Cheat Engine

iPromise · Posted: Sat Feb 01, 2014 11:35 pm Post subject: Hardware Breakpoints

there is maximum capacity of 4 addresses which you can set a hardware breakpoint on (dr0 - dr3) but 4 aren't usually enough. I was wondering if it was possible to set one hardware breakpoint on a specific thread that would enable me to control the entire application.

an acquaintance of mine has actually accomplished this. apparently he did something with the main thread of the application.

if it is possible, how would someone go about accomplishing this?

661089799107 · Posted: Sun Feb 02, 2014 3:17 pm Post subject:

So you want to set one HW breakpoint on a single threads context, and want all threads to break on it?

Dark Byte · Posted: Sun Feb 02, 2014 3:25 pm Post subject:

Try something like page exceptions which can have an unlimited amount of breakpoints (including read and write watches)

Or you could single step every thread and every step it does check if one of the addresses has been accessed/modified (slower than page exceptions)

And if it's a java program you could use a read or write watch on a class field using the jvm itself

iPromise · Posted: Sun Feb 02, 2014 7:47 pm Post subject:

@Blackknight Something of that nature is possible.

@Dark_Byte

Now that you've mentioned it, my buddy did tell me that he single stepped the main thread or something similar.

Is there any documentation on single stepping a thread, I haven't found any decent ones. How does it work because you only have the ability to set a maximum of 4 hardware breakpoints on a single address; how do you exploit that to monitor EACH address?

Dark Byte · Posted: Mon Feb 03, 2014 12:17 am Post subject:

as long as the TF bit in the Flags register is set it will raise an debug event when an instruction has been executed
Depending on the operating system you have to manually set the TF back every instruction

iPromise · Posted: Mon Feb 03, 2014 9:46 pm Post subject:

I am injected into the debugee so using a vectored exception handler would be appropriate in my case right?

I go through all the threads in the application, I set CONTEXT_CONTROL to get the flag register and then I set the trap flag in the EFlag member of context.

In my exception handler, I would then write down in a text file the address of the breakpoint to confirm that I had been able to go through every instruction at will.

What am I doing wrong here, the results in my text file weren't what I had expected them to be.

Dark Byte · Posted: Tue Feb 04, 2014 3:08 am Post subject:

Make sure you don't call setBreakpoint on your own thread, because it'll freeze after suspendThread

In the exception handler you may need to set the TF flag back in the context structure of the exceptioninfo structure

And what is the result of your text file and what did you expect? (Remember that because you've done multiple threads the results will be random addresses)

iPromise · Posted: Wed Feb 05, 2014 5:23 pm Post subject:

I followed your suggestions but that made the application hang, and it also crashed other running applications. I was expecting to see the majority of addresses in the text file starting from the entry-point to the last address being executed.

Dark Byte · Posted: Wed Feb 05, 2014 5:54 pm Post subject:

Processes don't start at the entry point. They start at the launcher stub, which sets up the main modules, kernel32 init, tls setup, etc...
only after a very long time it'll reach the entry point

as for other programs crashing not sure. You're not using a global windows hook to inject the dll are you? Because if so that dll will be running in ALL gui processes, and if you didn't add in a specific process targeter, that'll cause a crash as well

Also, don't use "test << ExceptionInfo->ExceptionRecord->ExceptionAddress << endl;" inside the exception handler

the console output is not re-entrant.
Explanation: