Intel Processor Trace (forum post, Tue Jun 14, 2016)
This script requires the CPUID script from: http://forum.cheatengine.org/viewtopic.php?t=592536
I've been playing with the Intel Processor Trace feature (Intel 6xxx family and later) using Lua and the kernel-mode (dbk_*) functions. For those who want to experiment with it, and perhaps see what they can do with it, here is an example script.
Enable kernel-mode read/write of process memory in Settings -> Extra before running it. Be aware of what the script does: it programs the RTIT MSRs and builds the ToPA table from Lua through the kernel driver, and the CPU then writes its trace output to the physical addresses placed in that table, so a wrong entry corrupts arbitrary physical memory. Also, launchRTIT runs with CR3Filter off, so every user-mode process that gets scheduled on the chosen core is traced, not just the one you opened.
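-- Make sure the CPU affinity of CE is set to a single logical processor before
-- running this: the RTIT MSRs are per logical processor, so every
-- dbk_readMSR/dbk_writeMSR below and the trace itself must land on the same core.
--
-- Capability checks. Each one aborts the script (top-level `return`) when a
-- feature the rest of the script relies on is missing.
check1=CPUID(0)
-- CPUID(0) EBX/EDX/ECX must spell "GenuineIntel" (0x756E6547, 0x49656E69, 0x6C65746E).
if (check1.ebx~=1970169159) or (check1.ecx ~= 1818588270) or (check1.edx ~= 1231384169) then
  print("I do recommend you get a real CPU")
  return
end
-- CPUID.(EAX=7,ECX=0):EBX bit 25 = Intel Processor Trace supported
if ((CPUID(0x7,0).ebx >> 25) & 1)==0 then
  print("Error: Your cpu sucks")
  return
end
CPUID_14_0=CPUID(0x14,0)
-- CPUID.(EAX=0x14,ECX=0):ECX bit 0 = ToPA output scheme supported,
--                            bit 1 = a ToPA table may hold more than one entry.
-- setupToPA builds multi-entry tables and launchRTIT enables ToPA mode, so BOTH
-- bits are required. The original test only bailed out when both bits were
-- clear, so a single-entry-only part fell through to the unsupported path.
local topa_supported   = (CPUID_14_0.ecx & (1 << 0)) ~= 0
local topa_multi_entry = (CPUID_14_0.ecx & (1 << 1)) ~= 0
if (not topa_supported) or (not topa_multi_entry) then
  print("Error: Single Output Region ToPA Only CPU. Not supported. Sorry!")
  return
end
-- CPUID.(EAX=0x14,ECX=0):EBX bit 0 = CR3 filtering supported
if (CPUID_14_0.ebx & 1)==0 then
  print("Error: No CR3 Filter support for this CPU")
  return
end
print("Your cpu passed the tests. It should support Ultimap V2.0")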
-- MSR addresses used by this script (Intel SDM names). All are per logical processor.
IA32_PERF_GLOBAL_STATUS = 0x38e -- bit 55 = Trace_ToPA_PMI
IA32_RTIT_CTL           = 0x570 -- trace enable, filtering and output-mode bits
IA32_RTIT_STATUS        = 0x571 -- Error / Stopped / context flags
IA32_RTIT_CR3_MATCH     = 0x572 -- CR3 compared when CR3Filter is set (defined, not used below)
-- ToPA (Table of Physical Addresses) output scheme
IA32_RTIT_OUTPUT_BASE      = 0x560 -- physical address of the first ToPA table
IA32_RTIT_OUTPUT_MASK_PTRS = 0x561 -- current table offset / output offset
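--- Pack one ToPA table entry (an 8-byte slot) from a descriptor table.
-- e.PhysicalAddress: physical address of the output region, or of the next
--   table when e.END is set. Bits 11:0 of the entry hold the flag and Size
--   fields, so the address must be 4K aligned; a misaligned value would be
--   read by the CPU as flags, and the CPU writes trace data to whatever address
--   results. Such addresses are rejected with error() instead of being encoded.
-- e.Size: 4-bit region size code stored in bits 9:6 (0 = 4 KiB, each step
--   doubles); values outside 0..15 are rejected rather than corrupting bit 10+.
-- e.STOP: bit 4, stop tracing once this region is filled.
-- e.INT:  bit 2, deliberately NOT encoded (see below).
-- e.END:  bit 0, the entry points to the next ToPA table instead of data.
-- Returns the 64-bit entry value.
function ToPA_Table_Entry_To_Value(e)
  if (e.PhysicalAddress & 0xfff) ~= 0 then
    error(string.format("ToPA_Table_Entry_To_Value: physical address %x is not 4K aligned", e.PhysicalAddress))
  end
  if e.Size < 0 or e.Size > 0xf then
    error("ToPA_Table_Entry_To_Value: Size must be 0..15")
  end
  local v = e.PhysicalAddress -- already page aligned, occupies bits 63:12 as-is
  v = v | (e.Size << 6)
  if e.STOP then v = v | (1 << 4) end
  -- e.INT would request a PMI when the region fills; nothing in this script
  -- handles that interrupt, so the bit is intentionally left clear.
  if e.END then v = v | 1 end
  return v
end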
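--- Unpack a 64-bit ToPA table entry into a descriptor table (the inverse of
-- ToPA_Table_Entry_To_Value).
-- Returns a table with PhysicalAddress (bits 63:12, page aligned), Size
-- (bits 9:6), STOP (bit 4), INT (bit 2) and END (bit 0).
function Value_To_ToPA_Table_Entry(v)
  return {
    PhysicalAddress = v & 0xfffffffffffff000,
    -- Size lives in bits 9:6 and must be shifted DOWN before masking. The
    -- original used `(v << 6) & 0xf`, which is always 0 and made the decoder
    -- disagree with the encoder for every non-4K region.
    Size = (v >> 6) & 0xf,
    STOP = (v & (1 << 4)) ~= 0,
    INT  = (v & (1 << 2)) ~= 0,
    END  = (v & 1) ~= 0,
  }
end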
--- Build the raw IA32_RTIT_CTL value from a flag table (inverse of
-- Value_To_RTIT_CTL). Only the fields listed in the layout below are encoded;
-- other keys in `e` are ignored and every unlisted bit comes out clear.
function RTIT_CTL_To_Value(e)
  -- field name -> bit position in IA32_RTIT_CTL
  local layout = {
    {"TraceEn",   0},
    {"OS",        2},
    {"USER",      3},
    {"CR3Filter", 7},
    {"ToPA",      8},
    {"TSCEn",     10},
    {"DisRETC",   11},
    {"Bit13",     13}, -- named BranchEn in the SDM
  }
  local raw = 0
  for _, field in ipairs(layout) do
    local name, bit = field[1], field[2]
    if e[name] then
      raw = raw | (1 << bit)
    end
  end
  return raw
end
--- Decode a raw IA32_RTIT_CTL value into a table of booleans (inverse of
-- RTIT_CTL_To_Value). Only the bits this script uses are decoded:
-- TraceEn(0), OS(2), USER(3), CR3Filter(7), ToPA(8), TSCEn(10), DisRETC(11)
-- and Bit13 (named BranchEn in the SDM).
function Value_To_RTIT_CTL(v)
  local layout = {
    TraceEn = 0, OS = 2, USER = 3, CR3Filter = 7,
    ToPA = 8, TSCEn = 10, DisRETC = 11, Bit13 = 13,
  }
  local flags = {}
  for name, bit in pairs(layout) do
    flags[name] = ((v >> bit) & 1) == 1
  end
  return flags
end
--- Write a flag table (see RTIT_CTL_To_Value) to IA32_RTIT_CTL on the
-- current core. Returns whatever dbk_writeMSR returns.
function setRTIT_CTL(e)
  local raw = RTIT_CTL_To_Value(e)
  return dbk_writeMSR(IA32_RTIT_CTL, raw)
end
--- Read IA32_RTIT_CTL from the current core and decode it with
-- Value_To_RTIT_CTL.
function getRTIT_CTL()
  local raw = dbk_readMSR(IA32_RTIT_CTL)
  return Value_To_RTIT_CTL(raw)
end
--- Decode the IA32_RTIT_STATUS flags this script looks at.
-- Returns booleans ContextEn (bit 1), TriggerEn (bit 2), Error (bit 4) and
-- Stopped (bit 5); the other fields of the MSR are not decoded.
function Value_To_RTIT_STATUS(v)
  local function bit_set(n)
    return ((v >> n) & 1) == 1
  end
  return {
    ContextEn = bit_set(1),
    TriggerEn = bit_set(2),
    Error     = bit_set(4),
    Stopped   = bit_set(5),
  }
end
--- Read IA32_RTIT_STATUS from the current core and decode it with
-- Value_To_RTIT_STATUS.
function getRTIT_STATUS()
  local raw = dbk_readMSR(IA32_RTIT_STATUS)
  return Value_To_RTIT_STATUS(raw)
end
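--- Allocate `size` bytes of kernel memory, lay it out as the ToPA buffer for
-- this core, and point IA32_RTIT_OUTPUT_BASE at it.
--
-- Layout: page 0 is the first ToPA table (8-byte entries); every following
-- 4 KiB page is an output region with its own entry (Size=0). When a table's
-- slots run out, the page that would have become the next output region is
-- used as the next table instead, and the last slot of the full table becomes
-- an END entry pointing at it. The last entry written is rewritten as a STOP
-- entry, so the core halts (IA32_RTIT_STATUS.Stopped) when the buffer is
-- exhausted instead of running past the end of the table.
--
-- Side effects: (re)assigns the global ToPAMemory (freeing any previous
-- buffer), writes IA32_RTIT_OUTPUT_BASE / IA32_RTIT_OUTPUT_MASK_PTRS, and
-- clears IA32_RTIT_CTL.TraceEn if tracing was still on.
-- Raises via error(): no opened process, size below three pages, allocation
-- failure, or an allocation that is not 4K aligned.
--
-- Safety: the core writes trace data to the physical addresses stored in the
-- ToPA entries, so a bad entry means the CPU overwrites arbitrary physical
-- memory. That is why allocation failure and misalignment are hard errors
-- here rather than the silent fall-through of the original.
function setupToPA(size)
  dbk_initialize()
  dbk_useKernelmodeOpenProcess()
  dbk_useKernelmodeProcessMemoryAccess()
  if getOpenedProcessID()==0 then error('First open a process') end
  if (size<12288) then error('setupToPA: size<12288') end --one table page plus at least two data pages

  -- Per the SDM the output MSRs may only be written while TraceEn=0 (a write
  -- with TraceEn=1 is a #GP). This matters when setupToPA is re-run after
  -- launchRTIT has already started tracing.
  local ctl=getRTIT_CTL()
  if ctl.TraceEn then
    ctl.TraceEn=false
    setRTIT_CTL(ctl)
  end

  if ToPAMemory~=nil then
    print("Free old ToPA memory block")
    freeKernelMemory(ToPAMemory)
    ToPAMemory=nil
  end

  local mem=allocateKernelMemory(size)
  if mem==nil or mem==0 then
    -- The original only skipped the setup here, which left launchRTIT free to
    -- enable ToPA output with nothing valid behind IA32_RTIT_OUTPUT_BASE.
    error('setupToPA: allocateKernelMemory failed')
  end
  if (mem & 0xfff)~=0 then
    -- Every 4096-byte step below is assumed to be a page boundary, and a ToPA
    -- entry has no room for a physical address that is not page aligned.
    freeKernelMemory(mem)
    error(string.format('setupToPA: kernel memory at %x is not 4K aligned', mem))
  end
  ToPAMemory=mem
  print(string.format("ToPA allocated at %x", ToPAMemory))

  --zero the whole block so unused table slots read as empty entries
  for i=0, size-7, 8 do
    writeQword(ToPAMemory+i,0)
  end

  local maxAddress=ToPAMemory+size-1
  local currentOutput=ToPAMemory+4096 --first output page; page 0 is the table
  local currentToPA=ToPAMemory        --slot the next entry is written to
  local maxToPA=currentToPA+4096-9    --at or past this, only the table's last slot is left
  local lastToPA=currentToPA
  local e={}
  while (currentOutput<maxAddress) do
    lastToPA=currentToPA
    e.PhysicalAddress= dbk_getPhysicalAddress(currentOutput)
    e.Size = 0 --4 KiB regions. todo: group together if on a proper alignment
    e.STOP = false
    e.INT = false --a PMI on region-full has no handler in this script
    if currentToPA>=maxToPA then
      --last slot of this table: END entry handing over to a new table, which
      --is the page we were about to hand out as an output region
      print("new ToPA list")
      e.END = true
      currentToPA=currentOutput
      maxToPA=currentToPA+4096-9
    else
      e.END = false
      currentToPA=currentToPA+8
    end
    writeQword(lastToPA, ToPA_Table_Entry_To_Value(e))
    currentOutput=currentOutput+4096
  end

  --end of memory: rewrite the last entry (same address) as a STOP region
  e.STOP = true
  e.INT = false
  e.END = false
  e.Size = 0
  writeQword(lastToPA, ToPA_Table_Entry_To_Value(e))

  --table is complete; hand it to the core, starting at entry 0 / output offset 0
  dbk_writeMSR(IA32_RTIT_OUTPUT_BASE, dbk_getPhysicalAddress(ToPAMemory))
  dbk_writeMSR(IA32_RTIT_OUTPUT_MASK_PTRS,0)
end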
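--- Start tracing on the current core into the buffer prepared by setupToPA.
-- Bits written to IA32_RTIT_CTL:
--   TraceEn=1, ToPA=1   trace into the ToPA buffer
--   USER=1, OS=0        user-mode code only
--   CR3Filter=0         no process filter: every user-mode task scheduled on
--                       this core is traced, not just the opened process
--   TSCEn=1             emit TSC timing packets
--   DisRETC=1           disable return compression
-- Bit13 is left as read back from the MSR; this script never sets it.
-- NOTE(review): the SDM names bit 13 BranchEn; whether it has to be set to get
-- control-flow packets depends on the part - confirm for your CPU.
-- Raises via error() when setupToPA has not produced a buffer: enabling ToPA
-- output with nothing valid behind IA32_RTIT_OUTPUT_BASE would make the core
-- read a table from, and write trace data to, whatever physical memory is there.
function launchRTIT()
  if ToPAMemory==nil or ToPAMemory==0 then
    error('launchRTIT: no ToPA buffer, call setupToPA first')
  end
  local e=getRTIT_CTL()
  e.TraceEn = true
  e.OS = false
  e.USER = true
  e.CR3Filter = false --for now: no per-process filtering
  e.ToPA = true
  e.TSCEn = true
  e.DisRETC = true
  setRTIT_CTL(e)
end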
-- Main: reset the trace MSRs on this core, build a 4 MiB ToPA buffer, start
-- tracing, and after one second report whether the core flagged an error.
-- TraceEn is cleared first because the output MSRs are only written while
-- tracing is off. Tracing is not disabled afterwards; the STOP entry written
-- by setupToPA halts it once the buffer is full.
dbk_writeMSR(IA32_RTIT_CTL,0)            -- TraceEn=0 before touching the other MSRs
dbk_writeMSR(IA32_RTIT_STATUS,0)         -- clear stale Error/Stopped
dbk_writeMSR(IA32_RTIT_OUTPUT_BASE, 0)
dbk_writeMSR(IA32_RTIT_OUTPUT_MASK_PTRS,0)
local TOPA_BUFFER_SIZE = 4194304         -- 4 MiB = 1024 pages of tables + 4 KiB output regions
setupToPA(TOPA_BUFFER_SIZE)
launchRTIT()
sleep(1000)
local status = getRTIT_STATUS()
if not status.Error then
  print("Yeeeh. ")
else
  print("fuck")
end
Set CE's CPU affinity to a single core before running this: the RTIT MSRs are per logical processor, so all the MSR reads/writes and the trace itself have to happen on the same core.