
View Full Version : Newbie question: why aren't hardware breakpoints breaking???


IGOR
December 30th, 2003, 13:39
Hello,

This is my very first post. I'm new to RE so often simple things can get me lost.
I have been playing with an application that PEiD identifies as being protected by ASProtect 1.2 / 1.2c. I did not unpack it (I would not know where to start from) and I have only been letting the application run under the control of a debugger and once unpacked and running I have taken a look at its code. In one of the experiments I have done I have identified interesting code and wanting to know when that code is generated by the unpacking routines I have placed hardware breakpoints on the bytes where that code should "appear" ... well, those breakpoints never break. The same exact thing works as I would expect under an UPX protected application but not under this asprotected application. I expect that asprotect must be "blamed" for this behavior. Is anyone willing to provide me a hint on how this is accomplished and how I could stop it?

IGOR

Ricardo Narvaja
December 30th, 2003, 18:33
ASProtect erases the hardware bpx. I made a tut on how ASProtect and ACProtect erase the hardware bpx and how you can keep them working.

It is in Spanish on my FTP.

Ricardo Narvaja


IGOR
December 30th, 2003, 18:45
Ricardo,

I can attempt to read Spanish (my native language isn't too different). Please let me know the title of your tutorial. I should have the coordinates to get to your FTP repo.

IGOR

Ricardo Narvaja
December 30th, 2003, 19:12
165-Como borra el ACPROTECT 1.10 y el ASPROTECT nuestros queridos hardware breakpoints.rar

The tut is explained with ACProtect 1.10, but for ASProtect it is the same method.



ftp://curso:curso@ricnar456.no-ip.org/


user:curso
pass:curso

folder NUEVO CURSO-TEORIAS

In

NUEVO CURSO\TEORIAS-PROGRAMAS\165-PROGRAMA TEORIA 165

is the program ACProtect 1.10.

Ricardo Narvaja



JMI
December 31st, 2003, 02:16
You also would benefit from use of the "search" key at the top of the Forums. You will find a wealth of threads on the subject of asprotect and its evolution over the last year. You really should study all these threads and begin making your own notes of things like "stolen bytes" and relocating parts of the protection to a different address each time the program starts. These things will become more clear to you as a study of the techniques of ASPR, even if they do not help you always with a specific target.

Regards.

IGOR
December 31st, 2003, 11:09
JMI,

I understand and agree with you, that should be the correct approach, and in fact that IS my usual approach to things, but you see, JMI, exactly because that is my normal approach to any problem I ALSO know that it tends to get me lost. I sometimes find it more useful to skip a few steps and go ahead trying to solve a problem even though I'm not fully prepared and then, once solved, I usually get back and redo the entire process as it should have been done at first. I have seen that by adopting this problem solving process I usually learn more because when I afterwards study things I fully understand their importance and how they fit in to explain all those missing pieces.
Hope you understand.


IGOR

JMI
December 31st, 2003, 18:58
I highly recommend that you do NOT adopt this approach to the subject of landmine removal. Once you start screwing with the detonator, there IS NO GOING BACK to learn how to do it the right way. There the "missing pieces" will be parts of YOU.

In all seriousness, it is always easy to jump in and muck around in the program and learn everything from scratch yourself. But if that is your REAL attitude, you shouldn't be asking for any help. You should just do it your own damn self. However, if your object is actual learning, without having to re-invent the wheel, then a general subject review is always the wisest approach. The principal point of my post was that the subject of your question had been discussed here before you posted your question and I was simply reminding you, and others reading the thread, that it is policy here that one is supposed to search BEFORE asking a question.

Regards,

IGOR
January 1st, 2004, 10:09
JMI, I already said I agree with you. Still I wanted to explain the rationale behind my approach. I could have avoided it. You already have all your answers.

IGOR
________________________________________
You should just do it your own damn self.