praydog / REFramework

Scripting platform, modding framework and VR support for all RE Engine games
https://cursey.github.io/reframework-book/
MIT License
2.68k stars, 337 forks

DD2 anti-tamper still traps changes to the exe with latest nightly... #1019

Closed · FransBouma closed this 3 months ago

FransBouma commented 3 months ago

Just an FYI so you can test it: DD2 latest, Steam

DD2.exe+43EBC69 - 74 05                 - je DD2.exe+43EBC70
DD2.exe+43EBC6B - E8 8075F5FF           - call DD2.exe+43431F0
DD2.exe+43EBC70 - 48 8B 5C 24 20        - mov rbx,[rsp+20]
DD2.exe+43EBC75 - 44 89 AE 98000000     - mov [rsi+00000098],r13d
DD2.exe+43EBC7C - 48 85 DB              - test rbx,rbx
DD2.exe+43EBC7F - 74 08                 - je DD2.exe+43EBC89
DD2.exe+43EBC81 - 48 8B CB              - mov rcx,rbx
DD2.exe+43EBC84 - E8 B7BE0100           - call DD2.exe+4407B40
DD2.exe+43EBC89 - 49 8B C7              - mov rax,r15
DD2.exe+43EBC8C - 4C 8B 7C 24 30        - mov r15,[rsp+30]          << RAX now contains the PrimaryCameraAddress
DD2.exe+43EBC91 - 48 8B 7C 24 70        - mov rdi,[rsp+70]
DD2.exe+43EBC96 - 48 8B 5C 24 60        - mov rbx,[rsp+60]
DD2.exe+43EBC9B - 4C 8B 6C 24 40        - mov r13,[rsp+40]
DD2.exe+43EBCA0 - 48 83 C4 50           - add rsp,50 { 80 }
DD2.exe+43EBCA4 - 5E                    - pop rsi
DD2.exe+43EBCA5 - C3                    - ret 
DD2.exe+43EBCA6 - CC                    - int 3 

If you create an interception in Cheat Engine at the specified location, this will create a jmp far, which is a 14-byte jmp instruction. (Memory viewer -> Tools -> Auto assemble -> Template -> AOB injection. After doing that, do File -> Assign to current cheat table and exit the window; don't click Execute.)

If you put a breakpoint on DD2.exe+43EBC89 and then activate the script you just created, you'll be able to break at the given breakpoint, but as soon as you step into the jmp, it'll crash the game.

No ReShade installed.

Tbh, I can imagine you're pretty tired of these Capcom shenanigans, so I won't blame you if you'd close this and take a beer in the sun, but in case you want to get to the bottom of this, this might be a location to start :) I have no idea where to start with the Capcom anti-tamper, otherwise I'd do it myself.

Thanks!

praydog commented 3 months ago

REF does not disable anything other than the integrity checks and the detection of wrapper DLLs, which was semi-intentional.

Do you need the debugger checks removed? There are a lot more checks intact, but I only wanted to remove the relevant ones.

FransBouma commented 3 months ago

> REF does not disable anything other than the integrity checks and the detection of wrapper DLLs, which was semi-intentional. Do you need the debugger checks removed? There are a lot more checks intact, but I only wanted to remove the relevant ones.

The weird thing is, the VEH debugger of CE doesn't trigger it; that works OK. I can use features like 'what addresses does this op code access' etc., which do use the debugger. I can also break at that location without creating the long jmp and step through the code; that works fine...

So that's why I assumed an integrity check caused this crash, as code is changed by inserting a long jmp, which usually suggests external code is injected.

I have no idea how much work it is tbh. If it's doable for you to check which check in the exe is triggered by the long jmp, and it's easy to remove, it would be great if you could remove it. If it's a lot of work, then perhaps not... :)
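As an added illustration for the two observations above (the 14-byte jmp crashing the game in the first comment, and the VEH debugger's breakpoints not tripping anything here), this is a small code-integrity check of the kind the thread suspects is firing. It is example code written for this thread, not REFramework's code and not Capcom's anti-tamper; the region bytes (taken from the listing in the issue), the FNV-1a digest, the addresses and the hardware-breakpoint stand-in are all constructed assumptions. The point it shows: a digest taken over the instruction bytes at load time flags any in-place patch (a 0xCC software breakpoint or a far jmp), but sees nothing when a debug-register breakpoint is used, because that leaves the bytes untouched, which matches what is reported above if the CE VEH debugger is using debug registers rather than 0xCC.

```c
/* Added example for this thread: a minimal byte-level code-integrity check.
   Not REFramework or Capcom code; everything below is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a code region: the epilogue quoted in the issue
   (mov rax,r15 ... ret) followed by int3 padding. A real check would walk the
   mapped .text section instead of a local buffer. */
static uint8_t g_code[32] = {
    0x49, 0x8B, 0xC7,                   /* mov rax,r15 */
    0x4C, 0x8B, 0x7C, 0x24, 0x30,       /* mov r15,[rsp+30] */
    0x48, 0x8B, 0x7C, 0x24, 0x70,       /* mov rdi,[rsp+70] */
    0x48, 0x8B, 0x5C, 0x24, 0x60,       /* mov rbx,[rsp+60] */
    0x4C, 0x8B, 0x6C, 0x24, 0x40,       /* mov r13,[rsp+40] */
    0x48, 0x83, 0xC4, 0x50,             /* add rsp,50 */
    0x5E,                               /* pop rsi */
    0xC3,                               /* ret */
    0xCC, 0xCC, 0xCC                    /* int3 padding */
};

/* FNV-1a 64-bit over a byte range; any single changed byte changes the digest. */
uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

typedef struct {
    const uint8_t *base;
    size_t len;
    uint64_t baseline;   /* digest recorded when the region was sealed */
} region_t;

/* Seal: record the digest of the region as loaded, before any hook is placed. */
region_t region_seal(const uint8_t *base, size_t len) {
    region_t r = { base, len, fnv1a64(base, len) };
    return r;
}

/* Verify: 1 if the bytes still match the sealed digest, 0 if they were modified. */
int region_verify(const region_t *r) {
    return fnv1a64(r->base, r->len) == r->baseline;
}

/* 14-byte absolute jump: FF 25 00 00 00 00 (jmp qword ptr [rip+0]) followed by
   the 8-byte target. This is the size of "jmp far" described in the issue. Writes
   only into the constructed buffer. */
void write_far_jmp(uint8_t *at, uint64_t target) {
    static const uint8_t op[6] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
    memcpy(at, op, sizeof op);
    for (int i = 0; i < 8; i++) at[6 + i] = (uint8_t)(target >> (8 * i));
}

/* Software breakpoint: a single 0xCC replaces the first opcode byte. */
void write_int3(uint8_t *at) { *at = 0xCC; }

/* Hardware breakpoint stand-in (assumption): a debug-register breakpoint records the
   address but never touches the instruction stream, so a byte digest cannot see it. */
typedef struct { const uint8_t *addr; int armed; } hw_bp_t;
hw_bp_t set_hw_breakpoint(const uint8_t *addr) { hw_bp_t b = { addr, 1 }; return b; }

/* Runs the three probes against a sealed region and returns a bitmask of which
   ones the check flagged: bit0 hw breakpoint, bit1 int3, bit2 far jmp, bit3 restored. */
unsigned run_scenario(void) {
    uint8_t saved[sizeof g_code];
    memcpy(saved, g_code, sizeof saved);
    region_t r = region_seal(g_code, sizeof g_code);
    unsigned flagged = 0;

    (void)set_hw_breakpoint(&g_code[0]);            /* bytes unchanged */
    if (!region_verify(&r)) flagged |= 1u;

    write_int3(&g_code[0]);                          /* one byte changed */
    if (!region_verify(&r)) flagged |= 2u;
    memcpy(g_code, saved, sizeof saved);

    write_far_jmp(&g_code[0], 0x7FF600000000ULL);    /* constructed target, 14 bytes changed */
    if (!region_verify(&r)) flagged |= 4u;
    memcpy(g_code, saved, sizeof saved);

    if (!region_verify(&r)) flagged |= 8u;           /* restored bytes verify clean again */
    return flagged;
}

int main(void) {
    unsigned f = run_scenario();
    printf("hw breakpoint flagged: %u\nint3 flagged: %u\nfar jmp flagged: %u\nafter restore flagged: %u\n",
           f & 1u, (f >> 1) & 1u, (f >> 2) & 1u, (f >> 3) & 1u);
    return 0;
}
```

Running it prints that only the int3 and the far jmp are flagged. A real anti-tamper would re-run the verify step periodically from several places (timers, TLS callbacks, inlined copies), which is why the crash in the issue appears some time after the patch is applied rather than at the write itself.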

praydog commented 3 months ago

Nah, I know how to completely neuter it, it's just a question of: how far should I be going for something Capcom is intentionally doing?

And it was better for me to make the removal minimally viable, because removing large parts of it in SF6 resulted in gameplay bugs (chat not working, certain gameplay features not working as intended, etc...), and I didn't wanna test potentially hours into the game if certain gameplay elements were no longer working.

They have debugger timing checks, tls callbacks, obfuscated code, bunch more checks, etc...

FransBouma commented 3 months ago

Completely understandable. Reading this, I'm also not sure I'm willing to spend a couple of full-time days of work making my camera software compatible, only to find out it won't work out because of anti-tamper code either still being there or because it's removed and the game is now broken. Gameplay not working as intended because anti-tamper code isn't executed sure sounds like something they did intentionally...

OK, I can't ask you to remove it because of this, and atm I think the risk is too high to go through with this... a sad state of things, but what can you do. Thanks for your time, as always :) 👍

FransBouma commented 3 months ago

Using Fling's trainer does disable the check apparently... no longer a problem to add the jmp at that location. Hmm. Will see if I can proceed with the trainer being active. It's at least something.

(edit) Spoke too soon, it still crashes. Oh well... was worth a shot.