Results 1 to 8 of 8

Thread: TLS Callback with invalid entries

  1. #1

    TLS Callback with invalid entries

    This is my first post here so please don't flame me. If this is in the wrong area just let me know. I believe this is more of an advanced question than a newbie question.

    I am using the IDA Pro 5.2 debugger to try to set a breakpoint in WinMain and on the first line of the startup routine in an executable, but my breakpoints are never hit and the executable continues to run. After further investigation it looks like the technique in use is a tls callback routine that has an invalid value in the TLS_DIRECTORY that is fixed during loading with base relocation on the executable. I am still having a little bit of trouble determining how to figure out where the real tls callback routine is located. The is a little bit of information on this technique here:

    Here is a link to a rar with the executable :

    Does anyone have any experience with this?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Blog Entries
    if you think > TLS callback used, then find in kernel32.dll CALL to TLS-callbacks, put there breakpoint & ... move there

  3. #3

    I will try this next and see how it goes.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    I can't download .rar as it has '...' and live links are not permited

  5. #5
    How can I provide a link?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    If it is a commercial product, then you must do it in a PM (private message) and not post it in the open forum. If it is not a commercial product, then post the complete link and our software will keep it from becoming clickable.


  7. #7
    The application is used to update the firmware on a DS-Xtreme (info at The DS-Xtreme is a card for the Nintendo DS that allows you to play homebrew and "other" roms. The idea is that If I reverse the updater application I can figure out how the firmware is packed into a .bin file so that I can extract it and begin reversing it. I would think that this does not fall in the commercial category because the updater is freely available even if you have not purchased a DS-Xtreme card but I will just send a PM to those interested in taking a look at the application for now.

    The problem that I am having is that I can't seem to break the protection on the updater. I have yet to try debugging the loader. My tool of choice is IDA Pro 5.2 and I can't figure out how I can set a breakpoint on the windows loader while I have the database for the updater application open. Maybe I need to try another debugger?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    You say yourself that the value is fixed using base relocation... So can't you simply calculate the result of the relocation yourself and find out the location of the callback? Or maybe even simply look at the callback pointer's value at runtime. Once you've found the location you can simply place a breakpoint on it in IDA to debug it. Also, you can easily see (valid) TLS callback routines in the Entry Points window (ctrl-E).

    I would also recommend using e.g. IDAStealth to hide IDA from common debugger detection tricks.
    Last edited by arc_; December 24th, 2008 at 21:24.

Similar Threads

  1. Replies: 6
    Last Post: July 23rd, 2011, 04:28
  2. Replies: 0
    Last Post: January 12th, 2008, 00:08
  3. Replies: 0
    Last Post: October 19th, 2007, 20:49
  4. FlexLM7.2 -invalid pointer to the job structure
    By fafel in forum Advanced Reversing and Programming
    Replies: 0
    Last Post: January 21st, 2004, 07:11


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts