Cheat Engine - The Official Site of Cheat Engine

Caliber (Expert Cheater, Reputation: 2, Joined: 20 Aug 2007, Posts: 102)
Posted: Mon Jun 04, 2012 12:37 pm
Post subject: Darkbyte -> Cheatengine 6.x Reset debug port method?

Greetings DB,
Some titles use the SecuROM method or some other anti-cheat method of running two .exe files with the same name, except that one executable actually acts as a debugger and attaches to the other executable, to make it pesky to attach a debugger to the .exe so that you can evaluate it in a disassembler such as OllyDbg.
At any rate, for Windows XP 32-bit there are various ways to do this that are successful. In fact some of the methods (at one point) were posted here using Cheat Engine to find the physical memory and offsets to reset the debug port.
However, for Windows 7 using a 64-bit OS, I have found no good sources for a way to reset the debug port so that you can again attach a debugger/disassembler such as OllyDbg to the process.
At any rate, one such NEW title is the new Max Payne game (Max Payne 3).
The game itself is 32-bit. I am using Windows 7 64-bit OS and was using Cheat Engine 6.1. I tried to do similar steps as before to access the physical memory address (which required the unsigned driver F8 method to turn on the read/write memory in CE). It 'seemed' to work, but I found that when I tried to WRITE to the physical memory address it acted all wonky, and further I have no idea what the offsets are for the debug registers/addresses in Windows 7 64-bit.
Is there some new method to do this? Can you provide any guidance?
Thanks,
Caliber
Dark Byte (Site Admin, Reputation: 472, Joined: 09 May 2003, Posts: 25896, Location: The Netherlands)
Posted: Mon Jun 04, 2012 12:47 pm

Did you set the correct offset of the EPROCESS to 0?
The debugport offset in Windows 7 is different from the one in XP.
Anyhow, Windows is so nice to export the PsGetDebugPort API, which you can use to find the debugport offset from if you disassemble it (kernel_PsGetDebugPort when the driver is loaded should bring you there).
Alternatively, try kernelmode debugging if your system supports DBVM (6.2 fixes the BSOD when using global debug as well).
Or try VEH. If the injector fails, try to figure out why and undo that (e.g. local hooks).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Caliber (Expert Cheater, Reputation: 2, Joined: 20 Aug 2007, Posts: 102)
Posted: Mon Jun 04, 2012 4:58 pm

Thanks for the info; your reply was appreciated!
I think I miscommunicated to you what I am trying to achieve.
First, I already was able to create a trainer for Max Payne 3 thanks to Cheat Engine. VEH worked just fine. The problem comes when trying to attach a more featured debugger/disassembler like OllyDbg to the game while in memory (no offense meant to C.E.). In that case you would need to reset the debug port so that when you try to attach to the game in memory with OllyDbg, it will allow it. I am able to use a lot of functions in OllyDbg to break apart games more thoroughly that C.E. just doesn't have...
I am not sure of the steps to take with C.E. to actually reset the debug port in Windows 7 64-bit OS.
Do you mind expanding on how to possibly do this with C.E.? I.e. reset the debug port, and then you can attach to the game with another debugger (like OllyDbg). There are several other games that this would be useful for if you were using Windows 7 64-bit OS.
Thanks!
Best,
Cal
Dark Byte (Site Admin, Reputation: 472, Joined: 09 May 2003, Posts: 25896, Location: The Netherlands)
Posted: Mon Jun 04, 2012 5:46 pm

Just setting the debugport in the EPROCESS structure of the process to NULL should be enough to let Windows debug the target process again. You just have to make sure you got the correct offset (it's not +bc).
And you may expect crashes if the previous debugger is actually responsible for dealing with exceptions.
Keep in mind, the debugport is actually a pointer, so it's 8 bytes, not 4.
When kernelmode OpenProcess and Read/WriteProcessMemory is enabled you can right-click on the process name after opening it. That will pop up useful information, like CR3, IDTs and the EPROCESS. Double-clicking the EPROCESS should bring you to the structure.
Now go to the proper offset, fill in 8 zeros, and it 'should' work. (I haven't tested that in a while.)
Also, I gave the wrong API you should dissect; it's PsGetProcessDebugPort (for me located at ntoskrnl.exe+1044b0).
I've disassembled it myself; the debugport offset is 1f0 in Win7 64-bit.
Also, give feature requests of what you wish that CE had. But make sure you never use these word combinations: "Like olly", "The same way as olly does" or "how olly does it".
Instead of those, give a detailed description of what you want.
Caliber (Expert Cheater, Reputation: 2, Joined: 20 Aug 2007, Posts: 102)
Posted: Mon Jun 18, 2012 9:11 pm

Dark Byte wrote:
> Just setting the debugport in the EPROCESS structure of the process to NULL should be enough to let Windows debug the target process again. You just have to make sure you got the correct offset (it's not +bc).
> And you may expect crashes if the previous debugger is actually responsible for dealing with exceptions.
> Keep in mind, the debugport is actually a pointer, so it's 8 bytes, not 4.
> When kernelmode OpenProcess and Read/WriteProcessMemory is enabled you can right-click on the process name after opening it. That will pop up useful information, like CR3, IDTs and the EPROCESS. Double-clicking the EPROCESS should bring you to the structure.
> Now go to the proper offset, fill in 8 zeros, and it 'should' work. (I haven't tested that in a while.)
> Also, I gave the wrong API you should dissect; it's PsGetProcessDebugPort (for me located at ntoskrnl.exe+1044b0).
> I've disassembled it myself; the debugport offset is 1f0 in Win7 64-bit.
> Also, give feature requests of what you wish that CE had. But make sure you never use these word combinations: "Like olly", "The same way as olly does" or "how olly does it".
> Instead of those, give a detailed description of what you want.
Thanks for the info DB. I will give this a try and see if I have success.
As a side note, I am not comparing C.E. to OllyDbg in a condescending or negative way. In many ways the two tools serve completely different purposes, so I hope I didn't offend. I use literally 6 to 7 programs to do my work, some of which are 'homegrown' tools to handle specific issues.
As always, many of us are indebted to your work on Cheat Engine here and I'd like to publicly thank you again for your wonderful program.
I will report back if I have any further problems or if I need to ask for your indulgence in regards to using C.E. for this purpose.
Best,
Cal