
Does anyone know how to bypass TDU's anti-debug protection


32qYVQdH


I'm unsure where to post this, but I can't find much of anything online. Seeing as this place has probably the largest number of modders for this game, maybe someone here knows something.

I tried using Pix a while back to try to capture DirectX calls. The game calls a function to tell Pix it doesn't want to be captured, but that's easily patched; however, it creates/allocates a bunch of surfaces (it's been a while, I don't remember well) and then Pix says it's running out of memory (it's not, but I guess this is a 32-bit program, so maybe it hit 4GB). Bypassing those allocations makes the game crash. I also tried another graphical "debugger", Apitrace, and it also just straight up crashes.

And now I've tried using the code filter function in Cheat Engine to try to find the code responsible for traffic swerving off the road when it thinks you're going to hit it, and once again it just straight up crashes. It's definitely anti-debug, since it happens when CE sets up software breakpoints; also, the place where the exception happens isn't code, and the last value on the stack is the address of IsDebuggerPresent. Anyway, long story short, the game definitely obfuscates things and has a bunch of calls to IsDebuggerPresent (or even one to CreateToolhelp32Snapshot, which I don't know a reason TDU would need to call if not for anti-debug), and most likely some sort of checksum (probably checking for software breakpoints replacing calls or at the beginning of functions).

Does anyone know an easy way to bypass any of that? (I could probably bypass some of it, but I've got little experience aside from lazy anti-debug that only calls IsDebuggerPresent once; I don't want to waste hours unnecessarily, and I'm lazy.) Did anyone manage to get a capture of TDU in Pix or some other graphical debugger, or is there a beta/patched exe without all that crap that I can use to find what I want in the game's code?

Edited by 32qYVQdH

Hey 32qYVQdH!

You've come to the right place. I guess Turboduck is the only remaining big TDU community and is the home of a lot of top-tier modders.

On 6/19/2024 at 9:31 PM, 32qYVQdH said:

and then Pix says it's running out of memory (it's not, but I guess this is a 32-bit program, so maybe it hit 4GB)

I think I had the same problem, and you indeed need the https://ntcore.com/4gb-patch/. You can read up on the background, but the TLDR is that otherwise the game can only allocate 1.5 GiB of virtual address space. And PIX has an overhead, while TDU certainly had been trimmed to ride exactly the 1.5 GiB border. What you can also do is inspect the capture using the 64-bit PIX application and/or try to 4GB-patch the 32-bit one; I think that was also a problem.

FWIW TDU contains the shaders as blobs in the application, whereas TDU2 has dedicated .sob files. Furthermore, static analysis will help you understand TDU1's rendering, whereas TDU2 is using some Xbox-derived command-list abstraction where it's building a linked list of "commands" that are then implemented by some backend that polls the list.


On 6/19/2024 at 9:31 PM, 32qYVQdH said:

also the place where the exception happens isn't code, and the last value on the stack is the address of IsDebuggerPresent,

Probably not the case here, but remember that asserts kind of compile to:

if (IsDebuggerPresent()) {
  __asm int 3; // maybe there's a WinAPI function for that too
}

Actually, that's probably a giveaway for you of where the anti-debug resides anyway, so you can get rid of it.


On 6/19/2024 at 9:31 PM, 32qYVQdH said:

Does anyone know an easy way to bypass any of that?

Cracks. Since the game is abandonware, there's probably no legit (i.e. requiring activation) version floating around anymore anyway, and depending on the crack (maybe there are multiple "vendors") they may have removed the DRM protection more or less.


On 6/19/2024 at 9:31 PM, 32qYVQdH said:

from lazy anti-debug that only calls IsDebuggerPresent once; I don't want to waste hours unnecessarily, and I'm lazy

You could just hook it to "return false", but yeah, there are a lot more anti-debug techniques.

Besides that, do a lot of static analysis and maybe try to fiddle with some less mainstream functions. Generally, DRM will only try to monitor protection-worthy functions, as everything else would become too expensive.

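What the two mechanisms this reply points at look like from the protection author's side, as an added C example that is not code from the thread, from TDU or from any named product: the assert-style debugger check, and a checksum over a function's bytes that fails once a software breakpoint (0xCC) has been written into it. The byte buffer is a constructed stand-in for a code region, `debugger_attached` only calls IsDebuggerPresent when built for Windows, and the FNV-1a hash is an assumed choice of cheap checksum.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Assert-style check as described in the reply: true when a debugger is
 * attached.  Uses IsDebuggerPresent on Windows; there is no such API
 * elsewhere, so this portable stand-in reports "no debugger" (assumption). */
static int debugger_attached(void)
{
#ifdef _WIN32
    return IsDebuggerPresent() != 0;
#else
    return 0;
#endif
}

/* FNV-1a over a byte range: the kind of cheap integrity checksum a program
 * can take over its own functions at startup and re-check later.  Unlike a
 * raw scan for 0xCC bytes, it does not false-positive on a legitimate 0xCC
 * that happens to sit inside an immediate operand. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Returns 1 if the region's checksum still matches the recorded one. */
static int region_intact(const uint8_t *code, size_t n, uint32_t expected)
{
    return fnv1a(code, n) == expected;
}

/* Constructed x86 bytes (not taken from the game):
 * push ebp; mov ebp,esp; call rel32; pop ebp; ret */
static const uint8_t k_good[] = {
    0x55, 0x8B, 0xEC, 0xE8, 0x10, 0x00, 0x00, 0x00, 0x5D, 0xC3
};

/* Simulates what a software breakpoint does to the region: copies it and
 * overwrites the byte at `off` (here the CALL opcode 0xE8) with INT 3. */
static void apply_breakpoint(uint8_t *dst, const uint8_t *src, size_t n, size_t off)
{
    memcpy(dst, src, n);
    if (off < n)
        dst[off] = 0xCC;
}

/* Records the checksum of the pristine region, then checks a pristine and a
 * patched copy.  Returns 1 when the pristine copy passes and the patched
 * copy is flagged, which is the behaviour an integrity check should have. */
int demo_integrity_check(void)
{
    uint32_t expected = fnv1a(k_good, sizeof k_good);
    uint8_t patched[sizeof k_good];
    apply_breakpoint(patched, k_good, sizeof k_good, 3);

    int pristine_ok = region_intact(k_good, sizeof k_good, expected);
    int patched_ok  = region_intact(patched, sizeof k_good, expected);
    return pristine_ok && !patched_ok;
}

int main(void)
{
    if (debugger_attached())
        puts("debugger attached (an assert would break here)");
    printf("integrity check flags the 0xCC patch: %s\n",
           demo_integrity_check() ? "yes" : "no");
    return 0;
}
```

The second half is why a patch that removes one check and leaves another in place tends to crash on startup rather than run: the surviving checksum sees the modified bytes. It is also the mirror image of the Cheat Engine problem later in the thread: a plain `cmp` against 0xCC cannot tell a breakpoint from a data byte, just as a disassembler cannot always tell a CALL opcode from a data byte that merely looks like one.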

  • 3 months later...

Sorry for replying so late; this account was a throwaway because I kind of expected not to get any answers, so thank you for answering!

On 6/21/2024 at 4:29 PM, MeFisto94 said:

I think I had the same problem, and you indeed need the https://ntcore.com/4gb-patch/. You can read up on the background, but the TLDR is that otherwise the game can only allocate 1.5 GiB of virtual address space. And PIX has an overhead, while TDU certainly had been trimmed to ride exactly the 1.5 GiB border. What you can also do is inspect the capture using the 64-bit PIX application and/or try to 4GB-patch the 32-bit one; I think that was also a problem.

FWIW TDU contains the shaders as blobs in the application, whereas TDU2 has dedicated .sob files. Furthermore, static analysis will help you understand TDU1's rendering, whereas TDU2 is using some Xbox-derived command-list abstraction where it's building a linked list of "commands" that are then implemented by some backend that polls the list.

So as it turns out the 32-bit 4GB thing wasn't the issue; the issue may be in part because my GPU only has 1GB of VRAM, but mostly because I'm stupid.

Whenever I tried PIX, in the "What information do you want to gather?" part I only ever selected "A single-frame capture of Direct3D whenever F12 is pressed", and while trying to debug the crash one time I think I selected "Statistics for each frame, using counterset:". I also used "A replayable Direct3D call stream, saved to file" and it works just fine, except I can't really debug the file it gives me, because when I click to another frame or call to inspect it, it starts recalculating/redrawing frames from the beginning to know the state of the call I want, and it takes a good 30s or even minutes.

Also I seem to (maybe mis)remember having the game crash in a loop where it creates a bunch of surfaces, so the VRAM is probably it; the single-frame capture has to store the "integral" of the draw calls, so it probably uses more memory (and I guess VRAM especially).

Also, for anyone reading this, I used PIX from the Microsoft DirectX SDK (March 2009) (can't be bothered to find a link). The game doesn't want to be debugged, so it calls D3DPERF_SetOptions, which can be easily bypassed ( https://coherent-labs.com/posts/debugging-undebuggable-applications-with-pix/ ).


On 6/21/2024 at 4:29 PM, MeFisto94 said:

Probably not the case here, but remember that asserts kind of compile to:

if (IsDebuggerPresent()) {
  __asm int 3; // maybe there's a WinAPI function for that too
}

Actually, that's probably a giveaway for you of where the anti-debug resides anyway, so you can get rid of it.

Cracks. Since the game is abandonware, there's probably no legit (i.e. requiring activation) version floating around anymore anyway, and depending on the crack (maybe there are multiple "vendors") they may have removed the DRM protection more or less.

You could just hook it to "return false", but yeah, there are a lot more anti-debug techniques.

Besides that, do a lot of static analysis and maybe try to fiddle with some less mainstream functions. Generally, DRM will only try to monitor protection-worthy functions, as everything else would become too expensive.

Yeah, I found some code like that, patched it out, along with some other stuff I thought looked suspicious (somewhere there was a cmp against 0xCC, the opcode for int 3, which I presumed to be the game checking for breakpoints), and did a really good job, because the patched executable just crashes on startup (probably because I didn't patch all of it and what was left saw that something got patched).

In any case, I managed to find why in that instance CE's code filter made it crash: turns out it doesn't do a good job of identifying calls from the disassembler (which I would've known if I had searched for it).

In my case there was, I think, some weird value that was used as an offset/pointer for a jmp or something and also happened to look like the opcode for a call, so CE put a breakpoint on it, changed the seeming "opcode" to 0xCC, and it made the game crash. It's also not the only "call breakpoint" that makes the game crash, and I got 100k+ call addresses, so needless to say I'm going to need to automate the process (probably cut the address list in half, breakpoint one half, check which half (if not both) gets the game to crash before reaching a certain address, and repeat until it zeroes in on every wrong address), and I thought I would do it later, which turns out to be more than the (almost) 4 months since I posted.

Anyway, I was probably paranoid about the game's anti-debug; I (probably) don't even need the code filter to find what I wanted, because I thought of another way to get to it (which I still have yet to try, of course). I figured I should get around to posting eventually even though I haven't gotten further on anything since then. I do plan on releasing something (small, probably) for the game soon™ (as in hopefully someday, if ever).

Edited by 32qYVQdH
typo & added a comma
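The halving procedure sketched in this post, written out as an added C example that is not the poster's code: it is adaptive group testing. Test a whole slice of candidate addresses; if the run survives, every address in the slice is a real call and needs no further attention; if it crashes, split the slice and recurse, until single bad addresses are isolated. `crash_oracle` stands in for "set breakpoints on this slice and see whether the game reaches the checkpoint"; here it is a constructed simulation over 16 addresses with two planted non-call bytes, so the example runs offline and the number of runs it costs can be counted.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Oracle: would the run crash if breakpoints were set on addrs[0..n)?
 * In the real workflow this is one debugger session; here it is simulated. */
typedef int (*crash_oracle)(const uint32_t *addrs, size_t n, void *ctx);

/* Adaptive group testing: one oracle call clears a whole slice; a crashing
 * slice is split in two and each half is tested again.  Bad addresses are
 * appended to `out`; returns how many were found (at most out_cap). */
static size_t isolate_bad(const uint32_t *addrs, size_t n,
                          crash_oracle crashes, void *ctx,
                          uint32_t *out, size_t out_cap)
{
    if (n == 0 || out_cap == 0)
        return 0;
    if (!crashes(addrs, n, ctx))
        return 0;                       /* whole slice is clean */
    if (n == 1) {
        out[0] = addrs[0];              /* isolated one bad address */
        return 1;
    }
    size_t half = n / 2;
    size_t found = isolate_bad(addrs, half, crashes, ctx, out, out_cap);
    found += isolate_bad(addrs + half, n - half, crashes, ctx,
                         out + found, out_cap - found);
    return found;
}

/* --- constructed simulation (not from the thread) --- */
struct sim {
    const uint32_t *bad;    /* addresses whose "call opcode" is really data */
    size_t nbad;
    size_t runs;            /* how many simulated game runs the search cost */
};

/* A slice "crashes" if any planted bad address is in it. */
static int sim_crashes(const uint32_t *addrs, size_t n, void *ctx)
{
    struct sim *s = ctx;
    s->runs++;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < s->nbad; j++)
            if (addrs[i] == s->bad[j])
                return 1;
    return 0;
}

/* Two planted bad addresses among 16 candidates spaced 0x10 apart from 0x401000. */
static const uint32_t k_bad[2] = { 0x00401050u, 0x004010B0u };

/* Runs the search over the constructed candidate list.  Returns how many bad
 * addresses were found, writes them to `out`, and reports the run count. */
size_t demo_isolate(uint32_t *out, size_t out_cap, size_t *runs)
{
    uint32_t cands[16];
    for (size_t i = 0; i < 16; i++)
        cands[i] = 0x00401000u + 0x10u * (uint32_t)i;

    struct sim s = { k_bad, 2, 0 };
    size_t found = isolate_bad(cands, 16, sim_crashes, &s, out, out_cap);
    if (runs)
        *runs = s.runs;
    return found;
}

int main(void)
{
    uint32_t bad[16];
    size_t runs = 0;
    size_t found = demo_isolate(bad, 16, &runs);
    printf("%zu bad address(es) isolated in %zu run(s):\n", found, runs);
    for (size_t i = 0; i < found; i++)
        printf("  0x%08X\n", bad[i]);
    return 0;
}
```

On this toy input the search needs 15 runs to isolate 2 bad addresses out of 16, barely better than testing each one, because the list is tiny. The saving comes with scale: each bad address costs roughly two runs per halving level (about 2·log2(n)), so for a 100k-entry list with a handful of bad entries the cost is tens of runs rather than 100k. One caveat for a real session: the oracle has to be deterministic, so the "certain address" used as the checkpoint must be reached the same way every run, or clean slices will occasionally be reported as crashing and get split needlessly.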
