[Tutorial] Aion Anti-Anti-Debugger (work in progress)

[aocunderground]

Hey all,

Even though Gameguard has been removed from Aion's launch, some parts of its protection remain. For instance, when you try to run OllyDbg, Aion immediately exits. This guide will demonstrate one simple way to prevent that from happening. Ultimately, I aim to also remove Aion's anti-breakpoint code and all other anti-debugging code.

This guide assumes that you have the following software:

• OllyDbg
• AionPauser (written by myself in C# )

Without further ado...

Step 1 -
Run Aion and (preferably) wait until you get to the login screen.

Step 2 -
Run AionPauser.exe and press space or otherwise suspend all of Aion's threads. This works because Aion's anti-cheat code runs entirely within its own process. Suspending all threads ensures that Aion can do _not shit_ against us. Leave AionPauser running - you will need it later to resume.

Step 3 -
Run OllyDbg, attach to Aion's process (default is AION.bin.) You will get messages informing you that AION.bin, CrySyste.dll, and Game.dll are packed. Just hit OK for all of them. Now, feel mildly satisfied that Aion hasn't shut down while OllyDbg is running and attached. Of course, Aion is still paused and we can't learn much from debugging a paused process! If we were to unpause now, Aion would almost immediately notice OllyDbg and shut down as before.

Interjection -
Now, thinking time. How was Aion detecting OllyDbg? It turns out that it uses several really, really commonplace and well-documented methods. One of which is the dumb-shit Win32 API, IsDebuggerPresent. So let's set a breakpoint on that API.

Step 4 -
Pressing CTRL+G in OllyDbg will open up the "Enter expression to follow" window. Type "IsDebuggerPresent" and hit enter. Press F2 to set a breakpoint on the function address that you jump to.

Step 5 -
Resume all threads by hitting space in AionPauser. Press F9 in OllyDbg to allow Aion to run. Smile as OllyDbg catches the IsDebuggerPresent breakpoint shortly after resuming.

Step 6 -
In the title bar of OllyDbg's CPU/debugging window (i.e. NOT OllyDbg's main window), you will see what thread IsDebuggerPresent was called on. Select View>Threads and _KILL_ the thread that was calling IsDebuggerPresent. By doing so, we've terminated the thread that was running anti-debugger code.

Conclusion -
Now Aion is running while OllyDbg is attached! Sadly, if you set a breakpoint, and the breakpoint is caught, Aion will crash.

TODO:

• Reverse the anti-breakpoint code
• Automate everything

[boblhead]

Tested it, and when i pause it, aion completely freezes. Nice concept though

[aocunderground]

A much easier method involves patching or otherwise hooking IsDebuggerPresent and simply changing OllyDbg's window name.

Additionally, I've discovered that Aion is packed with Themida version 2.0.6.5. I am currently working on bypassing the other protections that it provides.

[Koelkast]

How about you use a proper olly hidding plugin?

My olly has never been detected and my breakpoints work fine.

[gameroz]

@Koelkast, I've tried several with all failed attempts.

HideOlly, StrongOD, Phantom, etc. All crash aion on setting a breakpoint within the main thread (game thread).

So, if you have some magic plugin PLEASE share it with us, as it would help the entire community. Even if its just the name of it.

[tankozzu]

maybe here u can find what are you looking for... dunno actually wich can help u, have a look

[gameroz]

UPDATE: For those interested, you can set breakpoints, from Win32 OS's only. From Win64, they all fail. Tested and working with WinXP 32-bit setting breakpoints.

[General]

awesome artice, thank you!

[Mesosneaky]

anyone found a bypass yet? thanks

[aocunderground]

Unpacking Themida is the key. my cracking/non-game related rce skills are little lackluster, so I'm stuck. If I ever successfully unpack it, I'll likely post a tutorial/unpacker.

BTW: whoever said breakpoints work in x86... well, I tried Win 7600 x86 and it didn't work. Counterexample, or just a windows 7 bug.

[Novi_nofap]

"IsDebuggerPresent" and "Hide Debugger" from OpenRCE do not work. Aion still closes.

I have a few offsets I'd like to find, and I don't think I'll be able to do it this time without a proper debugger.

Anyone have any luck?

[aocunderground]

Quote:

Originally Posted by Novi_nofap

"IsDebuggerPresent" and "Hide Debugger" from OpenRCE do not work. Aion still closes.

I have a few offsets I'd like to find, and I don't think I'll be able to do it this time without a proper debugger.

Anyone have any luck?

Try windows XP 32-bit. It seems that you can set hardware breakpoints at the very least if you bypass anti-debugging checks. I know Cheat Engine works, and I don't see why Olly wouldn't.

[ddarek]

Everything unpacked
Enjoy

[Sizzla]

is this stuff for stoping cheat detection?? is it up to date can i run it and bot safe?

[Fyyre]

Quote:

Originally Posted by Sizzla

is this stuff for stoping cheat detection?? is it up to date can i run it and bot safe?

has nothing to do with cheat detection, is most current game binaries which I unpack from its WinLicense shell... updated every new patch, yes.

-Fyyre

p.s. for running via ollydbg, x86 platform -- use HideToolz(can d/l from my web site...) and HideOD plugin. Set options via HideOD 'HideNtDebugBit' and 'ClearHeapMagic', 'Auto run HideOD' -- set Olly to ignore exceptions and exception ranges 0x00000000 - 0xFFFFFFFF