predprey (Master Cheater)
Reputation: 24
Joined: 08 Oct 2015, Posts: 486
Posted: Wed Dec 12, 2018 5:02 am
Post subject: Is it just me, or does it seem that StealthEdit can be easily blocked?
As long as the game itself handles the page fault exception and resets the page's execution flag, doesn't the execution flow completely bypass StealthEdit's exception handler?
OldCheatEngineUser (Whateven rank)
Reputation: 20
Joined: 01 Feb 2016, Posts: 1586
Posted: Wed Dec 12, 2018 6:01 am
StealthEdit is old, so I would expect this.
_________________
About Me: I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: "i am a sweetheart."
predprey (Master Cheater)
Reputation: 24
Joined: 08 Oct 2015, Posts: 486
Posted: Wed Dec 12, 2018 7:00 am
I guess one can hook the exception handler and disable the reset and any nearby checks, or hook the VirtualProtect routine, but it ends up being a purely cat-and-mouse game with the devs?
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003, Posts: 25827, Location: The Netherlands
Posted: Wed Dec 12, 2018 8:10 am
Or use it to find the integrity check code instead and patch that
(or get an Intel CPU).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
OldCheatEngineUser (Whateven rank)
Reputation: 20
Joined: 01 Feb 2016, Posts: 1586
Posted: Wed Dec 12, 2018 8:16 am
Intel CPU?
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003, Posts: 25827, Location: The Netherlands
Posted: Wed Dec 12, 2018 8:22 am
OldCheatEngineUser wrote: "Intel CPU?"
Hardware-based integrity check bypass.
OldCheatEngineUser (Whateven rank)
Reputation: 20
Joined: 01 Feb 2016, Posts: 1586
Posted: Wed Dec 12, 2018 8:29 am
Interesting, where can I find some more info about it?
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003, Posts: 25827, Location: The Netherlands
Posted: Wed Dec 12, 2018 8:37 am
Intel VMX EPT. It can mark a physical memory (RAM) page as executable but not readable or writable. So the CPU will just fetch instructions and execute them without any slowdown, but reads and writes will trigger a CPU event you have to capture (e.g. swap out the memory with the original, single-step, swap back, continue).
And swapping is as easy and fast as updating a single pointer.
OldCheatEngineUser (Whateven rank)
Reputation: 20
Joined: 01 Feb 2016, Posts: 1586
Posted: Wed Dec 12, 2018 8:59 am
Ah damn, sounds like a pretty complicated topic (because it's related to virtualization, which I don't have much knowledge about).
Thanks DB.
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003, Posts: 25827, Location: The Netherlands
Posted: Wed Dec 12, 2018 9:01 am
Code:
dbvm_cloak_activate
predprey (Master Cheater)
Reputation: 24
Joined: 08 Oct 2015, Posts: 486
Posted: Wed Dec 12, 2018 9:02 am
Dark Byte wrote: "Intel VMX EPT. It can mark a physical memory (RAM) page as executable but not readable or writable. So the CPU will just fetch instructions and execute them without any slowdown, but reads and writes will trigger a CPU event you have to capture (e.g. swap out the memory with the original, single-step, swap back, continue). And swapping is as easy and fast as updating a single pointer."
Interesting... maybe I should do a plugin on it. But that web server is still on my backlog. I still need to go do a pull request for exposing the events I need before the next CE release.
EDIT:
Dark Byte wrote: "Code: dbvm_cloak_activate"
Oh, that's actually what it uses, I see.
EDIT2:
Speaking of which, I BSODed myself twice recently by unloading the kernel driver after loading up DBVM, doh! In hindsight, that was a pretty stupid idea; not sure what I was smoking when I did it.
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003, Posts: 25827, Location: The Netherlands
Posted: Wed Dec 12, 2018 9:13 am
Hmm, that should have been fine. DBVM does not need the driver to stay live (you can even load DBVM at boot time from floppy, CD, or USB; even UEFI is supported).
But you will need to find a way to get physical addresses, though (dbvm_log_cr3_start and parse the page tables manually).
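As an added illustration of the "parse the page tables manually" step mentioned above (example code written for this thread, not code from Cheat Engine or DBVM): a 4-level x86-64 page-table walk from a CR3 value, with physical memory simulated by a dict and the CR3 value and table contents being constructed sample data rather than a real dump.

```python
# Added example (not Cheat Engine/DBVM code): a 4-level x86-64 page-table walk,
# CR3 -> PML4 -> PDPT -> PD -> PT, over a constructed in-memory "physical memory".
# The CR3 value and table contents below are constructed sample data, not a real dump.
import struct
PAGE = 0x1000
PRESENT, RW, PS = 1 << 0, 1 << 1, 1 << 7   # PS: 1 GiB page in PDPT, 2 MiB page in PD
ADDR_MASK = 0x000F_FFFF_FFFF_F000            # bits 12..51 hold the next table/frame address

def read_entry(phys_mem, table_pa, index):
    # phys_mem maps a 4 KiB-aligned physical address to the bytes of that page
    page = phys_mem.get(table_pa)
    if page is None:
        raise ValueError(f"no physical page backing table at {table_pa:#x}")
    return struct.unpack_from("<Q", page, index * 8)[0]

def walk(phys_mem, cr3, va):
    """Translate va to a physical address via the tables rooted at cr3 (4K/2M/1G pages)."""
    if (va >> 47) not in (0, 0x1FFFF):        # 48-bit canonical-address check
        raise ValueError(f"non-canonical address {va:#x}")
    table = cr3 & ADDR_MASK                    # PML4 base is CR3 bits 12..51
    for level, shift in enumerate((39, 30, 21, 12)):   # 0=PML4 1=PDPT 2=PD 3=PT
        entry = read_entry(phys_mem, table, (va >> shift) & 0x1FF)
        if not entry & PRESENT:
            raise ValueError(f"not present at level {level} for {va:#x}")
        if level == 3 or (level in (1, 2) and entry & PS):   # leaf: 4K frame or large page
            page_mask = (1 << shift) - 1
            return (entry & ADDR_MASK & ~page_mask) | (va & page_mask)
        table = entry & ADDR_MASK

def is_mapped(phys_mem, cr3, va):
    try:
        return walk(phys_mem, cr3, va) is not None
    except ValueError:
        return False

def make_table(entries):
    # Build one 4 KiB paging table from {index: raw_entry} (constructed sample data)
    page = bytearray(PAGE)
    for idx, value in entries.items():
        struct.pack_into("<Q", page, idx * 8, value)
    return bytes(page)

# Constructed layout: PML4 @0x1000 -> PDPT @0x2000 -> PD @0x3000 -> PT @0x4000.
SAMPLE_CR3 = 0x1000
SAMPLE_MEM = {
    0x1000: make_table({0: 0x2000 | PRESENT | RW}),
    0x2000: make_table({0: 0x3000 | PRESENT | RW}),
    0x3000: make_table({0: 0x4000 | PRESENT | RW,              # PD[0] -> 4 KiB page table
                        1: 0x2000_0000 | PS | PRESENT | RW}),   # PD[1] -> 2 MiB page
    0x4000: make_table({5: 0x5000 | PRESENT | RW}),             # PT[5] -> frame 0x5000
}
```

On a real system the same walk applies, but the dict is replaced by a physical-memory reader and the CR3 comes from the target process; the sample here shows both the 4 KiB path and a 2 MiB large-page early exit.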
predprey (Master Cheater)
Reputation: 24
Joined: 08 Oct 2015, Posts: 486
Posted: Wed Dec 12, 2018 9:45 am
Dark Byte wrote: "Hmm, that should be fine. DBVM does not need the driver to stay live (you can even load DBVM at boot time from floppy, CD, or USB; even UEFI is supported). But you will need to find a way to get physical addresses, though (dbvm_log_cr3_start and parse the page tables manually)."
Apparently unloading dbk64.sys while DBVM was live is unsafe, or so the BSOD message said; the error code was SYSTEM_SERVICE_EXCEPTION. I unloaded it and proceeded to restart, and it crashed on the restart screen. I would have looked at the dump file, but my system hard-crashed and I had to do a hard power reset, and it was lost in the process.
EDIT: I was actually trying out the DBVM memory cloak when that BSOD happened. I actually thought of using getPhysicalAddressCR3 to get the physicalbase parameter for the activate function. Is that not the same thing?
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003, Posts: 25827, Location: The Netherlands
Posted: Wed Dec 12, 2018 10:10 am
Well, restarting your computer with DBVM loaded is always a bit iffy, as you're turning off the virtual machine inside the DBVM OS, and that's not really supported.
(Tip: You can unload DBVM by putting your computer to sleep/standby.
Tip 2: Don't let your computer go into sleep/standby when using DBVM-related things through the driver, lol.)
And yeah, getPhysicalAddressCR3 is what you'll need; I forgot about that helper (once you've figured out the CR3 you need. Though I guess you can read the physical memory and confirm it matches the virtual memory).
OldCheatEngineUser (Whateven rank)
Reputation: 20
Joined: 01 Feb 2016, Posts: 1586
Posted: Wed Dec 12, 2018 1:36 pm
Dark Byte wrote: "DBVM does not need the driver to stay live"
So how can you turn VM mode on? I thought it requires some kernel-mode code for virtualization (OS virtualization).
Or did you mean it runs the driver to set the VM mode and then unloads it? (But if so, how could it operate normally when the driver is unloaded?)