Setting Breakpoints & Stepping Instructions

In HyperDbg, we have multiple options to set a breakpoint.

One of the ways of setting breakpoints is hooking. Another way is using the 'bp' command. In this article, we describe the second method.

Assume that ObRegisterCallbacks is located at fffff805`5cbac610.

This function creates callbacks for thread, process, and other objects' tasks like creation, opening, etc. You can see more information at MSDN.

Many game anti-cheat solutions use this function to monitor processes to prevent game cheater to cheat on games.

In order to bypass this mechanism, we use the following command in HyperDbg to set a breakpoint on this function.

0: kHyperDbg> bp nt!ObRegisterCallbacks

or,

0: kHyperDbg> bp fffff805`5cbac610

Then, we will run our game and see if the breakpoint is triggered or not.

If the breakpoint is triggered, then the system is halt and we are able to control the debuggee.

After that, we can use the 'p' command to step-over the instructions.

0: kHyperDbg> p 
fffff805`5cbac610    48 81 EC 50 01 00 00                sub rsp, 0x150

You can also add a number to run multiple instructions.

0: kHyperDbg> p 3
fffff805`5cbac610    48 81 EC 50 01 00 00                sub rsp, 0x150
fffff805`5cbac617    48 8D AC 24 80 00 00 00             lea rbp, ss:[rsp+0x80]
fffff805`5cbac620    C6 45 AB 00                         mov byte ptr ss:[rbp-0x55], 0x00

If you want to step-in, you can use the 't' command.

0: kHyperDbg> t
fffff805`5cbac610    48 81 EC 50 01 00 00                sub rsp, 0x150