Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
API for "modify register at address"?

ducspam
Posted: Tue Oct 11, 2005 1:07 pm

I did not include the "IsDebuggerPresent" API when making the debugger. I didn't know I needed it. I'll test it again when I get back home from work.

ducspam
Posted: Tue Oct 11, 2005 7:27 pm

Ok, here is the output of the debugger. It went all the way to the 4th stage, and said "isdebuggerpresent", and it returned true.

debugtest
Code:
New thread created: thread id = 3624, thread handle = 940, start address =  0x7C95077B
Debug Exception: thread id = 3624, exception address = 0x7C901230, exception code = EXCEPTION_BREAKPOINT
// int3 breakpoint always happens
// do DBG_EXCEPTION_NOT_HANDLED
Debug Exception: thread id = 2020, exception address = 0x7C81EB33, exception code = 0xEEDFADE
// occurs when button 1 was pressed
// no fucking clue what exception 0xEEDFADE is
// do DBG_EXCEPTION_NOT_HANDLED
Debug Exception: thread id = 2020, exception address = 0x452220, exception code = EXCEPTION_BREAKPOINT
// occurs when button 2 was pressed
// do DBG_EXCEPTION_NOT_HANDLED
Debug Exception: thread id = 2020, exception address = 0x0, exception code = EXCEPTION_ACCESS_VIOLATION
// occurs when button 3 was pressed
// do DBG_EXCEPTION_NOT_HANDLED
// press button 4, pop-up box appears, close pop-up box
// debug event loops and enters the last exception (over and over)


So, does that look correct? I think it's the process that I try to debug; it's killing the debugger. I put more output on the debugger that is trying to debug that troublesome process.

Code:
// New Process Created: (debuggee)
New Thread Created: process id = 3564, thread id = 2016, thread handle = 900, start address = 0x7C810856
New Thread Created: process id = 3564, thread id = 3364, thread handle = 904, start address = 0x7C810856
New Thread Created: process id = 3564, thread id = 1008, thread handle = 908, start address = 0x7C810856
New Thread Created: process id = 3564, thread id = 2992, thread handle = 912, start address = 0x7C810856
New Thread Created: process id = 3564, thread id = 3148, thread handle = 916, start address = 0x7C810856
New Thread Created: process id = 3564, thread id = 3792, thread handle = 1128, start address = 0x7C95077B
Debug Exception: process id = 3564, thread id = 3792, exception address = 0x7C901230, exception code = 0x80000003
Thread Exited: process id = 3564, thread id = 3792
New Thread Created: process id = 3564, thread id = 2900, thread handle = 780, start address = 0x7C810856
Debug Exception: process id = 3564, thread id = 2352, exception address = 0x7C81EB33, exception code = 0xE06D7363
Debug Exception: process id = 3564, thread id = 2352, exception address = 0x7C81EB33, exception code = 0xE06D7363
New Thread Created: process id = 3564, thread id = 3044, thread handle = 776, start address = 0x7C810856
Thread Exited: process id = 3564, thread id = 3148
Thread Exited: process id = 3564, thread id = 1008
Thread Exited: process id = 3564, thread id = 2992
Thread Exited: process id = 3564, thread id = 3044
Thread Exited: process id = 3564, thread id = 2016
Thread Exited: process id = 3564, thread id = 3364
Thread Exited: process id = 3564, thread id = 2900
Process Exited: process id = 3564, thread id = 2352


Code:
exception code = 0xE06D7363


That exception code is killing it. Don't know what it is, but DBG_EXCEPTION_NOT_HANDLED doesn't have an effect on it.


Well, I think I found out the cause of the process dying. I tested it using CE, and the process dies like 20-30 seconds after CE attached to it. But if I check "Try to prevent detection of the debugger", the process never dies. So, I guess my next main question is what is the method for "Try to prevent detection of the debugger" that's in CE?

Dark Byte
Posted: Wed Oct 12, 2005 6:33 am

ducspam wrote:

Well, I think I found out the cause of the process dying. I tested it using CE, and the process dies like 20-30 seconds after CE attached to it. But if I check "Try to prevent detection of the debugger", the process never dies. So, I guess my next main question is what is the method for "Try to prevent detection of the debugger" that's in CE?


for one it patches the isdebuggerpresent api with:
Code:
xor eax,eax
ret


and when that option is enabled it also returns DBG_EXCEPTION_NOT_HANDLED for OUTPUT_DEBUG_STRING_EVENT

Oh yes, for any other debug event that isn't handled it returns DBG_EXCEPTION_NOT_HANDLED.
It only returns DBG_CONTINUE for CREATE_PROCESS_DEBUG_EVENT; all other debug events default to DBG_EXCEPTION_NOT_HANDLED (including thread creation and other stuff).

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping

Dark Byte
Posted: Wed Oct 12, 2005 6:34 am

What you might want to check: when CE has been debugging the app and it dies, go to memory view->view->debug strings.

Perhaps it wrote some data there explaining why it killed itself.

ducspam
Posted: Wed Oct 12, 2005 7:25 am

Nope, it did not write anything to the debug string.

So, now I have to edit the kernel32.dll to do the anti-debugger detection?

You know an easy way of doing this through the debugger? What values do I need to write to the address and so on?

Thy Gamer
Posted: Wed Oct 12, 2005 6:00 pm

Is this in C++? Is there any way I can do this in VB6 or vb .net?
_________________
What Sig? :p

ducspam
Posted: Wed Oct 12, 2005 8:37 pm

Yeah, you can do this in VB or VB.NET. I have been googling, reading up on the Windows API and also annoying the hell out of Dark Byte to figure some of this out.

I'm still googling and trying to find out how exactly do I patch the kernel32.dll with the debugger program I made. I guess one wrong move can mess up your computer.

So far, I got this out of W32Dasm:
Code:
// 7C812E03   64A118000000   mov eax, dword ptr fs:[00000018]
// 7C812E09   8B4030         mov eax, dword ptr [eax+30]
// 7C812E0C   0FB64002       movzx eax, byte ptr [eax+02]    // write "xor eax, eax"
// 7C812E10   C3             ret

So, I coded this to get the address of where I should start patching:
Code:
#include <windows.h>

HMODULE hModule = LoadLibraryA("kernel32");     // load kernel32.dll
FARPROC startAddress = GetProcAddress(hModule, "IsDebuggerPresent");     // starting address = 7C812E03
BYTE *writeAddress = (BYTE *)startAddress + 9;      // write address = 7C812E0C

I'm stuck on how to write 33C09090 (xor eax,eax) at the "writeAddress". Delphi has a SetProcAddress API but I can't seem to find one for C. Does anyone have any clue?

Dark Byte
Posted: Thu Oct 13, 2005 3:17 am

try:
WriteProcessMemory(processhandle,(PVOID)writeAddress,arraywith33c09090,4,NULL);

ducspam
Posted: Thu Oct 13, 2005 6:56 am

Quote:
WriteProcessMemory(processhandle,(PVOID)writeAddress,arraywith33c09090,4,NULL);


Haven't tested it yet, though the kernel32 isn't really a process; will I still be able to use hModule in place of processhandle?

Thanks

Dark Byte
Posted: Thu Oct 13, 2005 7:59 am

No, the processhandle is the processhandle of the process you are debugging,
and the location of isdebuggerpresent is the same in the debugged process as it is in your own app.

Thy Gamer
Posted: Thu Oct 13, 2005 8:34 am

ducspam, if you ever figure it out in C++ or VB, could you help me out? Kinda lost badly. Thanks if so.

ducspam
Posted: Thu Oct 13, 2005 9:53 am

Sure, Thy Gamer.

When I get home, I'm going to test the anti-debugger detection with WriteProcessMemory on Dark Byte's debugtest app. Hopefully, it should tell me that I don't have a debugger attached.

Once that is done, I still have the Get/SetThreadContext, debug register, and exception event to deal with.

Thy Gamer
Posted: Thu Oct 13, 2005 4:43 pm

ducspam wrote:
Sure, Thy Gamer.

When I get home, I'm going to test the anti-debugger detection with WriteProcessMemory on Dark Byte's debugtest app. Hopefully, it should tell me that I don't have a debugger attached.

Once that is done, I still have the Get/SetThreadContext, debug register, and exception event to deal with.


Any way I can help? Of course I only know VB and some C++ :(

ducspam
Posted: Fri Oct 14, 2005 12:18 am

After the "WriteProcessMemory", it patched "IsDebuggerPresent". Tested this on debugtest and the 4th stage says it didn't find a debugger. (So patching was a success.)

But a new exception occurred when I debug the old process. I did DBG_EXCEPTION_NOT_HANDLED for every event except for CREATE_PROCESS_DEBUG_EVENT (just like you said).

Code:
//Process id = 472, thread handle = 892
New Process Created: process id = 472, thread id = 2588, thread handle = 900, start address = 0x0
New Thread Created: process id = 472, thread id = 3872, thread handle = 912, start address = 0x7C810856
New Thread Created: process id = 472, thread id = 3376, thread handle = 916, start address = 0x7C810856
New Thread Created: process id = 472, thread id = 3848, thread handle = 920, start address = 0x7C810856
New Thread Created: process id = 472, thread id = 3508, thread handle = 924, start address = 0x7C810856
New Thread Created: process id = 472, thread id = 2248, thread handle = 928, start address = 0x7C810856
New Thread Created: process id = 472, thread id = 992, thread handle = 932, start address = 0x7C810856
New Thread Created: process id = 472, thread id = 3152, thread handle = 936, start address = 0x7C810856
New Thread Created: process id = 472, thread id = 3556, thread handle = 1156, start address = 0x7C95077B
Debug Exception: process id = 472, thread id = 3556, exception address = 0x7C901230, exception code = 0x80000003
Thread Exited: process id = 472, thread id = 3556
Debug Exception: process id = 472, thread id = 2588, exception address = 0x7C90EB74, exception code = 0xC0000008
Debug Exception: process id = 472, thread id = 2588, exception address = 0x7C90EB74, exception code = 0xC0000008
Thread Exited: process id = 472, thread id = 3848
Thread Exited: process id = 472, thread id = 3508
Thread Exited: process id = 472, thread id = 2248
Thread Exited: process id = 472, thread id = 3872
Thread Exited: process id = 472, thread id = 2588
Thread Exited: process id = 472, thread id = 3376
Thread Exited: process id = 472, thread id = 992
Process Exited: process id = 472, thread id = 3152

The exception that crashes the debugger has the thread id = 2588, which is the same as the first create process debug event. exception code = 0xC0000008 is EXCEPTION_INVALID_HANDLE. exception address = 0x7C90EB74 is the KiRaiseUserExceptionDispatcher.

Do you know anything about this? Is it another anti-debugger scheme? Or is it because I call "WriteProcessMemory" and that made the handle invalid?
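
An added example, not part of the original posts: a small triage script for the debug log above that names the exception codes asked about in this thread and flags the exception repeated just before the process exits. The code-to-name table comes from public Windows, Visual C++ and Delphi documentation; `triage`, `KNOWN_CODES` and `SAMPLE_LOG` are names made up for this example.

```python
import re
from collections import Counter

# Well-known exception codes that appear in this thread's logs.
KNOWN_CODES = {
    0x80000003: "EXCEPTION_BREAKPOINT",
    0xC0000005: "EXCEPTION_ACCESS_VIOLATION",
    0xC0000008: "EXCEPTION_INVALID_HANDLE",
    0xE06D7363: "Microsoft Visual C++ exception (throw)",
    0x0EEDFADE: "Delphi language exception",
}

EXC_RE = re.compile(
    r"Debug Exception: (?:process id = \d+, )?thread id = (?P<tid>\d+), "
    r"exception address = 0x(?P<addr>[0-9A-Fa-f]+), "
    r"exception code = 0x(?P<code>[0-9A-Fa-f]+)")

# Lines copied from the log in the post above (thread-creation lines omitted).
SAMPLE_LOG = """\
Debug Exception: process id = 472, thread id = 3556, exception address = 0x7C901230, exception code = 0x80000003
Thread Exited: process id = 472, thread id = 3556
Debug Exception: process id = 472, thread id = 2588, exception address = 0x7C90EB74, exception code = 0xC0000008
Debug Exception: process id = 472, thread id = 2588, exception address = 0x7C90EB74, exception code = 0xC0000008
Thread Exited: process id = 472, thread id = 3848
Process Exited: process id = 472, thread id = 3152
"""

def triage(log):
    """Name every hex-coded exception, count identical repeats, and return
    the last exception logged before the 'Process Exited' line."""
    head = log.split("Process Exited:")[0]
    events = [(int(m["tid"]), int(m["addr"], 16), int(m["code"], 16))
              for m in EXC_RE.finditer(head)]
    named = [(tid, f"0x{addr:08X}", KNOWN_CODES.get(code, f"unknown 0x{code:08X}"))
             for tid, addr, code in events]
    # An identical pair is consistent with first-chance then second-chance
    # delivery of one unhandled exception; the log does not print
    # dwFirstChance, so that reading is an inference.
    repeated = {ev: n for ev, n in Counter(events).items() if n > 1}
    return {"named": named, "repeated": repeated,
            "last_before_exit": events[-1] if events else None}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Logging `dwFirstChance` from `EXCEPTION_DEBUG_INFO` in the debugger itself would confirm whether the repeated line is a second-chance notification.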

Dark Byte
Posted: Fri Oct 14, 2005 3:16 am

I have no idea. Are you sure you're not editing anything else in the game (e.g. debug regs, etc.)?

All times are GMT - 6 Hours