
Created: Friday, March 30 2007 01:17.30 CDT Modified: Friday, March 30 2007 01:18.46 CDT
Getting to where you need to with Memory break points
Author: apridgen # Views: 2819

Up front and personal, the lesson from this exercise is that memory breakpoints are your friend.  Use them, but use them wisely.

I am sure this has been covered elsewhere, but I want to mark it up in another section of the internet mostly for my benefit (being old and having a mild form of memory loss has an impact), and it might prove useful to others new to the art.

This is actually a slight variation from E. Eilam's Cryptex example in Reversing.  In his example, Cryptex is actually a single thread target, and here we want to attack a multi-threaded target.

In this scenario there are n threads, where n > 1:

t_0 is my target and t_x is the thread where my input is received and later passed on to t_0.  In this particular scenario, t_x is a window/dialog box that requires user interaction after the input is given, so simply stepping through the program is not feasible.  The program is large, so simply stepping through the target to get to the point before t_x is spawned is also not feasible.

Basically, I invoke Feature K and this feature prompts me in another window via a dialog box to provide the required input.  I control the input, so I input something unique: "Hello World, Fool!".  Now, before I click OK on the dialog box, I break the program and perform a memory search for "Hello World, Fool!", and I put a memory breakpoint at this position.  Resume program execution and then click OK in the dialog box.  Bing! The program should break because t_0 (or any other thread) needs this input to perform Feature K.  Onward and forward, happy reversing me.
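To make the "search, then watch" step concrete, here is an added example (my own Python, not code from the post or from Eilam's book) that models it: it finds every copy of the marker in a memory snapshot, including the UTF-16 copy a Windows dialog typically holds alongside any ASCII copy, and builds the DR0/DR7 values a debugger writes into a thread's context, which in a multi-threaded target must go into every thread since x86 debug registers are per-thread state. The memory snapshot, region addresses and the 4-byte watch length are constructed assumptions for the example.

```python
import re

# Constructed sample: a snapshot of two readable regions of the target, keyed by
# base address. Dialog-box text on Windows is usually stored as UTF-16LE, so the
# ASCII copy may only exist once the program has converted the input.
MARKER = "Hello World, Fool!"
REGIONS = {
    0x00400000: b"\x00" * 64 + MARKER.encode("utf-16-le") + b"\x00" * 64,
    0x00A00000: b"junk" * 8 + MARKER.encode("ascii") + b"\x00" * 32,
}

def find_marker(regions, marker):
    """Return every (address, encoding) where the marker appears in the snapshot."""
    hits = []
    for base, data in sorted(regions.items()):
        for enc in ("ascii", "utf-16-le"):
            needle = marker.encode(enc)
            for m in re.finditer(re.escape(needle), data):
                hits.append((base + m.start(), enc))
    return hits

# DR7 field encodings for one hardware debug register slot (x86/x64).
RW_WRITE, RW_ACCESS = 0b01, 0b11                  # break on write / on read or write
LEN_CODES = {1: 0b00, 2: 0b01, 4: 0b11, 8: 0b10}  # 8 bytes only in 64-bit mode

def watch_window(addr, length=4):
    """A hardware breakpoint covers at most `length` bytes and must be aligned
    to it; round the marker's address down so the window still overlaps it."""
    return addr & ~(length - 1)

def dr7_for_slot(slot, rw, length, enabled_dr7=0):
    """DR7 with slot 0-3 local-enabled for `length` bytes of kind `rw`;
    the settings of the other slots in `enabled_dr7` are preserved."""
    if slot not in range(4) or length not in LEN_CODES:
        raise ValueError("bad slot or length")
    clear = (0b11 << (16 + slot * 4)) | (0b11 << (18 + slot * 4)) | (1 << (slot * 2))
    dr7 = enabled_dr7 & ~clear
    dr7 |= 1 << (slot * 2)                       # Lx: local enable
    dr7 |= rw << (16 + slot * 4)                 # R/Wx: access kind
    dr7 |= LEN_CODES[length] << (18 + slot * 4)  # LENx: watched width
    return dr7

def plan_breakpoints(regions, marker, length=4):
    """One (DR0 address, DR7) pair per hit. The same pair is written into the
    context of every thread, because debug registers are per-thread state."""
    plan = []
    for addr, enc in find_marker(regions, marker):
        a = watch_window(addr, length)
        plan.append({"encoding": enc, "dr0": a, "dr7": dr7_for_slot(0, RW_ACCESS, length)})
    return plan

if __name__ == "__main__":
    for p in plan_breakpoints(REGIONS, MARKER):
        print(p["encoding"], hex(p["dr0"]), hex(p["dr7"]))
```

If the string is longer than one slot can cover, watch the first bytes with DR0 and another window with DR1 rather than hoping the consumer reads the part you chose.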

I figured I'd mention this technique, since it stumped me for a few days.

This way works, but is there a more effective way?  I had thought about spoofing window messages, but I did not know which ones to use or whether a utility exists for such a purpose.  I also thought about using process injection, but I really don't know how to use that technique or how to hook my code into the target process (guess I should read up).

Is there a better way to do this?  


Blog Comments
drew Posted: Friday, March 30 2007 10:15.26 CDT
Good technique.

HW memory breakpoints come in handy all the time.  For example, if you're looking for where a mail program parses email addresses, throwing a hw bp on the "RCPT TO" strings can help show you the call stack.

Raindog Posted: Wednesday, April 4 2007 15:38.34 CDT
I recently used the same thing.  I was reversing a game and needed to know the call stack for the code responsible for turning the character, so I set a HW BP on the character heading and dumped the call stack when it was written to.


