Cheat Engine

[whateve12]

Hi,

Could someone explain how CE attaches its debugger? The UCE that I made could read/write to maple's memory without problem, but attaching debugger doesn't work.

From the sourcecode, It looks like CE created a debugger thread, and attaches this thread to other process' context. One thing that confused me though is that the debugger thread is implemented in usermode in pascal.

Before, I thought this had something to do with KeAttachProcess, but I realized the thread must be a kernel thread.

So, now, I am kinda lost in debugger.pas.. I haven't touched pascal for a few years.

Few specific question:
1. Is debug registers process specific or thread specific?
2. There is a variable debuggerthread2, what is this? From what I know, we could only attach 1 debugger.
3. Does gameguard found the debugger using signature detection or is it monitoring some kernel data structure?
4. What are the differences between the 2 TDebugger constructor?
5. What does TDebugger.execute do? It's such a huge procedure..

--- I'm posting this here because this is not bypass-specific, and posts in other forums get buried too quickly.

[Dark Byte]

there are 2 debuggers.
The standard usermode debugger (won't work for nprotected games)
and the kernelmode debugger (sometimes works)

The standard debugger uses variable debuggerthread, that is a normal usermode debugger, which uses the default windows debug api

the kerneldebugger uses debuggerthread2 , which is used for reading out the log when using "find out what accesses/writes to address xxx"
for changing registers only the processwatcher is used which watches the threads being created.
Besides that the kernel is told to watch for certain debug events, and when they happen it changes the registers without any usermode interaction

.execute in a thread object is the main thread code. It's the code that gets executed in the thread, in this case it's the debugger loop (see it like a windows message loop, waiting for a event and then acting on it, but then for a debugger)

[whateve12]

Thanks a lot for the fast reply, it really helps =)

[whateve12]

I finally managed to attach the kernel debugger to change register on breakpoint. Turns out, gameguard was hooking ioctl and intercepted some commands.

Now, I guess the only problem left is to figure out why the handler (GeneralHandler IIRC) wasn't called on breakpoint. It worked on a test program, but not on maple. What could be going on here?

edit: solved... turns out the function name was the problem. I expected something more elaborate from gameguard -_-

[whateve12]

I have another question on debug register:

What happens to the debug registers when a process is terminated? If breakpoints are process specific, how come CE still holds the breakpoints even after the opened process is already terminated?

Also, other process opened by CE seems to 'inherit' all breakpoints from the previous process. (But the breakpoints doesn't seem to work.) This is weird indeed, and easily fixed by a reboot.

It might just because of incorrect source editing though, I'll have to check this using release version of CE.

Edit: nevermind, I forgot about DR7