Editing Library Functions

Corruptor
Advanced Cheater
Reputation: 3

Joined: 10 Aug 2011
Posts: 82

Posted: Wed Nov 14, 2012 11:20 am    Post subject: Editing Library Functions

Something I always wondered about. From what I know, DLLs are loaded into memory only once, and every program that includes the DLL uses the same code, preventing pointless code duplication.

Now, if I open a program in Cheat Engine and decide to totally screw over the CreateWindowEx instruction, it's still totally fine to create any window in any other program; only when I try to do that in the program I opened in Cheat Engine, this and only this program will crash. Shouldn't every program be affected by this modification?
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Wed Nov 14, 2012 12:06 pm    Post subject: Re: Editing Library Functions

Corruptor wrote:
> Something I always wondered about. From what I know, DLLs are loaded into memory only once, and every program that includes the DLL uses the same code, preventing pointless code duplication.

Someone correct me if I'm wrong, but I think this only applies to kernel DLLs because all other DLLs are relocatable. Basically, when Windows loads MyCustomDll.dll for a process, parts of its assembly code (defined in the .reloc section) are patched, like references to imported functions.

Corruptor wrote:
> Now, if I open a program in Cheat Engine and decide to totally screw over the CreateWindowEx instruction, it's still totally fine to create any window in any other program; only when I try to do that in the program I opened in Cheat Engine, this and only this program will crash. Shouldn't every program be affected by this modification?

Only the process for which you botched CreateWindowEx is affected, thanks to the copy-on-write page protection. Simply put: as soon as you write to a kernel .dll, Windows creates a copy just for your process.
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25806
Location: The Netherlands

Posted: Wed Nov 14, 2012 1:14 pm

Gniarf is correct, yes.
As soon as you try to write to a page with the copy-on-write flag, a page fault exception will trigger. Windows then sees the copy-on-write, copies the page to a new physical address, remaps the pagetable entry for that page and sets it to writable, and then returns without giving an error.

Now, it is possible to make the modification affect every single process, though (with CE):
Enable kernelmode memory access in CE.
Go to the address in the hexadecimal view, look at the physical address part and write it down.
Go to the process list and select the top process named [Physical Memory].
Now go to the address you wrote down and edit there.
It bypasses the read-only protection and thus doesn't incur the page fault, and no copy-on-write will happen, effectively editing the memory of all processes that have that module loaded at that specific location.


--
Also, you can edit the memory without causing a copy-on-write and without going to [Physical Memory] by editing the pagetable entry manually.
The pagetable entry can be found with this formula:
pagetablebase+(address/0x1000)*pageentrysize

In 32-bit the pagetablebase is located at c0000000 and in 64-bit at fffff68000000000.

In 32-bit the pageentrysize can be either 4 or 8 bytes, depending on whether PAE paging is used or not. If no-execute support is in, PAE is enabled.
Normally you'd use getCR4() to check if the PAE bit is set, but I didn't export that, so it's better to just check the first few entries of the pagetable first and see if you can determine what type it is.

In 64-bit the pageentrysize is always 8.

Anyhow, when you finally have the entry, change bit 1 (the second bit, RW) to 1.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping.
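The copy-on-write behaviour Gniarf and Dark Byte describe (a shared image page stays shared until one process writes to it, at which point the fault handler gives that process its own copy) can be observed from user mode with an ordinary private file mapping. This is an added demonstration, not code from the thread: it uses POSIX mmap rather than the Windows image loader, with a constructed temp file standing in for the DLL and a MAP_SHARED view standing in for every other process's view of the same pages.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if copy-on-write isolation was observed (a write through the
 * private view changed only that view), 0 if not, -1 on a setup error. */
int cow_isolated(void) {
    char path[] = "/tmp/cowdemo_XXXXXX";     /* constructed stand-in for a DLL file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                            /* fd keeps the file alive */
    long pagesz = sysconf(_SC_PAGESIZE);
    if (ftruncate(fd, pagesz) != 0) { close(fd); return -1; }

    const char original[] = "CreateWindowExW original bytes";   /* constructed "code" */
    if (pwrite(fd, original, sizeof original, 0) != (ssize_t)sizeof original) {
        close(fd); return -1;
    }

    /* "Every other process": a shared view of the real backing pages. */
    char *shared = mmap(NULL, pagesz, PROT_READ, MAP_SHARED, fd, 0);
    /* "The process being edited": a private view; first write triggers COW. */
    char *priv = mmap(NULL, pagesz, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (shared == MAP_FAILED || priv == MAP_FAILED) { close(fd); return -1; }

    /* Before any write both views are backed by the same physical page. */
    int same_before = memcmp(shared, priv, sizeof original) == 0;

    /* Patch the "function" through the private view: kernel faults, copies
     * the page for this mapping only, makes the copy writable, and resumes. */
    memcpy(priv, "PATCHED", 7);

    int priv_changed     = memcmp(priv, "PATCHED", 7) == 0;
    int shared_untouched = memcmp(shared, original, sizeof original) == 0;

    munmap(shared, pagesz); munmap(priv, pagesz); close(fd);
    return same_before && priv_changed && shared_untouched;
}

int main(void) {
    printf("copy-on-write isolated the patch: %s\n", cow_isolated() == 1 ? "yes" : "no");
    return 0;
}
```

This is why a botched CreateWindowEx only crashes the patched process: the other processes keep reading the untouched shared page, and an integrity check that compares a module's in-memory bytes against the on-disk image will flag only the process that took the private copy.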
All times are GMT - 6 Hours