Cheat Engine

[lcineyes]

1.​​DBVM Mode Stability Issue​​

When using DBVM mode instead of IPT mode, the system consistently experiences Blue Screens of Death (BSOD).

2. ​​IPT Mode Limitation​​

The current IPT (Intel Processor Trace) implementation cannot properly handle self-modifying code. Are there more robust alternative solutions available?

[AylinCE]

General Description: Problems and some solutions.

DBVM Mode Stability Issue (BSOD) Solution:

DBVM (Direct-Bypass Virtual Machine) mode is a virtual machine technology used in Cheat Engine to provide deeper access to the Windows kernel level. However, this mode can lead to blue screen errors (BSOD) due to system hardware, BIOS settings, and especially Windows updates.
This issue can usually be resolved in the following ways:

Virtual Machine (VT-x/SVM) Settings:

Ensure that virtualization technologies such as Intel VT-x (for Intel processors) or AMD SVM (for AMD processors) are enabled in your BIOS. These settings are required for DBVM to function properly.

Hyper-V and Other Virtualization Services:

Windows' own Hyper-V or other virtual machine software such as VMware or VirtualBox can conflict with DBVM. Ensure that Hyper-V and similar virtualization services are disabled in Windows settings.

Operating System Version:

Cheat Engine is known to experience stability issues with newer Windows versions (e.g., some versions of Windows 11). If this issue persists on your current Windows version, you may want to consider using an older, more stable Windows version.

Driver Issues:

DBVM can cause errors when loading kernel drivers.
In this case, it's important to run Cheat Engine as an administrator or ensure your antivirus program isn't blocking this driver.

IPT Mode Limitation (Self-Modifying Code) Solutions:

IPT (Intel Processor Trace) mode is a hardware-based solution used to trace code execution.

However, it may not be able to accurately track self-modifying code, that is, code that modifies its own commands at runtime.

This is particularly useful for some modern anti-cheat systems and makes tracing difficult. Alternative solutions that can be used to overcome this limitation include:

DBVM (Direct-Bypass Virtual Machine):

DBVM mode can overcome this problem by providing deeper debugging capabilities within the virtual machine environment.
Unlike IPT's hardware-based monitoring mechanism, DBVM captures code at the virtual machine level, which can better manage changes to self-modifying code.
Therefore, if DBVM can be run more stably, it is a better alternative to IPT.

VMM-Based Solutions:

The most effective method for capturing self-modifying code is the more advanced Virtual Machine Monitor (VMM)-based approaches.

These technologies can monitor and manipulate any code changes and execution flow at the lowest level by running the operating system in a virtual environment.

Software Debugging:

Traditional software debugging techniques, such as single-stepping the code and setting breakpoints, can also be used.
These methods allow you to precisely control the flow of execution and help you identify when and how the code changes.

Code Injection:

Once you identify the point at which the problematic code was changed, you can disable the original code or modify its behavior by injecting your own code.

This is a more indirect but effective way to directly address the problem.

[lcineyes]

1.System: Windows 10

2.dbk64.sys loaded normally

3.DBVM loaded normally

4.Most functions using DBVM are working properly

5.Hyper-V has been disabled. Hyper-V prohibits nested virtualization; if not disabled, DBVM loading cannot be completed.

6.For the Direct-Bypass Virtual Machine approach, which code and corresponding functionality is involved? Is it ultimap1 or ultimap2? I've read a lot of CE's code but haven't found any DBVM-level self-modifying code traces.

[AylinCE]

Great question.
DBVM (Direct-Bypass Virtual Machine) is a critical technology in Cheat Engine, and the depth of this topic often remains complex for most users.

In summary, the functionality you're describing doesn't appear directly as a trace of self-modifying code.
This is because this functionality is specific to ultimap2, and it's implemented as a memory management tactic at the virtualization layer rather than a fundamental code modification.

The key difference between ultimap1 and ultimap2 is as follows:

ultimap1: This method hides the virtualization artifact by copying pages.
However, changes made to one page don't affect the other; therefore, the "Direct-Bypass" feature isn't fully achieved.

ultimap2: This forces the virtual machine and the host operating system to use the same physical memory pages.
This allows memory writes and reads to pass directly through the virtual machine layer in real time.
Therefore, any memory changes made under the DBVM are immediately visible to the host operating system.
This is why searching for a "self-modifying code" trace is futile, as the operation is performed through a kernel-level virtualization trick, not a change in the code itself.

Therefore, this functionality is associated with ultimap2 and is primarily enabled by the EMULATE_VIRTUAL_MACHINE command.
You can find the code traces within the DBVM kernel module that controls how physical memory pages are shared by the virtual machine.

I hope this clarifies the issue. Feel free to ask any further questions.

[Dark Byte]

nope

[AylinCE]

[Dark Byte]

ultimap2 doesn't need dbvm to function.(except if you use one specific function most people don't) It only uses IPT but unlike the windows variant it is capable of suspending the target process when the buffer is full. But make sure not to run the latest windows versions as those have closed off interrupt handlers

Self modifying code isn't possible with IPT as the log only states if a branch was taken or not taken. There's no indication of how many instructions inbetween so if it got changed since last disassembly it won't know where the instruction pointer is

If you encounter such a thing the break and trace option is better suited, though if you're in kernelmode and have to rely on dbvm.break and trace you won't see the instructions as there the read is delayed till after retrieving the log

[AylinCE]

As I understand it, ultimap2's core functionality utilizes Intel Processor Trace (IPT) technology, largely without relying on the DBVM.
And most importantly, what's called "Direct-Bypass" has nothing to do with "self-modifying code."
It's more about monitoring memory accesses and controlling interrupts.
This explains exactly why my search for a "self-modifying code" trace failed.

Your point out that the break and trace option is more suitable than ultimap2's is also very valuable.
Your explanation of how this functionality works, even in kernel mode, further demonstrates the complexity of this technology.

Thanks for the reply. I think I've been overly superficial.

[lcineyes]

I previously considered a more complex solution based on EPT (Extended Page Tables), which involves recording executed pages. Once a page that has been executed is modified, it is flagged. The next time that page is executed, the new version of the page is snapshotted. Finally, by combining this with TSC (Time Stamp Counter) records from Intel PT (Processor Tracing), synchronization could be achieved.
However, I feel this would require a significant amount of engineering effort. Additionally, I am currently learning how to use Bochs to debug DBVM (Database Virtual Machine). It would be great if I had a JTAG debugger