Bluestacks AOB Alloc pointer problem

Rotschild
How do I cheat?
Reputation: 0

Joined: 23 Jul 2012
Posts: 4

PostPosted: Fri Nov 08, 2019 7:33 pm    Post subject: Bluestacks AOB Alloc pointer problem Reply with quote

I have a problem with an AOB AutoAssembler script and BlueStacks memory.

I want to create a jump to a new memory region allocated by the AOB script (Pic1). It works fine in the CT Memory Viewer that is outside BlueStacks (Pic2), but when I look at what the script has done in the CT Memory Viewer from inside BlueStacks (ceserver_x86), I see some crazy jump to nowhere (Pic3). And as a result, the app crashes.

I assume this is an Alloc problem. BlueStacks has its own virtual address table inside itself. How can I fix it?



[Attachment: CheatEnginePic1.jpg]

[Attachment: CheatEnginePic2.jpg]

[Attachment: CheatEnginePic3.png]


Dark Byte
Site Admin
Reputation: 372

Joined: 09 May 2003
Posts: 21974
Location: The netherlands

PostPosted: Sat Nov 09, 2019 1:06 am    Post subject: Reply with quote

From outside bluestacks you are working on the physical memory of the android device, not on the virtual memory of the process running inside the android device.

You need to do the alloc from inside ceserver. Which will require the extension module to get injected into the target first (sometimes the inject works fine, but I never tested that on bluestacks)

Then do the jmp from inside ceserver as well, else the jump distance is wrong, as virtual memory is randomized over physical memory in 4096 byte blocks

-

else find a codecave inside the target process and use an aob to find that.
Then build the jmp yourself using the virtual address of origin and destination

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
Doraneko
How do I cheat?
Reputation: 0

Joined: 22 Jul 2018
Posts: 6
Location: Japan Tokyo

PostPosted: Sat Nov 09, 2019 3:13 pm    Post subject: Reply with quote

ceserver's so injection is a little unstable.
Load libceserver-extension_x86.so directly embedded in apk (like frida-gadget).
Or you can inject the so file with frida.

I have confirmed that CE AutoAssemble works correctly with NoxAppPlayer using the above method.
nadinemagazine
How do I cheat?
Ban
Reputation: 0

Joined: 09 Nov 2019
Posts: 0

PostPosted: Sat Nov 09, 2019 3:18 pm    Post subject: thank you Reply with quote

thanks
_________________
Rawshna.
Rotschild
How do I cheat?
Reputation: 0

Joined: 23 Jul 2012
Posts: 4

PostPosted: Wed Nov 13, 2019 10:32 pm    Post subject: Reply with quote

Dark Byte wrote:
From outside bluestacks you are working on the physical memory of the android device, not on the virtual memory of the process running inside the android device.

You need to do the alloc from inside ceserver. Which will require the extension module to get injected into the target first (sometimes the inject works fine, but I never tested that on bluestacks)

Then do the jmp from inside ceserver as well, else the jump distance is wrong, as virtual memory is randomized over physical memory in 4096 byte blocks

-

else find a codecave inside the target process and use an aob to find that.
Then build the jmp yourself using the virtual address of origin and destination

Actually, ceserver extension injection is not working on Bluestacks, and not even on Nox.
Unfortunately, there are no 4kb codecaves near my target code. I think I will Ret some unused nearby function and use the flesh of that function as a donor.


Doraneko wrote:
ceserver's so injection is a little unstable.
Load libceserver-extension_x86.so directly embedded in apk (like frida-gadget).
Or you can inject the so file with frida.

I have confirmed that CE AutoAssemble works correctly with NoxAppPlayer using the above method.


Installing Frida was a real pain in the ass.
How do you inject a .so library with Frida? There is no frida-inject in the windows-python-pip version. Only frida, frida-trace, frida-ps.

Interesting application. But for some reason, "frida-trace -U -f MYAPP -i SSLRead" doesn't give me any results (no handler was generated). It's a pity (( I have tried for years to see what is being sent in SSL traffic on Android (with no cert pinning bypass).
Doraneko
How do I cheat?
Reputation: 0

Joined: 22 Jul 2018
Posts: 6
Location: Japan Tokyo

PostPosted: Fri Nov 15, 2019 8:45 am    Post subject: Reply with quote

I verified with a common so file injection program.
(x86 program => x86 program)
Nox 4.4.2: Failure
Nox 5.1.1: Success
Nox 7.1.2: Failure

(x86 program => ARM program)
In the above case, an emulator hooking library called 「EHook」 is used.

I also succeeded with Nox 5.1.1 by modifying the ceserver program. But I didn't know why this was successful.

In Frida, if you implement a script that invokes dlopen, it is possible in Nox 5.1.1.
Rotschild
How do I cheat?
Reputation: 0

Joined: 23 Jul 2012
Posts: 4

PostPosted: Fri Nov 15, 2019 3:59 pm    Post subject: Reply with quote

Doraneko wrote:
I verified with a common so file injection program.
(x86 program => x86 program)
Nox 4.4.2: Failure
Nox 5.1.1: Success
Nox 7.1.2: Failure

(x86 program => ARM program)
In the above case, an emulator hooking library called 「EHook」 is used.

I also succeeded with Nox 5.1.1 by modifying the ceserver program. But I didn't know why this was successful.

In Frida, if you implement a script that invokes dlopen, it is possible in Nox 5.1.1.


I thought there were easier and more stable ways :)
Whatever, thanks.