fingersmith Newbie cheater
Reputation: 0
Joined: 05 Apr 2016 Posts: 17
Posted: Sun Oct 23, 2016 8:26 am Post subject: No longer able to find same ops code with same jar, JRE/JVM
Hi all.
I have located the address of variable "position", it is at D932EC50.
The instruction that was writing to this address is at address 05B17E40
Code:
05B17E40 4B B9 0300000000000000 mov rcx,0000000000000003
05B17E4A 48 8B C6 mov rax,rsi
05B17E4D 48 0FAF C1 imul rax, rcx
D932EC50 77 C4 D4 D9 57 01 00 00 ! 65 C8 1C EA 57 01 00 00
The corresponding Java code is as follows:
this.position += timeDelta * 3;
When I changed the value of 48 B9 03 to 48 B9 06, I was able to double the value written to variable "position". Everything worked perfectly and I was happy.
The next day, I was still able to locate the address of variable "position" at a different address D8566AB0. However, what puzzled me was that the instruction writing to this location is now completely different!
Code:
025F2D27 48 89 04 19 mov [rcx+rbx],rax
025F2D2B 85 D2 test edx,edx
025F2D2D 0F84 05000000 je 025F2D38
025F2D33 F0 83 04 24 00 lock add dword ptr [rsp],00
025F2D38 41 0FB6 5D 03 movzx ebx,byte ptr [r13+03]
025F2D3D 49 83 C5 03 add r13, 03
025F2D41 49 BA 90A9985100000000 mov r10,jvm.hHotSpotVMLongConstantEntryArrayStride+4C138
I am no longer seeing familiar opcodes like
mov rcx, 00000000000003
mov rax, rsi
imul rax,rcx
but some other strange code that involves gHotspotVMLongConstantEntryArrayStride blab blab.
In fact I can't even find a single occurrence of 48 0FAF C1 to locate the previous opcode imul rax,rcx, even if I perform a complete "Array of byte" scan.
I have not changed the jar file, the JRE/JVM version or the environment. These remain the same as the day before.
Any help or advice will be greatly appreciated. Thank you!
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4703
Posted: Sun Oct 23, 2016 8:39 am Post subject:
fingersmith wrote:
The instruction that was writing to this address is at address 05B17E40
Code:
05B17E40 4B B9 0300000000000000 mov rcx,0000000000000003
That instruction is not writing to any address. It's moving 3 into rcx; that's it.
What's above the instruction mov [rcx+rbx],rax?
Did you scan through all memory (not just writable) when searching for that AoB?
_________________
I don't know where I'm going, but I'll figure it out when I get there.
fingersmith Newbie cheater
Reputation: 0
Joined: 05 Apr 2016 Posts: 17
Posted: Sun Oct 23, 2016 11:01 am Post subject:
Thanks for your reply.
Yes, the first opcode did not write to the address, but the 3rd instruction imul rax, rcx did. What puzzles me is why the opcodes changed completely the next day, with all things remaining the same.
FS
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4703
Posted: Sun Oct 23, 2016 11:21 am Post subject:
imul rax,rcx does not write to any address either. It performs signed multiplication of the two operands and stores the result in the destination operand (rax). Both operands are registers. No memory is accessed.
You didn't answer either question.
fingersmith Newbie cheater
Reputation: 0
Joined: 05 Apr 2016 Posts: 17
Posted: Sun Oct 23, 2016 6:17 pm Post subject:
Thank you PP for your reply.
My bad that I'm not good with opcodes and did not realize that I had not provided enough of them.
Below is the code which I have managed to see only ONCE and capture the screen.
I retyped it as follows, and checked for typos:
Code:
05B17E33 0F85 22000000 jne 05B17E5B
05817E39 48 8B BA 80010000 mov rdi,[rdx+00000180]
05B17E40 4B B9 0300000000000000 mov rcx,0000000000000003
05B17E4A 48 8B C6 mov rax,rsi
05B17E4D 48 0FAF C1 imul rax, rcx
05B17E51 48 03 F8 add rdi,rax
05B17E54 48 89 BA 80010000 mov [rdx+00000180],rdi
05B17E5B 48 8B F2 mov rsi,rdx
05B17E5E 48 BF D052A13100000000 mov rdi,0000000031A152D0
05B17E68 48 83 87 50040000 01 add qword ptr [rdi+00000450],01
05B17E70 48 BE C8FD9D3400000000 mov rsi,00000000349DFDC8
05B17E7A 8B Be DC000000 mov edi,[rsi+000000DC]
05B17E80 83 C7 08 add edi,08
Since then I have been scanning for code signature "488BC6480FAFC1" using AOB, but to no avail.
Yes, I did scan through all memory (not just writable).
I am most concerned about being able to find and adjust the multiplier value again.
My objective is to change it from 3 long to 5 long.
Cheers,
FS
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Sun Oct 23, 2016 6:58 pm Post subject:
Java likes to change up the code during runtime, as it tries to optimize frequent executions.
You'd have better luck decompiling the Java .class files themselves.
You specifically mentioned some Java code, have you tried this?
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4703
Posted: Sun Oct 23, 2016 7:26 pm Post subject:
JIT compilers can seem strange sometimes. My guess is that the second code is the result of the bytecode being interpreted, and the first code is after the method has been called enough for the JVM to actually compile it.
There is a simple and concise explanation of JIT compilation here.
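The tier switch ParkourPenguin describes (bytecode run by the interpreter first, a compiled method only once HotSpot decides it is hot) can be watched with the JVM's own -XX:+PrintCompilation flag, and Zanzer's suggestion to look at the class files rather than the running code corresponds to javap -c. The program below is an added example written for this thread, not code from any of the posters; the class name JitTiers, the method step, the field names and the loop count are assumptions chosen for the demo.

```java
// Added example (not from the thread). Reproduces the "same source, different
// machine code" effect: the same `this.position += timeDelta * 3;` is first
// executed by HotSpot's template interpreter, which runs every `lmul` through
// one shared code stub, and only later compiled into method-specific machine
// code (the mov rcx,3 / imul sequence seen in the thread).
//
// Build and run:
//   javac JitTiers.java
//   java -XX:+PrintCompilation JitTiers
// Lines naming JitTiers::step appear only when HotSpot compiles the method
// (tier 3 = C1, tier 4 = C2 with default tiered compilation); before the
// first such line, no method-specific imul for step() exists in memory.
//
// Bytecode of step(), matching the ldc2_w / lmul / ladd / putfield sequence
// quoted in the thread, can be listed from the class file with:
//   javap -c -p JitTiers
public class JitTiers {
    private long position;          // assumed field, same role as "position"

    // Same shape as the thread's Java line.
    void step(long timeDelta) {
        this.position += timeDelta * 3;
    }

    long position() {
        return position;
    }

    public static void main(String[] args) {
        JitTiers p = new JitTiers();
        // Loop count is an assumption; large enough to cross the tiered
        // compilation thresholds on a default HotSpot configuration.
        int calls = args.length > 0 ? Integer.parseInt(args[0]) : 100_000;
        for (int i = 1; i <= calls; i++) {
            p.step(1);
            // Milestones so PrintCompilation output can be related to call counts.
            if (i == 1_000 || i == 10_000 || i == calls) {
                System.out.println("calls=" + i + " position=" + p.position());
            }
        }
    }
}
```

Run it twice: once with a small argument such as 50 and once with the default, and compare the PrintCompilation output. The interpreter-only run never prints a compilation line for step(), which is consistent with a scan for the compiled byte pattern finding nothing in a process whose method has not yet been compiled.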
fingersmith Newbie cheater
Reputation: 0
Joined: 05 Apr 2016 Posts: 17
Posted: Mon Oct 24, 2016 8:00 am Post subject:
Whoa, that's new to me.
So I can't expect the same opcodes/machine hex code from the same Java code each time I run it? It sounds like the JIT may kick in any time it fancies and try to optimize the machine code. Isn't it the very principle of how CE works, looking for a consistent code signature and trying to perform injection or change a value?
Btw the bytecode for the Java instruction is
Code:
#55 = Long 3l
.
.
.
249: ldc2_w #55 // long 3l
252: lmul
253: ladd
254: putfield #36 // Field position:J
257: aload_0
Thank you both gentlemen for your kind replies. Is there any way that you know of that I can stop the interference from the JIT?
I would very much like to get back to the version of the opcodes that has the imul within:
05B17E4A 48 8B C6 mov rax,rsi
05B17E4D 48 0FAF C1 imul rax, rcx
05B17E51 48 03 F8 add rdi,rax
@Zanzer. You mentioned about having better luck decompiling the Java .class files themselves. I don't quite get what you mean. Can you please tell me more?
Cheers,
FS
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
fingersmith Newbie cheater
Reputation: 0
Joined: 05 Apr 2016 Posts: 17
Posted: Tue Oct 25, 2016 7:40 am Post subject:
Nope, no deal.
The moment I alter the class file and update the jar file, the program no longer works as is. I guess there is some form of checksum.
I ain't sure if the jar file is compressed (even though I can see some clear text within). In addition I am not sure when to modify 3L to 6L in the jar file, hence I am unable to change it.
I think it has to be done in memory, and I'm gonna miss that day when a small surgical change of 3L to 6L did the work beautifully....
FS
fingersmith Newbie cheater
Reputation: 0
Joined: 05 Apr 2016 Posts: 17
Posted: Sat Oct 29, 2016 10:18 am Post subject:
I am still working on this...
The method is not called > 10000 times, so it was not JIT compiled.
How is lmul being interpreted by the JVM? Why am I not seeing any corresponding imul or mul assembly code? If it were there I would have found it using CE AOB.
Why?
FS
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25803 Location: The netherlands
Posted: Sat Oct 29, 2016 11:17 am Post subject:
CE's JVMTI interface does have a method to change classes on the fly.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping