Application crashes when inserted breakpoint is hit


  • Hello everybody, recently I have used Visual Studio 2015 Professional to create two single-threaded 32-bit console applications:

    The first one I named "Break Me", and the other one I named "Breaker". Both applications are single-threaded.

    "Break Me" prints details about the process id, the thread id and the address of the counter variable, whose size is only 1 byte.

    When I press any key in "Break Me", this counter is incremented by 1, printed and updated on the console window.

    I also launch Cheat Engine (32-bit) and open "Break Me". Then I "add address manually" and add the address of the counter, which is printed on the console, to the Cheat Engine list view, so I don't have to guess. Then I "Find out what writes to this address", press any key in the "Break Me" console, and get the instruction "mov [ebp-19],al" with Count 1 at the address 00DB186F, where 00DB changes but 186F is constant. In "Breaker" I input the process id and thread id that are printed in the "Break Me" console window, so I don't have to guess, and also the address of the instruction that I found in Cheat Engine.

    I don't get any runtime error.

    I input process id and thread id with scanf_s("%d",&...); and the address of the instruction with scanf_s("%p",&...);

    After input, I OpenProcess with PROCESS_ALL_ACCESS and OpenThread with THREAD_ALL_ACCESS, use DebugActiveProcess, DebugActiveProcessStop, and WriteProcessMemory to insert the breakpoint at the increment instruction, whose address was input before; I use the "int 3" 0xcc value.

    Also, in an infinite loop, I use WaitForDebugEvent at the beginning of the loop and ContinueDebugEvent at the end of the loop.

    In the middle of the loop, I check if dwDebugEventCode == EXCEPTION_DEBUG_EVENT && u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT, and if the conditions are met, then Beep(800, 200);

    As I said, I don't get any compile error, nor even a runtime error.

    I expect that when I increment the counter by one by pressing any key in the console window of "Break Me", I am supposed to hear a beep, but instead "Break Me" crashes with no error.

    I saw 0xcc in this link

    I don't understand what I am doing wrong. I need some directions and guides; I am a newbie in Windows debugging. I need your help.
    Friday, April 8, 2016 7:37 PM

All replies

  • If I understand you correctly, I would assume you either have problems attaching, or else you detach the debugger from the debuggee with DebugActiveProcessStop before your debugger receives any DEBUG_EVENTs. For I would expect, according to your description, that you get two beeps.
    One when the initial EXCEPTION_BREAKPOINT is reached at attach, and a second one when you hit the 0xcc, before your app crashes from resuming with corrupted code, because you do not mention any breakpoint handling.
    I'd take a look at the samples at
    http://www.debuginfo.com/examples/dbgexamples.html
    for how to attach. Normally, there is no need to do an OpenProcess. The process handle and thread handles you get from the respective DEBUG_EVENTs.
    Also, I would insert the 0xcc breakpoint when the initial EXCEPTION_BREAKPOINT is reached, and certainly one needs to restore the original code sequence, decrement the program counter, ..., after the inserted bp is hit.

    Just as an example: Code before inserting the breakpoint:

    0:000> u 0xb017ea
    00b017ea 68306bb000      push    offset ConsoleApplication2!`string' (00b06b30)
    00b017ef e831fbffff      call    ConsoleApplication2!ILT+800(_printf) (00b01325)
    00b017f4 83c404          add     esp,4
    00b017f7 8bf4            mov     esi,esp
    00b017f9 ff156ca1b000    call    dword ptr [ConsoleApplication2!_imp__getchar (00b0a16c)]
    00b017ff 3bf4            cmp     esi,esp
    00b01801 e812f9ffff      call    ConsoleApplication2!ILT+275(__RTC_CheckEsp) (00b01118)
    00b01806 33c0            xor     eax,eax
    And afterwards:
    0:000> u 0xb017ea
    00b017ea cc              int     3
    00b017eb 306bb0          xor     byte ptr [ebx-50h],ch
    00b017ee 00e8            add     al,ch
    00b017f0 31fb            xor     ebx,edi
    00b017f2 ff              ???
    00b017f3 ff83c4048bf4    inc     dword ptr [ebx-0B74FB3Ch]
    00b017f9 ff156ca1b000    call    dword ptr [ConsoleApplication2!_imp__getchar (00b0a16c)]
    00b017ff 3bf4            cmp     esi,esp
    With kind regards

    EDIT: Forgot the first/second-chance notification, so there may be 3 beeps before the crash.
    Friday, April 8, 2016 11:29 PM
  • Wow long reply, thanks, I will be thinking about it.
    Sunday, April 10, 2016 11:40 AM