Go Back

Steam's anti-debugging code

I bought a few more steam games on friday (F.E.A.R. 3, DeusEx, Brinck, Fall out series, Duke Nukem) and ran into the annoying crash-at-breakpoint again. This time, however, I decided to put some time into it to try and find why this is happening.

After a lot of googling I ran into this blog post:
http://nsylvain.blogspot.com/2007/08/threadhidefromdebugger-but-why.html

While it does not specifically mention Steam, it does explain why WinDBG (and other debuggers like OllyDBG and C.E.) crash the game when a break point is triggered. Windows simply does not tell WinDBG about the break point and as such it crashes the game (as the game can't handle it either).

So I spend several hours figuring out ways to circumvent the "ThreadHideFromDebugger" flag.

At first I tried to undo the "ThreadHideFromDebugger" flag, but apparently once you've set this flag, it stays on  (there's no way to turn it off on a thread). I then tried to access the ETHREAD structure which gets modified by "NtSetInformationThread" but apparently you can't get access to the ETHREAD structure from User Space (at least not in any way that I could find).

So the only way to get rid of the "ThreadHideFromDebugger" flag is by not letting the application set the flag. There's two ways to do this, stop it in user mode or in kernel mode. Kernel mode is nice, but it really isn't funny to BSOD your system a lot while developing the driver. Also the whole 'need it to be signed' part for x64 sucks. But this is still a valid option which I might look into.

But I decided to write a user mode DLL which you can inject into Steam. Once it's injected, you simply have to start the game you want to debug from within steam and the DLL does all the work for you. It hooks 3 functions, CreateProcessA/W and NtSetInformationThread, the NtSetInformationThread hook is responsible for actually disabling the "ThreadHideFromDebugger" flag. The CreateProcess hooks are used to hook any game launched by Steam.

There's 1 big *read this*, do *not* start VAC-games (and probably also PunkBuster games) with this DLL loaded into Steam! It will most likely get you banned. Also a small disclaimer, only use this to cheat in single player games. Cheating in online-games is wrong mkay! ;)

You can download it here.

Posted by: Da_Teach on Sunday, August 7, 2011  •  Comments (35)  •  Full story  •  C# Hack Cheat Engine WinDBG Anti-Debugger

Metro 2033

While I was letting the L4 Eve Online bot do its business, I was playing a nice game of Metro 2033. I have to say its a very nice story line and the atmosphere in the game is great.

But damn I hated running out of ammo!

So for you guys out there that hate that too, change the function at 0x74C7C3 into nop's and you wont run out of ammo anymore :D

Perhaps this weekend I'll make a proper trainer, although chances are I'll be too busy playing with the L4 Eve Online bot :)

Posted by: Da_Teach on Thursday, August 12, 2010  •  Comments (2)  •  Full story  •  Metro 2033 Hack Cheat Engine

Warhammer Online Influence hack updated

Well I updated the Influence Hack for Warhammer Online, in theory this hack should continue to work after (minor?) updates. It searches through memory for the influence hack location using a pattern created by IDA.

The pattern matching isn't that exciting, just search for an array of bytes and if the match is found then that's the address that I want. Its reasonably fast (it finds the address in 1.3.4.529 within 1 second on my PC).

Anyhow, you can download it here. Enjoy!

Edit:
According to this post Mythic is  apparently detecting influence hacks (finally):
http://www.mmoelites.com/topic/633-a-warning-to-all/

So be careful with using this hack.

Posted by: Da_Teach on Saturday, May 1, 2010  •  Comments (2)  •  Full story  •  C# Hack Warhammer Online Pattern Matching

Warhammer Online (I'm back! :)

The pressure at work is lowering, so I don't have to work overtime anymore. Its not completely over yet, so I'm not back at full strength yet, but I should be able to slowly get back to what I love doing the most: hacking games!

The first hack I wanted to start with is more an actual hack rather then a trainer. The original version of this hack also isn't mine. Its a hack I found here.

The hack uses the fact that influence, unlike with 99.9% of the game's content, is checked client side when selecting influence rewards.

Normal MMO behavior is to assume the client has been compromised, but with this assumption comes a trade off. Handling everything server side makes the game laggy (servers cant handle "everything"), but some games (like Eve Online) pull it off. Usually though games make a trade off, lag vs responsiveness. In Warhammer Online this trade off allows things like Speed Hacking and Teleporting.

That said, what it shouldn't have allowed is this hack. What this hack does is tell the client 'You have full influence', when you then go to the Rally Master to select your reward, you can select the items you want. Now you can call me crazy, but somehow I feel a server-side check should have been in place here.

As I said though the hack that I found wasn't mine, I did however improve on it. The whole ordeal with either TSearch or Cheat Engine, find the value, bla bla bla. Too much work ;)

If you look at the link you will see that they want you to change the register value at a certain instruction to the amount of influence you want. I took the liberty of analyzing where it writes to. The instruction mov [eax+8], edi basically sets your influence amount. Upon further inspection we find that at [eax+14h] the amount of influence you need for the Elite Reward it stored.

So utilizing a code cave, I basically read the maximum needed influence and write that to [eax+8] instead. The end result is that you will get maximum influence in any chapter without the hassle of cheat engine, etc. If you start the hack in your character selection screen then you should in theory have maximum influence in any chapter you go to. If you start the hack while actually in game, you might have to kill something (or do something) that gets you influence.

You can download the hack here. I will not keep this hack up to date because it gets updated too often. However I am willing to update it if its requested through a comment on this post.

Posted by: Da_Teach on Saturday, March 20, 2010  •  Comments (0)  •  Full story  •  C# Hack Warhammer Online