
OllyDbg Memorysearch


freudi_t
February 7th, 2011, 04:04
Hello everybody, I have the problem that I am looking for a special data sequence, which I know, in memory. I want to hit the moment when the prog loads this data. I know that the prog must use this data to decode something, but I never find it in memory.
Is it possible that the prog uses the data sequence in a hidden thread (NtSetInformationThread) and, because of that, OllyDbg will never find it?

Michael

Darkelf
February 7th, 2011, 10:28
Hi and welcome
Even if the data you are searching for is in another thread, it should be findable.
Can you see the data after it has been used? If not, how do you know it is used at all?
Do you know where it is used to decode something? I mean, do you know where to find the decoding routine? The data must be addressed somewhere. If the data is loaded at the same address every time, you could set a memory breakpoint on write (if the data is written from somewhere else).
To make it short, there are tons of possibilities. It would be helpful if you provided a bit more information.
Do so and we will find it together

Regards

freudi_t
February 7th, 2011, 12:49
I have a software (DLL). It is completely unsecured and easy to read, as I know now after going deeper into reverse engineering. I built my own PC in the eighties, so I know assembler very well, but I never did RE and such things.
My DLL uses a table of bytecodes that I use to de/encode something. These codes cannot be calculated. You must have the table; I'm quite sure about that.
Somebody else stole my code and uses this table. I'm very sure, because I found it sometimes in a vmem file of a VMware VM in which I let the "bad" program run. But I need big luck to stop the VM at the right moment. This means that the "bad" program holds the table only for a short time in memory, and I'm also quite sure about that because of the other code that I saw in there. He uses an EXE packer and injection stuff, but until now I didn't find anti-debugging stuff. Because of that, I think the best thing would be to have some kind of script that traces through the code and scans the memory after every machine command.
What do you think?
One last word: I'm really not angry at the bad guy. I must confess that I am a bit impressed by his quality (btw. I do not know him/her :-) ), but my goal is to find out what his program exactly did.

Michael

Darkelf
February 7th, 2011, 13:11
I'm not sure if I understand you correctly.
So you have the "bad" program as an .exe file, right?
It is packed with some packer/protector, right?
If this is correct so far, I'd suggest unpacking it first. You will find a lot more meaningful data in Olly afterwards.
I must admit I don't get how the VM is involved. Do you run it in Olly within a VM? Why do you have to stop the VM then?
If the program is legal and you don't want to "crack" something, a link to it would be useful. Send me a PM if you don't want to post it publicly.

regards

freudi_t
February 7th, 2011, 13:44
My program is legal, but not his. He cracked a lot of secured formats. I don't want him to be arrested or anything bad, so if it is not absolutely necessary I don't want to give you the link.

I started the bad program in a VM and suspended the VM while it was running. After that I just looked into the vmem file (with a simple hex viewer) for my bytes. After about 20-30 tries I found it in there, but after that no more luck.

That bad prog was "simply" UPX-packed. As I noted, I'm not so familiar with RE, but now I have it decompressed. Thanks for that tip.
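The offline search described in this thread (suspending the VM and scanning its vmem file for a known byte table) is easy to automate instead of paging through a hex viewer. The script below is an added example and not code from anyone in the thread; the 16-byte table, the file name and the offsets are constructed stand-ins, and the scan reads the image in chunks while carrying over a tail so that a table lying across a chunk boundary is still reported.

```python
import os
import tempfile


def find_pattern_in_file(path, pattern, chunk_size=1 << 20):
    """Return every file offset at which `pattern` occurs in the image at `path`.

    The file is read in chunks (a .vmem snapshot can be hundreds of MB) and
    len(pattern)-1 bytes are carried over from one chunk to the next, so a
    table that straddles a chunk boundary is not missed.
    """
    if not pattern:
        raise ValueError("pattern must be non-empty")
    overlap = len(pattern) - 1
    hits, base, buf = [], 0, b""            # base = file offset of buf[0]
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            buf += data
            start = 0
            while True:
                i = buf.find(pattern, start)
                if i < 0:
                    break
                hits.append(base + i)
                start = i + 1               # also report overlapping copies
            if len(buf) > overlap:          # keep only the tail that could
                base += len(buf) - overlap  # begin a boundary-straddling hit
                buf = buf[len(buf) - overlap:]
    return hits


def build_sample_image(path, pattern, offsets, size):
    """Write a constructed test image: zero filler with `pattern` placed at each
    offset. It stands in for a VM memory snapshot and is not a real .vmem file."""
    image = bytearray(size)
    for off in offsets:
        image[off:off + len(pattern)] = pattern
    with open(path, "wb") as f:
        f.write(image)


def run_demo():
    """Place a constructed 16-byte table at three offsets, two of them across
    4 KiB chunk boundaries, and return the offsets the scan reports."""
    table = bytes(range(0x10, 0x20))        # constructed stand-in for the table
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "snapshot.vmem")  # hypothetical file name
        build_sample_image(path, table, [100, 4090, 8184], 12288)
        return find_pattern_in_file(path, table, chunk_size=4096)


if __name__ == "__main__":
    for off in run_demo():
        print(f"table found at file offset 0x{off:x}")
```

With a real snapshot, pass the vmem path and your own table bytes to `find_pattern_in_file` and leave `chunk_size` at its default.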