What's going on with my "what access this address"

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming
View previous topic :: View next topic  
Author Message
igoticecream
Grandmaster Cheater Supreme
Reputation: 0

Joined: 23 Apr 2006
Posts: 1807
Location: 0x00400000

PostPosted: Wed Sep 22, 2010 9:44 pm    Post subject: What's going on with my "what access this address" Reply with quote

Hey all!

Well, I'm putting a hardware breakpoint on a variable that (obviously) will change its value; the breakpoint works fine and I can handle the EXCEPTION_SINGLE_STEP exception in my VEH. But when I look at the address where the exception occurs... well, it is not exact. I will show you:

This is my code (kinda long because of the bunch of defines, i will paste them too in case you detect something wrong):

Code:

#include "stdafx.h"
#pragma auto_inline(off)

// Macros
// Macros
// DEBUG_REGISTER_n selects which DRn slot SetBreakpoint programs. The same bit
// positions (0-3) are where DR6 reports which slot fired (B0-B3, per the Intel SDM),
// so a handler can mask ContextRecord->Dr6 with these to identify the hit.
#define DEBUG_REGISTER_0         0x00000001
#define DEBUG_REGISTER_1         0x00000002
#define DEBUG_REGISTER_2         0x00000004
#define DEBUG_REGISTER_3         0x00000008

// Macros for DR0
// DR7 bit layout used by the four families below: bits 0-7 are the per-slot
// local/global enables (L0,G0,L1,G1,...), bits 16-31 hold one 2-bit R/Wn (condition)
// field followed by one 2-bit LENn (length) field per slot. Condition 0x3 = read or
// write, 0x1 = write, 0x0 = execute; length 0x3 = 4 bytes, 0x1 = 2 bytes, 0x0 = 1 byte.
// Because DRn_ACCESS and DRn_FOUR_BYTE set both bits of their field, they double as
// the field masks when a slot has to be cleared before re-arming it.
// An execute breakpoint must be armed with the 1-byte length.
#define DR0_BREAKPOINT_LOCAL      0x00000001
#define DR0_BREAKPOINT_GLOBAL      0x00000002

#define DR0_WRITE               0x00010000
#define DR0_ACCESS               0x00030000
#define DR0_EXECUTE               0x00000000

#define DR0_ONE_BYTE            0x00000000
#define DR0_TWO_BYTE            0x00040000
#define DR0_FOUR_BYTE            0x000C0000

//Macros for DR1 (same fields as DR0, shifted to bits 2-3 and 20-23)
#define DR1_BREAKPOINT_LOCAL      0x00000004
#define DR1_BREAKPOINT_GLOBAL      0x00000008

#define DR1_WRITE               0x00100000
#define DR1_ACCESS               0x00300000
#define DR1_EXECUTE               0x00000000

#define DR1_ONE_BYTE            0x00000000
#define DR1_TWO_BYTE            0x00400000
#define DR1_FOUR_BYTE            0x00C00000

// Macros for DR2 (bits 4-5 and 24-27)
#define DR2_BREAKPOINT_LOCAL      0x00000010
#define DR2_BREAKPOINT_GLOBAL      0x00000020

#define DR2_WRITE               0x01000000
#define DR2_ACCESS               0x03000000
#define DR2_EXECUTE               0x00000000

#define DR2_ONE_BYTE            0x00000000
#define DR2_TWO_BYTE            0x04000000
#define DR2_FOUR_BYTE            0x0C000000

// Macros for DR3 (bits 6-7 and 28-31)
#define DR3_BREAKPOINT_LOCAL      0x00000040
#define DR3_BREAKPOINT_GLOBAL      0x00000080

#define DR3_WRITE               0x10000000
#define DR3_ACCESS               0x30000000
#define DR3_EXECUTE               0x00000000

#define DR3_ONE_BYTE            0x00000000
#define DR3_TWO_BYTE            0x40000000
#define DR3_FOUR_BYTE            0xC0000000

//Macros for general DR
// LE (bit 8) / GE (bit 9): "exact" breakpoint reporting; SetBreakpoint always sets LE.
// Bit 10 is reserved. GD (bit 13) raises a debug trap on any access to the DR
// registers themselves (general detect) - defined here but not used by this file.
#define BREAKPOINT_LOCAL_EXACT      0x00000100
#define BREAKPOINT_GLOBAL_EXACT      0x00000200
#define RESERVED_BIT_10            0x00000400
#define GENERAL_DETECT            0x00002000

// Global variables
DWORD dwWriteOnThis;     // watched by the DR1 write breakpoint armed in _tmain
DWORD dwReadFromThis;    // watched by the DR2 read/write (access) breakpoint armed in _tmain

// Functions
// VEH callback: prints ExceptionAddress for each EXCEPTION_SINGLE_STEP and lets every
// other exception (including EXCEPTION_BREAKPOINT) continue the search. Declared as
// DWORD WINAPI rather than the OS's LONG CALLBACK, hence the cast at registration.
DWORD WINAPI VectoredExceptionHandler(PEXCEPTION_POINTERS pExceptionInfo);
// Arms slot dwDRX (DEBUG_REGISTER_0..3) of hTargetThread on pAddr. dwLevel, dwCondition
// and dwLength are the DRn_* enable/condition/length bits for that same slot and are
// OR-ed into DR7 together with BREAKPOINT_LOCAL_EXACT. No status is returned.
VOID SetBreakpoint(HANDLE hTargetThread, PVOID pAddr, DWORD dwDRX, DWORD dwLevel, DWORD dwCondition, DWORD dwLength);

//Code
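int _tmain(int argc, _TCHAR* argv[])
{
   // Demo: arm two hardware data breakpoints on globals of this process, touch them,
   // and let VectoredExceptionHandler print where each resulting EXCEPTION_SINGLE_STEP
   // is reported. Returns 0 on success, 1 if the handler could not be installed.
   CONTEXT ctx;

   UNREFERENCED_PARAMETER(argc);
   UNREFERENCED_PARAMETER(argv);

   // First = 1 so this handler runs before any other vectored handler. The cast is
   // needed because the handler is declared DWORD WINAPI instead of LONG CALLBACK
   // (PVECTORED_EXCEPTION_HANDLER); keep the two declarations in step.
   PVOID pExceptionHandler = AddVectoredExceptionHandler(1, (PVECTORED_EXCEPTION_HANDLER)VectoredExceptionHandler);
   if (pExceptionHandler == NULL)
   {
      // Without a handler the first breakpoint hit would be an unhandled exception,
      // so do not arm anything.
      _tprintf_s(_T("AddVectoredExceptionHandler failed\n"));
      return 1;
   }

   dwWriteOnThis = 0;
   dwReadFromThis = 0;

   // The level/condition/length bits must come from the same DRn family as the slot
   // selector; SetBreakpoint does not cross-check them.
   SetBreakpoint(GetCurrentThread(), (PVOID)&dwWriteOnThis, DEBUG_REGISTER_1, DR1_BREAKPOINT_LOCAL, DR1_WRITE, DR1_FOUR_BYTE);
   SetBreakpoint(GetCurrentThread(), (PVOID)&dwReadFromThis, DEBUG_REGISTER_2, DR2_BREAKPOINT_LOCAL, DR2_ACCESS, DR2_FOUR_BYTE);

   // Data breakpoints are trap-class: the CPU reports them after the accessing
   // instruction has completed, so the address the handler prints is the instruction
   // that FOLLOWS each of these two accesses.
   dwReadFromThis++;
   dwWriteOnThis++;

   // Disarm before the handler goes away. The debug registers outlive
   // RemoveVectoredExceptionHandler, and any later touch of either global would
   // otherwise raise an EXCEPTION_SINGLE_STEP that nothing handles. Best effort: a
   // failed GetThreadContext leaves the slots armed.
   ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
   if (GetThreadContext(GetCurrentThread(), &ctx))
   {
      ctx.Dr7 &= ~(DR1_BREAKPOINT_LOCAL | DR1_BREAKPOINT_GLOBAL | DR2_BREAKPOINT_LOCAL | DR2_BREAKPOINT_GLOBAL);
      SetThreadContext(GetCurrentThread(), &ctx);
   }

   RemoveVectoredExceptionHandler(pExceptionHandler);
   _getch();
   return 0;
}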

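DWORD WINAPI VectoredExceptionHandler(PEXCEPTION_POINTERS pExceptionInfo)
{
   // Services the EXCEPTION_SINGLE_STEP raised by the DR1/DR2 data breakpoints armed in
   // _tmain. Data breakpoints are trap-class: the CPU reports them AFTER the accessing
   // instruction retires, so ExceptionAddress is the instruction that follows the
   // access, not the access itself - naming the accessor requires disassembling
   // backwards from this address. Returns EXCEPTION_CONTINUE_EXECUTION for our traps
   // and EXCEPTION_CONTINUE_SEARCH for everything else (including EXCEPTION_BREAKPOINT,
   // which is left for a debugger). Declared DWORD WINAPI to match the prototype; the
   // OS type is LONG CALLBACK, which is why _tmain casts at registration.
   PEXCEPTION_RECORD pRecord = pExceptionInfo->ExceptionRecord;
   if (pRecord->ExceptionCode != EXCEPTION_SINGLE_STEP)
   {
      return EXCEPTION_CONTINUE_SEARCH;
   }

   // DR6 bits 0-3 (B0-B3) say which debug register fired and share the bit layout of
   // the DEBUG_REGISTER_n macros. A single-step trap with none of them set came from
   // something else (e.g. the trap flag, a debugger stepping) and is not ours to swallow.
   DWORD dwDr6 = pExceptionInfo->ContextRecord->Dr6;
   DWORD dwHit = dwDr6 & (DEBUG_REGISTER_0 | DEBUG_REGISTER_1 | DEBUG_REGISTER_2 | DEBUG_REGISTER_3);
   if (dwHit == 0)
   {
      return EXCEPTION_CONTINUE_SEARCH;
   }

   // %p rather than %08X: a PVOID is not an unsigned int (undefined behaviour, and it
   // would truncate on x64); _T() keeps the literal's character type in step with
   // _tprintf_s in both ANSI and Unicode builds.
   _tprintf_s(_T("0x%p (DR hit mask 0x%lX)\n"), pRecord->ExceptionAddress, dwHit);
   // NOTE(review): the CPU never clears B0-B3 itself; if stale hits ever show up here,
   // clear them with ContextRecord->Dr6 = 0 before continuing - confirm on this OS.
   return EXCEPTION_CONTINUE_EXECUTION;
}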

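VOID SetBreakpoint(HANDLE hTargetThread, PVOID pAddr, DWORD dwDRX, DWORD dwLevel, DWORD dwCondition, DWORD dwLength)
{
   // Arms one hardware breakpoint slot (DR0-DR3) of hTargetThread on pAddr.
   //   dwDRX       - DEBUG_REGISTER_0..3: the slot to program.
   //   dwLevel     - DRn_BREAKPOINT_LOCAL / _GLOBAL enable bit for that slot.
   //   dwCondition - DRn_WRITE / _ACCESS / _EXECUTE (the R/Wn field).
   //   dwLength    - DRn_ONE_BYTE / _TWO_BYTE / _FOUR_BYTE (the LENn field).
   // dwLevel, dwCondition and dwLength are OR-ed into DR7 as given and must belong to
   // the same DRn family as dwDRX; nothing here validates that. The function silently
   // does nothing if dwDRX is not one of the four slots or GetThreadContext fails, and
   // the SetThreadContext result is not reported either (VOID return).
   // NOTE(review): the caller passes GetCurrentThread(); Get/SetThreadContext are
   // documented for suspended threads, so confirm this is reliable for the running
   // thread's debug registers on the target OS before relying on it.
   CONTEXT ctx;
   ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
   if (!GetThreadContext(hTargetThread, &ctx))
   {
      return;
   }

   // Clear the slot's old enable, condition and length bits before OR-ing the new ones
   // in: a bare '|=' can never narrow or downgrade a slot that was armed earlier with
   // wider bits (DRn_ACCESS and DRn_FOUR_BYTE are the all-ones masks of R/Wn and LENn).
   // DWORD_PTR keeps the address cast lossless should this ever be built for x64.
   switch (dwDRX)
   {
   case DEBUG_REGISTER_0:
      ctx.Dr0 = (DWORD_PTR)pAddr;
      ctx.Dr7 &= ~(DR0_BREAKPOINT_LOCAL | DR0_BREAKPOINT_GLOBAL | DR0_ACCESS | DR0_FOUR_BYTE);
      break;
   case DEBUG_REGISTER_1:
      ctx.Dr1 = (DWORD_PTR)pAddr;
      ctx.Dr7 &= ~(DR1_BREAKPOINT_LOCAL | DR1_BREAKPOINT_GLOBAL | DR1_ACCESS | DR1_FOUR_BYTE);
      break;
   case DEBUG_REGISTER_2:
      ctx.Dr2 = (DWORD_PTR)pAddr;
      ctx.Dr7 &= ~(DR2_BREAKPOINT_LOCAL | DR2_BREAKPOINT_GLOBAL | DR2_ACCESS | DR2_FOUR_BYTE);
      break;
   case DEBUG_REGISTER_3:
      ctx.Dr3 = (DWORD_PTR)pAddr;
      ctx.Dr7 &= ~(DR3_BREAKPOINT_LOCAL | DR3_BREAKPOINT_GLOBAL | DR3_ACCESS | DR3_FOUR_BYTE);
      break;
   default:
      // Unknown slot selector: leave the thread's debug registers untouched.
      return;
   }

   // LE (local exact) is always requested alongside the caller's bits.
   ctx.Dr7 |= BREAKPOINT_LOCAL_EXACT | dwLevel | dwCondition | dwLength;
   SetThreadContext(hTargetThread, &ctx);
}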


And the output is the following:

Quote:

0x0040108B
0x00401091


This output means those addresses are accessing my variables:
( at the code
dwReadFromThis++;
dwWriteOnThis++;
)

But, when i check the disassemble:

Code:

00401080 - b8 01 00 00 00             - mov eax,00000001
00401085 - 01 05 6c 33 40 00          - add [dwreadfromthis],eax
0040108B - 01 05 70 33 40 00          - add [dwwriteonthis],eax
00401091 - 8b 45 fc                   - mov eax,[ebp-04]




0x00401091 is not accessing dwWriteOnThis, nor is 0x0040108B accessing dwReadFromThis. So what's going on? How can I fix my output to be exact?

_________________
+~
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 891

PostPosted: Wed Sep 22, 2010 10:06 pm    Post subject: Reply with quote

Looks right to me at a glance. Each address points to the instruction /after/ the breakpoint: a data breakpoint is reported once the accessing instruction has completed, so the saved instruction pointer is already past it.

As an aside, it's interesting that the compiler optimized i++ into ++i.

Cheers
igoticecream
Grandmaster Cheater Supreme
Reputation: 0

Joined: 23 Apr 2006
Posts: 1807
Location: 0x00400000

PostPosted: Wed Sep 22, 2010 10:21 pm    Post subject: Reply with quote

Hey, thanks for the answer.

Well, it would be nice to show the user the actual address and opcode that is accessing/writing the variable, and not the next one.

Imagine CE, after it "find what is accessing this address", show you this:

Quote:

dwVariable is being read/write at address "0x0065342D - nop"... will be like Evil or Very Mad

_________________
+~
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 891

PostPosted: Thu Sep 23, 2010 3:01 am    Post subject: Reply with quote

AFAIK, it's just a reflection of the way the system works. The IP always points to the next instruction. You can try feeding code to libdisasm starting from the last page, then look at the last instruction. If you're trying to emulate CE you're going to need disassembly at some point.
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25778
Location: The netherlands

PostPosted: Thu Sep 23, 2010 5:10 am    Post subject: Reply with quote

Yup, you're going to need a disassembler to find the original instruction
Unless it's a rep movsX instruction, in which case that only holds once ecx is 0... (So many things to keep track of...)

ot: Also, CE 6 has an option to use VEH as one of the debugger interfaces as well (there's a special interface that makes adding new types of debuggers easy)

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so i can keep helping
igoticecream
Grandmaster Cheater Supreme
Reputation: 0

Joined: 23 Apr 2006
Posts: 1807
Location: 0x00400000

PostPosted: Thu Sep 23, 2010 3:45 pm    Post subject: Reply with quote

Yeah, I'm emulating CE because VEH is not detected by what I need it for.

So, the easy way I guess is: get where the exception occurs and find the previous instruction (the correct instruction that accesses my variable). That's the way CE works, right?

Thanks and can't wait to see CE 6 Shocked

_________________
+~