📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Watches (IDA Pro forum)

Topic created on: March 25, 2008 20:23 CDT by mori.

Whilst running an application, I have some data which I'd like to be able to know when the application is processing.
Is there a way of setting IDA up to stop when a string variable contains a section of data?

  detlef   March 26, 2008 03:31.43 CDT
Ollydbg offers methods to break on access, read, write on arbitrary memory locations.
I think that this is also possible in IDA Pro but I've not done it with it.
Take a look into the manual... it should be written down there

  mori     March 26, 2008 04:15.47 CDT
Yeah, it's possible to do that, but only if you know the memory location; I only know what data will be in it.

Brian

  RabidCicada     March 26, 2008 09:51.59 CDT
Mori,
It sounds like you could use another tool to help you out.  I'd say to start debugging the application then use a memory space searcher to find the value you know exists in the program.  Then you can use IDA pro to peek at the location and set a memory access breakpoint.

An example program is something like Tsearch (more focused on gaming-type hacking).  It'll search a process memory space for a value.  I'm sure there are other tools.  Then when you get the location use your debugger to set a memory access breakpoint on it.  It takes some time to find the memory location with that value because it requires contextual information to interpret arbitrary bytes of information.

For example:
You may want to search for a character's health.  You'll have to take a guess at how the health is stored (long unsigned int, signed int) (how many bytes are used? 1, 2, 4).  You tell Tsearch to then perform a search.  Due to the inherently large memory space of many programs it's likely you'll find many matches that are not the real thing.  What you do then is force the value to change (hurt your character a bit), then search through the points you found before for any that match your new health value.  Keep narrowing like that.  You just need to find some way to force a known new value for the point of interest.

If you're looking for a different value like a string in memory then you just need to find a tool that does what you're looking for or write your own for IDA with the plugin capabilities.

  daniellewis     March 26, 2008 21:34.42 CDT
The problem with that is that the value may never be stored in unciphered form in memory.  Which is when you'd diff your memory dump before and after changing something (hopefully only that thing) to narrow down your search and then set breakpoints on tainted stuff and trace it down that way.

  RabidCicada     March 27, 2008 12:35.57 CDT
> daniellewis: The problem with that is that the value may never be stored in unciphered form in memory.  Which is when you'd diff your memory dump before and after changing something (hopefully only that thing) to narrow down your search and then set breakpoints on tainted stuff and trace it down that way.

He's very right.  If there's any kind of encoding in general (whether ciphering on purpose, or just the method of storing information) then you will not be able to find it using a simple memory space searcher.

Your next question is, well, how do you know if it's encoded?  The answer is you really can't know pre-emptively.  You simply have to invest the time to figure it out on your own.

Daniellewis's recommendation is a good one... though, as he alluded to, the state of many memory locations may change along with your target for related or completely unrelated reasons.  Example: You dump memory.  You shoot yourself to force a life total change.  You dump memory.  You find 501 memory locations changed.  Well, what are some of those?  Let's see: Life did change, so did your location when you got blasted backwards by the rocket launcher, so did game time, so did ammo count, so did..... and the list goes on.

When it comes down to it you simply have to sleuth your way through it by trying to rule out variables that you can then force ways of uniquely pulling your target value out of the noise.
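The search-then-narrow procedure RabidCicada describes, together with the before/after dump diff daniellewis suggests, as an added example that is not part of the thread and uses none of the tools named in it (Tsearch, IDA). The 64-byte "process memory", its variable layout and the offsets are constructed for illustration; the encoded copy of the value at offset 48 is there to show why an encoded value never turns up in a plain search.

```python
"""Simulated "search, force a change, search again" narrowing over memory snapshots.

Added example, not from the thread or from any tool named in it (Tsearch, IDA):
the snapshots, offsets and variable layout below are constructed for illustration.
"""
import struct
from typing import Dict, List, Set

# Candidate integer encodings the value might be stored under (the "how many
# bytes? signed or unsigned?" guess from the thread), little-endian.
ENCODINGS = ["<B", "<H", "<I", "<b", "<h", "<i"]


def scan_for_value(snapshot: bytes, value: int) -> Dict[str, Set[int]]:
    """Return {encoding: offsets} at which `value` occurs in `snapshot`."""
    hits: Dict[str, Set[int]] = {}
    for fmt in ENCODINGS:
        try:
            pattern = struct.pack(fmt, value)
        except struct.error:
            continue  # value does not fit this width/signedness, rule it out
        found: Set[int] = set()
        idx = snapshot.find(pattern)
        while idx != -1:
            found.add(idx)
            idx = snapshot.find(pattern, idx + 1)
        if found:
            hits[fmt] = found
    return hits


def narrow(snapshots: List[bytes], values: List[int]) -> Dict[str, Set[int]]:
    """Keep only offsets that held the known value in every snapshot.

    values[i] is what the target was worth when snapshots[i] was taken; the
    value must be forced to change between snapshots or nothing gets ruled out.
    """
    if len(snapshots) != len(values) or not snapshots:
        raise ValueError("need one known value per snapshot")
    candidates = scan_for_value(snapshots[0], values[0])
    for snap, val in zip(snapshots[1:], values[1:]):
        fresh = scan_for_value(snap, val)
        candidates = {fmt: offs & fresh.get(fmt, set()) for fmt, offs in candidates.items()}
        candidates = {fmt: offs for fmt, offs in candidates.items() if offs}
    return candidates


def changed_offsets(before: bytes, after: bytes) -> List[int]:
    """Byte offsets that differ between two dumps (the before/after diff approach)."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def build_snapshot(health: int, ammo: int, game_time: int) -> bytes:
    """Constructed 64-byte 'process memory' holding a few live variables plus filler."""
    buf = bytearray(64)
    buf[0:4] = struct.pack("<I", game_time)              # changes every tick: noise
    buf[8:10] = struct.pack("<H", ammo)                  # changes for unrelated reasons
    buf[20:24] = struct.pack("<I", health)               # the value we are hunting
    buf[40:44] = struct.pack("<I", 300)                  # decoy: equals the initial health
    buf[48:52] = struct.pack("<I", health ^ 0x5A5A5A5A)  # same value, but stored encoded
    return bytes(buf)


if __name__ == "__main__":
    snaps = [build_snapshot(300, 30, 1000), build_snapshot(275, 27, 1500), build_snapshot(260, 27, 2000)]
    print("first scan:", scan_for_value(snaps[0], 300))      # decoy at 40 is still in play
    print("narrowed:", narrow(snaps, [300, 275, 260]))        # only offset 20 survives
    print("changed between dumps 1 and 2:", changed_offsets(snaps[0], snaps[1]))
```

Two things the run shows that the prose only states: the decoy at offset 40 survives the first scan and is only ruled out once the health is forced to change, while the XOR-encoded copy at offset 48 is never found at all. The 2-byte and 4-byte encodings also stay ambiguous to the end because the upper bytes happen to be zero; only a value large enough to need the upper bytes would settle the width.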

  mori     May 13, 2008 12:20.22 CDT
Well...  I spent 2 months every waking hour outside of work trying to whittle down the 650,000 functions to find the function which deals with access rights in the application, to no avail.
I did notice if I do something I'm not allowed to do, then do something I am allowed to do, it denies me access to it.  So I'm certain I can trace it with a memory compare..  What tools can I use to get a memory dump?  Will IDA do it?  I'd like to tie it back into IDA; but if I run it again, the memory locations are likely to be alloc'd differently.  Very frustrating.
I'm quite certain the code is not morphic, but it is complex enough, and substantial operations occur in the operations I'm looking at..  Every time I get close, I find I'm looking into the wrong corner.
I've been able to trace the operations which have strings involved; interacting with the user, but this is pure API calls, and very difficult to trace.
Does anyone know of any documentation of the "watches" feature of IDA? I can find no documentation, and it really doesn't behave in any way I can determine.

  mori     May 13, 2008 12:21.33 CDT
I'd like to be able to "watch" until a pointer comes into a register which points to a string containing something I can trace.. But I have a feeling IDA watches don't work that way.

  dennis     May 14, 2008 07:22.14 CDT
> mori: I'd like to be able to "watch" until a pointer comes into a register which points to a string containing something I can trace.. But I have a feeling IDA watches don't work that way.

A somewhat circumstantial and slow solution is to enable instruction tracing in IDA and then define a stop condition using the IDC language. A sample stop condition would be "ebx == 0x403000". For a more complex stop condition you can write and compile an IDC script and enter its custom function name into the stop condition field.
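The kind of custom stop condition dennis describes, written as an added example rather than anything from the thread: it generalizes the `ebx == 0x403000` check to "the register holds a pointer to a C string containing some text", which is the condition mori asked for. The logic is kept separate from the debugger so it can be run against a constructed memory image; the memory regions, register values and the IDAPython names used in `ida_stop_condition()` (`idc.get_reg_value`, `idc.read_dbg_memory`) are assumptions for illustration.

```python
"""A "register points to a string containing X" stop condition, evaluated offline.

Added example, not from the thread: it generalizes the `ebx == 0x403000`
condition to the pointer-to-string check mori asked for. The memory image,
register values and the IDAPython names in ida_stop_condition() are assumptions.
"""
from typing import Callable, Dict, Optional

# (address, length) -> bytes, or None when the address is not mapped
Reader = Callable[[int, int], Optional[bytes]]


def read_c_string(read: Reader, addr: int, max_len: int = 256) -> Optional[bytes]:
    """NUL-terminated string at addr; None if unmapped or unterminated within max_len."""
    chunk = read(addr, max_len)
    if not chunk:
        return None
    end = chunk.find(b"\x00")
    return chunk[:end] if end != -1 else None


def reg_points_to_string_containing(regs: Dict[str, int], read: Reader,
                                    reg: str, needle: bytes) -> bool:
    """True when register `reg` holds a pointer to a C string containing `needle`."""
    ptr = regs.get(reg, 0)
    if ptr == 0:                      # NULL or unknown register: never stop here
        return False
    s = read_c_string(read, ptr)
    return s is not None and needle in s


def make_reader(image: Dict[int, bytes]) -> Reader:
    """Reader over a constructed memory image given as {base_address: bytes} regions."""
    def read(addr: int, length: int) -> Optional[bytes]:
        for base, data in image.items():
            if base <= addr < base + len(data):
                off = addr - base
                return data[off:off + length]
        return None
    return read


def ida_stop_condition(reg: str = "ebx", needle: bytes = b"admin") -> bool:
    """Same check bound to the live debugger inside IDA (assumed IDAPython API names)."""
    import idc  # only importable inside IDA; name this function in the stop condition field
    regs = {reg: idc.get_reg_value(reg)}
    return reg_points_to_string_containing(regs, idc.read_dbg_memory, reg, needle)


if __name__ == "__main__":
    # Constructed image: one terminated string and one region with no terminator.
    read = make_reader({0x403000: b"user=admin;role=1\x00pad", 0x500000: b"no terminator"})
    regs = {"ebx": 0x403000, "eax": 0x500000, "ecx": 0}
    print(reg_points_to_string_containing(regs, read, "ebx", b"admin"))   # True
    print(reg_points_to_string_containing(regs, read, "eax", b"no"))      # False: unterminated
```

The condition refuses to stop on a NULL or unmapped pointer and on memory with no terminator within the read window, which matters because a tracing stop condition is evaluated on every instruction and a register will hold garbage far more often than a valid string pointer; a condition that raised on a bad read would abort the trace instead of continuing it.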
