Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25294 Location: The Netherlands
Posted: Wed Dec 29, 2004 12:17 am Post subject: Debugging an already debugged process
This was a nice post that deserves to come back:
If you use Windows XP SP2:
Go to Settings->Extra and enable Read Process Memory/Write Process Memory.
Open the process (don't attach yet).
In the main window double-click on the text of the process ID and name (e.g. 00001214-GAME.DAT).
It will pop up a window with the text peprocess=xxxxxxxx. Write that address down somewhere.
Go to the memory view window.
In the hex view part (bottom part) right-click and choose "goto address".
Type there the address of peprocess and add the text "+bc" to it (so if peprocess=868FDDA0 you type in the goto window "868FDDA0+bc").
Now change the 4 bytes there to 0 and you'll be able to use the attach debugger option.
Windows XP SP1, or no SP: no idea... (you'll need to make the debugport NULL)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Shodan How do I cheat? Reputation: 0
Joined: 16 Nov 2004 Posts: 7
Posted: Sun Jan 02, 2005 9:17 pm Post subject:
I'm able to figure out how to get there but the next part goes over my head. Which are the 4 bytes I'm supposed to change?
Address is: 855CB520+BC
stomperz Expert Cheater Reputation: 0
Joined: 18 Jul 2004 Posts: 193 Location: USA Chicago
Posted: Mon Jan 03, 2005 7:30 am Post subject:
Here ya go
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25294 Location: The Netherlands
Posted: Thu Jan 06, 2005 11:47 am Post subject:
Oh yes, there might be a chance that the offset bc is the same in SP1 and even without an SP, but I'm not sure.
You could try it. But I must warn you that if you modify the wrong spot Windows may crash or act strange(r).
Faldo How do I cheat? Reputation: 0
Joined: 06 Jan 2005 Posts: 7
Posted: Fri Jan 07, 2005 7:09 am Post subject: ACK!
I have two AMD computers at home; once I enable that read/write option they tell me that there's an error in dbk32.dll and the functions won't work. I tried CE at work today with an Intel CPU and it worked, but this computer isn't powerful enough to run the game.
Will there be a version in the future that supports AMD CPUs?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25294 Location: The Netherlands
Posted: Fri Jan 07, 2005 11:22 am Post subject:
Check your computers for security settings etc... I've sometimes seen that some computers have file encryption on by default and that seems to mess up the driver. (Right-click the Cheat Engine folder, click Advanced and disable that option.)
But if that doesn't work you'll have to wait for me to have enough money for a new computer with an AMD CPU, or for someone with an AMD to fix the driver. Just loading the driver shouldn't give a problem for AMDs though.
Does it say SOME functions won't work or does it give an error that it couldn't load dbk32.sys? Because in the case of some functions the memory at the location of peprocess may still be accessible (you just won't be able to use stealth).
Faldo How do I cheat? Reputation: 0
Joined: 06 Jan 2005 Posts: 7
Posted: Fri Jan 07, 2005 1:29 pm Post subject:
No, my files aren't encrypted.
It tells me: "KeServiceDescriptorTableShadow couldn't be located, this means that some functions will not work"
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25294 Location: The Netherlands
Posted: Fri Jan 07, 2005 1:42 pm Post subject:
You should still be able to read the kernel memory even though you get that error. (It just won't be able to hide Cheat Engine very well.)
Hmm, or not. Because the only reason I can think of that prevents finding the shadow table is if the page table isn't showing it as readable, and to prevent crashes CE will then not read that memory. And if the page table is different on an AMD that will also cause problems for reading the kernel memory at other locations.
Yup, I really need an AMD computer to test stuff.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25294 Location: The Netherlands
Posted: Fri Jan 07, 2005 1:54 pm Post subject:
Well.... there may be another approach if you have an AMD but I'm also not sure if it'll work and it's quite advanced...
Go to the location peprocess tells you.
In the memory view you'll probably see all ??'s but also a text that says "physical address=xxxxxxxx".
Now switch the process to [Physical memory] and go to that address,
then that address+bc and change the 4 bytes there to 0.
Faldo How do I cheat? Reputation: 0
Joined: 06 Jan 2005 Posts: 7
Posted: Fri Jan 07, 2005 1:54 pm Post subject:
I think you're right... thing is, when I choose "goto" and enter the address+BC there is nothing there... just a bunch of question marks.
However, in the image that Shodan pasted there is a section in the hex view that says "game.dat". I took another hex editor with a search function and found something similar but not in the same code area:
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25294 Location: The Netherlands
Posted: Fri Jan 07, 2005 2:17 pm Post subject:
For those with some technical experience: Try disabling the no-execute option in Windows and make sure PAE is disabled. (Might want to check boot.ini.)
I bet this has to do with the 3rd page table needed for PAE, which is needed for the no-execute bit.
Faldo How do I cheat? Reputation: 0
Joined: 06 Jan 2005 Posts: 7
Posted: Fri Jan 07, 2005 3:37 pm Post subject: Mini tutorial for AMD users
Ok, I finally managed to make this work, thanks to DarkByte.
Mini tutorial on how to debug a process that is already debugged (or blocked by the game). FOR AMD USERS!
1. Open CE 4.4 and open the settings window. Go to "Extra" and select "Read process memory/Write process memory". Click "Ok".
Ignore the message telling "KeServiceDescriptorTableShadow couldn't be located, this means that some functions will not work"; you don't really need those functions for this anyways.
2. Open your game process by double-clicking it.
3. In the main CE window, double-click the text at the top where it gives you the PID and process name and write down the PEProcess address.
4. Open the "Memory view" window. In the lower part of the window (Hex View) right-click and select "Goto address". Enter the address you wrote down and add the hex number BC, i.e. 85528BC0+BC.
5. Until this step everything was the same as for INTEL users.
If the address you wrote down was 85528BC0 you should have the address 85528C7C (85528BC0+BC) at the top of the hex view window.
All you see as hex code is a bunch of "??". That's perfectly normal, don't worry.
In the Hex View window you'll also see something called "Physical address"; write down this address (i.e. 551977C).
6. Exit the Memory Viewer and open the process list again. Double-click the "[Physical Memory]" process.
7. Open the Memory Viewer and this time enter the physical address in the "goto address" field.
8. You'll now see the physical address as the first line in your hex view. After that address you'll see 4 sets of numbers (i.e. 68 72 75 85). The list of numbers goes on, but you need to change those 8 numbers to 0s (i.e. 00 00 00 00).
You'll now be able to attach CE to the game, or any other debugger as well for that matter.
Cheers!
Shodan How do I cheat? Reputation: 0
Joined: 16 Nov 2004 Posts: 7
Posted: Sat Jan 08, 2005 4:25 pm Post subject:
Just letting you guys know that it worked.
Thanks, stomperz
With XP SP1 and a pentium 4.
girlie777 How do I cheat? Reputation: 0
Joined: 19 Feb 2005 Posts: 2
Posted: Sat Feb 19, 2005 12:50 pm Post subject:
Hi, so how do I actually use the debugger and make trainers workable? I've done all the steps except the debugging part.. so when I use trainers, I still get booted out of the game..
girlie777 How do I cheat? Reputation: 0
Joined: 19 Feb 2005 Posts: 2
Posted: Sat Feb 19, 2005 1:03 pm Post subject: Re: Mini tutorial for AMD users
[quote="Faldo"]
6. Exit the Memory Viewer and open the process list again. Double-click the "[Physical Memory]" process.
7. Open the Memory Viewer and this time enter the physical address in the "goto address" field.
8. You'll now see the physical address as the first line in your hex view. After that address you'll see 4 sets of numbers (i.e. 68 72 75 85). The list of numbers goes on, but you need to change those 8 numbers to 0s (i.e. 00 00 00 00).
You'll now be able to attach CE to the game, or any other debugger as well for that matter.
Cheers![/quote]
How do I use the debugger or any other trainer for the game after Step 8? BTW, for step 7, when you input the physical address, do you have to add +BC? e.g. 12345678+BC