weazer Posted September 18, 2022 I am trying to figure out which instruction writes to a certain memory address, but whatever I try, I end up with no result. I know for a fact that the contents stored at this memory address are changed during the execution of my binary. Could anyone push me in the right direction on what to do here?
Vic Posted September 18, 2022 Memory/Hardware Breakpoint can help you. Take a look @ https://i.stack.imgur.com/DJl27.png
weazer Posted September 19, 2022 (Author) Thanks! That helped! Now... I know why I got so confused during the reversing of this binary. Apparently, the binary takes a string as input, then it performs an action on it (I guess it is being decoded somehow; I could not find any crypto-related stuff with keys etc.), and the result is stored as opcodes... what 😮

So, for example, the decoded string is "what" (77 00 68 00 61 00 74 00 in Unicode). I can find opcodes during debugging with x64 which are 77 00 68 00 61 00 74 00. I found that setting a bp on one of these instructions would let the binary run just fine, but the string "what" now just looks a bit odd. I assume this is because some INT3 is put somewhere there, so the string is still read from the opcodes but now with the INT3 in there as well.

Any hint how I would figure out what that decoding mechanism is in the first place? Could I, for example, put a bp when the opcodes are modified?

Thanks in advance!
Vic Posted September 21, 2022 You can use Hardware/Memory breakpoint instead of INT3 breakpoint. Good luck.
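Added illustration of the effect described in the thread (example code, not from the posters or from x64dbg): a region of bytes that the target both executes and reads as a UTF-16LE string, and a model of what a software breakpoint does to it. The debugger saves the original byte and overwrites it with 0xCC (INT3), so a later read of that memory as data sees the patched code unit and the decoded string comes out "odd"; a hardware breakpoint is set in the CPU debug registers and leaves memory untouched, which is why it is the right tool here. The region contents and offsets are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample: bytes that the target reads both as instructions and
   as data. They spell "what" in UTF-16LE (77 00 68 00 61 00 74 00). */
static uint8_t region[] = {0x77, 0x00, 0x68, 0x00, 0x61, 0x00, 0x74, 0x00};

/* Decode UTF-16LE code units from buf into out as ASCII; any unit outside
   ASCII (such as 0x00CC produced by an INT3 patch) is shown as '?'.
   Returns the number of characters written, excluding the terminator. */
size_t decode_utf16le(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n + 1 < outsz; i += 2) {
        uint16_t unit = (uint16_t)(buf[i] | (buf[i + 1] << 8));
        out[n++] = (unit < 0x80) ? (char)unit : '?';
    }
    out[n] = '\0';
    return n;
}

/* Model of a software breakpoint: the debugger stores the original byte and
   writes 0xCC (INT3) in its place. Returns the saved byte for restoration. */
uint8_t set_sw_breakpoint(uint8_t *buf, size_t off) {
    uint8_t saved = buf[off];
    buf[off] = 0xCC;
    return saved;
}

/* Removing the breakpoint puts the original byte back. A hardware breakpoint
   never goes through this step because it does not modify memory at all. */
void remove_sw_breakpoint(uint8_t *buf, size_t off, uint8_t saved) {
    buf[off] = saved;
}

int main(void) {
    char text[16];
    decode_utf16le(region, sizeof region, text, sizeof text);
    printf("before INT3 bp: \"%s\"\n", text);        /* "what" */

    uint8_t saved = set_sw_breakpoint(region, 2);   /* bp on the 'h' byte */
    decode_utf16le(region, sizeof region, text, sizeof text);
    printf("with INT3 bp:   \"%s\"\n", text);        /* "w?at" */

    remove_sw_breakpoint(region, 2, saved);
    decode_utf16le(region, sizeof region, text, sizeof text);
    printf("bp removed:     \"%s\"\n", text);        /* "what" */
    return 0;
}
```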