I am trying to figure out which instruction writes to a certain memory address, but whatever I try, I end up with no result.

I know for a fact that the contents stored at this memory address is changed during the execution of my binary. Could anyone push me in the right direction what to do here?

Memory/Hardware Breakpoint can help you. Take a look @ https://i.stack.imgur.com/DJl27.png

Thanks! That helped!

Now.. I know why I got so confused during the reversing of this binary.

Apparently, the binary has a string as input, then it performs an action on it (I guess it is being decoded somehow, I could not find any crypto related stuff with keys etc), and the result is stored as opcodes... what 😮

 

So, for example the decoded string is "what" (77 00 68 00 61 00 74 00 in unicode)

I can find opcodes during debugging with x64 which are

 

77 00

6800 61

0074 00

 

I found that setting a bp on one of these instructions would let the binary run just fine, the string "what" now just looks a bit odd. I assume this is because some INT3 is put somewhere there, so the string is still read from the opcodes but now with the INT3 in there as well.

 

Any hint how I would figure out what that decoding mechanism is in the first place?

 

Could I for example put a bp when the opcodes are modified?

 

Thanks in advance!

You can use Hardware/Memory breakpoint instead of INT3 breakpoint. Good luck.