Xlive (GFWL) Memory Integrity Check Bypass

Postby [Psych] » Tue Aug 18, 2009 3:03 am

Hi folks.

I had come up with a way of bypassing the memory checks of xlive. As many will know, if you try to alter game code in a Live-enabled game (such as Gears of War, Fallout 3, Street Fighter, Fuel etc.) it will crash. Perhaps not immediately, but it will at some stage.

Anyway, I had only shared this method with certain people, because it was a certain 'rarity'. However, H4x0r (the now-famous trainer ripper) has now skanked it from a recent CheatHappens release. So now, surprise surprise, many more people know. So I have decided to post it and make this known, so other people can benefit from it.

There is a byte sequence you should search for (it took a while to track down, obviously, seeing as no one else has done one):
8B EC 83 EC 20 53 56 57 8D 45 E0 33 F6 50 FF 75 0C 8B F9

Search for this in the xlive module and it will land you at the start of the routine which deals with the checking. All you have to do is prevent it from doing its stuff, so placing a RETN 0C at the start of the code is one way to achieve this.

This byte pattern has been present since the earliest versions of xlive and still works for the very latest v3 version. I worked very carefully to find a 'universal pattern'. So find that in the game, patch it and modify memory with your hacks. Done!

Feel free to share and use in your releases. A note of some kind would be nice though to show where you got it from and so I know who's making use of it.

~Psych

Postby WhiteHat » Tue Aug 18, 2009 11:23 pm

This is great !...
Thanks a lot Psych !...

Gotta try this soon...

:)
.. to boldly go where no eagle has gone before...

Postby CoMPMStR » Tue Sep 22, 2009 7:47 am

This has nothing to do with allowing debugger access though. I tried this for Resident Evil 5 and I still can't attach the debugger to even find out what accesses. Found the byte pattern easily, changed it to RET 0C NOP NOP, but nothing.

So I have a question, what is this exactly used for and does it need to be applied at any specific time, like as soon as the game starts or something? Ok, maybe that's 2 questions... :shock: just wondering.

______________________________________________________
My Utilities:
CT <-> LSSAVE Converter
LSS Visual Dialog Designer
.NET Trainer Helper Library

~Whether you think you can or you think you can't, you're right.

L. Spiro wrote:In my left hand is a red pill. If you take it I will show you the truth. I lost my right hand in the war, so I’m afraid you’re stuck with the red pill.

Postby WhiteHat » Tue Sep 22, 2009 11:48 am

I just tried this last night for Batman: Arkham Asylum, and sadly it did not work.
The byte pattern was there, but changing it to RETN 0C did not prevent the MHS
debugger from crashing/closing the game...

:(

Postby CoMPMStR » Sun Oct 04, 2009 5:03 am

Ok I finally figured it out after reading your cheat engine post. I thought that you were supposed to patch the first bytes of the byte pattern you posted, not 3 bytes before. Why didn't you just post the byte pattern as such?

8B FF 55 8B EC 83 EC 20 53 56 57 8D 45 E0 33 F6 50 FF 75 0C 8B F9


Anyway, no matter, I tried it with Red Faction: Guerrilla, patching the correct bytes, and it works perfectly. I still can't attach the debugger without any crashes though. I attach it and it stays attached just long enough for me to get the code locations before the game crashes. Great job, I can now apply those code-changing hacks without any crashes (I'm glad I decided to give it another try :D). If you can allow debugger access I'll be more than happy to test it for you. :P :lol:

Postby WhiteHat » Sun Oct 04, 2009 7:10 pm

Patching three bytes before works ? Great...

I've tried patching about 5 bytes before or so, I forget; that is, the one
right after the JMP, but it failed. Guess that explains why something feels odd
about the routine...

Going to try this. Hope it works...

Postby CoMPMStR » Sun Oct 04, 2009 9:45 pm

Yea, you need to patch the MOV EDI, EDI and PUSH EBP commands, which is 3 bytes, the same length as RETN 0C. It's right after the jmp and 3 bytes before the byte pattern that [Psych] posted. ;)

What's the point of moving a register to itself?

Postby WhiteHat » Mon Oct 05, 2009 1:38 pm

I failed somehow when I was hacking Resident Evil 5.

Hex String Search for those bytes:
8B FF 55 8B EC 83 EC 20 53 56 57 8D 45 E0 33 F6 50 FF 75 0C 8B F9


Found in two addresses:
- 0x015CA6AD (= "xlive.dll"+0x13A6AD)
- 0x12D39AAD (not within any particular module)
(after several trials, these addresses always came up)

Changed the first 3 bytes to RETN 0C opcode:
C2 0C 00 8B EC 83 EC 20 53 56 57 8D 45 E0 33 F6 50 FF 75 0C 8B F9

was successful for address 0x015CA6AD, but was not so for address 0x12D39AAD.

The problem was that the region at 0x12C00000 is read-only, and I can't change it to full access via MHS Process Property.
Here is what it looked like:
0x10000000 - Read/Write
0x12C00000 - Read Only    ---> Can't change this at all
0x13A9A000 - No Access


No idea what the next step is from here... :?

Postby CoMPMStR » Mon Oct 05, 2009 10:11 pm

Well according to my xlive.dll, you patched the wrong bytes:

015CA6AD | 3D CC000000   | cmp eax, CC  |
015CA6B2 | 0F84 40FFFFFF | je 015CA5F8  |
015CA6B8 | 32C9          | xor cl, cl   |
015CA6BA | E9 39FFFFFF   | jmp 015CA5F8 |
015CA6BF | 8BFF          | mov edi, edi |
015CA6C1 | 55            | push ebp     |


If you did modify 015CA6AD then that could be the reason it doesn't work. You are supposed to modify 015CA6BF instead, changing those 3 bytes to RETN 0C (directly beneath the jmp mnemonic).

Still can't attach the debugger without crashes, I get a memory overrun error when I do so with RE5 but most of the time it does allow you to get 1 or 2 locations before it closes. Here's one I just found... max money:
fullaccess(RE5DX9.exe+5FEE9F, 7)
alloc(jmpcash, 90)
label(retjmp)

[enable]
RE5DX9.exe+5FEE9F:   // original: mov edx, dword ptr [ecx+eax+1C0] (7 bytes)
jmp jmpcash
nop
nop

jmpcash:
mov dword ptr [ecx+eax+1C0], 0098967F
mov edx, dword ptr [ecx+eax+1C0]
jmp retjmp

RE5DX9.exe+5FEEA4:   // label must follow the address it returns to
retjmp:

[disable]
RE5DX9.exe+5FEE9F:
mov edx, dword ptr [ecx+eax+1C0]
dealloc(jmpcash)


Bundle it together with this so the game doesn't crash when max money is enabled:
fullaccess(xlive.dll+13A6BF, 3)

[enable]
xlive.dll+13A6BF:    // mov edi, edi ; push ebp  ->  retn 0C
retn C

[disable]
xlive.dll+13A6BF:
mov edi, edi
push ebp


I hope this helps. ;)
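The two posts above settle where the patch goes: Psych's 19-byte pattern starts at `mov ebp, esp`, three bytes into the routine, while the routine itself begins with `mov edi, edi ; push ebp` (8B FF 55), the standard hot-patchable prologue that Microsoft-built binaries carry (the `mov edi, edi` is a 2-byte placeholder, which answers the "why move a register to itself" question). That is why the RETN 0C (C2 0C 00) is exactly three bytes wide and lands three bytes before the pattern. The following Python script is an added example, not code from this thread or from any GFWL tool: it scans a byte image of the module for the pattern, accepts a hit only when the three preceding bytes really are 8B FF 55, applies and reverts the patch, and reports module-relative offsets. The module base 0x01490000 is an assumption chosen so that xlive.dll+13A6BF equals the 0x015CA6BF in CoMPMStR's disassembly, and the image it scans is a constructed stand-in, not a real xlive.dll; patching a live process would additionally need ReadProcessMemory/WriteProcessMemory and a check that the hit lies inside the module's mapped range (WhiteHat's second hit was outside it, in a read-only region).

```python
"""Locate the xlive.dll memory-check routine by byte pattern and patch it to RETN 0C.

Added example for this thread; operates on a byte image of the module (a dump or
file read into memory). The sample image below is constructed, not a real xlive.dll.
"""

# Psych's pattern: starts at "mov ebp, esp", i.e. 3 bytes INTO the routine.
PSYCH_PATTERN = bytes.fromhex("8B EC 83 EC 20 53 56 57 8D 45 E0 33 F6 50 FF 75 0C 8B F9")
# The routine really begins with the hot-patchable prologue "mov edi, edi ; push ebp".
HOTPATCH_PROLOGUE = bytes.fromhex("8B FF 55")
# CoMPMStR's corrected pattern = prologue + Psych's pattern.
FULL_PATTERN = HOTPATCH_PROLOGUE + PSYCH_PATTERN
# "retn 0Ch": return immediately and pop the 3 DWORD arguments (stack stays balanced).
RETN_0C = bytes.fromhex("C2 0C 00")

# Assumed module base so that xlive.dll+13A6BF == 0x015CA6BF (CoMPMStR's disassembly).
MODULE_BASE = 0x01490000
ROUTINE_RVA = 0x13A6BF


def find_all(buf: bytes, pat: bytes) -> list[int]:
    """Return every offset at which pat occurs in buf (overlapping hits included)."""
    hits, start = [], 0
    while (i := buf.find(pat, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def locate_patch_sites(image: bytes) -> tuple[list[int], list[int]]:
    """Find where to write RETN 0C.

    Returns (accepted, rejected): accepted offsets point at the 8B FF 55 prologue
    three bytes before Psych's pattern; rejected offsets are hits on the 19-byte
    pattern that are NOT preceded by that prologue (false positives / wrong region).
    """
    accepted, rejected = [], []
    for off in find_all(image, PSYCH_PATTERN):
        site = off - len(HOTPATCH_PROLOGUE)
        if site >= 0 and image[site:off] == HOTPATCH_PROLOGUE:
            accepted.append(site)
        else:
            rejected.append(off)
    return accepted, rejected


def apply_retn_0c(image: bytes, sites: list[int]) -> bytearray:
    """Overwrite the 3-byte prologue at each site with C2 0C 00 (the [enable] half)."""
    patched = bytearray(image)
    for site in sites:
        if patched[site:site + 3] != HOTPATCH_PROLOGUE:
            raise ValueError(f"unexpected bytes at {site:#x}, refusing to patch")
        patched[site:site + 3] = RETN_0C
    return patched


def restore_prologue(image: bytes, sites: list[int]) -> bytearray:
    """Put mov edi, edi ; push ebp back (the [disable] half of the CE script)."""
    restored = bytearray(image)
    for site in sites:
        if restored[site:site + 3] != RETN_0C:
            raise ValueError(f"site {site:#x} is not patched")
        restored[site:site + 3] = HOTPATCH_PROLOGUE
    return restored


def build_sample_image() -> bytes:
    """Constructed stand-in for xlive.dll: zero-filled, with the code from
    CoMPMStR's disassembly placed at RVA 13A6AD and a decoy copy of Psych's
    pattern (without the prologue) at RVA 1003 to exercise the rejection path."""
    image = bytearray(ROUTINE_RVA + 0x100)
    preceding = bytes.fromhex("3D CC 00 00 00"      # cmp eax, 0CCh
                              "0F 84 40 FF FF FF"   # je  ...
                              "32 C9"               # xor cl, cl
                              "E9 39 FF FF FF")     # jmp ...
    image[ROUTINE_RVA - len(preceding):ROUTINE_RVA] = preceding
    image[ROUTINE_RVA:ROUTINE_RVA + len(FULL_PATTERN)] = FULL_PATTERN
    decoy = b"\x90\x90\x90" + PSYCH_PATTERN
    image[0x1000:0x1000 + len(decoy)] = decoy
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    ok, bad = locate_patch_sites(img)
    for s in ok:
        print(f"patch site: xlive.dll+{s:X} (VA {MODULE_BASE + s:#010x})")
    for o in bad:
        print(f"ignored: pattern at RVA {o:X} not preceded by 8B FF 55")
    patched = apply_retn_0c(img, ok)
    print(patched[ok[0]:ok[0] + 22].hex(" ").upper())
```

Run stand-alone, it reports the single genuine site as xlive.dll+13A6BF (VA 0x015ca6bf), ignores the decoy at RVA 1003, and prints the patched 22 bytes, which match the `C2 0C 00 8B EC 83 EC 20 ...` sequence WhiteHat posted. Scanning for the 22-byte FULL_PATTERN directly gives the same result with one less step; the two-stage check is kept so that a stray hit on the shorter pattern is reported rather than silently patched.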

Postby WhiteHat » Tue Oct 06, 2009 10:02 pm

I thought i’ve done it correctly...

to quote from my previous post:
WhiteHat wrote:Hex String Search for those bytes:
8B FF 55 8B EC 83 EC 20 53 56 57 8D 45 E0 33 F6 50 FF 75 0C 8B F9

Changed the first 3 bytes to RETN 0C opcode:
C2 0C 00
8B EC 83 EC 20 53 56 57 8D 45 E0 33 F6 50 FF 75 0C 8B F9

Now... Aren’t 8B FF 55 the same in your Disassembler snippet, line 0x15CA6BF:
CoMPMStR wrote:
015CA6AD | 3D CC000000   | cmp eax, CC  |
015CA6B2 | 0F84 40FFFFFF | je 015CA5F8  |
015CA6B8 | 32C9          | xor cl, cl   |
015CA6BA | E9 39FFFFFF   | jmp 015CA5F8 |
015CA6BF | 8BFF          | mov edi, edi | <----- This One...
015CA6C1 | 55            | push ebp     |


If you did modify 015CA6AD then that could be the reason it doesn't work. You are supposed to modify 015CA6BF instead, changing those 3 bytes to RETN 0C (directly beneath the jmp mnemonic).

I could be wrong, but I'm pretty sure that 8B FF 55 resided at 0x015CA6AD. I'll recheck later when I get home, and will post the snippet too. Just to be sure whether our xlive.dll is allocated at different addresses...

CoMPMStR wrote:I get a memory overrun error when I do so with RE5

Exactly the message i always got for failure... ^^;

And thanks for sharing those Money hack. Now, i need to make this bypass work somehow...
Actually i managed to get the Complex Addresses for Chris & Sheva Health and Inventories. Going to share it real soon in new thread...

Thank you for kind replies... :)

Postby CoMPMStR » Tue Oct 06, 2009 10:59 pm

Yes, 8B FF 55 is located at 0x15CA6BF in my snippet. I know the static location for it is xlive.dll+13A6BF, at least for the latest GFWL version, and we should both have the same version.

That message doesn't mean failure, it just means we can't attach the debugger still (ok, maybe it's a failure for that). I noticed that all games using GFWL act differently when you attach the debugger. You have to test by rewriting some of the game code, like the money hack, with this patch enabled to see if the game crashes. I've been using it with Red Faction and tested it with RE5 yesterday.. and it's been working for me so I'll help any way I can. ;)

I also have the pointers for inventory and treasure items, as well as money and ingame items so when you make your new post I'll share my finds as well. :D I only use the DX9 version though, don't know if DX10 is any different. I also have the item structure layout and item digits if you don't have those yet. I didn't need to be bothered with finding infinite health when I have infinite ammo and items. Automatic S&W M500 + Automatic Rocket Launcher = Invincible. :lol:

Postby WhiteHat » Wed Oct 07, 2009 5:52 pm

Hi... I have some screen shots of our previous discussion...

CoMPMStR wrote:Yes, 8B FF 55 is located at 0x15CA6BF in my snippet. I know the static location for it is xlive.dll+13A6BF, at least for the latest GFWL version, and we should both have the same version.

This is the screen shot from Hex String Search for those bytes:
[screenshot]

and following is the disassembler to the first address:
[screenshot]

So, I think our addresses are somehow different, yet I suppose I had patched the opcodes (RETN 0C) at the correct address. No luck attaching the debugger, however...
Anyway, I play with the DX9 version too, BUT maybe it's due to the *crckd* executable I use that our addresses are different...


CoMPMStR wrote:That message doesn't mean failure, it just means we can't attach the debugger still (ok, maybe it's a failure for that). I noticed that all games using GFWL act differently when you attach the debugger. You have to test by rewriting some of the game code, like the money hack, with this patch enabled to see if the game crashes. I've been using it with Red Faction and tested it with RE5 yesterday.. and it's been working for me so I'll help any way I can. ;)

I see... So you're saying that I should continue with the RETN 0C patch and try some code injection instead of trying to attach the debugger?.. I will try this.
Though it's kind of sad to be unable to debug games, since I love finding pointers whenever possible...

Thanks for this suggestion...


CoMPMStR wrote:I also have the pointers for inventory and treasure items, as well as money and ingame items so when you make your new post I'll share my finds as well. :D I only use the DX9 version though, don't know if DX10 is any different.

I’ve posted some of mine here: http://memoryhacking.com/forums/viewtopic.php?t=5476
Feel free to add anything there... ^^


CoMPMStR wrote:I also have the item structure layout and item digits if you don't have those yet.

I already have those structures. Kind of lazy to post the complete ones, but i gave a little example and clues in above link... Yet, please don’t hesitate to post yours. I am sure they would be very much useful, and might learn something from them...


CoMPMStR wrote:I didn't need to be bothered with finding infinite health when I have infinite ammo and items. Automatic S&W M500 + Automatic Rocket Launcher = Invincible. :lol:

That’s the effective kind of invincibility... :lol:

Postby CoMPMStR » Wed Oct 07, 2009 10:53 pm

No it's not the crkd exe that makes the address different (I use it too), so maybe you do have a different xlive.dll version than I do. It is weird, maybe because I installed RFG after RE5. :?

Here's a shot from my RE5:
[screenshot]

Here's a shot from my RFG:
[screenshot]

Either way, you are patching the correct bytes. All you need to do is test it by modifying the game ASM code. It should work 100% no matter which version of GFWL you have installed, unless they change the routine in a future version. :lol:

Postby WhiteHat » Fri Oct 09, 2009 12:47 pm

CoMPMStR wrote:No it's not the crkd exe that makes the address different (I use it too), so maybe you do have a different xlive.dll version than I do. It is weird, maybe because I installed RFG after RE5. :?

Or maybe it's because of which XLIVE games we have installed?
Here's a list of what I have installed before (in order):
- Street Fighter 4
- Battle Station Pacific (uninstalled already)
- Batman Arkham Asylum (uninstalled already)
- Resident Evil 5


CoMPMStR wrote:Either way, you are patching the correct bytes. All you need to do is test it by modifying the game ASM code. It should work 100% no matter which version of GFWL you have installed, unless they change the routine in a future version. :lol:

I confirm that it works nicely... I have even managed to do a couple of code injections for RE5, which I posted in the RE5 thread. I have tested them for about 5 minutes...

:)

xlive

Postby careca » Mon Oct 19, 2009 5:14 am

Hi, I came across this forum when I searched for the xlive memory check and crash, so I followed the steps described in the first post and patched the xlive DLL directly. The problem is, when I start Red Faction, GFW is not active, and if I try to load the save, it asks if I want to sign in... Then I used the unpatched DLL and used a cheat table someone made for Cheat Engine, with the same code, I mean:

xlive.dll+13A6AD:
retn 0c

activated it, got in, but then crashed some minutes after i activated the cheat. What can i do?

my dll version is v3.0.19.0
