
The Point-R technique


upb
October 25th, 2007, 17:04
Hello.

While trying to track down a really difficult problem in the production version of our software that only manifested itself in certain configurations on SunW, I thought to myself... There Must Be A Better Way!

So here, i present you the Point-R technique.
It is very similar to the hmemcpy technique which we all miss so much, in that it will give you a jump start with any debugging problem.

Just load the problematic file, be it a program of yours or something you need to crack, into IDA and run point-r.upb.idc.

Set a breakpoint on Point-R, let it run until the breakpoint breaks and you will be at the core of the problem at hand.

The script will find Point-R by utilizing a series of successive complex approximations, much in the same way you would find a square root with some fixed precision.

Enjoy and comment/enhance it!

Attachment: point-r.upb.idc.txt (http://www.woodmann.com/forum/blog_attachment.php?attachmentid=1&d=1193347587)

dELTA
October 26th, 2007, 02:38
Cool, very interesting.

LLXX
October 27th, 2007, 01:58
So, what exactly is it supposed to do?

Quote:
Just load the problematic file, be it a program of yours or something you need to crack, into ida and run point-r.upb.idc.
Yes, but what is this "problem" you speak of? I know hmemcpy is a common data transfer point, but this "point R" appears to merely be a hash of bytes.

tl;dr: I think you need to elaborate a bit more.

upb
October 28th, 2007, 00:52
Quote:
[Originally Posted by LLXX;69854]So, what exactly is it supposed to do?

Yes, but what is this "problem" you speak of? I know hmemcpy is a common data transfer point, but this "point R" appears to merely be a hash of bytes.

tl;dr: I think you need to elaborate a bit more.


Indeed, the initial approximation of Point-R is found by a hash.
The approximation is made better and better by applying a R function few thousand times.

So each binary has a unique Point-R.

Breakpointing Point-R is appropriate for solving any problem,
like hmemcpy and Point-H, only Point-R is more efficient.

I hope this answers the question; if it doesn't, read the enhanceR function (it saves you from reading the too long code) and you will understand the meaning behind Point-R.

LLXX
October 28th, 2007, 15:01
Quote:
[Originally Posted by upb;69878]Breakpointing Point-R is appropriate for solving any problem,
like hmemcpy and Point-H, only Point-R is more efficient.
I understand perfectly well what you're doing, but it's a question of why you're doing it. "solving any problem" sounds like a panacea for every bug in existence, and if performing an iterative algorithm over the bytes of code could somehow locate every single bug, algorithmic or not, then you've successfully overturned 50+ years of computability theory and written something "divine", capable of reading the programmer's mind to figure out what she intended.

I am not convinced.

dELTA
October 28th, 2007, 16:59
Exactly what are you not convinced about?

Is it which problem this technique is aimed at solving/helping out with? In that case please see the many tutorials written about hmemcopy, and Ricardo's tutorials about Point-H.

Is it how the technique goes about accomplishing its goal? In that case please be a little more specific about exactly which part it is that you don't understand, and I'm sure upb will be able to explain it to you.

Shub-nigurrath
October 29th, 2007, 03:45
Just late joining.
As far as I understood, point-r is somehow similar to point-h, a crucial point from where some memory things flow, like any other point-* already known.
What is not clear to me are the following points instead which I would ask to upb..

1. if you use a script means that point-r is a point into the executable and not in the system like point-h
2. who discovered it, because I never heard of it before
3. what it is supposed to be used for
4. what exactly this script does, better, what is the theory behind this script, because the script is quite simple afterall..
5. some example of some application where this point-r can be used and for what (well this is similar to point 3)
6. who discovered it, is the idea yours?
7. point-h was used for some specific problems, not a panacea, but useful in some cases. why this is better and for what?

well those questions are enough..

Thanks for clarifications of course

upb
October 30th, 2007, 15:12
Quote:
[Originally Posted by Shub-nigurrath;69905]
1. if you use a script means that point-r is a point into the executable and not in the system like point-h

Correct

Quote:
[Originally Posted by Shub-nigurrath;69905]
2. who discovered it, because I never heard of it before

Like i wrote in the OP, i discovered it by accident.

Quote:
[Originally Posted by Shub-nigurrath;69905]
3. what it is supposed to be used for

It's supposed to be used to put an execution or data read/write breakpoint on, depending on whether it is at data or instructions and also depending on the problem at hand. Basically, you can break on it when you have no idea where to start, exactly like you would use hmemcpy or Point-H.

Quote:
[Originally Posted by Shub-nigurrath;69905]
4. what exactly this script does, better, what is the theory behind this script, because the script is quite simple afterall..

Point-R of a PE executable is the instruction/data at the address that is found as follows:

1. seed: iteratively left-rotate the previous value by 24 positions and exclusive-or the current byte into it, modulo 2^32, over the first 1000 bytes of the first section of the PE executable;
2. iterate a 32 bit LFSR with feedback polynomial x^13 + x^16 + x^17 + x^18 + 1, seeded by that value, 20000 times;
3. take the result modulo the size of the section containing the entry point;
4. add it to the start address of the section containing the entry point.

The LFSR is used to gain the R in Point-R, the seed value is used to make Point-R specific to each PE sharing the first 1000 bytes of the first section.

Quote:
[Originally Posted by Shub-nigurrath;69905]
5. some example of some application where this point-r can be used and for what (well this is similar to point 3)

A sample application of the Point-R technique can be found in the first paragraph of OP.

Quote:
[Originally Posted by Shub-nigurrath;69905]
6. who discovered it, the idea is your?

Yes, same as point 2.
Are you suggesting ideas never heard of before, or discovered by someone not famous in the cracking scene, are invalid/useless by definition ?

Quote:
[Originally Posted by Shub-nigurrath;69905]
7. point-h was used for some specific problems, not a panacea, but useful in some cases. why this is better and for what?

Point-R is not a panacea either. It is only useful to get an efficient jump-start when one is out of ideas for a starting point. It can prove to be quite useful, like in the case mentioned in the OP.

Quote:
[Originally Posted by Shub-nigurrath;69905]
well those questions are enough..

Thanks for clarifications of course

Thanks for asking

Hope those answers bring peace to your mind
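The recipe upb gives in point 4 above is concrete enough to reimplement. The script below is an added example written from that description only; it is not the attached point-r.upb.idc and not upb's code. Two details the post does not pin down are assumptions here: the LFSR is run in Fibonacci form with the feedback bit taken from register bits 13, 16, 17 and 18 and shifted in at bit 0, and "size of the section containing the entry point" is taken as the section's VirtualSize (IDA's segment bounds). The PE image it runs on is a constructed single-section PE32 header wrapped around a byte pattern, so the script runs offline; the `.text` bytes are a stand-in for code, not a real program. What it makes visible is what the later replies in the thread hint at: the address depends on nothing but the first 1000 bytes of the first section and the section's start and size, so a flipped byte past offset 1000 leaves "Point-R" exactly where it was, and an all-zero prefix puts it precisely at the section start.

```python
"""Point-R recomputed from the thread's description (added example, not the attached IDC script)."""
from collections import namedtuple
import struct

MASK32 = 0xFFFFFFFF
Section = namedtuple("Section", "name va vsize raw_ptr raw_size")


def rotl32(v, n):
    """Rotate a 32-bit value left by n bits."""
    n %= 32
    return ((v << n) | (v >> (32 - n))) & MASK32


def point_r_seed(first_section_bytes, limit=1000):
    """Seed hash from the post: v = rotl32(v, 24) ^ byte, over the first `limit` bytes."""
    v = 0
    for b in first_section_bytes[:limit]:
        v = rotl32(v, 24) ^ b
    return v


def lfsr_step(state):
    """One shift of a 32-bit LFSR fed from bits 13, 16, 17 and 18 (Fibonacci form: assumption).

    The post names only the polynomial x^13 + x^16 + x^17 + x^18 + 1, not the register
    convention. An all-zero state is a fixed point, so a zero seed never leaves 0.
    """
    fb = ((state >> 13) ^ (state >> 16) ^ (state >> 17) ^ (state >> 18)) & 1
    return ((state << 1) | fb) & MASK32


def lfsr_iterate(state, rounds=20000):
    for _ in range(rounds):
        state = lfsr_step(state)
    return state


def parse_pe(data):
    """Minimal PE parser: returns (image_base, entry_rva, [Section, ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii"), va, vsize, raw_ptr, raw_size))
    return image_base, entry_rva, sections


def point_r(data, rounds=20000):
    """Virtual address of Point-R per the thread's recipe; section size = VirtualSize (assumption)."""
    image_base, entry_rva, sections = parse_pe(data)
    first = sections[0]
    first_bytes = data[first.raw_ptr:first.raw_ptr + first.raw_size]
    ep_sec = next(s for s in sections if s.va <= entry_rva < s.va + s.vsize)
    state = lfsr_iterate(point_r_seed(first_bytes), rounds)
    return image_base + ep_sec.va + (state % ep_sec.vsize)


def build_minimal_pe(text, image_base=0x400000, text_va=0x1000):
    """Constructed sample: a single-section PE32 header around `text` (not a runnable program)."""
    opt_size = 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, text_va)                         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    raw_ptr = len(dos) + 4 + len(coff) + opt_size + 40
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_va, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec + text


SAMPLE_TEXT = bytes((i * 7 + 3) & 0xFF for i in range(1200))   # constructed stand-in for code bytes


def demo():
    """Point-R for the sample, with byte 999 flipped (inside the hashed prefix) and byte 1100 flipped (outside it)."""
    inside = bytearray(SAMPLE_TEXT); inside[999] ^= 1
    beyond = bytearray(SAMPLE_TEXT); beyond[1100] ^= 1
    return (point_r(build_minimal_pe(SAMPLE_TEXT)),
            point_r(build_minimal_pe(bytes(inside))),
            point_r(build_minimal_pe(bytes(beyond))))


if __name__ == "__main__":
    base, inside, beyond = demo()
    print("Point-R            : 0x%08X" % base)
    print("byte 999 flipped   : 0x%08X (seed changed)" % inside)
    print("byte 1100 flipped  : 0x%08X (unchanged: only the first 1000 bytes are hashed)" % beyond)
```

To try it on a real file, replace `build_minimal_pe(SAMPLE_TEXT)` with the bytes of any PE32/PE32+ image; the value printed will differ from the IDC script's if the script's LFSR convention differs from the one assumed here, but the property shown (nothing past the first 1000 bytes of the first section influences the address) follows from the description itself.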

PowerUp
October 30th, 2007, 16:01
Does R stands for 'Random'?
This script looks like (is?) some bullshit calculating hell knows what (nothing senseful?)...
In what way is it similar to point-h? I see nothing in common, just some guy claiming so.

Quote:
It is only useful to get an efficient jump-start when one is out of ideas for a starting point.

Like if you're already lost in program this should make you lost even more?

Quote:
The script will find Point-R by utilizing a series of successive complex approximations, much in the same way you would find a square root with some fixed precision.

ROFL. You probably haven't seen complex things if you call this complex...

[EDIT JMI]

After Woodmann warned PowerUp about his "useless comments," he chose to follow up with another "useless comment" to Woodmann. I then edited that post and warned him that on his next "useless comment," HE would be deleted. Completely lacking any common sense or self control, he chose to demonstrate, yet again, that he's so important that nobody can tell him what to do and so now he's joined the "goners."

JMI

Shub-nigurrath
October 30th, 2007, 19:21
tsch upb,
your sarcasm is not very welcome; my mind never worries about these reversing things, my worries are others. Asking questions is always legit; correctly answering is just a matter of education. Anyway, thanks to your answer to my 4th point I finally understood the real meaning of the "R".

Woodmann
October 30th, 2007, 22:10
Shub,

upb is not being sarcastic, it is just a poor translation of his words.
He/she meant no offense.

PowerUp, thanks for the useless comment.
Didn't your mama ever tell you to keep your mouth shut unless you have something constructive to say?

Woodmann

Kayaker
October 30th, 2007, 22:32
Oh I don't know, I think that's kind of funny.

In fact, upb wins this month's RCE Yank Award for yanking everyone's chain.

And here it is (allow gif animation)



(seriously though, I think you need to do something about the bytes that are replaced (IsClipboardFormatAvailable is overwritten in notepad) - maybe you can incorporate an automated code cave to run the overwritten code?)

C'mon, we're reversers, we're supposed to be able to figure out when we're being f***'ed over..

blurcode
October 31st, 2007, 09:08
1up to JMI. Btw, does anyone know how hmemcpy was found (was it found in a manual, told by some Microsoft programmer, etc.)?

LLXX
October 31st, 2007, 18:46
This thread is full of drama and lulz.

Quote:
Does R stands for 'Random'?
This script looks like (is?) some bullshit calculating hell knows what (nothing senseful?)...
In what way is it similar to point-h? I see nothing in common, just some guy claiming so.
You spoiled the joke! Enjoy ur B&!

upb, you should've saved this one for April 1st of next year.

@blurcode: hmemcpy was known back in the times of +ORC as a well-used data-transfer point, and was apparently documented in the Windows SDKs, hence an article about its obsolescence appearing on MSDN (just Google 'hmemcpy' and you'll find it).

blurcode
November 1st, 2007, 06:07
Thank you Litana.

blabberer
November 1st, 2007, 10:28
Quote:
[Originally Posted by blurcode;69947]1up to JMI. Btw, does anyone know how hmemcpy was found (was it found in a manual, told by some Microsoft programmer, etc.)?


Quote:


What was the purpose of the hPrevInstance parameter to WinMain?
Once your average GUI program picks itself up off the ground, control begins at your WinMain function. The second parameter, hPrevInstance, is always zero in Win32 programs. Certainly it had a meaning at some point?

Of course it did.

In 16-bit Windows there was a function called GetInstanceData. This function took an HINSTANCE, a pointer, and a length, and copied memory from that instance into your current instance. (It's sort of the 16-bit equivalent to ReadProcessMemory, with the restriction that the second and third parameters had to be the same.)

(Since 16-bit Windows had a common address space, the GetInstanceData function was really nothing more than a hmemcpy, and many programs relied on this and just used raw hmemcpy instead of using the documented API. Win16 was actually designed with the possibility of imposing separate address spaces in a future version - observe flags like GMEM_SHARED - but the prevalence of tricks like hmemcpy'ing your previous instance reduced this potential to an unrealized dream.)



Always ask Raymond these odd questions; he has an answer every time.

http://blogs.msdn.com/oldnewthing/archive/2004/06/15/156022.aspx

it is a documented ? undocumented ? whoknowsmented api

You can find references to this API in some VB version 2.0 code in MSDN:

Code:

' VB line continuations (" _") added so the Declares are syntactically valid
Declare Sub hmemcpy Lib "kernel" (hpvDest As Any, _
    ByVal hpvSource As Any, _
    ByVal cbCopy As Long)
Declare Sub hmemcpy2 Lib "kernel" Alias "hmemcpy" (hpvDest As Any, _
    hpvSource As Any, _
    ByVal cbCopy As Long)

http://support.microsoft.com/kb/119395

It's an internal non-exported function, I believe, that ends up in ntdll in later OSes under the name RtlCopyMemory or RtlMoveMemory.

Quote:

A little research found another MSDN article taken from Bruce McKinney's excellent book "Hardcore Visual Basic". If you can find a copy, then you can follow the trail to Bruce McKinney's replacement for hmemcpy() - CopyMemory(). This is defined as an "alias" for the RtlMoveMemory() function that resides in the Kernel32 library. Bruce gets all of the credit for this and thus for most of what follows, excluding any mistakes - these are all mine.

The code below can be downloaded (with a demonstration screen) as a zip file by clicking here (3 KB). Instructions for the demo can be found towards the end of this page.

In order to use the following functions you will need to declare the following:

Declare Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" _
    (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)
http://www.adit.co.uk/html/numbers.html

blurcode
November 1st, 2007, 17:44
Also thanks blabberer. I visited the first site after searching on Google but did poor reading (fast reading actually, but it was poor also); I'd seen the Visual Basic code in the search results and skipped it, ermmm, because it was Visual Basic. Shame on me.

habituallurker
November 5th, 2007, 23:16
Hey upb (greets from another time and place),

I realize you're taking the piss, but:

Message(form("\nPoint-R at 0x%08X!\n", r));

Message is already a variadic function, there's no need to call form(). E.g. this is functionally equivalent:

Message("\nPoint-R at 0x%08X!\n", r);

And furthermore, if you do this:

Message("%lx: Point-R!\n", r);

You will be able to double-click that line in IDA's status window to jump there immediately.

upb
November 6th, 2007, 12:03
Quote:
[Originally Posted by habituallurker;70066]Hey upb (greets from another time and place),


Hmmmmmmmm? :P :P I knew you couldn't resist :P

Thx for the advice

LLXX
November 10th, 2007, 04:30
Quote:
[Originally Posted by blurcode;69982]Also thanks blabberer. I visited the first site after searching on Google but did poor reading (fast reading actually, but it was poor also); I'd seen the Visual Basic code in the search results and skipped it, ermmm, because it was Visual Basic. Shame on me.
I do it too. It certainly is annoying to see loads of VB crap in the SERPs when all you want to do is find something in C/C++. I suppose ignoring them is just a habit that forms over time if you're not a VB "programmer".