Cheat Engine

Autem · Posted: Tue Nov 21, 2023 12:04 pm Post subject: Some questions about threads

I have some questions about threads as I venture into some new (to me) areas and want to make sure I'm learning right.

1. Understanding threads in general: When a game creates a thread, and it has an entry point, that entry point seems to change sometimes. Correct? Or should the entry point of a thread be the spot in the coding that I always figure that thread will start, and should always be the same? My original understanding was that it is static entry point but I think I was wrong there as I research and observe more.

2. Understanding the killing process: When I use x64dbg to "kill" a thread, it seems like the way it does it is to zero-out the RIP of that thread. Is that essentially the process of "killing" a thread? And does it work by way of RIP being the final step of the thread where it would tell it where to go next, but having been zeroed-out, it ends right there? Am I understanding that right?

3. I know how to find the threadlist and thread IDs and all that in CE, but it seems like "Freeze thread" doesn't work. Should it work in CE or is that an obsolete option now when I'm viewing the Threadlist?

4. If I'd like to "kill" a thread using CE, what's the best way? Looking around extensively I cannot find an option similar to x64dbg. Is there a way in CE?

5. Once a thread is "killed" or stopped in any fashion, would there be a way to RESUME or revive the thread later when it's needed? It's a thread created by the game, not by me. If something exists where maybe there's a way to zero out the RIP (assuming my understanding in question 2 above is right) and during that time the thread is "dead" but then maybe you return the value of RIP and it resumes? Anything like that doable, or make sense, or already exist?

6. Finding/understanding WHERE (in the disassembler) a thread is created and dealing with it there? If I know there's a thread I don't want the game to run, how do I approach finding it in the disassembler and possibly preventing it altogether? Breakpoints possible upon new thread creation maybe? Set some restriction somehow to stop that thread-creation-order-number that always seems to be the same number (not the ID)? Etc..?

Thanks for any and all help I can get on this. Threads seem to be very valuable to know how to explore and manipulate but I'm trying to improve my understanding before I get too involved with them.

Dark Byte · Posted: Tue Nov 21, 2023 1:06 pm Post subject:

1: A thread starts wherever it's told to start. this can be in static memory, but also in dynamic memory locations

2: No, it just kills it so it doesn't exist anymore. How do you represent the state of a thread that doesn't exist ?

3: still works. Make sure the thread you're freezing actually does something. Also, won't work on the currently debugged thread

4: killing a thread is a really dumb thing to do. it's like throwing a brick into a window because you need to get into the house, while you could also use the door (it's not going to fix any real anti cheat as it causes the heartbeat to stop)

anyhow, you can likely use OpenThread and TerminateThread API calls to terminate a thread (e.g an autoassemble local script that does that, or even just executeCodeLocalEx)

5: After killing, no. Only if you suspend it you can resume it. You can of course create a new thread at the original entry point but the initial state and memory values will be difficult to reproduce (in short: no)

6: it starts at BaseThreadInitThunk and then jumps to the entry point

Autem · Posted: Tue Nov 21, 2023 2:54 pm Post subject:

This actually explains a lot. Especially for my 3rd question.

Thank you very much!