
Does anyone know how to bypass TDU's anti-debug protection


32qYVQdH

I'm unsure where to post this, but I can't find much of anything online, seeing as this place has probably the largest amount of modders for this game, maybe someone here knows something.

I tried using Pix a while back to try to capture DirectX calls. The game calls a function to tell Pix it doesn't want to be captured, but that's easily patched; however, it creates/allocates a bunch of surfaces (it's been a while, I don't remember well) and then Pix says it's running out of memory (it's not, but I guess this is a 32-bit program also, maybe it hit 4GB). Bypassing those allocations makes the game crash. I also tried another graphical "debugger", Apitrace, and it also just straight up crashes.

And now I've tried using the code filter function in Cheat Engine to try to find the code responsible for traffic swerving off the road when it thinks you're gonna hit it, and once again it just straight up crashes. It's definitely anti-debug, since it happens when CE sets up software breakpoints; also, the place where the exception happens isn't code and the last value on the stack is the address of IsDebuggerPresent. Anyway, long story short, the game definitely obfuscates things and has a bunch of calls to IsDebuggerPresent (or even one to CreateToolhelp32Snapshot, which I don't know a reason TDU would need to call if not for anti-debug), and most likely some sort of checksum (probably checking for software breakpoints replacing calls or at the beginning of functions).

Does anyone know an easy way to bypass any of that? (I could probably bypass some of it, but I've got little experience aside from lazy anti-debug only calling IsDebuggerPresent once; I don't want to waste hours unnecessarily and I'm lazy.) Did anyone manage to get a capture of TDU in Pix or some other graphical debugger, or is there a beta/patched exe without all that crap that I can use to find what I want in the game's code?

Edited by 32qYVQdH

Hey 32qYVQdH!

You've come to the right place. I guess Turboduck is the only remaining big TDU community and is the home of a lot of top-tier modders.

On 6/19/2024 at 9:31 PM, 32qYVQdH said:

and then Pix says it's running out of memory (it's not, but I guess this is a 32-bit program also, maybe it hit 4GB)

I think I had the same problem and you indeed need the https://ntcore.com/4gb-patch/. You can read up on the background, but the TLDR is that otherwise the game can only allocate 1.5 GiB of virtual address space. And PiX has an overhead, while TDU has certainly been trimmed to ride exactly the 1.5 GiB border. What you can also do is inspect the capture using the 64-bit PiX application and/or try to 4GB-patch the 32-bit one; I think that was also a problem.

FWIW, TDU contains the shaders as blobs in the application, whereas TDU2 has dedicated .sob files. Furthermore, static analysis will help you understand TDU1's rendering, whereas TDU2 uses some Xbox-derived command list abstraction where it builds a linked list of "commands" that are then implemented by some backend that polls the list.

 

On 6/19/2024 at 9:31 PM, 32qYVQdH said:

also the place where the exception happens isn't code and the last value on the stack is the address of IsDebuggerPresent,

Probably not the case here, but remember that asserts kind of compile to:

#include <windows.h>

// Sketch of what an assert failure in a debug build expands to:
// only trap into the debugger when one is actually attached.
if (IsDebuggerPresent()) {
  __asm int 3; // MSVC inline asm; maybe there's a WinAPI function for that too (DebugBreak() is the equivalent)
}

Actually, that's probably a giveaway for you of where anti-debug resides anyway, so you can get rid of it.

 

On 6/19/2024 at 9:31 PM, 32qYVQdH said:

Does anyone know an easy way to bypass any of that?

Cracks. Since the game is abandonware, there's probably no legit (i.e. requiring activation) version floating around anymore anyway, and depending on the crack (maybe there's multiple "vendors") they may have removed the DRM protection more or less.

 

On 6/19/2024 at 9:31 PM, 32qYVQdH said:

from lazy anti-debug only calling IsDebuggerPresent once, I don't want to waste hours unnecessarily and I'm lazy

Could just hook it to "return false", but yeah, there are a lot more anti-debug techniques.

Besides that, do a lot of static analysis and maybe try to fiddle with some less mainstream functions. Generally, DRM will only try to monitor protection-worthy functions, as everything else would become too expensive.
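The 4GB patch the reply above links to works by setting one bit in the PE file header, the IMAGE_FILE_LARGE_ADDRESS_AWARE flag in the COFF Characteristics field, which is what lets a 32-bit image use more of its address space. As an added example that is not code from this thread or from the 4GB patch itself, here is a small Python checker that reads that flag from an image on disk, so you can verify whether a given exe has already been patched; the stub header it parses in the test is constructed inline and is not a loadable image.

```python
import struct

# PE COFF file header Characteristics bits (from the PE/COFF specification)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020  # the bit the 4GB patch sets
IMAGE_FILE_32BIT_MACHINE = 0x0100


def pe_characteristics(image: bytes) -> int:
    """Return the COFF Characteristics word of a PE image given as bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header after the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)  -> Characteristics at +18
    (characteristics,) = struct.unpack_from("<H", image, e_lfanew + 4 + 18)
    return characteristics


def is_large_address_aware(image: bytes) -> bool:
    """True if the image may be given user address space above 2 GiB."""
    return bool(pe_characteristics(image) & IMAGE_FILE_LARGE_ADDRESS_AWARE)


def check_file(path: str) -> bool:
    """Report whether the executable at `path` carries the 4GB-patch flag."""
    with open(path, "rb") as f:
        return is_large_address_aware(f.read())


def build_stub_pe(characteristics: int) -> bytes:
    """Constructed DOS stub + PE signature + COFF header for testing only."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, zeroed timestamp/symbol fields, 0xE0 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff
```

On a real file, call check_file("game.exe"); an unpatched 32-bit image returns False and a 4GB-patched one returns True.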
