-
Any success with debugging the client? I've tried many methods here, but I always crash and burn.
What I've tried
- remote VM with gdbserver
- scyllahide
- titanhide
- windbg preview (kernel to VM com port)
In the past I tried some of the OC methods of modifying the client, but I'm not really willing to go this route anymore, especially if there is an alternative. The other thing I'll eventually try is kernel debugging from a separate physical system. I have higher hopes for this, but it would be nice to know before investing in another screen and some gear whether this is even worth the trouble.
My final attempt would be some all-kill WinAPI hook setup to defeat everything in usermode. I don't think I need to hush Warden because I don't think it's involved in this process other than possibly monitoring the activity of certain events. Please let me know if you are having luck with debugging, and TY.
edit: I'm being a bit greedy in my desire here. I think I really just need a method to dump properly and rebuild the IAT first. After a bit more practice, I can look into the debug thing...
Last edited by Glitt; 04-01-2023 at 01:47 AM.
Reason: hmm
-
Use CE for debugging. It works for me.
-
Originally Posted by
ValikK
Use CE for debugging. It works for me.
What debugger do you use (VEH or windbg)? WoW crashes when I use windbg, and with VEH I get a VEH dll error. Did you try it on the vanilla version?
-
Originally Posted by
ValikK
Use CE for debugging. It works for me.
No, it does not without defeating the anti-debug stuff, even with a kernel debugger or VEH.
-
Originally Posted by
Glitt
edit: I'm being a bit greedy in my desire here. I think I really just need a method to dump properly and rebuild the IAT first. After a bit more practice, I can look into the debug thing...
GitHub - namreeb/dumpwow: Unpacker for World of Warcraft
-
-
Methods:
1. Find and patch all anti-debug functions so you can debug. (WoW patched the user breakpoint functions (2 functions) to prevent debugger attach and also checks whether the patched bytes have been restored; they also remapped .text with SEC_NO_CHANGE, so you can't set software BPs.)
2. Use the CE DBVM debugger.
3. Use hardware BPs and hook Get/SetContextThread (in the kernel) to hide the debug operation.
4. Rewrite all the DebugPort-related functions in the kernel to 'hide' the debugger. (Must use VM tech.)
-
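Added example, not code from the thread or from the client it discusses: a model of the first method in the post above (patch the user-mode breakpoint stub, then periodically verify the patch is still there) plus the baseline comparison that notices a software breakpoint written into a guarded region. The stub bytes and the "guarded region" are constructed buffers standing in for real .text; on Windows the live function would be located with GetProcAddress and its page made writable first, which this portable C deliberately leaves out. The `int3; ret` layout of DbgBreakPoint is the only detail taken from a real binary; everything else (names, sizes, the FNV-1a choice) is this example's own assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the first bytes of x64 ntdll!DbgBreakPoint:
 * `int3` (CC) followed by `ret` (C3). Not the real function, just a buffer. */
#define STUB_LEN 2
static uint8_t dbg_break_point[STUB_LEN] = { 0xCC, 0xC3 };

/* A guarded code region: where it lives and the hash it must still match. */
struct guard {
    uint8_t *code;
    size_t len;
    uint64_t expected;
};

/* FNV-1a 64-bit: cheap and deterministic, enough to notice one byte changing. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Step 1: neuter the breakpoint stub by turning its leading `int3` into `ret`,
 * so a debugger's remote break-in thread returns instead of breaking.
 * Record the hash of the patched bytes as the expected state. */
void patch_and_guard(struct guard *g, uint8_t *code, size_t len)
{
    code[0] = 0xC3;                 /* int3 -> ret */
    g->code = code;
    g->len = len;
    g->expected = fnv1a64(code, len);
}

/* Step 2: the periodic check. 1 while the patch is in place, 0 once something
 * (a debugger or a hiding tool) has put the original bytes back. */
int guard_intact(const struct guard *g)
{
    return fnv1a64(g->code, g->len) == g->expected;
}

/* Generic variant for any guarded region: compare live bytes against a saved
 * baseline and report the first differing offset (e.g. a 0xCC software
 * breakpoint planted in .text). Returns the number of changed bytes. */
size_t region_diff(const uint8_t *live, const uint8_t *baseline, size_t n, size_t *first_off)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) {
        if (live[i] != baseline[i]) {
            if (changed == 0 && first_off) *first_off = i;
            changed++;
        }
    }
    return changed;
}

int main(void)
{
    struct guard g;
    patch_and_guard(&g, dbg_break_point, STUB_LEN);
    printf("after patch:   intact=%d\n", guard_intact(&g));

    /* Simulate a hider restoring the original int3. */
    dbg_break_point[0] = 0xCC;
    printf("after restore: intact=%d\n", guard_intact(&g));

    /* Simulate a software breakpoint planted in a guarded code region
     * (constructed x64 bytes: mov [rsp+8],rbx ; ret). */
    uint8_t baseline[] = { 0x48, 0x89, 0x5C, 0x24, 0x08, 0xC3 };
    uint8_t live[sizeof baseline];
    memcpy(live, baseline, sizeof baseline);
    live[2] = 0xCC;
    size_t off = 0;
    size_t n = region_diff(live, baseline, sizeof baseline, &off);
    printf("soft bp: %zu byte(s) changed, first at +%zu\n", n, off);
    return 0;
}
```

This is also why a hardware breakpoint (method 3) survives where a software one does not: it changes debug registers, not the bytes these checks hash, which is why the post pairs it with hiding Get/SetContextThread.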
-
In retail they also hook KiUserDispatchException, or used to, so you have to handle that, as they will catch most exception types.
-
Thanks for all the responses. I'm going to take another crack at it by patching their WinAPI.
-
It turns out knowing all the things is nice, but as long as you can understand shit, it's even better to just focus on the parts you're succeeding at.
I have a nice MM project I'm willing to share as long as you aren't a noob. Don't necessarily have to offer something in return just that you aren't a moron.
p.s. I deleted Discord once again and it won't let me recover even though I still have access to the email it says it's sending out a recovery to. Long story short, I'm not trying to be a dick and ghost you.
-
Originally Posted by
Glitt
What I've tried
- remote VM with gdbserver
- scyllahide
- titanhide
- windbg preview (kernel to VM com port)
In the past I tried some of the OC methods of modifying the client, but I'm not really willing to go this route anymore, especially if there is an alternative. The other thing I'll eventually try is kernel debugging from a separate physical system. I have higher hopes for this, but it would be nice to know before investing in another screen and some gear whether this is even worth the trouble.
My final attempt would be some all-kill WinAPI hook setup to defeat everything in usermode. I don't think I need to hush Warden because I don't think it's involved in this process other than possibly monitoring the activity of certain events. Please let me know if you are having luck with debugging, and TY.
edit: I'm being a bit greedy in my desire here. I think I really just need a method to dump properly and rebuild the IAT first. After a bit more practice, I can look into the debug thing...
Check my video:
-