n1vX Advanced Cheater
Reputation: 0
Joined: 27 May 2007 Posts: 61
Posted: Sun Aug 30, 2020 6:24 am Post subject: DBVM and Memory Region
Hello All,
Can we use DBVM Cloak to cloak this selected memory region?
How to make it possible using Lua?
Dark Byte Site Admin
Reputation: 472
Joined: 09 May 2003 Posts: 25867 Location: The netherlands
Posted: Sun Aug 30, 2020 6:39 am Post subject:
Assuming you wish to do this to hide the program, then instead I recommend hooking the kernelmode API responsible for reading process memory (use dbvm cloak for that) and hide that memory by making it return garbage if it's the specific memory region.
You can even detour the OpenProcess call so it fails to open or opens a dummy process instead.
If you do insist on using the dbvm cloak to hide ALL that memory, then you must first add 0x9662000*processorcount bytes to DBVM.
So if you have 8 logical CPUs then you'll need to add 1.2GB RAM to DBVM.
Then do a dbvm_cloak on every page and mark then write garbage to the code.
---
If you're asking to use cloak to bypass an integrity check routine in that process then just cloak the pages you are actually going to change, and not more.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
n1vX Advanced Cheater
Reputation: 0
Joined: 27 May 2007 Posts: 61
Posted: Sun Aug 30, 2020 7:45 am Post subject:
Thank you Dark Byte, I just want to bypass integrity check.
Dark Byte Site Admin
Reputation: 472
Joined: 09 May 2003 Posts: 25867 Location: The netherlands
Posted: Sun Aug 30, 2020 8:10 am Post subject:
Then find the address you wish to change and do something like:
Code:
    if not hasInitialized then
      --make sure that it's possible to get the physical address. Also possible with DBVM raw, but this is easier
      dbk_initialize()
      dbk_useKernelmodeOpenProcess()
      if getOpenedProcessID()~=0 then
        OpenProcess(getOpenedProcessID())
      end
      if dbvm_initialize(true,'This needs DBVM. Launch it? (Make sure all important data is stored just in case...)')==false then
        error('this needs DBVM')
      end
      hasInitialized=true
    end
    address=address & ~(0xfff) --make sure it's aligned
    physicaladdress=dbk_getPhysicalAddress(address)
    dbvm_cloak_activate(physicaladdress, address)

After this, autoAssemble will recognize it's a cloaked region and will assemble the code into the part that gets executed by the CPU, but not what the CPU reads.
n1vX Advanced Cheater
Reputation: 0
Joined: 27 May 2007 Posts: 61
Posted: Sun Aug 30, 2020 8:33 pm Post subject:
Thank you for your help, Dark Byte.
n1vX Advanced Cheater
Reputation: 0
Joined: 27 May 2007 Posts: 61
Posted: Mon Aug 31, 2020 5:37 am Post subject:
Hello Dark Byte, everything works perfectly if I only open a single process. But the problem comes when I open the game again (two processes, same game): the memory cloak is done but it won't be executed.
I read this note in celua but still don't understand:
Quote: Note: It is recommended to cause a copy-on-write on the target first, else this will affect all processes that have this memory block loaded
So, if I have the game in two processes (because I open 2 windows), how can I make this dbvm cloak be executed in each process? In this case, I open 2 games and 2 CE.
Dark Byte Site Admin
Reputation: 472
Joined: 09 May 2003 Posts: 25867 Location: The netherlands
Posted: Mon Aug 31, 2020 5:59 am Post subject:
OK, so same process running multiple times.
In that case both processes will have the same physical address for the code, until something triggers the copy-on-write.
The most efficient way would be to look for a codecave inside the game's module that you can use and jump there. That way you only need to apply the dbvm cloak on one process and it affects the current and all future versions until disabled.
But since that is tricky I recommend just doing a single
Code:
    writeInteger(address,readInteger(address))

This will trigger the copy-on-write, giving the selected process a unique physical address for that page, but won't trigger any integrity check.
You then apply the cloak to that new physical address.
n1vX Advanced Cheater
Reputation: 0
Joined: 27 May 2007 Posts: 61
Posted: Mon Aug 31, 2020 7:20 pm Post subject:
Thank you Dark Byte.
Finally I found the problem: if the game runs in multiple instances and I use dbvm cloak in all those games, it changes physical address after several minutes.
I just need to disable the cloak, then get the new physical address and cloak it again.
But the problem is still there.
I manually cloaked 4 addresses, then after several minutes tried to disable them one by one; only 3 got disabled and 1 is still cloaked and stuck, and I cannot assemble anything to that stuck cloaked address. In memory viewer the bytes are still green.
Dark Byte Site Admin
Reputation: 472
Joined: 09 May 2003 Posts: 25867 Location: The netherlands
Posted: Mon Aug 31, 2020 11:27 pm Post subject:
If disabling is an issue then try
that will globally disable all dbvm memory hooks.
But dbvm_cloak_deactivate should work, just keep track of the old PA and if it changes disable it using the old PA.
As for the physical address changing, how much RAM do you have?
If you're running out of physical memory, Windows may swap out pieces of memory to disk temporarily when it needs to and doesn't put it back in the original address.
Try locking the memory (undocumented):
Code:
    mdl=lockMemory(address, size)

Locking the memory will prevent Windows from changing the physical address
and when done
(may BSOD if the game closes before unlock)
n1vX Advanced Cheater
Reputation: 0
Joined: 27 May 2007 Posts: 61
Posted: Tue Sep 01, 2020 4:48 am Post subject:
This solved my problem. It was my mistake because I forgot to track the old PA while deactivating the cloak.
I use 8 Gb RAM, the game uses around 1 Gb at the beginning, after a while it left only 500-700 Mb.
Thanks for your help Dark Byte. My problem is solved.