#1
How to debug a program spawned by another program?
I have one program which spawns a second program. Due to how this stuff all works, running the second program manually is impossible. Is there a way I can load the second program into IDA, run the first program and somehow stop on the second program's entry point or something so I can apply breakpoints and let it continue?
Or is that not possible?
#2
What kind of software is it? What did PEiD say about the main executable?
If you mean Armadillo's debug-blocker, then catch the moment when WriteProcessMemory writes memory at the OEP and put EB FE there. If you mean a simple CreateProcess, then modify the process creation flags to CREATE_SUSPENDED.
The following user gave reputation +1 to Av0id for this useful post: bunion (11-17-2012)
#3
It's for the Origin digital software store.
Origin.exe (the main store program) runs. When you click "play" it starts OriginClientService.exe. This then starts the actual game exe (let's say RenegadeLauncher.exe for one of the exes I am working with). When RenegadeLauncher.exe runs, some unknown form of inter-process communication is done between Origin.exe/OriginClientService.exe and RenegadeLauncher.exe to verify that it's genuine and authorized, and if it is, RenegadeLauncher.exe runs and does its work. If you run RenegadeLauncher.exe directly, it doesn't receive whatever "this is legit" instructions it is looking for and, instead of running, it starts Origin if needed, passes Origin a "play this game" instruction and then terminates (whereupon Origin starts the game as above).
The CREATE_SUSPENDED idea won't work because OriginClientService.exe does not use CreateProcess, it uses ShellExecuteEx.
#4
#5
If it does, it probably passes its arguments via command-line arguments, which you can catch; skip the ShellExecute call and start it on your own.
#6
I checked with Process Explorer and it doesn't seem to pass command-line arguments.
#7
I did some further analysis and it seems to be passing values in environment variables. However, if I set those environment variables to the same values manually, it doesn't work (it gives me an error related to the copy protection and won't start the game).
The programmers at EA have obviously put a lot of work into making it hard to do exactly the thing I am trying to do (get the actual code behind the protection system into a debugger).
#8
OK, sounds like I need to get Origin.exe into the debugger, find a way to get it to launch OriginClientService.exe suspended, get THAT into the debugger, then find a way to get that to launch RenegadeLauncher.exe suspended, and then I can get THAT into the debugger in order to find out what it does (assuming I can locate the correct place to plant a breakpoint to hit the OEP after the copy protection has done its thing).
#9
You could also patch the EP of the last process to EB FE (endless loop), and attach your debugger to the hanging process.
#10
Which game is that?
#11
Didn't you think about using Syser for this specific case?
#12
Nice to see you here
#13
Thanks, the infinite loop trick was just what I needed.
Point the EP to the infinite loop, run the game through Origin, attach with IDA, set breakpoints (in this case on the value used when it jumps to the real EP), set the current IP to the real protection start IP and hit "go".
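The entry-point patch from #9 and #13 in working form, as an added example that is not code from the thread: it parses the PE headers to map AddressOfEntryPoint (an RVA) to a file offset, swaps the first two bytes for EB FE (`jmp $`) and keeps the original bytes so they can be written back once the debugger is attached. The minimal PE32 image built by `build_test_pe()` is constructed for the self-test and is not a real program.

```python
import struct

EB_FE = b"\xEB\xFE"  # x86 `jmp $`: jumps to itself, so the process spins at the EP

def pe_entry_point_offset(data: bytes) -> int:
    """Map AddressOfEntryPoint (an RVA) to a file offset via the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20                                   # IMAGE_OPTIONAL_HEADER
    rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = opt + opt_size
    for i in range(num_sections):
        hdr = sections + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError("entry point RVA not inside any section")

def patch_entry_point(data: bytes) -> tuple:
    """Return (patched image, original EP bytes); keep the originals to restore later."""
    off = pe_entry_point_offset(data)
    return data[:off] + EB_FE + data[off + 2:], data[off:off + 2]

def restore_entry_point(data: bytes, original: bytes) -> bytes:
    """Undo the patch (in a debugger: write these bytes back, then set EIP to the EP)."""
    off = pe_entry_point_offset(data)
    return data[:off] + original + data[off + 2:]

def build_test_pe() -> bytes:
    """Constructed minimal PE32 with one .text section; EP at RVA 0x1010 (file 0x210)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # 1 section, 224-byte opt hdr
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x200, 0, 0, 0x1010)  # ends with AddressOfEntryPoint
    opt += b"\0" * (224 - len(opt))
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x100, 0x1000, 0x200, 0x200)
    sect += b"\0" * (40 - len(sect))
    headers = dos + b"PE\0\0" + coff + opt + sect
    headers += b"\0" * (0x200 - len(headers))
    code = bytearray(b"\x90" * 0x200)
    code[0x10:0x12] = b"\x55\x8B"  # original EP bytes (start of push ebp; mov ebp, esp)
    return headers + bytes(code)
```

The same RVA-to-offset logic applies when the bytes are written into the suspended or hanging process instead of the file; only the write target changes.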
#14
It looks like your game is protected by CD-Cops or something equivalent. You can hook the ShellExecute or CreateProcess function. There are different ways to hook the functions. You can use ApiHooks by EliCZ, Detours by Microsoft or any other libraries. Or you may do it by Poor LaptoniC's method. Create a kernel32.dll and create stub functions which call the original kernel32.dll functions. Only change ShellExecute, GetModuleHandle or any function which will be called first so that you can dump the process. It is bulky and messy, but it works.
#15
You may put a breakpoint on the CreateProcessInternal().