cannot attach debugger, access denied

You can find tutorials and ask questions about memory editing here. You may also post any game-specific information you find (ie. cheat tables or addresses).
Post Reply
Message
Author
User avatar
MiesterMan
Posts: 543
Joined: Tue Jul 06, 2010 9:15 pm
Location: Between the Second and Third Circles of Hell

cannot attach debugger, access denied

#1 Post by MiesterMan » Fri Jul 22, 2011 12:06 am

So, out of curiosity I went back to look at Argo again and it's buzzingly more busy with the few improvements they added. But it seems one of them was a protection for the executable against attaching debug proccesses.

Are there any simple fixes for this or am I really going to have to dissect the launcher and dlls to figure out how to get cheat engine and olly dbg to attach to it again?

User avatar
Administrator
Site Admin
Posts: 4849
Joined: Sat Jan 05, 2008 4:21 pm

Re: cannot attach debugger, access denied

#2 Post by Administrator » Fri Jul 22, 2011 2:13 am

You might have to launch the game via MicroMacro. That sometimes works. Try:

Code: Select all

system("C:/whatever/client.exe");

User avatar
MiesterMan
Posts: 543
Joined: Tue Jul 06, 2010 9:15 pm
Location: Between the Second and Third Circles of Hell

Re: cannot attach debugger, access denied

#3 Post by MiesterMan » Fri Jul 22, 2011 11:51 am

Unfortunately the Launcher is required to start the game executable. It's got some sort of check so it pops up with a message "Please run the game with Launcher.exe".

User avatar
MiesterMan
Posts: 543
Joined: Tue Jul 06, 2010 9:15 pm
Location: Between the Second and Third Circles of Hell

Re: cannot attach debugger, access denied

#4 Post by MiesterMan » Fri Jul 22, 2011 1:08 pm

Ok, I found it. They're using something called "hackshield". I looked up the website and apparently it blocks memory access somehow.

User avatar
Administrator
Site Admin
Posts: 4849
Joined: Sat Jan 05, 2008 4:21 pm

Re: cannot attach debugger, access denied

#5 Post by Administrator » Fri Jul 22, 2011 4:07 pm

Hackshield is pretty easy to remove if the client isn't packed. If you try opening the executable in OllyDb (not attach; open), then try to analyze it. Does it appear to be packed/encrypted?

User avatar
MiesterMan
Posts: 543
Joined: Tue Jul 06, 2010 9:15 pm
Location: Between the Second and Third Circles of Hell

Re: cannot attach debugger, access denied

#6 Post by MiesterMan » Sun Jul 24, 2011 7:32 pm

My post contained spam somehow, lol.

Ok, so I managed to open the executable in olly dbg but I don't know where to look for what you were asking about.

User avatar
Administrator
Site Admin
Posts: 4849
Joined: Sat Jan 05, 2008 4:21 pm

Re: cannot attach debugger, access denied

#7 Post by Administrator » Mon Jul 25, 2011 1:56 am

I think it should warn you if it is encrypted when you try to analyze (CTRL+A). Just copy/paste the first 20 lines of the executable and I can probably tell you.

Also, if you see anything that is bright red and possibly contains "???", then it is most likely encrypted.

User avatar
MiesterMan
Posts: 543
Joined: Tue Jul 06, 2010 9:15 pm
Location: Between the Second and Third Circles of Hell

Re: cannot attach debugger, access denied

#8 Post by MiesterMan » Sun Aug 07, 2011 8:15 pm

Just an update to this, since I left it hanging: I've since moved onto Forsaken World. If/when I come back to this I'll make sure to post it here. For the most part the theory behind building a bot for FW has been most interesting. The methods some have come up with for bypassing the debugger defense and the methods of performing actions through DLL injection seem to be really neat (though I've not successfully done any of it).

For now though, my efforts to debug Argo on hold.

User avatar
MiesterMan
Posts: 543
Joined: Tue Jul 06, 2010 9:15 pm
Location: Between the Second and Third Circles of Hell

Re: cannot attach debugger, access denied

#9 Post by MiesterMan » Mon Oct 31, 2011 3:50 pm

This is for Argo again. I open with OllyDBG but no warning of encryption. The first section of code in the first window is:

Code: Select all

CPU Disasm
Address   Hex dump          Command                                  Comments
00401000  /.  56            PUSH ESI
00401001  |.  8BF1          MOV ESI, ECX
00401003  |.  85F6          TEST ESI, ESI
00401005  |.  74 27         JE SHORT Argo.0040102E
00401007  |.  33C9          XOR ECX, ECX
00401009  |.  8DA424 000000 LEA ESP, [LOCAL.0]
00401010  |>  8A16          /MOV DL, BYTE PTR DS:[ESI]
00401012  |.  84D2          |TEST DL, DL
00401014  |.  74 0C         |JE SHORT Argo.00401022
00401016  |.  881401        |MOV BYTE PTR DS:[EAX+ECX], DL
00401019  |.  41            |INC ECX
0040101A  |.  46            |INC ESI
0040101B  |.  83F9 04       |CMP ECX, 4
0040101E  |.^ 7C F0         \JL SHORT Argo.00401010
00401020  |.  5E            POP ESI
00401021  |.  C3            RETN
00401022  |>  83F9 04       CMP ECX, 4
00401025  |.  7D 0D         JGE SHORT Argo.00401034
00401027  |.  C64401 01 00  MOV BYTE PTR DS:[EAX+ECX+1], 0
0040102C  |.  5E            POP ESI
0040102D  |.  C3            RETN
0040102E  |>  C700 00000000 MOV DWORD PTR DS:[EAX], 0
00401034  |>  5E            POP ESI
00401035  \.  C3            RETN
00401036      CC            INT3
00401037      CC            INT3
00401038      CC            INT3
00401039      CC            INT3
0040103A      CC            INT3
0040103B      CC            INT3
0040103C      CC            INT3
0040103D      CC            INT3
0040103E      CC            INT3
0040103F      CC            INT3
00401040  /.  B0 01         MOV AL, 1
00401042  \.  C3            RETN
00401043      CC            INT3
If I jump back to 400000 then the first section few lines are (this is the PE header right?):

Code: Select all

CPU Disasm
Address   Hex dump          Command                                  Comments
00400000  /.  4D5A          DW 5A4D                                  ; DOS_Signature[2] = "MZ"
00400002  |.  9000          DW 90                                    ; DOS_PartPag = 144.
00400004  |.  0300          DW 3                                     ; DOS_PageCnt = 3
00400006  |.  0000          DW 0                                     ; DOS_ReloCnt = 0
00400008  |.  0400          DW 4                                     ; DOS_HdrSize = 4
0040000A  |.  0000          DW 0                                     ; DOS_MinMem = 0
0040000C  |.  FFFF          DW 0FFFF                                 ; DOS_MaxMem = 65535.
0040000E  |.  0000          DW 0                                     ; DOS_RelSS = 0
00400010  |.  B800          DW 0B8                                   ; DOS_ExeSP = 0B8
00400012  |.  0000          DW 0                                     ; DOS_ChkSum = 0
00400014  |.  0000          DW 0                                     ; DOS_ExeIP = 0
00400016  |.  0000          DW 0                                     ; DOS_RelCS = 0
00400018  |.  4000          DW 40                                    ; DOS_RelocOffset = 40
0040001A  |.  0000          DW 0                                     ; DOS_Overlay = 0
0040001C  |.  0000          DW 0                                     ; DOS_Reserved1[4] = 00000000
0040001E  |.  0000          DW 0
00400020  |.  0000          DW 0
00400022  |.  0000          DW 0
00400024  |.  0000          DW 0                                     ; DOS_OEM_ID = 0
00400026  |.  0000          DW 0                                     ; DOS_OEM_Info = 0
00400028  |.  0000          DW 0                                     ; DOS_Reserved2[10.] = 00000000
0040002A  |.  0000          DW 0
0040002C  |.  0000          DW 0
0040002E  |.  0000          DW 0
00400030  |.  0000          DW 0
00400032  |.  0000          DW 0
00400034  |.  0000          DW 0
00400036  |.  0000          DW 0
00400038  |.  0000          DW 0
0040003A  |.  0000          DW 0
0040003C  \.  48010000      DD 00000148                              ; DOS_PEOffset = 148
And then from where that PEOffset says:

Code: Select all

CPU Disasm
Address   Hex dump          Command                                  Comments
00400148   .  50 45 00 00   ASCII "PE",0,0                           ; IMAGE_NT_SIGNATURE[4] = "PE\0\0"
0040014C  /.  4C01          DW 14C                                   ; Machine = IMAGE_FILE_MACHINE_I386
0040014E  |.  0400          DW 4                                     ; NumberOfSections = 4
00400150  |.  AAA29F4E      DD 4E9FA2AA                              ; TimeDateStamp = 4E9FA2AA
00400154  |.  00000000      DD 00000000                              ; PointerToSymbolTable = 0
00400158  |.  00000000      DD 00000000                              ; NumberOfSymbols = 0
0040015C  |.  E000          DW 0E0                                   ; SizeOfOptionalHeader = 224.
0040015E  \.  0301          DW 103                                   ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|RELOCS_STRIPPED
00400160  /.  0B01          DW 10B                                   ; MagicNumber = IMAGE_NT_OPTIONAL_HDR32_MAGIC
00400162  |.  09            DB 09                                    ; MajorLinkerVersion = 9
00400163  |.  00            DB 00                                    ; MinorLinkerVersion = 0
00400164  |.  004EEF00      DD 00EF4E00                              ; SizeOfCode = 15683072.
00400168  |.  00DC6400      DD 0064DC00                              ; SizeOfInitializedData = 6609920.
0040016C  |.  00000000      DD 00000000                              ; SizeOfUninitializedData = 0
00400170  |.  CFD47E00      DD 007ED4CF                              ; AddressOfEntryPoint = 7ED4CF
00400174  |.  00100000      DD 00001000                              ; BaseOfCode = 1000
00400178  |.  0060EF00      DD 00EF6000                              ; BaseOfData = 0EF6000
0040017C  |.  00004000      DD 00400000                              ; ImageBase = 400000
00400180  |.  00100000      DD 00001000                              ; SectionAlignment = 1000
00400184  |.  00020000      DD 00000200                              ; FileAlignment = 200
00400188  |.  0500          DW 5                                     ; MajorOSVersion = 5
0040018A  |.  0000          DW 0                                     ; MinorOSVersion = 0
0040018C  |.  0000          DW 0                                     ; MajorImageVersion = 0
0040018E  |.  0000          DW 0                                     ; MinorImageVersion = 0
00400190  |.  0500          DW 5                                     ; MajorSubsystemVersion = 5
00400192  |.  0000          DW 0                                     ; MinorSubsystemVersion = 0
00400194  |.  00000000      DD 00000000                              ; Win32VersionValue = 0
00400198  |.  00206C01      DD 016C2000                              ; SizeOfImage = 23863296.
0040019C  |.  00040000      DD 00000400                              ; SizeOfHeaders = 1024.
004001A0  |.  14FA5401      DD 0154FA14                              ; CheckSum = 154FA14
004001A4  |.  0200          DW 2                                     ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
004001A6  |.  0080          DW 8000                                  ; DLLCharacteristics = 8000
004001A8  |.  00001000      DD 00100000                              ; SizeOfStackReserve = 1048576.
004001AC  |.  00100000      DD 00001000                              ; SizeOfStackCommit = 4096.
004001B0  |.  00001000      DD 00100000                              ; SizeOfHeapReserve = 1048576.
004001B4  |.  00100000      DD 00001000                              ; SizeOfHeapCommit = 4096.
004001B8  |.  00000000      DD 00000000                              ; LoaderFlags = 0
004001BC  \.  10000000      DD 00000010                              ; NumberOfRvaAndSizes = 16.
004001C0  /.  00000000      DD 00000000                              ; Export Table address = 0
004001C4  |.  00000000      DD 00000000                              ; Export Table size = 0
004001C8  |.  D85C2101      DD 01215CD8                              ; Import Table address = 1215CD8
004001CC  |.  30020000      DD 00000230                              ; Import Table size = 560.
004001D0  |.  00104101      DD 01411000                              ; Resource Table address = 1411000
004001D4  |.  340A2B00      DD 002B0A34                              ; Resource Table size = 2820660.
004001D8  |.  00000000      DD 00000000                              ; Exception Table address = 0
004001DC  |.  00000000      DD 00000000                              ; Exception Table size = 0
004001E0  |.  00000000      DD 00000000                              ; Certificate File pointer = 0
004001E4  |.  00000000      DD 00000000                              ; Certificate Table size = 0
004001E8  |.  00000000      DD 00000000                              ; Relocation Table address = 0
004001EC  |.  00000000      DD 00000000                              ; Relocation Table size = 0
004001F0  |.  009DEF00      DD 00EF9D00                              ; Debug Data address = 0EF9D00
004001F4  |.  1C000000      DD 0000001C                              ; Debug Data size = 28.
004001F8  |.  00000000      DD 00000000                              ; Architecture Data address = 0
004001FC  |.  00000000      DD 00000000                              ; Architecture Data size = 0
00400200  |.  00000000      DD 00000000                              ; Global Ptr address = 0
00400204  |.  00000000      DD 00000000                              ; Reserved = 00000000
00400208  |.  00000000      DD 00000000                              ; TLS Table address = 0
0040020C  |.  00000000      DD 00000000                              ; TLS Table size = 0
00400210  |.  00000000      DD 00000000                              ; Load Config Table address = 0
00400214  |.  00000000      DD 00000000                              ; Load Config Table size = 0
00400218  |.  00000000      DD 00000000                              ; Bound Import Table address = 0
0040021C  |.  00000000      DD 00000000                              ; Bound Import Table size = 0
00400220  |.  0060EF00      DD 00EF6000                              ; Import Address Table address = 0EF6000
00400224  |.  080D0000      DD 00000D08                              ; Import Address Table size = 3336.
00400228  |.  00000000      DD 00000000                              ; Delay Import Descriptor address = 0
0040022C  |.  00000000      DD 00000000                              ; Delay Import Descriptor size = 0
00400230  |.  00000000      DD 00000000                              ; COM+ Runtime Header address = 0
00400234  |.  00000000      DD 00000000                              ; Import Address Table size = 0
00400238  |.  00000000      DD 00000000                              ; Reserved = 00000000
0040023C  \.  00000000      DD 00000000                              ; Reserved = 00000000
00400240  /.  2E 74 65 78 7 ASCII ".text",0,0,0                      ; Name[8] = ".text\0\0\0"
00400248  |.  DF4CEF00      DD 00EF4CDF                              ; VirtualSize = 15682783.
0040024C  |.  00100000      DD 00001000                              ; VirtualAddress = 1000
00400250  |.  004EEF00      DD 00EF4E00                              ; SizeOfRawData = 15683072.
00400254  |.  00040000      DD 00000400                              ; PointerToRawData = 400
00400258  |.  00000000      DD 00000000                              ; PointerToRelocations = 0
0040025C  |.  00000000      DD 00000000                              ; PointerToLineNumbers = 0
00400260  |.  0000          DW 0                                     ; NumberOfRelocations = 0
00400262  |.  0000          DW 0                                     ; NumberOfLineNumbers = 0
00400264  \.  20000060      DD 60000020                              ; Characteristics = CODE|EXECUTE|READ
00400268  /.  2E 72 64 61 7 ASCII ".rdata",0,0                       ; Name[8] = ".rdata\0\0"
00400270  |.  8A453200      DD 0032458A                              ; VirtualSize = 3294602.
00400274  |.  0060EF00      DD 00EF6000                              ; VirtualAddress = 0EF6000
00400278  |.  00463200      DD 00324600                              ; SizeOfRawData = 3294720.
0040027C  |.  0052EF00      DD 00EF5200                              ; PointerToRawData = 0EF5200
00400280  |.  00000000      DD 00000000                              ; PointerToRelocations = 0
00400284  |.  00000000      DD 00000000                              ; PointerToLineNumbers = 0
00400288  |.  0000          DW 0                                     ; NumberOfRelocations = 0
0040028A  |.  0000          DW 0                                     ; NumberOfLineNumbers = 0
0040028C  \.  40000040      DD 40000040                              ; Characteristics = INITIALIZED_DATA|READ
00400290  /.  2E 64 61 74 6 ASCII ".data",0,0,0                      ; Name[8] = ".data\0\0\0"
00400298  |.  985C1F00      DD 001F5C98                              ; VirtualSize = 2055320.
0040029C  |.  00B02101      DD 0121B000                              ; VirtualAddress = 121B000
004002A0  |.  008A0700      DD 00078A00                              ; SizeOfRawData = 494080.
004002A4  |.  00982101      DD 01219800                              ; PointerToRawData = 1219800
004002A8  |.  00000000      DD 00000000                              ; PointerToRelocations = 0
004002AC  |.  00000000      DD 00000000                              ; PointerToLineNumbers = 0
004002B0  |.  0000          DW 0                                     ; NumberOfRelocations = 0
004002B2  |.  0000          DW 0                                     ; NumberOfLineNumbers = 0
004002B4  \.  400000C0      DD C0000040                              ; Characteristics = INITIALIZED_DATA|READ|WRITE
004002B8  /.  2E 72 73 72 6 ASCII ".rsrc",0,0,0                      ; Name[8] = ".rsrc\0\0\0"
004002C0  |.  340A2B00      DD 002B0A34                              ; VirtualSize = 2820660.
004002C4  |.  00104101      DD 01411000                              ; VirtualAddress = 1411000
004002C8  |.  000C2B00      DD 002B0C00                              ; SizeOfRawData = 2821120.
004002CC  |.  00222901      DD 01292200                              ; PointerToRawData = 1292200
004002D0  |.  00000000      DD 00000000                              ; PointerToRelocations = 0
004002D4  |.  00000000      DD 00000000                              ; PointerToLineNumbers = 0
004002D8  |.  0000          DW 0                                     ; NumberOfRelocations = 0
004002DA  |.  0000          DW 0                                     ; NumberOfLineNumbers = 0
004002DC  \.  40000040      DD 40000040                              ; Characteristics = INITIALIZED_DATA|READ
And just in case it helps, from the listed entry point:

Code: Select all

CPU Disasm
Address   Hex dump          Command                                  Comments
007ED4CF  |?  F0            LOCK
007ED4D0  |?  FE            DB FE                                    ; Unknown command
007ED4D1  |?  FF            DB FF                                    ; Unknown command
007ED4D2  |?  FF68 00       JMP FAR FWORD PTR DS:[EAX]               ; Far jump or call
007ED4D5  |?  0100          ADD DWORD PTR DS:[EAX], EAX
007ED4D7  |?  0051 E8       ADD BYTE PTR DS:[ECX-18], DL
007ED4DA  |?  F2:F73F       REPNE IDIV DWORD PTR DS:[EDI]            ; Superfluous REPxx prefix
007ED4DD  |?  0083 C4148D95 ADD BYTE PTR DS:[EBX+958D14C4], AL
007ED4E3  |?  F0            LOCK
007ED4E4  |?  FE            DB FE                                    ; Unknown command
007ED4E5  |?  FF            DB FF                                    ; Unknown command
007ED4E6  |?  FF52 8D       CALL NEAR DWORD PTR DS:[EDX-73]
007ED4E9  |?  8DB8 FEFFFFE8 LEA EDI, [EAX+E8FFFFFE]                  ; |
007ED4EF  |?  9D            POPFD
007ED4F0  |?  4A            DEC EDX
007ED4F1  |?  C1FF 53       SAR EDI, 53                              ; Shift out of range
007ED4F4  |.  53            PUSH EBX                                 ; |Arg10
007ED4F5  |.  53            PUSH EBX                                 ; |Arg9
007ED4F6  |.  68 000000FF   PUSH FF000000                            ; |Arg8 = FF000000
007ED4FB  |.  6A FF         PUSH -1                                  ; |Arg7 = -1
007ED4FD  |.  56            PUSH ESI                                 ; |Arg6
007ED4FE  |.  6A 0C         PUSH 0C                                  ; |Arg5 = 0C
007ED500  |.  8D85 D4FEFFFF LEA EAX, [LOCAL.75]                      ; |
007ED506  |.  50            PUSH EAX                                 ; |Arg4 => OFFSET LOCAL.75
007ED507  |.  8D8D B8FEFFFF LEA ECX, [LOCAL.82]                      ; |
007ED50D  |.  51            PUSH ECX                                 ; |Arg3 => OFFSET LOCAL.82
007ED50E  |.  68 09010000   PUSH 109                                 ; |Arg2 = 109
007ED513  |.  68 1C020000   PUSH 21C                                 ; |Arg1 = 21C
007ED518  |.  C645 FC 4A    MOV BYTE PTR SS:[LOCAL.1], 4A            ; |
007ED51C  |.  E8 5F284600   CALL Argo.00C4FD80                       ; \Argo.00C4FD80

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest