Cheat Engine

denyMe · How do I cheat? Reputation: 0 Joined: 08 Jul 2013 Posts: 6

DB, is it possible to redirect eip when it rich some address in the process? (without code modification)

Dark Byte · Posted: Mon Jul 08, 2013 12:16 pm Post subject:

you could try a breakpoint that when hit changes EIP (there's a specific "Change reg on breakpoint" breakpoint type for that)
Or you could apply the same method of stealthedit in kernelmode , mark the page entry as non executable(pagefaults are hookable with dbvm) That requires the ability to write drivers yourself though

Or you could get the dbvm source and implement PET, so you can mark physical memory as non executable and capture it inside dbvm completly outside of the os
Actually, you can configure it to break on read and write the page, but NOT on execute, so you can modify the code as much as you want, and when the integrity check reads it, it breaks, and you modify it to read a copy, at the exact same spot

(there are other methods though, like a modified ultimap where the buffersize is only big enough for 1 branch, so each branch taken causes an interrupt, so you can catch it that way, but not very accurate, unless the instruction is directly jumped to)

denyMe · How do I cheat? Reputation: 0 Joined: 08 Jul 2013 Posts: 6

Dark Byte · Posted: Tue Jul 09, 2013 2:01 pm Post subject:

Interracting with dbvm can even be done from usermode, but the problem with interrupts is that they execute in the context of another process, so your code must be present in kernelmode, which is where a driver comes in to play (you could use dbvm to raise prilvilege to ring0 so you can allocate kernel memory and copy your own interrupt handler to there, but that's just ugly)

You can use ce's driver, but you must compile it yourself and then either boot with unsigned driver support, or sign the driver yourself. The one that comes with CE(64-bit) does not allow it to be controlled by any other program besides cheatengine itself

denyMe · How do I cheat? Reputation: 0 Joined: 08 Jul 2013 Posts: 6

OK. I had some experience of compiling and debbuging drivers. What i should pass in parametrs to IOCTL_CE_USERDEFINEDINTERRUPTHOOK
interruptnumber - 14 (page fault)
What next?

I would call ring3 code by APC. Is APC fast enough to call it every single frame to draw some stuff? (I really don't want debug entire cheat code in kernel)

Dark Byte · Posted: Tue Jul 09, 2013 3:57 pm Post subject:

I don't recommend using the userdefined interrupthook unless you actually inject your own code into the kernel.

I suggest writing the int14 handler inside the driver itself
Then use inthook_HookInterrupt(14, kernelmodecs (0x8 for 32-bit, 0x10 for 64-bit), addressofyourint14hook, &addressofjumpbackobject)

Look at the int1 interrupt stuff for some ideas on the interrupt entrypoint, but in your case it shouldn't be that complex

When setup, make a copy of the module (or a few pages and manually modify all the relative eip addressing instruction...)
And mark the page that has the code you wish to hook as non executable. (either the normal VirtualProtectEx api call, or modify the pagetable entry directly)

Then when a pagefault occurs, your interrupt handler will get called (remember, it will get called for EVERY pagefault in the system, including those you don't want and those of other processes)

To filter that check if the value of CR2 is inside your non-executable page, and the errorcode signals that it's a fault due to an execution protection violation, then adjust the EIP/RIP in the stackframe to your copy that is executable, and return. (iretq)

If not, call the "jumpback" so windows will handle the pagefault normally

And in your copy, (which runs in usermode) you can do your normal hooks and draw operations

denyMe · How do I cheat? Reputation: 0 Joined: 08 Jul 2013 Posts: 6

I understood that thing what i said about APC is a little dummy =)

Summary:
All i need is create a driver which filtering faults and adjusting EIP(32-bits in my case) to VA of my version of copied-hooked function then do iretq.

Copying might be a problem because function is much complex as a module.

Why i can't just change rights back to executable, call it and again change rights to non executable?

If i do this i'll send it to you because would be much easier to hook something with dbvm if DBK would be handle hooking exeptions itself without any additional drivers.

Dark Byte · Posted: Tue Jul 09, 2013 5:44 pm Post subject:

Thats why i recommend a full module copy so relative jumps will work without a problem and direct memory references still point to the old data(which is what you want), so no need to do slow switching back and forth
But yes, you could do it all step by step.
Pf->setto executable+set tf(single step). Wait for int1, change protectionhe whole page (4096 bytes) is non executable, you will immediately get a new PF and do the same. (Slow) if you can just execute the code without singe stepping it's a lot faster

Dbk does already support doing stuff without the driver loadedr, but it wasn't made as an interrupt handler
When you boot up the system with dbvm and launch ce, it will give you the option to force the driver to load in memory(if it's unsigned and you forgot to press f Cool

. You could use a similar approach to load your int14 handler in kernelmode

denyMe · How do I cheat? Reputation: 0 Joined: 08 Jul 2013 Posts: 6

Disasm engine could help. I should copy all 4096 bytes(with whole last function) since hooked function entry point. Change relative jumps and calls. Redirect page faults to them(with shifting if its not hooked function). Tomorrow i will try to implement knowledge that you given me.

Many thanks

Dark Byte · Posted: Tue Jul 09, 2013 7:31 pm Post subject:

4096 works, but I still recommend the whole module copy (just one page non executable, but have the whole module as fallback)

for example, 00450009 might contain a short jump to 0044fff0
that can be encoded using 2 bytes, but if it's relocated to a different page, and you reassemble it, it needs 5 bytes

you could make it jump to the page before, and there have a big version jump to the relative location, but you may still come into problem if two jump destinations come close

For a 1 page copy I recommend a more complex method. First follow every possible entry point into that page and reassemble every path separately..
Then in the redirector check what EIP is and which path should be jumped to

denyMe · How do I cheat? Reputation: 0 Joined: 08 Jul 2013 Posts: 6

What do you think about bypassing PG by handling VMX_VMEXIT_RDMSR and hooking MSR(176h)?

Dark Byte · Posted: Wed Jul 10, 2013 6:44 pm Post subject:

Not sure how patchguard can be can be bypassed with editing the value of an msr. (Memory integrity checks still happen)

If you mean adjusting the syscall msr so it points to your function then that's already implemented in dbvm. Check vmcall.h for the command number to set that up. (I don't think i implemented that for the amd version though,so intel only for now)

Edit: ah yes, 176 is syscall. Yeah, that's already available
It's not implemented in the driver, but it shouldn't be too difficult to add, or just do it from usermode (again, same as interrupts, the code it jumps to must be available, so has to be in kernel memory)

John111 · Posted: Tue May 05, 2015 2:30 pm Post subject:

kabachi · How do I cheat? Reputation: 0 Joined: 08 May 2015 Posts: 7

Dark Byte · Posted: Fri May 08, 2015 6:20 pm Post subject:

According to http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-system-programming-manual-325384.pdf#page=1107&zoom=auto,-265,517 a few cpu's do support the 100 setup for EPT (execute only)

This code will show (or bsod you) if your system supports it (if i where to implement it)