Jump to content

  • Log In with Google      Sign In   
  • Create Account


#ActualTheChubu

Posted 19 December 2012 - 07:58 PM

If I understand correctly what ENB injector does, it's only just injecting a DLL (some kind of D9D wrapper?) into another process' address space.

Boris differentiates between both in its files. It has an "Injector version" and a "Wrapper version"

Originally, it had a d3d9.dll that got loaded by the game, probably because it has the same name as the actual Windows library. That means that the game would load the "fake" d3d9.dll and then that dll would call the proper library?

That can be done rather easily, for example by installing a global hook procedure (from which you load that DLL) or using CreateRemoteThread or simply by either setting the AppInit_DLLs key in the registry or by placing a wrapper DLL into the executable's directory.

So, with those methods one could load a dll, but how that dll would interact with the process? Can the dll call functions in the .exe?

All that assumes proper access rights of course, but this is usually the case, given that you own, and have physical access to your computer. Reading and writing another process' memory as you've suggested in your last paragraph is of course possible too, if you have proper access right (running a mini-debugger is a certain way of having rights). Oh, speaking of mini-debugger... a debugger is notified of every DLL being loaded or unloaded. You can probably use that to trivially exchange (or inject) DLLs too.

Interesting. The debugger would need to be compiled into the exe or its just another dll that can be injected?

Now of course, doing it and doing it without triggering an anti-exploit mechanism may be slightly different things (you have to assume that the developers of a game title are not complete idiots and know all the obvious tricks too). Also, doing it and doing it without breaking the law are again different things.

Of course, dealing with copy protection and all that.

In particular what made me curious is the Skyboost project. It goes like this: Skyrim for PC's executable code was compiled pretty much without optimization flags, thus some very critical code wasn't taking advantage of compiler optimizations neither modern instruction sets (ie, SSE2) and the game was severely CPU limited.

So, this guy comes ahead with a profiler, catches up the issue and codes in ASM a replacement for some critical functions in Skyrim's exe and calls it "TESVAL". Massive performance improvements ensue (ie, +20% to +40% perf increase) but with a big big drawback, the injector had to be updated every time Skyrim was updated (in contrast with other injector i've seen, probably because this one replaced .exe code instead of adding functions).

Since TESVAL author didn't had enough time, Alexander Blade (pretty experienced guy from what i've seen) picks up the project, ports it to C, calls it "Skyboost" and starts experimenting with more optimizations. After a few updates Bethesda updated Skyrim with a properly compiled exe and the patch was made irrelevant.

See this old thread for more discussion.

Thanks! I'll check the links mentioned on that thread.

#3TheChubu

Posted 19 December 2012 - 07:58 PM

If I understand correctly what ENB injector does, it's only just injecting a DLL (some kind of D9D wrapper?) into another process' address space.

Boris differentiates between both in its files. It has an "Injector version" and a "Wrapper version"

Originally, it had a d3d9.dll that got loaded by the game, probably because it has the same name as the actual Windows library. That means that the game would load the "fake" d3d9.dll and then that dll would call the proper library?

That can be done rather easily, for example by installing a global hook procedure (from which you load that DLL) or using CreateRemoteThread or simply by either setting the AppInit_DLLs key in the registry or by placing a wrapper DLL into the executable's directory.

So, with those methods one could load a dll, but how that dll would interact with the process? Can the dll call functions in the .exe?

All that assumes proper access rights of course, but this is usually the case, given that you own, and have physical access to your computer. Reading and writing another process' memory as you've suggested in your last paragraph is of course possible too, if you have proper access right (running a mini-debugger is a certain way of having rights). Oh, speaking of mini-debugger... a debugger is notified of every DLL being loaded or unloaded. You can probably use that to trivially exchange (or inject) DLLs too.

Interesting. The debugger would need to be compiled into the exe or its just another dll that can be injected?

Now of course, doing it and doing it without triggering an anti-exploit mechanism may be slightly different things (you have to assume that the developers of a game title are not complete idiots and know all the obvious tricks too). Also, doing it and doing it without breaking the law are again different things.

Of course, dealing with copy protection and all that.

In particular what made me curious is the Skyboost project. It goes like this: Skyrim for PC's executable code was compiled pretty much without optimization flags, thus some very critical code wasn't taking advantage of compiler optimizations neither modern instruction sets (ie, SSE2) and the game was severely CPU limited.

So, this guy comes ahead with a profiler, catches up the issue and codes in ASM a replacement for some critical functions in Skyrim's exe and calls it "TESVAL". Massive performance improvements ensue (ie, +20% to +40% perf increase) but with a big big drawback, the injector had to be updated every time Skyrim was updated (in contrast with other injector i've seen, probably because this one replaced .exe code instead of adding functions).

Since TESVAL author didn't had enough time, Alexander Blade (pretty experienced guy from what i've seen) picks up the project, ports it to C, and starts experimenting with more optimizations. After a few updates Bethesda updated Skyrim with a properly compiled exe and the patch was made irrelevant.

See this old thread for more discussion.

Thanks! I'll check the links mentioned on that thread.

#2TheChubu

Posted 19 December 2012 - 07:56 PM

If I understand correctly what ENB injector does, it's only just injecting a DLL (some kind of D9D wrapper?) into another process' address space.

Boris differentiates between both in its files. It has an "Injector version" and a "Wrapper version"

Originally, it had a d3d9.dll that got loaded by the game, probably because it has the same name as the actual Windows library. That means that the game would load the "fake" d3d9.dll and then that dll would call the proper library?

That can be done rather easily, for example by installing a global hook procedure (from which you load that DLL) or using CreateRemoteThread or simply by either setting the AppInit_DLLs key in the registry or by placing a wrapper DLL into the executable's directory.

So, with those methods one could load a dll, but how that dll would interact with the process? Can the dll call functions in the .exe?

All that assumes proper access rights of course, but this is usually the case, given that you own, and have physical access to your computer. Reading and writing another process' memory as you've suggested in your last paragraph is of course possible too, if you have proper access right (running a mini-debugger is a certain way of having rights). Oh, speaking of mini-debugger... a debugger is notified of every DLL being loaded or unloaded. You can probably use that to trivially exchange (or inject) DLLs too.

Interesting. The debugger would need to be compiled into the exe or its just another dll that can be injected?

Now of course, doing it and doing it without triggering an anti-exploit mechanism may be slightly different things (you have to assume that the developers of a game title are not complete idiots and know all the obvious tricks too). Also, doing it and doing it without breaking the law are again different things.

Of course, dealing with copy protection and all that.

In particular what made me curious is the Skyboost project. It goes like this: Skyrim for PC's executable code was compiled pretty much without optimization flags, thus some very critical code wasn't taking advantage of compiler optimizations neither modern instruction sets (ie, SSE2) and the game was severely CPU limited.

So, this guy comes ahead with a profiler, catches up the issue and codes in ASM a replacement for some critical functions in Skyrim's exe and calls it "TESVAL". Massive performance improvements ensue (ie, +20% to +40% perf increase) but with a big big drawback, the injector had to be updated every time Skyrim was updated (in contrast with other injector i've seen, probably because this one replaced .exe code instead of adding functions).

Since TESVAL author didn't had enough time, Alexander Blades picks up the project, ports it to C, and starts experimenting with more optimizations. After a few updates Bethesda updated Skyrim with a properly compiled exe and the patch was made irrelevant.

See this old thread for more discussion.

Thanks! I'll check the links mentioned on that thread.

#1TheChubu

Posted 19 December 2012 - 07:55 PM

If I understand correctly what ENB injector does, it's only just injecting a DLL (some kind of D9D wrapper?) into another process' address space.

Boris differentiates between both in its files. It has an "Injector version" and a "Wrapper version"

Originally, it had a d3d9.dll that got loaded by the game, probably because it has the same name as the actual Windows library. That means that the game would load the "fake" d3d9.dll and then that dll would call the proper library?

That can be done rather easily, for example by installing a global hook procedure (from which you load that DLL) or using CreateRemoteThread or simply by either setting the AppInit_DLLs key in the registry or by placing a wrapper DLL into the executable's directory.

So, with those methods one could load a dll, but how that dll would interact with the process? Can the dll call functions in the .exe?

All that assumes proper access rights of course, but this is usually the case, given that you own, and have physical access to your computer. Reading and writing another process' memory as you've suggested in your last paragraph is of course possible too, if you have proper access right (running a mini-debugger is a certain way of having rights). Oh, speaking of mini-debugger... a debugger is notified of every DLL being loaded or unloaded. You can probably use that to trivially exchange (or inject) DLLs too.

Interesting. The debugger would need to be compiled into the exe or its just another dll that can be injected?

Now of course, doing it and doing it without triggering an anti-exploit mechanism may be slightly different things (you have to assume that the developers of a game title are not complete idiots and know all the obvious tricks too). Also, doing it and doing it without breaking the law are again different things.

Of course, dealing with copy protection and all that.

In particular what made me curious is the Skyboost project. It goes like this: Basically, PC's executable code was compiled pretty much without optimization flags, thus some very critical code wasn't taking advantage of compiler optimizations neither modern instruction sets (ie, SSE2) and the game was severely CPU limited.

So, this guy comes ahead with a profiler, catches up the issue and codes in ASM a replacement for some critical functions in Skyrim's exe and calls it "TESVAL". Massive performance improvements ensue (ie, +20% to +40% perf increase) but with a big big drawback, the injector had to be updated every time Skyrim was updated (in contrast with other injector i've seen, probably because this one replaced .exe code instead of adding functions).

Since TESVAL author didn't had enough time, Alexander Blades picks up the project, ports it to C, and starts experimenting with more optimizations. After a few updates Bethesda updated Skyrim with a properly compiled exe and the patch was made irrelevant.

See this old thread for more discussion.

Thanks! I'll check the links mentioned on that thread.

PARTNERS