 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Corruptor
Advanced Cheater
![]() Reputation: 3
Joined: 10 Aug 2011
Posts: 82
|
 Posted: Fri Aug 17, 2018 10:32 am Post subject: CE cant write to memory |
 |
|
a game i play is getting updates again, and the last patch added quite an aggresive hacker protection.
Unfortunately, this protection also applies to the world editor. If youve ever used it, you will know that its pretty much unusable without third party addons, and with the new hacker protection going on, those dont work anymore.
Now, the protection itself has a lot of stuff going on: breakpoints that are being hit instantly crash the editor, tons of random exceptions (everything from illegal instructions to port I/O exceptions) are being thrown, but the one thing i dont really understand is this:
when the editor gets loaded, the entire code is encripted, but still writeable. After the new dll loads, it decripts the code and then does something with it to "protect" it somehow: after the decryption process, cheat engine can not write to it. It doesnt throw any errors, the changes simply dont apply. Trying to change the page protection to Read/write/execute (from read/execute) also has no effect and doesnt show any errors.
When i try to change the values with other debuggers (e.g x64dbg), it doesnt work either, though that debugger tells me that it failed to write to memory (though it doesnt tell me why).
Notably, other modules (e.g KERNEL32) are not protected in this way and can be written to normally.
I always thought cheat engine maps the virtual memory into its own address space and then works on that, but then i'd expect it to either be unable to read it (since the mapping somehow failed) or to write to it without noticing that the changes didnt apply (in some sort of copy on write scenario), but neither of these are the case. Im not exactly an expert on debuggers and memory architecture though.
Does anybody have an idea what could cause this behavoir? I don't really know where to start looking for something like this. |
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 458
Joined: 09 May 2003
Posts: 25295
Location: The netherlands
|
| Posted: Sat Aug 18, 2018 12:55 am Post subject: |
|
|
have you tried kernelmode memory access?
or tried unmapping the view and then map a new one with the same contents there ? (check lua)
or if your system is fast enough you can try dbvm memory cloaking and then edit the page using page replacements
or if nothing works, check the physical address of the memory you're changing (requires kernelmode memory access) and then open the [Physical memory] process and edit it there
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Corruptor
Advanced Cheater
![]() Reputation: 3
Joined: 10 Aug 2011
Posts: 82
|
| Posted: Sat Aug 18, 2018 11:18 am Post subject: |
|
|
| Dark Byte wrote: | | have you tried kernelmode memory access? |
If you mean settings -> extra -> CE Kernel routines for read/write process memory: yes, i have tried them, but it didnt work either
| Dark Byte wrote: | | or tried unmapping the view and then map a new one with the same contents there ? (check lua) |
I had to guess a few parameters as the documentation i found didnt list parameters, so correct me if im wrong, but this is the script i came up with:
| Code: | weBase = 0x146953D
weSize = 0xA50000
-- make copy of section
weCopy = allocateMemory(weSize)
print(weCopy)
--copyMemory(weCopy, weBase, weSize) --doesnt work
--copyMemory(weBase, weSize, weCopy) --doesnt work either
--read test (worked, so we do it manually)
--intTest = readInteger(weBase)
--writeInteger(weCopy, intTest)
for i=0, weSize, 8
do
copyVal = readQword(weBase+i)
writeQword(weCopy+i, copyVal)
end
--create new section
testhandle = createSection(weSize)
--do replacing. i wonder if this leaks a section somehow
unMapViewOfSection(process, weBase)
mapViewOfSection(testhandle, process, weBase, weSize)
--copy saved content into new section
--copyMemory(weCopy, weSize, weBase)
for i=0, weSize, 8
do
copyVal = readQword(weCopy+i)
writeQword(weBase+i, copyVal)
end |
I executed this script with the process suspended (because it took about a minute or two to execute), and after it executed i could indeed write to memory again - once i unsuspended the process died though.
Does that mean that there is some sort of section table (on top of the page table?) that can be set to make a section unwriteable? If so, can one observe the table somehow?
| Dark Byte wrote: | | or if your system is fast enough you can try dbvm memory cloaking and then edit the page using page replacements |
Im afraid you lost me here. I found a lua function, but the way you word that it sounds like its supposed to be a system wide setting. mind explaining it a little more in-depth? |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
