wtf i thought you had to call them in Present/Endscene unless you bypass the check ?
I just like programming, that is all.
Current Stuff:
- GPU Programmer (Cuda)
- Client/Server (Cloud Server)
- Mobile App Development
Back in January, the only requirement was that the console be called from an address within the address bounds of Engine.exe. Apparently since then there's been a thread ID check as well.
Previously, in January, it only required 2 NOP patches and the address bounds check was gone. I'm not sure if the thread check is actually true, since I haven't done any CA work since then.
The thread check is true, there is a check for the thread ID. The thread ID gets compared with the thread ID of the main thread of Engine.exe.
The difference is now that you can't NOP the checks because they are virtualized by Themida. But that doesn't mean you can't bypass them.
I'm SCHiM
Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.
Polymorphic engine
Interprocess callback class
SIN
Infinite-precision arithmetic
Hooking dynamic linkage
(sloppy)Kernel mode Disassembler!!!
Semi debugger
Nah, sorry for being unclear. I meant the EntryPoint. As you might know, every thread has its own stack. When the thread is created, the entrypoint of the thread is stored in the 3rd DWORD from the stack top (you start from the top address in the stack and move to the beginning).
This address can be retrieved from the ThreadEnvironmentBlock (TEB).
At TEB+0x04 there is a DWORD indicating the address of the stack top. And as I said earlier the entrypoint is located as the 3rd DWORD from the top, meaning it's in TopOfStack - 0xC.
In ASM this could be done like this:
Code:
mov eax,dword ptr fs:[18h]        // TEB
mov eax,dword ptr ds:[eax+4h]     // TEB.TopOfStack
lea eax,dword ptr ds:[eax-0Ch]    // TEB.TopOfStack.EP
mov dword ptr ds:[eax],MY_ADDRESS // Change the EP to your address
Hope that this made any sense.
Last edited by HellSpider; 05-28-2011 at 03:08 AM.
Hey, you're right, I didn't know that a thread's entry point was moved there. I have been looking for this information for a long time. Where did you find out that the EP is moved there?
PS: a quicker way to do things:
Code:
mov eax, fs:[4h]                       // fs is actually an index to the TEB; fs:[4h] is TEB.TopOfStack
mov dword ptr [eax-0Ch], NewEntryPoint // write the new EP into the 3rd DWORD from the top
Last edited by .::SCHiM::.; 05-28-2011 at 02:48 AM.
I unvirtualized the Themida virtual machine and had a look at how the check works. I didn't know it before either.
And yeah, I know it can be shortened, I just wanted to show it to you in "steps"; I didn't know you were familiar with ASM (a lot of people have no idea how ASM works).
Well, I'm pretty familiar with ASM; I made my own hook library (which I'm currently using), so no need, spare me the details.
Anyway, I think I may have wasted all of your time, since I was trying to use the wrong LTC client. I have to find the correct one first.
I'm EU btw, so I can't use the NA addresses. Perhaps you know of a good address logger or file dumper? I can't use KernelDetective.
Well then, I have good news for you now: here's a working module/file dumper for Windows Server 2008 R2 (which is Windows 7 in all but name).
This works for me, and it dumps all files. But since I may not post download links: search google for "Memoryze". If it doesn't work, I can share the dumped files with you.
Is it like GameGuard, with all the jmps and random garbage all over?
@ console, I was just hooking it in the table @ 0x208 and returning it to my own function. When I played, the checks were in the function, so I rewrote it.
Code:
// Replacement console-command handler; ConsoleSub and orConsoleCommand are the poster's own helpers
int __cdecl myConsoleCommand( const char* szCommand )
{
    ConsoleSub(0x8003F0, szCommand);     // run the console sub-routine first
    return orConsoleCommand(szCommand);  // then pass the command on to the original function
}
Sort of a waste, since I could just call ConsoleSub.
Last edited by SNal2F; 05-28-2011 at 01:40 PM.