sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sat Aug 16, 2014 9:23 pm    Post subject: CE kernel mode debugger setting BPs that the client handles
Hello all,
I am currently using Cheat Engine on a game that is protected by HS. I am thus using all of Cheat Engine's kernel mode drivers for memory scanning and debugging. However, when I attach the CE debugger (by using 'find out what writes to this address', for example), the game's exception handler actually picks up on the breakpoint and handles it by throwing a dialog that says something on the order of "A single step event occurred ... Press OK to close or Cancel to debug", and then the game usually closes.
My question is, do I need to remove their debugger so that CE can handle the exception? If so, do I need to do it externally with my own code, or can CE do it? Or is this likely a different issue I am not understanding?
Also, attempts to attach Olly have failed, probably because it's already being debugged.
Thanks
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The Netherlands
Posted: Sun Aug 17, 2014 3:00 am
Are you using 32 or 64 bit windows?
And are you using global debug?
If 32 bit, try loading dbvm manually. Even though it's not required for 32 bit, dbvm can do interrupt hooks that can't be undone by other tools
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sun Aug 17, 2014 11:52 am
Hi DB,
I am on Win7 x64 using ce-6.4_x86-x64.exe. I have the kernel mode debugger selected along with global debug routines and step through kernel code, as well as the extra settings for kernel mode open process, read/write proc mem, and proc watcher.
When I boot CE, the first thing I do is click the About menu and click the green text to enable DBVM. I usually do this right when my PC boots to prevent a crash.
Somehow, with all of this, the client is still catching the debug events... And based on your question I am guessing the client is somehow picking up on the DR registers...
Thanks
---- edit ----
A few further comments:
I have been successful in attaching a debugger if I interrupt HackShield's initialization and attach the CE debugger before it attaches its own debugger. I can then debug while in game. But HS is smart and eventually shuts down the client, probably because it wasn't able to attach its own debugger since I had already attached CE's.
This method (attaching before HS) has different outcomes depending on the debugger I use. If I use the VEH debugger, I am actually able to debug in game until HS closes the client. On the other hand, if I attach the kernel mode debugger before HS initializes, the client will close before I can actually make it in game. So it appears that somehow HS is detecting the use of the kernel mode debugger, and in the case of the VEH it only seems to detect that it can no longer attach its own debugger. I am assuming a little bit there.
Also, when I use the kernel mode debugger after suspending HS, after HS closes down the client, the game refuses to launch, giving an HS error thereafter unless I restart Windows. This doesn't happen when I use the VEH debugger.
Last edited by sullx on Sun Aug 17, 2014 1:44 pm; edited 1 time in total
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The Netherlands
Posted: Sun Aug 17, 2014 1:18 pm
Try CE 6.3. Perhaps there is an issue with 6.4 not handling breakpoints it doesn't expect (global debug will let the kernel decide which debug register is used at runtime, but 6.4 has added stricter debug register validation).
sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sun Aug 17, 2014 1:43 pm
(In case you missed it, see my edit above ^)
Have just tried 6.3 with the same result: the client is catching the breakpoint, not CE. Somehow the DR registers are not being cloaked. I guess HS is doing something to reveal/prevent CE's kernel mode from hiding them...
At this point, I am not sure what else I can do. If I use the method I posted above (in the edit), I can debug for about 2 minutes before the client is closed, which makes analyzing the byte code difficult, and finding offsets nearly impossible.
--- edit ---
Also, I don't think it should matter, but I am running with PatchGuard disabled via http://fyyre.ivory-tower.de (disable_pg_ds_v3.rar, "Disable PatchGuard & Driver Signing on X64 Windows 7 + SP1").
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The Netherlands
Posted: Sun Aug 17, 2014 2:32 pm
No idea then.
Do you need to run PatchGuard to use debugging with DBVM? If so, that's one possible cause, as that indicates DBVM isn't functional on your system (it falls back on software interrupt hooking if DBVM isn't detected by the kernel).
What CPU do you have?
sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sun Aug 17, 2014 2:52 pm
No, I don't need to disable PatchGuard in order to use DBVM. Before, I was doing the simple F8 -> Disable driver signature enforcement, and that worked fine. I recently started disabling PatchGuard to use TitanHide (https://bitbucket.org/mrexodia/titanhide) to try to hide OllyDbg, so it's unrelated. Good to know about the fallback, but if I try to attach one of the user mode debuggers (Windows or VEH) instead of the kernel mode debugger, I get a "failed to attach debugger" error, presumably because HS is already debugging. The kernel mode debugger never has this problem; it is clearly able to set breakpoints, but somehow the client is picking them up before CE.
Also, I have successfully used DBVM on other games many times, so I am sure that my setup works with it. But my CPU is an i7-2600k.
Do you think using something to try to unhook HS from kernel mode and then using CE would work?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The Netherlands
Posted: Mon Aug 18, 2014 6:15 am
Could be a bug in the debug register emulation (perhaps the emulated DR6 forgets to clear the flags), or the specific address you've targeted is explicitly protected (having its own BP on that exact address).
Try this: debug any other program (e.g. the tutorial) and do a kernel mode find what accesses on an address.
Then stop it and close CE, and see if the game will run.
This way the interrupt hook is present but not actively doing things.
If that goes fine, reboot and do the same, but keep Cheat Engine and the debugging active.
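The DR6 hypothesis in the post above can be made concrete. What follows is an added example, not code from this thread, from Cheat Engine or from HackShield: a small C model of the x86 debug status register (DR6) and control register (DR7), using the bit layout documented in the Intel SDM (B0-B3 in DR6 bits 0-3, BS in bit 14; local/global enable bits for breakpoint n at DR7 bits 2n and 2n+1). The processor never clears the DR6 status bits itself; the handler that consumes a debug exception is expected to do so. The constructed `emulated_drs` scenario shows what a debuggee's own exception handler concludes when a hiding debugger's emulated DR6 is cleared correctly versus when a stale B0 is left behind: in the second case the debuggee sees a breakpoint-hit flag for a breakpoint its (emulated, empty) DR7 says is not armed, which is exactly the kind of inconsistency an integrity check would report as an unexpected debug event.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DR6 debug status bits (Intel SDM vol. 3A, "Debug Status Register (DR6)"). */
#define DR6_B(n) (1ull << (n))   /* breakpoint condition n (0..3) detected */
#define DR6_BD   (1ull << 13)    /* debug-register access detected */
#define DR6_BS   (1ull << 14)    /* single-step trap (EFLAGS.TF) */
#define DR6_BT   (1ull << 15)    /* task switch */
#define DR6_STATUS_MASK (0xFull | DR6_BD | DR6_BS | DR6_BT)

/* DR7: the local/global enable bits for breakpoint n are bits 2n and 2n+1. */
static bool dr7_enabled(uint64_t dr7, int n) {
    return ((dr7 >> (2 * n)) & 3ull) != 0;
}

typedef enum {
    TRAP_NONE,        /* no debug condition reported */
    TRAP_HW_BP,       /* a breakpoint that DR7 says is armed fired */
    TRAP_SINGLE_STEP, /* only the TF single-step trap is reported */
    TRAP_STALE_B      /* some Bn is set although DR7 shows no such breakpoint armed */
} trap_kind;

/* Classify a #DB the way a program inspecting its own thread context might:
 * compare the Bn status bits against the DR7 it believes is in effect. */
trap_kind classify_debug_trap(uint64_t dr6, uint64_t dr7) {
    uint64_t hit = dr6 & 0xFull;
    if (hit) {
        for (int n = 0; n < 4; n++)
            if (((hit >> n) & 1ull) && dr7_enabled(dr7, n))
                return TRAP_HW_BP;
        return TRAP_STALE_B;   /* status bit without a matching enable bit */
    }
    if (dr6 & DR6_BS) return TRAP_SINGLE_STEP;
    return TRAP_NONE;
}

/* Constructed model (hypothetical, not CE's implementation) of the debug
 * registers a hiding debugger presents to its debuggee: the debugger arms
 * DR0 for itself but reports DR7 = 0 to the debuggee. `clears_status`
 * controls whether its handler clears DR6 after consuming a hit. */
typedef struct {
    uint64_t real_dr7;   /* what is actually programmed in the CPU */
    uint64_t shown_dr7;  /* what the debuggee is allowed to see */
    uint64_t dr6;        /* status register as the debuggee would read it */
    bool clears_status;
} emulated_drs;

/* The debugger's own DR0 breakpoint fires: the CPU sets B0, the debugger
 * handles the event and resumes the debuggee without forwarding it. */
static void debugger_handles_own_hit(emulated_drs *e) {
    e->dr6 |= DR6_B(0);
    if (e->clears_status) e->dr6 &= ~DR6_STATUS_MASK;
}

/* Later the debuggee takes a single-step trap of its own (TF set) and its
 * handler classifies what it sees in DR6 against the DR7 it was shown. */
static trap_kind debuggee_observes_single_step(emulated_drs *e) {
    e->dr6 |= DR6_BS;
    return classify_debug_trap(e->dr6, e->shown_dr7);
}

/* Run the two-event scenario; returns what the debuggee's handler concludes. */
trap_kind scenario(bool handler_clears_dr6) {
    emulated_drs e = {
        .real_dr7 = 0x1ull,  /* L0 set: execute breakpoint armed on DR0 */
        .shown_dr7 = 0,      /* debuggee believes no breakpoints are armed */
        .dr6 = 0,
        .clears_status = handler_clears_dr6
    };
    debugger_handles_own_hit(&e);
    return debuggee_observes_single_step(&e);
}

int main(void) {
    printf("handler clears DR6:   verdict %d (TRAP_SINGLE_STEP = %d)\n",
           scenario(true), TRAP_SINGLE_STEP);
    printf("handler leaves B0 set: verdict %d (TRAP_STALE_B = %d)\n",
           scenario(false), TRAP_STALE_B);
    return 0;
}
```

With a correctly clearing handler the debuggee sees only its own BS bit and can account for the trap; with a stale B0 it sees a hit for a breakpoint it never armed, which is the inconsistency that would explain a protected client reporting an unexpected single-step event even though the debugger itself consumed the breakpoint.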
sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Mon Aug 18, 2014 6:34 pm
Dark Byte wrote:
    Could be a bug in the debug register emulation (perhaps the emulated DR6 forgets to clear the flags), or the specific address you've targeted is explicitly protected (having its own BP on that exact address).
    Try this: debug any other program (e.g. the tutorial) and do a kernel mode find what accesses on an address.
    Then stop it and close CE, and see if the game will run.
    This way the interrupt hook is present but not actively doing things.
Great observation! I did exactly as you say: after a fresh restart I used the kernel mode find what accesses/writes an address on the CE tutorial, then closed the tutorial and CE. Then I booted up the game, and within about 30 seconds the game closed itself down.
So a bug in the debug register emulation must be the culprit?
--- edit ---
Something else to add. After doing the above test and HS closes the game, all of my drivers go nuts. I, for instance, no longer have internet access, and my display driver causes the screen to flicker. It seems as though HS detects the kernel mode driver and tries to do something about it, and ends up bricking the system until restart.
sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sat Aug 23, 2014 1:00 am
Is this something that could be fixed and pushed to a development branch for testing?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The Netherlands
Posted: Sat Aug 23, 2014 4:53 am
No, I'm still working on some other stuff, but next month I may have time.
It'd help to have an open source example that reproduces this so I can make the emulator return exactly what the program expects.
sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sat Aug 23, 2014 11:46 am
Fair enough. I could look into it and see if I can't write something to reproduce the issue and then send you the source. It would be in C++, as that is what I am experienced in. But I have never written anything outside the user level, so I would have to read up on kernel mode programming. (If you have any suggestions for resources, let me know.)
Thanks Dark Byte.