ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Mon Jul 06, 2020 6:28 am Post subject: Code injection to bluestack's game crashes the game
Hello,
I am a bluestack (android) newbie reverse engineer.
For some reason, the simplest code injection on my bluestack program crashes the game.
This picture is just for the sake of showing code should not affect program behaviour. The code replaced by jump was already 5 bytes large.
The injection is done with CE 7.1 on windows 10 x64.
The reason I do not use CE with ceserverx86 is that whenever I do code injection on bluestacks, cheat engine becomes unable to write any memory in the game *only when using CE server connect to rooted android device with ceserverx86*.
1st question) Does code injection through ceserver supposedly work with android devices?
2nd question) Do you have any idea why the android game crashes (not bluestack itself) when I inject to it from CE windows using process target (and not through ceserver) ("empty code injection", i.e. ctrl+c ctrl+i and execute)?
For question 2) I should add that this seemingly isn't due to any memory integrity check because the game keeps running fine after code injection unless I start to click around (in which case I am confident the injected code gets executed).
PS: long time since I last came to this forum... Long live DarkByte and the amazing toys he keeps feeding us.
Edit:
My research leads me to believe that the code being disassembled by CE (be it by ceserver or by regular CE windows use on bluestacks) is wrong.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25296 Location: The netherlands
Posted: Mon Jul 06, 2020 1:26 pm Post subject:
when you attach to bluestacks instead of using ceserver you are looking at physical memory of the android system
the memory at 7bf36000 to 7bf36fff may belong to the process you're looking at, but that is no guarantee that any other address belongs to it (depends on the virtual to physical memory paging in the android paging system)
unless you manually adjusted the pagetable of the process to map that physical address to a virtual address at exactly the same distance that is not going to work
In short: You can not do memory allocations in emulators unless you do it from within. And for that ce needs to have the functional ceserver extension .so and still no guarantee it works
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Tue Jul 07, 2020 2:01 am Post subject:
Dark Byte wrote:
when you attach to bluestacks instead of using ceserver you are looking at physical memory of the android system
the memory at 7bf36000 to 7bf36fff may belong to the process you're looking at, but that is no guarantee that any other address belongs to it (depends on the virtual to physical memory paging in the android paging system)
unless you manually adjusted the pagetable of the process to map that physical address to a virtual address at exactly the same distance that is not going to work
In short: You can not do memory allocations in emulators unless you do it from within. And for that ce needs to have the functional ceserver extension .so and still no guarantee it works
Thanks, that explains it.
I do have the .so server extension, however injecting code from within still fails.
However one solution could be to scan for a code cave (from within, with ce server) and use it to inject code.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25296 Location: The netherlands
Posted: Tue Jul 07, 2020 2:31 am Post subject:
A codecave from within is possible, but you will have to write the relative jump manually
e.g.:
7b36000 might be at virtual address 00400000 of the target process
7001000 might be at virtual address 00401000 of the target process
So if you do a code injection with CE, and you do somehow find the physical address of the memory of the process, the jump distance has to be calculated properly. CE will fail because it will go based on the 7001000 and 7b35000 while in reality it's just between 00400000 and 00401000
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
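Dark Byte's point about the jump distance can be checked numerically: an E9 `jmp rel32` encodes the signed distance from the end of the jump instruction to the target, so the displacement has to be computed in the address space the guest CPU actually executes in (virtual), not in the address space a host-side tool happens to be reading (physical). The Python below is an added example, not code from the thread or from Cheat Engine. It uses the virtual addresses (00400000 / 00401000) and physical addresses (7b36000 / 7001000) quoted in the post above and assumes a 32-bit guest address space, matching the x86 target discussed in the thread; the names of the functions are my own.

```python
import struct

JMP_REL32_OPCODE = 0xE9
JMP_REL32_LEN = 5  # one opcode byte + 4-byte little-endian signed displacement


def rel32_displacement(source: int, target: int) -> int:
    """Signed displacement for an E9 jmp placed at `source` that should land on `target`.

    The CPU adds the displacement to the address of the *next* instruction,
    i.e. source + 5, so the distance is measured from there.
    """
    disp = target - (source + JMP_REL32_LEN)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target is out of rel32 range")
    return disp


def encode_jmp_rel32(source: int, target: int) -> bytes:
    """The 5 bytes a tool would write at `source` to jump to `target`."""
    return bytes([JMP_REL32_OPCODE]) + struct.pack("<i", rel32_displacement(source, target))


def decode_jmp_rel32(code: bytes, executed_at: int) -> int:
    """Where a 5-byte E9 jmp actually lands when the guest CPU executes it at `executed_at`.

    The result is masked to 32 bits because the guest is assumed to be a 32-bit process.
    """
    if len(code) != JMP_REL32_LEN or code[0] != JMP_REL32_OPCODE:
        raise ValueError("not an E9 rel32 jmp")
    (disp,) = struct.unpack("<i", code[1:])
    return (executed_at + JMP_REL32_LEN + disp) & 0xFFFFFFFF


# Addresses taken from the post above: the hooked page and the code cave as the
# guest process sees them (virtual) and as the host-side tool sees them (physical).
VIRT_HOOK = 0x00400000
VIRT_CAVE = 0x00401000
PHYS_HOOK = 0x07B36000
PHYS_CAVE = 0x07001000


def jump_computed_from(hook: int, cave: int) -> tuple[bytes, int]:
    """Encode the jmp using whichever address space the tool works in, then report
    where it really lands once the guest executes those bytes at VIRT_HOOK."""
    code = encode_jmp_rel32(hook, cave)
    return code, decode_jmp_rel32(code, VIRT_HOOK)


if __name__ == "__main__":
    for label, hook, cave in (("virtual", VIRT_HOOK, VIRT_CAVE),
                              ("physical", PHYS_HOOK, PHYS_CAVE)):
        code, lands = jump_computed_from(hook, cave)
        ok = "ok" if lands == VIRT_CAVE else "WRONG (crash)"
        print(f"{label:8s} bytes={code.hex()} lands at {lands:#010x} -> {ok}")
```

Computed from virtual addresses the jump is `E9 FB 0F 00 00` and lands on the cave at 00401000; computed from the physical addresses the displacement is negative and the guest jumps to an unmapped address, which matches the crash-on-execution the original poster describes.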