Schnappi Posted October 17, 2014 Share Posted October 17, 2014 Hello,I have stumbled on application I would like to debug. Since it's 64-bit app the OllyDbg is already out of the picture, so I thought I could use x64_dbg. When I try to attach to that process it starts loading all modules and then I get "Terminated: debugging stopped". I tried to play around with ScyllaHide to the point I enabled all options -> didn't help at all. Tried TitanHide -> nope. I also tried to suspend the process first, but it still terminates on attach.It also shows weird behavior when using Cheat Engine's debugger -> when I set breakpoint the application crashes with single-step or maybe breakpoint exception ( don't remember, but I can eventually check again ). So that would seem like the app always tries to handle breakpoints on it's own (Cheat Engine didn't even fire up).What's wrong? What can I do?Thank you for your help. Link to comment
Encrypto Posted October 17, 2014 Share Posted October 17, 2014 Perhaps try using Windbg? It could list some new information or at least indicate why x64_dbg isn't functioning as intentioned. 2 Link to comment
Schnappi Posted October 17, 2014 Author Share Posted October 17, 2014 Seems like WinDbg closes the process too. As I have no idea how to work with WinDbg I can't really pull much information out of it. Link to comment
mrexodia Posted October 17, 2014 Share Posted October 17, 2014 Hi, Take a look at this blog, maybe your target hooks certain system APIs that get called when a debugger is attached. http://waleedassar.blogspot.nl/2011/12/debuggers-anti-attaching-techniques.html Greetings Link to comment
Schnappi Posted October 18, 2014 Author Share Posted October 18, 2014 Thanks for the tip. Checked memory of DbgUiRemoteBreakin and it indeed seems to be modified. I kinda thought all this stuff is fixed by ScyllaHide etc . Anyways I tried to restore the bytes but seems like the app writes the hook like every 0.2s or something. Tried the Cheat Engine's "Find out what writes to this address" and it caused single step exception again. Well I'm gonna sleep on it and see if I can do something about this tricky process tomorrow. Link to comment
Aguila Posted October 18, 2014 Share Posted October 18, 2014 ScyllaHIde doesn't support Anti-Anti-Attach for x64 targets at the moment. Changelog for v1.1:Added kill anti-attach (for x86 only) Link to comment
Schnappi Posted October 18, 2014 Author Share Posted October 18, 2014 Alright I got it working. What I did: Suspend process, Restore modified instructions, attach debugger, resume process. Link to comment
Aguila Posted October 18, 2014 Share Posted October 18, 2014 Can you share the target? Some anti-cheat system? Link to comment
Schnappi Posted October 18, 2014 Author Share Posted October 18, 2014 Well there wasn't any other protection on the target I have noticed after the anti-attach. I haven't spent much time on it yet, so I can't tell, but general debugging seems to be working fine. Debugging also seems to be working even without ScyllaHide -> which introduced some bugs (like cannot pause process) so I disabled it. Target is a game and it's quite large so I doubt you would like to buy/download it just to see the protection. There is a loop like:doSleep(200)VirtualProtect(some functions)OverwriteVirtualProtect(some functions, oldProt)while(some_expression)I just inject my dll, that changes the loop todoSleep(200)NOPSwhile(some_expression)and then restores the bytes of NTDLL functions and then I attach. Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now