Cheat Engine

iPromise

I enabled all of cheat engines kernel routines in the extra settings and I enabled the kernel mode debugger as well. I then restarted Cheat Engine and DBK64 loaded successfully.

I then used the memory viewer to browse to the memory locations given to me by my driver which were really memory locations given by the MmGetSystemRoutineAddress function to kernel functions but when I got there the memory was not read (it gave me ?? where the opcodes should be).

So i'm wondering what i'm doing wrong. I also launched VMware and tested the same procedures on my windows xp and it worked so it may be a compatibility issue with windows 8?

Dark Byte · Posted: Sun May 26, 2013 2:57 am Post subject:

If you go to that address in the hexviewer, does it give a valid physical address?
If not it's possible that memory isn't paged in, and to protect against pagefaults ce doesn't show it

Try disabling query memory locations

iPromise · Posted: Sun May 26, 2013 11:04 am Post subject:

I disabled query memory region routines and kept readprocessmemory enabled. I still kept the kernelmode debugger enabled and I then restarted cheat engine and ran it again. I then repeated the same procedures and went to the memory viewer and browsed to the kernel mode memory location after attaching myself to a process like cheat engine. It didn't work. But I tried the same exact procedures on my windows xp and it worked.

When I browsed to the location in the hex viewer it didn't work as well.

Dark Byte · Posted: Sun May 26, 2013 12:03 pm Post subject:

are you sure the address for windows 8 was correct?

e.g: if I type in on my windows 8 system as address : kernel_MmAllocateContiguousMemory it goes to the address of MmAllocateContiguousMemory and actually shows it (kernel_* is a wrapper for MmGetSystemRoutineAddress )

check out tools->driver list to get the correct base address of the kernel (windows vista and later do not load the kernel at the same spot each time)

iPromise · Posted: Sun May 26, 2013 12:35 pm Post subject:

You're right the addresses are messed up.

My driver returned to me the memory location of ZwQuerySection as 9b26aa20 when I call MmGetSystemRoutineAddress but Cheat Engine returned FFFFF8039B26AA20 when I entered kernel_ZwQuerySection.

Is this normal on all 64 bit computers after XP? How do you programmatically obtain the kernel mode address in this case?

-- EDIT --

I read and compared the first five bytes from the address my driver returned to me to the first five bytes of the address cheat engine returns and they matched. If my address was wrong, I would of gotten an exception when I tried to read from that address because cheat engine states that my address is not valid and hence forth, displays ?? for the opcode?

Dark Byte · Posted: Sun May 26, 2013 12:47 pm Post subject:

if you're using DbgPrint don't use %x but try %I64x (%p might work but not sure)
%x only deals with 4 bytes, not 8

iPromise · Posted: Sun May 26, 2013 1:53 pm Post subject:

Worked. thank you.