Gr0t How do I cheat? Reputation: 0
Joined: 30 Jul 2015 Posts: 2
Posted: Thu Jul 30, 2015 1:11 am Post subject: Windows 10 DBVM
Ok so today after my Windows 10 was installed I wanted to try the Cheat Engine's DBVM to see if it still works. After I clicked it everything seemed fine but I couldn't open anything in the taskbar, so then a few seconds later a damn Bluescreen came up saying my computer crashed with a fucking Frowny Face.
Yes I am new, I just registered to ask for help, and to see if anyone else is having this problem.
Thank you!
Edit: Btw, this has never crashed me before, and I was running on Windows 8.1 before.
_________________
What is a signature?

Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The netherlands
Posted: Thu Jul 30, 2015 3:10 am
windows 10 probably has a detection for virtual machine offloading and kills itself when detected.
so don't use dbvm in windows 10
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so i can keep helping

flarn2006 Advanced Cheater Reputation: 1
Joined: 27 Nov 2012 Posts: 73
Posted: Thu Jul 30, 2015 10:16 pm
Dark Byte wrote: | windows 10 probably has a detection for virtual machine offloading and kills itself when detected.
so don't use dbvm in windows 10 |
Why is that something they'd try to prevent? It's not like it's a privilege escalation exploit or anything like that; DBVM can't load unless it already has kernel privileges.
If this is in fact the case, is it safe to assume you plan on figuring out how this detection works and disabling it somehow?
(Something to disable Patchguard would be nice as well; I'm surprised DBVM doesn't do that already.)

Gr0t How do I cheat? Reputation: 0
Joined: 30 Jul 2015 Posts: 2
Posted: Thu Jul 30, 2015 10:58 pm
Dark Byte wrote: | windows 10 probably has a detection for virtual machine offloading and kills itself when detected.
so don't use dbvm in windows 10 |
Well this fucking sucks!

flarn2006 Advanced Cheater Reputation: 1
Joined: 27 Nov 2012 Posts: 73
Posted: Wed Aug 05, 2015 2:42 am
In case it will help, I just tried myself and, as Gr0t said, it seemed to work fine (it said my computer was running DBVM) but then nothing would respond to a click. I could still move the cursor though. Shortly after the cursor stopped moving, and my computer restarted. I didn't see a BSOD, but when I checked the event viewer, it said it was a "bug check", which AFAIK means the same kind of error. Here's the text from the event:
Quote: | The computer has rebooted from a bugcheck. The bugcheck was: 0x000000ef (0xffffe00114e8d840, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 080515-8328-01. |
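
As an added example (not part of any post in this thread, and not Cheat Engine code), the bugcheck event text quoted above can be parsed for triage. The reading of the 0xEF parameters follows Microsoft's bug check reference; the function and dictionary names are illustrative.

```python
import re

# Names for bug check codes; only the code seen in this thread is listed.
BUGCHECK_NAMES = {0xEF: "CRITICAL_PROCESS_DIED"}

EVENT_RE = re.compile(
    r"The bugcheck was:\s*(?P<code>0x[0-9a-fA-F]+)\s*\((?P<params>[^)]*)\)\."
    r"(?:\s*A dump was saved in:\s*(?P<dump>.+?)\.(?=\s|$))?"
    r"(?:\s*Report Id:\s*(?P<report>[\w-]+))?"
)


def parse_bugcheck_event(message):
    """Parse the message of a 'rebooted from a bugcheck' System log event."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    code = int(m.group("code"), 16)
    params = [int(p, 16) for p in m.group("params").split(",") if p.strip()]
    info = {
        "code": code,
        "name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
        "params": params,
        "dump": m.group("dump"),        # None when no dump was written
        "report_id": m.group("report"),
    }
    if code == 0xEF and len(params) >= 2:
        # For 0xEF, parameter 1 is the process object and parameter 2 is
        # 0 when a process died, 1 when a thread died.
        info["died"] = "thread" if params[1] == 1 else "process"
        info["process_object"] = hex(params[0])
    return info


# Event text exactly as quoted in the post above.
SAMPLE = (
    r"The computer has rebooted from a bugcheck. The bugcheck was: 0x000000ef "
    r"(0xffffe00114e8d840, 0x0000000000000000, 0x0000000000000000, "
    r"0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. "
    r"Report Id: 080515-8328-01."
)

if __name__ == "__main__":
    print(parse_bugcheck_event(SAMPLE))
```

With the saved dump loaded in WinDbg, passing the extracted process object address to `!process` shows the image name of the process that died.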

Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The netherlands
Posted: Wed Aug 05, 2015 2:47 am
that is critical_process_died
it will show when an important process has died, like the one responsible for DRM
anyhow, set windows to create full memory dumps and maybe i'll be able to see what the processname is

flarn2006 Advanced Cheater Reputation: 1
Joined: 27 Nov 2012 Posts: 73
Posted: Thu Aug 06, 2015 6:17 pm
DRM? You mean sppsvc? Because that's not running constantly. Why do you suspect DRM is to blame?
I'll do it in a VM, since a memory dump from my computer would probably contain personal information and stuff like that. But if doing it in a VM doesn't work (since DBVM itself uses virtualization) then couldn't you try it yourself? It seems to be easy to reproduce on another machine. Just configure your CMOS for a low number of CPU cores (if necessary) and attempt to load DBVM.
EDIT: Yeah, a VM doesn't work. It just says "Your system DOES NOT support DBVM". So could you just take the dump? Or you could tell me where to look in one from my computer.

Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The netherlands
Posted: Mon Aug 10, 2015 3:55 am
I'm getting a bit closer to pinpointing the issue. It took a bit of major blunt force fuckery in physical memory though
RtlAllocateHeap apparently has a secret protection parameter to obfuscate the stacktrace on exception (RtlAllocateHeap checks the [rcx+10] for 0xdededede )
So I first had to do a global memory edit to get rid of that scenario
Anyhow, after that edit window kept working, so I then loaded dbvm, it obviously crashed, but this time I think I got a valid stacktrace.
It seems the assembler instruction rdtscp (or invlpg according to ce's broken disassembler) is raising an exception (not sure why, but it's something I can check now)
(RtlGetCurrentProcessorNumber will use it if available)
Last edited by Dark Byte on Mon Aug 10, 2015 3:21 pm; edited 1 time in total

Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The netherlands
Posted: Mon Aug 10, 2015 11:17 am
one way to make dbvm function without waiting for me to compile in rdtscp support:
Enable kernelmode read/write and openprocess
Open any process
In the memoryview hexview part go to address 7ffe0294
Note down the physical address.
Go to that address in both the hexview and disassemblerview (to make sure you're not accessing unwanted memory)
Go to the processlist and target [Physical Memory] and go back to memview
Change the byte at the physical address you found to 0
Now you should be able to activate DBVM
(Minor sidenote: I found that after a reboot, this value stuck. So it could be a permanent solution, at cost of a slightly slower windows)

Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The netherlands
Posted: Tue Aug 11, 2015 10:10 am
I've added support for rdtscp and it should work better on windows 10 now
http://cheatengine.org/temp/dbvm9.rar
Just extract these files over the ones in the cheat engine installation folder

flarn2006 Advanced Cheater Reputation: 1
Joined: 27 Nov 2012 Posts: 73
Posted: Wed Aug 12, 2015 9:57 am
Thanks! I'll give that a try next time I reboot; right now I'm running with all 12 logical processors which DBVM doesn't seem to like. (Unless you fixed that.)
Do you think that obfuscated stacktrace was made specifically to prevent DBVM from working? Why do you think Microsoft has a problem with DBVM? As I said before, it's not a privilege escalation exploit because you can't load it unless you can already run code at ring 0.
One last thing, are there any plans to do anything about Patchguard in a future CE version? I think it would be a good idea if you're taking suggestions.
Thanks again!

Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The netherlands
Posted: Wed Aug 12, 2015 12:41 pm
i did do some fixes to the stacksize, so it might work, but as always, assume you're going to crash
the stacktrace obfuscation is probably a more general protection against reversers in general.
As for disabling patchguard, no. That would require me to keep up with every patch and work around that. And windows 10 has updates you can't block.
Same as with uce's, someone else can do that

mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Wed Aug 12, 2015 1:42 pm
I launched DBVM ver 9 on Win10. There's no CRITICAL_PROCESS_DIED.

flarn2006 Advanced Cheater Reputation: 1
Joined: 27 Nov 2012 Posts: 73
Posted: Wed Aug 12, 2015 2:02 pm
Dark Byte wrote: | i did do some fixes to the stacksize, so it might work, but as always, assume you're going to crash
the stacktrace obfuscation is probably a more general protection against reversers in general.
As for disabling patchguard, no. That would require me to keep up with every patch and work around that. And windows 10 has updates you can't block.
Same as with uce's, someone else can do that |
I understand the thing with patchguard I guess. The updates would be an issue. But you can block Windows 10 updates using a hosts file, can't you? And you can also uninstall them once they're downloaded. (Just go to the control panel where you can uninstall programs, and click "View installed updates".)
What's uce?

Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The netherlands
Posted: Wed Aug 12, 2015 2:23 pm
Not sure if the hosts file is enough. Microsoft may have some static IPs in case the hosts file has been hijacked by malware to prevent such a thing.
UCE is "Undetected Cheat Engine" build. A version of CE that has been changed so much that current anti cheat software doesn't recognize it anymore