Hi, I have a problem when using OllyDBG to attach to a game. I click attach to process, cilck the game, and press F9.. the game freezes, all threads are suspended. I have used Cheat Engine, and it has the ability to debug a process without stopping it like Olly does. Is there a plugin of some sort, or a way to stop OllyDBG from stopping my game upon attaching? Thanks.

Actually, this ia a rather interesting question, which involves reversing Olly, I presume.

What API does Olly use to attach to a debugged process , and what are the parameters passed onto that API?

That is the key question here.

Ah! A question answered with a good question, and a challenge issued.

Regards,

I'll try to figure that out, someone said it uses WriteProcessMemory() to set breakpoints. Not sure about attaching. I thought of another method. The game I'm trying to reverse uses a launcher that uses CreateProcessA() to launch the game. It does have a "PROCESSINFO" parameter, which means I might be able to retrieve the process ID from that, and finally make olly attach to a certain PID very quickly. This is just another idea. Any thoughts?

The target is free, so I think it's ok for me to reveal it. It's TA Spring.

0012FB70 006B1E7A /CALL to CreateProcessA from TASClien.006B1E75
0012FB74 00000000 |ModuleFileName = NULL
0012FB78 04234180 |CommandLine = "C:\Program Files\Spring\spring.exe script.txt"
0012FB7C 00000000 |pProcessSecurity = NULL
0012FB80 00000000 |pThreadSecurity = NULL
0012FB84 00000000 |InheritHandles = FALSE
0012FB88 04000020 |CreationFlags = NORMAL_PRIORITY_CLASS|CREATE_DEFAULT_ERROR_MODE
0012FB8C 00000000 |pEnvironment = NULL
0012FB90 0423481C |CurrentDir = "C:\Program Files\Spring\"
0012FB94 00710B78 |pStartupInfo = TASClien.00710B78
0012FB98 00710B68 \pProcessInfo = TASClien.00710B68

here you see, pProcessInfo is starting at 710B68.. maybe I can pull the needed values from there?

Read around here. (Iczelion's series)

http://win32assembly.online.fr/tut28.html

OllyDbg uses DebugActiveProcess to attach. This function, by nature, must suspend all the threads in the target process prior to effecting the attach. Olly then enters a standard debug-loop using WaitForDebugEvent, the first few events of which describe the state of all threads and modules in the target process. So considering that the threads are all suspended before OllyDbg's execution resumes, there is not really much you can do.

What's the real problem? Is it that OllyDbg complains that 'all threads are suspended' when you attempt to run, or is there some other reason you'd like to alter this behaviour?