1. ## The Point-R technique

Hello.

While trying to track down a really difficult problem in the production version of our software that only manifested itself in certain configurations on SunW,
I thought to myself... There Must Be A Better Way!

So here, I present to you the Point-R technique.
It is very similar to the hmemcpy technique which we all miss so much, in that it will give you a jump start with any debugging problem.

Just load the problematic file, be it a program of yours or something you need to crack, into ida and run point-r.upb.idc.

Set a breakpoint on Point-R, let it run until the breakpoint breaks and you will be at the core of the problem at hand.

The script will find Point-R by utilizing a series of successive complex approximations, much in the same way you would find a square root with some fixed precision.

Enjoy and comment/enhance it!

point-r.upb.idc.txt

2. Cool, very interesting.

3. So, what exactly is it supposed to do?

Just load the problematic file, be it a program of yours or something you need to crack, into ida and run point-r.upb.idc.
Yes, but what is this "problem" you speak of? I know hmemcpy is a common data transfer point, but this "point R" appears to merely be a hash of bytes.

tl;dr: I think you need to elaborate a bit more.

4. Originally Posted by LLXX
So, what exactly is it supposed to do?

Yes, but what is this "problem" you speak of? I know hmemcpy is a common data transfer point, but this "point R" appears to merely be a hash of bytes.

tl;dr: I think you need to elaborate a bit more.
Indeed, the initial approximation of Point-R is found by a hash.
The approximation is made better and better by applying an R function a few thousand times.

So each binary has a unique Point-R.

Breakpointing Point-R is appropriate for solving any problem,
like hmemcpy and Point-H, only Point-R is more efficient.

I hope this answers the question; if it doesn't, read the enhanceR function (saves you from reading the too-long code) and you will understand the meaning behind Point-R.

5. Originally Posted by upb
Breakpointing Point-R is appropriate for solving any problem,
like hmemcpy and Point-H, only Point-R is more efficient.
I understand perfectly well what you're doing, but it's a question of why you're doing it. "solving any problem" sounds like a panacea for every bug in existence, and if performing an iterative algorithm over the bytes of code could somehow locate every single bug, algorithmic or not, then you've successfully overturned 50+ years of computability theory and written something "divine", capable of reading the programmer's mind to figure out what she intended.

I am not convinced.

6. Exactly what are you not convinced about?

Is it which problem this technique is aimed at solving/helping out with? In that case please see the many tutorials written about hmemcopy, and Ricardo's tutorials about Point-H.

Is it how the technique goes about accomplishing its goal? In that case please be a little more specific about exactly which part it is that you don't understand, and I'm sure upb will be able to explain it to you.

7. Just late joining.
As far as I understood, point-r is somehow similar to point-h, a crucial point from which some memory things flow, like any other point-* already known.
What is not clear to me are the following points instead which I would ask to upb..

1. if you use a script means that point-r is a point into the executable and not in the system like point-h
2. who discovered it, because I never heard of it before
3. what it is supposed to be used for
4. what exactly this script does, better, what is the theory behind this script, because the script is quite simple afterall..
5. some example of some application where this point-r can be used and for what (well this is similar to point 3)
6. who discovered it, the idea is your?
7. point-h was used for some specific problems, not a panacea, but useful in some cases. why this is better and for what?

well those questions are enough..

Thanks for clarifications of course

8. ## i hope this will satisfy the one who doubt in usefulness of Point-R

Originally Posted by Shub-nigurrath
1. if you use a script means that point-r is a point into the executable and not in the system like point-h
Correct

Originally Posted by Shub-nigurrath
2. who discovered it, because I never heard of it before
Like I wrote in the OP, I discovered it by accident.

Originally Posted by Shub-nigurrath
3. what it is supposed to be used for
It's supposed to be used to put an execution or data read/write breakpoint on, depending on whether it is at data or instructions and also depending on the problem at hand. Basically, you can break on it when you have no idea where to start, exactly like you would use hmemcpy or Point-H.

Originally Posted by Shub-nigurrath
4. what exactly this script does, better, what is the theory behind this script, because the script is quite simple afterall..
Point-R of a PE executable is
• the instruction/data at the address that is found by
• iterating
• a 32-bit LFSR with feedback polynomial x^13 + x^16 + x^17 + x^18 + 1, seeded by the value calculated by
iteratively left-rotating the previous value by 24 positions and exclusive-or'ing the current byte to it, modulo 2^32, over the first 1000 bytes of the first section of the PE executable
• 20000 times
• modulo the size of the section containing the entry point

The LFSR is used to gain the R in Point-R, the seed value is used to make Point-R specific to each PE sharing the first 1000 bytes of the first section.

Originally Posted by Shub-nigurrath
5. some example of some application where this point-r can be used and for what (well this is similar to point 3)
A sample application of the Point-R technique can be found in the first paragraph of OP.

Originally Posted by Shub-nigurrath
6. who discovered it, the idea is your?
Yes, same as point 2.
Are you suggesting ideas never heard of before, or discovered by someone not famous in the cracking scene, are invalid/useless by definition ?

Originally Posted by Shub-nigurrath
7. point-h was used for some specific problems, not a panacea, but useful in some cases. why this is better and for what?
Point-R is not a panacea either. It is only useful to get an efficient jump-start when one is out of ideas for a starting point. It can prove to be quite useful, like in the case mentioned in the OP.

Originally Posted by Shub-nigurrath
well those questions are enough..

Thanks for clarifications of course
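The Point-R recipe upb gives in post 8, rendered as Python so the arithmetic can be inspected. This is an added example, not the attached point-r.upb.idc script (which the thread does not reproduce). It assumes the 24-position rotate is a 32-bit rotate, reads the polynomial as a right-shifting Fibonacci LFSR whose new bit is the outgoing bit (the "+1" term) XORed with bits 13, 16, 17 and 18, and uses constructed sample bytes and a constructed section size. Every value it produces is fully determined by the first 1000 bytes of the first section, so the address it yields is a pseudorandom offset with no relation to any particular bug, which is LLXX's objection in post 5 made concrete.

```python
# Added example: Python rendering of the Point-R recipe from post 8.
# Not the thread's point-r.upb.idc script (not reproduced on the page).
# Assumptions (the original IDC source is not available here):
#   - "left-rotating by 24 positions" is a 32-bit rotate;
#   - the LFSR is a Fibonacci register shifting right, with the new bit formed
#     from the outgoing bit (the "+1" term) XOR bits 13, 16, 17 and 18;
#   - the input bytes and section size used below are constructed sample values.

MASK32 = 0xFFFFFFFF
SEED_BYTES = 1000        # "over the first 1000 bytes of the first section"
ROUNDS = 20000           # "iterating ... 20000 times"
TAPS = (13, 16, 17, 18)  # from x^13 + x^16 + x^17 + x^18 + 1


def rotl32(value: int, count: int) -> int:
    """Rotate a 32-bit value left by `count` bits."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32


def seed_hash(data: bytes, n: int = SEED_BYTES) -> int:
    """Seed: rotl24(previous) XOR current byte, mod 2^32, over the first n bytes."""
    h = 0
    for b in data[:n]:
        h = rotl32(h, 24) ^ b
    return h


def lfsr_step(state: int) -> int:
    """One step of the assumed 32-bit Fibonacci LFSR.

    The map is a bijection on 32-bit states (the dropped bit 0 can be recovered
    from the new bit 31 and the tap bits), so distinct seeds never merge.
    """
    feedback = state & 1
    for tap in TAPS:
        feedback ^= (state >> tap) & 1
    return (state >> 1) | (feedback << 31)


def point_r(first_section: bytes, entry_section_size: int, rounds: int = ROUNDS) -> int:
    """Offset of Point-R within the section containing the entry point."""
    if entry_section_size <= 0:
        raise ValueError("section size must be positive")
    state = seed_hash(first_section)
    # Caveat: an all-zero seed (e.g. a zero-filled first section) pins the LFSR
    # at 0 forever, so Point-R is then simply offset 0 of the entry section.
    for _ in range(rounds):
        state = lfsr_step(state)
    return state % entry_section_size


if __name__ == "__main__":
    # Constructed stand-ins for "the first section" and the entry section's size.
    sample_section = bytes(range(256)) * 4
    sample_entry_size = 0x1000
    print(f"seed    = {seed_hash(sample_section):#010x}")
    print(f"Point-R = {point_r(sample_section, sample_entry_size):#x}")
    tweaked = bytearray(sample_section)
    tweaked[0] ^= 1  # flip one input bit and watch the "point" move
    print(f"after flipping one input bit: {point_r(bytes(tweaked), sample_entry_size):#x}")
```

Running it twice on the same bytes gives the same offset, and flipping a single bit of the input generally moves it: that is the whole content of the technique, a hash of the header bytes reduced modulo the section size.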

9. Does R stand for 'Random'?
This script looks like (is?) some bullshit calculating hell knows what (nothing senseful?)...
In what way is it similar to point-h? I see nothing in common, just some guy claiming so.

It is only useful to get an efficient jump-start when one is out of ideas for a starting point.
Like if you're already lost in program this should make you lost even more?

The script will find Point-R by utilizing a series of successive complex approximations, much in the same way you would find a square root with some fixed precision.
ROFL. You probably haven't seen complex things if you call this complex...

[EDIT JMI]

After Woodmann warned PowerUp about his "useless comments," he chose to follow up with another "useless comment" to Woodmann. I then edited that post and warned him that on his next "useless comment," HE would be deleted. Completely lacking any common sense or self control, he chose to demonstrate, yet again, that he's so important that nobody can tell him what to do and so now he's joined the "goners."

JMI

10. tsch upb,
your sarcasm is not very welcome; my mind never worries about these reversing things, my worries are others. Asking questions is always legit, answering correctly is just a matter of education. Anyway, thanks to your answer to my 4th point I finally understood the real meaning of the "R" as well.

11. Shub,

upb is not being sarcastic, it is just a poor translation of his words.
He/she meant no offense.

PowerUp, thanks for the useless comment.
Didn't your mama ever tell you to keep your mouth shut unless you have something constructive to say?

Woodmann

12. Oh I don't know, I think that's kind of funny.

In fact, Upb wins this month's RCE Yank Award for yanking everyone's chain.

And here it is (allow gif animation)

(seriously though, I think you need to do something about the bytes that are replaced (IsClipboardFormatAvailable is overwritten in notepad) - maybe you can incorporate an automated code cave to run the overwritten code?

C'mon, we're reversers, we're supposed to be able to figure out when we're being f***'ed over..

13. 1up to JMI. BTW, does anyone know how hmemcpy was found (was it found in a manual, told by some Microsoft programmer, etc.)?

14. ## A+, would read again.

This thread is full of drama and lulz.

Does R stand for 'Random'?
This script looks like (is?) some bullshit calculating hell knows what (nothing senseful?)...
In what way is it similar to point-h? I see nothing in common, just some guy claiming so.
You spoiled the joke! Enjoy ur B&!

upb, you should've saved this one for April 1st of next year.

@blurcode: hmemcpy was known back in the times of +ORC as a well-used data-transfer point, and was apparently documented in the Windows SDKs, hence an article about its obsolescence appearing on MSDN (just Google 'hmemcpy' and you'll find it).

15. Thank you Litana.
