Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Need help with DBVM/What writes to this address

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Discussions
View previous topic :: View next topic  
Author Message
lyaniku
Newbie cheater
Reputation: 0

Joined: 26 Aug 2017
Posts: 14

PostPosted: Tue Jun 04, 2019 8:36 am    Post subject: Need help with DBVM/What writes to this address Reply with quote

Hello,

I am trying to figure out where code is written/generated from in a game.
The game that's only running in Usermode generates some code at runtime that I am interested in how it's generated. It's likely happening in one of their TLS callbacks, so my current attempt with Cheat Engine was the following:

1) Start the process and look at what VA the code is when it's generated
2) Restart the game and verify that it always is at the same VA
3) Start the process suspended
4) DBVM Look what writes to this address/VA from above
5) Resume process

Even though I see in the Memory viewer how the bytes at the address change (how the data turns into the code) - there is nothing logged in the DBVM window.

On the other hand, if I look what Reads or Writes to this address, I am getting some results with the same Method. All the read accesses happen before the code is generated though.

So it seems like there is no direct write to that location, my questions are now the following:

1) What other ways has a Ring3 game to put code onto that location, that does not get caught by DBVM?

2) What ways do I have accordingly to still catch it?

I also attached 2 screenshots, 1 from suspended state, and 1 when the process is loaded.

Oh and the code does definitely not exist in that form directly, a pattern scan doesn't find it and the code is different for every pc too.

Thanks everyone!



after.png
 Description:
when process is loaded.
 Filesize:  17.7 KB
 Viewed:  762 Time(s)

after.png



before.png
 Description:
in CREATE_SUSPENDED state.
 Filesize:  17.78 KB
 Viewed:  762 Time(s)

before.png


Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 371

Joined: 09 May 2003
Posts: 21921
Location: The netherlands

PostPosted: Tue Jun 04, 2019 8:48 am    Post subject: Reply with quote

Does the PA of the VA change between starting it suspended and after resuming?

Because DBVM watches the PA for writes

e.g it could be triggering a COW or even remapping a region

And try the kernelmode debugger interface and then find what writes (not the DBVM one, though you need DBVM to prevent windows from BSODing)
(Won't catch remaps but will catch COW writes)

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
lyaniku
Newbie cheater
Reputation: 0

Joined: 26 Aug 2017
Posts: 14

PostPosted: Tue Jun 04, 2019 9:07 am    Post subject: Reply with quote

I tried using the kernelmode debugger and look what writes to this address, no result again.

The page does change, I attached 2 screenshots again of before and after loaded.

What do you mean with it could trigger a COW? I don't know what COW means, I'm at beginner level when it comes to kernel mode, Paging.

I know that they are remapping their module with PAGE_EXECUTE_READ and SEC_NOCHANGE.

I don't know enough however, to know how that stops CE from detecting the write. Would CE detect it if they were using NtWriteVirtualMemory for example?



after_.png
 Description:
loaded.
 Filesize:  10.52 KB
 Viewed:  751 Time(s)

after_.png



before_.png
 Description:
suspended
 Filesize:  28.07 KB
 Viewed:  751 Time(s)

before_.png


Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 371

Joined: 09 May 2003
Posts: 21921
Location: The netherlands

PostPosted: Tue Jun 04, 2019 9:40 am    Post subject: Reply with quote

Look at the PA, not the VA (PA is shown in the hexview header)

COW is copy on write. It causes windows to allocate a new PA for the region, and copy the contents to there

As for CE not detecting it, is because they aren't writing to the memory.
They just swap the pagetable entry with a new address that contains the memory

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
lyaniku
Newbie cheater
Reputation: 0

Joined: 26 Aug 2017
Posts: 14

PostPosted: Tue Jun 04, 2019 9:49 am    Post subject: Reply with quote

The physical address does change, yes (1ca6a3894 -> bdced894).

Okay that makes sense now that DBVM doesn't catch it to me. And if KM CE catches COW but not remapping, then it has to be remapped... I guess?!
I will try to patch an EB FE after the remapping tomorrow then, and attach CE after.

If anyone has different suggestions on what I can try please reply, I also don't know if the game will just let me do what I said above and how much trouble it will be to make it let it do.
Back to top
View user's profile Send private message
lyaniku
Newbie cheater
Reputation: 0

Joined: 26 Aug 2017
Posts: 14

PostPosted: Tue Jun 11, 2019 11:51 am    Post subject: Reply with quote

Btw. it turned out to be very easy with this information Dark Byte.

I just had to hw:bp ntdll.ZwMapViewOfSection and press F9 and watched the PA until change, and then DBVM what writes to this address returned the repe movsb.

Thanks again.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Discussions All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites