Cheat Engine

[Culinary]

Hi, I have a question about how this is implemented in Cheat Engine. I thought it might have been a vectored exception handler, but when toggling a register modification, I see no new modules in the target programs address space, to support a VEH.

I know it does not use simple software int3's, so I wrote a hardware breakpoint loop to try and modify and register for a certain thread. It works of course when this instruction is called once in while (like every 10 seconds or so) but if there is a constant loop checking this instruction, its as if my code is not fast enough to keep up. The game is a choppy mess (the register edit works) but the game will eventually die.

Basically what I am doing is setting a hardware break on the instruction, then setting the Dr registers back to 0, and modifying said register. Then I issue the breakpoint again, in a continuous loop.

Is this not the way I should be doing it?

thanks!

[Dark Byte]

In cheat engine it depends on which debugger interface you use if it uses VEH or not. Kernelmode debugger, windows debugger and VEH debugger (this one used veh....)

it can work with both simple int3's and hardware breakpoints (but that's because I handle them both)

I don't recommend you use a software breakpoint unless you like playing with critical sections and total process freezes (reason why: Thread1 breaks and restores the original byte, Thread 2 executes the original instruction, thread 1 executes the original instruction and puts back the int3 bp)

anyhow, for your problem.

This is the basic implementation:
first put a breakpoint where you want
then when the breakpoint is hit change the registers

if windows XP, disable the breakpoint (dr7), single step, re-enable the breakpoint and continue
if windows vista+ , set the resume flag and continue

My guess is that at the spot where the breakpoint is hit and you change the register there is a bottleneck. Perhaps you're updating the gui, or synchronizing with the mainthread. That is not needed for a change register feature, all you need to do is set the registers state and continue

[Culinary]

thank you dark byte

[Culinary]

maybe my way of going about this is completely wrong, and my coding style is what is causing this bottleneck.

My debugger operation & loop is a single thread. The target process I am trying to do this to, uses about 26 threads, 1 of which is constantly accessing this instruction. No other threads access it.

So firstly I enumerate the threads that belong to this process, suspend them, set their context and the address to break on, and then I go straight to WaitForDebugEvent.

When the single_step exception is caught, I get the thread context, check the EIP, set the resume flag in dr7, set the context. and then proceed to exit the switch. Which is followed by ContinueDebugEvent of course.

Right after ContinueDebugEvent, I active the bp again by suspending the thread and setting its context.

Sorry to plague you with these questions, I have read the intel manual, I understand the debug registers, but I do not know if my implementation of this is right.

thanks again.


edit - I noticed like I said before - I tried it with Cheat Engine and it works flawlessly, with no vectored exception handler.

So that would lead me to believe me implementation is flawed =/

[Dark Byte]

What you are doing is setting the breakpoint back after continuing from the breakpoint. This will cause a problem.
situation 1:
The thread has not been scheduled to continue after you set the breakpoint back
situation 2:
the routine has been executed multiple times between continueing and setting the breakpoint

also, are you using windows xp , vista or 7 ?

anyhow, for the implementation:
if windows xp:
change registers
disable the breakpoint
set the trap flag in eflags
continue debugging (ContinueDebugEvent)
wait for the single step caused by the trap flag (next instruction)
set the breakpoint back
continue debugging (ContinueDebugEvent)

if vista+:
change registers
set the resume flag in eflags
continue debugging (ContinueDebugEvent)

[Culinary]

thanks again, I got it to work thanks to you ;p

cant believe i wasted the past 4 hours of my life all because I was accidently setting the alignment check flag instead of the resume flag.. yawn

also I was suspending and setting the context when I wasnt suppose to be -_-

Also I really appreciate the help and thank you for cheat engine, its a great learning tool