Cheat Engine - The Official Site of Cheat Engine

ducspam, Expert Cheater
Posted: Tue Oct 11, 2005 1:07 pm

I did not include "IsDebuggerPresent" API when making the debugger. I didn't know I needed it. I'll test it again when I get back home from work.

ducspam, Expert Cheater
Posted: Tue Oct 11, 2005 7:27 pm

Ok, here is the output of the debugger. And it went all the way to the 4th stage, and said "isdebuggerpresent" and it returned true.

debugtest

Code:
    New thread created: thread id = 3624, thread handle = 940, start address =  0x7C95077B

    Debug Exception: thread id = 3624, exception address = 0x7C901230, exception code = EXCEPTION_BREAKPOINT
    // int3 breakpoint always happens
    // do DBG_EXCEPTION_NOT_HANDLED

    Debug Exception: thread id = 2020, exception address = 0x7C81EB33, exception code = 0xEEDFADE
    // occurs when button 1 was pressed
    // no fucking clue what exception 0xEEDFADE is
    // do DBG_EXCEPTION_NOT_HANDLED

    Debug Exception: thread id = 2020, exception address = 0x452220, exception code = EXCEPTION_BREAKPOINT
    // occurs when button 2 was pressed
    // do DBG_EXCEPTION_NOT_HANDLED

    Debug Exception: thread id = 2020, exception address = 0x0, exception code = EXCEPTION_ACCESS_VIOLATION
    // occurs when button 3 was pressed
    // do DBG_EXCEPTION_NOT_HANDLED

    // press button 4, pop up box appears, close pop up box
    // debug event loops and enters the last exception (over and over)

So, does that look correct? I think it's the process that I try to debug, it's killing the debugger. I put more output on the debugger that is trying to debug that troublesome process.
 
 
Code:
    // New Process Created: (debuggee)
    New Thread Created: process id = 3564, thread id = 2016, thread handle = 900, start address = 0x7C810856
    New Thread Created: process id = 3564, thread id = 3364, thread handle = 904, start address = 0x7C810856
    New Thread Created: process id = 3564, thread id = 1008, thread handle = 908, start address = 0x7C810856
    New Thread Created: process id = 3564, thread id = 2992, thread handle = 912, start address = 0x7C810856
    New Thread Created: process id = 3564, thread id = 3148, thread handle = 916, start address = 0x7C810856
    New Thread Created: process id = 3564, thread id = 3792, thread handle = 1128, start address = 0x7C95077B
    Debug Exception: process id = 3564, thread id = 3792, exception address = 0x7C901230, exception code = 0x80000003
    Thread Exited: process id = 3564, thread id = 3792
    New Thread Created: process id = 3564, thread id = 2900, thread handle = 780, start address = 0x7C810856
    Debug Exception: process id = 3564, thread id = 2352, exception address = 0x7C81EB33, exception code = 0xE06D7363
    Debug Exception: process id = 3564, thread id = 2352, exception address = 0x7C81EB33, exception code = 0xE06D7363
    New Thread Created: process id = 3564, thread id = 3044, thread handle = 776, start address = 0x7C810856
    Thread Exited: process id = 3564, thread id = 3148
    Thread Exited: process id = 3564, thread id = 1008
    Thread Exited: process id = 3564, thread id = 2992
    Thread Exited: process id = 3564, thread id = 3044
    Thread Exited: process id = 3564, thread id = 2016
    Thread Exited: process id = 3564, thread id = 3364
    Thread Exited: process id = 3564, thread id = 2900
    Process Exited: process id = 3564, thread id = 2352
 
 
Code:
    exception code = 0xE06D7363

That exception code is killing it. Don't know what it is but DBG_EXCEPTION_NOT_HANDLED doesn't have an effect on it.

Well, I think I found out the cause of the process dying. I tested it using CE, and the process dies like 20-30 seconds after CE attached to it. But if I check "Try to prevent detection of the debugger", the process never dies. So, I guess my next main question is what is the method for "Try to prevent detection of the debugger" that's in CE?

Dark Byte, Site Admin
Posted: Wed Oct 12, 2005 6:33 am

ducspam wrote:
    Well, I think I found out the cause of the process dying. I tested it using CE, and the process dies like 20-30 seconds after CE attached to it. But if I check "Try to prevent detection of the debugger", the process never dies. So, I guess my next main question is what is the method for "Try to prevent detection of the debugger" that's in CE?

for one it patches the isdebuggerpresent api with:

and when that option is enabled it also returns DBG_EXCEPTION_NOT_HANDLED for OUTPUT_DEBUG_STRING_EVENT

Oh yes, for any other debug event that isn't handled it returns DBG_EXCEPTION_NOT_HANDLED

it only returns DBG_CONTINUE for CREATE_PROCESS_DEBUG_EVENT; all other debug events default to DBG_EXCEPTION_NOT_HANDLED (including thread creation and other stuff)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so i can keep helping
			 
Dark Byte, Site Admin
Posted: Wed Oct 12, 2005 6:34 am

What you might want to check is when ce has been debugging the app and it dies go to memory view->view->debug strings.
 
 
perhaps it wrote some data to there explaining why it killed itself

ducspam, Expert Cheater
Posted: Wed Oct 12, 2005 7:25 am

Nope, it did not write anything to the debug string.
 
 
So, now I have to edit the kernel32.dll to do the anti-debugger detection?
 
 
You know an easy way of doing this through the debugger? What values do I need to write to the address and so on?

Thy Gamer, Newbie cheater
Posted: Wed Oct 12, 2005 6:00 pm

Is this in C++? Is there any way I can do this in VB6 or vb .net?
_________________
What Sig? :p
			 
ducspam, Expert Cheater
Posted: Wed Oct 12, 2005 8:37 pm

Yeah, you can do this in VB or VB.NET. I have been googling, reading up on the Windows API and also annoying the hell out of Dark Byte to figure some of this out.
 
 
I'm still googling and trying to find out how exactly do I patch the kernel32.dll with the debugger program I made. I guess one wrong move can mess up your computer.
 
 
So far, I got this out of W32Dasm:

Code:
    // 7C812E03   64A118000000   mov eax, dword ptr fs:[00000018]
    // 7C812E09   8B4030         mov eax, dword ptr [eax+30]
    // 7C812E0C   0FB64002       movzx eax, byte ptr [eax+02]    // write "xor eax, eax"
    // 7C812E10   C3             ret

So, I coded this to get the address of where I should start patching:

Code:
    #include <windows.h>

    HMODULE hModule = LoadLibrary("kernel32");     // load kernel32.dll
    DWORD_PTR startAddress = (DWORD_PTR)GetProcAddress(hModule, "IsDebuggerPresent");     // starting address = 7C812E03
    DWORD_PTR writeAddress = startAddress + 9;      // write address = 7C812E0C

I'm stuck on how to write 33C09090 (xor eax,eax) at the "writeAddress". Delphi has a SetProcAddress API but I can't seem to find one for C. Does anyone have any clue?

Dark Byte, Site Admin
Posted: Thu Oct 13, 2005 3:17 am

try:

WriteProcessMemory(processhandle,(PVOID)writeAddress,arraywith33c09090,4,NULL);

ducspam, Expert Cheater
Posted: Thu Oct 13, 2005 6:56 am

Quote:
    WriteProcessMemory(processhandle,(PVOID)writeAddress,arraywith33c09090,4,NULL);

Haven't tested it yet, though the kernel32 isn't really a process, will I still be able to use hModule in place of processhandle?
 
 
Thanks

Dark Byte, Site Admin
Posted: Thu Oct 13, 2005 7:59 am

No, the processhandle is the processhandle of the process you are debugging

and the location of isdebuggerpresent is the same in the debugged process as it is in your own app

Thy Gamer, Newbie cheater
Posted: Thu Oct 13, 2005 8:34 am

ducspam, If you ever figure it out in c++ or vb, Could you help me out, kinda lost badly. Thanks if so.

ducspam, Expert Cheater
Posted: Thu Oct 13, 2005 9:53 am

Sure, Thy Gamer.
 
 
When I get home, I'm going to test the anti-debugger detection with WriteProcessMemory on Dark Byte's debugtest app. Hopefully, it should tell me that I don't have a debugger attached.
 
 
Once that is done, I still have the Get/SetThreadContext, debug register, and exception event to deal with.

ducspam, Expert Cheater
Posted: Fri Oct 14, 2005 12:18 am

After the "WriteProcessMemory", it patched "IsDebuggerPresent". Tested this on debugtest and the 4th stage says it didn't find a debugger. (So patching was a success.)

But a new exception occurred when I debug the old process. I did DBG_EXCEPTION_NOT_HANDLED to every event except for CREATE_PROCESS_DEBUG_EVENT (just like you said).

Code:
    //Process id = 472, thread handle = 892
    New Process Created: process id = 472, thread id = 2588, thread handle = 900, start address = 0x0
    New Thread Created: process id = 472, thread id = 3872, thread handle = 912, start address = 0x7C810856
    New Thread Created: process id = 472, thread id = 3376, thread handle = 916, start address = 0x7C810856
    New Thread Created: process id = 472, thread id = 3848, thread handle = 920, start address = 0x7C810856
    New Thread Created: process id = 472, thread id = 3508, thread handle = 924, start address = 0x7C810856
    New Thread Created: process id = 472, thread id = 2248, thread handle = 928, start address = 0x7C810856
    New Thread Created: process id = 472, thread id = 992, thread handle = 932, start address = 0x7C810856
    New Thread Created: process id = 472, thread id = 3152, thread handle = 936, start address = 0x7C810856
    New Thread Created: process id = 472, thread id = 3556, thread handle = 1156, start address = 0x7C95077B
    Debug Exception: process id = 472, thread id = 3556, exception address = 0x7C901230, exception code = 0x80000003
    Thread Exited: process id = 472, thread id = 3556
    Debug Exception: process id = 472, thread id = 2588, exception address = 0x7C90EB74, exception code = 0xC0000008
    Debug Exception: process id = 472, thread id = 2588, exception address = 0x7C90EB74, exception code = 0xC0000008
    Thread Exited: process id = 472, thread id = 3848
    Thread Exited: process id = 472, thread id = 3508
    Thread Exited: process id = 472, thread id = 2248
    Thread Exited: process id = 472, thread id = 3872
    Thread Exited: process id = 472, thread id = 2588
    Thread Exited: process id = 472, thread id = 3376
    Thread Exited: process id = 472, thread id = 992
    Process Exited: process id = 472, thread id = 3152

The exception that crashes the debugger has the thread id = 2588, which is the same as the first create process debug event. exception code = 0xC0000008 is EXCEPTION_INVALID_HANDLE. exception address = 0x7C90EB74 is the KiRaiseUserExceptionDispatcher.

Do you know anything about this? Is it another anti-debugger scheme? Or is it because I call "WriteProcessMemory" and that made the handle invalid?

Dark Byte, Site Admin
Posted: Fri Oct 14, 2005 3:16 am

I have no idea. Are you sure you're not editing anything else in the game (e.g debug regs, etc?)
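
The numeric exception codes in the logs posted in this thread can be decoded offline. The C helper below is an added example, not code from the thread or from Cheat Engine; its function names and name table are assumptions of this example, and the sample lines are constructed in the posts' log format.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Numeric codes from the thread's logs; names are their standard meanings. */
static const struct { uint32_t code; const char *name; } KNOWN[] = {
    { 0x80000003u, "EXCEPTION_BREAKPOINT" },
    { 0xC0000008u, "EXCEPTION_INVALID_HANDLE" },
    { 0xE06D7363u, "Microsoft C++ exception (throw)" },
    { 0x0EEDFADEu, "Delphi language exception" },
};

/* Top two bits are the severity (3 = error). Bit 29, the "customer" bit, is
   set by convention on software-defined codes; Delphi's code leaves it clear. */
unsigned severity(uint32_t code) { return code >> 30; }
int customer_bit(uint32_t code) { return (int)((code >> 29) & 1u); }

const char *exception_name(uint32_t code) {
    for (size_t i = 0; i < sizeof KNOWN / sizeof KNOWN[0]; i++)
        if (KNOWN[i].code == code) return KNOWN[i].name;
    return "unknown";
}

/* Extract the hex code from a "Debug Exception:" log line; 0 if it has none. */
int parse_exception_code(const char *line, uint32_t *out) {
    static const char key[] = "exception code = 0x";
    const char *p = strstr(line, key);
    char *end;
    if (p == NULL) return 0;
    p += sizeof key - 1;
    unsigned long v = strtoul(p, &end, 16);
    if (end == p || v > 0xFFFFFFFFul) return 0;
    *out = (uint32_t)v;
    return 1;
}

int main(void) {
    /* Constructed input in the same shape as the logs in the thread. */
    const char *log[] = {
        "Debug Exception: thread id = 2352, exception code = 0xE06D7363",
        "Debug Exception: thread id = 2588, exception code = 0xC0000008",
        "Debug Exception: thread id = 2020, exception code = 0xEEDFADE",
    };
    uint32_t c;
    for (size_t i = 0; i < sizeof log / sizeof log[0]; i++)
        if (parse_exception_code(log[i], &c))
            printf("0x%08X sev=%u cust=%d %s\n", (unsigned)c, severity(c), customer_bit(c), exception_name(c));
}
```

0xE06D7363 and 0x0EEDFADE are raised by the target's own C++ and Delphi runtimes, so a debugger that passes them back with DBG_EXCEPTION_NOT_HANDLED lets the program's own handlers run as they would without a debugger attached.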