Thread: How to find code generating known data?

  1. #1
    nomatter
    Guest

    How to find code generating known data?

    From debugging the program I only know that before clicking a link a set of known data isn't in memory (confirmed by memory search) and after clicking it the data is in memory (all the time a different location).

    How can I find the code that generates this data?

    One of the major problems (which might be important to know) is that it is a .net-Program (which I can't analyze with Reflector because it is obfuscated). So I'm analyzing the assembly generated by .NET (in Olly / Immunity / IDA).

    Instruction Tracing or stepping through the code after the click isn't possible because .NET generates too much code to do it in acceptable time.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2

    As Above

    Here's what you could do:

    1. Try and get a debugger that enables you to put in memory breakpoints (using h/w Breakpoints rather than normal ones).

    2. Run the program and see where it breaks. (Ensure that you have a debugger that enables you to record the number of times AND the instructions with addresses that the breakpoint occurred -- IDA does quite OK)

    3. Then, go to the offending instruction and do what you want to do.

    Note however, that if normal PE executable managed to create MOUNTAINS of data when the breakpoints hit (in instructions AND numbers) then the .NET will give you INSANE amounts -- primarily because all memory moving instructions will be done by the .NET CLR and THAT is what will hit you.

    4. So, taking point above, after you have a list of instructions where the breakpoints hit (presumably, under the .NET dlls and exes, not that main exe), the real, grunt work begins. For EACH breakpoint hit, you need to RETURN TO CALLER and continue doing that UNTIL you hit the main exe. You *could* try a stack trace, but it's a go-nogo situation -- sticking with RETURN TO CALLER is better.

    And hey, no one said RCE would be easy. Or fast. Even with the right tools.

    Have Phun
    Blame Microsoft, get l337 !!
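
Added example (not part of the thread and not any poster's code): a Python sketch of the triage in step 4 above, collapsing many breakpoint hits to the first return address that falls inside the main exe. The module map, the addresses and the name `target.exe` are constructed for illustration.

```python
from collections import Counter

# Constructed module map: (base, size, name). Not taken from a real process.
MODULES = [
    (0x00400000, 0x00020000, "target.exe"),
    (0x70000000, 0x00500000, "clr_runtime.dll"),
    (0x71000000, 0x00300000, "framework_lib.dll"),
]

# Constructed breakpoint hits: the instruction that hit, followed by the return
# addresses collected by repeated "return to caller", innermost first.
HITS = [
    [0x70012345, 0x70100200, 0x71000abc, 0x00401a10, 0x00401050],
    [0x70012345, 0x70100200, 0x71000abc, 0x00401a10, 0x00401050],
    [0x70012399, 0x70100777, 0x00402b40, 0x00401050],
    [0x70012345, 0x70100200, 0x05a30010, 0x70100900],  # never enters target.exe
]

def module_of(addr, modules):
    """Return the name of the module containing addr, or None."""
    for base, size, name in modules:
        if base <= addr < base + size:
            return name
    return None

def first_frame_in(stack, target, modules):
    """First address in the stack (innermost first) that belongs to target."""
    for addr in stack:
        if module_of(addr, modules) == target:
            return addr
    return None

def rank_call_sites(hits, target, modules):
    """Collapse many hits to (address, count) pairs, plus unresolved stacks."""
    counts, unresolved = Counter(), []
    for stack in hits:
        addr = first_frame_in(stack, target, modules)
        if addr is None:
            unresolved.append(stack)  # keep for manual review, do not drop
        else:
            counts[addr] += 1
    return counts.most_common(), unresolved

if __name__ == "__main__":
    ranked, unresolved = rank_call_sites(HITS, "target.exe", MODULES)
    for addr, n in ranked:
        print(f"{addr:#010x}  {n} hit(s)")
    print(f"{len(unresolved)} stack(s) never reached target.exe")
```

Stacks whose frames lie outside every loaded image (JIT-compiled code is one source of such addresses) are returned as unresolved instead of being discarded.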

  3. #3
    nomatter
    Guest

    Memory Breakpoints

    Quote Originally Posted by Aimless View Post
    Here's what you could do:

    1. Try and get a debugger that enables you to put in memory breakpoints (using h/w Breakpoints rather than normal ones).
    I already thought about using memory breakpoints but the problem is I don't know where to place them because .NET places the known data on different locations at every execution.

    Also when I rerun the code again (by clicking the button again) the known data is stored a second time on a different location in memory.

  4. #4

    Ah, I see.

    In that case, you need something else.

    1. Download CHEAT ENGINE (now, I think in v5)
    2. Go through the tutorial, especially the part where it will show you how to get a fix on memory locations that continuously change.
    3. More importantly, use the DEBUGGER to pinpoint the offending instruction.

    Let me know how it goes.

    Have Phun
    Blame Microsoft, get l337 !!

  5. #5
    disavowed
    Quote Originally Posted by nomatter View Post
    From debugging the program I only know that before clicking a link a set of known data isn't in memory (confirmed by memory search) and after clicking it the data is in memory (all the time a different location).

    How can I find the code that generates this data?
    Use .NET Reflector to decompile the program and read the code for the link-clicked event.

  6. #6
    nomatter
    Guest
    @disavowed

    I tried using Reflector and it doesn't decompile the source because of some packing/obfuscation techniques.

    But I got another tip to use DILE (open source .net debugger) which worked great. I could read the CIL-Code and find the Method relevant to my problem.

    @Aimless

    After my success with DILE I didn't try Cheat Engine but thx for the tip and thx for your help!
