|
Cheat Engine The Official Site of Cheat Engine
|
View previous topic :: View next topic |
Author |
Message |
kabachi How do I cheat? Reputation: 0
Joined: 08 May 2015 Posts: 7
|
Posted: Fri May 08, 2015 10:18 pm Post subject: |
|
|
Dark Byte wrote: |
or it's just that one single game has recently added integrity checks |
I can certify that the game I"m interested in has none worth mentioning, I was just contemplating adding hypervisor-based stealth breakpoints to something and here this thread comes up on google. It looks like you did some research on this, so TYVM for sharing! Now I know how to shop for a new CPU
EDIT:
dbk_readMSR(0x48C)=f0106114141
I guess I'm in luck and my CPU supports it?
|
|
Back to top |
|
|
Dark Byte Site Admin Reputation: 465
Joined: 09 May 2003 Posts: 25540 Location: The netherlands
|
Posted: Sat May 09, 2015 7:13 am Post subject: |
|
|
Yes, bit 0 indicates it's supported
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
Back to top |
|
|
kabachi How do I cheat? Reputation: 0
Joined: 08 May 2015 Posts: 7
|
Posted: Sun May 10, 2015 2:57 pm Post subject: |
|
|
Ok, while my RS232 cable is in the mail here are some thoughts that you hopefully can validate:
1. That PET you mentioned in this thread, it is EPT right? Google returns some weird stuff when you google for intel pets
2. EPT is not in DBVM in the present, so it needs to be added. First, added as 1:1 mapping to the physical addresses to make things easier
3. A new command commands to DBVM that would allow taking a snapshot of a certain page given its address and store it in the reserved space
4. Add another command that would mark this page as "split", meaning two pages are used. Either the snapshot with "Read" access or the actual copy with "Execute only" access. Flip them in the VM exit that is supposed to happen in case of access violation from EPT permissions.
5. If a write happens when a snapshot is active, invalidate the snapshot and restore the original page contents from it.
6. Two more new commands to invalidate the snapshot and to check the page state. This should get us to the point where you can set INT 3 breakpoints on a code page or add some instrumentation to it and then trick any consistency checks in the malware we are trying to analyse More can be done to deal with self-modifying code, but this should be enough for the 1st cut.
7. If the page gets swapped out, the effect should disappear when its "guest" physical memory is overwritten. That means all our instrumentation would be gone - just disable the swap file for better effect.
8. Debugging it inside vmware or virtualbox is not feasible because they likely don't emulate EPT. That means I'll need RS232 to USB converter plus a null modem cable to debug it from my laptop (PC has a com port, laptop doesn't)
9. Virtual box implements EPT and can be used as an example with its source code
10. Same thing can be added to virtualbox built-in debugger and that would convert it into a badass malware analysis tool
Am I making sense here or just babbling?
I also noticed that when kernel debugging is enabled in CE only hardware breakpoints can be used. Would regular breakpoints be hard to implement and is anything happening to hide debug registers from the OS or the process?
|
|
Back to top |
|
|
Dark Byte Site Admin Reputation: 465
Joined: 09 May 2003 Posts: 25540 Location: The netherlands
|
Posted: Sun May 10, 2015 4:12 pm Post subject: |
|
|
1: yes, I meant EPT
2: correct. Some architectures (like your support huge page mapping, so that can make things easier)
It will probably still require a bit more memory than the default 4MB
3: that's one posibility yes. Alternatively, allocate the copy in the target process and adjust read/write registers to there on access violation (a bit easier to detect, but faster)
4: you could probably add that in the one of 3
5: restore the original page, and set the TF flag in eflags. This will cause the current cpu to execute the instruction referencing the memory and then raise an debug exception.
Resume and block external interrupts for at least one cpu cycle, else there could be task switching anoyances(alternatively, the timed vmexit could be used to exit after 1 instruction cycle, but not sure if it can be that accurate)
6:
7: Code that is executed will almost never get paged out by windows so shouldn't be an issue. Besides, when it's loaded back, it's a write operation, and thus an access violation which you can deny
8: should work, but expect a BSOD once in a while on the laptop if there's a LOT of data coming through at once. (two of my usb com devices tend to cause a bsod when flooded, different manufacturers, so could be a generic driver things)
9-10: it might be easier to start with virtualbox
Quote: |
Would regular breakpoints be hard to implement
|
Not really, just needs to implement an interrupt 3 handler then and pass on that data to ce's debuggerinterface. (most people that go for kernel debug usually don't want software breakpoints)
Quote: |
and is anything happening to hide debug registers from the OS or the process?
|
Only when global debug is enabled.
It will then break on every single debug register access and emulate the read and write. This includes when windows does an context switch
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping
Last edited by Dark Byte on Fri Feb 12, 2016 2:07 pm; edited 1 time in total |
|
Back to top |
|
|
kabachi How do I cheat? Reputation: 0
Joined: 08 May 2015 Posts: 7
|
Posted: Sun May 10, 2015 6:04 pm Post subject: |
|
|
Dark Byte wrote: |
2: correct. Some architectures (like your support huge page mapping, so that can make things easier)
It will probably still require a bit more memory than the default 4MB
|
If I didn't mess up the math, it is about 24 meg just to hold the structure with regular pages for 12gb of RAM. And if I go for bigger pages, chances are I'd get a mix of code and data and data writes will screw me up. 1:1 relationship between pages seems necessary. Even in virtualbox I'd have to disable large pages in EPT. No way to just add a proper virtualProtect that supports execute-only.
Dark Byte wrote: |
3: that's one posibility yes. Alternatively, allocate the copy in the target process and adjust read/write registers to there on access violation (a bit easier to detect, but faster)
|
Faster to write or will work faster? I got an impression that those flags are for EPT and not for your regular paging tables, meaning I'll still have to go all the way to DBVM to make it work and EPT will have to be implemented there.
Dark Byte wrote: |
4: you could probably add that in the one of 3
|
May be, but how I would change the data from the user mode then? My idea was to use the first instruction then set breakpoints/instrumentation and then use the second instruction.
Dark Byte wrote: |
5: restore the original page, and set the TF flag in eflags. This will cause the current cpu to execute the instruction referencing the memory and then raise an debug exception. (alternatively, the timed vmexit could be used to exit after 1 instruction cycle, but not sure if it can be that accurate)
|
So, this way I could recover from writes. Good point.
Dark Byte wrote: |
7: Code that is executed will almost never get paged out by windows so shouldn't be an issue. Besides, when it's loaded back, it's a write operation, and thus an access violation which you can deny
|
That's what I have been thinking as well. It would be loaded back to a different address though and I won't know it from just the hypervisor.
Dark Byte wrote: |
8: should work, but expect a BSOD once in a while on the laptop if there's a LOT of data coming through at once. (two of my usb com devices tend to cause a bsod when flooded, different manufacturers, so could be a generic driver things)
|
I have a linux laptop and windows PC where I run DBVM, so it is other way around - DBVM will have a proper serial. I sure hope laptop won't crash
Dark Byte wrote: |
9-10: it might be easier to start with virtualbox
|
Good point, I was actually digging in that direction already, just found all those articles online saying that this can't be done on Intel and almost gave up before I found this thread.
EDIT: It looks like my laptop supports it as well:
sudo rdmsr 0x48C
f0106114141
|
|
Back to top |
|
|
John111 How do I cheat? Reputation: 0
Joined: 05 May 2015 Posts: 2 Location: Netherlands
|
Posted: Tue May 12, 2015 12:47 pm Post subject: |
|
|
Looks like there was a talk on blackhat 2014 about using EPT with a small hypervisor.
Slides and hypervisor code is on github (dot) com (slash) ainfosec (slash) MoRE
|
|
Back to top |
|
|
kabachi How do I cheat? Reputation: 0
Joined: 08 May 2015 Posts: 7
|
Posted: Tue May 12, 2015 5:28 pm Post subject: |
|
|
John111 wrote: | Looks like there was a talk on blackhat 2014 about using EPT with a small hypervisor.
Slides and hypervisor code is on github (dot) com (slash) ainfosec (slash) MoRE |
Looking into it already, it is for 32bit only, one CPU and based on DDK instead of gcc&stuff Dark Byte used. But they did exactly what I am trying to accomplish, so should be a good example.
|
|
Back to top |
|
|
tigerite How do I cheat? Reputation: 0
Joined: 16 May 2007 Posts: 9
|
Posted: Thu Oct 15, 2015 2:35 pm Post subject: |
|
|
Did anyone have any luck with merging the memory code from the MoRE source with DBVM? As MoRE's VM/hypervisor is nothing compared to DBVM's..
|
|
Back to top |
|
|
kabachi How do I cheat? Reputation: 0
Joined: 08 May 2015 Posts: 7
|
Posted: Mon Feb 01, 2016 1:05 am Post subject: |
|
|
Dark Byte wrote: |
9-10: it might be easier to start with virtualbox
|
I managed to add TLB splitting to KVM (the damned forum doesn't let me to post the link, search for split tlb on github). This solves the issue of hiding patches in general because you can virtualize almost anything with KVM, including most games, but adding this to DBVM would make it more accessible. Unfortunately, DBVM is way trickier to work with than KVM where I didn't even get a single panic while working on it, at least not before I started stress testing on low memory. Also, solution in MORE appeared to be a bit over complicated. For some reason, in MORE Jacob always uses single step to go over the offending instruction and in my case the naive approach of just flipping the flag+address in EPT violation handler seems to work fine. The special case of combined read+execute seems to never happen, at least not in read-only mode that I've implemented.
|
|
Back to top |
|
|
tigerite How do I cheat? Reputation: 0
Joined: 16 May 2007 Posts: 9
|
Posted: Thu Feb 11, 2016 4:04 am Post subject: |
|
|
Thanks for posting this, it's really useful, so do I take that to mean you're using Linux and running Windows as a (K)VM within it? If so, it's funny because I've started doing something similar, you may want to look into DRAKVUF as well, it's mostly for malware analysis but could come in useful to monitor what system calls games are making.
|
|
Back to top |
|
|
kabachi How do I cheat? Reputation: 0
Joined: 08 May 2015 Posts: 7
|
Posted: Sun Feb 14, 2016 6:38 pm Post subject: |
|
|
tigerite wrote: | Thanks for posting this, it's really useful, so do I take that to mean you're using Linux and running Windows as a (K)VM within it? If so, it's funny because I've started doing something similar, you may want to look into DRAKVUF as well, it's mostly for malware analysis but could come in useful to monitor what system calls games are making. |
DRAKVUF is actually very interesting. What I have now requires a common injector and you can just write your DLL so that it conceals its own code section and any patches it makes. I am thinking of writing a hypervisor based DLL/process injector and DRAKVUF claims to have something along these lines. This would require some windows kernel hooking from hypervisor, which is really some wild stuff. It is encouraging if somebody got it working and have it available open source. I am also sure there is a reason they only support Windows 7
|
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum You cannot attach files in this forum You cannot download files in this forum
|
|