====== Debugging DS3 ======

**Note:** This is for //debugging// and breakpointing. For more information on the //Debug Menu//, a different functionality, see [[https://docs.google.com/document/d/1dYDRQLBI0lQzM41nqTje14YHCVn0wEBxzb2xSJiUc3c/edit | Debug Menu DS3]].

===== Launching the game with a debugger =====

There are two problems when attempting to debug the game. First, you need to make sure the game actually launches when run from a debugger, and second, the game must be unable to detect that it is being debugged.

==== Preventing the game from being restarted ====

The first is simple. Place a `steam_appid.txt` file next to the `DarkSoulsIII.exe` binary containing the appid: 374320. This stops the game from restarting itself to make sure it was launched by Steam.

**Note**: there is a caveat here. If the Steam process is running as a different Windows user than your debugger, the game will still exit immediately and restart. You will need to run the debugger as the same Windows user that Steam is running as to prevent this.

The second is a little trickier and needs some tools to solve.

==== Disabling anti-debug checks ====

The retail version of the game on Steam implements anti-debugging techniques, mostly coming from the Steam Stub itself. The known checks that the game performs are:

  * Check if debug registers were set in a CONTEXT object
  * Check if a debugger is present by looking at the BeingDebugged flag in the PEB
  * Check if a debugger is present by looking at heap validation flags in the PEB
  * Check if a debugger is present by checking whether an exception was handled

All but the last item can be solved using [[https://github.com/x64dbg/ScyllaHide/releases/latest | ScyllaHide]]. Preventing detection of an exception handler depends on the debugger being used and is covered below. To use ScyllaHide to bypass the first three checks you will first need to configure the //scylla_hide.ini// file that came with the distribution.
The entire contents can be replaced with:

<code ini>
[SETTINGS]
CurrentProfile=DS3

[DS3]
DLLNormal=1
DLLStealth=0
DLLUnload=0
NtSetInformationThreadHook=1
NtQueryInformationProcessHook=1
NtCloseHook=1
PebBeingDebugged=1
PebHeapFlags=1
</code>

Then use the CLI tool included with the ScyllaHide distribution to inject the anti-anti-debug DLL into the game process once it has been started under the debugger:

<code>
$ .\InjectorCLIx64.exe DarkSoulsIII.exe .\HookLibraryx64.dll
Loaded VA for NtUserBlockInput = 0x00007FF8070A8450
Loaded VA for NtUserQueryWindow = 0x00007FF8070A1230
Loaded VA for NtUserBuildHwndList = 0x00007FF8070A13B0
Loaded VA for NtUserFindWindowEx = 0x00007FF8070A1DB0
Loaded VA for NtUserGetClassName = 0x00007FF8070A1F50
Loaded VA for NtUserInternalGetWindowText = 0x00007FF8070A1C70
PID : 14328 0x37F8
DLL Path: .\HookLibraryx64.dll
Hook injection successful, image base 00000000001E0000
</code>

**Note**: when you launch the game from the debugger, the //Starting Directory// must be set to the folder containing `DarkSoulsIII.exe`. If the game crashes with an access violation, check this setting first.

Next, configure your debugger to ignore the exceptions the game generates itself, so that the last check (whether an exception was handled by a debugger) does not fire. In WinDbg this is done in the Events/Exceptions settings panel:

{{debug_ds3_1.png}}

You should now be able to //Continue// in your debugger and run the game as if you were debugging it via Cheat Engine.
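The whole setup above, automated from a PowerShell prompt, as an added example. This script is not part of the wiki page or of the ScyllaHide project; the install and tool paths are assumptions you must adjust, the `-IncludeUserName` check needs an elevated prompt, and the final module check assumes a 64-bit PowerShell. It writes `steam_appid.txt`, writes the `scylla_hide.ini` from the page, waits for `DarkSoulsIII.exe` to appear after you start it from your debugger, runs the injector, and then confirms the hook DLL is really mapped in the game instead of trusting the injector's success line.

```powershell
# Added example (not from the wiki page or the ScyllaHide project): automates the
# setup steps above. All paths are assumptions; adjust them to your install.
# Run from the same Windows user that Steam runs as.

$GameDir   = 'C:\Program Files (x86)\Steam\steamapps\common\DARK SOULS III\Game'  # assumed
$ScyllaDir = 'C:\Tools\ScyllaHide'                                                 # assumed
$GameExe   = Join-Path $GameDir 'DarkSoulsIII.exe'

if (-not (Test-Path $GameExe)) { throw "DarkSoulsIII.exe not found in $GameDir" }

# 1. steam_appid.txt next to the binary stops the "relaunch via Steam" restart.
[System.IO.File]::WriteAllText((Join-Path $GameDir 'steam_appid.txt'), '374320')

# 2. scylla_hide.ini from the page, written next to the injector and hook DLL.
$Ini = @'
[SETTINGS]
CurrentProfile=DS3

[DS3]
DLLNormal=1
DLLStealth=0
DLLUnload=0
NtSetInformationThreadHook=1
NtQueryInformationProcessHook=1
NtCloseHook=1
PebBeingDebugged=1
PebHeapFlags=1
'@
[System.IO.File]::WriteAllText((Join-Path $ScyllaDir 'scylla_hide.ini'), $Ini)

# 3. Wait for the game to be started under the debugger (initial break), then inject.
Write-Host "Start DarkSoulsIII.exe from your debugger now (Starting Directory = $GameDir)..."
$Deadline = (Get-Date).AddSeconds(120)
do {
    $Game = Get-Process -Name 'DarkSoulsIII' -ErrorAction SilentlyContinue
    if (-not $Game) { Start-Sleep -Milliseconds 500 }
} until ($Game -or (Get-Date) -gt $Deadline)
if (-not $Game) { throw 'Game process did not appear within 120 s' }

# Check the "same Windows user as Steam" caveat; -IncludeUserName needs elevation.
try {
    $SteamUser = (Get-Process -Name 'steam' -IncludeUserName -ErrorAction Stop |
                  Select-Object -First 1).UserName
    $Me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($SteamUser -ne $Me) {
        Write-Warning "Steam runs as $SteamUser but you are $Me; the game will restart itself"
    }
} catch { Write-Warning "Could not read Steam's owner (run elevated to check): $_" }

# Run the injector from its own directory so it picks up scylla_hide.ini.
Push-Location $ScyllaDir
try { & .\InjectorCLIx64.exe DarkSoulsIII.exe .\HookLibraryx64.dll }
finally { Pop-Location }

# 4. Verify the hook library is actually mapped in the game process.
try {
    $Game.Refresh()
    $Hook = $Game.Modules | Where-Object { $_.ModuleName -ieq 'HookLibraryx64.dll' }
    if ($Hook) {
        Write-Host ("HookLibraryx64.dll loaded at base 0x{0:X}" -f $Hook.BaseAddress.ToInt64())
    } else {
        Write-Warning 'HookLibraryx64.dll is not present in the game process; injection failed'
    }
} catch { Write-Warning "Could not enumerate game modules (64-bit, elevated PowerShell needed): $_" }
```

After the script reports the hook DLL as loaded, set the exception filters in your debugger as described above and continue the process; the module check is the step worth keeping even if you do the rest by hand, since the injector's "Hook injection successful" line only says the remote thread was created.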