Cheat Engine

Redouane · Posted: Sun Aug 23, 2015 9:14 am Post subject: Int 3 in a program's memory

I found this while debugging a game,the part that contains many 'int 3' instructions delimits two functions.

1- Why is the 'int 3' instruction used here? (I read that it's used for debugging,to implement breakpoints,but what is it doing here?)

2- Is that part of the memory used by the game (ie. if I change some bytes there,is there a risk to crash the application?)

Thanks

Gniarf · Posted: Sun Aug 23, 2015 9:35 am Post subject:

1-Take the developer's perspective: obviously your program is never meant to execute those instructions that are outside functions so if by mistake (like a corrupt function pointer...) your program does execute them it'll immediately trigger a breakpoint allowing you (the dev) to look at it, closer to where it started going wrong than if the program executed the next function (ie: when functions are padded with nops).

2-You can safely modify those bytes and/or put your hacks there (I've done that many times). However if the game has integrity checks, they'll likely also check this padding.

Fresco · Posted: Sun Aug 23, 2015 9:54 am Post subject:

Perhaps the game has it's own debugger in the background!
I saw that once in Need For Speed Most Wanted 2005
If that's the case then yes, changing those instructions may, but most of times will not, crash the game.
In your case though:
From the snapshot, I can see that the int3's are outside of functions (i.e. methods). Compilers like C++ fill blank areas (mainly for alignment purposes) with int3 instructions, I mean areas between functions or methods.
So yes, In your case, you can safely replace the int3's with whatever you please.
If you ever encounter an int3 inside a function/method

Redouane · Posted: Sun Aug 23, 2015 10:07 am Post subject:

STN · Posted: Sun Aug 23, 2015 12:01 pm Post subject:

The devs could have nothing to do with it and it may simply be compiler generated or a simple exception handling routine or just padding. Chances are those instructions are never executed.

I won't read much into it, the game is single player indie game probably using one of those weird game engines

atom0s · Posted: Sun Aug 23, 2015 1:38 pm Post subject:

1. It is compiler generated padding between functions. Depending on the compiler, those bytes can also be generated as various different things. It is used (int3) in those paddings as a sure-fire method to crash the application if anything is ever to over-extend its proper execution bounds.

2. No, it is just simple padding. You can safely do things to them if you are looking for places for code-caves and similar.

Dark Byte · Posted: Sun Aug 23, 2015 2:36 pm Post subject:

as everyone said, it's padding yes

One of the reasons it's not 0 is that 00 00 turns into add [eax],al which would make debugging things difficult if EAX contained something useful for debugging
e.g:

Redouane · Posted: Sun Aug 23, 2015 3:36 pm Post subject:

Thanks guys Smile