Flag: Tornado! Hurricane!

Blogs >> waleedassar's Blog

Created: Monday, February 6 2012 22:47.47 CST Modified: Monday, February 6 2012 23:26.30 CST
Printer Friendly ...
OllyDbg v1.10 And Hardware Breakpoints
Author: waleedassar # Views: 24770

While playing with OllyDbg v1.10, i  came across a weird behavior of OllyDbg v1.10, which was fixed in the latest version. The problem lies in the way OllyDbg sets hardware breakpoints.

At 0x4D8D70, there is an array of four structures of type, t_hardbpoint.


Each structure in this array holds information about each hardware breakpoint. Information includes hardware breakpoint address, type, and size. When you manually set a hardware breakpoint, this structure is filled, but the breakpoint is not immediately activated.

On the other hand, when an EXCEPTION_SINGLE_STEP or EXCEPTION_BREAKPOINT is received, information in the structures at 0x4D8D70 is copied to DR0 through DR3 overwriting old values in them, if there are any. The point here is that if you programmatically set a hardware breakpoint, single stepping will be enough to cause debug registers to be cleared.

N.B. IDA pro and OllyDbg v2.0 behave normally with this scenario.

An executable demonstrating how to use this strange behavior to detect OllyDbg v1.10 can be found here.
http://ollytlscatch.googlecode.com/files/demo_hwbp.exe

Original topic here.
http://waleedassar.blogspot.com/2012/02/ollydbg-v110-and-hardware-breakpoints.html


Blog Comments
NirIzr Posted: Tuesday, February 7 2012 04:33.23 CST
cool!
do you have any idea why olly behaves this way?
is it a simple bug or perhaps there's more to it?

did you came across it when you were reversing something our were you searching for bugs in olly?

waleedassar Posted: Tuesday, February 7 2012 13:30.29 CST
>>do you have any idea why olly behaves this way?
The reason why Olly v1.10 behaves this way is that Olly copies information from the t_hardbpoint structures to DRx, whether the structures are initialized or not, overwriting old values in DRx.

>>is it a simple bug or perhaps there's more to it?
Still investigating.

Here is how Olly v2.0 handles that situation.



Add New Comment
Comment:









There are 31,054 total registered users.


Recently Created Topics
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Immunity Debugger Re...
Aug/03


Recent Forum Posts
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack


Recent Blog Entries
crystalwade
Jul/20
test

nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit