
Steam's anti-debugging code

I bought a few more Steam games on Friday (F.E.A.R. 3, Deus Ex, Brink, the Fallout series, Duke Nukem) and ran into the annoying crash-at-breakpoint problem again. This time, however, I decided to put some time into finding out why it happens.

After a lot of googling I ran into this blog post:
http://nsylvain.blogspot.com/2007/08/threadhidefromdebugger-but-why.html

While it does not specifically mention Steam, it does explain why WinDBG (and other debuggers like OllyDBG and C.E.) crash the game when a breakpoint is triggered: Windows simply does not report the breakpoint exception to WinDBG, so it is delivered to the game as an ordinary exception, and since the game has no handler for it either, the game crashes.

So I spent several hours figuring out ways to circumvent the "ThreadHideFromDebugger" flag.

At first I tried to undo the "ThreadHideFromDebugger" flag, but apparently once this flag has been set it stays on (there is no way to turn it off again on a thread). I then tried to access the ETHREAD structure, which is what "NtSetInformationThread" modifies, but apparently you can't get at the ETHREAD structure from user space (at least not in any way that I could find).

So the only way to get rid of the "ThreadHideFromDebugger" flag is to not let the application set it in the first place. There are two ways to do this: stop it in user mode or in kernel mode. Kernel mode is nice, but it really isn't fun to BSOD your system a lot while developing the driver. Also the whole 'needs to be signed' part on x64 sucks. But it is still a valid option which I might look into.

Instead I decided to write a user mode DLL which you can inject into Steam. Once it's injected, you simply start the game you want to debug from within Steam and the DLL does all the work for you. It hooks three functions: CreateProcessA, CreateProcessW and NtSetInformationThread. The NtSetInformationThread hook is the one that actually stops the "ThreadHideFromDebugger" flag from being set; the CreateProcess hooks are there so that the same hooks get applied to any game launched by Steam.
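To make the mechanism described above concrete, here is an added example (it is not the blog's DLL, nor anything from the tool it links to) that exercises ThreadHideFromDebugger on its own thread from C#, the language the post is tagged with. It shows three things a practitioner usually wants to verify for themselves: the flag is set through NtSetInformationThread with information class 17 and an empty buffer; it can be read back with NtQueryInformationThread (a one-byte BOOLEAN), which also makes the same call useful for checking whether a process's threads have been hidden; and, as the post says, there is no "unset": the class takes no value at all, so any attempt to pass one is rejected. Assumptions: Windows Vista or later (the query class is not supported on XP), the ntdll exports as documented in the usual native-API references, and running outside a debugger.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example, not the blog's DLL: exercises the ThreadHideFromDebugger
// mechanism on the current thread. Assumes Windows Vista or later and the
// ntdll exports as commonly documented; run it without a debugger attached.
static class HideFromDebuggerDemo
{
    // THREADINFOCLASS value 17 (0x11), the class the post talks about.
    const int ThreadHideFromDebugger = 0x11;
    const int STATUS_SUCCESS = 0;
    const int STATUS_INFO_LENGTH_MISMATCH = unchecked((int)0xC0000004);

    [DllImport("ntdll.dll")]
    static extern int NtSetInformationThread(IntPtr threadHandle, int infoClass,
                                             IntPtr info, int infoLength);

    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationThread(IntPtr threadHandle, int infoClass,
                                               out byte info, int infoLength,
                                               IntPtr returnLength);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentThread();

    // Reads the flag back as a one-byte BOOLEAN. Works on any thread handle
    // opened with THREAD_QUERY_INFORMATION, so an analyst can run the same
    // call against the threads of a process that crashes under a debugger.
    public static bool IsHiddenFromDebugger(IntPtr thread)
    {
        byte hidden;
        int status = NtQueryInformationThread(thread, ThreadHideFromDebugger,
                                              out hidden, sizeof(byte), IntPtr.Zero);
        if (status != STATUS_SUCCESS)
            throw new InvalidOperationException(
                "NtQueryInformationThread failed: 0x" + status.ToString("X8"));
        return hidden != 0;
    }

    // Sets the flag the way a protector does: no input buffer, length zero.
    public static int HideCurrentThread()
    {
        return NtSetInformationThread(GetCurrentThread(), ThreadHideFromDebugger,
                                      IntPtr.Zero, 0);
    }

    // The "undo" the post says does not exist: the class carries no value, so
    // there is nothing that means "false". A non-zero length is simply rejected.
    public static int TryUnhideCurrentThread()
    {
        IntPtr buf = Marshal.AllocHGlobal(1);
        try
        {
            Marshal.WriteByte(buf, 0);
            return NtSetInformationThread(GetCurrentThread(), ThreadHideFromDebugger,
                                          buf, 1);
        }
        finally
        {
            Marshal.FreeHGlobal(buf);
        }
    }

    static void Main()
    {
        IntPtr self = GetCurrentThread();   // pseudo-handle for the calling thread

        Console.WriteLine("before set  : hidden = {0}", IsHiddenFromDebugger(self));
        Console.WriteLine("set         : status = 0x{0:X8}", HideCurrentThread());
        Console.WriteLine("after set   : hidden = {0}", IsHiddenFromDebugger(self));

        int status = TryUnhideCurrentThread();
        Console.WriteLine("try unset   : status = 0x{0:X8} ({1})", status,
            status == STATUS_INFO_LENGTH_MISMATCH ? "STATUS_INFO_LENGTH_MISMATCH"
                                                  : "other");
        Console.WriteLine("after unset : hidden = {0}", IsHiddenFromDebugger(self));
    }
}
```

Compile as a console application and run it from a plain command prompt. The caveat that matters in practice is the one the post is about: if you run this under WinDBG or OllyDBG instead, any exception raised on that thread after the set call is no longer reported to the debugger, so a breakpoint placed after that point produces exactly the crash described above rather than a stop.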

There's one big *read this*: do *not* start VAC games (and probably also PunkBuster games) with this DLL loaded into Steam! It will most likely get you banned. Also a small disclaimer: only use this to cheat in single player games. Cheating in online games is wrong, mkay! ;)

You can download it here.

Posted by: Da_Teach on Sunday, August 07, 2011  •  C# Hack Cheat Engine WinDBG Anti-Debugger

  • So what does this DLL do? Does it allow you to cheat all by itself, or does it just circumvent the Steam anti-cheat protection (thereby allowing you to cheat with another tool like Cheat Engine)?
    And how do you use it? Just copy it to the Steam directory and run AntiDebuggerLoader.exe with Steam running? Or do you have to start a game first?
    Thanks for the effort in any case, I greatly appreciated your Defense Grid Trainer. :-)

    Alarion  •  07 Aug

  • Currently, when you try to use Cheat Engine's "Find out what access/writes to this address", you will crash some Steam games. If you inject the anti-anti-debug DLL into Steam before starting your game of choice, you can actually use the "Find out what access/writes to this address" function within Cheat Engine.

    For the more advanced people, it'll also allow you to use WinDbg / OllyDbg on the steam games that used to crash when using either debuggers.

    If the game has anti-cheat detection (like VAC/PunkBuster) then this DLL will get seen and you will get banned. It does not try to hide itself in any way, shape or form.

    I use this to be able to debug a game to find the more advanced cheats or to find static addresses, which was hard without being able to debug.

    Da_Teach  •  07 Aug

  • Hi, thx 4 this!! I tried injecting into Steam and all, but it did not work (for Deus Ex).

    ch33ch  •  25 Aug

  • Just another question, did u test this with Deus Ex? =) Cuz Deus Ex really closes when "Find out what writes to this address" runs... even injected. Any ideas? If I could help in any way too.

    ch33ch  •  25 Aug

  • I'll look into Deus Ex tomorrow/Sunday; it could be that it uses another method, and it could also be that the injection fails for Deus Ex.

    Da_Teach  •  26 Aug

  • Thank you very much, I'd appreciate that =) if u'd like u can email me

    Cheers

    ch33ch  •  27 Aug

  • I'm sorry 'bout the duplicate msg. Anyway, I was looking into Deus Ex (Olly) and I found an isDebugger text reference (not isDebuggerPresent but only isDebugger) and I checked it out, I cancelled it like nopping the jnz and nothing seemed to happen... but still checking it out...

    ch33ch  •  27 Aug

  • Ok, I got Deus Ex to run in a VMware Win XP and I tried kernel mode and all, and "Find out what writes" makes the game close. I wonder, DBVM in Win XP in VMware... would that work...

    ch33ch  •  28 Aug

  • Ok, DBVM is only for 64-bit... XP 32-bit in this case.

    Tried to inject ur DLL on VMware XP, error on opening the .exe cuz of .NET Framework, idk why it won't install..

    ch33ch  •  28 Aug

  • I've taken a quick look at it and it seems that the game just exits the moment a debugger is attached. It's not the same as the other games and I suspect this utilizes other anti-debugger tricks.

    I'll look into it, I'll start with disabling tricks like isDebuggerPresent, etc. I'll let you know what the outcome is.

    Da_Teach  •  28 Aug

  • Ok, I'll be checking that out also =)

    ch33ch  •  28 Aug

  • Well, I disabled most of the anti-debugger techniques (not all of them though) and it still crashes. I'll find it, if it's the last thing I'll do :)

    Da_Teach  •  29 Aug

  • Nice!
    I support that and would like to help!
    Could u email me where I could search for this also? I'd appreciate it if u do.

    ch33ch  •  30 Aug

  • I tested Deus Ex Steam edition;

    VMware and Win XP kernel mode on Cheat Engine 6.1 did not work,

    I tested on Win 7 64 Cheat Engine 6.1 VEH debugger, did not work, then I started Ollying a bit and I found an isDebugger text reference... still nopped those addresses and nothing, I mean, it did not work... that's for now... I'll be testing further...

    ch33ch  •  30 Aug

  • I got 0 results till now, it still closes, I must find this, still searching... lol

    ch33ch  •  03 Sep

  • Great read. I've had this same issue with an MMORPG I was debugging some time ago.

    Manoer  •  04 Sep

  • I've seen some trainers out there and on ce.org I saw a CE script, so the person must have broken the code... I still haven't,

    ch33ch  •  07 Sep

  • Steam update today also.. lol

    ch33ch  •  07 Sep

  • I have found a way. Just use Win XP or 7 32-bit with debugger mode on CE and use Global Routine checked on...!!!

    ch33ch  •  24 Oct

  • Thanks! I have been trying to hack Borderlands and I was unable to successfully use breakpoints. Injecting your DLL fixed the problem.

    dcx2  •  26 Nov

  • Excellent read, how do you find class objects with Cheat Engine?

    Andrew Dickinson  •  11 Jun

  • Sweet, thanks, it works. I'm using it to hack Magic The Gathering Duels of the Planeswalkers and unlock all the cards in offline mode, which the devs made way too tedious to unlock normally. I'm using Cheat Engine's debugger for it.

    ColacX  •  13 Oct

  • Doesn't work for me with Dark Souls

    anonymous  •  17 Oct

  • If you injected this into Steam, how do u get it back to normal? Get the injected DLL removed from Steam?

    Just close Steam and reopen Steam?

    hawaw  •  20 Oct

  • You guys call this hacking? Whatever happened to networking and breaking into firewalls and boxes?

    Just joking.. any guide on how to learn to hack games? I have little programming experience with VB... is it worth it to learn C++? I have cracking tools but they might be old.. website where I can keep updated?

    Thanks...

    dbr8kr  •  20 Dec

  • There's no real "quick guide to hacking/cracking". To become a skilled (software) reverse engineer (which is basically the start of all hacking), you require knowledge of programming in general and extensive knowledge of assembler code.

    Although IDA's ability to generate C/C++ code from assembler code helps in understanding complex functions, you often have to read raw assembler, and that's a skill which is slowly being lost by today's youth :)

    That said, I do think good knowledge of C/C++ is nice to have, due to the fact that it's one of the languages that's pretty close to assembler and it gives you great insight into "how programs are set up".

    Da_Teach  •  19 Jan

  • Hey Da_Teach,

    thx for this article. I stumbled across this problem while dealing with Themida-protected games and this helped me a lot. I've also noticed that using the VEH debugger in CE would avoid this problem too.

    But I got a problem... could you give me some advice on how to attach OllyDbg after hooking the three functions? :> I mean, if you hook CreateProcessA/W, Olly will fail to attach.

    freitag  •  01 Feb

  • I'm guessing you want to start the game using OllyDBG? You can try OllyDBG plugins like this:
    http://tuts4you.com/download.php?view.3375
    (note I haven't tried that myself)

    Another way would be to just start the game using a loader (which has my DLL loaded, like the Steam platform usually has) and then attach OllyDBG (instead of loading through Olly).

    Da_Teach  •  06 Feb

  • Such an old thread, but I have to comment and thank you and the http://nsylvain.blogspot.com guy for this. I seriously thought an extra thread was checking memory integrity and somehow crashing itself. I'd never have found out that NtSetInformationThread with ThreadHideFromDebugger was doing the trick. Thank you. :)

    CGR  •  23 Jun

  • By the way, what actually calls NtSetInformationThread? The game itself? The steam_api.dll? I couldn't find any of them calling GetProcAddress with "Nt/ZwSetInformationThread", any ideas?

    By the way, I tested with 2 games (including one recently released, Dungeons and Dragons: Chronicles of Mystara, which, btw, brought me up that it is totally emulated with some filters? And they call this HD... tsc tsc...) and it worked perfectly.

    Thank you.

    CGR  •  24 Jun

  • Old thread, I know.

    I just got Borderlands 2, and when I try to attach OllyDbg the game crashes. I have an anti-anti-debugger plugin for Olly, which I hoped would do the trick, but it doesn't. Hence, I stumbled across your blog.

    I downloaded your injector and DLL and read through the code. Well commented, easy to follow. Unfortunately, even after injecting the DLL into Steam, Olly still crashes the game! Has something changed since you released this tool? I can debug using the VEH debugger in CE, but I really want to use Olly!

    Thanks.

    avejidah  •  05 Aug

  • As a follow-up, I don't see Steam using NtSetInformationThread; it seems to use ZwSetInformationThread now. If I set a BP on that function, the ThreadInformationClass parameter is 5 (ThreadImpersonationToken) rather than 17 (ThreadHideFromDebugger).

    Any input is greatly appreciated.

    avejidah  •  05 Aug

  • @avejidah
    I'd have to look into it, I haven't been hacking for a while now. But I'm not aware of ThreadImpersonationToken causing issues too. Though it's a weird flag to set (for a game).

    @CGR
    Only games that use Steam's protection libraries (not entirely sure which one) will set the flag, or at least it looked like that when I wrote this blog.

    Da_Teach  •  07 Aug

  • Dude thanks, you are a life saver :)

    Jake  •  07 Oct
