Cheat Engine

flarn2006

I came across this on Wikipedia. I don't really know much about how exactly it works, so it might not be useful at all. But it looks like SMM could provide an environment for Cheat Engine, or at least software that interacts with Cheat Engine, to reside, and execute with a privilege level above even the operating system.

Wikipedia mentions that exploits have been shown that enables it to be "broken into" to run "high-privileged rootkits". That makes it sound even more like it could be useful for Cheat Engine, in terms of running undetected and debugging software that was designed to resist such techniques. Of course, with physical access to the computer, an exploit shouldn't be necessary--it would just require a lower-level installation process. From my understanding it'll probably involve something that runs before Windows boots, like in the EFI or something.

Dark Byte · Posted: Sat Apr 11, 2015 4:08 am Post subject:

that's basically dbvm
it runs above the operating system, and cheat engine can interface with it

flarn2006 · Posted: Sat Apr 11, 2015 11:00 pm Post subject:

What would be neat though would be to have a key combination that opens some kind of interface with a debugger, memory editor, etc. that, as you said, runs above the operating system. My impression from that Wikipedia article was that SMM would let you do that, but how DBVM works could probably do that as well. Does DBVM run in System Management Mode?

Also, every time I try to load DBVM from the About box my computer freezes for a few seconds and then I get a BSOD. The boot CD doesn't work either, could be because I have BitLocker. Do you have any tips?

hhhuut · Posted: Sun Apr 12, 2015 5:56 am Post subject:

Try to decrease the number of used cores, restart the computer and try enabling DBVM again.

Dark Byte · Posted: Sun Apr 12, 2015 6:40 am Post subject:

dbvm does have that when compiled in debug mode
when you send the b key to the serial port it'll break next vmexit (usually a taskswitch or pagefault)
from there you can set a breakpoint and disassemble the code

but as you can imagine, not everyone likes using the serial port.

to do what you wish would require an display driver that can be accessed from outside of windows and deals with those state changes. And i don't think the drivers by nvidia and AMD support that right now (or ever)

dbvm doesn't run in smm mode, but it basically emulates it
also, smm isn't as useful for debugging as it can't fake system registers like a virtual machine can (so breakpoint will be visible and bp interrupts do get to the operating system)

flarn2006 · Posted: Mon Apr 13, 2015 8:52 pm Post subject:

hhhuut · Posted: Tue Apr 14, 2015 8:59 am Post subject:

Try this version:
http://forum.cheatengine.org/viewtopic.php?p=5588229#5588229

flarn2006 · Posted: Thu Apr 16, 2015 2:00 am Post subject:

Dark Byte · Posted: Thu Apr 16, 2015 6:37 am Post subject:

you replaced both vmdisk.img and dbk64 and booted with unsigned driver support? Because just replacing dbk64 would have no effect

what cpu model do you have?

flarn2006 · Posted: Fri Apr 17, 2015 12:33 am Post subject:

Dark Byte · Posted: Fri Apr 17, 2015 3:13 am Post subject:

same thread, a few posts above that

flarn2006 · Posted: Fri Apr 17, 2015 6:37 pm Post subject: