Posted September 18, 2022

I am trying to figure out which instruction writes to a certain memory address, but whatever I try, I end up with no result. I know for a fact that the contents stored at this memory address are changed during the execution of my binary. Could anyone push me in the right direction on what to do here?

September 18, 2022

Memory/Hardware Breakpoint can help you. Take a look @ https://i.stack.imgur.com/DJl27.png

September 19, 2022 (Author)

Thanks! That helped! Now... I know why I got so confused during the reversing of this binary.

Apparently, the binary has a string as input, then it performs an action on it (I guess it is being decoded somehow, I could not find any crypto-related stuff with keys etc.), and the result is stored as opcodes... what 😮

So, for example, the decoded string is "what" (77 00 68 00 61 00 74 00 in Unicode). I can find opcodes during debugging with x64 which are 77 00 6800 61 0074 00

I found that setting a bp on one of these instructions would let the binary run just fine; the string "what" now just looks a bit odd. I assume this is because some INT3 is put somewhere there, so the string is still read from the opcodes but now with the INT3 in there as well.

Any hint how I would figure out what that decoding mechanism is in the first place? Could I, for example, put a bp when the opcodes are modified?

Thanks in advance!
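
The INT3 effect suspected in the post above, as an added example that is not part of the thread: a small model of how a software breakpoint patches one byte (0xCC) into a buffer that the program later reads as UTF-16 text, while a memory/hardware breakpoint patches nothing. The class and function names are hypothetical, and the offsets 0, 2 and 7 are an assumption read off the byte grouping quoted in the post.

```python
INT3 = 0xCC  # x86 one-byte breakpoint opcode written by software breakpoints


class PatchedMemory:
    """Toy model of a memory region with debugger software breakpoints."""

    def __init__(self, data: bytes):
        self.mem = bytearray(data)
        self.saved = {}  # offset -> original byte the debugger replaced

    def set_software_bp(self, offset: int) -> None:
        # The debugger remembers the original byte and overwrites it with INT3.
        if offset not in self.saved:
            self.saved[offset] = self.mem[offset]
            self.mem[offset] = INT3

    def clear_software_bp(self, offset: int) -> None:
        # Removing the breakpoint restores the byte that was saved.
        self.mem[offset] = self.saved.pop(offset)

    def read_as_program(self) -> bytes:
        # The debuggee reads whatever is in memory, INT3 patches included.
        return bytes(self.mem)


def decode(buf: bytes) -> str:
    return buf.decode("utf-16-le", errors="replace")


def string_seen_with_bp(text: str, offset: int):
    """Return (string while the bp is set, string after it is cleared)."""
    region = PatchedMemory(text.encode("utf-16-le"))
    region.set_software_bp(offset)
    while_set = decode(region.read_as_program())
    region.clear_software_bp(offset)
    after_clear = decode(region.read_as_program())
    return while_set, after_clear


if __name__ == "__main__":
    # Constructed input: the string "what" from the post, stored as UTF-16LE.
    # Assumed instruction starts when those bytes are disassembled: 0, 2, 7.
    for off in (0, 2, 7):
        seen, restored = string_seen_with_bp("what", off)
        print(f"bp at +{off}: program reads {seen!r}, after removal {restored!r}")
```

A memory or hardware breakpoint is set through the debug registers or page protections rather than by patching bytes, so the buffer read by the program stays unchanged while it is active.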