| View previous topic :: View next topic |
| Author |
Message |
Rotschild
Newbie cheater
![]() Reputation: 0
Joined: 23 Jul 2012
Posts: 11
|
 Posted: Fri Nov 08, 2019 7:33 pm Post subject: Bluestacks AOB Alloc pointer problem |
 |
|
I have problem with AOB AutoAssable with BlueStacks memory.
I want to create Jump for new memory region created by AOB script (pic1) and it works fine in CT MemoryViewer that is outside BlueStacks (Pic2) but when i look at what have script done in CT MemoryViewer from inside BlueStacks (ceserver_x86) i see some crazy jump to nowhere(Pic3). And as a result - app crash.
I assume this is Alloc problems. BlueStacks has its own virtual address table inside itself. How can i fix it?
| Description: |
|
| Filesize: |
83.57 KB |
| Viewed: |
6500 Time(s) |
|
| Description: |
|
| Filesize: |
33.98 KB |
| Viewed: |
6500 Time(s) |
|
| Description: |
|
| Filesize: |
46.47 KB |
| Viewed: |
6500 Time(s) |
|
|
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 458
Joined: 09 May 2003
Posts: 25287
Location: The netherlands
|
| Posted: Sat Nov 09, 2019 1:06 am Post subject: |
|
|
From outside bluestacks you are working on the physical memory ofbthe android device, not on the virtual memory of the process running inside the android device.
You need to do the alloc from inside ceserver. Which will require the extension module te get injected into the target first (sometimes the inject works fine, but i never tested that on bluestacks)
Then do the jmp from inside ceserver as well, else the jump distance is wrong, as virtual memory is randomized over physical memory in 4096 byte blocks
-
else find a codecave inside the target process and use and aob to find that.
Then build the jmp yourself using the virtual address of origin and destination
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Doraneko
Newbie cheater
![]() Reputation: 1
Joined: 22 Jul 2018
Posts: 10
Location: Japan Tokyo
|
| Posted: Sat Nov 09, 2019 3:13 pm Post subject: |
|
|
ceserver's so injection is a little unstable.
Load libceserver-extension_x86.so directly embedded in apk (like frida-gadget).
Or you can inject the so file with frida.
I have confirmed that CE AutoAssemble works correctly with NoxAppPlayer using the above method.
|
|
| Back to top |
|
|
nadinemagazine
How do I cheat?
![]() Reputation: 0
Joined: 09 Nov 2019
Posts: 0
|
| Posted: Sat Nov 09, 2019 3:18 pm Post subject: thank you |
|
|
thanks
_________________
Rawshna. |
|
| Back to top |
|
|
Rotschild
Newbie cheater
![]() Reputation: 0
Joined: 23 Jul 2012
Posts: 11
|
| Posted: Wed Nov 13, 2019 10:32 pm Post subject: |
|
|
| Dark Byte wrote: | From outside bluestacks you are working on the physical memory ofbthe android device, not on the virtual memory of the process running inside the android device.
You need to do the alloc from inside ceserver. Which will require the extension module te get injected into the target first (sometimes the inject works fine, but i never tested that on bluestacks)
Then do the jmp from inside ceserver as well, else the jump distance is wrong, as virtual memory is randomized over physical memory in 4096 byte blocks
-
else find a codecave inside the target process and use and aob to find that.
Then build the jmp yourself using the virtual address of origin and destination |
Actually cesrver extension injection is not working on Bluestacks and even on Nox.
Unfortunately, there is no codecaves 4kb near in my target code. I think i will Ret some unused nearby function and will use flesh of this function as donor.
| Doraneko wrote: | ceserver's so injection is a little unstable.
Load libceserver-extension_x86.so directly embedded in apk (like frida-gadget).
Or you can inject the so file with frida.
I have confirmed that CE AutoAssemble works correctly with NoxAppPlayer using the above method. |
Installing Frida was really pain in the ass.
How do you inject .so library with Frida? There is no frida-inject in windows-python-pip version. Only frida, frida-trace, frida-ps.
Interesting application. But for some reason, "frida-trace -U -f MYAPP -i SSLRead" doesn't give me any results (no handler was generated). It’s a pity (( I tried for years to see what is sending in SSL traffic on Android(with no cert pinning bypass).
|
|
| Back to top |
|
|
Doraneko
Newbie cheater
![]() Reputation: 1
Joined: 22 Jul 2018
Posts: 10
Location: Japan Tokyo
|
| Posted: Fri Nov 15, 2019 8:45 am Post subject: |
|
|
I verified with a common so file injection program.
(x86 program => x86 program)
Nox 4.4.2: Failure
Nox 5.1.1: Success
Nox 7.1.2: Failure
(x86 program => ARM program)
In the above case, an emulator hooking library called 「EHook」 is used.
I also succeeded with Nox 5.1.1 by modifying the ceserver program. But I didn't know why this was successful.
In Frida, if you implement a script that invokes dlopen, it is possible in Nox5.1.1.
|
|
| Back to top |
|
|
Rotschild
Newbie cheater
![]() Reputation: 0
Joined: 23 Jul 2012
Posts: 11
|
| Posted: Fri Nov 15, 2019 3:59 pm Post subject: |
|
|
| Doraneko wrote: | I verified with a common so file injection program.
(x86 program => x86 program)
Nox 4.4.2: Failure
Nox 5.1.1: Success
Nox 7.1.2: Failure
(x86 program => ARM program)
In the above case, an emulator hooking library called 「EHook」 is used.
I also succeeded with Nox 5.1.1 by modifying the ceserver program. But I didn't know why this was successful.
In Frida, if you implement a script that invokes dlopen, it is possible in Nox5.1.1. |
I thought there were easier and more stable ways 
Whatever thanks.
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
