Game closes on any type of breakpoint. (Steam x64dbg) #137

Open
function2 opened this issue Dec 6, 2021 · 5 comments

Comments

@function2

I'm trying to hack an "AAA" game called Sekiro (Steam Activision game). I've hacked over 20 games in the past to produce fun results, but this one has me stumped with its anti-debug.

I can change memory to modify variables in game, so some hacks will work, but without breakpoints I can't do anything fun or automate it.

I have compiled both x64dbg and ScyllaHide from source with MSVS 2019. Then copied the appropriate files to the correct directory.
When I use ScyllaHide I do:

  1. Plugins -> ScyllaHide -> Attach process (sekiro.exe)
  2. Plugins -> ScyllaHide -> Inject DLL (add HookLibraryx64.dll)

Is this correct?

The log in x64dbg says:
Thread 400C created, Entry: sekiro.00000001423A1C34
Thread 400C exit
[ScyllaHide] DLL entry point (DllMain) RVA 31A4!
[ScyllaHide] Starting Normal DLL Injection!
[ScyllaHide] DLL INJECTION: Injection of C:\Users\Michael\Downloads\x64mods\x64dbg\bin\x64\plugins\HookLibraryx64.dll successful, Imagebase 0000000006BB0000
Thread 2624 exit

I tried all sorts of different profiles, nothing works. Some sites say steam games inject something on startup that is irreversible?? So I have to somehow preempt steam when it launches the game?

If I try to hit "Apply" in ScyllaHide I get EXCEPTION_ACCESS_VIOLATION:
[ScyllaHide] Hook injection successful, image base 00000000098A0000
EXCEPTION_DEBUG_INFO:
dwFirstChance: 1
ExceptionCode: C0000005 (EXCEPTION_ACCESS_VIOLATION)
ExceptionFlags: 00000000
ExceptionAddress: 0000000031B931C0
NumberParameters: 2
ExceptionInformation[00]: 0000000000000008 DEP Violation
ExceptionInformation[01]: 0000000031B931C0 Inaccessible Address
First chance exception on 0000000031B931C0 (C0000005, EXCEPTION_ACCESS_VIOLATION)!

@Mattiwatti
Member

Hi,

When I use ScyllaHide I do:

Plugins -> ScyllaHide -> Attach process (sekiro.exe)
Plugins -> ScyllaHide -> Inject DLL (add HookLibraryx64.dll)
Is this correct?

Only the first of these is needed. The "inject DLL" button is only for, well, injecting DLLs (not including HookLibraryXX.dll, which ScyllaHide will inject on its own if needed). It is a fairly infrequently (if ever) used feature of ScyllaHide and does not accomplish anything that injecting via e.g. Process Hacker does not also do.

Is there any reason why you must attach to a running process, as opposed to starting the process from within x64dbg? Attaching to a running process has some downsides, the most serious of which is that it is not possible to undo any ThreadHideFromDebugger calls by the process that have already happened. When this is the case you will tend to get "weird" (for lack of a better term) crashes, because they involve things being done by threads that the debugger does not even know exist.

@function2
Author

Is there any reason why you must attach to a running process, as opposed to starting the process from within x64dbg?

Because the game closes itself and has steam re-open it. It must have steam run.

I also want to debug a Denuvo anti-tamper game. I'm sure that will be a pain, as it makes you run an admin service.

@mrexodia
Member

mrexodia commented Jan 22, 2022

To not restart, put steam_appid.txt with the appid inside in the working directory. With this you can also start the exe directly without going through steam.

Alternatively you can set up GFlags to automatically start the process in x64dbg when you launch it via steam.

You can also modify the entry point to EBFE and attach that way.
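The GFlags route mentioned above works by writing a "Debugger" value under the Image File Execution Options (IFEO) key for the executable's name; Windows then starts that debugger with the game as its command line, whoever launches the game (Steam included). The PowerShell below is an added example, not code from x64dbg, ScyllaHide or anyone in this thread. It sets, lists and removes such an entry directly. The x64dbg path and the function names are assumptions; the image name must be the bare file name, not a path. Because the entry is machine-wide and the same value is a well-known persistence trick, the listing function is there so you can confirm the entry is gone when you are done.

```powershell
# Added example (not from the x64dbg/ScyllaHide project): manage the IFEO
# "Debugger" value that GFlags writes when you fill in its Debugger field.
# The x64dbg path used in the usage lines is an assumption; adjust it.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Set-IfeoDebugger {
    param(
        [Parameter(Mandatory)] [string] $ImageName,    # e.g. 'sekiro.exe' (file name only)
        [Parameter(Mandatory)] [string] $DebuggerPath  # e.g. 'C:\x64dbg\release\x64\x64dbg.exe' (assumed)
    )
    if (-not (Test-Path -LiteralPath $DebuggerPath)) {
        throw "Debugger not found: $DebuggerPath"
    }
    $key = Join-Path $IfeoRoot $ImageName
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Quote the path: Windows launches "<Debugger> <original command line>",
    # so a path containing spaces would otherwise be split.
    Set-ItemProperty -LiteralPath $key -Name 'Debugger' -Value ('"{0}"' -f $DebuggerPath)
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory)] [string] $ImageName)
    $key = Join-Path $IfeoRoot $ImageName
    if (Test-Path -LiteralPath $key) {
        Remove-ItemProperty -LiteralPath $key -Name 'Debugger' -ErrorAction SilentlyContinue
    }
}

function Get-IfeoDebuggers {
    # Lists every image name that currently has a Debugger value. Run it after a
    # session to confirm nothing was left behind; an entry you did not create
    # points at something else hijacking process launches on this machine.
    Get-ChildItem -LiteralPath $IfeoRoot | ForEach-Object {
        $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg }
        }
    }
}

# Usage (from an elevated PowerShell, since the key lives under HKLM):
# Set-IfeoDebugger -ImageName 'sekiro.exe' -DebuggerPath 'C:\x64dbg\release\x64\x64dbg.exe'
# ... launch the game through Steam; x64dbg comes up with the game as its debuggee ...
# Get-IfeoDebuggers
# Remove-IfeoDebugger -ImageName 'sekiro.exe'
```

With the entry in place the game never runs un-debugged, which is what lets the debugger see the process before any ThreadHideFromDebugger calls happen; with the steam_appid.txt trick you do not need it, but it is the option that still works when the launcher insists on starting the exe itself.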

@mrexodia
Member

Also don't forget about https://github.com/atom0s/Steamless

@function2
Author

Well, I used the steam_appid.txt and can start the .exe from the debugger. I was able to set a hardware breakpoint and find the relevant code, but when I hit start again it crashes. This will be difficult getting only one hit. I'll try messing with options in ScyllaHide.

3 participants