kitesan, Expert Cheater, Reputation: 0
Joined: 01 May 2014, Posts: 124
Posted: Sat Feb 07, 2015 4:57 am, Post subject: I can't find return point
Help, I'm inside a thread but I can't find a return point. I don't know how to get to the end of this thread because the code looks strange. The debugger says "Currently debugging Thread 30C0".
SteveAndrew, Master Cheater, Reputation: 30
Joined: 02 Sep 2012, Posts: 323
Posted: Sat Feb 07, 2015 5:33 am
Right click on the stack area in the bottom right corner and select "Full Stack".
Then start clicking on some addresses that look like return addresses.
Or you could always try a break and trace.
kitesan, Expert Cheater, Reputation: 0
Joined: 01 May 2014, Posts: 124
Posted: Sat Feb 07, 2015 6:11 am
Done... I can't find it yet.
SteveAndrew, Master Cheater, Reputation: 30
Joined: 02 Sep 2012, Posts: 323
Posted: Sat Feb 07, 2015 7:02 am
Okay, how about using step over instead of single step? You can get further that way.
Also try increasing the trace count.
Maybe save a trace and upload it so someone can take a look?
How does the code look? What's weird about it?
Find a "ret", and after that is where the function you were inside of was called from.
kitesan, Expert Cheater, Reputation: 0
Joined: 01 May 2014, Posts: 124
Posted: Sat Feb 07, 2015 7:08 am
It's like obfuscated... and I can't find any ret, by the way.
SteveAndrew, Master Cheater, Reputation: 30
Joined: 02 Sep 2012, Posts: 323
Posted: Sat Feb 07, 2015 7:19 am
Well, maybe there's an anti-debug (have you tried the other debug methods?).
If it's not anti-debug, then maybe the code you're looking at isn't running at the moment you're trying to break on it...
To check if the code is even being executed at all, and maybe get a return address (if it's on the top of the stack / nothing else pushed onto it at the point you hook from), have CE generate an auto assembler script for you, then modify it slightly:
Code:
//ce auto generated script (only the injected part is shown; keep the
//[ENABLE]/[DISABLE], alloc and jmp-hook lines exactly as CE generated them)
label(ReturnAddressMaybe)
registersymbol(ReturnAddressMaybe)

newmem:
push eax                      //save eax; the return address is now at [esp+4], not [esp]
mov eax,[esp+4]               //read the return address (only valid if nothing else was pushed since the call)
mov [ReturnAddressMaybe],eax  //stash it where you can read it from the table / memory view
pop eax
//on a 64-bit target use push rax / mov rax,[rsp+8] / mov [ReturnAddressMaybe],rax / pop rax

originalcode:
//original code here -->
// <--

exit:
jmp returnhere

ReturnAddressMaybe:
dq 0                          //stays 0 if the hooked code never runs
kitesan, Expert Cheater, Reputation: 0
Joined: 01 May 2014, Posts: 124
Posted: Sat Feb 07, 2015 7:30 am
I am actually debugging by VEH, because the game has anti-debug tricks.
This is a screen of the tracer, what do you think? Thanks for your help, by the way.
SteveAndrew, Master Cheater, Reputation: 30
Joined: 02 Sep 2012, Posts: 323
Posted: Sun Feb 08, 2015 9:11 am
You're right, it is a bit tricky-looking code, with all the jumps everywhere...
But anyway, I actually meant to use one of the newer features of CE and save the trace as a file (File->Save Trace...) and upload that so we could scroll down. An image is nice, but being able to load the entire thing and check it more thoroughly is better.
Anyway, I forgot to mention that if you manually set the breakpoint you can do Debug->Execute till return (Shift+F8).
Also, I pieced together a little Lua script that stops the debugger immediately after the first encounter of a "ret" or "ret XXXX", as long as the opcode says "ret" in it, basically...
Press CTRL+ALT+L or go to Table->Show Cheat Table Lua Script and paste this. Then modify "BreakpointAddress" to where you want to start debugging. I set it to your top address in that trace as an example.
Then, with CE attached to your process and the debugger also attached (set a breakpoint anywhere to get CE to ask you if you want to attach the debugger, and hit yes of course), you're ready to hit Execute on this Lua script.
Code:
BreakpointAddress=0x1455ca237 --change this to the address you want to start tracing from
FoundIt=0

debug_removeBreakpoint(BreakpointAddress) --clear any stale breakpoint at that address

function debugger_onBreakpoint()
  if(FoundIt == 0) then
    --queue a step over; this callback fires again at the next instruction
    debug_continueFromBreakpoint(co_stepover)
    extra, opcode, bytes, addy = splitDisassembledString(disassemble(RIP))
    RetFound = string.find(opcode, "ret")
    if(RetFound) then
      print(opcode)
      FoundIt=1
      debug_removeBreakpoint(BreakpointAddress)
      return 1 --no GUI update; the queued step executes the ret and lands at the return address
    end
  end
  --while stepping a continue is already queued, so this only refreshes the GUI;
  --once FoundIt==1 nothing is queued, so the debugger stops here (at the return address)
  return 0
end

debug_setBreakpoint(BreakpointAddress)
Once the breakpoint is hit, you'll see it tracing automatically for you until it encounters a ret somewhere along the line. If it doesn't, you might get stuck and have to close the game! lol... There isn't a maximum trace count; it just goes until it finds it!
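Building on the trace-until-ret idea above, here is an added example (not SteveAndrew's script and not part of the thread) that adds a step cap, so a trace that never meets a ret stops with a message instead of running until you kill the game. It assumes the same CE Lua debugger API used above, a 64-bit target (RIP; EIP is used on 32-bit), and the start address is a placeholder to replace.

```lua
-- Added example: trace with step over until a "ret"/"ret XXXX", then stop at the
-- return address, but give up after MaxSteps so the target cannot be left spinning.
BreakpointAddress = 0x1455ca237   -- placeholder: replace with the address to start tracing from
MaxSteps  = 5000                  -- upper bound on single steps before giving up
StepCount = 0
State     = "searching"           -- "searching" -> "found" -> "done"

function debugger_onBreakpoint()
  local pc = RIP or EIP           -- RIP on 64-bit targets, EIP on 32-bit
  if State == "done" then
    return 0                      -- plain breakpoint behaviour: let the GUI show it
  end
  if State == "found" then
    -- the previous hit was the ret; the step over it has returned to the caller
    State = "done"
    print(string.format("returned to %X after %d steps", pc, StepCount))
    return 0                      -- no continue queued, so the debugger stops here
  end
  local _, opcode = splitDisassembledString(disassemble(pc))
  StepCount = StepCount + 1
  if string.match(opcode, "^ret") then   -- anchored, so e.g. "iret" does not match
    print(string.format("ret at %X: %s", pc, opcode))
    State = "found"
    debug_removeBreakpoint(BreakpointAddress)
    debug_continueFromBreakpoint(co_stepover)   -- execute the ret itself
    return 1                                    -- no GUI update until we land in the caller
  end
  if StepCount >= MaxSteps then
    print(string.format("gave up at %X after %d steps without a ret", pc, MaxSteps))
    State = "done"
    debug_removeBreakpoint(BreakpointAddress)
    return 0                      -- stop and show where the trace ended
  end
  debug_continueFromBreakpoint(co_stepover)     -- keep tracing
  return 0                        -- continue already queued; this just refreshes the GUI
end

debug_removeBreakpoint(BreakpointAddress)       -- clear any stale breakpoint first
debug_setBreakpoint(BreakpointAddress)
```

If the cap is reached, the trace window shows the last stepped instruction, which is usually a good place to start a break and trace with a higher count.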
atom0s, Moderator, Reputation: 198
Joined: 25 Jan 2006, Posts: 8517, Location: 127.0.0.1
Posted: Sun Feb 08, 2015 10:19 pm
Instead of looking for the ret, try looking for the start of the thread. If you can find that, try to get the application to either recreate the thread, or have Cheat Engine immediately attach to the process and suspend it when it starts, re-find the desired code via AoB scanning, set a break at the start of the thread, and resume the process.