Hello.

While trying to track down a really difficult problem in the production version of our software that only manifested itself in certain configurations on SunW,
i thought to myself... There Must Be A Better Way!

So here, i present you the Point-R technique.
It is very similar to the hmemcpy technique which we all miss so much, in that it will give you a jump start with any debugging problem.

Just load the problematic file, be it a program of yours or something you need to crack, into ida and run point-r.upb.idc.

Set a breakpoint on Point-R, let it run until the breakpoint breaks and you will be at the core of the problem at hand.

The script will find Point-R by utilizing a series of successive complex approximations, much in the same way you would find a square root with some fixed precision.

Enjoy and comment/enhance it!

http://www.woodmann.com/forum/attach/txt.gifpoint-r.upb.idc.txt ("http://www.woodmann.com/forum/blog_attachment.php?attachmentid=1&d=1193347587")

Cool, very interesting.

So, what exactly is it supposed to do?

Yes, but what is this "problem" you speak of? I know hmemcpy is a common data transfer point, but this "point R" appears to merely be a hash of bytes.

tl;dr: I think you need to elaborate a bit more.

Indeed, the initial approximation of Point-R is found by a hash.
The approximation is made better and better by applying a R function few thousand times.

So each binary has a unique Point-R.

Breakpointing Point-R is appropriate for solving any problem,
like hmemcpy and Point-H, only Point-R is more efficient.

I hope this answers the question, if it doesnt read the enhanceR function (saves your from reading the too long code), you will understand the meaning behind Point-R

I understand perfectly well what you're doing, but it's a question of why you're doing it. "solving any problem" sounds like a panacea for every bug in existence, and if performing an iterative algorithm over the bytes of code could somehow locate every single bug, algorithmic or not, then you've successfully overturned 50+ years of computability theory and written something "divine", capable of reading the programmer's mind to figure out what she intended.

I am not convinced.

Exactly what are you not convinced about?

Is it which problem this technique is aimed at solving/helping out with? In that case please see the many tutorials written about hmemcopy, and Ricardo's tutorials about Point-H.

Is it how the technique goes about accomplishing its goal? In that case please be a little more specific about exactly which part it is that you don't understand, and I'm sure upb will be able to explain it to you.

Just late joining.
as far as I understood point-r is somehow similar to point-h, a crucial point from where some memory things flows, like any other point-* already known.
What is not clear to me are the following points instead which I would ask to upb..

1. if you use a script means that point-r is a point into the executable and not in the system like point-h
2. who discovered it, because I never heard of it before
3. what it is supposed to be used for
4. what exactly this script does, better, what is the theory behind this script, because the script is quite simple afterall..
5. some example of some application where this point-r can be used and for what (well this is similar to point 3)
6. who discovered it, the idea is your?
7. point-h was used for some specific problems, not a panacea, but useful in some cases. why this is better and for what?

well those questions are enough..

Thanks for clarifications of course

Correct


Like i wrote in the OP, i discovered it by accident.


It's supposed to be used to put an execution or data read/write breakpoint on , depending whether it is at data or instructions and also depending on the problem at hand. Basically, you can break on it when you have no idea where to start, exactly like you would use hmemcpy or Point-H.


Point-R of a PE executable is

the instruction/data at the address that is found by
iterating

a 32 bit LFSR with feedback polynomial x^13 + x^16 +x^17 + x^18 + 1, seeded by the value calculated by

iteratively left-rotating the previous value by 24 positions and exclusive-or ing to it the current byte, modulo 2^32, over the first 1000 bytes of the first section of the PE executable

20000 times
modulo size of section containing entry point
added to the start address of section containing entry point.

The LFSR is used to gain the R in Point-R, the seed value is used to make Point-R specific to each PE sharing the first 1000 bytes of the first section.


A sample application of the Point-R technique can be found in the first paragraph of OP.


Yes, same as point 2.
Are you suggesting ideas never heard of before, or discovered by someone not famous in the cracking scene, are invalid/useless by definition ?


Point-R is not a panacea either. It is only useful to get an efficient jump-start when one is out of ideas for a starting point. It can prove to be quite usefull, like in the case mentioned in OP.


Thanks for asking

Hope those answers bring peace to your mind

Does R stands for 'Random'?
This script looks like (is?) some bullshit calculating hell knows what (nothing senseful?)...
In what way is it similar to point-h? I see nothing in common, just some guy claiming so.


Like if you're already lost in program this should make you lost even more?


ROFL. You probably haven't seen complex things if you call this complex...

[EDIT JMI]

After Woodmann warned PowerUp about his "useless comments," he chose to follow up with another "useless comment" to Woodmann. I then edited that post and warned him that on his next "useless comment," HE would be deleted. Completely lacking any commen sense or self control, he chose to demonstrate, yet again, that he's so important that nobody can tell him what to do and so now he's joined the "goners."

JMI

tsch upb,
your sarcasm is not very well welcome, my mind never worries about these reversing things, my worries are others. Asking questions is always legit, correctly answering is just a matter of education..anyway thanks to your answer to my 4th point I finally understood also the real meaning of the "R"

Shub,

upb is not being sarcastic, it is just a poor translation of his words.
He/she meant no offense.

PowerUp, thanks for the useless comment.
Didnt your mama ever tell you to keep your mouth shut unless you have something constructive to say?

Woodmann

Oh I don't know, I think that's kind of funny.

In fact, Upb wins this months RCE Yank Award for yanking everyone's chain

And here it is (allow gif animation)



(seriously though, I think you need to do something about the bytes that are replaced (IsClipboardFormatAvailable is overwritten in notepad) - maybe you can incorporate an automated code cave to run the overwritten code?

C'mon, we're reversers, we're supposed to be able to figure out when we're being f***'ed over..

1up to JMI, btw anyone knows how hmemcpy was found (was found in a manual, told by some microsoft's programmer, etc)?

This thread is full of drama and lulz.

You spoiled the joke! Enjoy ur B&!

upb, you should've saved this one for April 1st of next year.

@blurcode: hmemcpy was known back in the times of +ORC as a well-used data-transfer-point, and was apparently documented in the Windows SDKs, hence an article about its obolescence appearing on MSDN (just Google 'hmemcpy' and you'll find it).

Thank you Litana.

always ask raymond these odd question he has an answer all the times

http://blogs.msdn.com/oldnewthing/archive/2004/06/15/156022.aspx

it is a documented ? undocumented ? whoknowsmented api

you can find referances to this api in some vb version 2.0 codes in msdn


http://support.microsoft.com/kb/119395

its an internal non exported function i believe that ends up in ntdll in later oses under the name RtlCopyMemory or RtlMoveMemeory

Also thanks blabberer, i visited the first site after searching on google but did poor reading (fast reading actually but it was poor also), i've seen the visual basic code on search results and skipped them ermmm because they were visual basic, shame on me

Hey upb (greets from another time and place),

I realize you're taking the piss, but:

Message(form("\nPoint-R at 0x%08X!\n", r));

Message is already a variadic function, there's no need to call form(). E.g. this is functionally equivalent:

Message("\nPoint-R at 0x%08X!\n", r);

And furthermore, if you do this:

Message("%lx: Point-R!\n", r);

You will be able to double-click that line in IDA's status window to jump there immediately.

hmmmmmmmm ?:P:P i knew you couldnt resist :P

Thx for the advice

I do it too. It certainly is annoying to see loads of VB crap in the SERPs when all you want to do is find something in C/C++ I suppose ignoring them is just a habit that forms over time if you're not a VB "programmer".