Tuts 4 You

Writing a Simple Debugger


ragdog


Posted (edited)

Hi

I am writing a simple debugger in masm32.

Now I have a problem: why does the target crash if I set a BP at another address?

The test target is "crackme.upx.exe" from Apox.

If I set a BP at 004082AF it works fine.

But if I set a BP at 004082A8 or another address, my BP is not reached and the target crashes.


;004082A6 .^\EB E1          JMP SHORT 00408289
;004082A8 >  FF96 54850000  CALL DWORD PTR DS:[ESI+8554]
;004082AE >  61             POPAD
;004082AF .- E9 0C90FFFF    JMP 004012C0
;004082B4    00             DB 00

mov eax,004082A8h
mov [bpAddress],eax
invoke SetBP,eax                 ; set an INT3 breakpoint
; Checked in WinHex whether the INT3 is written? Yes, it is written:
; EB E1 (CC) 96 54 85

.while TRUE
    invoke WaitForDebugEvent,ADDR DBE,INFINITE
    .if DBE.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
        .if DBE.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_BREAKPOINT
            ;-----------------------------------------------------------------------
            mov pContext.ContextFlags,CONTEXT_CONTROL
            invoke GetThreadContext,pProcessInfo.hThread,addr pContext
            mov eax,pContext.regEip
            .if eax==[bpAddress]
                invoke wsprintf,addr hStatus,CTEXT ("Breakpoint %08X"),eax
                invoke MessageBox,hWnd,addr hStatus,0,MB_OK
                .break
            .endif
            ;-----------------------------------------------------------------------
            invoke ContinueDebugEvent,DBE.dwProcessId,DBE.dwThreadId,DBG_CONTINUE
        .endif
    .elseif DBE.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT
        .break
    .endif
    invoke ContinueDebugEvent,DBE.dwProcessId,DBE.dwThreadId,DBG_EXCEPTION_NOT_HANDLED
.endw

SetBP proc dwBpAddress:DWORD
    pushad
    dec [dwBpAddress]
    ; save the original byte, then overwrite it with INT3 (0CCh)
    invoke ReadProcessMemory,pProcessInfo.hProcess,dwBpAddress,addr oldbyte,1,0
    invoke WriteProcessMemory,pProcessInfo.hProcess,dwBpAddress,addr INT3,1,addr NbByteWr
    popad
    ret
SetBP endp

Greets,

Edited by ragdog
Posted

Hey spider :turned:

No, this is not really what I need.

Thanks for your reply

Posted

remove:

dec [dwBpAddress]

Posted

Yes this is it

And another mistake with this offset 004082A8h:

I have loaded the target in Olly and set a BP on it, and lol, I see it is not used (reached) by Olly :turned:

Thanks

Posted (edited)

When your code hits the first breakpoint, it will exit out of the loop, never calling ContinueDebugEvent. The 'break' you set in the breakpoint handler actually breaks out of the 'while' loop, not the switch condition testing; by default it will fall through to the bottom of the loop if you don't use the 'break' keyword.

Not saying the following snippet will be perfect for your needs, but it may help show what I mean:

LOCAL dwContinueStat:DWORD
LOCAL bContinue:DWORD

; Set bContinue to TRUE
mov bContinue,TRUE
.while bContinue
    invoke WaitForDebugEvent,ADDR DBE,INFINITE
    .if ZERO?
        mov bContinue,FALSE
    .endif
    ; Default behaviour: mark ALL events as unhandled and then adjust later if necessary
    mov dwContinueStat,DBG_EXCEPTION_NOT_HANDLED
    .if DBE.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
        .if DBE.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_BREAKPOINT
            ;-----------------------------------------------------------------------
            ; The address of the exception is passed as part of the exception record
            mov eax,DBE.u.Exception.pExceptionRecord.ExceptionAddress
            .if eax==[bpAddress]
                invoke wsprintf,addr hStatus,CTEXT ("Breakpoint %08X"),eax
                invoke MessageBox,hWnd,addr hStatus,0,MB_OK
                ; Set status so process knows breakpoint was handled
                mov dwContinueStat,DBG_CONTINUE
            .endif
            ; Fall through to bottom of while loop where it will call ContinueDebugEvent again
            ;-----------------------------------------------------------------------
        .endif
    .elseif DBE.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT
        invoke MessageBox,hWnd,CTEXT("Process exited."),0,MB_OK
        mov bContinue,FALSE
    .endif
    invoke ContinueDebugEvent,DBE.dwProcessId,DBE.dwThreadId,dwContinueStat
.endw

HR,

Ghandi

Edited by ghandi
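As an added illustration (my own C model, not code from the thread, from ragdog's debugger or from ghandi's snippet) of the breakpoint bookkeeping the replies above describe: the INT3 is planted at exactly the breakpoint address (not one before it, which is what the `dec` did), the trap leaves EIP one past the INT3 so the exception address is EIP - 1 (the value ghandi reads from ExceptionAddress), the original byte is put back and EIP rewound before resuming, and only a breakpoint the debugger actually handled is acknowledged with DBG_CONTINUE. The Win32 process and thread are replaced by a constructed in-memory mock (`mock_process_t`, `mock_hit_int3` and the other names are mine); the code bytes are the ones from the Olly listing in the first post.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Code bytes of the target at 004082A6, transcribed from the Olly listing in the
   thread. INT3 = 0CCh and "EIP points one past the INT3 after the trap" are x86
   facts; the process/thread below is a constructed stand-in for the Win32 API. */
#define CODE_BASE   0x004082A6u
#define INT3_OPCODE 0xCCu

static const uint8_t ORIGINAL_CODE[] = {
    0xEB, 0xE1,                         /* 004082A6  JMP SHORT 00408289 */
    0xFF, 0x96, 0x54, 0x85, 0x00, 0x00, /* 004082A8  CALL DWORD PTR DS:[ESI+8554] */
    0x61,                               /* 004082AE  POPAD */
    0xE9, 0x0C, 0x90, 0xFF, 0xFF,       /* 004082AF  JMP 004012C0 */
    0x00                                /* 004082B4  DB 00 */
};

/* Constructed debuggee: code[] stands in for what ReadProcessMemory/WriteProcessMemory
   touch, eip for the CONTEXT read with GetThreadContext. */
typedef struct {
    uint8_t  code[sizeof ORIGINAL_CODE];
    uint32_t eip;
} mock_process_t;

/* One software breakpoint: where it was planted and the byte it replaced. */
typedef struct {
    uint32_t address;
    uint8_t  saved_byte;
    int      active;
} sw_breakpoint_t;

void init_mock_process(mock_process_t *p)
{
    memcpy(p->code, ORIGINAL_CODE, sizeof ORIGINAL_CODE);
    p->eip = CODE_BASE;
}

/* Map a virtual address to an index into the mock code buffer; -1 if outside it. */
static long code_index(uint32_t addr)
{
    if (addr < CODE_BASE || addr >= CODE_BASE + sizeof ORIGINAL_CODE)
        return -1;
    return (long)(addr - CODE_BASE);
}

/* Plant an INT3 at exactly bp_address, saving the byte it replaces. Returns 0 on success. */
int set_breakpoint(mock_process_t *p, sw_breakpoint_t *bp, uint32_t bp_address)
{
    long idx = code_index(bp_address);
    if (idx < 0)
        return -1;
    bp->address    = bp_address;
    bp->saved_byte = p->code[idx];   /* what ReadProcessMemory would return */
    p->code[idx]   = INT3_OPCODE;    /* what WriteProcessMemory would store */
    bp->active     = 1;
    return 0;
}

/* Simulate the CPU trapping on the INT3: it is a one-byte instruction, so the
   thread's EIP is one past it when EXCEPTION_BREAKPOINT is reported. */
uint32_t mock_hit_int3(mock_process_t *p, uint32_t int3_addr)
{
    p->eip = int3_addr + 1;
    return p->eip;
}

/* Handle EXCEPTION_BREAKPOINT: the faulting address (ExceptionAddress in the
   exception record) is EIP - 1, not EIP. If it is ours, restore the original
   byte and rewind EIP so the replaced instruction runs on resume.
   Returns 1 if the breakpoint was ours, 0 otherwise. */
int handle_breakpoint(mock_process_t *p, sw_breakpoint_t *bp)
{
    uint32_t exception_address = p->eip - 1;
    if (!bp->active || exception_address != bp->address)
        return 0;
    p->code[code_index(bp->address)] = bp->saved_byte;
    p->eip     = bp->address;        /* SetThreadContext with Eip = breakpoint address */
    bp->active = 0;
    return 1;
}

/* Status for ContinueDebugEvent: DBG_CONTINUE (0x00010002) only for an exception
   we handled, otherwise DBG_EXCEPTION_NOT_HANDLED (0x80010001). */
uint32_t continue_status_for(int breakpoint_was_ours)
{
    return breakpoint_was_ours ? 0x00010002u : 0x80010001u;
}

/* The JMP SHORT at 004082A6 keeps its target only while 004082A7 is untouched;
   an off-by-one INT3 written there (bp address - 1) changes the displacement. */
int jmp_short_intact(const mock_process_t *p)
{
    return p->code[0] == 0xEB && p->code[1] == 0xE1;
}

int main(void)
{
    mock_process_t proc;
    sw_breakpoint_t bp;

    init_mock_process(&proc);
    set_breakpoint(&proc, &bp, 0x004082A8u);
    uint32_t trapped_eip = mock_hit_int3(&proc, 0x004082A8u);
    int ours = handle_breakpoint(&proc, &bp);
    printf("EIP after trap %08X, ours=%d, EIP after handling %08X, status %08X\n",
           trapped_eip, ours, proc.eip, continue_status_for(ours));

    init_mock_process(&proc);
    set_breakpoint(&proc, &bp, 0x004082A8u - 1);   /* the `dec` off-by-one */
    printf("JMP SHORT intact after off-by-one write: %d\n", jmp_short_intact(&proc));
    return 0;
}
```

The off-by-one case is the crash from the first post: writing 0CCh at 004082A7 lands in the displacement of the JMP SHORT at 004082A6, so the jump goes somewhere else instead of trapping. After `handle_breakpoint` the breakpoint is disarmed; a real debugger that wants to hit it again re-plants it after single-stepping the restored instruction.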
