CassiOwOpeia Newbie cheater
Reputation: 0
Joined: 29 Nov 2018 Posts: 18 Location: France
Posted: Sat Aug 12, 2023 12:55 am Post subject: About integrity check error and optimisation
Hi,
So I saw the video on Cheat Engine's YouTube channel about the integrity check error. I'm still learning and trying to understand what the code does. So I copy-pasted the code that he created, and, because I saw that newmem was the same for all three addresses, I thought that we could just use one newmem for the three addresses.
I was very quickly disarmed, before thinking of the eib and rib registers, as well as the CALL and RET instructions. So here's the "cleaned up" code.
I would like your opinions on whether this is a good way to go about it, and whether something is missing to make the code even better and more optimized (I am already aware that it would be necessary to store the bytes in order to rewrite them to the addresses when disabling the script, but I don't know how to do that yet).
I'd love to know your opinions on this!
Code:
```
[ENABLE]
{$lua}
-- make one pristine copy of the module the first time the script is enabled
if addressOfCopy==nil then
  addressOfCopy=copyMemory(getAddress(process), getModuleSize(process))
end
{$asm}
alloc(newmem,2048,"gtutorial-x86_64.exe"+38E8F)
alloc(addressModuleBase,8,"gtutorial-x86_64.exe"+38E8F)
alloc(addressModuleEnd,8,"gtutorial-x86_64.exe"+38E8F)
alloc(addressCopyBase,8,"gtutorial-x86_64.exe"+38E8F)
addressModuleBase:
dq $process
addressModuleEnd:
dq $process+getModuleSize(process) // first byte PAST the module (exclusive bound)
addressCopyBase:
dq $addressOfCopy
label(originalcode)
label(exit)
newmem:
push rax
lea rax,[r9+rcx*2]            // effective address the original movzx reads from
cmp rax,[addressModuleBase]
jb originalcode               // below the module: read as normal
cmp rax,[addressModuleEnd]
jae originalcode              // at or past the end: read as normal (end is exclusive, so jae, not ja)
sub rax,[addressModuleBase]   // offset inside the module...
add rax,[addressCopyBase]     // ...becomes the same offset inside the copy
movzx ecx,word ptr [rax]
jmp exit
originalcode:
movzx ecx,word ptr [r9+rcx*2]
exit:
pop rax
ret                           // returns to the address pushed by the call below
"gtutorial-x86_64.exe"+38E8F:
call newmem
"gtutorial-x86_64.exe"+38E4F:
call newmem
"gtutorial-x86_64.exe"+38DFF:
call newmem
[DISABLE]
dealloc(*)
"gtutorial-x86_64.exe"+38E8F:
movzx ecx,word ptr [r9+rcx*2] //db 41 0F B7 0C 49
"gtutorial-x86_64.exe"+38E4F:
movzx ecx,word ptr [r9+rcx*2] //db 41 0F B7 0C 49
"gtutorial-x86_64.exe"+38DFF:
movzx ecx,word ptr [r9+rcx*2] //db 41 0F B7 0C 49
```
Also, I don't know if it's possible to regroup these instructions:
Code:
```
"gtutorial-x86_64.exe"+38E8F:
movzx ecx,word ptr [r9+rcx*2] //db 41 0F B7 0C 49
"gtutorial-x86_64.exe"+38E4F:
movzx ecx,word ptr [r9+rcx*2] //db 41 0F B7 0C 49
"gtutorial-x86_64.exe"+38DFF:
movzx ecx,word ptr [r9+rcx*2] //db 41 0F B7 0C 49
```
Into something like this:
Code:
```
"gtutorial-x86_64.exe"+38E8F:
"gtutorial-x86_64.exe"+38E4F:
"gtutorial-x86_64.exe"+38DFF:
movzx ecx,word ptr [r9+rcx*2] //db 41 0F B7 0C 49
```
It is just an example of what I mean by regrouping!
New edit:
I thought about regrouping the three allocations like this:
Code:
```
alloc(addressModule,18,[…])
addressModule:
dq $process, $process+getModuleSize(process), $addressOfCopy
```
So the instructions would become:
Code:
```
cmp rax,[addressModule]
cmp rax,[addressModule+8]
sub rax,[addressModule]
add rax,[addressModule+10]
```
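A small Python model of what newmem does with the address, added here as an example; it is not code from the post or from Cheat Engine, and the base, size and copy addresses are constructed sample values. It mirrors the lea/cmp/sub/add sequence and shows why addressModuleEnd has to be treated as an exclusive bound: with `ja` the end address itself is relocated to one past the copy, and a 2-byte read at the last module byte straddles the copy's end either way.

```python
# Added example (not from the post or from Cheat Engine): a Python model of the
# range check and relocation done in newmem. All addresses are constructed
# sample values, not real addresses from gtutorial-x86_64.exe.
MASK64 = (1 << 64) - 1
MODULE_BASE = 0x7FF600000000            # constructed: value at addressModuleBase
MODULE_SIZE = 0x40000                   # constructed: getModuleSize(process)
MODULE_END = MODULE_BASE + MODULE_SIZE  # addressModuleEnd: first byte PAST the module
COPY_BASE = 0x100000000                 # constructed: addressOfCopy


def lea(r9, rcx):
    """lea rax,[r9+rcx*2] with 64-bit wraparound."""
    return (r9 + rcx * 2) & MASK64


def translate(addr, inclusive_end=False):
    """Address the hook actually reads from.

    inclusive_end=False models 'jae originalcode' (end is exclusive);
    inclusive_end=True models the 'ja originalcode' variant, which treats
    addr == MODULE_END as still inside the module.
    """
    if addr < MODULE_BASE:                      # jb originalcode
        return addr
    past_end = addr > MODULE_END if inclusive_end else addr >= MODULE_END
    if past_end:                                # ja / jae originalcode
        return addr
    return addr - MODULE_BASE + COPY_BASE       # sub base, add copy


def redirected_read_in_copy(addr, width=2, inclusive_end=False):
    """For a read the hook redirects, report whether all `width` bytes fall
    inside the copy [COPY_BASE, COPY_BASE+MODULE_SIZE). None if not redirected."""
    target = translate(addr, inclusive_end)
    if target == addr:
        return None
    return COPY_BASE <= target and target + width <= COPY_BASE + MODULE_SIZE
```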
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4710
Posted: Sat Aug 12, 2023 11:54 am Post subject:
eib/rib should be eip/rip
The reason why most code injections use jmp instead of call is to not screw up the stack. You'll need to account for the return address that was implicitly pushed onto the stack whenever you access the stack in the code injection.
If your injection calls anything else, it's also more of a pain to adhere to calling conventions. See the Windows 64-bit calling conventions for details as to why.
No, you can't "regroup" instructions like that.
Regrouping those three allocations is just stupid. You lose information on what each value is.
Shorter code doesn't mean better code. It's far more important that the code can be read easily.
_________________
I don't know where I'm going, but I'll figure it out when I get there.