
TLS Callback with invalid entries


kickenchicken57
December 8th, 2008, 12:36
This is my first post here so please don't flame me. If this is in the wrong area just let me know. I believe this is more of an advanced question than a newbie question.

I am using the IDA Pro 5.2 debugger to try to set a breakpoint in WinMain and on the first line of the startup routine in an executable, but my breakpoints are never hit and the executable continues to run. After further investigation it looks like the technique in use is a TLS callback routine that has an invalid value in the TLS_DIRECTORY that is fixed during loading with base relocation on the executable. I am still having a little bit of trouble determining how to figure out where the real TLS callback routine is located. There is a little bit of information on this technique here:

http://hype-free.blogspot.com/2008/10/playing-tricks-with-windows-pe-loader.html

Here is a link to a rar with the executable :

http://wiki.gbatemp.net/wiki/...pdaterTool.rar

Does anyone have any experience with this?

evaluator
December 8th, 2008, 14:29
If you think a TLS callback is used, then find in kernel32.dll the CALL to the TLS callbacks, put a breakpoint there & ... move there

kickenchicken57
December 8th, 2008, 17:30
Thanks,

I will try this next and see how it goes.

deroko
December 9th, 2008, 18:19
I can't download the .rar as it has '...' and live links are not permitted

kickenchicken57
December 10th, 2008, 19:57
How can I provide a link?

JMI
December 10th, 2008, 20:01
If it is a commercial product, then you must do it in a PM (private message) and not post it in the open forum. If it is not a commercial product, then post the complete link and our software will keep it from becoming clickable.

Regards,

kickenchicken57
December 10th, 2008, 21:10
The application is used to update the firmware on a DS-Xtreme (info at http://www.ds-x.com/cgi-bin/dsx/engine.pl?page=home). The DS-Xtreme is a card for the Nintendo DS that allows you to play homebrew and "other" roms. The idea is that if I reverse the updater application I can figure out how the firmware is packed into a .bin file so that I can extract it and begin reversing it. I would think that this does not fall in the commercial category because the updater is freely available even if you have not purchased a DS-Xtreme card, but I will just send a PM to those interested in taking a look at the application for now.

The problem that I am having is that I can't seem to break the protection on the updater. I have yet to try debugging the loader. My tool of choice is IDA Pro 5.2 and I can't figure out how I can set a breakpoint on the Windows loader while I have the database for the updater application open. Maybe I need to try another debugger?

arc_
December 24th, 2008, 21:07
You say yourself that the value is fixed using base relocation... So can't you simply calculate the result of the relocation yourself and find out the location of the callback? Or maybe even simply look at the callback pointer's value at runtime. Once you've found the location you can simply place a breakpoint on it in IDA to debug it. Also, you can easily see (valid) TLS callback routines in the Entry Points window (ctrl-E).

I would also recommend using e.g. IDAStealth to hide IDA from common debugger detection tricks.
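Working out the relocated callback address yourself, as arc_ suggests, can be scripted. The following is an added example and not code from the thread or from the updater: it applies the .reloc fixups to a constructed PE32 memory image (the RVAs, bases and values are all made up for the sample) and then walks the TLS callback table. In the sample the stored callback slot is garbage at the preferred base and is listed twice in .reloc, so it only points into the image after both fixups; that double entry is an assumption chosen to illustrate an entry that becomes valid only at load time, not a claim about how the updater does it.

```python
import struct

REL_ABSOLUTE, REL_HIGHLOW = 0, 3  # IMAGE_REL_BASED_ABSOLUTE (padding), IMAGE_REL_BASED_HIGHLOW (32-bit delta)
PREFERRED_BASE = 0x00400000       # ImageBase of the constructed sample
TLS_DIR_RVA, CALLBACK_TABLE_RVA, RELOC_RVA = 0x2000, 0x2100, 0x3000  # constructed RVAs

def apply_relocations(image, preferred_base, load_base, reloc_rva, reloc_size):
    """Apply IMAGE_BASE_RELOCATION blocks to a flat, RVA-indexed PE32 image the
    way the loader does before TLS callbacks run. Returns the fixed-up RVAs."""
    delta = (load_base - preferred_base) & 0xFFFFFFFF
    fixed, pos, end = [], reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        for off in range(pos + 8, pos + block_size, 2):
            (entry,) = struct.unpack_from("<H", image, off)
            rtype, target = entry >> 12, page_rva + (entry & 0xFFF)
            if rtype == REL_ABSOLUTE:
                continue
            if rtype != REL_HIGHLOW:
                raise ValueError("unsupported relocation type %d" % rtype)
            (val,) = struct.unpack_from("<I", image, target)
            struct.pack_into("<I", image, target, (val + delta) & 0xFFFFFFFF)
            fixed.append(target)  # a slot listed twice receives the delta twice
        pos += block_size
    return fixed

def read_tls_callbacks(image, load_base, tls_rva):
    """Follow IMAGE_TLS_DIRECTORY32.AddressOfCallBacks (a VA at offset 12) and
    return the callback VAs up to the terminating NULL."""
    (table_va,) = struct.unpack_from("<I", image, tls_rva + 12)
    callbacks, rva = [], table_va - load_base
    while struct.unpack_from("<I", image, rva)[0] != 0:
        callbacks.append(struct.unpack_from("<I", image, rva)[0])
        rva += 4
    return callbacks

def build_sample_image():
    """Constructed image: the callback slot is garbage at the preferred base and
    is listed twice in .reloc, so it points into the image only after both fixups."""
    img = bytearray(0x4000)
    struct.pack_into("<I", img, TLS_DIR_RVA + 12, PREFERRED_BASE + CALLBACK_TABLE_RVA)
    struct.pack_into("<I", img, CALLBACK_TABLE_RVA, 0xF0801234)  # 0xF0401234 past the image at 0x400000
    hl = REL_HIGHLOW << 12
    entries = (hl | 0x00C, hl | 0x100, hl | 0x100, REL_ABSOLUTE)  # one block for page 0x2000
    struct.pack_into("<II4H", img, RELOC_RVA, 0x2000, 8 + 2 * len(entries), *entries)
    return img

def resolve_callbacks(load_base):
    """Callback VAs the loader actually invokes when the sample lands at load_base."""
    img = build_sample_image()
    apply_relocations(img, PREFERRED_BASE, load_base, RELOC_RVA, 16)
    return read_tls_callbacks(img, load_base, TLS_DIR_RVA)
```

With the sample loaded at 0x10000000 the delta is 0x0FC00000, applied twice to the slot, and the only callback resolves to 0x10001234 (RVA 0x1234), which is where a breakpoint would go; read without fixups the same slot is 0xF0801234.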