Created: Monday, February 6 2012 22:47.47 CST
Modified: Monday, February 6 2012 23:26.30 CST
OllyDbg v1.10 And Hardware Breakpoints
Author: waleedassar
Views: 2053
While playing with OllyDbg v1.10, I came across a weird behavior of OllyDbg v1.10 that has been fixed in the latest version. The problem lies in the way OllyDbg sets hardware breakpoints.
At 0x4D8D70 there is an array of four structures of type t_hardbpoint.
Each structure in this array holds the information for one hardware breakpoint: its address, type, and size. When you manually set a hardware breakpoint, the corresponding structure is filled in, but the breakpoint is not activated immediately.
On the other hand, when an EXCEPTION_SINGLE_STEP or EXCEPTION_BREAKPOINT is received, the information in the structures at 0x4D8D70 is copied into DR0 through DR3, overwriting whatever old values were there. The point is that if the debuggee programmatically sets a hardware breakpoint itself, a single step is enough to cause its debug registers to be cleared.
N.B. IDA Pro and OllyDbg v2.0 behave normally in this scenario.
An executable demonstrating how this strange behavior can be used to detect OllyDbg v1.10 can be found here:
http://ollytlscatch.googlecode.com/files/demo_hwbp.exe
Original topic here:
http://waleedassar.blogspot.com/2012/02/ollydbg-v110-and-hardware-breakpoints.html
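The following is an added illustration, not code from the post or from OllyDbg: it models the breakpoint-to-DRx sync step described above and contrasts the v1.10 policy (copy all four slots, used or not) with the fixed policy (copy only slots that hold a breakpoint). The t_hardbpoint field layout, the slot-empty test, and the debuggee's initial DR0 value are assumptions; the DR7 L/RW/LEN bit positions are the documented x86 encoding.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of one OllyDbg hardware breakpoint slot (the real
 * t_hardbpoint is not shown on the page). addr == 0 means "slot unused". */
typedef struct {
    uint32_t addr;  /* linear address of the breakpoint */
    uint32_t type;  /* DR7 R/W field: 0 = execute, 1 = write, 3 = read/write */
    uint32_t size;  /* 1, 2 or 4 bytes */
} t_hardbpoint;

typedef struct { uint32_t dr[4]; uint32_t dr7; } debug_regs;

/* DR7 LEN encoding: 1 byte -> 00, 2 bytes -> 01, 4 bytes -> 11. */
static uint32_t dr7_len(uint32_t size) { return size == 2 ? 1 : size == 4 ? 3 : 0; }

/* Write slot i into DRi and into its Li / R/Wi / LENi fields of DR7.
 * An empty slot leaves DRi = 0 and Li cleared, which is exactly how a
 * debuggee-owned breakpoint gets wiped. */
static void program_slot(debug_regs *r, int i, const t_hardbpoint *bp) {
    r->dr[i] = bp->addr;
    r->dr7 &= ~((1u << (2 * i)) | (0xFu << (16 + 4 * i)));
    if (bp->addr) {
        r->dr7 |= 1u << (2 * i);                                       /* Li */
        r->dr7 |= ((bp->type & 3) | (dr7_len(bp->size) << 2)) << (16 + 4 * i);
    }
}

/* v1.10 behaviour as described in the post: every slot is copied on
 * EXCEPTION_SINGLE_STEP / EXCEPTION_BREAKPOINT, initialized or not. */
void sync_all_slots(debug_regs *r, const t_hardbpoint bps[4]) {
    for (int i = 0; i < 4; i++) program_slot(r, i, &bps[i]);
}

/* Fixed behaviour: only slots that actually hold a breakpoint are written. */
void sync_used_slots(debug_regs *r, const t_hardbpoint bps[4]) {
    for (int i = 0; i < 4; i++)
        if (bps[i].addr) program_slot(r, i, &bps[i]);
}

/* Constructed debuggee state: the target set DR0 itself (execute
 * breakpoint at 0x401000, L0 enabled) before single-stepping. */
debug_regs debuggee_state(void) {
    debug_regs r = {{0x401000u, 0, 0, 0}, 1u};
    return r;
}

int main(void) {
    t_hardbpoint none[4] = {{0}};           /* debugger has no user breakpoints */
    debug_regs a = debuggee_state(), b = debuggee_state();
    sync_all_slots(&a, none);
    sync_used_slots(&b, none);
    printf("v1.10 policy: DR0=%#x DR7=%#x\n", a.dr[0], a.dr7);   /* 0, 0 */
    printf("fixed policy: DR0=%#x DR7=%#x\n", b.dr[0], b.dr7);   /* 0x401000, 1 */
    return 0;
}
```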
Blog Comments
NirIzr
Posted: Tuesday, February 7 2012 04:33.23 CST
Cool!
Do you have any idea why Olly behaves this way?
Is it a simple bug, or perhaps there's more to it?
Did you come across it when you were reversing something, or were you searching for bugs in Olly?
waleedassar
Posted: Tuesday, February 7 2012 13:30.29 CST
>>do you have any idea why olly behaves this way?
The reason why Olly v1.10 behaves this way is that Olly copies information from the t_hardbpoint structures to DRx, whether the structures are initialized or not, overwriting old values in DRx.
>>is it a simple bug or perhaps there's more to it?
Still investigating.
Here is how Olly v2.0 handles that situation.