Cheat Engine The Official Site of Cheat Engine
Weatherman (How do I cheat?)
Reputation: 0, Joined: 09 Sep 2021, Posts: 6
Posted: Thu Sep 09, 2021 1:21 pm, Post subject: Cheat Engine DBVM causes system crash
I'm trying to use Cheat Engine's DBVM kernel debugger. Whether it's kernel debugging with Global Debug Routines checked + HWBP, or a DBVM breakpoint, my system always crashes (I tried lowering the processor count, closing applications, and many other things; the issue persists).
It only seems to happen when a breakpoint is hit and I'm expected to handle the exception. As long as I handle it within 1 s of it showing up in Cheat Engine I don't crash, but that also means I don't really get a chance to debug. If I take any longer the system crashes with PAGE_FAULT_IN_NONPAGED_AREA (HWBP) or CLOCK_WATCHDOG_TIMEOUT (even with fewer processors).
Is there anything I can do?
Dark Byte (Site Admin)
Reputation: 471, Joined: 09 May 2003, Posts: 25830, Location: The Netherlands
Posted: Thu Sep 09, 2021 3:58 pm
What CPU do you have?
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Weatherman
Posted: Thu Sep 09, 2021 4:18 pm
Dark Byte wrote:
> What CPU do you have?
Intel Core i7-7700
Dark Byte
Posted: Thu Sep 09, 2021 4:39 pm
Make sure you don't have any virtual machines running.
Weatherman
Posted: Thu Sep 09, 2021 5:00 pm
Dark Byte wrote:
> Make sure you don't have any virtual machines running.
I don't currently have any running. This is all done in an environment where HVCI ("memory integrity")/Hyper-V is not running and Cheat Engine's hypervisor is the only one running.
I should note that the features mostly work fine (find out where r/w/x occurred, CE's tracer, etc.); the only thing that causes a crash is setting a breakpoint and then trying to single-step.
Dark Byte
Posted: Fri Sep 10, 2021 6:22 am
Are you using the DBVM-level debugger, or the kernel-mode debugger?
Weatherman
Posted: Fri Sep 10, 2021 7:52 am
Dark Byte wrote:
> Are you using the DBVM-level debugger, or the kernel-mode debugger?
Kernel-mode debugger: PAGE_FAULT_IN_NONPAGED_AREA
DBVM level: CLOCK_WATCHDOG_TIMEOUT <---- seems to be fixed when I don't specify a type of breakpoint and just click "toggle breakpoint"?
Anyway, all good, just one last question:
When using DBVM, it seems like Cheat Engine still relies on EnumProcessModules and the Sym API to enumerate modules, instead of using the getPEB() function and iterating through the modules that way.
Is there any option to work with kernel reading? Or will I have to hook these functions to redirect them to the kernel?
Dark Byte
Posted: Fri Sep 10, 2021 10:03 am
Easiest is to hook them and redirect to the kernel.
Also, look at the "privatebuild" define in CE's source code. It will hook NtOpenProcess to CE's implementation of NtOpenProcess, which then uses the kernel-mode memory API (including redirecting rpm/wpm in case of handleless operation).
Alternatively, if you need symbols, you can scan the memory for module start signatures (MZ header and a potential PE header later) and then use the Lua symbolhandler interface to register new modules and attached symbols after parsing the module's headers for the exports.
I have some Lua code lying around that can parse PE headers.
CE's memory scan is quite fast when scanning with fastscan and an alignment of 0x10000.
Weatherman
Posted: Fri Sep 10, 2021 12:57 pm
Dark Byte wrote:
> Easiest is to hook them and redirect to the kernel.
> Also, look at the "privatebuild" define in CE's source code. It will hook NtOpenProcess to CE's implementation of NtOpenProcess, which then uses the kernel-mode memory API (including redirecting rpm/wpm in case of handleless operation).
> Alternatively, if you need symbols, you can scan the memory for module start signatures (MZ header and a potential PE header later) and then use the Lua symbolhandler interface to register new modules and attached symbols after parsing the module's headers for the exports.
> I have some Lua code lying around that can parse PE headers.
> CE's memory scan is quite fast when scanning with fastscan and an alignment of 0x10000.
Thank you once again for your feedback...
I have decided to stray from signature scanning for PE headers (although it worked, it contained false positives and there is no real method of identifying the image name through this). I decided to go ahead and write a quick Lua script to iterate through all modules via the PEB, subsequently resolving the full path, name, base, and size.
Script:
Code:
```lua
-- All reads go through the target's CR3 so they work with DBVM/kernel reading.
function read_qword(ptr)
  return byteTableToQword(readProcessMemoryCR3(dbk_getCR3(), ptr, 8))
end
function read_wstring(ptr, size)
  return byteTableToWideString(readProcessMemoryCR3(dbk_getCR3(), ptr, size))
end
function read_dword(ptr)
  return byteTableToDword(readProcessMemoryCR3(dbk_getCR3(), ptr, 4))
end
function read_word(ptr)
  return byteTableToWord(readProcessMemoryCR3(dbk_getCR3(), ptr, 2))
end
-- PEB+0x18 = Ldr (PEB_LDR_DATA); Ldr+0x10 = InLoadOrderModuleList (LIST_ENTRY head)
function get_ldr()
  return read_qword(getPEB() + 0x18)
end
function get_module_list()
  return read_qword(get_ldr() + 0x10)   -- Flink of the list head = first entry
end
-- UNICODE_STRING: Length (USHORT, in bytes) at +0, Buffer (PWSTR) at +8
function read_name(unicode_string)
  local name = nil
  local length = read_word(unicode_string)
  if length ~= nil then
    name = read_wstring(read_qword(unicode_string + 0x8), length)
  end
  return name
end
local head = get_ldr() + 0x10
local entry = get_module_list()
while (entry ~= head) do
  -- InLoadOrderLinks is the first field of LDR_DATA_TABLE_ENTRY, so the list
  -- entry address is the module entry itself; reading entry.Flink here would
  -- skip every other module.
  local module = entry
  local base = read_qword(module + 0x30)   -- DllBase
  local size = read_dword(module + 0x40)   -- SizeOfImage
  -- path = windows image path (FullDllName)
  -- name = the name of the image (BaseDllName)
  local path = read_name(module + 0x48)
  local name = read_name(module + 0x58)
  printf("Image Name -> %s, Image Base -> 0x%X, Image Size -> 0x%X", name, base, size)
  getMainSymbolList().addModule(name, path, base, size)
  entry = read_qword(module)   -- InLoadOrderLinks.Flink -> next entry
end
```
My next step is to add these modules to CE's module table. Is there any function provided to do this? Reading through the documentation it seems like by calling getMainSymbolList().addModule() you should be able to do this; however, nothing seems to change afterward.
Any suggestions on where to look? I'm pretty new to Cheat Engine's Lua API so anything helps.
EDIT: I also tried getCommonModuleList().add(name) and the modules were all added to whatever that StringList was, but it doesn't make any changes either.
Dark Byte
Posted: Fri Sep 10, 2021 2:15 pm
This will add a module and a symbol to the symbol list. It will even show up in the enum modules and symbols window.
Code:
```lua
sl=createSymbolList()
sl.register()
sl.addModule('somemodule.xxx', nil, 0x00400000, 0x34000, true)
sl.addSymbol('somemodule.xxx', 'symbol1',0x00400500, 1)
sl.addSymbol('somemodule.xxx', 'somemodule.symbol1',0x00400500, 1,true) --not necessary but handy in case you want to use a module specific notation
```
Weatherman
Posted: Fri Sep 10, 2021 2:42 pm
Dark Byte wrote:
> This will add a module and a symbol to the symbol list. It will even show up in the enum modules and symbols window.
> Code:
> sl=createSymbolList()
> sl.register()
> sl.addModule('somemodule.xxx', nil, 0x00400000, 0x34000, true)
> sl.addSymbol('somemodule.xxx', 'symbol1',0x00400500, 1)
> sl.addSymbol('somemodule.xxx', 'somemodule.symbol1',0x00400500, 1,true) --not necessary but handy in case you want to use a module specific notation
Perfect, this displays the modules inside the module list as expected. Sad that it looks like it doesn't show up in the "Show Patches" option and symbols aren't really loaded automatically. I suppose the only remaining option is to hook these APIs and have them read out the PEB manually.
Thanks for your help.
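The missing step between Weatherman's PEB walk and Dark Byte's symbol-list snippet is the one Dark Byte mentioned: parsing each module's headers for its exports, so that symbols are populated instead of only the module names. The following Lua is an added example (not code from the thread or from Cheat Engine) that does this with the same CR3-based reads: it assumes a 64-bit module base found by the PEB walk, a symbol list created with createSymbolList() and register()'d, and the CE functions already used in the thread (readProcessMemoryCR3, dbk_getCR3, byteTableToWord, byteTableToDword, addModule, addSymbol); parse_exports and register_module_exports are names of the example's own.

```lua
-- Added example (not CE's own code): reads go through the target's CR3 like the thread's script.
local cr3 = dbk_getCR3()
local function rd_bytes(addr, n) return readProcessMemoryCR3(cr3, addr, n) end
local function rd_word(addr)  local t = rd_bytes(addr, 2) return t and byteTableToWord(t) end
local function rd_dword(addr) local t = rd_bytes(addr, 4) return t and byteTableToDword(t) end
-- NUL-terminated ASCII string (export names are ASCII), capped at maxlen bytes.
local function rd_cstring(addr, maxlen)
  local t = rd_bytes(addr, maxlen)
  if not t then return nil end
  local chars = {}
  for i = 1, #t do
    if t[i] == 0 then break end
    chars[#chars + 1] = string.char(t[i])
  end
  return table.concat(chars)
end
-- Named exports of the PE32+ image at base as {name, address}; {} if there is no
-- export directory; nil if the headers are not a PE image (rejects 'MZ' false positives).
function parse_exports(base)
  if rd_word(base) ~= 0x5A4D then return nil end                -- 'MZ'
  local e_lfanew = rd_dword(base + 0x3C); if not e_lfanew then return nil end
  local nt = base + e_lfanew; if rd_dword(nt) ~= 0x00004550 then return nil end -- 'PE\0\0'
  local opt = nt + 0x18                                         -- IMAGE_OPTIONAL_HEADER64
  if rd_word(opt) ~= 0x20B then return nil end                  -- PE32+ magic only
  local exp_rva, exp_size = rd_dword(opt + 0x70), rd_dword(opt + 0x74) -- DataDirectory[0]
  if not exp_rva or exp_rva == 0 or not exp_size or exp_size == 0 then return {} end
  local dir      = base + exp_rva                               -- IMAGE_EXPORT_DIRECTORY
  local n_names  = rd_dword(dir + 0x18) or 0                    -- NumberOfNames
  local funcs    = base + rd_dword(dir + 0x1C)                  -- AddressOfFunctions
  local names    = base + rd_dword(dir + 0x20)                  -- AddressOfNames
  local ordinals = base + rd_dword(dir + 0x24)                  -- AddressOfNameOrdinals
  local result = {}
  for i = 0, n_names - 1 do
    local name = rd_cstring(base + rd_dword(names + i * 4), 256)
    local rva  = rd_dword(funcs + rd_word(ordinals + i * 2) * 4)
    -- A forwarder's RVA points back into the export directory; there is no code to name.
    if name and rva and not (rva >= exp_rva and rva < exp_rva + exp_size) then
      result[#result + 1] = { name = name, address = base + rva }
    end
  end
  return result
end
-- Register module + exports in a symbol list (createSymbolList()/register(), then Dark Byte's addModule/addSymbol calls).
function register_module_exports(sl, name, path, base, size)
  local exports = parse_exports(base)
  if not exports then return 0 end
  sl.addModule(name, path, base, size, true)   -- fifth argument as in Dark Byte's snippet
  for _, e in ipairs(exports) do sl.addSymbol(name, e.name, e.address, 1) end
  return #exports
end
```

Calling register_module_exports(sl, name, path, base, size) in the PEB walk's loop in place of getMainSymbolList().addModule(...) fills the symbol handler with each module's exports, and the nil return from parse_exports is what to check when the base came from a raw MZ signature scan.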