Rumble Fighters Anti-Anti-Debug

[raheem51]

I don't get this.
First, you might think I'm retarded.
Second of all, no one has hacked Rumble Fighter before.
Third of all, I found a way how, but I can attach the debugger:
1. Find the address
2. Find what writes it
3. Inject a code so instead of losing HP, you get HP form getting hit O_O
4. There ya go!
Can someone please help me?
I'm a noob.
Lol
LOOK! ITS THE BEGGAR!

[JiaSen]

You can get banned from the forum from saying that?

[XDLuisXD]

oooo, Nice

[OMGZorz]

WHA DA FOOK? imma wait till someone releases a cilent...jeez..


stop stalking me luis. =) ******.

[ElDorado]

Nice, nice.

[darkninja569]

Quote:

Originally Posted by Fovea

Disclaimer: This article is for the technically inclined. Specifically, those who are amateur reversers/memory editers. If you have no idea what those two previous terms mean, then this is not an article for you.

The Problem: Those that have tried to debug/reverse Rumble Fighters would know, that loading Rumble Fighters in your debugger would cause Rumble Fighters to terminate after the OGPlanet logo dissapears.

Explanation: Rumble Fighters employs one simple anti-debug trick. When your debugger loads the process, the debugger writes entries into a structure called the Process Environment Block. One of those entries is called BeingDebugged (Boolean). Now, just how does Rumble Fighters access the PEB? Rumble Fighters employs two methods. One is calling the API IsDebuggerPresent. The other is a custom function that does the exact same thing as IsDebuggerPresent. So, the most logical way to bypass this trick is to change BeingDebugged. Now, how would one access BeingDebugged?

Code:

 
mov eax, dword ptr fs:[0x18]
mov eax, dword ptr ds:[eax+0x30]
movzx eax, byte ptr ds:[eax+0x2]

Let's examine. The fs:[0x18] refers you to a data structure called the Thread Information Block. Thus, the first line is getting the address of the TIB (One entry inside the TIB is the address of the TIB, aka 0x18). Inside the TIB, at the 30th byte, resides the pointer to the PEB. The second line tells you the address of the PEB. The third line gets the value of BeingDebugged. It is the byte at 0x2 of the PEB. Rumble Fighters checks the value of BeingDebugged, to see if its one. If it is, Rumble Fighters will close itself.

Solution: Luckily, many members of the reversing community have made plugins for most of your favorite debuggers. Search for IsDebuggerPresent bypass plugins/PEB patching plugins. If you absolutely cannot find a plugin for IsDebuggerPresent/PEB patching, you can write your own.

Code:

 
IsDebuggerPresent+0x9:
mov byte ptr ds:[eax+2], 0
xor eax, eax
retn

Code:

 
IsDebuggerPresent+0x9:
db: C6 40 02 00 33 C0 C3

This works because IsDebuggerPresent is called before the custom function. This way we only need to hook the API, because the API changes the value of BeingDebugged. The first example is what you would inline/assemble into a DLL. The second is compatible with Cheat Engine. Make sure to change the memory before Rumble Fighters runs.

Happy Reversing!
Shoutout to Jonyleeson.

and you told me that debugger had nothing to do with this? I'm confuse =-=

[DIEISAIDIE]

Quote:

Originally Posted by darkninja569

and you told me that debugger had nothing to do with this? I'm confuse =-=

Welcome to the club man <_<.

[darkninja569]

I was just wondering how he insults me for not knowing shit when I posted the right information. ugh w.e

[OMGZorz]

Can someone do this, then upload a cilent? :D

[raheem51]

I shall donate 500 points to one who can translate this for a 7th grader!!

Thank you... :)

Name it: Rumble Fighter's Anti-Anti-Debug (Easy)