Cheat Engine

lampuiho · Posted: Thu Oct 20, 2016 11:43 am Post subject: Ida pro with Denuvo Games?

I can't analyse those exe with ida pro :/

And I can't seem to get it to attach and dump the memory ...

_Veggy · Posted: Sat Oct 22, 2016 12:32 am Post subject:

It's because Denuvo executes vital game functions, protection schemes through VMProtect VM.
There is tons of obfuscated code in the VM which causes IDA to have trouble analyzing it.
About the anti-attach it's because Denuvo runs a seperate thread in which it hooks: ntdll!DbgUiRemoteBreakin and overwrites it with a jump to terminate process.
Solution would be to use VEH debugging feature from CE.

STN · Posted: Sat Oct 22, 2016 2:57 am Post subject:

If it was that easy to analyze, the scene groups wouldn't have this much difficulty cracking it lol.

ThePlug · Newbie cheater Reputation: 1 Joined: 29 Jul 2016 Posts: 11

What game? I could attach debugger and dump bf1 and hitman just fine.

lampuiho · Posted: Fri Oct 28, 2016 9:55 am Post subject:

_Veggy · Posted: Fri Oct 28, 2016 10:55 am Post subject:

I don't know if Cheatengine has a dump function like certain other debuggers.
There are multiple alternatives floating around like:
Scylla, Virtual Section Dumper, CFF Explorer suite has an program called Task Explorer. Best to use though in my opinion say is coding your own file dumper. Than you can adjust it to anything you like.

predprey · Posted: Sun Nov 27, 2016 9:57 pm Post subject:

the entire PE executable seems to be encrypted itself including the headers. seems like the first layer of protection involves steamapi communicating with denuvo server to generate a key with which it decrypts the exe. as reported countless times, there are probably vital game functions which are decrypted just-in-time so dumping the static memory of the executable is only part of the solution towards debugging denuvo. documentation on denuvo is rather lacking and kept in closed circles and probably would not be shared until its outdated, much like starforce and securom.

Kavvman · Posted: Mon Nov 28, 2016 6:37 am Post subject:

I don't remember if they ever made a de-virtualizer for vmprotect, they did for themida. You can use that to make sense of the instructions, a lot of the code there is mumbo jumbo mixed in with instructions that vmprotect's vm can understand.

If you're really interested in this, you can probably understand how they devirtualized themida and use that to make (or improve) one for vmprotect.

Simply dumping the memory shouldn't be too hard but that's not the hurdle.

SunBeam · Posted: Mon Nov 28, 2016 7:07 am Post subject:

From the way the post looks like: someone who's heard that if you use a debugger or IDA, you can do lots of things - hack, crack, etc. - in his game. Post also suggests he doesn't know anything about hacking/cracking, just collecting some tools/names and struggling with the process Smile

Yeah, my two cents.

lampuiho · Posted: Tue Dec 27, 2016 4:01 am Post subject:

++METHOS · Posted: Tue Dec 27, 2016 4:29 am Post subject:

lampuiho · Posted: Sun Jan 01, 2017 8:02 am Post subject: