Defeating anti debug, also DBVM issues
Tag-X
Newbie cheater
Reputation: 0

Joined: 19 Jan 2015
Posts: 12

PostPosted: Thu Feb 19, 2015 10:59 am    Post subject: Defeating anti debug, also DBVM issues

I've made some cheats for a game that worked well. However, they recently released a patch, so I had to rebuild most of the stuff I already did (mostly just finding the right addresses of the functions).
They also introduced some anti-debugging mechanics that I don't know how to defeat.
Before the patch, I was able to use the VEH debugger with hardware breakpoints pretty well, with some random crashes.
But now neither VEH nor the Windows debugger works.
With Windows or VEH and HW or Int3 breakpoints, the breakpoints simply do not fire (or get removed by the protection?).
With Windows or VEH and page exceptions, the game crashes once the breakpoint fires.
Attaching the debugger is never a problem.

My system is:
OS: Windows 7 64-Bit, up-to-date
CPU: Intel Core i7-3930K (6 cores, 12 threads)
RAM: 16GB

I can't get DBVM to run, neither with on-demand offloading (BSOD with 'A clock interrupt was not received on a secondary processor within the allocated time interval') nor with booting from a USB stick (it doesn't even make it into the menu).

So I set up Windows 10 32-bit on an external hard drive and was able to debug the game in kernel mode.
The problem now is that the game doesn't run well on Win10 (bad decision?) and crashes even without CE running.

The game takes up about 2GB of memory so when limited to 3GB on 32-bit things get very slow very fast.

I would really love to be able to debug the game on 64-bit.
I tried other debuggers (olly, ida, etc.) with several different stealth plug-ins without any success.

So the options now are to either defeat the anti-debug stuff or to get DBVM to run (and hope that it works).

I'm not a pro at debugging; I don't even know where to start looking for the reason the breakpoints are not firing. Also, defeating the anti-debug is pretty overkill for my purposes.

Now, looking into the SVN, there weren't any changes to the DBVM in a while.
And when I search for DBVM-related stuff, it seems that once DBVM runs, it works quite well.
I also read about debugging DBVM via serial port.
My MB has a serial port header, and I surely have a sub-D bracket somewhere. I also have a notebook with a serial port. Making or buying a null modem cable is also not a problem.
So helping the devs out with debugging would be no problem for me if someone told me what to do.

Any suggestions on how to proceed?
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

PostPosted: Thu Feb 19, 2015 7:45 pm    Post subject:

Have you tried booting up with only 1 CPU enabled and hyperthreading off?
(And have you tried DBVM on that notebook? DBVM can be influenced by the CPU type and mainboard, so it might work there.)

Do you know if the serial port on your system uses port 0x3f8 ?

Anyhow, I have 2 builds here
http://cheatengine.org/temp/dbvm-release.zip : the current build in release mode with a few small fixes (deals with some new CPU incompatibilities).
It includes a bootable CD image you can try.

http://cheatengine.org/temp/dbvm-debug-3f8.zip : the current build in debug mode, with the serial port configured on port 0x3f8 (tell me if your system has a different port).
Also includes a bootable CD.
You probably won't be able to use this much, as the debug mode will halt on every CS:RIP it hasn't been told to ignore (hardcoded), but it may show you why it fails.


For using the debug port a serial connection MUST be present, else it will wait indefinitely for a command to launch the virtual machine.
If you intend to debug the runtime offloading, first initialize the serial port using a terminal program (PuTTY will suffice. Set it up to 115200 bps and confirm the serial connection works by typing on both systems).

Oh yes, if you intend on trying the runtime offload option, you'll need this to use the vmdisk.img: http://cheatengine.org/temp/dbk64-unsigned.rar (boot up with unsigned driver support).


edit:
and try http://googledrive.com/host/0BwMAnE6mjogMTmpYMGstY1NPQnc/pure%20r2902.7z

it contains a fix for the page exception breakpoints

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
Tag-X
Newbie cheater
Reputation: 0

Joined: 19 Jan 2015
Posts: 12

PostPosted: Fri Feb 20, 2015 2:54 am    Post subject:

Thank you for your reply.
I will look into it later, when I have more time on my hands.

edit:

Dark Byte wrote:
You tried booting up with only 1 cpu enabled and hyperthreading off ?

Did that with different settings in BIOS, results:

3 cores, no HT: runtime offload works
4 cores, no HT: runtime offload works
5 cores, no HT: runtime offload works
6 cores, no HT: runtime offload works
3 cores, HT: runtime offload works
4 cores, HT: runtime offload works
5 cores, HT: runtime offload works
6 cores, HT: runtime offload does NOT work (BSOD with 'A clock interrupt was not received on a secondary processor within the allocated time interval')



Dark Byte wrote:

(and have you tried dbvm on that notebook ? dbvm can be influenced by the cpu type and mainboard so it might work there)

The notebook doesn't run the game, it is somewhat ancient.

Dark Byte wrote:

Do you know if the serial port on your system uses port 0x3f8 ?

I was able to configure it so in the BIOS.

Dark Byte wrote:

Anyhow, I have 2 builds here
~~~ : The current build in release mode with a few small fixes (deals with some new cpu incompatibilities)
it includes a bootable cd image you can try

Booting doesn't work, same as with the 6.4 release version.
And the runtime offload behaves just like described above.

Dark Byte wrote:

~~~ : The current build in debug mode, with serial port configured on port 0x3f8 (tell me if your system has a different port)
Also includes a bootable CD
you probably won't be able to use this much as the debug mode will halt on every CS:RIP it hasn't been told about to ignore (hardcoded) but it may show you why it fails


Booting also doesn't work; however, I can provide what came in through the serial port:
Code:

normal
;
--------------------------------
Welcome to Dark Byte's vmloader
--------------------------------
a=3000ffff
b=50004000
_vmloader_main got loaded at address 000307ca
reservedmem_listcount=19 (address of it = 0003015c )
Going to read the VMM into memory...
isAP value=00 (address=00033ba0)
VMM starts at sector 33
LOGO starts at sector 0
i=0 : BaseAddress=0000000000000000, Length=0000000000092800, Type=1
i=1 : BaseAddress=0000000000092800, Length=000000000000d800, Type=2
i=2 : BaseAddress=00000000000e0000, Length=0000000000020000, Type=2
i=3 : BaseAddress=0000000000100000, Length=00000000ba47b000, Type=1
i=4 : BaseAddress=00000000ba57b000, Length=000000000002c000, Type=2
i=5 : BaseAddress=00000000ba5a7000, Length=0000000000132000, Type=1
i=6 : BaseAddress=00000000ba6d9000, Length=00000000001ec000, Type=4
i=7 : BaseAddress=00000000ba8c5000, Length=0000000000cab000, Type=2
i=8 : BaseAddress=00000000bb570000, Length=0000000000024000, Type=1
i=9 : BaseAddress=00000000bb677000, Length=0000000000002000, Type=2
i=10 : BaseAddress=00000000bb596000, Length=0000000000001000, Type=1
i=11 : BaseAddress=00000000bb597000, Length=0000000000086000, Type=4
i=12 : BaseAddress=00000000bb61d000, Length=0000000000444000, Type=1
i=13 : BaseAddress=00000000bba61000, Length=0000000000592000, Type=2
i=14 : BaseAddress=00000000bbff3000, Length=000000000000d000, Type=1
i=15 : BaseAddress=0000000100000000, Length=0000000340000000, Type=1
i=16 : BaseAddress=00000000d0000000, Length=0000000010000000, Type=2
i=17 : BaseAddress=00000000fed1c000, Length=0000000000004000, Type=2
i=18 : BaseAddress=00000000ff000000, Length=0000000001000000, Type=2
Max address=3ffd64

After that it halts with a blinking cursor. No reaction on key press, etc.

And the runtime offload behaves similar to what I described above.
However, it doesn't BSOD but totally freezes the PC:
No keys work, the screen freezes (Ctrl+Alt+Del doesn't work either).

Dark Byte wrote:

If you intend to debug the runtime offloading, first initialize the serial port using a terminal program (putty will suffice. Set it up to 115200 BPS and confirm the serial connection works by typing on both systems)

I can't get this to work, there is no data on serial even if the offloading succeeds.

Dark Byte wrote:

and try ~~~

it contains a fix for the page exception breakpoints


Didn't change anything for either the Windows or the VEH debugger.
Tag-X
Newbie cheater
Reputation: 0

Joined: 19 Jan 2015
Posts: 12

PostPosted: Sat Feb 21, 2015 12:17 pm    Post subject:

*poke*
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

PostPosted: Sat Feb 21, 2015 12:42 pm    Post subject:

5 cores with HT is more than anyone could ever need... (jk, perhaps it's a stack allocation issue where there's not enough memory for cpu 11 and/or 12 )

For PuTTY, what part doesn't work? Setting it up so what you type shows up on the other system? Or the part where DBVM loads? If setting it up initially, make sure you provide the proper COM port (and that Windows didn't assign it a new port number).


For the bootloader part:
Max address=3ffd64 is weird (sounds like a stack pointer).
Is there anything else on the display? (There are some display-only lines after max address.)

If I'm correct it should have picked
Code:

i=12 : BaseAddress=00000000bb61d000, Length=0000000000444000, Type=1

to load itself in, giving it max address BBA61000.

Check your BIOS and see if there is an option to set it up for a 64-bit aware system. That changes the memory map.


edit:
I've uploaded a more verbose version at http://cheatengine.org/temp/dbvm-debug-3f8.zip

Tag-X
Newbie cheater
Reputation: 0

Joined: 19 Jan 2015
Posts: 12

PostPosted: Sun Feb 22, 2015 8:26 am    Post subject:

Dark Byte wrote:
5 cores with HT is more than anyone could ever need... (jk, perhaps it's a stack allocation issue where there's not enough memory for cpu 11 and/or 12 )

With 16GB of memory and 2.5GB usage in idle? Idk.
From what the error message says, it seems more like there is some kind of watchdog process running on one of the cores that makes sure that some important timers on other cores run properly.
Since I don't know how the offloading works, I can't tell for sure, but if you basically pause all processes, move them into the VM and resume them, it might take too long for a large number of cores, meaning that the timer was not triggered in time. (Just an idea, I'm not an expert, don't take my word for it.)

Dark Byte wrote:

For putty, what part doesn't work? Setting it up so what you type show up on the other system? Or the part where dbvm loads ? If setting it up initially, make sure you provide the proper com port (and that windows didn't assign it a new port number)

Setting it up works fine, I can write back and forth with PuTTY. It also works fine when trying to boot with DBVM.
However, as far as I understood it, I should be able to get some debug output on the serial port when trying to do the on-demand offloading.
I can't get this to work. I configured the serial port correctly in the device manager and also ran PuTTY with the correct settings and tested it, which always works. I close PuTTY, start CE and initiate the offloading, but don't get anything on the serial port. All this of course using the debug build. (Maybe I misunderstood you?)

Dark Byte wrote:

for the bootloader part,:
Max address=3ffd64 is weird (sounds like a stack pointer)
Is there anything else on the display ? (there are some display only lines after max address)

if i'm correct it should have picked
Code:

i=12 : BaseAddress=00000000bb61d000, Length=0000000000444000, Type=1

to load itself in, giving it max address BBA61000


I tried it again with the more detailed debug version; here is what came in through the serial port:

Code:
normal
;

--------------------------------
Welcome to Dark Byte's vmloader
--------------------------------
a=3000ffff
b=50004000
_vmloader_main got loaded at address 000307ca
reservedmem_listcount=19 (address of it = 0003015c )
Going to read the VMM into memory...
isAP value=00 (address=00033d40)
VMM starts at sector 34
LOGO starts at sector 0
i=0 : BaseAddress=0000000000000000, Length=0000000000092800, Type=1
i=1 : BaseAddress=0000000000092800, Length=000000000000d800, Type=2
i=2 : BaseAddress=00000000000e0000, Length=0000000000020000, Type=2
i=3 : BaseAddress=0000000000100000, Length=00000000ba482000, Type=1 < 'new' potential region
i=4 : BaseAddress=00000000ba582000, Length=000000000002c000, Type=2
i=5 : BaseAddress=00000000ba5ae000, Length=0000000000138000, Type=1
i=6 : BaseAddress=00000000ba6e6000, Length=00000000001e6000, Type=4
i=7 : BaseAddress=00000000ba8cc000, Length=0000000000cab000, Type=2
i=8 : BaseAddress=00000000bb577000, Length=0000000000023000, Type=1
i=9 : BaseAddress=00000000bb59a000, Length=0000000000002000, Type=2
i=10 : BaseAddress=00000000bb59c000, Length=0000000000001000, Type=1
i=11 : BaseAddress=00000000bb59d000, Length=0000000000086000, Type=4
i=12 : BaseAddress=00000000bb623000, Length=000000000043e000, Type=1 < 'new' potential region
i=13 : BaseAddress=00000000bba61000, Length=0000000000592000, Type=2
i=14 : BaseAddress=00000000bbff3000, Length=000000000000d000, Type=1
i=15 : BaseAddress=0000000100000000, Length=0000000340000000, Type=1
i=16 : BaseAddress=00000000d0000000, Length=0000000010000000, Type=2
i=17 : BaseAddress=00000000fed1c000, Length=0000000000004000, Type=2
i=18 : BaseAddress=00000000ff000000, Length=0000000001000000, Type=2
Max address=00000000bba61000 (region 12)
1:start=bb661000
1.5:start mod 0x00400000=00261000
2:start=bb400000
chosenregion=12
Adjusting memory map (done for physical memory access devices)
Adjusted reserved memory size as well
newmap=
i=0 : BaseAddress=0000000000000000, Length=0000000000092800, Type=1
i=1 : BaseAddress=0000000000092800, Length=000000000000d800, Type=2
i=2 : BaseAddress=00000000000e0000, Length=0000000000020000, Type=2
i=3 : BaseAddress=0000000000100000, Length=00000000ba482000, Type=1
i=4 : BaseAddress=00000000ba582000, Length=000000000002c000, Type=2
i=5 : BaseAddress=00000000ba5ae000, Length=0000000000138000, Type=1
i=6 : BaseAddress=00000000ba6e6000, Length=00000000001e6000, Type=4
i=7 : BaseAddress=00000000ba8cc000, Length=0000000000cab000, Type=2
i=8 : BaseAddress=00000000bb577000, Length=0000000000023000, Type=1
i=9 : BaseAddress=00000000bb59a000, Length=0000000000002000, Type=2
i=10 : BaseAddress=00000000bb59c000, Length=0000000000001000, Type=1
i=11 : BaseAddress=00000000bb59d000, Length=0000000000086000, Type=4
i=12 : BaseAddress=00000000bb623000, Length=00000000ffddd000, Type=1
i=13 : BaseAddress=00000000bb400000, Length=0000000000bf3000, Type=2
i=14 : BaseAddress=00000000bbff3000, Length=000000000000d000, Type=1
i=15 : BaseAddress=0000000100000000, Length=0000000340000000, Type=1
i=16 : BaseAddress=00000000d0000000, Length=0000000010000000, Type=2
i=17 : BaseAddress=00000000fed1c000, Length=0000000000004000, Type=2
i=18 : BaseAddress=00000000ff000000, Length=0000000001000000, Type=2
reservedmem_listcount=19
Going to zero 0x00400000 bytes at bb400000


Behaviour is the same as before.
After the last line it halts with a blinking cursor and no reaction on key press, locally or over serial.

Dark Byte wrote:

check your bios and see if there is an option to set it up for a 64-bit aware system. That changes the memory

I searched but found no such option or anything that seemed similar.
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

PostPosted: Sun Feb 22, 2015 5:56 pm    Post subject:

I see the problem with booting.
The aligning of memory is causing the start to be in a memory location occupied by a device (type 2). I'll need to add a check for that (so it picks region 3 instead).

What I mean with stack issue is that DBVM only allocates 8MB RAM and divides it up by CPU count (every CPU gets its own stack) and some private memory manager. Perhaps it's not enough.

It could be that offloading takes too long, but it should do it only after each CPU has finished (CPU 0 is the one triggering the BSOD, so that one is already running).

As for debugging, do not close PuTTY. Keep it open. (If you close it, Windows may mess up the connection.)

Anyhow,
I've updated both http://cheatengine.org/temp/dbvm-release.zip and http://cheatengine.org/temp/dbvm-debug-3f8.zip
so it now picks memory regions that have at least 8MB free (it won't fix the offloading).

Tag-X
Newbie cheater
Reputation: 0

Joined: 19 Jan 2015
Posts: 12

PostPosted: Mon Feb 23, 2015 6:07 am    Post subject:

Dark Byte wrote:
i see the problem with booting
the aligning of memory is causing the start to be in a memorylocation occupied by a device (type 2) i'll need to add a check for that (so it picks region3 instead)
[...]
Anyhow,
I've updated both ~~~ and ~~~
so it now picks memory regions that have at least 8MB free (it won't fix the offloading)


Ok, progress (yay!).
I was able to reach the menu now. In release mode, when starting the VM it tries to boot Windows but hangs on this screen:
http://i.minus.com/ibczHWEZi9y9P5.gif

In debug mode, after starting the VM I get bombarded with errors that I have to handle manually. So I resumed the VM for some time until I noticed that it seemed to have run into an infinite loop. Idk if debug output is helpful at that point, but tell me what you need, if so.

Dark Byte wrote:

what i mean with stack issue, is that dbvm only allocates 8MB RAM and divides it up by cpu count (every cpu gets it's own stack) and some private memory manager. Perhaps it's not enough

it could be that offloading takes too long, but it should do it only after each cpu has finished (cpu 0 is the one triggering the bsod, so that one is already running)

I'm not an expert on x86 machines, but on microcontrollers you can have hardware-controlled timers that can be configured via registers and that trigger a HW interrupt every time they fire. Some microcontrollers have persistent interrupts, meaning that it sets a flag bit in a register that has to be reset manually once the interrupt was handled. If not reset, the interrupt would simply fire again after the return from interrupt. Idk what happens if I put a CPU on halt, but I assume that interrupts will not be handled. On resume the CPU might have some interrupts pending that piled up during halt, but it is also possible that the CPU blocks interrupts that occur during halt. Some microcontrollers can even be woken up from halt via interrupts and then go back to halt after the return from interrupt.

Dark Byte wrote:

As for debugging, do not close putty. Keep it open. (if you close it windows may mess up the connection)


Ok, that did the trick. The debug serial output is long, so I put it on pastebin:
http://pastebin.com/qJM67uUN
This is the output for 6 cores + HT. Everything else worked.
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

PostPosted: Mon Feb 23, 2015 6:36 am    Post subject:

Quote:

On release mode when starting the VM it tries to boot windows but it hangs on this screen:
http://i.minus.com/ibczHWEZi9y9P5.gif

How does it freeze? Does the animation stop? Have you tried waiting 15 minutes? (It can be slow during boot, as real mode is done using software emulation.)

Quote:

On debug mode after starting the VM I get bombarded with errors that I have to handle manually. So I resumed the VM for some time until I notices that it seemed to have run into an infinite loop. Idk if debug output is helpful at that point, but tell me what you need, if so.

It's not really an infinite loop, more a loop of a million iterations.

You could post a log and I can add to the debug section some known CS:RIP addresses that are handled correctly, so it won't break on those anymore.
Then after you test that you'll have a new list which I have to add as well, ...

It may be easier/faster if you were to compile DBVM yourself and add those entries yourself (if you feel like it; it's a really annoying task, and ultimately, when the OS gets fully loaded and starts randomizing positions, it's a bit futile from that point on (unless you use masks, but that's not accurate)).


For the log, it looks like some things mess up. I see some garbage on the serial output, but I'm not sure if it's just the serial port getting reinitialized by another launching CPU before the buffer has been fully sent.

The important part:
Code:

Setting up cpunr=11
New CPU CORE. CPUNR=11 APICID=12 (cpuinfo struct at : 00453a68 rsp=53fe40)
configured a cpuinfo structure (11 (00453a68) )
CPU CORE 11: entering VMX mode
cpu 11: startvmx:
currentcpuinfo=0000000000453a68  (cpunr=11)
ESP=000000000053fd90
APICID=12
Version Information=206d7 :
        stepping_id=7
        model=13
        family_id=6
        proc_type=0
        ext_model_id=2
        ext_fam_id=0
Brand Index/CLFLUSH/Maxnrcores/Init APIC=b200800 :
        Brand Index=0
        CLFLUSH line size=8
        Maximum logical cpu's=32
        initial APIC=11
11:System check successful. INTEL-VT is supported
!!!!!!!!!!!!!!This system su0orts VMX!!!!!!!!!!!!!!
Going to call IA32_FEATURE_CONTROL=readMSR(0x3a)
IA32_FEATURE_CONTROL=0000000000000005
IA32_FEATURE_CONTROL is locked (value=0000000000000005). (Disabled in bios?)
VMXON was already enabled in the feature control MSR
Gathering VMX info
Setting CR4
Allocated vmxon_region at 00000000004f8000 (000000043504e000)
Allocated vmcs_reg)at 00000000004f9000 (000000043504f000)
revision id=16
IA32_FEATURE_CONTROL=0000000000000005
IA32_VMX_CR0_FIXED0=0000000080000021 IA32_VMX_CR0_FIXED1=00000000ffffffff
IA32_VM23%a=0000000000002000 IA32_VMX_CR4_FIXED1=00000000000627ff
CR0=0000000080050031  (Should be 0000000080050031)
CR4=0000000000002230  (Should be 0000000000002230)
vmxon_region00000043504e000
11:Checks successfull. Going to call vmxon
vmxon success
11: vmxon success
11: calling vmclear
11: calling vmptrld
11: vmptrld successful. Calling setupVMX
11: Calling setupVMX with currentcpuinfo 0000000000453a68
AvailableVirtualAddress=00000000c0000000
Setting up realmode paging
Setting up protected mode paging for nonpaged emu
VirtualMachinePageDirPointer=000000000047f000
VirtualMachinePageDir=0000000000480000
after "if (globals_have_been_configured==0)" rsp=000000000053fce0
11: Initializing vmcs region for launch
Set vm_execution_controls_pin to 00000016 (became 00000016)
IA32_VMX_EXIT_CTLS=007fffff00036dff
Set vm_exit_controls to 0003efff (became 0003efff)
Setting up guest based on loadedOS settings
originalstate->cpucount=12
originalstate->cr0=0000000080050031
originalstate->cr2=fffff9800ee00158
originalstate->cr3=000000037e039000
originalstYK=00000000000406f8
originalstate->rip=fffff88009679d6d
originalstate->cs=10
originalstate->ss=18
originalstate->ds=2b
originalstate->es=2b
originalstate->fs=53
original>gs=2b
originalstate->ldt=0
originalstate->tr=40
originalstate->dr7=0000000000000400
originalstate->gdtbase=fffff88003754740
originalstate->gdtlimit=7f
originalstate->idtbase=fffff880037547c0
originalstate->idtlimit=fff
originalstate->originalLME=1
originalstate->rflags=0000000000000082
originalstate->rax=0000000000000000
originalstate->rbx=0000000000000082
originalstate->rcx=358d122cf26c0000
originalstate->rdx=0000000000000008
originalstate->rsi=0000000000000001
originalstate->rdi=0000000000000000
originalstate->rbp=fffff8800967c7c0
originalstate->rsp=fffff8800bf10498
originalstate->r8=0000000000000001
originalstate->r9=fffff80002eba000
originalstate->r10=0000000000000001
originalstat1=fffff8800bf10498
originalstate->r12=fffff88009677a5c
originalstate->r13=0000000000000001
originalstate->r14=0000000000000000
originalstate->r15=fffffa8017b45c50
Set vm_execution_controls_cpu to 1601e372 (became 1601e372)
guest is 64bit
Set vm_entry_controls to 000013ff (became 000013ff)
inside getPhysicalAddressVM , for address fffff88003754740
U        ͕00000000c02c1740, 0000000000000000, 0, 0
getSegmentBaseEx(00000000c02c1740, 0000000000000000, 43, 0
getSegmentBaseEx(00000000c02c1740, 0000000000000000, 16, 0
getv   ͕00000000c02c1740, 0000000000000000, 24, 0
getSegmentBaseEx(00000000c02c1740, 0000000000000000, 43, 0
64-bit
Have set fs base to 00000000fffe0000 and gs base to fffff88003749000
getSegmentBaseEx(00000000c02c1740, 0000000000000000, 64, 1
Guest is setup to start at 10:fffff88009679d6d
host setup
Finished configuring
11: Virtual Machine configuration successful. Launching...
Calling vmxloop with currentcpuinfo=0000000000453a68
Right before entering the loop:JHandling vm(m)call on cpunr:11
Password1 is valid
Allocating a virtual TLB
AvailableForPaging=15554000
cpunr=11
intnr=14
rsp=53d5e0
cr2=0000000000000000
Interrupt has errorcode : 3 (EXT IDT 0 )
Checking if it was an expected interrupt
not expected
Status:
r15=00000000009fa6c0
r14=00000000009fad58
r13=00000000004360e0
r12=000000000dcc4f40
r11=0000000001dce780
r10=0000000000000000
r9=0000000001dce7e0
r8=0000000001dce158
rbp=000000000053e900
rsi=0000000000001000
rdi=0000000000000000
rdx=0000000000000000
rcx=0000000000000000
rbx=0000000076543210
rax=0000000000000000
intnr=000000000000000e
stack[16]=0000000000000003
stack[17]=000000000040b414
stack[18]=0000000000000050
stack[19]=0000000000010046
--------------
DR6=00000000ffff0ff0
DR2=0000000000000000
eip=000000000040b414
cs=0000000000000050
rflags=0000000000010046 ( PF ZF RF )Trying to disassemble caller instruction
40b3f6 : 8975 e4 - MOV [RBP-0x1c], ESI
40b3f9 : 48 8b45 e8 - MOV RAX, [RBP-0x18]
40b3fd : 48 8945 f0 - MOV [RBP-0x10], RAX
40b401 : c745 fc 00000000 - MOV DWORD [RBP-0x4], 0x0
40b408 : eb 11 - JMP 0x40b41b
40b40a : 8b55 fc - MOV EDX, [RBP-0x4]
40b40d : 48 8b45 f0 - MOV RAX, [RBP-0x10]
40b411 : 48 01d0 - ADD RAX, RDX
>>40b414 : c600 00 - MOV BYTE [RAX], 0x0
40b417 : 8345 fc 01 - ADD DWORD [RBP-0x4], 0x1
40b41b : 8b45 fc - MOV EAX, [RBP-0x4]
40b41e : 3b45 e4 - CMP EAX, [RBP-0x1c]
40b421 : 72 e7 - JB 0x40b40a
40b423 : 5d - POP RBP
40b424 : c3 - RET
40b425 : 55 - PUSH RBP
40b426 : 48 89e5 - MOV RBP, RSP
40b429 : 48 897d d8 - MOV [RBP-0x28], RDI
40b42d : 48 8975 d0 - MOV [RBP-0x30], RSI
40b431 : 8955 cc - MOV [RBP-0x34], EDX
40b434 : 48 8b45 d8 - MOV RAX, [RBP-0x28]
40b438 : 48 8945 f0 - MOV [RBP-0x10], RAX
End of interrupt
----------------------------
Interrupt handler debug menu
----------------------------
1: Exit from interrupt
2: Check CRC values
3: Get vmstate
p: Previous vmstates
cpunr=11
getTaskRegister()=60
Activity state : 0      interruptibility state : 0
IS64BITPAGING=1 IS64BITCODE=1 ISREALMODE=0
efer=d01
ia32e mode guest=1
IA32_SYSENTER_CS=0 IA32_SYSENTER_EIP=0 IA32_SYSENTER_ESP=0
...no registers...
RSP=0000000001dce760                       R12=0000000000000000
RIP=00000000005bf98b                       R13=0000000000000000
                                           R14=0000000000000000
                                           R15=0000000000000000
rflags=0000000000000202 (VM=0 RF=0 IOPL=0 NT=0)
(CF=0 PF=0 AF=0 ZF=0 SF=0 TF=0 IF=1 DF=0 OF=0)
cs=00000033  (base=0000000000000000 , limit=ffffffff, AR=0000a0fb)
ss=0000002b  (base=0000000000000000 , limit=ffffffff, AR=0000c0f3)
ds=0000002b  (base=0000000000000000 , limit=ffffffff, AR=0000c0f3)
es=0000002b  (base=0000000000000000 , limit=ffffffff, AR=0000c0f3)
fs=00000053  (base=00000000fffe0000 , limit=0002fc00, AR=000040f3)
gs=0000002b  (base=000007fffffde000 , limit=ffffffff, AR=0000c0f3)
ldt=00000000 (base=0000000000000000 , limit=00000000, AR=00010000)
tr=00000040  (base=fffff8800374e140 , limit=00000067, AR=0000008b)
gdt: base=fffff88003754740 limit=7f
idt: base=fffff880037547c0 limit=fff
guest: dr0=0000000000000000 dr1=0000000000000000 dr2=0000000000000000
       dr3=0000000000000000 dr6=00000000ffff0ff0 dr7=0000000000000400
host dr7=0000000000000400
cr2=0000000000000000
real:
cr0=0000000080050031 cr3=000000037e039000 cr4=00000000000426f8
fake (what vm sees):
cr0=0000000080050031 cr3=000000037e039000 cr4=00000000000406f8
----------------------------


It wants to write 0 to address 0. But the reason for that could be anything, including stack corruption.
And if it's stack corruption, then the debug information can't be trusted 100% either, so it's a bit annoying to fix.

edit: Yup, it's the ONLY CPU that's "Handling vm(m)call" out of nowhere, so its RIP register got changed to a wrong location.

Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

PostPosted: Mon Feb 23, 2015 6:56 am    Post subject:

I've changed the default stacksize of VMM threads from 256KB to 128KB and uploaded those versions here: http://cheatengine.org/temp/dbvm-release.zip and http://cheatengine.org/temp/dbvm-debug-3f8.zip

Perhaps it won't cause a problem; else I may have to redo some of the memory management parts (which will be a pain. Could be it's the memory manager to begin with).

Tag-X
Newbie cheater
Reputation: 0

Joined: 19 Jan 2015
Posts: 12

PostPosted: Mon Feb 23, 2015 9:23 am    Post subject:

Dark Byte wrote:
How does it freeze? Does the animation stop? Have you tried waiting 15 minutes? (it can be slow during boot as realmode is done using software emulation)

The animation stops, no reaction on key press, no hard drive access.
Tried it again with the latest release build, still the same; waited 5-10 minutes with no change.

Dark Byte wrote:
I've changed the default stacksize of VMM threads from 256KB to 128KB and uploaded those versions here: ~~~ and ~~~


Logs from offloading:
http://tny.cz/ac16cac6
With the latest debug build I'm no longer able to give commands back to the PC over serial. Pressing 1 does nothing; this used to work before.

Logs from boot:
http://tny.cz/391a6e6e
I held down 1 once it started with the exceptions.
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

PostPosted: Mon Feb 23, 2015 3:37 pm    Post subject:

Hmm, instead of the stack it could be that memory allocation just failed (AvailableForPaging is too large, as there should be only 4MB max. Perhaps an underflow, but then I'd have expected a MUCH higher value).


About the boot log, did you press 9 to quit the VM at the end? (I should let it echo the command.)
Next time when in that loop, press 5 for a disassembly of the code you're in to see why it's looping. Perhaps it's waiting for something that never happens, or you booted the wrong disk. Tip: if booting from USB, remove the USB disk before launching the virtual machine. Some systems don't like it when the DBVM image is on a USB disk (old ASUS systems can even freeze the whole system, even in OSes without USB support, like DOS).

Another thing I see from the boot log is that it doesn't wake the hyperthreaded CPUs. Only the main ones get awakened.

I've adjusted the memory manager so it has some more memory to use (it uses the space generated by the smaller stack now),
and I made the memory manager a bit more verbose about what it's doing.

http://cheatengine.org/temp/dbvm-release.zip and http://cheatengine.org/temp/dbvm-debug-3f8.zip

Tag-X
Newbie cheater
Reputation: 0

Joined: 19 Jan 2015
Posts: 12

PostPosted: Tue Feb 24, 2015 3:31 am

Dark Byte wrote:
About the boot log, did you press 9 to quit the VM at the end? (I should let it echo the command.)
Next time when in that loop, press 5 for a disassembly of the code you're in to see why it's looping. Perhaps it's waiting for something that never happens, or you booted the wrong disk. Tip: if booting from USB, remove the USB disk before launching the virtual machine. Some systems don't like it when the DBVM image is on a USB disk (old ASUS systems can even freeze the whole system, even in OSes without USB support, like DOS).

Yes, I pressed 9 at the end.
I'm sure that I'm booting from the right disk, because in release mode it starts to boot Windows (I only have one drive with Windows).

Dark Byte wrote:

Another thing I see from the boot log is that it doesn't wake the hyperthreaded CPUs. Only the main ones get awakened.

I was booting with HT disabled.

Dark Byte wrote:

I've adjusted the memory manager so it has some more memory to use (it uses the space generated by the smaller stack now),
and I made the memory manager a bit more verbose about what it's doing.

~~~ and ~~~


Boot with 6 cores and no HT:
https://paste.ee/p/iKi4l
I pressed 5 and 1 in turns at the start, later pressed 2, 5 and 1 in turns.
At the end I quit with 9.
In release mode it is the same as before:
halts on "Starting Windows" with no reaction to key presses and no hard disk access.

Offload with 6 cores and no HT:
https://paste.ee/p/tdqsX
Ran through it smoothly.

Offload with 6 cores and HT:
https://paste.ee/p/N5OOe
Halted at the end with no reaction to key presses, neither locally nor via serial.
In release mode it is the same as before:
BSOD with 'A clock interrupt was not received on a secondary processor within the allocated time interval'
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

PostPosted: Tue Feb 24, 2015 4:38 am

OK, this confirms that the memory allocation fails (something has eaten all the available memory, even after the memory boost).

The booting, yeah, it's not an infinite loop, but a way for protected mode to call real mode code. It's possible it's doing that for every single byte it accesses (e.g. Windows text-mode boot switches between real mode and protected mode for every character it writes to the screen),
but because it causes a VM exit and subsequent serial port slowness, it's going to be slow / take a while.

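Dark Byte's diagnosis in the two posts above (an AvailableForPaging count larger than the 4MB pool, and his remark that a real unsigned underflow would have produced a MUCH higher value) is easy to reproduce in a toy allocator. The following is an added example and not DBVM's code: the 1024-page pool, the function names and the `available_pages` field are assumptions chosen for illustration, with `available_pages` merely standing in for a counter like AvailableForPaging. It shows both ways such a counter ends up "too large" (an unchecked subtraction that wraps to about 4 billion, and a double free that over-counts by one page) and the audit that would catch either before the allocator hands out memory it does not have.

```c
/* Added example, not DBVM code: a toy page-frame allocator whose free-page
 * counter can be corrupted two different ways, plus an audit that detects it.
 * Pool size, names and the demo scenario are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define POOL_PAGES  1024u                      /* 4MB pool, the cap mentioned in the thread */
#define POOL_BYTES  ((size_t)POOL_PAGES * PAGE_SIZE)

typedef struct {
    uint8_t  used[POOL_PAGES];   /* 1 = page handed out, 0 = free */
    uint32_t available_pages;    /* running free-page count, stand-in for AvailableForPaging */
} page_pool;

static void pool_init(page_pool *p)
{
    memset(p->used, 0, sizeof p->used);
    p->available_pages = POOL_PAGES;
}

/* Returns a page index, or -1 when the pool is exhausted. */
static int pool_alloc(page_pool *p)
{
    if (p->available_pages == 0)
        return -1;
    for (uint32_t i = 0; i < POOL_PAGES; i++) {
        if (!p->used[i]) {
            p->used[i] = 1;
            p->available_pages--;
            return (int)i;
        }
    }
    return -1;  /* counter claimed free pages but the bitmap has none: accounting bug */
}

/* Buggy bulk reservation: subtracts without checking. Reserving more pages
 * than are available wraps the uint32_t to about 4 billion, which is the
 * "underflow" pattern: far above the pool size, not slightly above it. */
static uint32_t pool_reserve_unchecked(page_pool *p, uint32_t n)
{
    p->available_pages -= n;
    return p->available_pages;
}

/* Buggy free: trusts the caller. A double free increments the counter twice,
 * leaving it one page above the pool size (slightly "too large"). */
static void pool_free_unchecked(page_pool *p, int idx)
{
    p->used[idx] = 0;
    p->available_pages++;
}

/* Hardened free: rejects out-of-range and already-free pages.
 * Returns 0 on success, -1 for a bad index, -2 for a double free. */
static int pool_free_checked(page_pool *p, int idx)
{
    if (idx < 0 || (uint32_t)idx >= POOL_PAGES) return -1;
    if (!p->used[idx]) return -2;
    p->used[idx] = 0;
    p->available_pages++;
    return 0;
}

/* Audit: the counter may never exceed the pool and must match the bitmap.
 * Returns 0 when consistent, 1 when counter*PAGE_SIZE > pool (the "too large"
 * symptom), 2 when the counter is in range but disagrees with the bitmap. */
static int pool_audit(const page_pool *p)
{
    if ((uint64_t)p->available_pages * PAGE_SIZE > POOL_BYTES)
        return 1;
    uint32_t free_count = 0;
    for (uint32_t i = 0; i < POOL_PAGES; i++)
        free_count += !p->used[i];
    return free_count == p->available_pages ? 0 : 2;
}

/* Runs both failure scenarios; bit 0 = underflow caught, bit 1 = double free caught. */
static int demo(void)
{
    page_pool p;
    int mask = 0;

    pool_init(&p);
    pool_reserve_unchecked(&p, POOL_PAGES + 1);   /* 1024 - 1025 wraps to 0xFFFFFFFF */
    if (pool_audit(&p) == 1) mask |= 1;

    pool_init(&p);
    int idx = pool_alloc(&p);
    pool_free_unchecked(&p, idx);
    pool_free_unchecked(&p, idx);                 /* double free: counter becomes 1025 */
    if (pool_audit(&p) == 1) mask |= 2;
    return mask;
}

int main(void)
{
    printf("audit caught failure modes: %d (expected 3)\n", demo());
    return 0;
}
```

The audit's first check is the cheap one worth running on every allocation path: a free count that exceeds the pool is impossible by construction, so hitting it means the accounting, not the caller, is broken, and comparing the counter against the bitmap then tells you which direction it drifted.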
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

PostPosted: Tue Feb 24, 2015 5:12 am

Oops, I forgot to adjust the size of the allocatable memory to the new memory size.

I've uploaded new versions with the fixed size, got rid of some less-than-useful debug messages (for this case) and added a few cs:rip addresses to the ignore list based on the log.

Same URLs.
