How to find code generating known data?


nomatter
September 6th, 2010, 00:17
From debugging the program I only know that before clicking a link a set of known data isn't in memory (confirmed by memory search) and after clicking it the data is in memory (at a different location every time).

How can I find the code that generates this data?

One of the major problems (which might be important to know) is that it is a .NET program (which I can't analyze with Reflector because it is obfuscated). So I'm analyzing the assembly generated by .NET (in Olly / Immunity / IDA).

Instruction tracing or stepping through the code after the click isn't possible because .NET generates too much code to do it in acceptable time.

Aimless
September 6th, 2010, 01:49
Here's what you could do:

1. Try and get a debugger that enables you to put in memory breakpoints (using h/w Breakpoints rather than normal ones).

2. Run the program and see where it breaks. (Ensure that you have a debugger that enables you to record the number of times AND the instructions with addresses that the breakpoint occurred -- IDA does quite OK.)

3. Then, go to the offending instruction and do what you want to do.

Note however, that if a normal PE executable managed to create MOUNTAINS of data when the breakpoints hit (in instructions AND numbers) then the .NET will give you INSANE amounts -- primarily because all memory moving instructions will be done by the .NET CLR and THAT is what will hit you.

4. So, taking the point above, after you have a list of instructions where the breakpoints hit (presumably, under the .NET dlls and exes, not the main exe), the real grunt work begins. For EACH breakpoint hit, you need to RETURN TO CALLER and continue doing that UNTIL you hit the main exe. (You *could* try a stack trace, but it's a go/no-go situation -- sticking with RETURN TO CALLER is better.)

And hey, no one said RCE would be easy. Or fast. Even with the right tools.

Have Phun
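
Added example (not part of Aimless's post): once the breakpoint hits have been recorded, the "return to caller until you leave the runtime" triage in step 4 can be done over the log instead of by hand. The module map, addresses and hit stacks below are constructed sample data, and treating any frame outside the listed runtime modules (including JIT-compiled code that belongs to no module image) as application code is an assumption of this sketch.

```python
from bisect import bisect_right
from collections import Counter

# Constructed module map: (base, size, name). All addresses are made up.
MODULES = [
    (0x00400000, 0x00020000, "target.exe"),
    (0x79000000, 0x00600000, "mscorwks.dll"),
    (0x7A000000, 0x00300000, "mscorlib.ni.dll"),
]
RUNTIME = {"mscorwks.dll", "mscorlib.ni.dll"}  # frames to skip over

# Constructed hit log: per breakpoint hit, the writing instruction
# followed by its return addresses, innermost frame first.
HITS = [
    [0x79012345, 0x79020000, 0x00401A10],
    [0x79012345, 0x7A001000, 0x00401A10],
    [0x79012345, 0x79020000, 0x7A001000, 0x02B30048],  # JIT heap, no module
    [0x79055555, 0x79055600],                          # never leaves runtime
]

def module_of(addr, modules=MODULES):
    """Map an address to its module name, or '<unmapped>' if none."""
    mods = sorted(modules)
    i = bisect_right([m[0] for m in mods], addr) - 1
    if i >= 0 and addr < mods[i][0] + mods[i][1]:
        return mods[i][2]
    return "<unmapped>"

def first_app_frame(stack, runtime=RUNTIME):
    """Walk outward from the hit; return the first non-runtime frame."""
    for addr in stack:
        name = module_of(addr)
        if name not in runtime:
            return name, addr
    return None  # hit was purely runtime-internal (e.g. GC moving data)

def rank_callers(hits):
    """Count hits per application call site, most frequent first."""
    counts = Counter()
    for stack in hits:
        frame = first_app_frame(stack)
        if frame is not None:
            counts[frame] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (name, addr), n in rank_callers(HITS):
        print(f"{n:3d} hit(s) reached from {name} @ {addr:#010x}")
```

Call sites that account for most hits are the first places to look; hits that never leave the runtime are dropped as noise.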

nomatter
September 6th, 2010, 02:11
Quote:
[Originally Posted by Aimless;87680]Here's what you could do:

1. Try and get a debugger that enables you to put in memory breakpoints (using h/w Breakpoints rather than normal ones).



I already thought about using memory breakpoints but the problem is I don't know where to place them because .NET places the known data at different locations at every execution.

Also when I rerun the code again (by clicking the button again) the known data is stored a second time at a different location in memory.

Aimless
September 6th, 2010, 22:54
In that case, you need something else.

1. Download CHEAT ENGINE (now, I think in v5)
2. Go through the tutorial, especially the part where it will show you how to get a fix on memory locations that continuously change.
3. More importantly, use the DEBUGGER to pinpoint the offending instruction.

Let me know how it goes.

Have Phun

disavowed
September 6th, 2010, 23:27
Quote:
[Originally Posted by nomatter;87679]From debugging the program I only know that before clicking a link a set of known data isn't in memory (confirmed by memory search) and after clicking it the data is in memory (at a different location every time).

How can I find the code that generates this data?


Use .NET Reflector to decompile the program and read the code for the link-clicked event.

nomatter
September 10th, 2010, 04:10
@disavowed

I tried using Reflector and it doesn't decompile the source because of some packing/obfuscation techniques.

But I got another tip to use DILE (open source .NET debugger) which worked great. I could read the CIL code and find the method relevant to my problem.

@Aimless

After my success with DILE I didn't try Cheat Engine but thx for the tip and thx for your help!