cannot attach debugger, access denied
- MiesterMan
- Posts: 543
- Joined: Tue Jul 06, 2010 9:15 pm
- Location: Between the Second and Third Circles of Hell
cannot attach debugger, access denied
So, out of curiosity I went back to look at Argo again and it's buzzingly more busy with the few improvements they added. But it seems one of them was a protection for the executable against attaching debug proccesses.
Are there any simple fixes for this or am I really going to have to dissect the launcher and dlls to figure out how to get cheat engine and olly dbg to attach to it again?
Are there any simple fixes for this or am I really going to have to dissect the launcher and dlls to figure out how to get cheat engine and olly dbg to attach to it again?
My RoM Bot toys:
- Object Viewer: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2619
Teleporter Functions: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2605
Waypoint Finder: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2616
Mail Functions: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2612
Equipment Swapper(TempFixed): http://www.solarstrike.net/phpBB3/viewt ... =27&t=2571
- Administrator
- Site Admin
- Posts: 5312
- Joined: Sat Jan 05, 2008 4:21 pm
Re: cannot attach debugger, access denied
You might have to launch the game via MicroMacro. That sometimes works. Try:
Code: Select all
system("C:/whatever/client.exe");
- MiesterMan
- Posts: 543
- Joined: Tue Jul 06, 2010 9:15 pm
- Location: Between the Second and Third Circles of Hell
Re: cannot attach debugger, access denied
Unfortunately the Launcher is required to start the game executable. It's got some sort of check so it pops up with a message "Please run the game with Launcher.exe".
My RoM Bot toys:
- Object Viewer: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2619
Teleporter Functions: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2605
Waypoint Finder: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2616
Mail Functions: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2612
Equipment Swapper(TempFixed): http://www.solarstrike.net/phpBB3/viewt ... =27&t=2571
- MiesterMan
- Posts: 543
- Joined: Tue Jul 06, 2010 9:15 pm
- Location: Between the Second and Third Circles of Hell
Re: cannot attach debugger, access denied
Ok, I found it. They're using something called "hackshield". I looked up the website and apparently it blocks memory access somehow.
My RoM Bot toys:
- Object Viewer: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2619
Teleporter Functions: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2605
Waypoint Finder: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2616
Mail Functions: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2612
Equipment Swapper(TempFixed): http://www.solarstrike.net/phpBB3/viewt ... =27&t=2571
- Administrator
- Site Admin
- Posts: 5312
- Joined: Sat Jan 05, 2008 4:21 pm
Re: cannot attach debugger, access denied
Hackshield is pretty easy to remove if the client isn't packed. If you try opening the executable in OllyDb (not attach; open), then try to analyze it. Does it appear to be packed/encrypted?
- MiesterMan
- Posts: 543
- Joined: Tue Jul 06, 2010 9:15 pm
- Location: Between the Second and Third Circles of Hell
Re: cannot attach debugger, access denied
My post contained spam somehow, lol.
Ok, so I managed to open the executable in olly dbg but I don't know where to look for what you were asking about.
Ok, so I managed to open the executable in olly dbg but I don't know where to look for what you were asking about.
My RoM Bot toys:
- Object Viewer: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2619
Teleporter Functions: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2605
Waypoint Finder: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2616
Mail Functions: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2612
Equipment Swapper(TempFixed): http://www.solarstrike.net/phpBB3/viewt ... =27&t=2571
- Administrator
- Site Admin
- Posts: 5312
- Joined: Sat Jan 05, 2008 4:21 pm
Re: cannot attach debugger, access denied
I think it should warn you if it is encrypted when you try to analyze (CTRL+A). Just copy/paste the first 20 lines of the executable and I can probably tell you.
Also, if you see anything that is bright red and possibly contains "???", then it is most likely encrypted.
Also, if you see anything that is bright red and possibly contains "???", then it is most likely encrypted.
- MiesterMan
- Posts: 543
- Joined: Tue Jul 06, 2010 9:15 pm
- Location: Between the Second and Third Circles of Hell
Re: cannot attach debugger, access denied
Just an update to this, since I left it hanging: I've since moved onto Forsaken World. If/when I come back to this I'll make sure to post it here. For the most part the theory behind building a bot for FW has been most interesting. The methods some have come up with for bypassing the debugger defense and the methods of performing actions through DLL injection seem to be really neat (though I've not successfully done any of it).
For now though, my efforts to debug Argo on hold.
For now though, my efforts to debug Argo on hold.
My RoM Bot toys:
- Object Viewer: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2619
Teleporter Functions: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2605
Waypoint Finder: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2616
Mail Functions: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2612
Equipment Swapper(TempFixed): http://www.solarstrike.net/phpBB3/viewt ... =27&t=2571
- MiesterMan
- Posts: 543
- Joined: Tue Jul 06, 2010 9:15 pm
- Location: Between the Second and Third Circles of Hell
Re: cannot attach debugger, access denied
This is for Argo again. I open with OllyDBG but no warning of encryption. The first section of code in the first window is:
If I jump back to 400000 then the first section few lines are (this is the PE header right?):
And then from where that PEOffset says:
And just in case it helps, from the listed entry point:
Code: Select all
CPU Disasm
Address Hex dump Command Comments
00401000 /. 56 PUSH ESI
00401001 |. 8BF1 MOV ESI, ECX
00401003 |. 85F6 TEST ESI, ESI
00401005 |. 74 27 JE SHORT Argo.0040102E
00401007 |. 33C9 XOR ECX, ECX
00401009 |. 8DA424 000000 LEA ESP, [LOCAL.0]
00401010 |> 8A16 /MOV DL, BYTE PTR DS:[ESI]
00401012 |. 84D2 |TEST DL, DL
00401014 |. 74 0C |JE SHORT Argo.00401022
00401016 |. 881401 |MOV BYTE PTR DS:[EAX+ECX], DL
00401019 |. 41 |INC ECX
0040101A |. 46 |INC ESI
0040101B |. 83F9 04 |CMP ECX, 4
0040101E |.^ 7C F0 \JL SHORT Argo.00401010
00401020 |. 5E POP ESI
00401021 |. C3 RETN
00401022 |> 83F9 04 CMP ECX, 4
00401025 |. 7D 0D JGE SHORT Argo.00401034
00401027 |. C64401 01 00 MOV BYTE PTR DS:[EAX+ECX+1], 0
0040102C |. 5E POP ESI
0040102D |. C3 RETN
0040102E |> C700 00000000 MOV DWORD PTR DS:[EAX], 0
00401034 |> 5E POP ESI
00401035 \. C3 RETN
00401036 CC INT3
00401037 CC INT3
00401038 CC INT3
00401039 CC INT3
0040103A CC INT3
0040103B CC INT3
0040103C CC INT3
0040103D CC INT3
0040103E CC INT3
0040103F CC INT3
00401040 /. B0 01 MOV AL, 1
00401042 \. C3 RETN
00401043 CC INT3
Code: Select all
CPU Disasm
Address Hex dump Command Comments
00400000 /. 4D5A DW 5A4D ; DOS_Signature[2] = "MZ"
00400002 |. 9000 DW 90 ; DOS_PartPag = 144.
00400004 |. 0300 DW 3 ; DOS_PageCnt = 3
00400006 |. 0000 DW 0 ; DOS_ReloCnt = 0
00400008 |. 0400 DW 4 ; DOS_HdrSize = 4
0040000A |. 0000 DW 0 ; DOS_MinMem = 0
0040000C |. FFFF DW 0FFFF ; DOS_MaxMem = 65535.
0040000E |. 0000 DW 0 ; DOS_RelSS = 0
00400010 |. B800 DW 0B8 ; DOS_ExeSP = 0B8
00400012 |. 0000 DW 0 ; DOS_ChkSum = 0
00400014 |. 0000 DW 0 ; DOS_ExeIP = 0
00400016 |. 0000 DW 0 ; DOS_RelCS = 0
00400018 |. 4000 DW 40 ; DOS_RelocOffset = 40
0040001A |. 0000 DW 0 ; DOS_Overlay = 0
0040001C |. 0000 DW 0 ; DOS_Reserved1[4] = 00000000
0040001E |. 0000 DW 0
00400020 |. 0000 DW 0
00400022 |. 0000 DW 0
00400024 |. 0000 DW 0 ; DOS_OEM_ID = 0
00400026 |. 0000 DW 0 ; DOS_OEM_Info = 0
00400028 |. 0000 DW 0 ; DOS_Reserved2[10.] = 00000000
0040002A |. 0000 DW 0
0040002C |. 0000 DW 0
0040002E |. 0000 DW 0
00400030 |. 0000 DW 0
00400032 |. 0000 DW 0
00400034 |. 0000 DW 0
00400036 |. 0000 DW 0
00400038 |. 0000 DW 0
0040003A |. 0000 DW 0
0040003C \. 48010000 DD 00000148 ; DOS_PEOffset = 148
Code: Select all
CPU Disasm
Address Hex dump Command Comments
00400148 . 50 45 00 00 ASCII "PE",0,0 ; IMAGE_NT_SIGNATURE[4] = "PE\0\0"
0040014C /. 4C01 DW 14C ; Machine = IMAGE_FILE_MACHINE_I386
0040014E |. 0400 DW 4 ; NumberOfSections = 4
00400150 |. AAA29F4E DD 4E9FA2AA ; TimeDateStamp = 4E9FA2AA
00400154 |. 00000000 DD 00000000 ; PointerToSymbolTable = 0
00400158 |. 00000000 DD 00000000 ; NumberOfSymbols = 0
0040015C |. E000 DW 0E0 ; SizeOfOptionalHeader = 224.
0040015E \. 0301 DW 103 ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|RELOCS_STRIPPED
00400160 /. 0B01 DW 10B ; MagicNumber = IMAGE_NT_OPTIONAL_HDR32_MAGIC
00400162 |. 09 DB 09 ; MajorLinkerVersion = 9
00400163 |. 00 DB 00 ; MinorLinkerVersion = 0
00400164 |. 004EEF00 DD 00EF4E00 ; SizeOfCode = 15683072.
00400168 |. 00DC6400 DD 0064DC00 ; SizeOfInitializedData = 6609920.
0040016C |. 00000000 DD 00000000 ; SizeOfUninitializedData = 0
00400170 |. CFD47E00 DD 007ED4CF ; AddressOfEntryPoint = 7ED4CF
00400174 |. 00100000 DD 00001000 ; BaseOfCode = 1000
00400178 |. 0060EF00 DD 00EF6000 ; BaseOfData = 0EF6000
0040017C |. 00004000 DD 00400000 ; ImageBase = 400000
00400180 |. 00100000 DD 00001000 ; SectionAlignment = 1000
00400184 |. 00020000 DD 00000200 ; FileAlignment = 200
00400188 |. 0500 DW 5 ; MajorOSVersion = 5
0040018A |. 0000 DW 0 ; MinorOSVersion = 0
0040018C |. 0000 DW 0 ; MajorImageVersion = 0
0040018E |. 0000 DW 0 ; MinorImageVersion = 0
00400190 |. 0500 DW 5 ; MajorSubsystemVersion = 5
00400192 |. 0000 DW 0 ; MinorSubsystemVersion = 0
00400194 |. 00000000 DD 00000000 ; Win32VersionValue = 0
00400198 |. 00206C01 DD 016C2000 ; SizeOfImage = 23863296.
0040019C |. 00040000 DD 00000400 ; SizeOfHeaders = 1024.
004001A0 |. 14FA5401 DD 0154FA14 ; CheckSum = 154FA14
004001A4 |. 0200 DW 2 ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
004001A6 |. 0080 DW 8000 ; DLLCharacteristics = 8000
004001A8 |. 00001000 DD 00100000 ; SizeOfStackReserve = 1048576.
004001AC |. 00100000 DD 00001000 ; SizeOfStackCommit = 4096.
004001B0 |. 00001000 DD 00100000 ; SizeOfHeapReserve = 1048576.
004001B4 |. 00100000 DD 00001000 ; SizeOfHeapCommit = 4096.
004001B8 |. 00000000 DD 00000000 ; LoaderFlags = 0
004001BC \. 10000000 DD 00000010 ; NumberOfRvaAndSizes = 16.
004001C0 /. 00000000 DD 00000000 ; Export Table address = 0
004001C4 |. 00000000 DD 00000000 ; Export Table size = 0
004001C8 |. D85C2101 DD 01215CD8 ; Import Table address = 1215CD8
004001CC |. 30020000 DD 00000230 ; Import Table size = 560.
004001D0 |. 00104101 DD 01411000 ; Resource Table address = 1411000
004001D4 |. 340A2B00 DD 002B0A34 ; Resource Table size = 2820660.
004001D8 |. 00000000 DD 00000000 ; Exception Table address = 0
004001DC |. 00000000 DD 00000000 ; Exception Table size = 0
004001E0 |. 00000000 DD 00000000 ; Certificate File pointer = 0
004001E4 |. 00000000 DD 00000000 ; Certificate Table size = 0
004001E8 |. 00000000 DD 00000000 ; Relocation Table address = 0
004001EC |. 00000000 DD 00000000 ; Relocation Table size = 0
004001F0 |. 009DEF00 DD 00EF9D00 ; Debug Data address = 0EF9D00
004001F4 |. 1C000000 DD 0000001C ; Debug Data size = 28.
004001F8 |. 00000000 DD 00000000 ; Architecture Data address = 0
004001FC |. 00000000 DD 00000000 ; Architecture Data size = 0
00400200 |. 00000000 DD 00000000 ; Global Ptr address = 0
00400204 |. 00000000 DD 00000000 ; Reserved = 00000000
00400208 |. 00000000 DD 00000000 ; TLS Table address = 0
0040020C |. 00000000 DD 00000000 ; TLS Table size = 0
00400210 |. 00000000 DD 00000000 ; Load Config Table address = 0
00400214 |. 00000000 DD 00000000 ; Load Config Table size = 0
00400218 |. 00000000 DD 00000000 ; Bound Import Table address = 0
0040021C |. 00000000 DD 00000000 ; Bound Import Table size = 0
00400220 |. 0060EF00 DD 00EF6000 ; Import Address Table address = 0EF6000
00400224 |. 080D0000 DD 00000D08 ; Import Address Table size = 3336.
00400228 |. 00000000 DD 00000000 ; Delay Import Descriptor address = 0
0040022C |. 00000000 DD 00000000 ; Delay Import Descriptor size = 0
00400230 |. 00000000 DD 00000000 ; COM+ Runtime Header address = 0
00400234 |. 00000000 DD 00000000 ; Import Address Table size = 0
00400238 |. 00000000 DD 00000000 ; Reserved = 00000000
0040023C \. 00000000 DD 00000000 ; Reserved = 00000000
00400240 /. 2E 74 65 78 7 ASCII ".text",0,0,0 ; Name[8] = ".text\0\0\0"
00400248 |. DF4CEF00 DD 00EF4CDF ; VirtualSize = 15682783.
0040024C |. 00100000 DD 00001000 ; VirtualAddress = 1000
00400250 |. 004EEF00 DD 00EF4E00 ; SizeOfRawData = 15683072.
00400254 |. 00040000 DD 00000400 ; PointerToRawData = 400
00400258 |. 00000000 DD 00000000 ; PointerToRelocations = 0
0040025C |. 00000000 DD 00000000 ; PointerToLineNumbers = 0
00400260 |. 0000 DW 0 ; NumberOfRelocations = 0
00400262 |. 0000 DW 0 ; NumberOfLineNumbers = 0
00400264 \. 20000060 DD 60000020 ; Characteristics = CODE|EXECUTE|READ
00400268 /. 2E 72 64 61 7 ASCII ".rdata",0,0 ; Name[8] = ".rdata\0\0"
00400270 |. 8A453200 DD 0032458A ; VirtualSize = 3294602.
00400274 |. 0060EF00 DD 00EF6000 ; VirtualAddress = 0EF6000
00400278 |. 00463200 DD 00324600 ; SizeOfRawData = 3294720.
0040027C |. 0052EF00 DD 00EF5200 ; PointerToRawData = 0EF5200
00400280 |. 00000000 DD 00000000 ; PointerToRelocations = 0
00400284 |. 00000000 DD 00000000 ; PointerToLineNumbers = 0
00400288 |. 0000 DW 0 ; NumberOfRelocations = 0
0040028A |. 0000 DW 0 ; NumberOfLineNumbers = 0
0040028C \. 40000040 DD 40000040 ; Characteristics = INITIALIZED_DATA|READ
00400290 /. 2E 64 61 74 6 ASCII ".data",0,0,0 ; Name[8] = ".data\0\0\0"
00400298 |. 985C1F00 DD 001F5C98 ; VirtualSize = 2055320.
0040029C |. 00B02101 DD 0121B000 ; VirtualAddress = 121B000
004002A0 |. 008A0700 DD 00078A00 ; SizeOfRawData = 494080.
004002A4 |. 00982101 DD 01219800 ; PointerToRawData = 1219800
004002A8 |. 00000000 DD 00000000 ; PointerToRelocations = 0
004002AC |. 00000000 DD 00000000 ; PointerToLineNumbers = 0
004002B0 |. 0000 DW 0 ; NumberOfRelocations = 0
004002B2 |. 0000 DW 0 ; NumberOfLineNumbers = 0
004002B4 \. 400000C0 DD C0000040 ; Characteristics = INITIALIZED_DATA|READ|WRITE
004002B8 /. 2E 72 73 72 6 ASCII ".rsrc",0,0,0 ; Name[8] = ".rsrc\0\0\0"
004002C0 |. 340A2B00 DD 002B0A34 ; VirtualSize = 2820660.
004002C4 |. 00104101 DD 01411000 ; VirtualAddress = 1411000
004002C8 |. 000C2B00 DD 002B0C00 ; SizeOfRawData = 2821120.
004002CC |. 00222901 DD 01292200 ; PointerToRawData = 1292200
004002D0 |. 00000000 DD 00000000 ; PointerToRelocations = 0
004002D4 |. 00000000 DD 00000000 ; PointerToLineNumbers = 0
004002D8 |. 0000 DW 0 ; NumberOfRelocations = 0
004002DA |. 0000 DW 0 ; NumberOfLineNumbers = 0
004002DC \. 40000040 DD 40000040 ; Characteristics = INITIALIZED_DATA|READ
Code: Select all
CPU Disasm
Address Hex dump Command Comments
007ED4CF |? F0 LOCK
007ED4D0 |? FE DB FE ; Unknown command
007ED4D1 |? FF DB FF ; Unknown command
007ED4D2 |? FF68 00 JMP FAR FWORD PTR DS:[EAX] ; Far jump or call
007ED4D5 |? 0100 ADD DWORD PTR DS:[EAX], EAX
007ED4D7 |? 0051 E8 ADD BYTE PTR DS:[ECX-18], DL
007ED4DA |? F2:F73F REPNE IDIV DWORD PTR DS:[EDI] ; Superfluous REPxx prefix
007ED4DD |? 0083 C4148D95 ADD BYTE PTR DS:[EBX+958D14C4], AL
007ED4E3 |? F0 LOCK
007ED4E4 |? FE DB FE ; Unknown command
007ED4E5 |? FF DB FF ; Unknown command
007ED4E6 |? FF52 8D CALL NEAR DWORD PTR DS:[EDX-73]
007ED4E9 |? 8DB8 FEFFFFE8 LEA EDI, [EAX+E8FFFFFE] ; |
007ED4EF |? 9D POPFD
007ED4F0 |? 4A DEC EDX
007ED4F1 |? C1FF 53 SAR EDI, 53 ; Shift out of range
007ED4F4 |. 53 PUSH EBX ; |Arg10
007ED4F5 |. 53 PUSH EBX ; |Arg9
007ED4F6 |. 68 000000FF PUSH FF000000 ; |Arg8 = FF000000
007ED4FB |. 6A FF PUSH -1 ; |Arg7 = -1
007ED4FD |. 56 PUSH ESI ; |Arg6
007ED4FE |. 6A 0C PUSH 0C ; |Arg5 = 0C
007ED500 |. 8D85 D4FEFFFF LEA EAX, [LOCAL.75] ; |
007ED506 |. 50 PUSH EAX ; |Arg4 => OFFSET LOCAL.75
007ED507 |. 8D8D B8FEFFFF LEA ECX, [LOCAL.82] ; |
007ED50D |. 51 PUSH ECX ; |Arg3 => OFFSET LOCAL.82
007ED50E |. 68 09010000 PUSH 109 ; |Arg2 = 109
007ED513 |. 68 1C020000 PUSH 21C ; |Arg1 = 21C
007ED518 |. C645 FC 4A MOV BYTE PTR SS:[LOCAL.1], 4A ; |
007ED51C |. E8 5F284600 CALL Argo.00C4FD80 ; \Argo.00C4FD80
My RoM Bot toys:
- Object Viewer: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2619
Teleporter Functions: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2605
Waypoint Finder: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2616
Mail Functions: http://www.solarstrike.net/phpBB3/viewt ... =27&t=2612
Equipment Swapper(TempFixed): http://www.solarstrike.net/phpBB3/viewt ... =27&t=2571
Who is online
Users browsing this forum: No registered users and 1 guest