Created: Monday, February 6 2012 22:47.47 CST Modified: Monday, February 6 2012 23:26.30 CST
OllyDbg v1.10 And Hardware Breakpoints
Author: waleedassar

While playing with OllyDbg v1.10, I came across a weird behavior of OllyDbg v1.10 that has been fixed in the latest version. The problem lies in the way OllyDbg v1.10 sets hardware breakpoints.

At 0x4D8D70, there is an array of four structures of type t_hardbpoint.


Each structure in this array holds the information for one hardware breakpoint: its address, type, and size. When you manually set a hardware breakpoint, the corresponding structure is filled in, but the breakpoint is not activated immediately.

Instead, when an EXCEPTION_SINGLE_STEP or EXCEPTION_BREAKPOINT is received, the information in the structures at 0x4D8D70 is copied into DR0 through DR3, overwriting whatever values those registers already held. The point here is that if you set a hardware breakpoint programmatically rather than through OllyDbg's own breakpoint list, a single step is enough to make OllyDbg clear the debug registers.

N.B. IDA Pro and OllyDbg v2.0 behave normally in this scenario.

An executable demonstrating how to use this strange behavior to detect OllyDbg v1.10 can be found here.
http://ollytlscatch.googlecode.com/files/demo_hwbp.exe

Original topic here.
http://waleedassar.blogspot.com/2012/02/ollydbg-v110-and-hardware-breakpoints.html


Blog Comments
NirIzr Posted: Tuesday, February 7 2012 04:33.23 CST
cool!
do you have any idea why olly behaves this way?
is it a simple bug or perhaps there's more to it?

did you come across it when you were reversing something or were you searching for bugs in olly?

waleedassar Posted: Tuesday, February 7 2012 13:30.29 CST
>>do you have any idea why olly behaves this way?
The reason why Olly v1.10 behaves this way is that Olly copies information from the t_hardbpoint structures to DRx, whether the structures are initialized or not, overwriting old values in DRx.

>>is it a simple bug or perhaps there's more to it?
Still investigating.

Here is how Olly v2.0 handles that situation.


