Runtime QVM Modification

[Macpunk]

Recently c0re made a post ( http://forum.gamedeception.net/showthread.php?t=18794 ) that mentioned getting the address of a function in the QVM *after* it's been compiled to native code. I feel I should explain more about what this is and what it can do.

The Quake VM allows a developer to compile a module to a bytecode form and gain two benefits at a minimal cost of speed. These benefits are security and cross compatibility. Any platform that has an implementation of the Quake VM can run a module compiled to QVM code. QVM code is "more secure" because the QVM code can't do anything that the underlying VM can't(unless you find a vulnerability in the VM itself or the syscalls that are implemented in the VM give you access to do so).

There are a few different ways that QVMs are used in Q3 based games but I am going to focus on games that compile the QVM code to native code. That is, it converts the QVM instructions to analogous instructions or instruction sequences of the underlying architecture. In my case, it converts QVM bytecode to PowerPC machine code.

When the game wants to load a module, it calls VM_Create. VM_Create then checks a certain parameter and if the game uses DLLs, it'll load the DLL that was requested. However, if the game uses QVMs it'll call VM_LoadQVM. VM_LoadQVM loads the QVM into memory and does some sanity checks. If everything checks out, it initializes a vm_t struct. This vm_t struct has various information about the VM such as the syscall handler(syscall hooking is as simple as saying vm->systemCalls = &my_syscalls).

Here's the interesting bit. Once the QVM is loaded into memory, depending on how the game uses QVMs(interpreted or compiled, we're talking about compiling here) it'll compile the QVM to native machine code. It does this by going through every instructing in the QVM and creating analogous instruction sequences. If we are able to modify the QVM code *after* it's loaded into memory, but *before* it's compiled to native code, we can essentially change the QVM itself.

The easiest way to do this is to hook VM_LoadQVM, call the original, but before returning do something like this....

Code:

vmHeader_t *hook_VM_LoadQVM( vm_t *vm, qboolean alloc ) {
    vmHeader_t *ret = orig_VM_LoadQVM(vm, alloc);

    if(!strcmp(vm->name, "cgame") {
        vm->instructionPointers[0x0FF5E7] = 0x00; //0x00 is the opcode of whatever you want the instruction to be
    }

    return ret;
}

instructionPointers is a member of the vm_t struct that is an array of bytes, each representing a QVM opcode. 0x0FF5E7 is the number of the instruction(NOT the offset from the start of the code segment) in the QVM to be modified, and the element at instructionPointers[0xFF5E7] is the opcode of the 0x0FF5E7th instruction in the QVM. I don't know of any standard terminology to be applied here, but the main idea is to note that code addresses in the VM are not represented using byte offsets, they are represented using instruction numbers.

Now once the QVM is compiled to native machine code, it compiles a completely different sequence of instructions. You've effectively changed the VM code.

This can be used for ton of things. I'm currently using it for no recoil in Urban Terror. c0re used it to find the address of a function after it's been compiled which would allow for native hooking instead of doing everything in the syscall handler. If you did a bit of work you might be able to implement completely QVM based function hooking.

I plan on doing more research and releasing a complete paper on the Quake 3 VM, as well as an example(UrT no recoil) utilizing this method.

It is 6AM here and I may sound like an idiot at the moment. Please excuse me. :-)

Credits:
q3 sdk
c0re, I believe he said he found this or something similar though we did discover it independently

Shouts: c0re, chaplja, kingOrgy, Ecc, #nixcoders, #game-deception, Naomi

Happy hacking,
Macpunk

[Macpunk]

I wasn't really clear on how c0re managed to find the offset of a function with this. Basically, he made the first instruction of the function a BREAK instruction. When a QVM BREAK instruction is compiled, it basically becomes " *(int *)0 = 0;" which would clearly crash the program. Wherever the program crashes, that's the offset of the function in machine code. Handy trick.

--Macpunk

[learn_more]

nice idea!

looking forward to your paper

[c0re]

Don't expose our secrets. jk. Very good detailed read. Thread should be a sticky. We should make a collaboration of stuff once you get started on making that paper. So hurry up so I can steal your urban terror norecoil.

[h1web]

Don't expose our secrets. jk. Very good detailed read. Thread should be a sticky. We should make a collaboration of stuff once you get started on making that paper. So hurry up so I can steal your urban terror norecoil.

I'll join you guys on *NIX ;D

[Twice]

Sounds nice...
Let's assume I wanna hook CG_EntityEvent in the quake3 clone OpenArena.
The first bad thing is, that the instructionPointers of the cgame-vm aren't set after VM_LoadQVM gets called.
Second, how do you get the Instruction-Number of the CG_EntityEvent-Entrypoint? I may have the Code-Offset after disassembling the .qvm-File, but that's all.

Hoping for an answer.

[Macpunk]

Are you 100% positive instructionPointers isn't initialized? Make sure, because it should be. I don't have the time to check atm.

Getting the instruction number of a given instruction is as easy as looking at the disassembly in your favorite disassembler. I know QVMDisas.py(shameless plug) shows this, and I can't remember if any others do. I'm thinking of writing a GUI version of QVMDisas, maybe in Go for shits and giggles.

Good luck Twice,
Macpunk

[Twice]

Yes, the vmHeader_t struct is filled with valid infos, but vm->instructionPointers == NULL.
The earliest point it's accessible to me is in VM_Create.

Your QVMDisas keeps telling me my qvm-File hasn't got the right size. I'm using ascii's QvmKanker, which doesn't let me know the instruction number.

[c0re]

I wrote a tool for it as well because his qvmdisas was giving me the same similar problems. I'll take a peak and dig through some of my stuff. Where did you download the game at?

[Twice]

Its Homepage:
http://openarena.ws/smfnews.php

Download Version 0.8.1
Download Patch 0.8.5

EDIT\\ After some research I found out, that the VM gets compiled in VM_Create, hence the instruction pointers are set in there, too. So, wouldn't it be easier to do this stuff in VM_Compile rather than in VM_LoadQVM?

[Twice]

I found the address of CG_EntityEvent in native code, now.
Is there anything to care of when hooking vm-functions, or does it work the normal way? My hook is working since the game doesn't crash, but I'm still having trouble obtaining the args.

[Twice]

It works, now. Not the cool way, but at least it works. For everyone, who is interested:

- Disassemble the cgame.qvm with a disassembler, that shows the instructionNumber. I have slightly modified ascii's qvmkanker.
- After VM_Compile create a detour at the address, which vm->instructionNumber[ yoursHere ] contains.
- The function-type should be no return value and no parameter.
- The first thing you do in the hooked function is saving the ESI-Register.
- Then use my crappy function to obtain the arguments:

Code:

// I haven't figured out, what baseAddr actually is, yet (might be some kinda stack).
//	Look at the function in native code and you will see
//	a big number at the beginning lines. That's it.
void* qvmGetArg( int baseAddr, int argIndex, int reg_esi ) // First arg has argIndex == 0
{
	void* result = NULL;

	argIndex *= 4;
	argIndex += 8;

	__asm
	{
		mov		eax, 0

		add		eax, [ reg_esi ]
		add		eax, [ argIndex ]
		lea		eax, dword ptr [ eax ]
		add		eax, [ baseAddr ]
		mov		eax, dword ptr [ eax ]
		add		eax, [ baseAddr ]

		mov		[ result ], eax
	}

	return result;
}

- The original function can be called by doing something like this:

Code:

__asm add	esp, 4
__asm call	origCG_EntityEvent

Sorry for my 3-Posts-In-A-Row

[Macpunk]

At first glance, it would appear that Twice is correct. instructionPointers gets initialized in VM_Compile for the host architecture, *after* VM_LoadQVM is called. Unfortunately, I have no fucking clue why my code for UrT worked if the instructionPointers wasn't initialized. LMFAO.

Congratulations to Twice. I am *very* pleased to see someone using this technique with some rate of success.

--Macpunk

[LuxXx]

btw at first code

Code:

vmHeader_t *hook_VM_LoadQVM( vm_t *vm, qboolean alloc ) {
    vmHeader_t *ret = orig_VM_LoadQVM(vm, alloc);

    if(!strcmp(vm->name, "cgame") {
        vm->instructionPointers[0x0FF5E7] = 0x00; //0x00 is the opcode of whatever you want the instruction to be
    }

    return ret;
}

there is a missing ) at "if(!strcmp(vm->name, "cgame")"

[Tamimego]

Resurrecting a year old thread for a bracket, nice job.