
Thread: The Point-R technique

  1. #1
    upb (Registered User)

    The Point-R technique

    Hello.

    While trying to track down a really difficult problem in the production version of our software that only manifested itself in certain configurations on SunW,
    I thought to myself... There Must Be A Better Way!

    So here I present to you the Point-R technique.
    It is very similar to the hmemcpy technique, which we all miss so much, in that it will give you a jump start with any debugging problem.

    Just load the problematic file, be it a program of yours or something you need to crack, into IDA and run point-r.upb.idc.

    Set a breakpoint on Point-R, let it run until the breakpoint breaks and you will be at the core of the problem at hand.

    The script will find Point-R by utilizing a series of successive complex approximations, much in the same way you would find a square root with some fixed precision.

    Enjoy and comment/enhance it!

    point-r.upb.idc.txt

  2. #2
    dELTA (Administrator)
    Cool, very interesting.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3
    So, what exactly is it supposed to do?

    Just load the problematic file, be it a program of yours or something you need to crack, into ida and run point-r.upb.idc.
    Yes, but what is this "problem" you speak of? I know hmemcpy is a common data transfer point, but this "point R" appears to merely be a hash of bytes.

    tl;dr: I think you need to elaborate a bit more.

  4. #4
    upb (Registered User)
    Quote Originally Posted by LLXX:
    So, what exactly is it supposed to do?

    Yes, but what is this "problem" you speak of? I know hmemcpy is a common data transfer point, but this "point R" appears to merely be a hash of bytes.

    tl;dr: I think you need to elaborate a bit more.
    Indeed, the initial approximation of Point-R is found by a hash.
    The approximation is made better and better by applying an R function a few thousand times.

    So each binary has a unique Point-R.

    Breakpointing Point-R is appropriate for solving any problem,
    like hmemcpy and Point-H, only Point-R is more efficient.

    I hope this answers the question; if it doesn't, read the enhanceR function (it saves you from reading the too-long code) and you will understand the meaning behind Point-R.
    The key to understanding complicated things is to know what not to look at and what not to compute and what not to think.

  5. #5
    Quote Originally Posted by upb:
    Breakpointing Point-R is appropriate for solving any problem,
    like hmemcpy and Point-H, only Point-R is more efficient.
    I understand perfectly well what you're doing, but it's a question of why you're doing it. "solving any problem" sounds like a panacea for every bug in existence, and if performing an iterative algorithm over the bytes of code could somehow locate every single bug, algorithmic or not, then you've successfully overturned 50+ years of computability theory and written something "divine", capable of reading the programmer's mind to figure out what she intended.

    I am not convinced.

  6. #6
    dELTA (Administrator)
    Exactly what are you not convinced about?

    Is it which problem this technique is aimed at solving/helping out with? In that case please see the many tutorials written about hmemcpy, and Ricardo's tutorials about Point-H.

    Is it how the technique goes about accomplishing its goal? In that case please be a little more specific about exactly which part it is that you don't understand, and I'm sure upb will be able to explain it to you.

  7. #7
    Shub-nigurrath (Super Moderator)
    Just late joining.
    As far as I understood, point-r is somehow similar to point-h, a crucial point from where some memory things flow, like any other point-* already known.
    What is not clear to me are the following points instead, which I would ask upb:

    1. if you use a script, that means point-r is a point in the executable and not in the system like point-h
    2. who discovered it, because I never heard of it before
    3. what it is supposed to be used for
    4. what exactly this script does, better, what is the theory behind this script, because the script is quite simple after all..
    5. some example of some application where this point-r can be used and for what (well this is similar to point 3)
    6. who discovered it, is the idea yours?
    7. point-h was used for some specific problems, not a panacea, but useful in some cases. why is this better and for what?

    well those questions are enough..

    Thanks for clarifications of course
    (`._.[*~-.,.-~* ŜħůβŇĝŕřāŧħ ₪*~-.,.-~*]._.)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
    http://www.accessroot.com

  8. #8
    upb (Registered User)

    I hope this will satisfy the ones who doubt the usefulness of Point-R

    Quote Originally Posted by Shub-nigurrath:
    1. if you use a script, that means point-r is a point in the executable and not in the system like point-h
    Correct

    Quote Originally Posted by Shub-nigurrath:
    2. who discovered it, because I never heard of it before
    Like i wrote in the OP, i discovered it by accident.

    Quote Originally Posted by Shub-nigurrath:
    3. what it is supposed to be used for
    It's supposed to be used to put an execution or data read/write breakpoint on, depending on whether it is at data or instructions and also depending on the problem at hand. Basically, you can break on it when you have no idea where to start, exactly like you would use hmemcpy or Point-H.

    Quote Originally Posted by Shub-nigurrath:
    4. what exactly this script does, better, what is the theory behind this script, because the script is quite simple after all..
    Point-R of a PE executable is
    • the instruction/data at the address that is found by
    • iterating, 20000 times, a 32-bit LFSR with feedback polynomial x^13 + x^16 + x^17 + x^18 + 1, seeded by the value calculated by iteratively left-rotating the previous value by 24 positions and exclusive-OR'ing into it the current byte, modulo 2^32, over the first 1000 bytes of the first section of the PE executable,
    • modulo the size of the section containing the entry point,
    • added to the start address of the section containing the entry point.

    The LFSR is used to gain the R in Point-R, the seed value is used to make Point-R specific to each PE sharing the first 1000 bytes of the first section.

    Quote Originally Posted by Shub-nigurrath:
    5. some example of some application where this point-r can be used and for what (well this is similar to point 3)
    A sample application of the Point-R technique can be found in the first paragraph of OP.

    Quote Originally Posted by Shub-nigurrath:
    6. who discovered it, is the idea yours?
    Yes, same as point 2.
    Are you suggesting ideas never heard of before, or discovered by someone not famous in the cracking scene, are invalid/useless by definition?

    Quote Originally Posted by Shub-nigurrath:
    7. point-h was used for some specific problems, not a panacea, but useful in some cases. why is this better and for what?
    Point-R is not a panacea either. It is only useful to get an efficient jump-start when one is out of ideas for a starting point. It can prove to be quite useful, like in the case mentioned in the OP.

    Quote Originally Posted by Shub-nigurrath:
    well those questions are enough..

    Thanks for clarifications of course
    Thanks for asking

    Hope those answers bring peace to your mind
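The computation upb lists in post #8, written out as an added Python example so readers can see what the script actually computes. This is not the attached point-r.upb.idc script (which is not reproduced on this page); the section bytes and section geometry are constructed sample values, and the starting hash value of 0, the reading of the polynomial exponents as Fibonacci tap positions, and the substitution of 1 for an all-zero seed are my assumptions, since the post does not state them. Running it illustrates LLXX's point: the resulting address depends only on the hashed prefix and the section geometry, so two files sharing those get the same Point-R, while changing a byte inside the hashed prefix generally moves it somewhere unrelated to the program's logic.

```python
"""Point-R address computation as described in post #8 of this thread.

Added example: a from-scratch Python rendering of the steps upb lists,
NOT the attached point-r.upb.idc script. Assumptions not stated on the
page: the hash starts at 0, the polynomial exponents are read as
Fibonacci tap bit positions, and an all-zero seed is replaced by 1.
"""

MASK32 = 0xFFFFFFFF
SEED_BYTES = 1000     # the hash covers the first 1000 bytes of the first section
LFSR_ROUNDS = 20000   # the LFSR is clocked this many times
# Feedback polynomial x^13 + x^16 + x^17 + x^18 + 1 -> tap bits 13, 16, 17, 18
TAPS = (1 << 13) | (1 << 16) | (1 << 17) | (1 << 18)


def rotl32(value: int, count: int) -> int:
    """Rotate a 32-bit value left by count bits."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32


def seed_from_bytes(data: bytes) -> int:
    """Left-rotate the running value by 24, then XOR in the next byte,
    over at most SEED_BYTES bytes (assumed starting value: 0)."""
    value = 0
    for b in data[:SEED_BYTES]:
        value = rotl32(value, 24) ^ b
    return value


def lfsr_step(state: int) -> int:
    """One clock of a 32-bit Fibonacci LFSR: the register shifts right and
    the parity of the tapped bits enters at bit 31."""
    feedback = bin(state & TAPS).count("1") & 1
    return ((state >> 1) | (feedback << 31)) & MASK32


def point_r(first_section: bytes, entry_start: int, entry_size: int) -> int:
    """Return the Point-R address: seed the LFSR from the first section's
    bytes, clock it LFSR_ROUNDS times, reduce modulo the entry-point
    section's size and add that section's start address."""
    if entry_size <= 0:
        raise ValueError("entry-point section must have a positive size")
    state = seed_from_bytes(first_section)
    if state == 0:
        state = 1  # assumption: zero is a fixed point of the LFSR, so avoid it
    for _ in range(LFSR_ROUNDS):
        state = lfsr_step(state)
    return entry_start + (state % entry_size)


# Constructed sample input (not from any real PE): a 1024-byte first section
# and an entry-point section at 0x401000 of size 0x2000.
SAMPLE_SECTION = bytes(range(256)) * 4
ENTRY_START = 0x401000
ENTRY_SIZE = 0x2000


def demo() -> dict:
    """Compute Point-R for the sample and for two variants: one that differs
    only past byte 1000 (same Point-R by construction) and one with the
    first byte changed (usually, though not necessarily, a different one)."""
    base = point_r(SAMPLE_SECTION, ENTRY_START, ENTRY_SIZE)
    tail_changed = point_r(SAMPLE_SECTION + b"\xff" * 64, ENTRY_START, ENTRY_SIZE)
    head_changed = point_r(b"\x7f" + SAMPLE_SECTION[1:], ENTRY_START, ENTRY_SIZE)
    return {"base": base, "tail_changed": tail_changed, "head_changed": head_changed}


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:>12}: 0x{addr:08X}")
```

The three addresses printed by demo() are always inside the entry-point section, and "base" and "tail_changed" are always equal because the hash never looks past byte 1000; nothing about any of them relates to what the code at that address does, which is the whole joke.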

  9. #9
    PowerUp (Guest)
    Does R stand for 'Random'?
    This script looks like (is?) some bullshit calculating hell knows what (nothing senseful?)...
    In what way is it similar to point-h? I see nothing in common, just some guy claiming so.

    It is only useful to get an efficient jump-start when one is out of ideas for a starting point.
    Like if you're already lost in program this should make you lost even more?

    The script will find Point-R by utilizing a series of successive complex approximations, much in the same way you would find a square root with some fixed precision.
    ROFL. You probably haven't seen complex things if you call this complex...

    [EDIT JMI]

    After Woodmann warned PowerUp about his "useless comments," he chose to follow up with another "useless comment" to Woodmann. I then edited that post and warned him that on his next "useless comment," HE would be deleted. Completely lacking any common sense or self control, he chose to demonstrate, yet again, that he's so important that nobody can tell him what to do and so now he's joined the "goners."

    JMI
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #10
    Shub-nigurrath (Super Moderator)
    tsch upb,
    your sarcasm is not very welcome, my mind never worries about these reversing things, my worries are others. Asking questions is always legit, correctly answering is just a matter of education.. anyway, thanks to your answer to my 4th point I finally understood also the real meaning of the "R"
    Last edited by Shub-nigurrath; October 31st, 2007 at 04:27.

  11. #11
    Shub,

    upb is not being sarcastic, it is just a poor translation of his words.
    He/she meant no offense.

    PowerUp, thanks for the useless comment.
    Didn't your mama ever tell you to keep your mouth shut unless you have something constructive to say?

    Woodmann

  12. #12
    Kayaker (Teach, Not Flame)
    Oh I don't know, I think that's kind of funny.

    In fact, upb wins this month's RCE Yank Award for yanking everyone's chain

    And here it is (allow gif animation)
    [attached image]
    (seriously though, I think you need to do something about the bytes that are replaced (IsClipboardFormatAvailable is overwritten in notepad) - maybe you can incorporate an automated code cave to run the overwritten code?)

    C'mon, we're reversers, we're supposed to be able to figure out when we're being f***'ed over..

  13. #13
    Registered User (Greece)
    1up to JMI, btw does anyone know how hmemcpy was found (was it found in a manual, told by some Microsoft programmer, etc)?
    A picture worth 1K words (or .5K DWORDS).

  14. #14

    A+, would read again.

    This thread is full of drama and lulz.

    Does R stand for 'Random'?
    This script looks like (is?) some bullshit calculating hell knows what (nothing senseful?)...
    In what way is it similar to point-h? I see nothing in common, just some guy claiming so.
    You spoiled the joke! Enjoy ur B&!

    upb, you should've saved this one for April 1st of next year.

    @blurcode: hmemcpy was known back in the times of +ORC as a well-used data-transfer point, and was apparently documented in the Windows SDKs, hence an article about its obsolescence appearing on MSDN (just Google 'hmemcpy' and you'll find it).
    Last edited by LLXX; October 31st, 2007 at 18:55.

  15. #15
    Registered User (Greece)
    Thank you Litana.
