2017-09-21 11:05 CEST

View Issue Details

ID: 0000462
Project: Cheat Engine
Category: (No Category)
View Status: public
Last Update: 2016-03-24 21:23
Reporter: Csimbi
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform: PC
OS: Windows 7
OS Version: x64 SP1
Summary: 0000462: Break and trace in ntdll.dll does not trace correctly
Description:
I am working on a script for the Original Sin Enhanced Edition (Steam).
For some reason, the trace gets screwed up upon entering ntdll.dll.

When we break into ntdll.dll, the 'instruction tree' breaks because the instructions of the call do not go under a new section, they get added to the same level as the call. I guess this causes all the 'ret' instructions to close the wrong tree elements.

Not sure how to explain better.
The trace window should show "test eax,eax" after "call qword ptr [EoCApp.exe+FDB6B0]".
Steps To Reproduce:
1. I set a break and trace at this location:
EoCApp.exe+BA4070 - 48 89 5C 24 10 - mov [rsp+10],rbx
2. I trigger the code in-game.
3. I looked at the trace.
Additional Information:
Attached a zip file with:
 - The saved trace
 - trace_shot_01.png; A screenshot showing the call into ntdll.dll (debug window)
 - trace_shot_02.png; A screenshot showing the call into ntdll.dll (trace window)
 - trace_shot_03.png; A screenshot showing called code in ntdll.dll
Tags: travian.ro
Notes

Note 0001028
Csimbi (reporter)
Last edited: 2016-03-19 12:15

Forgot. 'Step over instead of a single step' was checked.

Edit 1
Also, it seems that the previous call is broken already:
EoCApp.exe+BA411D - E8 FEF8B6FF - call EoCApp.exe+713A20

Edit 2
It seems that there's some CE integrity issue.
This is how it should look.
Restarted both the game and CE so it's a fresh start, and 'Step over instead of a single step' was not checked in this case.
See newly attached trace.png.

Interestingly, this 'fresh start' one did not trace the 5000 instructions I asked it to. It did maybe 1000 or so. It stopped here:

EoCApp.exe+495FBA - FF 25 005FB400 - jmp qword ptr [EoCApp.exe+FDBEC0] { ->MSVCR120.dll+3C940 }

I have MSVCR120.dll in the donottrace.txt file, so CE should have skipped over it instead of stopping the trace there...

Edit 3
I set a new break and trace again at the same place as earlier and this time I had 'Step over instead of a single step' checked again.
When it fires, the debugger crashes (and the game hangs), see newly attached debugger_crash.png.
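As an added illustration (not Cheat Engine's own code), the following is a simplified model of the instruction-tree folding the description expects: each traced 'call' opens a nested section that the matching 'ret' closes, a call whose next traced line is its own return address (the 'Step over' case) opens nothing, and a 'ret' with no open section is reported instead of closing a parent it does not own. The trace lines are constructed samples in CE's line format; only the EoCApp.exe+BA4070 instruction is taken from the report, the remaining addresses and opcode bytes are made up.

```python
import re

# Constructed trace lines in CE's "module+addr - bytes - asm" format.
# Only the first line is from the report; the rest are invented samples.
SAMPLE_TRACE = [
    "EoCApp.exe+BA4070 - 48 89 5C 24 10 - mov [rsp+10],rbx",
    "EoCApp.exe+BA4075 - FF 15 3576435F - call qword ptr [EoCApp.exe+FDB6B0]",
    "ntdll.dll+1000 - 48 83 EC 28 - sub rsp,28",
    "ntdll.dll+1004 - 48 83 C4 28 - add rsp,28",
    "ntdll.dll+1008 - C3 - ret",
    "EoCApp.exe+BA407B - 85 C0 - test eax,eax",
]
# 'Step over' variant: the callee is never traced, the next line is the return address.
STEPPED_OVER_TRACE = [SAMPLE_TRACE[0], SAMPLE_TRACE[1], SAMPLE_TRACE[5]]
# Variant with a 'ret' that belongs to no traced call.
UNBALANCED_TRACE = [SAMPLE_TRACE[0], SAMPLE_TRACE[4], SAMPLE_TRACE[5]]

LINE_RE = re.compile(
    r"^(?P<module>[^+]+)\+(?P<addr>[0-9A-Fa-f]+) - (?P<bytes>[0-9A-Fa-f ]+?) - (?P<asm>.+)$"
)

def parse_line(line):
    """Return (module, address, instruction length in bytes, asm text)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised trace line: {line!r}")
    return m["module"], int(m["addr"], 16), len(m["bytes"].replace(" ", "")) // 2, m["asm"]

def build_trace_tree(lines):
    """Fold trace lines into nested sections; returns (tree, problems).

    A node is either an asm string or {"call": asm, "body": [...]}.
    """
    root, stack, problems = [], [], []
    current = root
    entries = [parse_line(line) for line in lines]
    for i, (module, addr, length, asm) in enumerate(entries):
        mnemonic = asm.split()[0].lower()
        if mnemonic == "call":
            nxt = entries[i + 1] if i + 1 < len(entries) else None
            if nxt is not None and nxt[0] == module and nxt[1] == addr + length:
                current.append(asm)  # stepped over: callee not traced, stay on this level
                continue
            node = {"call": asm, "body": []}
            current.append(node)
            stack.append(current)
            current = node["body"]  # descend into the callee's section
        elif mnemonic == "ret":
            current.append(asm)
            if stack:
                current = stack.pop()  # close the section this ret belongs to
            else:
                problems.append(f"{module}+{addr:X}: ret with no open call")
        else:
            current.append(asm)
    return root, problems
```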


Issue History

Date Modified      Username  Field          Change
2016-03-19 11:30   Csimbi    New Issue
2016-03-19 11:30   Csimbi    File Added     trace_files.zip
2016-03-19 11:36   Csimbi    Note Added     0001028
2016-03-19 11:38   Csimbi    Note Edited    0001028
2016-03-19 12:03   Csimbi    Note Edited    0001028
2016-03-19 12:04   Csimbi    File Added     trace.png
2016-03-19 12:05   Csimbi    Note Edited    0001028
2016-03-19 12:08   Csimbi    Note Edited    0001028
2016-03-19 12:13   Csimbi    File Added     debugger_crash.png
2016-03-19 12:15   Csimbi    Note Edited    0001028
2016-03-24 21:23   AAS       Tag Attached   travian.ro
2016-03-24 21:24   AAS       Issue cloned   0000463