Cheat Engine The Official Site of Cheat Engine
thegreatescape (How do I cheat?)
Reputation: 0
Joined: 14 Jun 2012 Posts: 5
Posted: Mon Apr 06, 2015 5:42 pm Post subject: CE <3 Now I want to hack a game from outside virtual mach
Hey guys/gals!
I used to make trainers back in the late 90s, and now I am back to hack again.
So how do we hack games that are running inside a virtual machine? I already have the addresses and offsets when it is running on the host machine; can I make my life easier somehow with that knowledge? You may think, why not run CE within the virtual machine? It's a long answer, but the short one is no, it must be outside.
I always wondered how this would work in a VM. Is there still a handle opened to the game process? I guess not, because there is no API call within the guest OS. Intriguing.
Any tips? Getting back into game hacking is great fun! Once I have a solid solution, I would be happy to make a tutorial in due course.
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003 Posts: 25808 Location: The Netherlands
Posted: Mon Apr 06, 2015 7:25 pm
Get the source code of the virtual machine and make it build a list of CR3 values and where it stores its virtualized physical memory.
Then with the CR3 values you can build a list of virtual-to-physical mappings, and use the physical memory to look it up.
In short: get the source code of the virtual machine.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
thegreatescape (How do I cheat?)
Reputation: 0
Joined: 14 Jun 2012 Posts: 5
Posted: Tue Apr 07, 2015 5:46 am
Dark Byte wrote:
> Get the source code of the virtual machine and make it build a list of CR3 values and where it stores its virtualized physical memory.
> Then with the CR3 values you can build a list of virtual-to-physical mappings, and use the physical memory to look it up.
> In short: get the source code of the virtual machine.
OK, I understand. VirtualBox is the fastest open source one I could find. It is written in C++, which I haven't learnt. Before deciding, can you think of any other techniques that could be used as an alternative?
Many thanks
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003 Posts: 25808 Location: The Netherlands
Posted: Tue Apr 07, 2015 6:54 am
You can always do AOB scans looking for signatures, but the memory layout will be randomized in chunks of 4 KB.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
justa_dude (Grandmaster Cheater)
Reputation: 23
Joined: 29 Jun 2010 Posts: 893
Posted: Tue Apr 07, 2015 8:43 am
Dark Byte wrote:
> Get the source code of the virtual machine and make it build a list of CR3 values and where it stores its virtualized physical memory.
> Then with the CR3 values you can build a list of virtual-to-physical mappings, and use the physical memory to look it up.
> In short: get the source code of the virtual machine.
I'm out of my element, but mustn't the virtual machine already maintain a memory map and page directory (the shadow page table)? I don't really see how it could function without it.
_________________
Next to the big gate, there is always a small gate.
----------------------
Come on...
thegreatescape (How do I cheat?)
Reputation: 0
Joined: 14 Jun 2012 Posts: 5
Posted: Tue Apr 07, 2015 10:43 am
Dark Byte wrote:
> You can always do AOB scans looking for signatures, but the memory layout will be randomized in chunks of 4 KB.
May I ask if my understanding is correct? Even if I found the base address for the game, the offsets will not be correct for the other addresses that I have mapped. To find each address, I would need to scan the whole memory of the VM. Assuming the VM has a memory allocation of 1 GB, I would read the entire memory space of the VM (which would only need to happen once) and then iterate through the arrays, pulling out each address based on signatures. Once one signature within my mapped data structures is found, a further iteration could be made to deduce whether the base of the data structure is within the 4 KB chunk, thereby saving time by applying the expected offsets in cases where this is present. I don't know what kind of load this would require and whether performance would be massively hit, but if anyone with good knowledge could advise whether I am heading in the right direction I would be massively grateful!
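An added example (not code from the thread or from Cheat Engine) of the scan proposed above: it searches a constructed flat image of guest physical memory for a Cheat Engine style array-of-bytes signature, reports which hits fit inside a single 4 KiB page, and only applies a host-side offset from a hit when the target stays within that same page, since the neighbouring physical page need not hold the neighbouring virtual page. The signature, the image and the 1337 field value are constructed for the demonstration.

```python
import re

PAGE = 0x1000   # a guest's virtual pages land in physical memory in scattered 4 KiB units

def compile_aob(text):
    """Compile a Cheat Engine style array-of-bytes pattern ('DE AD ?? EF 10')
    into a regex over bytes; '??' matches any single byte. A zero-width
    lookahead is used so that overlapping hits are all reported."""
    parts = [b"." if t in ("??", "?") else re.escape(bytes([int(t, 16)]))
             for t in text.split()]
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL), len(parts)

def scan(phys, text):
    """Scan a flat physical memory image. Returns (inside, straddling): hit offsets
    that lie entirely within one 4 KiB page, and hits that cross a page boundary
    (only meaningful if the two physical pages happen to back adjacent virtual pages)."""
    rx, n = compile_aob(text)
    inside, straddling = [], []
    for m in rx.finditer(phys):
        start = m.start()
        same_page = start // PAGE == (start + n - 1) // PAGE
        (inside if same_page else straddling).append(start)
    return inside, straddling

def resolve(hit, delta):
    """Apply an offset learned on the host (signature -> field) to a hit.
    Valid only while the target stays inside the hit's 4 KiB page; beyond that
    the expected data may live in any other physical page, so return None."""
    target = hit + delta
    return target if target // PAGE == hit // PAGE else None

SIG = "DE AD ?? EF 10"   # constructed signature, not a real game's bytes

def build_image():
    """Constructed 16 KiB image: a clean hit in page 1 with a field 0x40 bytes
    after it, and a second copy of the signature straddling pages 2 and 3."""
    phys = bytearray(4 * PAGE)
    phys[0x1F00:0x1F05] = bytes.fromhex("DEAD42EF10")
    phys[0x1F40:0x1F44] = (1337).to_bytes(4, "little")   # the "score" field
    phys[0x2FFE:0x3003] = bytes.fromhex("DEAD99EF10")    # crosses the 0x3000 boundary
    return phys

def read_field(phys, hit, delta, size=4):
    """Read a little-endian field relative to a hit, or None if the offset leaves the page."""
    target = resolve(hit, delta)
    if target is None:
        return None
    return int.from_bytes(phys[target:target + size], "little")
```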
Fresco (Grandmaster Cheater)
Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Tue Apr 07, 2015 9:20 pm
I'm no expert in the matter, but I think that there would be a lot of problems in trying to modify a guest OS process from the outside (i.e. by opening VirtualBox as a process).
I think that all guest OS processes page-load and load to (physical) memory just like regular processes (within the guest OS itself).
The difference is that when you load a process in Cheat Engine, you're not really loading RAM, but the page file (mostly called virtual memory).
So loading VirtualBox as a process would mean loading the actual RAM of the guest OS, since the guest OS handles virtual memory in its own way (by storing the page files inside its virtual disk). Physical memory locations can be tricky (i.e. not everything is loaded, and most importantly you can't be entirely sure that everything is loaded contiguously).
When you "open process" in Cheat Engine, it calls an OS function. Then the OS returns some kind of handle, which is used by Cheat Engine to make further calls to the OS (like writing to and reading from that process's memory). Which means that CE is not actually writing anything by itself to other processes, but rather asking the OS to do so. In turn the OS either writes to actual RAM or to page memory (virtual memory), which is then loaded by the same OS when the process being modified asks for it.
That is also why you have to alloc some memory when creating cheat codes, to ensure that they are loaded in RAM, so they're ready to be executed.
The thing is that any 32-bit process has at its disposal something like 0x7FFFFFFF (about 4GB) of available memory (i.e. RAM memory), but if you only have 2 GB of RAM, how is it possible to run so many processes at once? Well, paging of course: your process memory is not really stored in RAM, but rather on your hard drive in some file (the SWAP partition in Linux OSes). The RAM is not loaded with all of the program at once but rather in parts (only those needed for current operations).
That is why you have to load a process in CE. You have probably noticed that if you open process "A" and go to address 0x00085000 you'll find some bytes, and when you open process "B" at the same address you'll find different bytes.
The guest OS does the same thing, but the guest OS's processes don't really page like regular processes which you can open with CE; rather they page inside the guest OS, meaning that the guest OS's pages are inside its own virtual disk and its physical RAM is what you open with Cheat Engine.
Since we can't really be certain that processes load in physical memory just like they appear in virtual memory (i.e. the pages I talked about before), you'll have to do something like:
Open CE inside the virtual machine.
Find out the physical address (which should correspond to the address in the virtual memory of the virtual machine).
However, you can't really be certain that every portion of the game you're trying to hack is loaded in the guest OS memory; furthermore, each time you close and reopen the game in the guest OS, the location at which you could previously find the game's start module could be changed at any time.
Dark Byte wrote:
> You can always do AOB scans looking for signatures, but the memory layout will be randomized in chunks of 4 KB.
He's talking about the fact that what you see in Cheat Engine when opening a guest OS is not the nicely formatted virtual memory that you see when opening a normal process, but rather the physical memory of the guest OS.
Your best bet is to modify VirtualBox's source code to allow you to make system calls to the guest OS from the host OS, and also modify Cheat Engine to be able to use those system calls instead of the host's system calls.
The result would be some kind of Cheat Engine that is run by the host OS but calls the functions inside the guest OS.
I'm not entirely sure that everything above is true; I might have gotten some conceptions completely wrong, so please correct me if I'm wrong.
However, I'm pretty sure it's correct.
_________________
... Fresco
thegreatescape (How do I cheat?)
Reputation: 0
Joined: 14 Jun 2012 Posts: 5
Posted: Wed Apr 08, 2015 5:31 am
Fresco wrote:
> [Fresco's post above, quoted in full]
Thank you for that very detailed answer; I now understand. It is a bitter irony that the reason I am using CE outside of the VM is that I am not allowed to make system calls from the guest OS. It seems like this would be a very challenging and involved project, definitely not something I would be able to tackle anytime soon. Thanks very much for all your help (everyone).
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003 Posts: 25808 Location: The Netherlands
Posted: Wed Apr 08, 2015 6:26 am
You only need the CR3 register of the process you're interested in and an understanding of where and how the virtual machine stores the emulated physical memory (e.g. VMware stores it in the mapped region named vmem, where the first byte is physical address 0).
With that info you can parse through the page tables to find the physical address for a virtual address of the process.
You can automate this by hooking CE's rpm/wpm and VirtualQueryEx APIs (Lua has some features that help with that).
The only thing is getting the CR3 register, but perhaps a small tool that only queries the system is allowed to run.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
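An added example (not code from the thread or from Cheat Engine) of the page-table walk described above: it treats a constructed byte string as the flat emulated physical memory (byte 0 is physical address 0, as described for the vmem region), takes a CR3 value, and walks 4-level x86-64 paging to translate guest virtual addresses, including a read that spans two virtual pages whose physical backing is not adjacent. The table layout, the CR3 value 0x1000 and the "SCORE!" bytes are constructed for the demonstration.

```python
import struct

PAGE = 0x1000
PRESENT, LARGE = 1 << 0, 1 << 7
ADDR_MASK = 0x000F_FFFF_FFFF_F000   # bits 51:12 of an entry: next table or page base
CR3 = 0x1000                        # constructed: the PML4 lives at physical 0x1000

def translate(phys, cr3, va):
    """Walk 4-level x86-64 page tables in `phys` (flat guest physical memory, byte 0 ==
    physical address 0); return the physical address for `va`, or None if unmapped."""
    table = cr3 & ADDR_MASK                       # CR3 bits 51:12 = PML4 base
    for level, shift in enumerate((39, 30, 21, 12)):
        off = table + ((va >> shift) & 0x1FF) * 8
        if off + 8 > len(phys):                   # table lies outside the captured image
            return None
        entry = struct.unpack_from("<Q", phys, off)[0]
        if not entry & PRESENT:
            return None
        if level in (1, 2) and entry & LARGE:     # 1 GiB (PDPT) or 2 MiB (PD) page
            size = 1 << shift
            return (entry & ADDR_MASK & ~(size - 1)) | (va & (size - 1))
        table = entry & ADDR_MASK
    return table | (va & (PAGE - 1))

def read_virtual(phys, cr3, va, length):
    """Read bytes at a guest VA page by page: adjacent VAs need not be adjacent physically."""
    out = bytearray()
    while length:
        pa = translate(phys, cr3, va)
        if pa is None:
            return None
        chunk = min(length, PAGE - (va & (PAGE - 1)))
        out += phys[pa:pa + chunk]
        va, length = va + chunk, length - chunk
    return bytes(out)

def build_image():
    """Constructed 32 KiB image: PML4 @0x1000, PDPT @0x2000, PD @0x3000, PT @0x4000;
    VA 0x400000 -> PA 0x5000, VA 0x401000 -> PA 0x7000, VA 0x600000 -> 2 MiB page @0x200000."""
    phys = bytearray(8 * PAGE)
    def put(off, val): struct.pack_into("<Q", phys, off, val)
    put(0x1000, 0x2000 | PRESENT)                      # PML4[0]
    put(0x2000, 0x3000 | PRESENT)                      # PDPT[0]
    put(0x3000 + 2 * 8, 0x4000 | PRESENT)              # PD[2]: VA 0x400000-0x5FFFFF via PT
    put(0x3000 + 3 * 8, 0x200000 | PRESENT | LARGE)    # PD[3]: 2 MiB page at VA 0x600000
    put(0x4000, 0x5000 | PRESENT)                      # PT[0]: VA 0x400000
    put(0x4000 + 8, 0x7000 | PRESENT)                  # PT[1]: VA 0x401000, not next to 0x5000
    phys[0x5FFC:0x6000], phys[0x7000:0x7002] = b"SCOR", b"E!"   # value straddling both pages
    return phys
```

A real capture would substitute the VM's physical-memory region for `build_image()` and a CR3 obtained from inside the guest for the constant.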
thegreatescape (How do I cheat?)
Reputation: 0
Joined: 14 Jun 2012 Posts: 5
Posted: Wed Apr 08, 2015 6:38 am
Dark Byte wrote:
> You only need the CR3 register of the process you're interested in and an understanding of where and how the virtual machine stores the emulated physical memory (e.g. VMware stores it in the mapped region named vmem, where the first byte is physical address 0).
> With that info you can parse through the page tables to find the physical address for a virtual address of the process.
> You can automate this by hooking CE's rpm/wpm and VirtualQueryEx APIs (Lua has some features that help with that).
> The only thing is getting the CR3 register, but perhaps a small tool that only queries the system is allowed to run.
Thank you for the detailed explanation, I can see how I could feasibly do that with some more experience.