MantisBT - Cheat Engine
View Issue Details
ID: 0000462
Project: Cheat Engine
Category: (No Category)
View Status: public
Date Submitted: 2016-03-19 11:30
Last Update: 2016-03-24 21:23
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Platform: PC
OS: Windows 7
OS Version: x64 SP1
Summary: 0000462: Break and trace in ntdll.dll does not trace correctly

Description:
I am working on a script for the Original Sin Enhanced Edition (Steam).
For some reason, the trace gets screwed up upon entering ntdll.dll.

When we break into ntdll.dll, the 'instruction tree' breaks because the instructions of the call do not go under a new section, they get added to the same level as the call. I guess this causes all the 'ret' instructions to close the wrong tree elements.

Not sure how to explain better.
The trace window should show "test eax,eax" after "call qword ptr [EoCApp.exe+FDB6B0]".
Steps To Reproduce:
1. I set a break and trace at this location:
EoCApp.exe+BA4070 - 48 89 5C 24 10 - mov [rsp+10],rbx
2. I trigger the code in-game.
3. I look at the trace.
Additional Information:
Attached a zip file with:
 - The saved trace
 - trace_shot_01.png: a screenshot showing the call into ntdll.dll (debug window)
 - trace_shot_02.png: a screenshot showing the call into ntdll.dll (trace window)
 - trace_shot_03.png: a screenshot showing the called code in ntdll.dll
Attached Files:
zip (78,760) 2016-03-19 11:30
trace.png (34,101) 2016-03-19 12:04
debugger_crash.png (3,631) 2016-03-19 12:13
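As an added illustration, not part of this report or of Cheat Engine's own code: a small trace-tree builder in the spirit of the 'instruction tree' the report describes, where a call opens a new level and a ret closes it, plus one check the reported behaviour calls for: each ret is compared with the return address of the call being closed, so a mismatch is reported instead of silently closing the wrong element. Addresses and instruction lengths below are constructed sample values.

```python
def build_call_tree(trace):
    """trace: list of (address, instruction length, disassembly) in execution order.
    Returns (tree, problems): tree is a list of {'addr','text','children'} nodes."""
    root, problems = [], []
    stack = []          # (address this call should return to, parent sibling list)
    siblings = root
    for i, (addr, length, text) in enumerate(trace):
        node = {"addr": addr, "text": text, "children": []}
        siblings.append(node)
        mnemonic = text.split()[0]
        if mnemonic == "call":
            # the callee's instructions go one level below the call itself
            stack.append((addr + length, siblings))
            siblings = node["children"]
        elif mnemonic == "ret":
            if not stack:
                problems.append((addr, "ret with no open call"))
                continue
            expected, parent = stack.pop()
            actual = trace[i + 1][0] if i + 1 < len(trace) else None
            if actual != expected:
                # a stray ret must not silently close the wrong tree element
                problems.append((addr, f"returned to {actual}, expected {expected:#x}"))
            siblings = parent
    for expected, _ in stack:
        problems.append((None, f"call expecting return to {expected:#x} never returned"))
    return root, problems

def render(tree, depth=0):
    """One indented line per traced instruction, callee code nested under its call."""
    lines = []
    for node in tree:
        lines.append("  " * depth + f"{node['addr']:#x}  {node['text']}")
        lines.extend(render(node["children"], depth + 1))
    return lines

# Constructed sample traces: a well-formed one, and one whose ret does not land
# on the instruction following the call (the "test eax,eax" the report expects).
GOOD_TRACE = [
    (0x1000, 6, "call qword ptr [EoCApp.exe+FDB6B0]"),
    (0x7000, 3, "mov rax,rcx"),
    (0x7003, 1, "ret"),
    (0x1006, 2, "test eax,eax"),
]
BAD_TRACE = GOOD_TRACE[:3] + [(0x2500, 2, "test eax,eax")]

if __name__ == "__main__":
    for trace in (GOOD_TRACE, BAD_TRACE):
        tree, problems = build_call_tree(trace)
        print("\n".join(render(tree)), problems, sep="\n")
```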

Note 0001028 by Csimbi, 2016-03-19 11:36
(Last edited: 2016-03-19 12:15)
Forgot. 'Step over instead of a single step' was checked.

Edit 1
Also, it seems that the previous call is broken already:
EoCApp.exe+BA411D - E8 FEF8B6FF - call EoCApp.exe+713A20

Edit 2
It seems that there's some CE integrity issue.
This is how it should look.
Restarted both game and CE so it's a fresh start, and 'Step over instead of a single step' was not checked in this case.
See newly attached trace.png.

Interestingly, this 'fresh start' one did not trace the 5000 instructions I asked it to. It did maybe 1000 or so. It stopped here:

EoCApp.exe+495FBA - FF 25 005FB400 - jmp qword ptr [EoCApp.exe+FDBEC0] { ->MSVCR120.dll+3C940 }

I have MSVCR120.dll in the donottrace.txt file, so CE should have skipped over it instead of stopping the trace there...

Edit 3
I set a new break and trace again at the same place as earlier, and this time I had 'Step over instead of a single step' checked again.
When it fires, the debugger crashes (and the game hangs); see newly attached debugger_crash.png.

Issue History
2016-03-19 11:30  Csimbi  New Issue
2016-03-19 11:30  Csimbi  File Added:
2016-03-19 11:36  Csimbi  Note Added: 0001028
2016-03-19 11:38  Csimbi  Note Edited: 0001028 (bug_revision_view_page.php?bugnote_id=1028#r154)
2016-03-19 12:03  Csimbi  Note Edited: 0001028 (bug_revision_view_page.php?bugnote_id=1028#r155)
2016-03-19 12:04  Csimbi  File Added: trace.png
2016-03-19 12:05  Csimbi  Note Edited: 0001028 (bug_revision_view_page.php?bugnote_id=1028#r156)
2016-03-19 12:08  Csimbi  Note Edited: 0001028 (bug_revision_view_page.php?bugnote_id=1028#r157)
2016-03-19 12:13  Csimbi  File Added: debugger_crash.png
2016-03-19 12:15  Csimbi  Note Edited: 0001028 (bug_revision_view_page.php?bugnote_id=1028#r158)
2016-03-24 21:23  AAS  Tag Attached:
2016-03-24 21:24  AAS  Issue cloned: 0000463