Burningmace (Grandmaster Cheater, Reputation: 5, Joined: 17 Feb 2008, Posts: 520, Location: Inside the Intel CET shadow stack)
Posted: Sun Jun 13, 2021 8:50 am
Post subject: Groupscan values for valid pointers & inequalities
Something I've been running into a lot recently is scanning for structures where the values are mostly unknown, but some of them are known to be valid pointers into memory.
For example, I know an application has the following sequential fields in a struct related to GC:
Code:
    struct gc_state {            /* enclosing struct name is an assumption; fields as posted */
        uint8_t** markList;      /* 8 bytes on x64, pointer */
        uint8_t** markListCopy;  /* 8 bytes, pointer */
        size_t markListSize;     /* 8 bytes, expected to be well under 16 MB */
        bool markListOverflow;   /* 1 byte, padded out to the next 8-byte boundary */
        segment_t* segmentTable; /* 8 bytes, pointer */
    };
In the current implementation this isn't something I can groupscan for, since all I know is that there are two 64-bit pointers, a size_t whose value is likely to be under 16MB, a bool with the value false (padded to a 64-bit boundary), and another 64-bit pointer. So the best I can do is wildcard with 8:* 8:* 8:* 8:0 8:*, which is obviously not useful here.
It'd be really helpful if groupscan fields could scan for valid pointers and inequalities. Then I could do something like 8:P 8:P 8:<0xFFFFFF 8:0 8:P and have a much greater chance of finding the struct. Having the ability to specify static/mapped vs. dynamic pointers (e.g. SP / DP) would be a nice value-add, but that's not critical.
I'm sure there's already some implementation inside CE for checking valid pointers, but if using that implementation in a scanning context is problematic a quick and dirty approach would be to just grab the memory regions at the start of the scan (MEMORY_BASIC_INFORMATION or whatever) and check if the scanned value points inside any of the ranges there.
Alternatively, is there some other feature of CE that can already do this? Groupscan certainly seems like the most obvious and convenient approach but I might be missing something.
_________________
It's not fun unless every exploit mitigation is enabled.
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25291, Location: The Netherlands)
Posted: Sun Jun 13, 2021 9:20 am
I'll look into it.
But you can use a custom type (Lua type) with size 40 bytes for this, which returns 1 on match and 0 on no match, and then scan for the value 1.
In the type, then check if readInteger returns nil for the values inside.
(Will be slow.)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Burningmace (Grandmaster Cheater)
Posted: Tue Jun 15, 2021 8:31 am
Thanks. I think I'd need to spend a bit of time learning the Lua scripting stuff to get that working, but I'll give it a go.
Would definitely appreciate it if you can take a look at the groupscan stuff!
Dark Byte (Site Admin)
Posted: Tue Jun 15, 2021 9:13 am
It's implemented on GitHub (p:* will find valid pointers).
Burningmace (Grandmaster Cheater)
Posted: Sat Jun 19, 2021 5:35 am
Excellent! Thanks for the quick turnaround on this.
EDIT: Based on your changes I opened a PR to add support for static/dynamic pointers as well as just any pointer. https://github.com/cheat-engine/cheat-engine/pull/1654
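The following is an added example, not code from the thread, from Cheat Engine, or from the linked PR. It shows the matching logic behind the opening post's proposal (fields that must be valid pointers or satisfy an inequality, checked against a region table captured once at the start of the scan, as the "quick and dirty" MEMORY_BASIC_INFORMATION approach describes) and goes one step further by distinguishing static (image/mapped) from dynamic (private) pointers as the SP/DP PR proposes. The field syntax is the one from the opening post (8:P, 8:SP, 8:DP, 8:<0xFFFFFF), not the p:* syntax Cheat Engine merged; the region table, the sample memory, the addresses and the 8-byte scan alignment are all constructed for the example, and the struct name is assumed.

```python
import operator
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

# Region type values as reported in MEMORY_BASIC_INFORMATION.Type (real Win32 constants).
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000


@dataclass(frozen=True)
class Region:
    """One committed region, captured once at the start of the scan."""
    base: int
    size: int
    mem_type: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed region table (hypothetical addresses): an image, a mapped file, a private heap.
REGIONS = [
    Region(0x140000000, 0x200000, MEM_IMAGE),
    Region(0x7FF700000000, 0x100000, MEM_MAPPED),
    Region(0x1A2B3C40000, 0x4000000, MEM_PRIVATE),
]


def pointer_class(value: int, regions) -> Optional[str]:
    """'S' if value lands in an image/mapped (static) region, 'D' if it lands in a
    private (dynamic) region, None if it points at nothing that is mapped."""
    for r in regions:
        if r.contains(value):
            return "D" if r.mem_type == MEM_PRIVATE else "S"
    return None


@dataclass(frozen=True)
class Field:
    size: int
    kind: str    # 'wild', 'ptr' or 'cmp'
    arg: object  # None, 'P'/'SP'/'DP', or (operator, number)


_OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
        "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def parse_pattern(text: str) -> List[Field]:
    """Parse 'size:spec' tokens, e.g. '8:P 8:P 8:<0xFFFFFF 8:0 8:P'."""
    fields = []
    for tok in text.split():
        size_s, spec = tok.split(":", 1)
        size = int(size_s)
        if size not in (1, 2, 4, 8) or not spec:
            raise ValueError(f"bad field {tok!r}")
        if spec == "*":
            fields.append(Field(size, "wild", None))
        elif spec in ("P", "SP", "DP"):
            if size != 8:  # assumption: 64-bit target, so pointers are 8 bytes
                raise ValueError(f"pointer fields must be 8 bytes: {tok!r}")
            fields.append(Field(size, "ptr", spec))
        else:
            m = re.fullmatch(r"(<=|>=|!=|<|>|=)?(.+)", spec)
            fields.append(Field(size, "cmp", (m.group(1) or "=", int(m.group(2), 0))))
    return fields


def field_matches(field: Field, value: int, regions) -> bool:
    if field.kind == "wild":
        return True
    if field.kind == "ptr":
        cls = pointer_class(value, regions)
        return cls is not None and (field.arg == "P" or field.arg[0] == cls)
    op, num = field.arg
    return _OPS[op](value, num)


def scan(buffer: bytes, base: int, pattern: str, regions, alignment: int = 8) -> List[int]:
    """Return the address of every match of pattern in buffer (read from address base)."""
    fields = parse_pattern(pattern)
    total = sum(f.size for f in fields)
    hits = []
    for off in range(0, len(buffer) - total + 1, alignment):
        pos, ok = off, True
        for f in fields:
            value = int.from_bytes(buffer[pos:pos + f.size], "little")
            if not field_matches(f, value, regions):
                ok = False
                break
            pos += f.size
        if ok:
            hits.append(base + off)
    return hits


# Constructed sample memory (not a real dump): two decoys that survive a pure wildcard
# scan, then the genuine struct with the five-field layout from the opening post.
SAMPLE_BASE = 0x1A2B3C40000  # lies inside the private heap region above


def build_sample() -> bytes:
    layout = "<QQQQQ"  # markList, markListCopy, markListSize, markListOverflow (padded), segmentTable
    decoy_bad_ptr = struct.pack(layout, 0xDEADBEEF, 0x1A2B3C60000, 0x20000, 0, 0x140012340)
    decoy_big_size = struct.pack(layout, 0x1A2B3C50000, 0x1A2B3C60000, 0x10000000, 0, 0x140012340)
    genuine = struct.pack(layout, 0x1A2B3C50000, 0x1A2B3C60000, 0x20000, 0, 0x140012340)
    return b"\x11" * 16 + decoy_bad_ptr + decoy_big_size + genuine + b"\x00" * 24


if __name__ == "__main__":
    mem = build_sample()
    for pat in ("8:* 8:* 8:* 8:0 8:*", "8:P 8:P 8:<0xFFFFFF 8:0 8:P", "8:DP 8:DP 8:<0xFFFFFF 8:0 8:SP"):
        print(f"{pat:32} -> {[hex(a) for a in scan(mem, SAMPLE_BASE, pat, REGIONS)]}")
```

On the constructed sample the wildcard pattern from the opening post reports five candidates, the pointer-aware pattern narrows that to the single genuine struct at SAMPLE_BASE + 96, and the SP/DP variant still finds it because both mark lists live in the private heap while segmentTable points into the image. Capturing the region table once, as the post suggests, is what keeps the per-value check to a short linear (or, for a sorted table, binary) search rather than a memory query per candidate.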