Hi guys,
I'm working on reverse-engineering a rather nasty little PDF security module which has been implemented as a .API plugin for Adobe Reader / Acrobat Reader. Basically, it generates a UUID from the local machine, sends that UUID and a ton of personal information to a server, then the server sends back an encryption key and a set of permissions (can print / can't print, expiry date, etc.)

I've figured out most of the crypto side of things, but it generates a bunch of padding data for an MD5 operation at runtime. I'd rather like to snaffle the contents of this padding buffer, and I know where my BPX needs to be, but it's executed almost immediately after AR starts up. I'm using Ollydbg to spy on it while it's running, but I can't see any obvious way to breakpoint a DLL, or cause a trap when a new DLL is loaded in.

In Softice I'd have BPX'd LoadLibrary and LoadLibraryEx, then wait for the .API file to load and set my breakpoints. Problem is, this tactic doesn't seem to work with AR, or at least it doesn't work with Ollydbg. The breakpoints never trap, and AR keeps loading.

So how do I go about breaking into a DLL that's dynamically loaded at runtime?

Thanks!

olly: options ->debugging options[checkbreak on new module]..
of course this all depends on how said plugin framework loads plugin into memory..

regards BanMe

It's just a Loadlibrary call. Nothing particularly weird or wonderful.
Break-on-new-module worked great! I had to F9 a couple of times until AR9 loaded the plugin, but once it had loaded in I set a couple of breakpoints on code I'd found with IDA, and extracted the encryption key I needed.

So much easier than tracing a dead-listing

EDIT: Even found out which bit of the client/server handshaking was broken, so now I can grab the key straight off the server. Digital rights management indeed, this thing's got more holes than a lump of Swiss cheese.