Cheat Engine: The Official Site of Cheat Engine
IAmHawtness (How do I cheat?)
Reputation: 0, Joined: 02 Aug 2009, Posts: 3
Posted: Fri Oct 02, 2009 5:35 pm, Post subject: EFLAGS help needed - What's the deal with the Resume Flag?
So, I've made a hack for this MMORPG which uses debugging functions to set breakpoints at certain functions inside the game (send and receive packet functions (before/after en/decryption of the game packets)) and it works awesomely well.
However, it only works on Windows Vista and Seven. This is the part of my code that fails (note: written in VB.NET):
Code:
' Open the thread that raised the debug event with full access
hThread = OpenThread(ThreadAccessFlags.THREAD_ALL_ACCESS, False, DebugEvent.dwThreadId)
' Ask for the complete register set so EFlags is filled in
cThread.ContextFlags = ContextFlagsIntel.CONTEXT_ALL
GetThreadContext(hThread, cThread)
cThread.EFlags = cThread.EFlags Or EFLAGS.RF '// Sets the Resume Flag (bit 16, &H10000) so the breakpoint that just fired is skipped once on resume
'Do stuff here
SetThreadContext(hThread, cThread)
CloseHandle(hThread)
On Windows XP, the Resume Flag doesn't get set properly and it just freezes the application instead of continuing after the breakpoint is hit, as it is supposed to do.
I've already read the one or two posts on here about the Resume Flags not working, but has anyone figured out exactly why? I haven't seen any documentation at all about it not supporting Windows XP/older versions.
Anyone got any idea?
tombana (Master Cheater)
Reputation: 2, Joined: 14 Jun 2007, Posts: 456, Location: The Netherlands
Posted: Sat Oct 03, 2009 4:42 am
Code:
cThread.EFlags = cThread.EFlags Or EFLAGS.RF '// Sets the Resume Flag
I don't know VB.NET, but are you sure that 'Or' is the bitwise-or operator and not the logical-or operator?
Dark Byte (Site Admin)
Reputation: 472, Joined: 09 May 2003, Posts: 25867, Location: The Netherlands
Posted: Sat Oct 03, 2009 5:03 am
It's not working because it's just broken in Windows XP and 2000. The RF flag just isn't handled properly by the combination of SetThreadContext and ContinueDebugEvent. (Perhaps it executes at least one other instruction before entering the correct EIP, which clears the RF flag, causing the same breakpoint to execute again.)
Anyhow, the way CE does it is: remove the breakpoint for the specific thread, set the single-step flag in the EFLAGS register, execute that thread till the next time it appears (note: in the time between waiting for the next instruction to break, another thread can have caused a breakpoint as well, so watch for that) and then set the breakpoint back on that thread.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
IAmHawtness (How do I cheat?)
Reputation: 0, Joined: 02 Aug 2009, Posts: 3
Posted: Sat Oct 03, 2009 5:42 am
tombana wrote:
    Code:
    cThread.EFlags = cThread.EFlags Or EFLAGS.RF '// Sets the Resume Flag
    I don't know VB.NET, but are you sure that 'Or' is the bitwise-or operator and not the logical-or operator?
Yes
Dark Byte wrote:
    It's not working because it's just broken in Windows XP and 2000. The RF flag just isn't handled properly by the combination of SetThreadContext and ContinueDebugEvent. (Perhaps it executes at least one other instruction before entering the correct EIP, which clears the RF flag, causing the same breakpoint to execute again.)
    Anyhow, the way CE does it is: remove the breakpoint for the specific thread, set the single-step flag in the EFLAGS register, execute that thread till the next time it appears (note: in the time between waiting for the next instruction to break, another thread can have caused a breakpoint as well, so watch for that) and then set the breakpoint back on that thread.
I see, thanks for the explanation. I'm glad it wasn't my program that was doing something wrong.
But, the way Cheat Engine is doing it, won't that cause my program to miss some exceptions if the instructions are executed right after setting the Single Step flag? I want my program to record every time a certain function in the game is called.
Dark Byte (Site Admin)
Reputation: 472, Joined: 09 May 2003, Posts: 25867, Location: The Netherlands
Posted: Sun Oct 04, 2009 4:52 am
After the single step your debugger will break again saying it was a single step exception, and that happens BEFORE that instruction is executed.
So then disable the single step flag (not sure if Windows does that for you or not, I always do it to be sure), set the breakpoint back and continue. If that new EIP also has a breakpoint, it will then get triggered.
(TF is triggered because of the execution of the previous instruction, not the current one.)
Example:
00400100: nop //DR0 breakpoint
00400101: nop //DR1 breakpoint
EIP at 00400100 will cause a breakpoint, BEFORE executing it, so EIP is still at 00400100.
You disable the DR0 breakpoint in this specific thread,
set the single step flag and continue.
It will then break at 00400101 because of the TF flag.
Set the DR0 breakpoint back in the thread,
remove the TF flag and continue.
It will then break on 00400101 because of the DR1 debug register.
So disable DR1,
single step,
.......
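The two resume strategies discussed in this thread, modelled as an added example (not Cheat Engine's code and not the poster's): the Resume Flag route from the first post and the disarm / single-step / re-arm route Dark Byte lays out above. The CPU, the debug registers and the debug-event loop are plain Python objects with constructed addresses, so it runs without Windows. The model honours RF the way the first post reports Vista and 7 do, and it labels the two event kinds `hw_breakpoint` and `single_step` for readability (on Windows both arrive as EXCEPTION_SINGLE_STEP and the debugger tells them apart through DR6). It also goes a step beyond the two-nop listing: the nops sit inside a small loop, so each breakpoint fires more than once and the re-arm step is exercised, which is exactly the "will I miss a hit?" question asked in the reply above.

```python
"""Model of resuming past a hardware execution breakpoint: RF versus
disarm / single-step / re-arm. Everything is simulated; the addresses and the
three-instruction loop are constructed sample input."""

TF = 1 << 8    # EFLAGS Trap Flag: raise a single-step trap after the next instruction
RF = 1 << 16   # EFLAGS Resume Flag: suppress instruction breakpoints for one instruction


class Cpu:
    """One thread: program map {eip: (mnemonic, jump_target)}, EFLAGS, ECX.
    Hardware execution breakpoints (DR0..DR3) are modelled as a set of addresses."""

    def __init__(self, program, ecx):
        self.program = program
        self.eip = min(program)
        self.eflags = 0
        self.ecx = ecx
        self.halted = False
        self.debug_regs = set()

    def step(self):
        """Run one instruction; return the debug event it raised, or None.
        A breakpoint is a fault: reported BEFORE the instruction runs, EIP still on
        it, unless RF covers this one instruction. A single-step is a trap:
        reported AFTER the instruction ran, if TF was set before it ran."""
        if self.halted:
            return None
        if self.eip in self.debug_regs and not self.eflags & RF:
            return ("hw_breakpoint", self.eip)
        trap_pending = bool(self.eflags & TF)
        self.eflags &= ~RF                      # RF only ever covers one instruction
        mnemonic, target = self.program[self.eip]
        if mnemonic == "loop":                  # dec ecx; jump to target while ecx != 0
            self.ecx -= 1
            self.eip = target if self.ecx else self.eip + 1
        elif mnemonic == "ret":
            self.halted = True
        else:                                   # nop: fall through to the next byte
            self.eip += 1
        return ("single_step", self.eip) if trap_pending else None


class RfDebugger:
    """First post's approach: record the hit, set RF in the context, continue."""

    def __init__(self):
        self.hits = []

    def on_event(self, cpu, kind, addr):
        if kind == "hw_breakpoint":
            self.hits.append(addr)
            cpu.eflags |= RF


class StepDebugger:
    """Dark Byte's approach: disarm the breakpoint that fired (this thread only),
    set TF, let exactly one instruction run, then re-arm it and clear TF. If the
    new EIP also carries a breakpoint, the next step() reports it before
    execution, so adjacent breakpoints are not lost."""

    def __init__(self):
        self.hits = []
        self.disarmed = None

    def on_event(self, cpu, kind, addr):
        if kind == "hw_breakpoint":
            self.hits.append(addr)
            cpu.debug_regs.discard(addr)
            self.disarmed = addr
            cpu.eflags |= TF
        elif kind == "single_step":
            cpu.eflags &= ~TF                   # clear TF ourselves, not relying on the OS
            if self.disarmed is not None:
                cpu.debug_regs.add(self.disarmed)
                self.disarmed = None


def run(debugger, breakpoints, ecx=2, limit=1000):
    """Drive the debug-event loop over a constructed loop that executes the two
    nop bytes from Dark Byte's example `ecx` times.
    Returns (recorded breakpoint hits, number of debug events delivered)."""
    program = {
        0x400100: ("nop", None),         # DR0 breakpoint in the example
        0x400101: ("nop", None),         # DR1 breakpoint in the example
        0x400102: ("loop", 0x400100),    # jump back while ecx != 0
        0x400103: ("ret", None),
    }
    cpu = Cpu(program, ecx)
    cpu.debug_regs = set(breakpoints)
    events = 0
    while not cpu.halted and events < limit:
        event = cpu.step()
        if event is not None:
            events += 1
            debugger.on_event(cpu, *event)
    return debugger.hits, events


if __name__ == "__main__":
    for dbg in (RfDebugger(), StepDebugger()):
        hits, events = run(dbg, {0x400100, 0x400101})
        print(type(dbg).__name__, [hex(h) for h in hits], "events:", events)
```

Both debuggers record the same four hits (00400100, 00400101, twice each); the step-based one simply pays an extra single-step event per hit, which is the cost of not depending on RF being honoured across SetThreadContext and ContinueDebugEvent.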
IAmHawtness (How do I cheat?)
Reputation: 0, Joined: 02 Aug 2009, Posts: 3
Posted: Sun Oct 04, 2009 6:56 am
Dark Byte wrote:
    After the single step your debugger will break again saying it was a single step exception, and that happens BEFORE that instruction is executed.
    So then disable the single step flag (not sure if Windows does that for you or not, I always do it to be sure), set the breakpoint back and continue. If that new EIP also has a breakpoint, it will then get triggered.
    (TF is triggered because of the execution of the previous instruction, not the current one.)
    Example:
    00400100: nop //DR0 breakpoint
    00400101: nop //DR1 breakpoint
    EIP at 00400100 will cause a breakpoint, BEFORE executing it, so EIP is still at 00400100.
    You disable the DR0 breakpoint in this specific thread,
    set the single step flag and continue.
    It will then break at 00400101 because of the TF flag.
    Set the DR0 breakpoint back in the thread,
    remove the TF flag and continue.
    It will then break on 00400101 because of the DR1 debug register.
    So disable DR1,
    single step,
    .......
Ah, I see, thanks a bunch!