Cheat Engine The Official Site of Cheat Engine
Christbru Newbie cheater
Reputation: 0
Joined: 11 Jan 2013 Posts: 15
Posted: Wed Jan 15, 2014 10:48 pm Post subject: Anyone know a workaround for breakpoints?
I cannot run any debugger other than VEH with Page Exceptions.. this is limited as well because if I add any breakpoints, the game disconnects me.. I need to be able to get around the detection and I thought the first place I could try is here.. [DBVM is also not supported by my machine.. believe me, I've tried everything to get it working again but it will not..]
This is the type of thing I need to recode [Lua]:
debug_setBreakpoint({"level", { 0x89, 0x74, 0x24, 0x0C, 0x89, 0x06, 0xe8}, 4, ContextChanger})
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25819 Location: The netherlands
Posted: Wed Jan 15, 2014 11:06 pm Post subject:
do an aobscan for 0x89, 0x74, 0x24, 0x0C, 0x89, 0x06, 0xe8 and then do a code injection there that will change the context to the appropriate method
I assume that you can't do that because of an integrity check, but since you say that VEH debug works with page exceptions you can use those page exceptions to find out what reads the code.
Then figure out how the integrity check(s) works, and rewrite it so it won't see it. (e.g. change the read pointer to an unmodified pointer)
if VEH's Debug Register breakpoints don't work but DBVM does then try to figure out why DBVM works. (If global debug is REQUIRED then try a hook on GetThreadContext and fake that no debug registers are set, which is what DBVM does with global debug enabled)
Also look at the debug event log when attaching and setting a breakpoint, it may show some info. (and check out the thread states and debug registers)
And are you debugging with the option enabled to override existing breakpoints? If so, don't
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Christbru Newbie cheater
Reputation: 0
Joined: 11 Jan 2013 Posts: 15
Posted: Wed Jan 15, 2014 11:14 pm Post subject:
Dark Byte wrote:
> do an aobscan for 0x89, 0x74, 0x24, 0x0C, 0x89, 0x06, 0xe8 and then do a code injection there that will change the context to the appropriate method
> I assume that you can't do that because of an integrity check, but since you say that VEH debug works with page exceptions you can use those page exceptions to find out what reads the code.
> Then figure out how the integrity check(s) works, and rewrite it so it won't see it. (e.g. change the read pointer to an unmodified pointer)
> if VEH's Debug Register breakpoints don't work but DBVM does then try to figure out why DBVM works. (If global debug is REQUIRED then try a hook on GetThreadContext and fake that no debug registers are set, which is what DBVM does with global debug enabled)
> Also look at the debug event log when attaching and setting a breakpoint, it may show some info. (and check out the thread states and debug registers)
> And are you debugging with the option enabled to override existing breakpoints? If so, don't
"(If global debug is REQUIRED then try a hook on GetThreadContext and fake that no debug registers are set, which is what DBVM does with global debug enabled)"
Would you mind giving me a small example of how I'd be able to do this?
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25819 Location: The netherlands
Posted: Thu Jan 16, 2014 12:16 am Post subject:
something like this Lua script:
Code:
autoAssemble([[
alloc(newZwGetContextThread,128)
alloc(oldZwGetContextThread,4)
registersymbol(newZwGetContextThread)
registersymbol(oldZwGetContextThread)

newZwGetContextThread:
push ebp
mov ebp,esp
push [ebp+0C] //context
push [ebp+08] //threadhandle
call [oldZwGetContextThread] //original ZwGetContextThread (stdcall, removes its own arguments)
//clear the debug registers. (tip: Also hook SetThreadContext and keep a per-thread list of the states of the debug registers and show those instead of 0)
push eax //preserve the NTSTATUS return value
mov eax,[ebp+0C] //32-bit CONTEXT: Dr0..Dr3 at +04..+10, Dr6 at +14, Dr7 at +18
mov dword ptr [eax+04],0 //dr0
mov dword ptr [eax+08],0 //dr1
mov dword ptr [eax+0C],0 //dr2
mov dword ptr [eax+10],0 //dr3
mov dword ptr [eax+14],0 //dr6
mov dword ptr [eax+18],0 //dr7
pop eax
pop ebp
ret 8 //stdcall: pop the two arguments
]])
script=generateAPIHookScript("ntdll.ZwGetContextThread", "newZwGetContextThread", "oldZwGetContextThread")
autoAssemble(script)
It just stupidly fakes the debug registers to be 0. DBVM also emulates the writes though, so if you want it complete, also hook SetThreadContext (and perhaps OpenThread to figure out which threadhandle belongs to what if it isn't ffffffff)
So check the threadlist if you need to do that
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
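Seen from the side of the integrity check that the hook above is meant to fool, the question is what a robust "are debug registers armed?" check looks like and why a user-mode hook on the reporting function undermines it. The following is an added example for readers, not code from this thread, from Cheat Engine or from any anti-cheat: it is portable C that decodes the DR7 enable bits and cross-checks the entry bytes of the reporting function against a known-good copy before trusting the answer. The `x86_context_t` struct is a constructed mirror of the first seven fields of the 32-bit CONTEXT layout at the offsets used in the hook (ContextFlags +0, Dr0..Dr3 +4..+0x10, Dr6 +0x14, Dr7 +0x18); the prologue byte arrays are constructed samples, not ntdll's real bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed mirror of the first seven fields of the 32-bit CONTEXT
 * structure, at the same offsets the hook above writes to:
 * ContextFlags +0, Dr0 +4, Dr1 +8, Dr2 +0xC, Dr3 +0x10, Dr6 +0x14, Dr7 +0x18.
 * On Windows you would pass the real CONTEXT filled in by GetThreadContext. */
typedef struct {
    uint32_t ContextFlags;
    uint32_t Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;
} x86_context_t;

/* Decode DR7: bit 2*i is the local-enable (L0..L3) flag and bit 2*i+1 the
 * global-enable (G0..G3) flag of breakpoint slot i. Returns how many slots
 * are armed and writes their linear addresses to addrs[]. */
int active_hw_breakpoints(const x86_context_t *ctx, uint32_t addrs[4])
{
    const uint32_t dr[4] = { ctx->Dr0, ctx->Dr1, ctx->Dr2, ctx->Dr3 };
    int n = 0;
    for (int i = 0; i < 4; i++) {
        if (ctx->Dr7 & (3u << (2 * i)))
            addrs[n++] = dr[i];
    }
    return n;
}

/* Byte-compare the live entry point of the reporting function against a
 * known-good copy (e.g. the same bytes read from the module file on disk).
 * Returns the offset of the first differing byte, or -1 if they match. */
long prologue_first_mismatch(const uint8_t *live, const uint8_t *known_good, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (live[i] != known_good[i])
            return (long)i;
    return -1;
}

typedef enum { DR_CLEAN = 0, DR_ARMED = 1, DR_REPORT_UNTRUSTED = 2 } dr_verdict_t;

/* Trust a "no debug registers set" answer only when the code path that
 * produced it is intact; a patched prologue means the context may be faked. */
dr_verdict_t assess(const x86_context_t *ctx, const uint8_t *live,
                    const uint8_t *known_good, size_t len)
{
    if (prologue_first_mismatch(live, known_good, len) >= 0)
        return DR_REPORT_UNTRUSTED;
    uint32_t addrs[4];
    return active_hw_breakpoints(ctx, addrs) > 0 ? DR_ARMED : DR_CLEAN;
}

/* Constructed sample bytes (not ntdll's real prologue): a clean entry that
 * starts with "mov eax, imm32", and the same entry after an inline hook
 * overwrote its first five bytes with "jmp rel32" (opcode E9). */
#define SAMPLE_LEN 8
static const uint8_t KNOWN_GOOD[SAMPLE_LEN] = { 0xB8, 0x11, 0x22, 0x33, 0x44, 0x33, 0xC9, 0x90 };
static const uint8_t HOOKED[SAMPLE_LEN]     = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x33, 0xC9, 0x90 };

int main(void)
{
    x86_context_t ctx = { 0 };
    ctx.Dr0 = 0x00401000u;   /* constructed: one armed breakpoint in slot 0 */
    ctx.Dr7 = 1u;            /* L0 set */
    uint32_t addrs[4];
    printf("armed slots: %d\n", active_hw_breakpoints(&ctx, addrs));
    printf("intact path verdict: %d\n", assess(&ctx, KNOWN_GOOD, KNOWN_GOOD, SAMPLE_LEN));

    x86_context_t faked = { 0 };   /* what the zeroing hook above would hand back */
    printf("hooked path verdict: %d\n", assess(&faked, HOOKED, KNOWN_GOOD, SAMPLE_LEN));
    return 0;
}
```

The point of `assess` is the ordering: a zeroed CONTEXT is indistinguishable from a genuinely clean one, so the only signal left to the checker is the integrity of the path that produced it, which is exactly why the thread's first reply suggests finding out what reads the code before touching anything.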
 |
Christbru Newbie cheater
Reputation: 0
Joined: 11 Jan 2013 Posts: 15
Posted: Thu Jan 16, 2014 4:28 am Post subject:
Dark Byte wrote:
> something like this Lua script:
> Code:
> autoAssemble([[
> alloc(newZwGetContextThread,128)
> alloc(oldZwGetContextThread,4)
> registersymbol(newZwGetContextThread)
> registersymbol(oldZwGetContextThread)
>
> newZwGetContextThread:
> push ebp
> mov ebp,esp
> push [ebp+0C] //context
> push [ebp+08] //threadhandle
> call [oldZwGetContextThread] //original ZwGetContextThread (stdcall, removes its own arguments)
> //clear the debug registers. (tip: Also hook SetThreadContext and keep a per-thread list of the states of the debug registers and show those instead of 0)
> push eax //preserve the NTSTATUS return value
> mov eax,[ebp+0C] //32-bit CONTEXT: Dr0..Dr3 at +04..+10, Dr6 at +14, Dr7 at +18
> mov dword ptr [eax+04],0 //dr0
> mov dword ptr [eax+08],0 //dr1
> mov dword ptr [eax+0C],0 //dr2
> mov dword ptr [eax+10],0 //dr3
> mov dword ptr [eax+14],0 //dr6
> mov dword ptr [eax+18],0 //dr7
> pop eax
> pop ebp
> ret 8 //stdcall: pop the two arguments
> ]])
> script=generateAPIHookScript("ntdll.ZwGetContextThread", "newZwGetContextThread", "oldZwGetContextThread")
> autoAssemble(script)
>
> It just stupidly fakes the debug registers to be 0. DBVM also emulates the writes though, so if you want it complete, also hook SetThreadContext (and perhaps OpenThread to figure out which threadhandle belongs to what if it isn't ffffffff)
> So check the threadlist if you need to do that
This is very interesting! I may be able to rebuild the exploit to work with this instead of DBVM, but I haven't done anything like this before so I must ask.. Would you mind giving a small example of hooking "SetThreadContext" and such to set the debug registers?..