[MAC] Using watch/rwatch with GDB menu

  1. #1 Tanaris4 (Contributor)


    So ever since Blizzard introduced new anti-debugging techniques I've unfortunately been unable to attach and watch memory locations. Has anyone been successful in attaching a debugger + using it on OS X?

    Obviously it will crash during login, so you have to attach after you're already in game (gdb -q -p <pid>). From here you can continue + do whatever in game, but as soon as you try to watch a memory location (and that memory location is then written to/read from) it will crash.

    I tried injecting + hooking sysctl and removing the P_TRACED flag. Interestingly enough, sysctl is called right before the crash, and I change the info->kp_proc.p_flag variable from 0x4802 to 0x4002 (0x800 is the "under a debugger" flag). But it still crashes. Here is the stack trace when sysctl is called:
    [bt] Execution path:
    [bt] 0 wow 0x3b22f796 show_stackframe + 46
    [bt] 1 wow 0x3b22fa0f _hook_sysctl + 93
    [bt] 2 World of Warcraft 0x00909a38 _Z5roundRK6unreal + 1678760
    [bt] 3 World of Warcraft 0x009ae9ac _Z5roundRK6unreal + 2354460
    [bt] 4 World of Warcraft 0x0012475e start + 566618
    [bt] 5 World of Warcraft 0x0012592a start + 571174
    [bt] 6 World of Warcraft 0x0073d5f5 AssertAndCrash + 117
    [bt] 7 Battle.net.bundle 0x298eea0f ordinal00010 + 2293871
    [bt] 8 Battle.net.bundle 0x298eeaff ordinal00010 + 2294111
    [bt] 9 Battle.net.bundle 0x29787fe3 ordinal00010 + 824899
    [bt] 10 Battle.net.bundle 0x29693ea0 0x0 + 694763168
    [bt] 11 World of Warcraft 0x00119e96 start + 523410
    [bt] 12 World of Warcraft 0x0074771d AssertAndCrash + 41373
    [bt] 13 World of Warcraft 0x003022cb start + 2523335
    [bt] 14 World of Warcraft 0x0077778d _Z5roundRK6unreal + 31485
    [bt] 15 World of Warcraft 0x0077b218 _Z5roundRK6unreal + 46472
    And here is the trace from what wow wants to send back home:
    Thread 0 0x00000903 (Current)
    0 0x298eea0f _ordinal00010+2293871
    1 0x298eeaff _ordinal00010+2294111
    2 0x29787fe3 _ordinal00010+824899
    3 0x29693ea0
    4 0x00119e96 start+523410
    5 0x0074771d _AssertAndCrash+41373
    6 0x003022cb start+2523335
    7 0x0077778d round(unreal const&)+31485
    8 0x0077b218 round(unreal const&)+46472
    9 0x0077b61a round(unreal const&)+47498
    10 0x009bf8ce _bliz_catch_exception_raise+30814
    11 0x97f929b0 ___NSFireTimer+141
    12 0x968bbadb ___CFRunLoopRun+8059
    13 0x968b9464 _CFRunLoopRunSpecific+452
    14 0x968b9291 _CFRunLoopRunInMode+97
    15 0x98cc7f9c _RunCurrentEventLoopInMode+392
    16 0x98cc7d51 _ReceiveNextEventCommon+354
    17 0x98cc7bd6 _BlockUntilNextEventMatchingListInMode+81
    18 0x94a5e78d __DPSNextEvent+847
    19 0x94a5dfce -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]+156
    20 0x94a20247 -[NSApplication run]+821
    21 0x009bfbe3 _bliz_catch_exception_raise+31603
    22 0x0077b5bd round(unreal const&)+47405
    23 0x009b391b round(unreal const&)+2374795
    24 0x009c0074 _bliz_catch_exception_raise+32772
    25 0x0009a2ff start+251
    26 0x0009a22d start+41
    Here is my hook for those that are interested:
    Code:
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/sysctl.h>   /* struct kinfo_proc, sysctl() */
    #include <sys/proc.h>     /* P_TRACED */

    /* helper from the injected library (see the [bt] trace above) */
    void show_stackframe(void);

    /* pointer to the original sysctl, filled in by the hooking code */
    int (*_real_sysctl)(int *a1, unsigned int a2, struct kinfo_proc *info, size_t *size, void *a5, size_t a6);

    int _hook_sysctl(int *a1, unsigned int a2, struct kinfo_proc *info, size_t *size, void *a5, size_t a6){
    	
    	/* log the MIB the caller asked for */
    	printf("-- sysctl --\n");
    	unsigned int i;
    	for ( i = 0; i < a2; i++ ){
    		printf(" 0x%X", a1[i]);
    	}
    	printf("\n");
    
    	show_stackframe();
    	
    	int res = _real_sysctl(a1, a2, info, size, a5, a6);
    	
    	// we can't access the info struct if it's not even the right size now can we??
    	if ( size && *size == sizeof(struct kinfo_proc) ){
    		// remove the trace if it exists!
    		if ( (info->kp_proc.p_flag & P_TRACED) != 0 ){
    			info->kp_proc.p_flag = info->kp_proc.p_flag & ~P_TRACED;
    		}
    	}
    
    	return res;
    }
    Anyone have any ideas on how I can do this? Here is the latest mac binary: Build 13329.

    Thanks in advance!
    https://tanaris4.com
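Editor's note on the sysctl call in the post above: querying KERN_PROC for your own pid and testing P_TRACED in kp_proc.p_flag is the debugger check Apple itself documents (Technical Q&A QA1361, "Detecting the Debugger"), and it is exactly the 0x4802 / 0x4002 difference the post describes (0x800 is P_TRACED). The example below is added here and is not the poster's code: it shows that check from the detection side, so you can see what a tracer-aware process observes, and it decodes the two p_flag values from the post. The function names am_i_being_debugged and p_flag_is_traced are my own; the KERN_PROC query only compiles on Darwin, so on other platforms it reports "unavailable" rather than guessing.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __APPLE__
#include <sys/sysctl.h>   /* CTL_KERN, KERN_PROC, struct kinfo_proc, sysctl() */
#endif

/* P_TRACED as defined in Darwin's <sys/proc.h>; repeated here so the
   p_flag decoder also builds on non-Apple hosts. */
#ifndef P_TRACED
#define P_TRACED 0x00000800
#endif

/* Decode a kp_proc.p_flag word: 1 if the process is being traced, else 0.
   The post's values: 0x4802 -> traced, 0x4002 -> not traced. */
int p_flag_is_traced(unsigned int p_flag)
{
    return (p_flag & P_TRACED) != 0;
}

/* Ask the kernel about the current process, as Apple's QA1361 does.
   Returns 1 if traced, 0 if not, -1 if the query failed or this platform
   has no KERN_PROC sysctl (e.g. Linux). */
int am_i_being_debugged(void)
{
#ifdef __APPLE__
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    struct kinfo_proc info;
    size_t size = sizeof(info);

    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0)
        return -1;
    /* Same sanity check the post's hook makes: the caller only trusts the
       struct if the kernel filled in a full kinfo_proc. */
    if (size != sizeof(info))
        return -1;
    return p_flag_is_traced((unsigned int)info.kp_proc.p_flag);
#else
    return -1;
#endif
}

int main(void)
{
    printf("p_flag 0x4802 traced? %d\n", p_flag_is_traced(0x4802));  /* 1 */
    printf("p_flag 0x4002 traced? %d\n", p_flag_is_traced(0x4002));  /* 0 */

    int r = am_i_being_debugged();
    if (r < 0)
        puts("KERN_PROC query unavailable on this platform");
    else
        printf("this process traced? %d\n", r);
    return 0;
}
```

Run it once normally and once under `gdb -q -p <pid>` (or `gdb ./a.out`) on a Mac and the second call flips from 0 to 1; that flip is what the hook in the post is trying to hide, and it is also why an attached debugger is visible to any code that calls sysctl, not only to code that calls ptrace.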

  2. #2 Wish311 (Contributor)
    I haven't tried. But will start looking into it.

  3. #3 Tanaris4 (Contributor)
    Let me know if you get anywhere; it's seriously frustrating. I'm not sure how else it's checking to see if it's under a debugger. Or would an address being watched suddenly put the game in a bad state?
    https://tanaris4.com
