All times are UTC - 5 hours [ DST ]
Post new topic Reply to topic  [ 10 posts ] 
 Post subject: Xlive (GFWL) Memory Integrity Check Bypass
PostPosted: Mon Aug 17, 2009 4:05 pm 
Joined: Fri Jun 12, 2009 10:53 am
Posts: 80
Hi folks.

I had come up with a way of bypassing the memory checks of xlive. As many will know, if you try and alter game code on a live-enabled game (such as Gears of War, Fallout 3, Street Fighter, Fuel etc.) it will crash. Perhaps not immediately, but it will at some stage.

Anyway, I had only shared this method with certain people, because it was a certain 'rarity'. However, now H4x0r (the now-famous trainer-ripper) has skanked it from a cheathappens release recently. So now, surprise surprise, many more people know. So I have decided to post it and make this known, so other people can benefit from it.

There is a byte-sequence you should search for (took a while to track down obviously, seeing as no-one else has done one):
8B EC 83 EC 20 53 56 57 8D 45 E0 33 F6 50 FF 75 0C 8B F9

Search for this in the xlive module and this will land you at the start of the routine which deals with the checking. All you have to do is prevent it from doing its stuff, so placing a RETN 0C at the start of the code is one way to achieve this.

This byte pattern has been present since the earliest versions of xlive and still works for the very latest v3 version. I worked very carefully to find a 'universal pattern'. So find that in the game, patch it and modify memory with your hacks. Done!

Feel free to share and use in your releases. A note of some kind would be nice though to show where you got it from and so I know who's making use of it.

~Psych

PostPosted: Tue Aug 18, 2009 11:17 am 
Joined: Sun May 17, 2009 2:13 pm
Posts: 302
Location: Colorado
Looking good Psy, nice to see you working on new stuff. Any hints on how to find that byte pattern without knowing it?

PostPosted: Tue Aug 18, 2009 12:06 pm 
Joined: Fri Jun 12, 2009 10:53 am
Posts: 80
This was nothing new.. just released it now that's all :)

Once I had eventually found the right area to patch, after hours of backtracing and testing etc (you know how it is, lol) I compared the areas in multiple versions of the xlive.dll. From that I figured out a pattern which is common to all versions. So I could make a 'universal' search and replace process for the trainer. Nothing special with that, just comparing manually really.

:)

PostPosted: Wed Aug 19, 2009 9:33 am 
Joined: Mon Aug 10, 2009 9:02 am
Posts: 27
Psych wrote:
Anyway, I had only shared this method with certain people, because it was a certain 'rarity'. However, now H4x0r (the now-famous trainer-ripper) has skanked it from a cheathappens release recently. So now, surprise surprise, many more people know. So I have decided to post it and make this known, so other people can benefit from it.

From what I remember, neither Extalia nor RADiANCE "benefited" from this method. And they were your teams. Given that CH trainers got ripped, that means the "certain people" are in fact CH people. So, yeah, catch my drift..

PostPosted: Wed Aug 19, 2009 9:36 am 
Joined: Fri Jun 12, 2009 10:53 am
Posts: 80
eXtalia no, because it wasn't nailed then. eXtreme used it in RADiANCE and so did I. Ok, so perhaps not so much the whole team, but the point is, it was there to be used. You wouldn't have benefitted from anything people showed you mate, coz you are too l33t, and so above everyone else in your abilities. I must have forgotten that :/ CH know this method, so do Brewers, and now a lot more people since it's all out in the open. It doesn't matter now. It's a good thing that people know as it means more trainers can be produced for xlive titles, and that's good all-round. Perhaps not great for certain sites that require subs from people, as it may lower their user-base, but that's not my problem. Ahh yeah, but I see what you mean, I'm an employee of CH right Sunbeam? Still have to slip the odd line in don't you? Always need the last sarcy comment. What is your problem? What business is it of yours anyway, even if I did work for them, or have worked for them? None. Absolutely fuck all. Is this all because you can't take the fact that I might be getting offered work or positions that you never got? In any case, butt out. You're the one carrying this crap on, and for no reason whatsoever.

PostPosted: Wed Aug 19, 2009 9:49 am 
Joined: Mon Aug 10, 2009 9:02 am
Posts: 27
How about you make a tutorial and explain the "method". I've been a moderator in Cheat Engine Forums before and replies like "look for this array of bytes" make me sick. Just make a video tutorial (like you did with other 'titles') and explain why you look for that array. How about - "this is a function where xlive reads memory from X to Y and computes a hash"? Or ".text and .data sections (code) are mapped in memory and checked for alterations against an opened instance of the file" etc...? "Your" method, without explanations, equals 0 - anyone could say it's theirs. Catch my drift?

As for CH, you keep revolving around "what if I worked for them, it's not your problem". This is like the 3rd or 4th time. So, basically, you did work for them. I just want to know, don't have any other problems. That's all..

P.S.: I never worked online, never will, lol. You make hilarious naive assumptions.

PostPosted: Wed Aug 19, 2009 10:07 am 
Joined: Mon Jul 20, 2009 5:52 am
Posts: 128
I think we've heard enough about CH by now. :mad: We get your point Sunbeam. Whatever Psych has done wrong, there's no need to go on about it every time. And it didn't happen on these forums, so please, fight your fight somewhere else.

PostPosted: Wed Aug 19, 2009 10:20 am 
Joined: Fri Jun 12, 2009 10:53 am
Posts: 80
It will shut him up if I say I work/worked for them, even if I didn't. Not sure why he's so torn up inside about this, lol. So, here we go "I worked for them", "I still work for them", and "I get paid". No need to keep posting now Sunbeam :)

I didn't do 'anything' wrong, that's the point Teneb :) I don't have to explain myself to anyone at any rate, least of all someone like Sunbeam (oh, how quickly you find out what people are truly like when they get like this :P). Anyways, I've said all I'm willing to say, so I won't be adding any more catalyst to this argument.

PostPosted: Wed Aug 19, 2009 11:20 am 
Joined: Mon Aug 10, 2009 9:02 am
Posts: 27
Oaki. Point made, conversation ended. You didn't shut me up, and I don't believe you work for them. Now back on track - any tutorials? I'm saying this because I am curious how XLive works - sure, people will ask me to get a game that uses XLive.. name one that works on 512 DDR1, an ATI Radeon 9800 and a dusty 1.92 GHz AMD CPU and I will take that suggestion into consideration..

Seen a lot of integrity checks, both in games and protectors. Back in MapleStory days, there was a custom hash made on first two sections of the file, 400000-end of .data section, and this was a dynamic hash as it was constantly accessed and compared:

http://theoklibrary.org/showthread.php?t=113

So for that matter, a swapping of main ptr to data buffer was enough. I don't know how XLive works, but from what you say:

"so placing a RETN 0C at the start of the code is one way to achieve this."

I guess it maps whole file in memory (CreateFileMapping, MapViewOfFile) etc.. and checks it against active memory (ReadProcessMemory, ReadFile). Just assuming, that's why I want you to make a tutorial.. :-) Of course, not for my benefit, since I rarely touch games these days, but I reckon you want it documented (and not simply a thrown array of bytes at random), right?

Cheerios,
Sun
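The kind of check Sun sketches above (hash a code section against the on-disk image) simulated as an added example that is not the thread's code nor anything from xlive: keyed per-block digests of a constructed "clean" image, a report of where live memory diverged, and a watch list of entry offsets that includes the checker's own entry, so an entry-patched check routine is itself reported. KEY, CLEAN_IMAGE and WATCHED_ENTRIES are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 16
# Assumption for the demo: per-build secret so a patcher cannot recompute digests.
KEY = b"constructed-demo-key"
# Constructed stand-in for a module's code section as read from disk.
CLEAN_IMAGE = bytes((i * 37 + 11) & 0xFF for i in range(512))
# Constructed entry offsets to watch; the checker itself is listed so a
# "return at entry" patch on it is reported.
WATCHED_ENTRIES = {"integrity_check": 0x40, "score_update": 0x180}

def block_digests(code, key=KEY, block=BLOCK):
    """Keyed digest per fixed-size block, so a report can say where it changed."""
    return [hmac.new(key, code[i:i + block], hashlib.sha256).digest()
            for i in range(0, len(code), block)]

def tampered_ranges(reference, live, key=KEY, block=BLOCK):
    """Merged (offset, length) ranges where live memory no longer matches."""
    if len(live) != len(reference):          # size mismatch: all of it is suspect
        return [(0, max(len(live), len(reference)))]
    ranges = []
    pairs = zip(block_digests(reference, key, block), block_digests(live, key, block))
    for idx, (ref, cur) in enumerate(pairs):
        if hmac.compare_digest(ref, cur):
            continue
        start = idx * block
        if ranges and ranges[-1][0] + ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], ranges[-1][1] + block)  # extend the run
        else:
            ranges.append((start, block))
    return ranges

def hit_entries(ranges, entries=WATCHED_ENTRIES):
    """Names of watched routines whose entry falls inside a tampered range."""
    return sorted(name for name, off in entries.items()
                  if any(s <= off < s + n for s, n in ranges))

def scan(live, reference=CLEAN_IMAGE):
    """One check pass: where memory diverged from disk, and which entries it hit."""
    ranges = tampered_ranges(reference, live)
    return {"ranges": ranges, "entries": hit_entries(ranges)}

if __name__ == "__main__":
    # Simulate the patch the thread describes: the first bytes of the check
    # routine replaced with RETN 0C (encoded C2 0C 00).
    patched = bytearray(CLEAN_IMAGE)
    patched[0x40:0x43] = b"\xC2\x0C\x00"
    print(scan(bytes(patched)))   # the hit lands on "integrity_check"
```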

PostPosted: Wed Aug 19, 2009 11:48 am 
Joined: Fri Jun 12, 2009 10:53 am
Posts: 80
I would absolutely love to break this down, do a tut or at least some detailed notes on it, and explore other parts of xlive. But it's just not going to happen at the moment, due to time-constraints and what not. It would mean taking attention off other things, which wouldn't be too great atm.

Of course, no-one likes spoon-feeding etc, but for now that is the way in which people can get memory-based hacks working without much hassle. It can always be backed up later with more stuff. I do plan on doing this at some point for sure.

~P
