Register for your free account! | Forgot your password?

Go Back   elitepvpers > Aion > Aion Hacks, Bots, Cheats & Exploits
You last visited: Today at 11:22

  • Please register to post and access all features, it's quick, easy and FREE!

 

[Tutorial] Aion Anti-Anti-Debugger (work in progress)

Reply
 
Old   #1
 
elite*gold: 0
Join Date: May 2008
Posts: 29
Received Thanks: 4
[Tutorial] Aion Anti-Anti-Debugger (work in progress)

Hey all,

Even though Gameguard has been removed from Aion's launch, some parts of its protection remain. For instance, when you try to run OllyDbg, Aion immediately exits. This guide will demonstrate one simple way to prevent that from happening. Ultimately, I aim to also remove Aion's anti-breakpoint code and all other anti-debugging code.

This guide assumes that you have the following software:
  • OllyDbg
  • AionPauser (written by myself in C# )

Without further ado...

Step 1 -
Run Aion and (preferably) wait until you get to the login screen.

Step 2 -
Run AionPauser.exe and press space or otherwise suspend all of Aion's threads. This works because Aion's anti-cheat code runs entirely within its own process. Suspending all threads ensures that Aion can do _not shit_ against us. Leave AionPauser running - you will need it later to resume.

Step 3 -
Run OllyDbg, attach to Aion's process (default is AION.bin.) You will get messages informing you that AION.bin, CrySyste.dll, and Game.dll are packed. Just hit OK for all of them. Now, feel mildly satisfied that Aion hasn't shut down while OllyDbg is running and attached. Of course, Aion is still paused and we can't learn much from debugging a paused process! If we were to unpause now, Aion would almost immediately notice OllyDbg and shut down as before.

Interjection -
Now, thinking time. How was Aion detecting OllyDbg? It turns out that it uses several really, really commonplace and well-documented methods. One of which is the dumb-shit Win32 API, IsDebuggerPresent. So let's set a breakpoint on that API.

Step 4 -
Pressing CTRL+G in OllyDbg will open up the "Enter expression to follow" window. Type "IsDebuggerPresent" and hit enter. Press F2 to set a breakpoint on the function address that you jump to.

Step 5 -
Resume all threads by hitting space in AionPauser. Press F9 in OllyDbg to allow Aion to run. Smile as OllyDbg catches the IsDebuggerPresent breakpoint shortly after resuming.

Step 6 -

In the title bar of OllyDbg's CPU/debugging window (i.e. NOT OllyDbg's main window), you will see what thread IsDebuggerPresent was called on. Select View>Threads and _KILL_ the thread that was calling IsDebuggerPresent. By doing so, we've terminated the thread that was running anti-debugger code.

Conclusion -
Now Aion is running while OllyDbg is attached! Sadly, if you set a breakpoint, and the breakpoint is caught, Aion will crash.

TODO:
  • Reverse the anti-breakpoint code
  • Automate everything



aocunderground is offline  
Thanks
4 Users
Old   #2
 
elite*gold: 0
Join Date: Aug 2007
Posts: 133
Received Thanks: 11
Tested it, and when i pause it, aion completely freezes. Nice concept though


boblhead is offline  
Old   #3
 
elite*gold: 0
Join Date: May 2008
Posts: 29
Received Thanks: 4
A much easier method involves patching or otherwise hooking IsDebuggerPresent and simply changing OllyDbg's window name.

Additionally, I've discovered that Aion is packed with Themida version 2.0.6.5. I am currently working on bypassing the other protections that it provides.
aocunderground is offline  
Old   #4
 
elite*gold: 0
Join Date: Sep 2009
Posts: 5
Received Thanks: 1
How about you use a proper olly hidding plugin?

My olly has never been detected and my breakpoints work fine.


Koelkast is offline  
Old   #5
 
elite*gold: 0
Join Date: Jun 2005
Posts: 42
Received Thanks: 3
@Koelkast, I've tried several with all failed attempts.

HideOlly, StrongOD, Phantom, etc. All crash aion on setting a breakpoint within the main thread (game thread).

So, if you have some magic plugin PLEASE share it with us, as it would help the entire community. Even if its just the name of it.
gameroz is offline  
Old   #6
 
elite*gold: 0
Join Date: Feb 2009
Posts: 27
Received Thanks: 1

maybe here u can find what are you looking for... dunno actually wich can help u, have a look
tankozzu is offline  
Old   #7
 
elite*gold: 0
Join Date: Jun 2005
Posts: 42
Received Thanks: 3
UPDATE: For those interested, you can set breakpoints, from Win32 OS's only. From Win64, they all fail. Tested and working with WinXP 32-bit setting breakpoints.
gameroz is offline  
Old   #8
 
elite*gold: 0
Join Date: Jul 2005
Posts: 39
Received Thanks: 1
awesome artice, thank you!
General is offline  
Old   #9
 
elite*gold: 0
Join Date: Sep 2009
Posts: 92
Received Thanks: 13
anyone found a bypass yet? thanks
Mesosneaky is offline  
Old   #10
 
elite*gold: 0
Join Date: May 2008
Posts: 29
Received Thanks: 4
Unpacking Themida is the key. my cracking/non-game related rce skills are little lackluster, so I'm stuck. If I ever successfully unpack it, I'll likely post a tutorial/unpacker.

BTW: whoever said breakpoints work in x86... well, I tried Win 7600 x86 and it didn't work. Counterexample, or just a windows 7 bug.
aocunderground is offline  
Old   #11
 
elite*gold: 0
Join Date: Sep 2009
Posts: 23
Received Thanks: 27
"IsDebuggerPresent" and "Hide Debugger" from OpenRCE do not work. Aion still closes.

I have a few offsets I'd like to find, and I don't think I'll be able to do it this time without a proper debugger.

Anyone have any luck?
Novi_nofap is offline  
Old   #12
 
elite*gold: 0
Join Date: May 2008
Posts: 29
Received Thanks: 4
Quote:
Originally Posted by Novi_nofap View Post
"IsDebuggerPresent" and "Hide Debugger" from OpenRCE do not work. Aion still closes.

I have a few offsets I'd like to find, and I don't think I'll be able to do it this time without a proper debugger.

Anyone have any luck?
Try windows XP 32-bit. It seems that you can set hardware breakpoints at the very least if you bypass anti-debugging checks. I know Cheat Engine works, and I don't see why Olly wouldn't.
aocunderground is offline  
Old   #13
 
elite*gold: 0
Join Date: Jun 2008
Posts: 510
Received Thanks: 89
Everything unpacked
Enjoy
ddarek is offline  
Old   #14
 
elite*gold: 0
Join Date: Feb 2005
Posts: 182
Received Thanks: 9
is this stuff for stoping cheat detection?? is it up to date can i run it and bot safe?
Sizzla is offline  
Old   #15
 
elite*gold: 0
Join Date: Jan 2009
Posts: 7
Received Thanks: 5
Quote:
Originally Posted by Sizzla View Post
is this stuff for stoping cheat detection?? is it up to date can i run it and bot safe?
has nothing to do with cheat detection, is most current game binaries which I unpack from its WinLicense shell... updated every new patch, yes.

-Fyyre

p.s. for running via ollydbg, x86 platform -- use HideToolz(can d/l from my web site...) and HideOD plugin. Set options via HideOD 'HideNtDebugBit' and 'ClearHeapMagic', 'Auto run HideOD' -- set Olly to ignore exceptions and exception ranges 0x00000000 - 0xFFFFFFFF


Fyyre is offline  
Thanks
2 Users
Reply

Tags
aion, anti-anti-debugger, ollydbg, reversing



« Previous Thread | Next Thread »

Similar Threads
[Tutorial]Anti Invisible & Anti Stealth Exploit - PK2
Anti Invisible part 1 of 2(skill 1 level 1-6) Hello E*PvP Members, In this tutorial I will show you how to be able to see players under Invisible ...
113 Replies - SRO Coding Corner
Anti Recoil+Anti flash+anti smoke+Clear scope
Hi guys my brother making hack new not me image program http://img519.imageshack.us/img519/1492/wwwwo.jpg 1. open the program 2.select all...
2 Replies - Soldier Front



All times are GMT +2. The time now is 11:22.


Powered by vBulletin®
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.

Support | Contact Us | FAQ | Advertising | Privacy Policy
Copyright ©2017 elitepvpers All Rights Reserved.