WinAsm Studio, The Assembly IDE - Free Downloads, Source Code
Articles
Programming Quick Start
32-bit Assembler is Easy
Porting Iczelion tutorials
What is FASM
Hard Drive Recovery
Wiring your own LAN
 
Forum
Pages (3) [1] 2 3   ( Go to first unread post )

finding breakpoints

Track this topic | Email this topic | Print this topic
Dragonborn
Quote Post


New Member
*

Group: Members
Posts: 8
Member No.: 55955
Joined: 6-January 13
Sponsored Links
i am dragonborn and have questions about software breakpoints.
how to detect them? i know the opcode for software breakpoints which is x0cc.
i can code a loop which search the whole memory for that opcode, but the problem is that my program uses a lot x0cc bytes. so i have to find the real breakpoints not "fake" x0cc's.

some help would be nice, i code in masm
PMEmail Poster
Top
huntingspace
Quote Post


Active Member
***

Group: Members
Posts: 49
Member No.: 49504
Joined: 11-February 12
Hello dragonborn,

You should look at some length disassembler engines like BeaEngine, VirXasm (written in masm), Z0mbie LDE32 (written in masm) or others. They can help you to calculate length of instructions and find int3 instructions.
PMEmail Poster
Top
ragdog
Quote Post


Extremely Active Member
******

Group: Moderators
Posts: 891
Member No.: 5019
Joined: 13-May 07
Read this http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#BpInt3

It help you
PMUsers Website
Top
Dragonborn
Quote Post


New Member
*

Group: Members
Posts: 8
Member No.: 55955
Joined: 6-January 13
i do not understand why calculate lenght of x0cc it is just 1 byte.
i got a example but as i said in my first post this example will find false breakpoints

CODE
invoke CreateFile, ADDR NamePath, 0, 0, 0, OPEN_EXISTING, 0, 0
mov hFile, eax
invoke GetFileSize, hFile, 0
mov ecx, eax; end size
mov edi, 00400000h; example begin size
mov al, 0CCh
repne scasb
jz being_debugged; bp found
jmp ok
PMEmail Poster
Top
huntingspace
Quote Post


Active Member
***

Group: Members
Posts: 49
Member No.: 49504
Joined: 11-February 12
i'm not sure but i think you should do that:
CODE

    mov esi,lpCodeSection                  ; in esi pointer to executable section of PE file (contain binary code)
    mov ebx,dwSizeofCodeSection            ; in ebx size of executable section
@next:
    invoke CalculateInstructionLength,esi  ; some procedure which calculate instruction length
    cmp eax,1                              ; in eax instruction length
    jnz @no
    cmp byte ptr [esi],0CCh                ; if eax==1 then compare byte with int3 instruction
    jnz @no
    inc dwInt3InstructionCounter           ; increase int3 instruction counter
@no:
    add esi,eax
    sub ebx,eax
    jg @next

you should repeat this loop if PE file has more than one of executable section
PMEmail Poster
Top
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:
« Next Oldest | Main | Next Newest »

Topic Options Pages (3) [1] 2 3  Reply to this topicStart new topicStart Poll

 
Sponsors
Computer Science

Internet
C/C++
Hardware & PC maintenance

HiEditor

General Discussions
Suggestions/Bug Reports 		WinAsm Studio

General Discussions
Suggestions/Bug Reports
WinAsm Studio FAQ
Multilingual User Interface
Add-Ins 		Assembly Programming

Main
Newbies
Projects
Custom Controls
Snippets 		Announcements & Rules

Announcements

General

Online Degrees - Distance Learning
The Heap
Russian