^ Like I said several times so far, but I guess NO ONE READS: RockStar uses the protection Blizzard used in the first few versions for StarCraft 2 (or still uses)!
That is a code mutator whose name I've never heard so far, with several forms of anti-debug: anti-attach, IsDebuggerPresent and other debugger detection tricks, spliced SEHs that trigger various exception types to exactly trap debuggers (hence your crash on F5 in CE) - also known as "nanomites", come to think of their functionality - and, perhaps (not verified, but somewhat confirmed by various posts), memory integrity checks, timed or not, on just SOME portions of code (not the whole code). In StarCraft 2 this was done on the ASM accessing resources and unit health, so if you hooked those spots, you'd crash instantly or after a little while. Oh, and most were occurring when you loaded or unloaded a map. From testing, I see the same shit happens with RDR2 (if you hit Story at the main menu, that's when the SEHs hit). If you still have SC2 installed, open up Battle.net.dll in x64dbg and have a little trace through it. You'll see the 98% similarity in how the code runs and how it looks.
Here's an example of SEH designed to crash your ass, directly from RDR2 itself:
Code:
00007FF72D49FCB5 | 0F0B | UD2 | UD2 exception
00007FF72D49FCB7 | E9 F64B41FF | JMP rdr2.7FF72C8B48B2 |
00007FF72C8B48B6 | 48:8D6424 08 | LEA RSP,QWORD PTR SS:[RSP+8] |
00007FF72C8B48BB | 48:8B05 023CB1FF | MOV RAX,QWORD PTR DS:[<&RtlRemoveVectoredExceptionHandler>] |
00007FF72C8B48C2 | E9 28A28B00 | JMP rdr2.7FF72D16EAEF |
00007FF72D16EAEF | 48:8B55 70 | MOV RDX,QWORD PTR SS:[RBP+70] |
00007FF72D16EAF3 | 52 | PUSH RDX |
00007FF72D16EAF4 | 59 | POP RCX |
00007FF72D16EAF5 | 55 | PUSH RBP |
00007FF72D16EAF6 | E9 62231300 | JMP rdr2.7FF72D2A0E5D |
00007FF72D2A0E5D | 48:8D2D 53454DFF | LEA RBP,QWORD PTR DS:[7FF72C7753B7] |
00007FF72D2A0E64 | 48:872C24 | XCHG QWORD PTR SS:[RSP],RBP |
00007FF72D2A0E68 | FFE0 | JMP RAX |
00007FFFC84E0DF0 | 33D2 | XOR EDX,EDX | RtlRemoveVectoredExceptionHandler
Many others like these are spliced across the game/protector code. And no, they're not in some thread that you can kill off easily.
But sure, no one will pay too much attention to this shit since there are trainers out there, you can use CE with a few tricks to debug, and so on. No one around here is interested in reversing; just gamehacking (by any means; when the means are met, the reversing part becomes white noise) and playing.
P.S.: NO, there's no Denuvo or VMProtect or some other shit you read on the internet and just like to assume about. The game's DRM-free.
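The listing above is one instance of a pattern: a UD2 (bytes 0F 0B) that raises an illegal-instruction exception for the game's vectored handler, immediately followed by a JMP rel32 (E9) to wherever the handler resumes. If you want to find the other copies the post says are spliced through the binary, a raw-byte scan for that pair is a quick first pass. The script below is an added example, not code from the post's author or from the game; it assumes only the standard x86-64 encodings (UD2 = 0F 0B, JMP rel32 = E9 + signed 32-bit displacement relative to the next instruction) and embeds a constructed buffer built around the seven bytes shown in the listing, so it runs offline. In practice you would feed it a code section dumped from x64dbg and the section's base address.

```python
import struct

UD2 = b"\x0f\x0b"          # x86-64 UD2: raises #UD, the trap the handler catches
JMP_REL32 = 0xE9           # JMP rel32 opcode
TRAMPOLINE_LEN = 2 + 5     # UD2 (2 bytes) + JMP rel32 (5 bytes)
MASK64 = (1 << 64) - 1


def decode_jmp_target(code: bytes, jmp_off: int, base: int) -> int:
    """Resolve the absolute target of the JMP rel32 at code[jmp_off].

    rel32 is signed and relative to the end of the 5-byte JMP, exactly
    how x64dbg shows 'JMP rdr2.7FF72C8B48B2' for 'E9 F64B41FF'.
    """
    (rel,) = struct.unpack_from("<i", code, jmp_off + 1)
    next_ip = base + jmp_off + 5
    return (next_ip + rel) & MASK64


def scan_ud2_trampolines(code: bytes, base: int) -> list[tuple[int, int]]:
    """Return (ud2_address, jmp_target) for every UD2 + JMP rel32 pair.

    This is a raw-byte scan, not a disassembly: 0F 0B can also occur inside
    another instruction's encoding, so treat hits as candidates and confirm
    each one in the debugger before setting a breakpoint on it.
    """
    hits = []
    i = 0
    while i + TRAMPOLINE_LEN <= len(code):
        if code[i:i + 2] == UD2 and code[i + 2] == JMP_REL32:
            hits.append((base + i, decode_jmp_target(code, i + 2, base)))
            i += TRAMPOLINE_LEN
        else:
            i += 1
    return hits


def format_hits(hits: list[tuple[int, int]]) -> list[str]:
    """Render hits in x64dbg's 16-hex-digit address style, one line each."""
    return [f"{addr:016X} | UD2 ; JMP -> {target:016X}" for addr, target in hits]


# Constructed sample: NOP padding around the exact bytes from the listing
# (0F 0B E9 F6 4B 41 FF at 00007FF72D49FCB5), plus a lone UD2 with no JMP
# after it, which must NOT be reported.  (Assumed layout, not a real dump.)
PAD = b"\x90" * 8
SAMPLE_CODE = PAD + bytes.fromhex("0F0BE9F64B41FF") + PAD + UD2 + PAD
SAMPLE_BASE = 0x7FF72D49FCB5 - len(PAD)


if __name__ == "__main__":
    for line in format_hits(scan_ud2_trampolines(SAMPLE_CODE, SAMPLE_BASE)):
        print(line)
```

Once you have the candidate list, set breakpoints on the JMP targets rather than on the UD2 bytes themselves: a breakpoint on the UD2 changes the very exception the protector is waiting for, which is how these traps catch you in the first place.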