Cheat Engine Forum Index -> Cheat Engine

Windows 10 DBVM
Gr0t
How do I cheat?
Reputation: 0

Joined: 30 Jul 2015
Posts: 2

PostPosted: Thu Jul 30, 2015 1:11 am    Post subject: Windows 10 DBVM

Ok so today after my Windows 10 was installed I wanted to try Cheat Engine's DBVM to see if it still works. After I clicked it everything seemed fine but I couldn't open anything in the taskbar, so then a few seconds later a damn Bluescreen came up saying my computer crashed with a fucking Frowny Face.

Yes I am new, I just registered to ask for help, and to see if anyone else is having this problem.

Thank you!

Edit: Btw, this has never crashed me before, and I was running Windows 8.1 before.

Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25287
Location: The netherlands

PostPosted: Thu Jul 30, 2015 3:10 am

Windows 10 probably has a detection for virtual machine offloading and kills itself when detected.
So don't use DBVM in Windows 10.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
flarn2006
Advanced Cheater
Reputation: 1

Joined: 27 Nov 2012
Posts: 73

PostPosted: Thu Jul 30, 2015 10:16 pm

Dark Byte wrote:
Windows 10 probably has a detection for virtual machine offloading and kills itself when detected.
So don't use DBVM in Windows 10.


Why is that something they'd try to prevent? It's not like it's a privilege escalation exploit or anything like that; DBVM can't load unless it already has kernel privileges.

If this is in fact the case, is it safe to assume you plan on figuring out how this detection works and disabling it somehow?

(Something to disable Patchguard would be nice as well; I'm surprised DBVM doesn't do that already.)
Gr0t
How do I cheat?
Reputation: 0

Joined: 30 Jul 2015
Posts: 2

PostPosted: Thu Jul 30, 2015 10:58 pm

Dark Byte wrote:
Windows 10 probably has a detection for virtual machine offloading and kills itself when detected.
So don't use DBVM in Windows 10.


Well this fucking sucks!

flarn2006
Advanced Cheater
Reputation: 1

Joined: 27 Nov 2012
Posts: 73

PostPosted: Wed Aug 05, 2015 2:42 am

In case it will help, I just tried it myself and, as Gr0t said, it seemed to work fine (it said my computer was running DBVM) but then nothing would respond to a click. I could still move the cursor though. Shortly after, the cursor stopped moving, and my computer restarted. I didn't see a BSOD, but when I checked the event viewer, it said it was a "bug check", which AFAIK means the same kind of error. Here's the text from the event:

Quote:
The computer has rebooted from a bugcheck. The bugcheck was: 0x000000ef (0xffffe00114e8d840, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 080515-8328-01.
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25287
Location: The netherlands

PostPosted: Wed Aug 05, 2015 2:47 am

That is CRITICAL_PROCESS_DIED.
It will show when an important process has died, like the one responsible for DRM.

Anyhow, set Windows to create full memory dumps and maybe I'll be able to see what the process name is.

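The event text flarn2006 quoted and Dark Byte's identification of 0xEF as CRITICAL_PROCESS_DIED are exactly what an analyst pulls out of the System log (source BugCheck, Event ID 1001) when triaging crashes across many machines. The C program below is an added example, not code from the thread or from Cheat Engine: it parses the stop code, the four parameters, the dump path and the report id out of that message and maps the stop code to its documented name. For 0xEF, parameter 1 is the process object that terminated, which is the value a full memory dump lets you resolve to a process name. The sample input is the message quoted in the thread; the stop-code table is a small hand-picked subset, not an exhaustive list.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields recovered from a "The computer has rebooted from a bugcheck" event
 * (System log, source BugCheck, Event ID 1001). */
struct bugcheck {
    uint32_t code;
    uint64_t param[4];
    char dump_path[260];
    char report_id[64];
};

/* The message quoted in the thread, used here as sample input. */
static const char *SAMPLE_EVENT =
    "The computer has rebooted from a bugcheck. The bugcheck was: 0x000000ef "
    "(0xffffe00114e8d840, 0x0000000000000000, 0x0000000000000000, "
    "0x0000000000000000). A dump was saved in: C:\\Windows\\MEMORY.DMP. "
    "Report Id: 080515-8328-01.";

/* Documented names for a few common stop codes; not an exhaustive table. */
const char *bugcheck_name(uint32_t code)
{
    switch (code) {
    case 0x1E: return "KMODE_EXCEPTION_NOT_HANDLED";
    case 0x3B: return "SYSTEM_SERVICE_EXCEPTION";
    case 0x50: return "PAGE_FAULT_IN_NONPAGED_AREA";
    case 0x7E: return "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED";
    case 0xEF: return "CRITICAL_PROCESS_DIED";
    default:   return "UNKNOWN";
    }
}

/* Parse the event text into *out. Returns 1 on success, 0 when the text does
 * not carry a "The bugcheck was: 0x... (0x..., 0x..., 0x..., 0x...)" clause.
 * Dump path and report id are optional and stay empty when absent. */
int parse_bugcheck(const char *msg, struct bugcheck *out)
{
    unsigned long long code, p0, p1, p2, p3;
    const char *s = strstr(msg, "The bugcheck was: ");
    size_t n;

    if (s == NULL)
        return 0;
    s += strlen("The bugcheck was: ");
    if (sscanf(s, "0x%llx (0x%llx, 0x%llx, 0x%llx, 0x%llx)",
               &code, &p0, &p1, &p2, &p3) != 5)
        return 0;

    memset(out, 0, sizeof *out);
    out->code = (uint32_t)code;
    out->param[0] = p0; out->param[1] = p1;
    out->param[2] = p2; out->param[3] = p3;

    /* The path runs to the next space; the message appends a sentence-ending '.'. */
    s = strstr(msg, "A dump was saved in: ");
    if (s != NULL &&
        sscanf(s + strlen("A dump was saved in: "), "%259s", out->dump_path) == 1) {
        n = strlen(out->dump_path);
        if (n > 0 && out->dump_path[n - 1] == '.')
            out->dump_path[n - 1] = '\0';
    }
    s = strstr(msg, "Report Id: ");
    if (s != NULL)
        sscanf(s + strlen("Report Id: "), "%63[^. ]", out->report_id);
    return 1;
}

int main(void)
{
    struct bugcheck bc;
    int i;
    if (!parse_bugcheck(SAMPLE_EVENT, &bc)) {
        puts("unrecognised event text");
        return 1;
    }
    printf("stop code 0x%08X %s\n", bc.code, bugcheck_name(bc.code));
    for (i = 0; i < 4; i++)
        printf("  param%d = 0x%016llx\n", i + 1, (unsigned long long)bc.param[i]);
    printf("  dump: %s  report: %s\n", bc.dump_path, bc.report_id);
    return 0;
}
```

For 0xEF the interesting field is param1 (the process object); parameters 2 to 4 are zero in the quoted event, which is why the thread needs the dump rather than the event alone to name the process.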
flarn2006
Advanced Cheater
Reputation: 1

Joined: 27 Nov 2012
Posts: 73

PostPosted: Thu Aug 06, 2015 6:17 pm

DRM? You mean sppsvc? Because that's not running constantly. Why do you suspect DRM is to blame?

I'll do it in a VM, since a memory dump from my computer would probably contain personal information and stuff like that. But if doing it in a VM doesn't work (since DBVM itself uses virtualization) then couldn't you try it yourself? It seems to be easy to reproduce on another machine. Just configure your CMOS for a low number of CPU cores (if necessary) and attempt to load DBVM.

EDIT: Yeah, a VM doesn't work. It just says "Your system DOES NOT support DBVM". So could you just take the dump? Or you could tell me where to look in one from my computer.
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25287
Location: The netherlands

PostPosted: Mon Aug 10, 2015 3:55 am

I'm getting a bit closer to pinpointing the issue. It took a bit of major blunt force fuckery in physical memory though.

RtlAllocateHeap apparently has a secret protection parameter to obfuscate the stacktrace on exception (RtlAllocateHeap checks [rcx+10] for 0xdededede).
So I first had to do a global memory edit to get rid of that scenario.

Anyhow, after that edit Windows kept working, so I then loaded DBVM. It obviously crashed, but this time I think I got a valid stacktrace.

It seems the assembler instruction rdtscp (or invlpg according to CE's broken disassembler) is raising an exception (not sure why, but it's something I can check now).

(RtlGetCurrentProcessorNumber will use it if available)

Last edited by Dark Byte on Mon Aug 10, 2015 3:21 pm; edited 1 time in total
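The stacktrace pointing at rdtscp, plus the remark that RtlGetCurrentProcessorNumber uses it "if available", is the whole failure mode: user-mode code decides whether rdtscp is usable from the feature bits the OS recorded at boot, and in a guest those come from whatever CPUID the hypervisor exposes. On Intel VT-x, executing RDTSCP in a guest while the "enable RDTSCP" secondary VM-execution control is clear raises #UD, so a hypervisor that passes the host's CPUID through but leaves that control off crashes precisely the callers that trusted the advertised bit; the hypervisor-side fix is to either support the instruction or clear the bit it advertises. The C program below is an added example, not DBVM or Cheat Engine code: it shows the guest-side counterpart, checking CPUID.80000001H:EDX bit 27 itself before choosing between rdtscp and rdtsc. It assumes GCC or clang on x86 (cpuid.h and inline asm); on other architectures it compiles to a fallback that reports no TSC. On Windows the corresponding user-mode query is IsProcessorFeaturePresent(PF_RDTSCP_INSTRUCTION_AVAILABLE).

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>          /* GCC/clang: __get_cpuid, __get_cpuid_max */
#define HAVE_X86 1
#else
#define HAVE_X86 0          /* fallback path for non-x86 builds */
#endif

/* RDTSCP is advertised in CPUID.80000001H:EDX bit 27. Inside a guest this is
 * the leaf the hypervisor presents, so a hypervisor that cannot execute RDTSCP
 * should clear this bit rather than let callers hit #UD. */
int cpu_has_rdtscp(void)
{
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid_max(0x80000000u, NULL) < 0x80000001u)
        return 0;                     /* no extended leaves at all */
    if (!__get_cpuid(0x80000001u, &eax, &ebx, &ecx, &edx))
        return 0;
    return (int)((edx >> 27) & 1u);
#else
    return 0;
#endif
}

/* Read the time-stamp counter. Uses RDTSCP (which also returns IA32_TSC_AUX,
 * where the OS stores a per-CPU id) only when advertised; otherwise falls back
 * to RDTSC and reports aux = UINT32_MAX to mean "CPU id unknown". */
uint64_t read_tsc_safe(uint32_t *aux)
{
#if HAVE_X86
    uint32_t lo, hi, a;
    if (cpu_has_rdtscp()) {
        __asm__ volatile("rdtscp" : "=a"(lo), "=d"(hi), "=c"(a));
        *aux = a;
    } else {
        __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
        *aux = UINT32_MAX;
    }
    return ((uint64_t)hi << 32) | lo;
#else
    *aux = UINT32_MAX;
    return 0;                         /* no TSC on this architecture */
#endif
}

int main(void)
{
    uint32_t aux;
    uint64_t t = read_tsc_safe(&aux);
    printf("rdtscp advertised: %s\n", cpu_has_rdtscp() ? "yes" : "no");
    printf("tsc = %llu\n", (unsigned long long)t);
    if (aux == UINT32_MAX)
        puts("tsc_aux: unavailable (rdtsc fallback)");
    else
        printf("tsc_aux = 0x%x\n", aux);
    return 0;
}
```

Run it once on bare metal and once inside a guest: if the guest reports "advertised: yes" but a plain rdtscp faults, the hypervisor is exposing a feature it does not implement, which is the mismatch this thread ran into.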
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25287
Location: The netherlands

PostPosted: Mon Aug 10, 2015 11:17 am

one way to make dbvm function without waiting for me to compile in rdtscp support:

Enable kernelmode read/write and openprocess
Open any process
In the memory view hexview part go to address 7ffe0294
Note down the physical address.

Go to that address in both the hexview and disassembler view (to make sure you're not accessing unwanted memory)

Go to the process list and target [Physical Memory] and go back to memview
Change the byte at the physical address you found to 0

Now you should be able to activate DBVM

(Minor sidenote: I found that after a reboot, this value stuck. So it could be a permanent solution, at the cost of a slightly slower Windows)

Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25287
Location: The netherlands

PostPosted: Tue Aug 11, 2015 10:10 am

I've added support for rdtscp and it should work better on windows 10 now

http://cheatengine.org/temp/dbvm9.rar

Just extract these files over the ones in the cheat engine installation folder

flarn2006
Advanced Cheater
Reputation: 1

Joined: 27 Nov 2012
Posts: 73

PostPosted: Wed Aug 12, 2015 9:57 am

Thanks! I'll give that a try next time I reboot; right now I'm running with all 12 logical processors which DBVM doesn't seem to like. (Unless you fixed that.)

Do you think that obfuscated stacktrace was made specifically to prevent DBVM from working? Why do you think Microsoft has a problem with DBVM? As I said before, it's not a privilege escalation exploit because you can't load it unless you can already run code at ring 0.

One last thing, are there any plans to do anything about Patchguard in a future CE version? I think it would be a good idea if you're taking suggestions.

Thanks again!
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25287
Location: The netherlands

PostPosted: Wed Aug 12, 2015 12:41 pm

I did do some fixes to the stack size, so it might work, but as always, assume you're going to crash.

The stacktrace obfuscation is probably a more general protection against reversers.

As for disabling PatchGuard, no. That would require me to keep up with every patch and work around that. And Windows 10 has updates you can't block.
Same as with UCEs, someone else can do that.

mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Wed Aug 12, 2015 1:42 pm

I launched DBVM ver 9 on Win10. There's no CRITICAL_PROCESS_DIED.

flarn2006
Advanced Cheater
Reputation: 1

Joined: 27 Nov 2012
Posts: 73

PostPosted: Wed Aug 12, 2015 2:02 pm

Dark Byte wrote:
I did do some fixes to the stack size, so it might work, but as always, assume you're going to crash.

The stacktrace obfuscation is probably a more general protection against reversers.

As for disabling PatchGuard, no. That would require me to keep up with every patch and work around that. And Windows 10 has updates you can't block.
Same as with UCEs, someone else can do that.


I understand the thing with patchguard I guess. The updates would be an issue. But you can block Windows 10 updates using a hosts file, can't you? And you can also uninstall them once they're downloaded. (Just go to the control panel where you can uninstall programs, and click "View installed updates".)

What's uce?
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25287
Location: The netherlands

PostPosted: Wed Aug 12, 2015 2:23 pm

Not sure if the hosts file is enough. Microsoft may have some static IPs in case the hosts file has been hijacked by malware, to prevent such a thing.

UCE is an "Undetected Cheat Engine" build: a version of CE that has been changed so much that current anti-cheat software doesn't recognize it anymore.

Page 1 of 2