Cheat Engine. How to work after attaching

[anna]

I need  to attach some process , stop it right after attaching (CREATE_PROCESS_DEBUG_EVENT event) and do some work (set breakpoints , modify some opcodes etc.). Then I need resume process. So I need OllyBDG behaviour. But Cheat Engine runs attached process by itself. How to prevent this activities?

http://cheat-engine.googlecode.com/svn/trunk/Cheat Engine/
I have added some lines in execute-loop of debughelper.pas( https://code.google.com/p/cheat-engine/source/browse/trunk/Cheat+Engine/debughelper.pas?r=1464 ), but project freezes on startdebuggerifneeded(true) function:

Code: [Select]

      while (not terminated) and debugging do
      begin
        if WaitForDebugEvent(debugEvent, 100) then
        begin
(*CHANGES BEGIN*)
          if debugEvent.dwDebugEventCode=CREATE_PROCESS_DEBUG_EVENT then
          begin
            if startdebuggerifneeded(true) then
            begin
              DebuggerThread.ToggleOnExecuteBreakpoint($004A098D);
              memorybrowser.disassemblerview.Update;
            end;
          end;
(*CHANGES END*)
          ContinueStatus:=DBG_CONTINUE;
          debugging := eventhandler.HandleDebugEvent(debugEvent, ContinueStatus);

          if debugging then
          begin
            //check if something else has to happen (e.g: wait for user input)

            ContinueDebugEvent(debugEvent.dwProcessId, debugevent.dwThreadId, ContinueStatus);
          end;



        end
        else
        begin
          {
          no event has happened, for 100 miliseconds
          Do some maintenance in here
          }
          //remove the breakpoints that have been unset and are marked for deletion
          cleanupDeletedBreakpoints;
        end;
      end;

[anna]

As I see actually if you start a process (not attach) it's impossible to stop on AddressOfEntryPoint . But all debuggers first of all stop app on entry point.

[anna]

I have uploaded revision 1482 for further consideration:
http://www.mediafire.com/?d2gv0sggl06kfm5

And here is modified debughelper.pas: http://www.mediafire.com/?pvnctqhfdykwkey

I'm using Lazarus Lazarus-1.1-37902-fpc-2.6.1-20120709-win32 : http://www.mediafire.com/?scxw60fxdd9g9se

Can anybody tell me why it freezes on 237 line?

[anna]

In rev 1482 there is unit olddebugger.pas, which contain some work with CREATE_PROCESS_DEBUG_EVENT. But this unit is not used in any other unit. What is olddebugger intended for?

[anna]

Well next code works:

Code: [Select]

(*---------cut---------*)     
while (not terminated) and debugging do
      begin
        if WaitForDebugEvent(debugEvent, 100) then
        begin
          if debugEvent.dwDebugEventCode=CREATE_PROCESS_DEBUG_EVENT then
          begin
            self.ToggleOnExecuteBreakpoint($004A097D);
{Debuggerthread.ToggleOnExecuteBreakpoint($004A097D );// SIGSEGV error in ToggleOnExecuteBreakpoint function}
          end;

(*---------cut---------*)
But I would like to know why does not work commented code? As I see this topic is not interesting. So maybe anybody tell me how to find author of Code Engine. Is author registered on this forum.

The next task is how to know Entry Point and set breakpoint on it. There is SetEntryPointBreakpoint procedure in DebugHelper unit, but it does not toggle breakpoint (mayby it sets not int3-breakpoint, but a memory- or hardware-breakpoint)

Ok. I reach what I want . The problem was inside SetEntryPointBreakpoint procedure. The first comand was:

Code: [Select]

if fNeedsToSetEntryPointBreakpoint then
So I've commented out this line .

[anna]

I have found another (better ) way to stop application on entry point:

Code: [Select]

{------cut------------  -------------   -------------   -------------- }
      begin
        fNeedsToSetEntryPointBreakpoint:=false; //just be sure
        if not DebugActiveProcess(processid) then
          exit;
      end;       
{------cut------------  -------------   -------------   -------------- }fNeedsToSetEntryPointBreakpoint := TRUE; helps

But I need help with another problem. How programmicaly know that debugged process was stopped on Toggle Breakpoint. For example in my program I write:

Code: [Select]

uses
  Classes, SysUtils, FileUtil, Forms, Controls, Graphics, Dialogs, StdCtrls,
  ComCtrls, ActnList, ExtCtrls, FileCtrl,

  windows,ServiceManager,jwawintype, jwapsapi,
  mainunit, ProcessWindowUnit,
 dos,
  MemoryBrowserFormUnit, frmFillMemoryUnit,
  DebugHelper,CEDebugger;   
{...}


procedure TForm1.Button1Click(Sender: TObject);   
begin

  if startdebuggerifneeded(true) then
  begin
    DebuggerThread.ToggleOnExecuteBreakpoint($004A098D);
    memorybrowser.disassemblerview.Update;
  end;

    application.ProcessMessages;
    memorybrowser.Run1.Click;
{here I need some loop which will get control when debugged process will stop on address $004A098D}
end;

[anna]

DebuggerThread.isWaitingToContinue is what i was wanted. So for now everything is clear for me .

[anna]

Cheat engine does not work with nat (nats is long integer, which muck bigger longint interval) ( http://www.polarhome.com:793/~franco/bigint.zip )
I have uploaded project :
http://www.mediafire.com/?olygw13or4oiyd9
When you click on Button3 appears strange SIGSEG error . I think , problem is because of huge asm insertions in Bigint18 unit. How to solve problem?

So problem is in how assembler code compiled. So in cheat engine with nat unit added n_muls1 procedure is

Code: [Select]

CPU Disasm
Address   Hex dump          Command                                  Comments
005F44B0  /$  8B75 08       MOV ESI,DWORD PTR SS:[EBP+8]             ; ASCII "4294967296"
005F44B3  |.  8B7D 0C       MOV EDI,DWORD PTR SS:[EBP+0C]
005F44B6  |.  83FF 00       CMP EDI,0
005F44B9  |.  75 0F         JNE SHORT 005F44CA
005F44BB  |.  C706 01000000 MOV DWORD PTR DS:[ESI],1
005F44C1  |.  C746 04 00000 MOV DWORD PTR DS:[ESI+4],0
005F44C8  |.  EB 2B         JMP SHORT 005F44F5
005F44CA  |>  8B0E          MOV ECX,DWORD PTR DS:[ESI]
005F44CC  |.  31DB          XOR EBX,EBX
005F44CE  |.  8D748E 04     LEA ESI,[ECX*4+ESI+4]
005F44D2  |.  F7D9          NEG ECX
005F44D4  |>  8B048E        /MOV EAX,DWORD PTR DS:[ECX*4+ESI]
005F44D7  |.  F7E7          |MUL EDI
005F44D9  |.  01D8          |ADD EAX,EBX
005F44DB  |.  83D2 00       |ADC EDX,0
005F44DE  |.  89048E        |MOV DWORD PTR DS:[ECX*4+ESI],EAX
005F44E1  |.  89D3          |MOV EBX,EDX
005F44E3  |.  41            |INC ECX
005F44E4  |.^ 75 EE         \JNZ SHORT 005F44D4
005F44E6  |.  83FB 00       CMP EBX,0
005F44E9  |.  74 0A         JE SHORT 005F44F5
005F44EB  |.  8B75 08       MOV ESI,DWORD PTR SS:[EBP+8]
005F44EE  |.  FF06          INC DWORD PTR DS:[ESI]
005F44F0  |.  8B0E          MOV ECX,DWORD PTR DS:[ESI]
005F44F2  |.  891C8E        MOV DWORD PTR DS:[ECX*4+ESI],EBX
005F44F5  \>  C3            RETN

And in project just with nat unit:

Code: [Select]

CPU Disasm
Address   Hex dump          Command                                  Comments
0053D440  /$  55            PUSH EBP                                 ; project1.0053D440(guessed Arg1,Arg2)
0053D441  |.  89E5          MOV EBP,ESP
0053D443  |.  8B75 08       MOV ESI,DWORD PTR SS:[ARG.1]
0053D446  |.  8B7D 0C       MOV EDI,DWORD PTR SS:[ARG.2]
0053D449  |.  83FF 00       CMP EDI,0
0053D44C  |.  75 0F         JNE SHORT 0053D45D
0053D44E  |.  C706 01000000 MOV DWORD PTR DS:[ESI],1
0053D454  |.  C746 04 00000 MOV DWORD PTR DS:[ESI+4],0
0053D45B  |.  EB 2B         JMP SHORT 0053D488
0053D45D  |>  8B0E          MOV ECX,DWORD PTR DS:[ESI]
0053D45F  |.  31DB          XOR EBX,EBX
0053D461  |.  8D748E 04     LEA ESI,[ECX*4+ESI+4]
0053D465  |.  F7D9          NEG ECX
0053D467  |>  8B048E        /MOV EAX,DWORD PTR DS:[ECX*4+ESI]
0053D46A  |.  F7E7          |MUL EDI
0053D46C  |.  01D8          |ADD EAX,EBX
0053D46E  |.  83D2 00       |ADC EDX,0
0053D471  |.  89048E        |MOV DWORD PTR DS:[ECX*4+ESI],EAX
0053D474  |.  89D3          |MOV EBX,EDX
0053D476  |.  41            |INC ECX
0053D477  |.^ 75 EE         \JNZ SHORT 0053D467
0053D479  |.  83FB 00       CMP EBX,0
0053D47C  |.  74 0A         JE SHORT 0053D488
0053D47E  |.  8B75 08       MOV ESI,DWORD PTR SS:[ARG.1]
0053D481  |.  FF06          INC DWORD PTR DS:[ESI]
0053D483  |.  8B0E          MOV ECX,DWORD PTR DS:[ESI]
0053D485  |.  891C8E        MOV DWORD PTR DS:[ECX*4+ESI],EBX
0053D488  |>  C9            LEAVE
0053D489  \.  C2 0800       RETN 8

So in first code (copied from ollyDBG) there are no

PUSH EBP 
MOV EBP,ESP
LEAVE 

 instructions.

[anna]

There is stupid failure in Cheat Engine. Toggle breakpoint on 2 neighbouring instructions.
 For examle, suppose, we have next binary code:

00401012  MOV EAX,DWORD PTR DS:[4F01E7]
00401017  SHL EAX,2
0040101A  MOV DWORD PTR DS:[4F01EB],EAX

So we toggle-breakpoint (int3 breakpoint) on 00401017 and 0040101A. Then Run debugged process. First we must stop on 00401017. Run . Stop on 0040101A. Then change EIP-register to 00401012 (it will change current instruction , so we make such as jump to 00401012) . Then Run. As expected we will stop on 00401017, but breakpoint on 0040101A disappeare!!!!!!!!!

Well if we see breakpoint list, we see that breakpoint's Active column is No. The problem is in that debugger disables every breakpoint, but almost immediately SetBreakpoit back. What the stupid, eh!
So failure is shown as debugger forget to set breakpoint afret disabling it. Problem is on near 744 line in debugeventhandler.pas. Result := SingleStep(dwContinueStatus);  must be executed to set breakpoint back.

[anna]

One more question. Can Cheat Engine work without lua5.1-32.dll . I made my debugger (based on Cheat Engine) but when I run exe-file an error flashes "not found lua5.1-32.dll. bla-bla-bla";
(russian: приложению не удалось запуститься, поскольку  lua5.1-32.dll не был найден)

*******************

Does Cheat Engine uses lua-scripts by itself or just it contain some features for user?
I have tryed to delete fom project all units with 'lua' letters and commented out all errors which start appear. But my project does not work properly.

[Leledumbo]

One more question. Can Cheat Engine work without lua5.1-32.dll . I made my debugger (based on Cheat Engine) but when I run exe-file an error flashes "not found lua5.1-32.dll. bla-bla-bla";

Looking at the source it seems to use static loading so you can't run your program without it.

[anna]

One more question. Can Cheat Engine work without lua5.1-32.dll . I made my debugger (based on Cheat Engine) but when I run exe-file an error flashes "not found lua5.1-32.dll. bla-bla-bla";

Looking at the source it seems to use static loading so you can't run your program without it.

Maybe there is a way to move funcs from dll  to exe? Where is project which make dll?
Oh! There is no source of dll! 

[BigChimp]

Don't know what you mean exactly....

The lua 5.1 source code apparently is shown here:
http://www.lua.org/source/5.1/
... and I'm sure you can download it.

[anna]

Don't know what you mean exactly....

The lua 5.1 source code apparently is shown here:
http://www.lua.org/source/5.1/
... and I'm sure you can download it.

It is needed translation to Pascal... 

[BigChimp]

You're going to translate the interpreter for the lua script language to Pascal? Why?

Why don't you e.g. link statically to the lua library?