About
Articles
Book Store
Distributed RCE
Downloads
Event Calendar
Forums
Live Discussion
Reference Library
RSS Feeds
Search
Users
What's New
Customize Theme
bluegrey
blackgreen
metal
simple
Flag:
Tornado!
Hurricane!
Login:
Password:
Remember Me
Register
Blogs
>>
waleedassar
's Blog
Created: Monday, February 6 2012 22:47.47 CST
Modified: Monday, February 6 2012 23:26.30 CST
Printer Friendly ...
OllyDbg v1.10 And Hardware Breakpoints
Author:
waleedassar
# Views:
29245
While playing with OllyDbg v1.10, i came across a weird behavior of OllyDbg v1.10, which was fixed in the latest version. The problem lies in the way OllyDbg sets hardware breakpoints.
At 0x4D8D70, there is an array of four structures of type, t_hardbpoint.
Each structure in this array holds information about each hardware breakpoint. Information includes hardware breakpoint address, type, and size. When you manually set a hardware breakpoint, this structure is filled, but the breakpoint is not immediately activated.
On the other hand, when an EXCEPTION_SINGLE_STEP or EXCEPTION_BREAKPOINT is received, information in the structures at 0x4D8D70 is copied to DR0 through DR3 overwriting old values in them, if there are any. The point here is that if you programmatically set a hardware breakpoint, single stepping will be enough to cause debug registers to be cleared.
N.B. IDA pro and OllyDbg v2.0 behave normally with this scenario.
An executable demonstrating how to use this strange behavior to detect OllyDbg v1.10 can be found here.
http://ollytlscatch.googlecode.com/files/demo_hwbp.exe
Original topic here.
http://waleedassar.blogspot.com/2012/02/ollydbg-v110-and-hardware-breakpoints.html
Blog Comments
NirIzr
Posted: Tuesday, February 7 2012 04:33.23 CST
cool!
do you have any idea why olly behaves this way?
is it a simple bug or perhaps there's more to it?
did you came across it when you were reversing something our were you searching for bugs in olly?
waleedassar
Posted: Tuesday, February 7 2012 13:30.29 CST
>>do you have any idea why olly behaves this way?
The reason why Olly v1.10 behaves this way is that Olly copies information from the t_hardbpoint structures to DRx, whether the structures are initialized or not, overwriting old values in DRx.
>>is it a simple bug or perhaps there's more to it?
Still investigating.
Here is how Olly v2.0 handles that situation.
Add New Comment
Comment:
There are
31,313
total registered users.
Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...
Recent Blog Comments
nieo
on:
Mar/22
IAT Patcher - new tool for ...
djnemo
on:
Nov/17
Kernel debugger vs user mod...
acel
on:
Nov/14
Kernel debugger vs user mod...
pedram
on:
Dec/21
frida.github.io: scriptable...
capadleman
on:
Jun/19
Using NtCreateThreadEx for ...
More ...
Imagery
SoySauce Blueprint
Jun 6, 2008
[+] expand
View Gallery
(11) /
Submit
Printer Friendly ...
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}