Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Finding native bytecode after JIT

 
LtO
Advanced Cheater
Reputation: 0

Joined: 09 Mar 2015
Posts: 71

Posted: Fri Mar 30, 2018 7:53 am    Post subject: Finding native bytecode after JIT

I'm still looking to find the native bytecodes in a Flash application. I have learned a few things about it, but it's hard to find conclusive info or tutorials on how to do this... It would be awesome if I could just convert the code into what it would look like after the JIT compilation. But I guess it's probably not that easy.
When I check the memory with ffdec, I also notice javaw and javactivex are running, and I thought maybe that is a way I could find it? But as I said, I'm not finding specific info about this and would love some assistance with it...
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Fri Mar 30, 2018 9:52 am

Perhaps try to find the Flash bytecode pre-JIT and set a breakpoint to see what reads it; whatever does is probably the code that JITs it, so then you just need to look at that code to figure out where it writes the native code during/after jitting.
_________________
https://github.com/FreeER/ has a few CE related repos
LtO
Advanced Cheater
Reputation: 0

Joined: 09 Mar 2015
Posts: 71

Posted: Fri Mar 30, 2018 12:42 pm

FreeER wrote:
Perhaps try to find the Flash bytecode pre-JIT and set a breakpoint to see what reads it; whatever does is probably the code that JITs it, so then you just need to look at that code to figure out where it writes the native code during/after jitting.


Ok, I certainly have access to all bytecodes pre-JIT; that ain't a problem, I just decompile the app and find all the bytecode in memory :)
With breakpoints, do you mean using the function 'find out what accesses/writes to this address'?
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Fri Mar 30, 2018 1:28 pm

Do an aobscan for the Flash p-code and find what accesses that, e.g.


"whatever does is probably the code to jit it, so then you just need to look at the code to figure out where it writes the native code to during/after jitting. "

(disclaimer: I haven't done this myself, it's just something that seems logical to me)

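An added illustration of the aobscan step FreeER describes (this is not code from the thread, from Cheat Engine, or from Flash): a Cheat Engine-style array-of-bytes scan with ?? wildcards, run over a byte buffer constructed inline so it works offline. The buffer and the opcode bytes in it are assumptions made up for the example (they are meant to resemble an AVM2 method prologue but should be treated as constructed values); a real scan would read the target process's memory in chunks instead of a local buffer.

```python
"""Array-of-bytes (AOB) scan with wildcards, in the notation Cheat Engine's
aobscan uses ("D0 30 ?? 61": two hex digits per byte, ?? matches any byte).

Example code added to the thread; the sample buffer below is constructed.
"""
import re
from typing import List, Optional

# Constructed sample memory: two copies of a bytecode sequence whose operand
# bytes (the bytes after 0x5D, 0x24 and 0x4F) differ, padded with filler.
# The opcode values are assumptions chosen to look like an AVM2 prologue.
SAMPLE = (
    b"\x00" * 16
    + bytes([0xD0, 0x30, 0x5D, 0x12, 0x24, 0x05, 0x4F, 0x13, 0x01, 0x47])
    + b"\xFF" * 8
    + bytes([0xD0, 0x30, 0x5D, 0x07, 0x24, 0x2A, 0x4F, 0x0B, 0x01, 0x47])
)


def parse_pattern(pattern: str) -> List[Optional[int]]:
    """Turn "D0 30 ?? 61" into [0xD0, 0x30, None, 0x61]; None is a wildcard."""
    out: List[Optional[int]] = []
    for tok in pattern.split():
        if tok in ("?", "??", "*", "**"):
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad pattern token: {tok!r}")
    if not out:
        raise ValueError("empty pattern")
    return out


def is_valid_pattern(pattern: str) -> bool:
    """True if the pattern parses, False otherwise (never raises)."""
    try:
        parse_pattern(pattern)
        return True
    except ValueError:
        return False


def aob_scan(buf: bytes, pattern: str, base: int = 0) -> List[int]:
    """Return base + offset for every position where pattern matches buf.

    base is the address the buffer was read from, so results are addresses
    rather than offsets when scanning a chunk of process memory.
    """
    pat = parse_pattern(pattern)
    n = len(pat)
    # Use the first fixed byte as an anchor so bytes.find does the fast skip;
    # the remaining bytes are then compared in place, honouring wildcards.
    anchor_idx = next((i for i, b in enumerate(pat) if b is not None), None)
    if anchor_idx is None:
        # Every byte is a wildcard: any position with room for n bytes matches.
        return [base + i for i in range(len(buf) - n + 1)]
    anchor = bytes([pat[anchor_idx]])  # type: ignore[list-item]
    hits: List[int] = []
    pos = buf.find(anchor)
    while pos != -1:
        start = pos - anchor_idx
        if start >= 0 and start + n <= len(buf):
            if all(p is None or buf[start + i] == p for i, p in enumerate(pat)):
                hits.append(base + start)
        pos = buf.find(anchor, pos + 1)
    return hits


if __name__ == "__main__":
    # The operand bytes differ between the two copies, so they are wildcarded
    # and only the opcode bytes are fixed; both copies are found.
    for addr in aob_scan(SAMPLE, "D0 30 5D ?? 24 ?? 4F", base=0x10000000):
        print(hex(addr))
```

The point of the wildcards is the one the thread runs into: the bytes you can see in a decompiler are partly operands (constant-pool indices and the like) that differ from method to method and can be rewritten, so a scan should fix only the opcode bytes you are sure of and leave the rest as ??. Each hit is then a candidate address to put a "find out what accesses this address" watch on.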
LtO
Advanced Cheater
Reputation: 0

Joined: 09 Mar 2015
Posts: 71

Posted: Fri Mar 30, 2018 3:05 pm

FreeER wrote:
Do an aobscan for the Flash p-code and find what accesses that, e.g.


"whatever does is probably the code to jit it, so then you just need to look at the code to figure out where it writes the native code to during/after jitting. "

(disclaimer: I haven't done this myself, it's just something that seems logical to me)


Thanks, that's a good tip. I tried it now and this is what I get (in the attachment). I just wonder now where I can see the bytecodes or instructions that I need to look for in the code...

Oh, stupid me, it's probably already visible in the picture I added here :)

I cannot find those bytecodes in my source though; what bytecode should I be looking for?

[Attachment: Untitled.png, 75.61 KB]
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Fri Mar 30, 2018 6:49 pm

You'd look for any byte code that you know exists, preferably one you're interested in finding the jitted code for... after that it's a matter of reverse-engineering the code you find to see where it writes the jitted intel assembly code...
LtO
Advanced Cheater
Reputation: 0

Joined: 09 Mar 2015
Posts: 71

Posted: Sat Mar 31, 2018 12:27 am

FreeER wrote:
You'd look for any byte code that you know exists, preferably one you're interested in finding the jitted code for... after that it's a matter of reverse-engineering the code you find to see where it writes the jitted intel assembly code...


I'm not finding any of those bytecodes, unfortunately. I'm afraid that code is already JIT compiled too by the time the game logged on... Or is that not possible? I can look at all the bytecodes of the source and it's not there.
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Sat Mar 31, 2018 11:18 am

I suppose it's possible, use the windows debugger and open the process from the file (which will break on the entry point, before the jit code could run), then do your scan and breakpoint setup.

If for some reason you can't do that with the flash player plugin then go get the standalone flash player (https://www.adobe.com/support/flashplayer/debug_downloads.html) and use that for finding the jit code and what the asm is, hopefully the jitted bytes will be the same.

LtO
Advanced Cheater
Reputation: 0

Joined: 09 Mar 2015
Posts: 71

Posted: Sun Apr 01, 2018 11:59 am

FreeER wrote:
I suppose it's possible, use the windows debugger and open the process from the file (which will break on the entry point, before the jit code could run), then do your scan and breakpoint setup.

If for some reason you can't do that with the flash player plugin then go get the standalone flash player (https://www.adobe.com/support/flashplayer/debug_downloads.html) and use that for finding the jit code and what the asm is, hopefully the jitted bytes will be the same.


Thanks, that's a great tip actually. I tested it, and the only problem I come across is that the process of the Flash Player plugin (in Firefox) is only created when the game has started running... So I tried to start the Flash process with another game and then attach to it with Windebug. When I then try to run my game, it does pause quickly as we want it to, but the game is not loaded in memory yet at that point, so I cannot change any values there... The new Flash process then starts when I detach the debugger, but I guess it's already too late then... It would be great if the game could be paused before the first JIT compilation; then I wouldn't need to find any jitted code... Or would there be another process that already contains the game's memory before the Flash Player plugin is started? I tried some processes but no luck.

I have now downloaded the Flash Player projector like you said. I'm not sure if I could run the game from there, but I'll give it a try.

I'm glad someone finally steers me in the right direction with this :)


I'm stuck again, could someone help me please with this?