Cheat Engine

ducspam · Posted: Fri Oct 14, 2005 6:58 am Post subject:

Nope. I'm not even doing Set/GetThreadContext. All I was trying to see is what kind of events and exceptions was called.

This is what msdn say about EXCEPTION_INVALID_HANDLE:

ducspam · Posted: Fri Oct 14, 2005 7:02 pm Post subject:

Ok, I think I got it working.

My solution was:
1) Open up the process and do the "patching". Then set the process to null after you're done.
2) Open up the process (again) and do the debug. This seem to work fine.

In addition, the modifying of the register works and I saw a shitload of "exception" (that I on purposely caused which is a good thing). Well there was so much that it crash. I haven't been running the debugger on another process yet, but I will now.

Question:
Since I can only put 4 hardware exceptions in there (Dr0, Dr1, Dr2, Dr3), how come CE only does 3? Would it be possible to create another debugger (2 of them) and this way double the hardware exceptions?

Dark Byte · Posted: Fri Oct 14, 2005 7:16 pm Post subject:

ce only has 3 because it uses the 4th for stuff like "stepping over" and "run till" commands while debugging.

And no, it doesn't increase the number of registers when you have more debuggers. Each thread can only have 4 debug regs. Both debuggers will be working with the same thread so that won't work .And not to mention you can't have 2 (usermode) debuggers running at the same time (kernel debuggers are a different thing especially when they chain eachother int handlers)

ducspam · Posted: Fri Oct 14, 2005 9:44 pm Post subject:

Off topic but I was wondering:

What's the API for changing the value at an address?

Dark Byte · Posted: Sat Oct 15, 2005 5:17 am Post subject:

WriteProcessMemory

hcong · Newbie cheater Reputation: 0 Joined: 12 Mar 2006 Posts: 21

i have some problems on my debugger

i have set an int3 breakpoint on a process that my debugger debugging, after the breakpoint reach, i call GetThreadContext to get the thread context, then i change the eax value, then i call the SetThreadContext to set the thread context back to the thread, then write back the original byte, after that i call ContinueDebugEvent to continue the thread, but it skip the instruction that i set breakpoint.

another problem is hardware breakpoint, after i call ContinueDebugEvent, it still break on the same instruction without continue the thread

Dark Byte · Posted: Tue Sep 26, 2006 3:29 am Post subject:

for int3:
write back the original byte

getcontextthread
change eax
decrease eip with 1
set the single step flag in the eflags register
setcontextthread

continue.
in the next event set the byte back to int3 and continue

for hardware breakpoint:
on a break, remove the debug breakpoint, do a single step, and then set the breakpoint back. (Like above, but then without a int3 but with a debugregister and no decrease eip)

hcong · Newbie cheater Reputation: 0 Joined: 12 Mar 2006 Posts: 21

how about if i want to change eip also?
did i need to decrease eip after change eip?
or i no need to decrease eip?

CryptWizard · Posted: Fri Oct 13, 2006 5:25 pm Post subject:

I figured out this INT handler stuff, but how do you set a breakpoint?

Dark Byte · Posted: Sat Oct 14, 2006 1:16 am Post subject:

change the debugregisters so they raise a int1 on execute, write or read/write
use a apc, setthreadcontext os pssetcontextthread

CryptWizard · Posted: Mon Oct 16, 2006 5:07 am Post subject:

What would I have to pass to NtSetContextThread() to do that? since I would perfer to do as much stuff from kernel mode as possible. If there is another kernel way to do it please tell me. Thanks for the help. Smile