D4rkAngeL666
Posted December 11, 2009

Dunno if this was already posted, or if it still works; since I've only got a few minutes to stay in front of the PC, I don't have time to test again. Well, here we go.

Even though Gameguard has been removed from Aion's launch, some parts of its protection remain. For instance, when you try to run OllyDbg, Aion immediately exits. This guide will demonstrate one simple way to prevent that from happening. Ultimately, I aim to also remove Aion's anti-breakpoint code and all other anti-debugging code.

This guide assumes that you have the following software:

* OllyDbg
* AionPauser (written by myself in C#; download binary+source)

Without further ado...

Step 1 - Run Aion and (preferably) wait until you get to the login screen.

Step 2 - Run AionPauser.exe and press space or otherwise suspend all of Aion's threads. This works because Aion's anti-cheat code runs entirely within its own process. Suspending all threads ensures that Aion can do _not shit_ against us. Leave AionPauser running - you will need it later to resume.

Step 3 - Run OllyDbg and attach to Aion's process (default is AION.bin). You will get messages informing you that AION.bin, CrySyste.dll, and Game.dll are packed. Just hit OK for all of them. Now, feel mildly satisfied that Aion hasn't shut down while OllyDbg is running and attached. Of course, Aion is still paused and we can't learn much from debugging a paused process! If we were to unpause now, Aion would almost immediately notice OllyDbg and shut down as before.

Interjection - Now, thinking time. How was Aion detecting OllyDbg? It turns out that it uses several really, really commonplace and well-documented methods. One of which is the dumb-shit Win32 API, IsDebuggerPresent. So let's set a breakpoint on that API.

Step 4 - Pressing CTRL+G in OllyDbg will open up the "Enter expression to follow" window. Type "IsDebuggerPresent" and hit enter. Press F2 to set a breakpoint on the function address that you jump to.

Step 5 - Resume all threads by hitting space in AionPauser. Press F9 in OllyDbg to allow Aion to run. Smile as OllyDbg catches the IsDebuggerPresent breakpoint shortly after resuming.

Step 6 - In the title bar of OllyDbg's CPU/debugging window (i.e. NOT OllyDbg's main window), you will see what thread IsDebuggerPresent was called on. Select View>Threads and _KILL_ the thread that was calling IsDebuggerPresent. By doing so, we've terminated the thread that was running anti-debugger code.

Conclusion - Now Aion is running while OllyDbg is attached! Sadly, if you set a breakpoint, and the breakpoint is caught, Aion will crash.

ALL:

* Reverse the anti-breakpoint code
* Automate everything

This info was posted by Guturrul.