I can help too much based on this video, because it seems to be a complex issue.
However I can tell you that break and trace can trace far more than 1000 lines, just set it to higher. And you can also look at the stack to see if there are any possible return addresses (press the S button in the trace window). You can also set the manual debugger to show the full stack, not just the guessed return addresses.
ulysse31 Master Cheater
Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Wed Mar 25, 2015 4:14 pm Post subject: |
I did a backtrace to 10,000 lines of code (the game just crashed when I asked for 20,000); it didn't help me too much, but it's hard to know if I simply missed something.
Thanks for taking the time to look into my case
Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
Posted: Wed Mar 25, 2015 5:03 pm Post subject: |
Ah yes, it may crash when it's an online game, because it's not responding to the server etc.
ulysse31 Master Cheater
Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Fri Mar 27, 2015 11:30 pm Post subject: |
B-but it didn't work.
Besides, it truly was only for study purposes, as the stealth edit is indeed working.
And he didn't know it was an online game!
As a matter of fact, it simply was the closest game with mem protect at hand installed on the comp.
Anyway, I did a little research; the security system handling mem integrity is the Themida suite.
Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
Posted: Sat Mar 28, 2015 1:42 am Post subject: |
He didn't post the name of the game or posted any gameplay. I just figured it out from the memory view in the video.