lampuiho Expert Cheater Reputation: 6
Joined: 16 Jan 2010 Posts: 122
Posted: Thu Oct 20, 2016 11:43 am Post subject: IDA Pro with Denuvo Games?
I can't analyse those EXEs with IDA Pro :/
And I can't seem to get it to attach and dump the memory ...
_Veggy Cheater Reputation: 2
Joined: 30 Apr 2013 Posts: 34 Location: BReWErS rox your dox
Posted: Sat Oct 22, 2016 12:32 am
It's because Denuvo executes vital game functions and protection schemes through the VMProtect VM.
There are tons of obfuscated code in the VM, which causes IDA to have trouble analysing it.
About the anti-attach: it's because Denuvo runs a separate thread in which it hooks ntdll!DbgUiRemoteBreakin and overwrites it with a jump to terminate the process.
The solution would be to use the VEH debugging feature from CE.
STN I post too much Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Posted: Sat Oct 22, 2016 2:57 am
If it was that easy to analyze, the scene groups wouldn't have this much difficulty cracking it lol.
ThePlug Newbie cheater Reputation: 1
Joined: 29 Jul 2016 Posts: 11
Posted: Sun Oct 23, 2016 6:17 pm
What game? I could attach a debugger and dump BF1 and Hitman just fine.
lampuiho Expert Cheater Reputation: 6
Joined: 16 Jan 2010 Posts: 122
Posted: Fri Oct 28, 2016 9:55 am
_Veggy wrote:
    It's because Denuvo executes vital game functions and protection schemes through the VMProtect VM.
    There are tons of obfuscated code in the VM, which causes IDA to have trouble analysing it.
    About the anti-attach: it's because Denuvo runs a separate thread in which it hooks ntdll!DbgUiRemoteBreakin and overwrites it with a jump to terminate the process.
    The solution would be to use the VEH debugging feature from CE.
Yeah, but can you dump the EXE with Cheat Engine?
_Veggy Cheater Reputation: 2
Joined: 30 Apr 2013 Posts: 34 Location: BReWErS rox your dox
Posted: Fri Oct 28, 2016 10:55 am
I don't know if Cheat Engine has a dump function like certain other debuggers.
There are multiple alternatives floating around, like Scylla, Virtual Section Dumper, and the CFF Explorer suite, which has a program called Task Explorer. The best option, in my opinion, is coding your own file dumper. Then you can adjust it to anything you like.
predprey Master Cheater Reputation: 24
Joined: 08 Oct 2015 Posts: 486
Posted: Sun Nov 27, 2016 9:57 pm
The entire PE executable seems to be encrypted itself, including the headers. It seems like the first layer of protection involves the Steam API communicating with the Denuvo server to generate a key with which it decrypts the EXE. As reported countless times, there are probably vital game functions which are decrypted just-in-time, so dumping the static memory of the executable is only part of the solution towards debugging Denuvo. Documentation on Denuvo is rather lacking and kept in closed circles, and probably would not be shared until it's outdated, much like StarForce and SecuROM.
Kavvman Master Cheater Reputation: 2
Joined: 17 Apr 2004 Posts: 316
Posted: Mon Nov 28, 2016 6:37 am
I don't remember if they ever made a de-virtualizer for VMProtect; they did for Themida. You can use that to make sense of the instructions: a lot of the code there is mumbo jumbo mixed in with instructions that VMProtect's VM can understand.
If you're really interested in this, you can probably understand how they devirtualized Themida and use that to make (or improve) one for VMProtect.
Simply dumping the memory shouldn't be too hard, but that's not the hurdle.
SunBeam I post too much Reputation: 65
Joined: 25 Feb 2005 Posts: 4022 Location: Romania
Posted: Mon Nov 28, 2016 7:07 am
From the way the post looks: someone who's heard that if you use a debugger or IDA, you can do lots of things - hack, crack, etc. - in his game. The post also suggests he doesn't know anything about hacking/cracking, just collecting some tools/names and struggling with the process. Yeah, my two cents.
lampuiho Expert Cheater Reputation: 6
Joined: 16 Jan 2010 Posts: 122
Posted: Tue Dec 27, 2016 4:01 am
SunBeam wrote:
    From the way the post looks: someone who's heard that if you use a debugger or IDA, you can do lots of things - hack, crack, etc. - in his game. The post also suggests he doesn't know anything about hacking/cracking, just collecting some tools/names and struggling with the process. Yeah, my two cents.
I am just lazy and don't want to do things the hard way lol.
IDA Pro can make analysing things so much easier, but I haven't used it for quite some time, so I can't seem to get it to analyse a running process.
I can make a hook to a certain Windows debugger function that makes IDA Pro crash, but still I can't get it to analyse anything. IDA Pro also comes with many other plugins like RTTI, C++ decompiler, etc. Those tools make things a lot faster and save me a lot of time.
BTW, I didn't get a few reputation points for contributing nothing.
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Tue Dec 27, 2016 4:29 am
lampuiho wrote:
    BTW, I didn't get a few reputation points for contributing nothing.
But isn't that subjective? The value of the contribution may be weighed differently, depending on who is receiving the information.
Besides, rep could be acquired via the random-spam sub-folder, where most of the 'contributions' are about as valuable as rat droppings that have AIDS in them.
In your defense, though, SunBeam was one of your benefactors.
lampuiho Expert Cheater Reputation: 6
Joined: 16 Jan 2010 Posts: 122
Posted: Sun Jan 01, 2017 8:02 am
++METHOS wrote:
    lampuiho wrote:
        BTW, I didn't get a few reputation points for contributing nothing.
    But isn't that subjective? The value of the contribution may be weighed differently, depending on who is receiving the information.
    Besides, rep could be acquired via the random-spam sub-folder, where most of the 'contributions' are about as valuable as rat droppings that have AIDS in them.
    In your defense, though, SunBeam was one of your benefactors.
Oh yeah, I didn't even realise.