Jump to content
View in the app

A better way to browse. Learn more.

Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Process terminates on attach

Featured Replies

Posted

Hello,I have stumbled on application I would like to debug. Since it's 64-bit app the OllyDbg is already out of the picture, so I thought I could use x64_dbg. When I try to attach to that process it starts loading all modules and then I get "Terminated: debugging stopped". I tried to play around with ScyllaHide to the point I enabled all options -> didn't help at all. Tried TitanHide -> nope. I also tried to suspend the process first, but it still terminates on attach.It also shows weird behavior when using Cheat Engine's debugger -> when I set breakpoint the application crashes with single-step or maybe breakpoint exception ( don't remember, but I can eventually check again ). So that would seem like the app always tries to handle breakpoints on it's own (Cheat Engine didn't even fire up).What's wrong? What can I do?Thank you for your help.

Perhaps try using Windbg? It could list some new information or at least indicate why x64_dbg isn't functioning as intentioned.


  • Author

Seems like WinDbg closes the process too. As I have no idea how to work with WinDbg I can't really  pull much information out of it.


  • Author

Thanks for the tip. Checked memory of DbgUiRemoteBreakin and it indeed seems to be modified. I kinda thought all this stuff is fixed by ScyllaHide etc :D. Anyways I tried to restore the bytes but seems like the app writes the hook like every 0.2s or something. Tried the Cheat Engine's "Find out what writes to this address" and it caused single step exception again. Well I'm gonna sleep on it and see if I can do something about this tricky process tomorrow.


ScyllaHIde doesn't support Anti-Anti-Attach for x64 targets at the moment.


 


Changelog for v1.1:


Added kill anti-attach (for x86 only)

  • Author

Alright I got it working. What I did: Suspend process, Restore modified instructions, attach debugger, resume process.


Can you share the target? Some anti-cheat system?


  • Author

Well there wasn't any other protection on the target I have noticed after the anti-attach. I haven't spent much time on it yet, so I can't tell, but general debugging seems to be working fine. Debugging also seems to be working even without ScyllaHide -> which introduced some bugs (like cannot pause process) so I disabled it. Target is a game and it's quite large so I doubt you would like to buy/download it just to see the protection. There is a loop like:do
Sleep(200)
VirtualProtect(some functions)
Overwrite
VirtualProtect(some functions, oldProt)
while(some_expression)I just inject my dll, that changes the loop to
do
Sleep(200)
NOPS
while(some_expression)
and then restores the bytes of NTDLL functions and then I attach.

Create an account or sign in to comment

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.